rivet-gg · graphite-app · Jul 23, 2024 · Jul 23, 2024
diff --git a/Taskfile.yaml b/Taskfile.yaml
diff --git a/infra/dev-tunnel/Taskfile.yaml b/infra/dev-tunnel/Taskfile.yaml
diff --git a/infra/dev-tunnel/providers.tf b/infra/dev-tunnel/providers.tf
diff --git a/infra/dev-tunnel/vars.tf b/infra/dev-tunnel/vars.tf
diff --git a/infra/tf/dev_tunnel/dev_tunnel b/infra/tf/dev_tunnel/dev_tunnel
@@ -0,0 +1 @@
+dev_tunnel/
diff --git a/infra/dev-tunnel/main.tf → infra/tf/dev_tunnel/main.tf b/infra/dev-tunnel/main.tf → infra/tf/dev_tunnel/main.tf
@@ -11,6 +11,11 @@ terraform {
 	}
 }
 
-output "ip" {
-	value = linode_instance.tunnel.ip_address
+module "secrets" {
+	source = "../modules/secrets"
+
+	keys = [
+		"linode/token",
+	]
 }
+
diff --git a/infra/tf/dev_tunnel/outputs.tf b/infra/tf/dev_tunnel/outputs.tf
@@ -0,0 +1,3 @@
+output "tunnel_public_ip" {
+	value = linode_instance.tunnel.ip_address
+}
diff --git a/infra/tf/dev_tunnel/providers.tf b/infra/tf/dev_tunnel/providers.tf
@@ -0,0 +1,3 @@
+provider "linode" {
+	token = module.secrets.values["linode/token"]
+}
diff --git a/infra/dev-tunnel/server.tf → infra/tf/dev_tunnel/server.tf b/infra/dev-tunnel/server.tf → infra/tf/dev_tunnel/server.tf
@@ -1,5 +1,5 @@
 locals {
-	dev_tunnel_name = "dev-tunnel-${random_string.tunnel_suffix.result}"
+	dev_tunnel_name = "${var.namespace}-dev-tunnel"
 }
 
 resource "random_string" "tunnel_suffix" {
@@ -11,9 +11,9 @@ resource "random_string" "tunnel_suffix" {
 }
 
 resource "random_password" "password" {
-    length  = 16
-    special = true
-    override_special = "_%@"
+	length  = 16
+	special = true
+	override_special = "_%@"
 }
 
 resource "linode_instance" "tunnel" {
@@ -23,7 +23,7 @@ resource "linode_instance" "tunnel" {
 	type = "g6-nanode-1"
 	authorized_keys = [trimspace(tls_private_key.ssh_key.public_key_openssh)]
 	root_pass = random_password.password.result
-	tags = ["dev-tunnel"]
+	tags = ["rivet-${var.namespace}", "${var.namespace}-dev-tunnel"]
 }
 
 resource "linode_firewall" "tunnel_firewall" {
@@ -45,38 +45,44 @@ resource "linode_firewall" "tunnel_firewall" {
 		label = "http"
 		action = "ACCEPT"
 		protocol = "TCP"
-		ports = "80"
+		ports = var.api_http_port
 		ipv4 = ["0.0.0.0/0"]
 		ipv6 = ["::/0"]
 	}
 
-	inbound {
-		label = "https"
-		action = "ACCEPT"
-		protocol = "TCP"
-		ports = "443"
-		ipv4 = ["0.0.0.0/0"]
-		ipv6 = ["::/0"]
+	dynamic "inbound" {
+		for_each = var.api_https_port != null ? [1] : []
+		content {
+			label = "https"
+			action = "ACCEPT"
+			protocol = "TCP"
+			ports = var.api_https_port
+			ipv4 = ["0.0.0.0/0"]
+			ipv6 = ["::/0"]
+		}
 	}
 
 	inbound {
 		label = "tunnel"
 		action = "ACCEPT"
 		protocol = "TCP"
-		ports = "5000"
+		ports = var.tunnel_port
 		ipv4 = ["0.0.0.0/0"]
 		ipv6 = ["::/0"]
 	}
 
-	inbound {
-		label = "minio"
-		action = "ACCEPT"
-		protocol = "TCP"
-		ports = "9000"
-		ipv4 = ["0.0.0.0/0"]
-		ipv6 = ["::/0"]
+	dynamic "inbound" {
+		for_each = var.minio_port != null ? [1] : []
+		content {
+			label = "minio"
+			action = "ACCEPT"
+			protocol = "TCP"
+			ports = var.minio_port
+			ipv4 = ["0.0.0.0/0"]
+			ipv6 = ["::/0"]
+		}
 	}
 
-      linodes = [linode_instance.tunnel.id]
+	linodes = [linode_instance.tunnel.id]
 }
- 
+
diff --git a/infra/dev-tunnel/tls.tf → infra/tf/dev_tunnel/tls.tf b/infra/dev-tunnel/tls.tf → infra/tf/dev_tunnel/tls.tf
diff --git a/infra/dev-tunnel/tunnel.tf → infra/tf/dev_tunnel/tunnel.tf b/infra/dev-tunnel/tunnel.tf → infra/tf/dev_tunnel/tunnel.tf
@@ -1,3 +1,14 @@
+locals {
+	fwd_ports = flatten([
+		var.api_http_port,
+		var.api_https_port != null ? [var.api_https_port] : [],
+		var.tunnel_port,
+		var.minio_port != null ? [var.minio_port] : [],
+	])
+
+	ssh_fwd_flags = join(" ", [for x in local.fwd_ports: "-R 0.0.0.0:${x}:127.0.0.1:${x}"])
+}
+
 resource "null_resource" "update_sshd_config" {
 	depends_on = [linode_instance.tunnel]
     triggers = {
@@ -47,7 +58,7 @@ resource "docker_container" "ssh_tunnel" {
 		apt-get install -y openssh-client 
 		while true; do
 			echo 'Connecting...'
-			ssh -o StrictHostKeyChecking=no -i /root/.ssh/id_rsa -vNT -R 0.0.0.0:80:127.0.0.1:80 -R 0.0.0.0:443:127.0.0.1:443 -R 0.0.0.0:5000:127.0.0.1:5000 -R 0.0.0.0:9000:127.0.0.1:9000 root@${linode_instance.tunnel.ip_address}
+			ssh -o StrictHostKeyChecking=no -i /root/.ssh/id_rsa -vNT ${local.ssh_fwd_flags} root@${linode_instance.tunnel.ip_address}
 			sleep 5
 		done
 		EOF

diff --git a/infra/tf/dev_tunnel/vars.tf b/infra/tf/dev_tunnel/vars.tf
@@ -0,0 +1,22 @@
+variable "namespace" {
+	type = string
+}
+
+variable "api_http_port" {
+	type = number
+}
+
+variable "api_https_port" {
+	type = number
+	nullable = true
+}
+
+variable "minio_port" {
+	type = number
+	nullable = true
+}
+
+variable "tunnel_port" {
+	type = number
+}
+
diff --git a/infra/tf/k8s_cluster_k3d/output.tf b/infra/tf/k8s_cluster_k3d/output.tf
@@ -1,7 +1,3 @@
-output "traefik_external_ip" {
-	value = var.public_ip
-}
-
 output "repo_host" {
 	value = local.repo_host
 }

diff --git a/infra/tf/k8s_cluster_k3d/vars.tf b/infra/tf/k8s_cluster_k3d/vars.tf
@@ -14,10 +14,6 @@ variable "cargo_target_dir" {
 	type = string
 }
 
-variable "public_ip" {
-	type = string
-}
-
 variable "api_http_port" {
 	type = number
 }

diff --git a/infra/tf/k8s_infra/outputs.tf b/infra/tf/k8s_infra/outputs.tf
@@ -2,14 +2,16 @@ output "traefik_external_ip" {
 	value = (
 		var.deploy_method_cluster ?
 			data.kubernetes_service.traefik.status[0].load_balancer[0].ingress[0].hostname :
-			var.public_ip
+			var.dev_public_ip
 	)
 }
 
 output "traefik_tunnel_external_ip" {
 	value = (
-		var.deploy_method_cluster && var.edge_enabled ?
-			data.kubernetes_service.traefik_tunnel.0.status[0].load_balancer[0].ingress[0].hostname :
-			var.public_ip
+		var.edge_enabled
+			? var.deploy_method_cluster
+				? data.kubernetes_service.traefik_tunnel.0.status[0].load_balancer[0].ingress[0].hostname 
+				: var.dev_public_ip
+			: null
 	)
 }
diff --git a/infra/tf/k8s_infra/vars.tf b/infra/tf/k8s_infra/vars.tf
@@ -6,7 +6,7 @@ variable "deploy_method_cluster" {
 	type = bool
 }
 
-variable "public_ip" {
+variable "dev_public_ip" {
 	type = string
 	nullable = true
 	default = null

diff --git a/lib/bolt/config/src/ns.rs b/lib/bolt/config/src/ns.rs
@@ -66,7 +66,9 @@ pub struct Cluster {
 pub enum ClusterKind {
 	#[serde(rename = "single_node")]
 	SingleNode {
-		public_ip: String,
+		#[serde(default)]
+		public_ip: Option<String>,
+
 		/// Port to expose API HTTP interface. Exposed on public IP.
 		#[serde(default = "default_api_http_port")]
 		api_http_port: u16,
@@ -85,11 +87,19 @@ pub enum ClusterKind {
 		/// Disabled by default since this doesn't play well with development machines.
 		#[serde(default)]
 		limit_resources: bool,
+
+		/// Create a dev tunnel for this server.
+		#[serde(default)]
+		dev_tunnel: Option<DevTunnel>,
 	},
 	#[serde(rename = "distributed")]
 	Distributed {},
 }
 
+#[derive(Default, Serialize, Deserialize, Clone, Debug)]
+#[serde(deny_unknown_fields)]
+pub struct DevTunnel {}
+
 #[derive(Default, Serialize, Deserialize, Clone, Debug)]
 #[serde(deny_unknown_fields)]
 pub struct Secrets {