Iron-Legion/documentation
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1b6c73d13bb575939818520b0b0aa6501b0878c1
documentation/procedures/vscode-server-mk7-deploy.md
F.R.I.D.A.Y. 1b6c73d13b docs: Update vscode-server procedure for Traefik file provider 
- Remove host port publish (8443) from compose
- Document Traefik file provider route requirement
- Add example dynamic config for vscode.ai.home
- Fix DNS guidance: CNAME to traefik.ai.home
2026-06-02 21:35:01 -04:00

6.2 KiB
Raw Blame History

VS Code: Server Deployment Procedure

Generated: 2026-06-02 Maintainer: Artemis (AI Foreman)

Overview

This document describes the deployment of Microsoft VS Code: Server (via LinuxServer openvscode-server Docker image) on MK7 (Swarm Manager) to replace the previous code-server deployment on Neo. The primary driver was to enable native Remote-SSH support, which is unavailable in OpenVSX-based alternatives.

Key advantage: MK7's placement on the 192.168.7.x LAN grants direct access to all fleet nodes and Proxmox VE workers via their LAN IPs. When deployed on Neo (192.168.192.x), the container was isolated from fleet subnets.

Architecture

Component Value
Host MK7 (mark-vii.ai.home)
Swarm Mode replicated with placement constraint node.hostname == mark-vii.ai.home
Container IP Swarm overlay (10.0.1.x/24) via traefik-public network
Internal Service Port 3000
Traefik Endpoint vscode.ai.homehttp://192.168.7.7:8443
DNS Record CNAME vscode.ai.hometraefik.ai.home (Technitium)
Image lscr.io/linuxserver/openvscode-server:latest
Marketplace Microsoft (official) — Remote-SSH available natively

Prerequisites

  • MK7 Docker Swarm active with traefik-public overlay network
  • Traefik reverse proxy running on traefik.ai.home
  • Technitium DNS authoritative for ai.home zone
  • SSH key pair (vscode_ed25519) deployed to all fleet nodes
  • /home/jarvis/.vscode-ssh directory created on MK7 host with:
    • config — SSH aliases for all fleet nodes
    • vscode_ed25519 — private key (mode 600)
    • vscode_ed25519.pub — public key (mode 644)

Deployment Steps

1. Prepare SSH Key Directory on MK7

mkdir -p /home/jarvis/.vscode-ssh
chmod 700 /home/jarvis/.vscode-ssh
# Copy vscode_ed25519 key pair + config from source node
scp source:/path/to/vscode_ed25519* /home/jarvis/.vscode-ssh/
chmod 600 /home/jarvis/.vscode-ssh/vscode_ed25519
chmod 644 /home/jarvis/.vscode-ssh/vscode_ed25519.pub
chmod 644 /home/jarvis/.vscode-ssh/config

2. Compose File (vscode-server-compose.yaml)

version: '3.8'

services:
  vscode:
    image: lscr.io/linuxserver/openvscode-server:latest
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      # Generate a random hex token: openssl rand -hex 16
      - CONNECTION_TOKEN=<RANDOM_HEX_TOKEN>
      - DEFAULT_WORKSPACE=/config/workspace
    volumes:
      - vscode_data:/config/workspace
      - type: bind
        source: /home/jarvis/.vscode-ssh
        target: /config/.ssh
    networks:
      - traefik-public
    deploy:
      placement:
        constraints:
          - node.hostname == mark-vii.ai.home
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.vscode.rule=Host(`vscode.ai.home`)"
      - "traefik.http.routers.vscode.entrypoints=websecure"
      - "traefik.http.routers.vscode.tls=true"
      - "traefik.http.services.vscode.loadbalancer.server.port=3000"

volumes:
  vscode_data:
    driver: local

networks:
  traefik-public:
    external: true

Note: Traefik on this cluster uses the file provider (not Docker provider). Swarm labels are informational only. You must also add a route file to Traefik's dynamic config directory.

3a. Traefik Route File

Create /opt/iron-legion/docker-swarm/traefik/dynamic/vscode.yml on the MK7 host:

http:
  routers:
    vscode-http:
      rule: "Host(`vscode.ai.home`)"
      entryPoints:
        - web
      service: vscode
    vscode-https:
      rule: "Host(`vscode.ai.home`)"
      entryPoints:
        - websecure
      service: vscode
      tls: {}

  services:
    vscode:
      loadBalancer:
        servers:
          - url: "http://192.168.7.7:8443"
        passHostHeader: true

Traefik auto-reloads file provider configs on change.

3. Deploy via Swarm

sudo docker stack deploy -c vscode-server-compose.yaml vscode

4. Verify Startup

sudo docker service ls | grep vscode
sudo docker service ps vscode_vscode
sudo docker logs $(docker ps -q -f name=vscode)

Access URLs

| Direct (HTTP) | http://192.168.7.7:8443/?tkn=<TOKEN> | Lan-only, no SSL (if port published) | | Via Traefik (HTTPS) | https://vscode.ai.home/?tkn=<TOKEN> | Recommended — CNAME to traefik.ai.home |

Token location: Set in compose CONNECTION_TOKEN env var.

Fleet Node SSH Config

The container mounts /config/.ssh containing a standard OpenSSH config file with all fleet aliases. Remote-SSH extension reads this automatically.

Format example:

Host artemis
    HostName 192.168.15.182
    User jarvis
    IdentityFile ~/.ssh/vscode_ed25519
    IdentitiesOnly yes

PVE nodes (mk33/34/39): Present but User root — key deployment pending.

Why MK7 Over Neo

Factor Neo (Previous) MK7 (Current)
Network Isolated subnet (192.168.192.x) Core LAN (192.168.7.x)
Swarm Standalone Manager
Traefik Manual or absent Already deployed
Remote-SSH Unavailable (OpenVSX) Available (Microsoft)
Fleet Reach None Direct SSH to all nodes

Troubleshooting

Port 8443 not reachable externally:

  • Check Swarm ingress: sudo iptables -t nat -L DOCKER-INGRESS | grep 8443
  • Verify container binding: sudo ss -tlnp | grep 8443

Container fails to start with mount error:

  • Ensure /home/jarvis/.vscode-ssh exists on MK7 host before deploy
  • Swarm bind mounts require host path existence at deploy time

Token rejected:

  • Tokens must be hex-only characters (0-9, a-f)
  • Regenerate with: openssl rand -hex 16

Traefik route not found:

  • Verify traefik-public network exists: docker network ls | grep traefik
  • Check Traefik dashboard at https://traefik.ai.home:8080

References

End of document

Reference in New Issue View Git Blame Copy Permalink