NHAS
commented
5 months ago Hi Chris, Im going to assume you want to destroy the wag boxes aggressively so it becomes incredibly difficult for an attacker to maintain persistence on your ingress machine?
Or is this for updates/infra as code?
I'd be more than happy for this to be an addition to wag as I think it makes sense.
I am currently working on a couple things which will delay my involvement in this. Such as moving on from eBPF, Websocket challenge response, and better etcd cluster roaming.
ChrisPortman
I would like to be able to run a WAG instance in a cloud environment where it is deployed as a single instance that is periodically replaced by a new vm (e.g. EC2) instance. The instance cannot run NAT so that we preserve the traffic source information in application logs - hence the single instance.
Currently the stable version uses an sqlite database local on the machine, and the new beta appears to be using an in process etcd solution.
Ideally, it would be great if the users/device/other_state could be stored in a database SaaS offering (RDS postgres or similar) so that WAG servers could by brutally replaced without loosing state. Potentially allowing WAG to connect to an external etcd cluster could be an option, but it doesnt appear like any of the cloud providers provide a SaaS etcd service akin to RDS.
Perhaps if the state management could be restructured as an interface, so that a sqlite, etcd, other data store implementation could be supported, i'd be keen to contribute a postgres option