ci/woodpecker/push/woodpecker Pipeline was successfulDetails
docker service update --label-add was restarting the tunnel-server
container on every label change, breaking all active SSH tunnels.
Now the server writes YAML config files to /root/traefik/dynamic/ on
the Traefik host via SSH. Traefik's file provider watches the directory
and picks up changes without any container restarts. Clients can
reconnect reliably after server restarts with no restart loops.
Co-authored-by: Cursor <cursoragent@cursor.com>
ci/woodpecker/push/woodpecker Pipeline was successfulDetails
The bcrypt hash was escaping $ to $$ which is only needed in compose
files. docker service update --label-add with single-quoted values
preserves dollar signs literally, so doubling them broke Traefik auth.
Co-authored-by: Cursor <cursoragent@cursor.com>
Clients can now set TUNNEL_AUTH_USER and TUNNEL_AUTH_PASS to have the
server add a Traefik basicauth middleware in front of the tunnel route.
Credentials are sent as tunnel metadata over the SSH channel and the
server generates a bcrypt htpasswd entry for Traefik's Docker labels.
Co-authored-by: Cursor <cursoragent@cursor.com>
- labels.go: use `docker service update --label-add/rm` via SSH to
dynamically manage Traefik labels on the Swarm service itself,
matching how traefik-http discovers routes from Docker swarm labels
- stack.production.yml: constrain to ingress.nixc.us, host-mode port
2222, base traefik.enable labels, SWARM_SERVICE_NAME env
- cmd/server/main.go: SWARM_SERVICE_NAME replaces TRAEFIK_CONFIG_DIR
- .woodpecker.yml: hardcode stack name better-argo-tunnels, update
smoke test env vars
Co-authored-by: Cursor <cursoragent@cursor.com>
Go binary pair (server + client) that establishes reverse SSH tunnels
and dynamically registers Traefik routes by SSHing into the ingress
host to write file-provider config. Clients need only a private key,
server address, domain, and local port as envvars.
Co-authored-by: Cursor <cursoragent@cursor.com>
Leopere