feat(infra): add ability to provision dev tunnel

Taskfile.yaml

@@ -0,0 +1,6 @@
+version: "3"
+
+includes:
+  dev-tunnel:
+    taskfile: infra/dev-tunnel
+    dir: infra/dev-tunnel

docs/getting_started/DEVELOPMENT.md

@@ -109,6 +109,12 @@ and run "Remote-Containers: Reopen in Container".
 
 You can now skip to the [Common steps](#common-steps) section.
 
+### Step 5: Setup dev tunnel (optional)
+
+Rivet needs a publicly accessible IP in order to be able to deploy servers. Without it, you can still run Rivet, but you won't be able to access servers.
+
+Read the guide on setting up a dev tunnel (similar to ngrok) [here](/docs/infrastructure/dev-tunnel/SETUP.md).
+
 ## Method 2: Virtual Machine
 
 This is best if running a small deployment of Rivet on a cloud provider.

docs/infrastructure/dev-tunnel/SETUP.md

@@ -0,0 +1,71 @@
+# Setup Dev Tunnel
+
+This guide will show you how to set up a dev tunnel (similar to [ngrok](https://ngrok.com/)) for developing Rivet locally.
+
+This will run a Terraform plan to deploy two components:
+
+-   A server on Linode that will forward traffic to your local machine
+-   A Docker container that will connect to the remote server over SSH and expose a reverse tunnel
+
+## Prerequisites
+
+Make sure to run `nix-shell` for all subsequent commands.
+
+-   Docker
+-   Linode API Key
+
+## Step 1: Create Dev Tunnel
+
+```sh
+task dev-tunnel:up
+```
+
+This will prompt you to past your Linode API token.
+
+Once complete, this will print an IP to your console like:
+
+```toml
+ip = "1.2.3.4"
+```
+
+## Step 2: Update public IP
+
+Open your namespace config in `namespaces/dev.toml`.
+
+-   Update `cluter.single_node.public_ip` to the IP from the last step. By default, the config is generated with `public_ip = "127.0.0.1"`.
+-   If exists, delete the line that says `api_http_port = 8080`.
+-   Validate that there are no ports overridden (i.e. `cluter.single_node.api_http_port`).
+
+If you need your IP again, run `task dev-tunnel:get-ip`.
+
+## Step 3: Update infrastructure
+
+To deploy the new DNS records & configs, run:
+
+```sh
+bolt infra up
+```
+
+## Step 4: Valdiate deployment
+
+Validate you can reach your local server on the public IP, replace `MY_TUNNEL_IP` with the IP from the last step:
+
+```sh
+curl MY_TUNNEL_IP:80
+```
+
+This should return a 404 response:
+
+```
+404 page not found
+```
+
+This means your server is now accessible.
+
+If you have DNS configured, you should be able to reach your server from `api.my
+
+## Cleanup
+
+```sh
+task dev-tunnel:down
+```

infra/dev-tunnel/Taskfile.yaml

@@ -0,0 +1,21 @@
+version: "3"
+
+tasks:
+  init:
+    internal: true
+    cmds:
+      - terraform init -upgrade
+
+  up:
+    deps: [init]
+    cmds:
+      - terraform apply
+
+  down:
+    deps: [init]
+    cmds:
+      - terraform destroy
+
+  get-ip:
+    cmds:
+      - terraform output

infra/dev-tunnel/main.tf

@@ -0,0 +1,16 @@
+terraform {
+	required_providers {
+		linode = {
+			source = "linode/linode"
+			version = "~> 1.23.0"
+		}
+        docker = {
+            source  = "kreuzwerker/docker"
+            version = "~> 2.15.0"
+        }
+	}
+}
+
+output "ip" {
+	value = linode_instance.tunnel.ip_address
+}

infra/dev-tunnel/providers.tf

@@ -0,0 +1,3 @@
+provider "linode" {
+    token = var.linode_token
+}

infra/dev-tunnel/server.tf

@@ -0,0 +1,82 @@
+locals {
+	dev_tunnel_name = "dev-tunnel-${random_string.tunnel_suffix.result}"
+}
+
+resource "random_string" "tunnel_suffix" {
+	length = 8
+	special = false
+	upper = false
+	lower = true
+	numeric  = true
+}
+
+resource "random_password" "password" {
+    length  = 16
+    special = true
+    override_special = "_%@"
+}
+
+resource "linode_instance" "tunnel" {
+	image = "linode/debian11"
+	label = local.dev_tunnel_name
+	region = "us-west"
+	type = "g6-nanode-1"
+	authorized_keys = [trimspace(tls_private_key.ssh_key.public_key_openssh)]
+	root_pass = random_password.password.result
+	tags = ["dev-tunnel"]
+}
+
+resource "linode_firewall" "tunnel_firewall" {
+	label = local.dev_tunnel_name
+
+	inbound_policy = "DROP"
+	outbound_policy = "ACCEPT"
+
+	inbound {
+		label = "ssh"
+		action = "ACCEPT"
+		protocol = "TCP"
+		ports = "22"
+		ipv4 = ["0.0.0.0/0"]
+		ipv6 = ["::/0"]
+	}
+
+	inbound {
+		label = "http"
+		action = "ACCEPT"
+		protocol = "TCP"
+		ports = "80"
+		ipv4 = ["0.0.0.0/0"]
+		ipv6 = ["::/0"]
+	}
+
+	inbound {
+		label = "https"
+		action = "ACCEPT"
+		protocol = "TCP"
+		ports = "443"
+		ipv4 = ["0.0.0.0/0"]
+		ipv6 = ["::/0"]
+	}
+
+	inbound {
+		label = "tunnel"
+		action = "ACCEPT"
+		protocol = "TCP"
+		ports = "5000"
+		ipv4 = ["0.0.0.0/0"]
+		ipv6 = ["::/0"]
+	}
+
+	inbound {
+		label = "minio"
+		action = "ACCEPT"
+		protocol = "TCP"
+		ports = "9000"
+		ipv4 = ["0.0.0.0/0"]
+		ipv6 = ["::/0"]
+	}
+
+      linodes = [linode_instance.tunnel.id]
+}
+

infra/dev-tunnel/tls.tf

@@ -0,0 +1,10 @@
+resource "tls_private_key" "ssh_key" {
+	algorithm = "RSA"
+	rsa_bits = 2048
+}
+
+resource "local_file" "ssh_key_file" {
+	filename = "/tmp/tunnel_id_rsa"
+	content  = tls_private_key.ssh_key.private_key_pem
+	file_permission = "0600"
+}

infra/dev-tunnel/tunnel.tf

@@ -0,0 +1,59 @@
+resource "null_resource" "update_sshd_config" {
+	depends_on = [linode_instance.tunnel]
+    triggers = {
+      override = 2
+    }
+
+	connection {
+		type = "ssh"
+		user = "root"
+		private_key = tls_private_key.ssh_key.private_key_pem
+		host = linode_instance.tunnel.ip_address
+	}
+
+	provisioner "local-exec" {
+		command = <<-EOT
+		 	# Wait for SSH
+			while ! nc -z ${linode_instance.tunnel.ip_address} 22; do
+				echo "Waiting for SSH to be available..."
+				sleep 2
+			done
+
+			# Update config
+			ssh -o StrictHostKeyChecking=no -i ${local_file.ssh_key_file.filename} root@${linode_instance.tunnel.ip_address} \
+            "echo 'GatewayPorts yes' > /etc/ssh/sshd_config.d/dev_tunnel.conf && \
+            systemctl restart ssh"
+		EOT
+	}
+}
+
+resource "docker_container" "ssh_tunnel" {
+    depends_on = [ null_resource.update_sshd_config]
+
+	image = "debian:11"
+	name = "rivet-tunnel"
+	restart = "unless-stopped"
+	network_mode = "host"
+	command = [
+		"sh",
+		"-c",
+		# StrictHostKeyChecking=no = disables prompting before adding remote host to hosts file
+		# -v = verbose
+		# -N = don't execute command
+		# -T = no TTY
+		# -R = reverse proxy
+		<<EOF
+		apt-get update -y
+		apt-get install -y openssh-client 
+		while true; do
+			echo 'Connecting...'
+			ssh -o StrictHostKeyChecking=no -i /root/.ssh/id_rsa -vNT -R 0.0.0.0:80:127.0.0.1:80 -R 0.0.0.0:443:127.0.0.1:443 -R 0.0.0.0:5000:127.0.0.1:5000 -R 0.0.0.0:9000:127.0.0.1:9000 root@${linode_instance.tunnel.ip_address}
+			sleep 5
+		done
+		EOF
+	]
+	volumes {
+		host_path = local_file.ssh_key_file.filename
+		container_path = "/root/.ssh/id_rsa"
+	}
+}

infra/dev-tunnel/vars.tf

@@ -0,0 +1,4 @@
+variable "linode_token" {
+    type = string
+    sensitive = true
+}

shell.nix

@@ -64,6 +64,10 @@ in
 			bashInteractive
 			bash-completion
 
+			# Utilities
+			go-task
+			netcat
+
 			# Fixes "cannot change locale" warning
 			glibcLocales
 		]