Add support for High Availability VPC #3
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ups of sqlite, backup of noise private key, and more robust node configurations
Evrard-Nil
requested changes
Jan 16, 2026
| if aws s3 ls "\$S3_PATH" >/dev/null 2>&1; then | ||
| echo "noise_private.key already exists in S3, skipping upload" | ||
| elif [ -f "\$KEY_PATH" ]; then | ||
| echo "Uploading noise_private.key to S3..." |
Collaborator
There was a problem hiding this comment.
Ideally we want to encrypt the key to avoid us being able to retrieve it from s3 and run headscale outside a CVM
Collaborator
There was a problem hiding this comment.
E.g. using the disk key at /dstack/.host-shared/.appkeys.json | jq .disk_crypt_key
Author
There was a problem hiding this comment.
Hi Evrard,
I just experimented a bit. I don't think we should do this because the cvm configurations might (will) change with most deployments and the key will be different as well, so the decryptions won't work. I do think encryptions of some sort would be very useful here, but I think we can maybe do this later.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
High Availability Architecture: Introduces an Nginx load balancer and dynamic Docker Compose logic to support running multiple VPC API servers in parallel (toggled via DSTACK_VPC_HA_MODE).
Database Persistence & S3 Replication: Integrates Litestream to replicate the Headscale SQLite database to S3 in real-time and implements automated backup/restore for the noise_private.key to preserve server identity across redeployments.
Self-Healing Client Nodes: Upgrades node scripts with intelligent retry logic, connection timeouts, and an auto-recovery mechanism that automatically triggers re-registration if VPN authentication fails.
Operational Stability: Implements container restart limits to prevent infinite crash loops, updates health checks to support the new load balancer, and bumps core dependencies (Docker, OpenSSL) to the latest versions.
https://www.notion.so/jasnahcom/DStack-VPC-High-Availability-Architecture-Changes-2e229a6526bf80a38ea9e5aaef7cbd1a
Testing
Test Environment
Scenario 1: Initial Deployment & Backup
Scenario 2: VPC Server Redeploy (Fresh CVM)
Scenario 3: New Node After Restore