Cloudflare changes (#66)

Author: kixelated

.env.development

@@ -1,2 +1,3 @@
 PUBLIC_RELAY_URL="http://localhost:4443"
 PUBLIC_RELAY_TOKEN=""
+PUBLIC_CLOUDFLARE_URL="https://relay.cloudflare.mediaoverquic.com"

.env.production

@@ -1,3 +1,4 @@
 PUBLIC_RELAY_URL="https://relay.moq.dev"
 # Generate with: cargo run --bin moq-token -- --key root.jwk sign --root "demo" --subscribe ""
 PUBLIC_RELAY_TOKEN="eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyb290IjoiZGVtbyIsImdldCI6WyIiXSwiZXhwIjpudWxsLCJpYXQiOm51bGx9.6EoN-Y1Ouj35_qV5FokcdcdderrE2navNbYQjJyR2Ac"
+PUBLIC_CLOUDFLARE_URL="https://relay.cloudflare.mediaoverquic.com"

astro.config.ts

@@ -36,5 +36,8 @@ export default defineConfig({
 				"@": "/src",
 			},
 		},
+		optimizeDeps: {
+			exclude: ["@kixelated/hang"],
+		},
 	},
 });

env.d.ts

@@ -3,6 +3,7 @@
 interface ImportMetaEnv {
 	readonly PUBLIC_RELAY_URL: string;
 	readonly PUBLIC_RELAY_TOKEN: string;
+	readonly PUBLIC_CLOUDFLARE_URL: string;
 }
 
 interface ImportMeta {

infra/input.tf

@@ -25,22 +25,12 @@ variable "domain" {
 
 variable "docker_relay" {
   description = "Docker image for moq-relay"
-  default     = "docker.io/kixelated/moq-relay:0.8.8"
+  default     = "docker.io/kixelated/moq-relay:0.9.2"
 }
 
 variable "docker_hang" {
   description = "Docker image for hang"
-  default     = "docker.io/kixelated/hang:0.2.5"
-}
-
-variable "cloudflare_dns_token" {
-  description = "Cloudflare DNS API token - edit permissions for moq.dev"
-  sensitive   = true
-}
-
-variable "cloudflare_zone_token" {
-  description = "Cloudflare Zone API token - read permissions for all zones"
-  sensitive   = true
+  default     = "docker.io/kixelated/hang:0.2.9"
 }
 
 # Too complicated to specify via flags, so do it here.

infra/relay-lb.tf

@@ -70,4 +70,13 @@ resource "google_compute_backend_service" "relay_lb" {
     google_compute_http_health_check.relay.self_link
   ]
 }
+
+
+# We must use a legacy health check for the UDP load balancer
+resource "google_compute_http_health_check" "relay" {
+  name               = "relay"
+  request_path       = "/health"
+  check_interval_sec = 5
+  timeout_sec        = 5
+}
 */

infra/relay.tf

@@ -89,7 +89,7 @@ resource "google_dns_record_set" "relay" {
   rrdatas      = [google_compute_address.relay[each.key].address]
 }
 
-# Allow UDP 443
+# Allow port 443
 resource "google_compute_firewall" "relay" {
   name    = "relay"
   network = "default"
@@ -99,18 +99,15 @@ resource "google_compute_firewall" "relay" {
     ports    = ["443"]
   }
 
+  allow {
+    protocol = "tcp"
+    ports    = ["443"]
+  }
+
   source_ranges = ["0.0.0.0/0"]
   target_tags   = ["relay"]
 }
 
-# We must use a legacy health check for the UDP load balancer
-resource "google_compute_http_health_check" "relay" {
-  name               = "relay"
-  request_path       = "/health"
-  check_interval_sec = 5
-  timeout_sec        = 5
-}
-
 # Create an internal TLS certificate for the relay
 resource "tls_private_key" "relay_internal" {
   for_each = local.relays

infra/relay.yml.tpl

@@ -56,17 +56,17 @@ write_files:
       [server]
       listen = "0.0.0.0:443"
 
-      [[server.tls.cert]]
-      chain = "/etc/cert/${cluster_node}.crt"
-      key = "/etc/cert/${cluster_node}.key"
-
-      [[server.tls.cert]]
-      chain = "/etc/cert/${public_host}.crt"
-      key = "/etc/cert/${public_host}.key"
+      tls.cert = [ "/etc/cert/${cluster_node}.crt", "/etc/cert/${public_host}.crt" ]
+      tls.key = [ "/etc/cert/${cluster_node}.key", "/etc/cert/${public_host}.key" ]
 
       [client]
       tls.root = [ "/etc/cert/internal.ca" ]
 
+      [web.https]
+      listen = "0.0.0.0:443"
+      cert = "/etc/cert/${public_host}.crt"
+      key = "/etc/cert/${public_host}.key"
+
       [cluster]
       connect = "${cluster_root}"
       advertise = "${cluster_node}"
@@ -115,6 +115,7 @@ write_files:
       Type=oneshot
       RemainAfterExit=true
       ExecStart=iptables -A INPUT -p udp --dport 443 -j ACCEPT
+      ExecStart=iptables -A INPUT -p tcp --dport 443 -j ACCEPT
 
   # There's a mismatch between the GCP network MTU and the docker MTU
   - path: /etc/docker/daemon.json

justfile

@@ -54,11 +54,14 @@ build:
 	pnpm astro build
 
 # Deploy the site to Cloudflare Pages
-deploy: build
-	pnpm wrangler deploy
+deploy env="staging": build
+	pnpm wrangler deploy --env {{env}}
 
 dev:
 	pnpm i
 
 	# Run the web development server
 	pnpm astro dev --open
+
+preview: build
+	pnpm astro preview --open

package.json

@@ -13,7 +13,7 @@
 		"fix": "biome check --write && pnpm audit fix"
 	},
 	"dependencies": {
-		"@kixelated/hang": "^0.3.9",
+		"@kixelated/hang": "link:../moq/js/hang",
 		"astro": "^5.8.2",
 		"solid-js": "^1.9.7",
 		"unique-names-generator": "^4.7.1"