3.7 KiB
G14 Provider Node
G14 is a UniDesk provider node for migrated infrastructure workloads. Its UniDesk provider id is G14; the local UniDesk worktree is /root/unidesk, and the native k3s kubeconfig is /etc/rancher/k3s/k3s.yaml.
G14's long-lived k3s control bridge is k3sctl-adapter-g14, a UniDesk direct service outside the k3s fault domain. It listens on the G14 host loopback port 127.0.0.1:4266 and is registered separately from the D601 k3sctl-adapter, so G14 infrastructure services can move without taking over user services that still run on D601.
For Code Queue and CI/CD migration, G14 uses native k3s labels unidesk.ai/node-id=G14 and unidesk.ai/provider-id=G14. The migrated Code Queue execution plane uses src/components/microservices/k3sctl-adapter/k3s/code-queue.g14.k8s.yaml and the managed-service catalog src/components/microservices/k3sctl-adapter/k3s/code-queue.g14.k3s.json.
Node-Local VPN Proxy
G14 has a node-local VPN/proxy stack for infrastructure bootstrap and recovery downloads:
- Primary mixed HTTP/SOCKS proxy:
127.0.0.1:10808. - Backup Hysteria2 HTTP proxy:
127.0.0.1:11809. - Backup Hysteria2 SOCKS5 proxy:
127.0.0.1:11808. - Operator-only local details remain on G14 under
/root/docs/vpn-proxy-ops.md; subscription URLs, node credentials and GUI database contents must not be copied into the UniDesk repository.
The G14 host persists this proxy configuration in these local files:
/etc/profile.d/unidesk-g14-proxy.shexportsHTTP_PROXY,HTTPS_PROXY,ALL_PROXY, lowercase aliases andNO_PROXYfor new login shells. SetUNIDESK_G14_DISABLE_PROXY=1before shell startup to opt out./root/.npmrcpins npmproxy,https-proxy,noproxyand retry settings for root-side bootstrap commands./root/.gitconfigpins root Git HTTP/HTTPS proxy settings./etc/systemd/system/docker.service.d/proxy.confpins Docker daemon pull proxy settings. Updating this drop-in requiressystemctl daemon-reloadand a Docker restart before the active daemon sees the newNO_PROXY; do not restart Docker while G14 provider-gateway, k3s bootstrap or image builds are in flight unless that interruption is intentional.
The NO_PROXY list must include localhost, the main server, private LAN ranges, k3s pod/service CIDRs, Kubernetes service domains and the loopback registry so that k3s, 127.0.0.1:5000, Kubernetes API access and UniDesk control paths do not route through the VPN proxy.
The primary proxy can be used for G14 target-side image bootstrap when Docker Hub, npm, GitHub or Playwright downloads are unreliable through direct network or provider-gateway WS egress. For Docker build steps that use 127.0.0.1, build with host networking so the build container reaches the host proxy:
docker build --network host \
--build-arg HTTP_PROXY=http://127.0.0.1:10808 \
--build-arg HTTPS_PROXY=http://127.0.0.1:10808 \
--build-arg ALL_PROXY=socks5h://127.0.0.1:10808 \
--build-arg http_proxy=http://127.0.0.1:10808 \
--build-arg https_proxy=http://127.0.0.1:10808 \
--build-arg all_proxy=socks5h://127.0.0.1:10808 \
...
The backup proxy uses HTTP_PROXY=http://127.0.0.1:11809, HTTPS_PROXY=http://127.0.0.1:11809 and ALL_PROXY=socks5h://127.0.0.1:11808.
This proxy is not a replacement for UniDesk runtime egress. k3s workloads such as Code Queue must still use the cataloged g14-provider-egress-proxy Kubernetes Service and g14-tcp-egress-gateway for normal runtime access to PostgreSQL, OA Event Flow and external APIs. The node-local VPN proxy is allowed only for G14 host-side bootstrap, image build, cache prewarm or recovery steps, and those steps should record the proxy choice in issue or deployment evidence.