feat: rg prod (#2281)

<!-- Please make sure there is an issue that this PR is correlated to. -->

## Changes

<!-- If there are frontend changes, please include screenshots. -->

Author: MasterPtato

Diff for: examples/system-test/package.json

@@ -11,6 +11,7 @@
 	"devDependencies": {
 		"@rivet-gg/actor-core": "^5.1.2",
 		"@rivet-gg/api": "^24.6.2",
+		"@types/deno": "^2.2.0",
 		"@types/node": "^22.13.9",
 		"@types/ws": "^8.18.0",
 		"node-fetch": "^3.3.2",

Diff for: examples/system-test/yarn.lock

@@ -277,6 +277,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@types/deno@npm:^2.2.0":
+  version: 2.2.0
+  resolution: "@types/deno@npm:2.2.0"
+  checksum: 10c0/cb45bbffe66a3008224a509c6bcb338921cc68b9045363f77ba5d84650d879b8fd4c810db24369a93fbce4a8e2855808bb141c0447feb47d911a7512ba374bde
+  languageName: node
+  linkType: hard
+
 "@types/node@npm:*, @types/node@npm:^22.13.9":
   version: 22.13.9
   resolution: "@types/node@npm:22.13.9"
@@ -1519,6 +1526,7 @@ __metadata:
     "@hono/node-ws": "npm:^1.1.0"
     "@rivet-gg/actor-core": "npm:^5.1.2"
     "@rivet-gg/api": "npm:^24.6.2"
+    "@types/deno": "npm:^2.2.0"
     "@types/node": "npm:^22.13.9"
     "@types/ws": "npm:^8.18.0"
     hono: "npm:^4.6.17"

Diff for: frontend/apps/hub/vendor/rivet-gg-api.tgz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:2b4cedaff70a26f081fc0d58a41f072518e9679461a19a35dae9a56c70ea1830
-size 545765
+oid sha256:33f122a17701fd66c37418c5a467ab386559bfce63b3859f587bac2ce63339e6
+size 545789

Diff for: packages/common/config/src/config/guard/mod.rs

@@ -7,16 +7,16 @@ use std::path::PathBuf;
 #[serde(deny_unknown_fields)]
 #[derive(Default)]
 pub struct Guard {
-	pub http_port: u16, // Port for HTTP traffic
+	pub http_port: u16,       // Port for HTTP traffic
 	pub https: Option<Https>, // Optional HTTPS configuration
 }
 
 #[derive(Debug, Serialize, Deserialize, Clone, JsonSchema)]
 #[serde(deny_unknown_fields)]
 #[derive(Default)]
 pub struct Https {
-	pub port: u16,      // Port for HTTPS traffic
-	pub tls: Tls,       // TLS configuration
+	pub port: u16, // Port for HTTPS traffic
+	pub tls: Tls,  // TLS configuration
 }
 
 #[derive(Debug, Serialize, Deserialize, Clone, JsonSchema)]

Diff for: packages/common/config/src/config/mod.rs

@@ -2,11 +2,11 @@ use global_error::prelude::*;
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
-pub mod server;
 pub mod guard;
+pub mod server;
 
-pub use server::*;
 pub use guard::*;
+pub use server::*;
 
 // IMPORTANT:
 //

Diff for: packages/common/config/src/config/server/rivet/cluster_provision.rs

@@ -25,6 +25,9 @@ pub struct ClusterProvision {
 
 	// The URL for the rivet edge server binary.
 	pub edge_server_binary_url: Url,
+
+	// The URL for the rivet guard binary.
+	pub guard_binary_url: Url,
 }
 
 impl ClusterProvision {
@@ -44,6 +47,7 @@ pub struct ClusterPools {
 	pub fdb: ClusterPoolFdb,
 	pub worker: ClusterPoolWorker,
 	pub nats: ClusterPoolNats,
+	pub guard: ClusterPoolGuard,
 }
 
 #[derive(Debug, Serialize, Deserialize, Clone, JsonSchema)]
@@ -303,6 +307,88 @@ impl ClusterPoolNats {
 	}
 }
 
+#[derive(Debug, Serialize, Deserialize, Clone, JsonSchema)]
+#[serde(rename_all = "snake_case", deny_unknown_fields)]
+pub struct ClusterPoolGuard {
+	pub autoscale_margin: u32,
+
+	#[schemars(with = "Option<String>")]
+	pub vlan_ip_net: Option<Ipv4Net>,
+	pub firewall_rules: Option<Vec<FirewallRule>>,
+}
+
+impl ClusterPoolGuard {
+	pub fn vlan_ip_net(&self) -> Ipv4Net {
+		Ipv4Net::new(Ipv4Addr::new(10, 0, 0, 0), 26).unwrap()
+	}
+
+	pub fn vlan_addr_range(&self) -> Ipv4AddrRange {
+		self.vlan_ip_net().hosts()
+	}
+
+	pub fn firewall_rules(&self, rg: &super::Guard) -> Vec<FirewallRule> {
+		[
+			FirewallRule::base_rules(),
+			vec![
+				// HTTP(S)
+				FirewallRule {
+					label: "http-tcp".into(),
+					ports: "80".into(),
+					protocol: "tcp".into(),
+					inbound_ipv4_cidr: vec!["0.0.0.0/0".into()],
+					inbound_ipv6_cidr: vec!["::/0".into()],
+				},
+				FirewallRule {
+					label: "http-udp".into(),
+					ports: "80".into(),
+					protocol: "udp".into(),
+					inbound_ipv4_cidr: vec!["0.0.0.0/0".into()],
+					inbound_ipv6_cidr: vec!["::/0".into()],
+				},
+				FirewallRule {
+					label: "https-tcp".into(),
+					ports: "443".into(),
+					protocol: "tcp".into(),
+					inbound_ipv4_cidr: vec!["0.0.0.0/0".into()],
+					inbound_ipv6_cidr: vec!["::/0".into()],
+				},
+				FirewallRule {
+					label: "https-udp".into(),
+					ports: "443".into(),
+					protocol: "udp".into(),
+					inbound_ipv4_cidr: vec!["0.0.0.0/0".into()],
+					inbound_ipv6_cidr: vec!["::/0".into()],
+				},
+				// Dynamic TCP
+				FirewallRule {
+					label: "dynamic-tcp".into(),
+					ports: format!(
+						"{}-{}",
+						rg.min_ingress_port_tcp(),
+						rg.max_ingress_port_tcp()
+					),
+					protocol: "tcp".into(),
+					inbound_ipv4_cidr: vec!["0.0.0.0/0".into()],
+					inbound_ipv6_cidr: vec!["::/0".into()],
+				},
+				// Dynamic UDP
+				FirewallRule {
+					label: "dynamic-udp".into(),
+					ports: format!(
+						"{}-{}",
+						rg.min_ingress_port_udp(),
+						rg.max_ingress_port_udp()
+					),
+					protocol: "udp".into(),
+					inbound_ipv4_cidr: vec!["0.0.0.0/0".into()],
+					inbound_ipv6_cidr: vec!["::/0".into()],
+				},
+			],
+		]
+		.concat()
+	}
+}
+
 #[derive(Debug, Serialize, Deserialize, Clone, JsonSchema)]
 pub struct FirewallRule {
 	pub label: String,

Diff for: packages/common/config/src/config/server/rivet/mod.rs

@@ -29,7 +29,7 @@ pub mod default_dev_cluster {
 
 	// In dev, there are no servers to pull the addresses from. We need to have a fallback address.
 	pub const DEV_EDGE_API_FALLBACK_ADDR_LAN_HOST: &str = "rivet-edge-server";
-pub const DEV_EDGE_API_FALLBACK_ADDR_LAN_PORT: u16 = 8080;
+	pub const DEV_EDGE_API_FALLBACK_ADDR_LAN_PORT: u16 = 8080;
 }
 
 pub mod default_hosts {
@@ -287,12 +287,10 @@ impl Rivet {
 				Some(lan_addr.clone())
 			} else {
 				match self.auth.access_kind {
-					AccessKind::Development => {
-						Some((
-							default_dev_cluster::DEV_EDGE_API_FALLBACK_ADDR_LAN_HOST.to_string(),
-							default_dev_cluster::DEV_EDGE_API_FALLBACK_ADDR_LAN_PORT
-						))
-					}
+					AccessKind::Development => Some((
+						default_dev_cluster::DEV_EDGE_API_FALLBACK_ADDR_LAN_HOST.to_string(),
+						default_dev_cluster::DEV_EDGE_API_FALLBACK_ADDR_LAN_PORT,
+					)),
 					AccessKind::Public | AccessKind::Private => None,
 				}
 			}
@@ -811,5 +809,5 @@ pub struct Edge {
 	#[serde(default)]
 	pub api_lan_address: Option<(String, u16)>,
 	#[serde(default)]
-	pub redirect_logs: Option<bool>,
+	pub redirect_logs_dir: Option<PathBuf>,
 }

Diff for: packages/common/convert/src/impls/provision.rs

@@ -13,6 +13,7 @@ impl ApiFrom<models::ProvisionPoolType> for cluster::types::PoolType {
 			models::ProvisionPoolType::Fdb => cluster::types::PoolType::Fdb,
 			models::ProvisionPoolType::Worker => cluster::types::PoolType::Worker,
 			models::ProvisionPoolType::Nats => cluster::types::PoolType::Nats,
+			models::ProvisionPoolType::Guard => cluster::types::PoolType::Guard,
 		}
 	}
 }
@@ -28,6 +29,7 @@ impl ApiFrom<cluster::types::PoolType> for models::ProvisionPoolType {
 			cluster::types::PoolType::Fdb => models::ProvisionPoolType::Fdb,
 			cluster::types::PoolType::Worker => models::ProvisionPoolType::Worker,
 			cluster::types::PoolType::Nats => models::ProvisionPoolType::Nats,
+			cluster::types::PoolType::Guard => models::ProvisionPoolType::Guard,
 		}
 	}
 }

Diff for: packages/common/runtime/src/otel.rs

@@ -1,5 +1,6 @@
 // Based off of https://github.com/tokio-rs/tracing-opentelemetry/blob/v0.1.x/examples/opentelemetry-otlp.rs
 
+use console_subscriber;
 use opentelemetry::{global, trace::TracerProvider as _, KeyValue};
 use opentelemetry_otlp::WithExportConfig;
 use opentelemetry_sdk::{
@@ -11,7 +12,6 @@ use opentelemetry_sdk::{
 use opentelemetry_semantic_conventions::{attribute::SERVICE_VERSION, SCHEMA_URL};
 use tracing_opentelemetry::{MetricsLayer, OpenTelemetryLayer};
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt, EnvFilter, Layer};
-use console_subscriber;
 
 fn resource() -> Resource {
 	Resource::builder()
@@ -119,7 +119,6 @@ pub fn init_tracing_subscriber() -> OtelGuard {
 	//	opentelemetry_appender_tracing::layer::OpenTelemetryTracingBridge::new(&logger_provider)
 	//		.with_filter(filter_otel);
 
-
 	// Create env filter
 	let mut env_filter = EnvFilter::default()
 		// Default filter

Diff for: packages/common/server-cli/src/commands/start.rs

@@ -1,4 +1,4 @@
-use std::{path::Path, time::Duration};
+use std::time::Duration;
 
 use anyhow::*;
 use clap::Parser;
@@ -48,16 +48,14 @@ impl Opts {
 		run_config: &RunConfig,
 	) -> Result<()> {
 		// Redirect logs if enabled on the edge
-		if config
+		if let Some(logs_dir) = config
 			.server()
 			.ok()
 			.and_then(|x| x.rivet.edge.as_ref())
-			.and_then(|x| x.redirect_logs)
-			.unwrap_or_default()
+			.and_then(|x| x.redirect_logs_dir.as_ref())
 		{
-			let logs_path = Path::new("/var/log/rivet-edge-server");
-			std::fs::create_dir_all(logs_path)?;
-			rivet_logs::Logs::new(logs_path.to_path_buf(), LOGS_RETENTION)
+			std::fs::create_dir_all(logs_dir)?;
+			rivet_logs::Logs::new(logs_dir.clone(), LOGS_RETENTION)
 				.start()
 				.await?;
 		}

Diff for: packages/core/api/traefik-provider/src/route/tunnel.rs

@@ -45,7 +45,10 @@ pub async fn build_ip_allowlist(
 	let servers_res = ctx
 		.op(cluster::ops::server::list::Input {
 			filter: cluster::types::Filter {
-				pool_types: Some(vec![cluster::types::PoolType::Gg]),
+				pool_types: Some(vec![
+					cluster::types::PoolType::Gg,
+					cluster::types::PoolType::Guard,
+				]),
 				..Default::default()
 			},
 			include_destroyed: false,

Diff for: packages/core/services/cluster/src/lib.rs

@@ -18,6 +18,8 @@ pub fn registry() -> WorkflowResult<Registry> {
 	registry.register_workflow::<server::drain::Workflow>()?;
 	registry.register_workflow::<server::gg_dns_create::Workflow>()?;
 	registry.register_workflow::<server::gg_dns_delete::Workflow>()?;
+	registry.register_workflow::<server::guard_dns_create::Workflow>()?;
+	registry.register_workflow::<server::guard_dns_delete::Workflow>()?;
 	registry.register_workflow::<server::install::Workflow>()?;
 	registry.register_workflow::<server::undrain::Workflow>()?;
 	registry.register_workflow::<server::Workflow>()?;

Diff for: packages/core/services/cluster/src/ops/datacenter/location_get.rs

@@ -61,7 +61,7 @@ pub async fn cluster_datacenter_location_get(
 }
 
 async fn query_dcs(ctx: OperationCtx, datacenter_ids: Vec<Uuid>) -> GlobalResult<Vec<Datacenter>> {
-	// NOTE: if there is no active GG node in a datacenter, we cannot retrieve its location
+	// NOTE: if there is no active guard node in a datacenter, we cannot retrieve its location
 	// Fetch the gg node public ip for each datacenter (there may be more than one, hence `DISTINCT`)
 	let server_rows = sql_fetch_all!(
 		[ctx, (Uuid, IpAddr)]
@@ -71,14 +71,14 @@ async fn query_dcs(ctx: OperationCtx, datacenter_ids: Vec<Uuid>) -> GlobalResult
 		FROM db_cluster.servers
 		WHERE
 			datacenter_id = ANY($1) AND
-			pool_type = $2 AND
+			pool_type = ANY($2) AND
 			public_ip IS NOT NULL AND
 			cloud_destroy_ts IS NULL
 		-- For consistency
 		ORDER BY public_ip DESC
 		",
 		&datacenter_ids,
-		PoolType::Gg as i64,
+		[PoolType::Gg as i64, PoolType::Guard as i64],
 	)
 	.await?;
 

Diff for: packages/core/services/cluster/src/ops/datacenter/topology_get/mod.rs

@@ -200,7 +200,7 @@ pub async fn cluster_datacenter_topology_get(
 						PoolType::Gg
 							| PoolType::Ats | PoolType::PegboardIsolate
 							| PoolType::Fdb | PoolType::Worker
-							| PoolType::Nats
+							| PoolType::Nats | PoolType::Guard
 					)
 				})
 				.collect::<Vec<_>>();

Diff for: packages/core/services/cluster/src/types.rs

@@ -85,6 +85,7 @@ pub enum PoolType {
 	Fdb = 5,
 	Worker = 6,
 	Nats = 7,
+	Guard = 8,
 }
 
 impl std::fmt::Display for PoolType {
@@ -98,6 +99,7 @@ impl std::fmt::Display for PoolType {
 			PoolType::Fdb => write!(f, "fdb"),
 			PoolType::Worker => write!(f, "worker"),
 			PoolType::Nats => write!(f, "nats"),
+			PoolType::Guard => write!(f, "guard"),
 		}
 	}
 }

Diff for: packages/core/services/cluster/src/workflows/datacenter/scale.rs

@@ -348,7 +348,12 @@ async fn scale_servers(
 				.await?;
 			}
 		}
-		PoolType::Gg | PoolType::Ats | PoolType::Fdb | PoolType::Worker | PoolType::Nats => {
+		PoolType::Gg
+		| PoolType::Ats
+		| PoolType::Fdb
+		| PoolType::Worker
+		| PoolType::Nats
+		| PoolType::Guard => {
 			let installed_servers = active_servers.filter(|server| server.is_installed);
 			let installed_count = installed_servers.clone().count();
 

Diff for: packages/core/services/cluster/src/workflows/prebake.rs

@@ -44,7 +44,7 @@ pub async fn cluster_prebake(ctx: &mut WorkflowCtx, input: &Input) -> GlobalResu
 						PoolType::Job | PoolType::Pegboard | PoolType::PegboardIsolate => {
 							linode::types::FirewallPreset::Job
 						}
-						PoolType::Gg => linode::types::FirewallPreset::Gg,
+						PoolType::Gg | PoolType::Guard => linode::types::FirewallPreset::Gg,
 						PoolType::Ats => linode::types::FirewallPreset::Ats,
 						PoolType::Fdb => linode::types::FirewallPreset::Fdb,
 						PoolType::Worker => linode::types::FirewallPreset::Worker,

Diff for: packages/core/services/cluster/src/workflows/server/drain.rs

@@ -36,7 +36,7 @@ pub(crate) async fn cluster_server_drain(ctx: &mut WorkflowCtx, input: &Input) -
 			})
 			.await?;
 		}
-		PoolType::Gg => {
+		PoolType::Gg | PoolType::Guard => {
 			ctx.signal(crate::workflows::server::DnsDelete {})
 				.tag("server_id", input.server_id)
 				.send()