ci/woodpecker/push/woodpecker Pipeline was successfulDetails
Stripped-down, generic version of the Traefik Swarm setup that the
tunnel-server depends on for dynamic label-based routing. Sanitized
of infrastructure-specific details so others can replicate the setup.
Co-authored-by: Cursor <cursoragent@cursor.com>
ci/woodpecker/push/woodpecker Pipeline was successfulDetails
docker service update --label-add was restarting the tunnel-server
container on every label change, breaking all active SSH tunnels.
Now the server writes YAML config files to /root/traefik/dynamic/ on
the Traefik host via SSH. Traefik's file provider watches the directory
and picks up changes without any container restarts. Clients can
reconnect reliably after server restarts with no restart loops.
Co-authored-by: Cursor <cursoragent@cursor.com>
ci/woodpecker/push/woodpecker Pipeline was successfulDetails
Ensures tunnel clients and test services restart automatically
whenever Docker is available, including after host reboots.
Co-authored-by: Cursor <cursoragent@cursor.com>
ci/woodpecker/push/woodpecker Pipeline was successfulDetails
The bcrypt hash was escaping $ to $$ which is only needed in compose
files. docker service update --label-add with single-quoted values
preserves dollar signs literally, so doubling them broke Traefik auth.
Co-authored-by: Cursor <cursoragent@cursor.com>
ci/woodpecker/push/woodpecker Pipeline was successfulDetails
docker-compose.test.yml spins up an nginx + tunnel-client pointing at
testrst.nixc.us with basicauth test:test for end-to-end validation.
Co-authored-by: Cursor <cursoragent@cursor.com>
Clients can now set TUNNEL_AUTH_USER and TUNNEL_AUTH_PASS to have the
server add a Traefik basicauth middleware in front of the tunnel route.
Credentials are sent as tunnel metadata over the SSH channel and the
server generates a bcrypt htpasswd entry for Traefik's Docker labels.
Co-authored-by: Cursor <cursoragent@cursor.com>
Keys are now mounted directly from /root/.ssh/ on the host node
instead of using Docker Swarm secrets. CI deploy step simplified
to verify key files exist and clean up leftover secrets.
Co-authored-by: Cursor <cursoragent@cursor.com>
- keyutil.go / client ssh.go: if <key>-cert.pub exists next to
the private key, load it automatically (mirrors openssh behavior)
- stack.production.yml: TRAEFIK_SSH_HOST uses port 65522
Co-authored-by: Cursor <cursoragent@cursor.com>
Local dev override mounts real SSH keys for testing the tunnel
server and client without needing Swarm secrets.
Co-authored-by: Cursor <cursoragent@cursor.com>
- labels.go: use `docker service update --label-add/rm` via SSH to
dynamically manage Traefik labels on the Swarm service itself,
matching how traefik-http discovers routes from Docker swarm labels
- stack.production.yml: constrain to ingress.nixc.us, host-mode port
2222, base traefik.enable labels, SWARM_SERVICE_NAME env
- cmd/server/main.go: SWARM_SERVICE_NAME replaces TRAEFIK_CONFIG_DIR
- .woodpecker.yml: hardcode stack name better-argo-tunnels, update
smoke test env vars
Co-authored-by: Cursor <cursoragent@cursor.com>
- .woodpecker.yml: test, build+push x86 images, smoke test, deploy to Swarm
- docker-compose.production.yml: CI build targets for server + client images
- stack.production.yml: Swarm stack with secrets, Traefik TCP labels, port range
- docker-compose.yml: simplified to minimal build+image (matches smsbridge pattern)
Co-authored-by: Cursor <cursoragent@cursor.com>
Go binary pair (server + client) that establishes reverse SSH tunnels
and dynamically registers Traefik routes by SSHing into the ingress
host to write file-provider config. Clients need only a private key,
server address, domain, and local port as envvars.
Co-authored-by: Cursor <cursoragent@cursor.com>
Leopere