Merged
1 change: 1 addition & 0 deletions .env.development
@@ -1,2 +1,3 @@
PUBLIC_RELAY_URL="http://localhost:4443"
PUBLIC_RELAY_TOKEN=""
PUBLIC_CLOUDFLARE_URL="https://relay.cloudflare.mediaoverquic.com"
1 change: 1 addition & 0 deletions .env.production
@@ -1,3 +1,4 @@
PUBLIC_RELAY_URL="https://relay.moq.dev"
# Generate with: cargo run --bin moq-token -- --key root.jwk sign --root "demo" --subscribe ""
PUBLIC_RELAY_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb290IjoiZGVtbyIsImdldCI6WyIiXSwiZXhwIjpudWxsLCJpYXQiOm51bGx9.6EoN-Y1Ouj35_qV5FokcdcdderrE2navNbYQjJyR2Ac"
PUBLIC_CLOUDFLARE_URL="https://relay.cloudflare.mediaoverquic.com"
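Review bot: the PUBLIC_RELAY_TOKEN added here decodes to a header of {"typ":"JWT","alg":"HS256"} and a payload of {"root":"demo","get":[""],"exp":null,"iat":null}, so it never expires and can only be invalidated by rotating the key behind root.jwk and redeploying. Publishing it in a PUBLIC_ variable is acceptable because it is served to every browser anyway, but give it an expiry so a later scope change does not depend on key rotation, and double-check that root.jwk (named in the generation comment) is git-ignored, since with HS256 that file is the signing secret.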
3 changes: 3 additions & 0 deletions astro.config.ts
Expand Up @@ -36,5 +36,8 @@ export default defineConfig({
"@": "/src",
},
},
optimizeDeps: {
exclude: ["@kixelated/hang"],
},
},
});
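Review bot: the optimizeDeps.exclude entry for @kixelated/hang needs a comment saying why the package is kept out of Vite prebundling; the only reason visible in this PR is the link:../moq/js/hang dependency in package.json, and if that link is reverted to a published version the exclusion becomes a silent leftover. Suggest adding `// linked local package: skip prebundling so edits in ../moq are picked up` next to it, or dropping the exclusion together with the link.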
1 change: 1 addition & 0 deletions env.d.ts
Expand Up @@ -3,6 +3,7 @@
interface ImportMetaEnv {
readonly PUBLIC_RELAY_URL: string;
readonly PUBLIC_RELAY_TOKEN: string;
readonly PUBLIC_CLOUDFLARE_URL: string;
}

interface ImportMeta {
14 changes: 2 additions & 12 deletions infra/input.tf
Expand Up @@ -25,22 +25,12 @@ variable "domain" {

variable "docker_relay" {
description = "Docker image for moq-relay"
default = "docker.io/kixelated/moq-relay:0.8.8"
default = "docker.io/kixelated/moq-relay:0.9.2"
}

variable "docker_hang" {
description = "Docker image for hang"
default = "docker.io/kixelated/hang:0.2.5"
}

variable "cloudflare_dns_token" {
description = "Cloudflare DNS API token - edit permissions for moq.dev"
sensitive = true
}

variable "cloudflare_zone_token" {
description = "Cloudflare Zone API token - read permissions for all zones"
sensitive = true
default = "docker.io/kixelated/hang:0.2.9"
}
Comment on lines 26 to 34
🛠️ Refactor suggestion

Pin Docker images by digest to prevent supply‑chain drift.

Tags are mutable; use immutable digests for deterministic, auditable deploys.

Apply:

-variable "docker_relay" {
-  description = "Docker image for moq-relay"
-  default     = "docker.io/kixelated/moq-relay:0.9.2"
-}
+variable "docker_relay" {
+  description = "Docker image for moq-relay"
+  # Example with digest; update to the correct digest from your registry
+  default     = "docker.io/kixelated/moq-relay@sha256:<relay-digest>"
+}
 
-variable "docker_hang" {
-  description = "Docker image for hang"
-  default     = "docker.io/kixelated/hang:0.2.9"
-}
+variable "docker_hang" {
+  description = "Docker image for hang"
+  # Example with digest; update to the correct digest from your registry
+  default     = "docker.io/kixelated/hang@sha256:<hang-digest>"
+}
🤖 Prompt for AI Agents
In infra/input.tf around lines 26 to 34, the variables define Docker images
using mutable tags which can drift; update them to pinned image digests
(image@sha256:<digest>) instead of tag-only defaults. Obtain the exact sha256
digests from the image registry (docker pull or registry API) for
docker.io/kixelated/moq-relay:0.9.2 and docker.io/kixelated/hang:0.2.9 and
replace the default values with the corresponding image@sha256:<digest> strings,
or alternatively make the variables required (no default) and document that
callers must supply a digest-pinned image; ensure any other references in the
code use the new digest variables.


# Too complicated to specify via flags, so do it here.
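Review bot: removing cloudflare_dns_token and cloudflare_zone_token is only safe if no remaining provider or resource block still references var.cloudflare_dns_token or var.cloudflare_zone_token; run terraform validate before merge to confirm. Since both variables were marked sensitive, also revoke the matching API tokens in Cloudflare and delete them from wherever the tfvars were kept, rather than leaving unused credentials with edit rights on moq.dev alive. The hunk additionally bumps the mutable tags moq-relay 0.8.8 -> 0.9.2 and hang 0.2.5 -> 0.2.9, which the digest-pinning comment above already covers.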
9 changes: 9 additions & 0 deletions infra/relay-lb.tf
Expand Up @@ -70,4 +70,13 @@ resource "google_compute_backend_service" "relay_lb" {
google_compute_http_health_check.relay.self_link
]
}


# We must use a legacy health check for the UDP load balancer
resource "google_compute_http_health_check" "relay" {
name = "relay"
request_path = "/health"
check_interval_sec = 5
timeout_sec = 5
}
*/
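Review bot: the added google_compute_http_health_check.relay block sits directly above a closing */, so it appears to have been pasted into a commented-out region of relay-lb.tf rather than into live configuration; together with its removal from relay.tf this leaves no health check resource defined at all. If the load balancer is retired, delete the commented block instead of growing it, so the repository stays an accurate record of what is deployed; if it is meant to come back, the resource should live outside the comment.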
15 changes: 6 additions & 9 deletions infra/relay.tf
Expand Up @@ -89,7 +89,7 @@ resource "google_dns_record_set" "relay" {
rrdatas = [google_compute_address.relay[each.key].address]
}

# Allow UDP 443
# Allow port 443
resource "google_compute_firewall" "relay" {
name = "relay"
network = "default"
Expand All @@ -99,18 +99,15 @@ resource "google_compute_firewall" "relay" {
ports = ["443"]
}

allow {
protocol = "tcp"
ports = ["443"]
}

source_ranges = ["0.0.0.0/0"]
target_tags = ["relay"]
}

# We must use a legacy health check for the UDP load balancer
resource "google_compute_http_health_check" "relay" {
name = "relay"
request_path = "/health"
check_interval_sec = 5
timeout_sec = 5
}

# Create an internal TLS certificate for the relay
resource "tls_private_key" "relay_internal" {
for_each = local.relays
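Review bot: the new allow block opens TCP/443 from 0.0.0.0/0 in addition to UDP/443, which exposes whatever the relay's HTTPS listener serves to the whole internet where the old comment allowed only UDP 443. That is presumably intended, since relay.yml.tpl in this PR adds a [web.https] listener, but the comment should say so, e.g. `# Allow UDP 443 (QUIC) and TCP 443 (HTTPS)`. The deletion of google_compute_http_health_check.relay also needs checking against the remaining reference to google_compute_http_health_check.relay.self_link in relay-lb.tf, which is harmless only while that block stays commented out.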
15 changes: 8 additions & 7 deletions infra/relay.yml.tpl
Expand Up @@ -56,17 +56,17 @@ write_files:
[server]
listen = "0.0.0.0:443"

[[server.tls.cert]]
chain = "/etc/cert/${cluster_node}.crt"
key = "/etc/cert/${cluster_node}.key"

[[server.tls.cert]]
chain = "/etc/cert/${public_host}.crt"
key = "/etc/cert/${public_host}.key"
tls.cert = [ "/etc/cert/${cluster_node}.crt", "/etc/cert/${public_host}.crt" ]
tls.key = [ "/etc/cert/${cluster_node}.key", "/etc/cert/${public_host}.key" ]

[client]
tls.root = [ "/etc/cert/internal.ca" ]

[web.https]
listen = "0.0.0.0:443"
cert = "/etc/cert/${public_host}.crt"
key = "/etc/cert/${public_host}.key"

[cluster]
connect = "${cluster_root}"
advertise = "${cluster_node}"
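Review bot: [server] and the new [web.https] both bind 0.0.0.0:443, which only works because one is QUIC over UDP and the other is TCP; add a one-line comment saying so, since the duplicate address reads like a typo and the firewall and iptables hunks in this PR open both protocols to match. The new tls.cert and tls.key arrays presumably pair certificate and key by index, so the cluster_node entry must stay first in both lists; either note that in a comment or keep the per-certificate table form, so that a third certificate cannot be added with a silently mismatched key.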
Expand Down Expand Up @@ -115,6 +115,7 @@ write_files:
Type=oneshot
RemainAfterExit=true
ExecStart=iptables -A INPUT -p udp --dport 443 -j ACCEPT
ExecStart=iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# There's a mismatch between the GCP network MTU and the docker MTU
- path: /etc/docker/daemon.json
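Review bot: the second ExecStart appends with `iptables -A` just like the first, and the unit is Type=oneshot with RemainAfterExit=true, so a manual restart of the unit duplicates both rules. Make each line idempotent, e.g. `ExecStart=/bin/sh -c 'iptables -C INPUT -p tcp --dport 443 -j ACCEPT || iptables -A INPUT -p tcp --dport 443 -j ACCEPT'`, and add a comment that opening TCP/443 here is paired with the GCP firewall change in relay.tf so the two are kept in sync.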
7 changes: 5 additions & 2 deletions justfile
Expand Up @@ -54,11 +54,14 @@ build:
pnpm astro build

# Deploy the site to Cloudflare Pages
deploy: build
pnpm wrangler deploy
deploy env="staging": build
pnpm wrangler deploy --env {{env}}

dev:
pnpm i

# Run the web development server
pnpm astro dev --open

preview: build
pnpm astro preview --open
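Review bot: `deploy` now defaults env to "staging", so a plain `just deploy`, which previously deployed the top-level wrangler environment, silently targets staging instead; that is a safe default, but the comment above the recipe still only says "Deploy the site to Cloudflare Pages" and should mention the argument, e.g. `# Deploy the site to Cloudflare Pages (just deploy production)`. Also confirm that a `staging` environment is defined in the wrangler config, since `--env` with an undefined name fails at deploy time.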
2 changes: 1 addition & 1 deletion package.json
Expand Up @@ -13,7 +13,7 @@
"fix": "biome check --write && pnpm audit fix"
},
"dependencies": {
"@kixelated/hang": "^0.3.9",
"@kixelated/hang": "link:../moq/js/hang",
⚠️ Potential issue

Local link dependency will break CI/Cloudflare builds.

link:../moq/js/hang assumes a sibling repo on disk and won’t exist in remote builders, causing installs/builds to fail. Use a published semver or a Git dependency for reproducible builds; keep local linking as a dev-only override.

Recommended revert for main:

-    "@kixelated/hang": "link:../moq/js/hang",
+    "@kixelated/hang": "^0.3.9",

Dev-only options:

  • Use pnpm link --global locally without committing.
  • Or add a per-developer .npmrc with @kixelated:registry= pointing to a private feed if testing prereleases.
  • If you need unreleased code, reference a Git tag/commit: "@kixelated/hang": "github:kixelated/moq#<commit-or-tag>:js/hang" (ensure your build environment has access).
🤖 Prompt for AI Agents
In package.json around line 16, the dependency "@kixelated/hang":
"link:../moq/js/hang" is a local filesystem link that will break CI/Cloudflare
builds; replace it with a published semver or a remote Git reference for
reproducible builds (e.g. a package version or
"github:kixelated/moq#<commit-or-tag>:js/hang"), and keep any local link only as
a developer-only override (use pnpm link locally or per-developer .npmrc) so
commits do not include link: paths that remote builders can't resolve.

"astro": "^5.8.2",
"solid-js": "^1.9.7",
"unique-names-generator": "^4.7.1"