Project_Velocity/infrastructure/desineuron_ingress

Desineuron Ingress

This directory contains the reproducible bootstrap artifacts for the desineuron-ingress-01 EC2 node.

Architecture:

• EC2 t4g.micro on-demand in us-east-1
• Amazon Linux 2023 ARM64
• 20 GB gp3 root volume
• Caddy as the public HTTPS edge
• rathole as the reverse TCP relay from the Linux origin box

Traffic model:

• Public DNS stays in Cloudflare
• Public HTTPS terminates on EC2
• All six public hostnames proxy through EC2 to one local relay socket
• Linux origin continues to serve the actual apps on https://localhost:443

Key files:

• user_data.sh: first-boot provisioning for the EC2 ingress node
• Caddyfile: public edge routing
• rathole-server.toml: EC2-side relay config
• rathole-client.toml: Linux-side relay config template
• install_linux_rathole_client.sh: Linux-side installer/service script
• sync_ingress_home_ip.py: detects current home public IP and updates the ingress SSH allowlist rule
• desineuron-ingress-home-ip-sync.service: systemd oneshot service for the IP sync
• desineuron-ingress-home-ip-sync.timer: persistent timer that reruns the sync every 5 minutes and on boot
• install_linux_ingress_ip_sync.sh: Linux-side installer for the IP sync service

Manual Cloudflare work still required unless API credentials are provided:

• set the six hostnames to DNS-only
• point them to the ingress Elastic IP
• retire the Cloudflare Tunnel routes once public validation passes

Dynamic home IP handling:

• rathole control port 2333/tcp is intentionally open on the ingress so public services do not break when the ISP IP changes
• SSH fallback on the ingress remains restricted to the current home public IP on 22/tcp
• the Linux-side IP sync service keeps that SSH fallback rule current after ISP churn or reboot