soroushdes/flatrender
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(node-agent): production ops kit — Windows service + WireGuard mesh

Browse Source 
config:
- LoadEnvFile(): reads agent.env beside the exe (or $AGENT_ENV_FILE) before env,
  so the sc.exe service needs no per-service environment plumbing; real env wins

deploy/ (new):
- build-windows.ps1     cross-compile → dist\ + stage the deploy kit
- agent.env.example     fully documented config template
- install-service.ps1   register as auto-start Windows service (native sc.exe),
                        crash-restart 3×/5s, no NSSM dependency
- uninstall-service.ps1 stop + remove
- wireguard-node.conf.template + setup-wireguard.ps1  node dials out only, no
                        public IP / inbound rules; tunnel installed as boot service
- README.md             full control-plane + node walkthrough, ops table, troubleshooting

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
soroush.asadi
2026-06-05 12:20:48 +03:30
parent 67060c73b2
commit 52be5be93f
8 changed files with 522 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
services/node-agent/deploy/wireguard-node.conf.template
+29
View File
@@ -0,0 +1,29 @@
# WireGuard tunnel for a FlatRender render node.
#
# The render node only ever dials OUT to the control plane — it never needs a
# public IP or any inbound firewall rule. All traffic to the gateway / MinIO
# rides this encrypted tunnel, so nodes can live behind NAT, on home ADSL, or
# in any datacenter.
#
# Fill in the four <PLACEHOLDERS> below, save as `wg-flatrender.conf`, then run
# setup-wireguard.ps1 (or import it in the WireGuard GUI).
[Interface]
# This node's private key (generate on the node: `wg genkey`).
PrivateKey = <NODE_PRIVATE_KEY>
# This node's address inside the mesh. Pick a unique 10.66.0.x per node.
Address = 10.66.0.<NODE_NUMBER>/32
# Optional: keep DNS on the LAN; the tunnel only carries mesh traffic (see AllowedIPs).
# DNS = 1.1.1.1
[Peer]
# Control plane (gateway + MinIO host) public key (from the server: `wg show`).
PublicKey = <SERVER_PUBLIC_KEY>
# Public endpoint of the control plane: <public-ip-or-host>:51820
Endpoint = <SERVER_PUBLIC_ENDPOINT>:51820
# Only route the mesh subnet through the tunnel — everything else uses the normal
# internet path. 10.66.0.0/24 = the FlatRender control + render mesh.
AllowedIPs = 10.66.0.0/24
# Hold the NAT mapping open so the orchestrator can reach the node's :7777 health
# port and so long-poll claims stay alive behind home routers / CGNAT.
PersistentKeepalive = 25