v3.1.2

tunnel: Expose tunnel service via TLS

.gitignore

@@ -1,6 +1,7 @@
 .DS_Store
 .project
 .vagrant/
-config/
-src/
-package-lock.json
+
+/config
+/docker-compose.yml
+/package-lock.json

CHANGELOG.md

@@ -4,6 +4,432 @@ All notable changes to this project will be documented in this file
 automatically by Versionist. DO NOT EDIT THIS FILE MANUALLY!
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+# v3.1.2
+## (2021-01-22)
+
+* tunnel: Expose tunnel service via TLS [Rich Bayliss]
+
+# v3.1.1
+## (2020-11-10)
+
+* Update open-balena-api [Akis Kesoglou]
+
+# v3.1.0
+## (2020-11-03)
+
+* Change S3 OS images folder from resinos to images [Stevche Radevski]
+
+# v3.0.1
+## (2020-10-29)
+
+* Update the API fixing an issue with migrations [Akis Kesoglou]
+
+# v3.0.0
+## (2020-10-28)
+
+* Update versions of services [Akis Kesoglou]
+
+# v2.0.5
+## (2020-10-09)
+
+* docs: add table comparing features of openBalena and balenaCloud [Matthew McGinn]
+
+# v2.0.4
+## (2020-10-08)
+
+* docs: note that balenaCLI is incompatible >12.2.2 [Matthew McGinn]
+
+# v2.0.3
+## (2020-06-01)
+
+* docs: Add PSA about balenaOS version breakage [Rich Bayliss]
+
+# v2.0.2
+## (2020-04-03)
+
+* Added units to haproxy.cfg default timeouts [Frederic Tausch]
+
+# v2.0.1
+## (2020-01-17)
+
+* cert-provider: Update to support ACMEv2 on staging provider [Rich Bayliss]
+
+# v2.0.0
+## (2019-09-02)
+
+* feature: Use S3 bucket for Registry service backend [Rich Bayliss]
+
+# v1.3.0
+## (2019-07-30)
+
+* services: Update Registry service version [Rich Bayliss]
+* feature: Support deployment via balena push to local-mode balenaOS devices [Rich Bayliss]
+
+# v1.2.0
+## (2019-05-21)
+
+* tidy: Remove unused DEVICE_CONFIG_OPENVPN_CONFIG variable [Rich Bayliss]
+* services: Update Registry service version [Akis Kesoglou]
+* services: Update API service version [Rich Bayliss]
+
+<details>
+<summary> View details </summary>
+
+## open-balena-api-0.19.5
+### (2019-05-20)
+
+* Update typed-error to 3.1.0 [Pagan Gazzard]
+
+<details>
+<summary> View details </summary>
+
+### typed-error-3.1.0
+#### (2019-04-01)
+
+* dev: Enforce prettier coding standards [Will Boyce]
+* npm: Update dependencies and remove `package-lock.json` [Will Boyce]
+* codeowners: Add top contributors @wrboyce, @Page-, and @dfunckt [Will Boyce]
+* versionbot: Add CHANGELOG.yml (for nested changelogs) [Will Boyce]
+
+### typed-error-3.0.2
+#### (2018-11-01)
+
+* Update README with new import style [CameronDiver]
+
+### typed-error-3.0.1
+#### (2018-10-29)
+
+* Update to typescript 3 [Pagan Gazzard]
+* Update dev dependencies [Pagan Gazzard]
+* Add node-10 to the circle test suite [Pagan Gazzard]
+
+### typed-error-3.0.0
+#### (2018-04-17)
+
+* Distribute generated typescript declaration [Will Boyce]
+* use circle for build/publish and add package-lock [Will Boyce]
+* add lint scripts/requirements [Will Boyce]
+* Remove `BaseError` class and  directly subclass `Error` [Will Boyce]
+* Update dependencies, clean up package/tsconfig [Will Boyce]
+
+### typed-error-2.0.1
+#### (2017-12-15)
+
+* Add LICENSE [Akis Kesoglou]
+</details>
+
+
+## open-balena-api-0.19.4
+### (2019-05-20)
+
+* Some linting fixes for resin-lint 3 [Pagan Gazzard]
+
+## open-balena-api-0.19.3
+### (2019-05-17)
+
+* Silence expected API key related rejections [Akis Kesoglou]
+
+## open-balena-api-0.19.2
+### (2019-05-17)
+
+* Update dependencies [Pagan Gazzard]
+
+## open-balena-api-0.19.1
+### (2019-05-15)
+
+* Make use of a prepared query for device state query [Pagan Gazzard]
+* Update pinejs to 10.14.0 [Pagan Gazzard]
+
+<details>
+<summary> View details </summary>
+
+### pinejs-10.14.0
+#### (2019-05-15)
+
+* Update pinejs-client-core and make use of prepared queries [Pagan Gazzard]
+
+<details>
+<summary> View details </summary>
+
+#### odata-parser-1.0.3
+##### (2019-05-08)
+
+* Add .versionbot/CHANGELOG.yml for downstream changelogs [Pagan Gazzard]
+
+#### odata-parser-1.0.2
+##### (2019-04-15)
+
+* Update dependencies [Pagan Gazzard]
+
+#### abstract-sql-compiler-6.4.2
+##### (2019-05-09)
+
+* Update and fix lodash typings [Pagan Gazzard]
+* Update husky/mocha dev dependencies [Pagan Gazzard]
+
+#### abstract-sql-compiler-6.4.1
+##### (2019-05-08)
+
+* Fix typescript compilation [Pagan Gazzard]
+
+<details>
+<summary> View details </summary>
+
+##### sbvr-parser-0.2.2
+###### (2019-05-08)
+
+* Add .versionbot/CHANGELOG.yml for downstream changelogs [Pagan Gazzard]
+</details>
+
+* Add node 12 tests [Pagan Gazzard]
+* Add repo.yml for upstream changelogs [Pagan Gazzard]
+* Add .versionbot/CHANGELOG.yml for downstream changelogs [Pagan Gazzard]
+
+#### pinejs-client-js-5.5.1
+##### (2019-05-15)
+
+* Fix downstream declaration creation errors due to `Dictionary` [Pagan Gazzard]
+
+#### pinejs-client-js-5.5.0
+##### (2019-05-15)
+
+* Add a prepare method that prepares a query into a function [Pagan Gazzard]
+
+#### pinejs-client-js-5.4.1
+##### (2019-05-10)
+
+* Add CODEOWNERS [Gergely Imreh]
+
+#### pinejs-client-js-5.4.0
+##### (2019-05-10)
+
+* Add support for parameter aliases in resource ids [Pagan Gazzard]
+
+#### pinejs-client-js-5.3.10
+##### (2019-05-10)
+
+* Deduplicate transformation of GET results [Pagan Gazzard]
+
+#### pinejs-client-js-5.3.9
+##### (2019-05-10)
+
+* Simplify how we expose types, which means `subscribe` is now exposed [Pagan Gazzard]
+
+#### pinejs-client-js-5.3.8
+##### (2019-05-09)
+
+* Add automatic formatting via prettier [Pagan Gazzard]
+
+#### pinejs-client-js-5.3.7
+##### (2019-05-08)
+
+* Remove node 4 build, add node 12 [Pagan Gazzard]
+* Add .versionbot/CHANGELOG.yml for downstream changelogs [Pagan Gazzard]
+
+#### odata-to-abstract-sql-3.1.2
+##### (2019-05-08)
+
+* Add node 12 tests [Pagan Gazzard]
+* Add repo.yml for upstream changelogs [Pagan Gazzard]
+* Add .versionbot/CHANGELOG.yml for downstream changelogs [Pagan Gazzard]
+
+#### sbvr-types-2.0.3
+##### (2019-05-08)
+
+* Add .versionbot/CHANGELOG.yml for downstream changelogs [Pagan Gazzard]
+
+#### sbvr-parser-0.2.2
+##### (2019-05-08)
+
+* Add .versionbot/CHANGELOG.yml for downstream changelogs [Pagan Gazzard]
+</details>
+
+
+### pinejs-10.13.3
+#### (2019-05-14)
+
+* Fix possible null error when using a parameter alias with no value [Pagan Gazzard]
+
+### pinejs-10.13.2
+#### (2019-05-08)
+
+* Add repo.yml for nested changelogs [Pagan Gazzard]
+
+### pinejs-10.13.1
+#### (2019-05-06)
+
+* Add node 12 to the circle tests [Pagan Gazzard]
+
+### pinejs-10.13.0
+#### (2019-05-06)
+
+* Expose odata-compiler as a bin script [Pagan Gazzard]
+
+### pinejs-10.12.0
+#### (2019-05-01)
+
+* Expose sbvr-compiler as a bin script [Pagan Gazzard]
+* Move odata-metadata-generator into odata-metadata directory [Pagan Gazzard]
+
+### pinejs-10.11.3
+#### (2019-05-01)
+
+* Update @types/lodash, avoiding `_.isObject` where necessary [Pagan Gazzard]
+
+### pinejs-10.11.2
+#### (2019-04-22)
+
+* Only validate the model if the query affected at least 1 row [Pagan Gazzard]
+
+### pinejs-10.11.1
+#### (2019-04-11)
+
+* Switch odata-metadata-generator to using an abstract sql model [Pagan Gazzard]
+</details>
+
+
+## open-balena-api-0.19.0
+### (2019-05-15)
+
+* Update target to es2018 [Pagan Gazzard]
+
+## open-balena-api-0.18.6
+### (2019-05-10)
+
+* bug: Resolve NPM dependency issues preventing startup [Rich Bayliss]
+
+## open-balena-api-0.18.5
+### (2019-05-08)
+
+* Add typed-error upstream to repo.yml [Pagan Gazzard]
+* Add open-balena-base upstream to repo.yml [Pagan Gazzard]
+
+## open-balena-api-0.18.4
+### (2019-05-06)
+
+* Disable the service start limit [Pagan Gazzard]
+* Update open-balena-base to v7.0.2 [Pagan Gazzard]
+
+## open-balena-api-0.18.3
+### (2019-05-01)
+
+* tests: Add test framework [Rich Bayliss]
+
+## open-balena-api-0.18.2
+### (2019-04-29)
+
+* Fix import ordering issue [Pagan Gazzard]
+
+## open-balena-api-0.18.1
+### (2019-04-29)
+
+* versionbot: add machine readable changelog [Gergely Imreh]
+
+## open-balena-api-0.18.0
+### (2019-04-29)
+
+* device-config: allow devices going back to v1.2.1 to use registry v2 [Gergely Imreh]
+
+## open-balena-api-0.17.4
+### (2019-04-26)
+
+* Handle requesting registry scopes with explicit indices above 20 [Pagan Gazzard]
+
+## open-balena-api-0.17.3
+### (2019-04-26)
+
+* Use more accurate `BadRequestError`s for invalid env var names [Pagan Gazzard]
+* Remove unnecessary `nameProp` argument from `addEnvHooks` [Pagan Gazzard]
+* Avoid unnecessary object creation on env var validation [Pagan Gazzard]
+
+## open-balena-api-0.17.2
+### (2019-04-24)
+
+* os-config: disable client-initiated vpn tls key renegotiation [Will Boyce]
+
+## open-balena-api-0.17.1
+### (2019-04-19)
+
+* Remove unused `DEVICE_CONFIG_OPENVPN_CONFIG` fron env backend [Pagan Gazzard]
+
+## open-balena-api-0.17.0
+### (2019-04-18)
+
+* Rename `env_var_name` to `name` to match cloud [Pagan Gazzard]
+
+## open-balena-api-0.16.1
+### (2019-04-18)
+
+* fix: Changes required to make `my_application` resource available [Rich Bayliss]
+
+## open-balena-api-0.16.0
+### (2019-04-17)
+
+* Handle `my_applications` within pinejs [Pagan Gazzard]
+
+## open-balena-api-0.15.2
+### (2019-04-17)
+
+* device-proxy: use `.balena` tld in favour of `.resin` [Will Boyce]
+
+## open-balena-api-0.15.1
+### (2019-04-17)
+
+* Update method-override to 3.x [Pagan Gazzard]
+
+## open-balena-api-0.15.0
+### (2019-04-15)
+
+* Rename `configPath` to `config` and make sure config.json is valid [Pagan Gazzard]
+
+## open-balena-api-0.14.0
+### (2019-04-11)
+
+* Whitelist the new RESIN_SUPERVISOR_INSTANT_UPDATE_TRIGGER configuration variable [Pablo Carranza Velez]
+
+## open-balena-api-0.13.3
+### (2019-04-02)
+
+* Fix `ResolvableReturnType` typing [Pagan Gazzard]
+
+## open-balena-api-0.13.2
+### (2019-04-01)
+
+* Add CODEOWNERS file [Pagan Gazzard]
+
+## open-balena-api-0.13.1
+### (2019-04-01)
+
+* Add an index for the vpn's service instance lookup [Pagan Gazzard]
+
+## open-balena-api-0.13.0
+### (2019-03-28)
+
+* Use a readTransaction for device state [Pagan Gazzard]
+* Remove runInTransaction wrapper to avoid unnecessary function creation [Pagan Gazzard]
+* Avoid need to repeateadly check for `readTransaction` existence [Pagan Gazzard]
+
+## open-balena-api-0.12.0
+### (2019-03-19)
+
+* Add build log to release resource [Stevche Radevski]
+</details>
+
+# v1.1.1
+## (2019-05-07)
+
+* docker: Update docker-compose version to latest [Heds Simons]
+
+# v1.1.0
+## (2019-05-07)
+
+* s3: Update to latest version with credentials [Heds Simons]
+
+# v1.0.2
+## (2019-04-17)
+
+* scripts: Handle missing coreutils on Mac [Roman Mazur]
+
 # v1.0.1
 ## (2019-03-20)
 

README.md

@@ -25,42 +25,25 @@ To learn more about openBalena, visit [balena.io/open][open-balena-website].
 - **Built-in VPN**: Access your devices regardless of their network environment
 
 
-## Roadmap
-
-OpenBalena is currently in beta. While fully functional, it lacks features we
-consider important before we can comfortably call it production-ready. During
-this phase, don’t be alarmed if things don’t work as expected just yet (and
-please let us know about any bugs or errors you encounter!). The following
-improvements and new functionality is planned:
-
-- Full documentation
-- Full test suite
-- Simplified deployment
-- Remote host OS updates
-- Support for custom device types
-
-
-## Contributing
-
-Everyone is welcome to contribute to openBalena. There are many different ways
-to get involved apart from submitting pull requests, including helping other
-users on the [forums][forums], reporting or triaging [issues][issue-tracker],
-reviewing and discussing [pull requests][pulls], or just spreading the word.
-
-All of openBalena is hosted on GitHub. Apart from its constituent components,
-which are the [API][open-balena-api], [VPN][open-balena-vpn], [Registry][open-balena-registry],
-[S3 storage service][open-balena-s3], and [Database][open-balena-db], contributions
-are also welcome to its client-side software such as the [balena CLI][balena-cli],
-the [balena SDK][balena-sdk], [balenaOS][balena-os] and [balenaEngine][balena-engine].
-
-
 ## Getting Started
 
-Our [Getting Started][getting-started] guide is the most direct path to getting
+Our [Getting Started guide][getting-started] is the most direct path to getting
 an openBalena installation up and running and successfully deploying your
 application to your device(s).
 
 
+## Compatibility
+
+The current release of openBalena has the following minimum version requirements:
+
+- balenaOS v2.58.3
+- balena CLI v12.38.5
+
+If you are updating from previous openBalena versions, ensure you update the balena
+CLI and reprovision any devices to at least the minimum required versions in order
+for them to be fully compatible with this release, as some features may not work.
+
+
 ## Documentation
 
 While we're still working on the project documentation, please refer to the
@@ -89,6 +72,53 @@ for help, or contribute by answering questions posted by fellow openBalena users
 Please do not use the issue tracker for support-related questions.
 
 
+## Contributing
+
+Everyone is welcome to contribute to openBalena. There are many different ways
+to get involved apart from submitting pull requests, including helping other
+users on the [forums][forums], reporting or triaging [issues][issue-tracker],
+reviewing and discussing [pull requests][pulls], or just spreading the word.
+
+All of openBalena is hosted on GitHub. Apart from its constituent components,
+which are the [API][open-balena-api], [VPN][open-balena-vpn], [Registry][open-balena-registry],
+[S3 storage service][open-balena-s3], and [Database][open-balena-db], contributions
+are also welcome to its client-side software such as the [balena CLI][balena-cli],
+the [balena SDK][balena-sdk], [balenaOS][balena-os] and [balenaEngine][balena-engine].
+
+
+## Roadmap
+
+OpenBalena is currently in beta. While fully functional, it lacks features we
+consider important before we can comfortably call it production-ready. During
+this phase, don’t be alarmed if things don’t work as expected just yet (and
+please let us know about any bugs or errors you encounter!). The following
+improvements and new functionality is planned:
+
+- Full documentation
+- Full test suite
+- Simplified deployment
+- Remote host OS updates
+- Support for custom device types
+
+
+## Differences between openBalena and balenaCloud
+
+| openBalena                                          | balenaCloud                                                                                                                                                                                                                                                             |
+| -----                                               | ----                                                                                                                                                                                                                                                                    |
+| Device updates using full images                    | Device updates using [delta images](https://www.balena.io/docs/learn/deploy/delta/)                                                                                                                                                                                     |
+| Support for a single user                           | Support for [multiple users](https://www.balena.io/docs/learn/manage/account/#application-members)                                                                                                                                                                      |
+| Self-hosted deployment and scaling                  | balena-managed scaling and deployment |
+| Community support via [forums][forums]              | Private support on [paid plans](https://www.balena.io/pricing/)                                                                                                                                           |
+| Deploy via `balena deploy` only                     | Build remotely with native builders using [`balena push`](https://www.balena.io/docs/learn/deploy/deployment/#balena-push) or  [`git push`](https://www.balena.io/docs/learn/deploy/deployment/#git-push) |
+| No support for building via `git push`              | Use the same CI workflow with [`git push`](https://www.balena.io/docs/learn/deploy/deployment/#git-push)                                                                                                  |
+| No public URL support                               | Serve websites directly from device with [public device URLs](https://www.balena.io/docs/learn/manage/actions/#enable-public-device-url)                                                                  |
+| Management via `balena-cli` only                    | Cloud-based device management dashboard                                                                                                                                                                   |
+| Download images from [balena.io][balena-os-website] | Download preconfigured images directly from the dashboard                                                                                                                                                 |
+| No supported remote diagnostics                     | Remote device diagnostics                                                                                                                                                                                 |
+
+Additionally, refer back to the [roadmap](#roadmap) above for planned but not yet implemented features.
+
+
 ## License
 
 OpenBalena is licensed under the terms of AGPL v3. See [LICENSE](LICENSE) for details.

VERSION

@@ -1 +1 @@
-1.0.1
+3.1.2

Vagrantfile

@@ -20,15 +20,21 @@ Vagrant.configure('2') do |config|
   config.ssh.forward_agent = true
 
   config.vm.provision :docker
-  config.vm.provision :docker_compose
 
   $provision = <<-SCRIPT
+    DOCKER_COMPOSE_VERSION=1.24.0
+
     touch /home/vagrant/.bashrc
     grep -Fxq 'source /home/vagrant/openbalena/.openbalenarc' /home/vagrant/.bashrc || echo 'source /home/vagrant/openbalena/.openbalenarc' >> /home/vagrant/.bashrc
 
     curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.34.0/install.sh | bash
     source "/home/vagrant/.nvm/nvm.sh" # This loads nvm
     nvm install 10.15.0 && nvm use 10.15.0
+
+    # Install a newer version of docker-compose
+    (cd /usr/local/bin; \
+    sudo curl -o docker-compose --silent --location https://github.com/docker/compose/releases/download/$DOCKER_COMPOSE_VERSION/docker-compose-Linux-x86_64; \
+    sudo chmod a+x docker-compose)
   SCRIPT
 
   config.vm.provision :shell, privileged: false, inline: $provision

compose/common.yml

@@ -1,4 +1,4 @@
-version: '2.1'
+version: "2.0"
 
 services:
   component:

compose/mdns.yml

@@ -0,0 +1,31 @@
+version: "2.0"
+
+services:
+  balena-mdns-publisher:
+    image: balena/balena-mdns-publisher:${OPENBALENA_MDNS_PUBLISHER_VERSION_TAG}
+    network_mode: "host"
+    cap_add:
+        - SYS_RESOURCE
+        - SYS_ADMIN
+    security_opt:
+        - apparmor:unconfined
+    tmpfs:
+        - /run
+        - /sys/fs/cgroup
+    # balenaOS - Required for host DBus comms. Not required for standalone Linux
+    labels:
+        io.balena.features.dbus: '1'
+        io.balena.features.supervisor-api: '1'
+    environment:
+        CONFD_BACKEND: ENV
+        # The name of the TLD to use. This *must* match certificates used for the rest of
+        # the resin backend (eg. that for BALENA_ROOT_CA if present).
+        MDNS_TLD: ${OPENBALENA_HOST_NAME}
+        # List of subdomains to advertise. This must include all required hosts.
+        MDNS_SUBDOMAINS: '["api", "db", "registry", "s3", "tunnel", "vpn"]'
+        # The expectation is the DBus socket to use is always at the following location.
+        DBUS_SESSION_BUS_ADDRESS: "unix:path=/host/run/dbus/system_bus_socket"
+        # Selects the interface used for incoming connections from the wider subnet.
+        # For NUCs, this is `eno1`. If running natively, pick the appropriate interface.
+        # Alternatively, keep the default commented out to autoselect.
+        #INTERFACE: "eno1"

compose/services.yml

@@ -1,4 +1,4 @@
-version: "2.1"
+version: "2.0"
 
 volumes:
   certs: {}
@@ -13,7 +13,7 @@ services:
     extends:
       file: ./common.yml
       service: component
-    image: balena/open-balena-api:${OPENBALENA_API_VERSION_TAG:-master}
+    image: balena/open-balena-api:${OPENBALENA_API_VERSION_TAG}
     depends_on:
       - db
       - s3
@@ -27,13 +27,12 @@ services:
       DB_PORT: 5432
       DB_USER: docker
       DELTA_HOST: delta.${OPENBALENA_HOST_NAME}
-      DEVICE_CONFIG_OPENVPN_CONFIG: ${OPENBALENA_VPN_CONFIG}
       DEVICE_CONFIG_OPENVPN_CA: ${OPENBALENA_VPN_CA_CHAIN}
       DEVICE_CONFIG_SSH_AUTHORIZED_KEYS: ${OPENBALENA_SSH_AUTHORIZED_KEYS}
       HOST: api.${OPENBALENA_HOST_NAME}
       IMAGE_MAKER_URL: img.${OPENBALENA_HOST_NAME}
       IMAGE_STORAGE_BUCKET: resin-production-img-cloudformation
-      IMAGE_STORAGE_PREFIX: resinos
+      IMAGE_STORAGE_PREFIX: images
       IMAGE_STORAGE_ENDPOINT: s3.amazonaws.com
       JSON_WEB_TOKEN_EXPIRY_MINUTES: 10080
       JSON_WEB_TOKEN_SECRET: ${OPENBALENA_JWT_SECRET}
@@ -45,7 +44,7 @@ services:
       REDIS_PORT: 6379
       REGISTRY2_HOST: registry.${OPENBALENA_HOST_NAME}
       REGISTRY_HOST: registry.${OPENBALENA_HOST_NAME}
-      SENTRY_DSN:
+      SENTRY_DSN: ""
       TOKEN_AUTH_BUILDER_TOKEN: ${OPENBALENA_TOKEN_AUTH_BUILDER_TOKEN}
       TOKEN_AUTH_CERT_ISSUER: api.${OPENBALENA_HOST_NAME}
       TOKEN_AUTH_CERT_KEY: ${OPENBALENA_TOKEN_AUTH_KEY}
@@ -62,9 +61,8 @@ services:
     extends:
       file: ./common.yml
       service: component
-    image: balena/open-balena-registry:${OPENBALENA_REGISTRY_VERSION_TAG:-master}
+    image: balena/open-balena-registry:${OPENBALENA_REGISTRY_VERSION_TAG}
     depends_on:
-      - api
       - s3
       - redis
     volumes:
@@ -75,10 +73,16 @@ services:
       BALENA_ROOT_CA: ${OPENBALENA_ROOT_CA}
       BALENA_TOKEN_AUTH_ISSUER: api.${OPENBALENA_HOST_NAME}
       BALENA_TOKEN_AUTH_REALM: https://api.${OPENBALENA_HOST_NAME}/auth/v1/token
-      COMMON_REGION:
-      REGISTRY2_S3_BUCKET:
-      REGISTRY2_S3_KEY:
-      REGISTRY2_S3_SECRET:
+      COMMON_REGION: ${OPENBALENA_S3_REGION}
+      REGISTRY2_CACHE_ENABLED: "false"
+      REGISTRY2_CACHE_ADDR: 127.0.0.1:6379
+      REGISTRY2_CACHE_DB: 0
+      REGISTRY2_CACHE_MAXMEMORY_MB: 1024 # megabytes
+      REGISTRY2_CACHE_MAXMEMORY_POLICY: allkeys-lru
+      REGISTRY2_S3_REGION_ENDPOINT: ${OPENBALENA_S3_ENDPOINT}
+      REGISTRY2_S3_BUCKET: ${OPENBALENA_REGISTRY2_S3_BUCKET}
+      REGISTRY2_S3_KEY: ${OPENBALENA_S3_ACCESS_KEY}
+      REGISTRY2_S3_SECRET: ${OPENBALENA_S3_SECRET_KEY}
       REGISTRY2_SECRETKEY: ${OPENBALENA_REGISTRY_SECRET_KEY}
       REGISTRY2_STORAGEPATH: /data
 
@@ -86,7 +90,7 @@ services:
     extends:
       file: ./common.yml
       service: component
-    image: balena/open-balena-vpn:${OPENBALENA_VPN_VERSION_TAG:-master}
+    image: balena/open-balena-vpn:${OPENBALENA_VPN_VERSION_TAG}
     depends_on:
       - api
     cap_add:
@@ -98,7 +102,7 @@ services:
       BALENA_VPN_PORT: 443
       PRODUCTION_MODE: "${OPENBALENA_PRODUCTION_MODE}"
       RESIN_VPN_GATEWAY: 10.2.0.1
-      SENTRY_DSN:
+      SENTRY_DSN: ""
       VPN_HAPROXY_USEPROXYPROTOCOL: "true"
       VPN_OPENVPN_CA_CRT: ${OPENBALENA_VPN_CA}
       VPN_OPENVPN_SERVER_CRT: ${OPENBALENA_VPN_SERVER_CRT}
@@ -110,17 +114,21 @@ services:
     extends:
       file: ./common.yml
       service: system
-    image: balena/open-balena-db:${OPENBALENA_DB_VERSION_TAG:-master}
+    image: balena/open-balena-db:${OPENBALENA_DB_VERSION_TAG}
     volumes:
       - db:/var/lib/postgresql/data
 
   s3:
     extends:
       file: ./common.yml
-      service: system
-    image: balena/open-balena-s3:${OPENBALENA_S3_VERSION_TAG:-master}
+      service: component
+    image: balena/open-balena-s3:${OPENBALENA_S3_VERSION_TAG}
     volumes:
       - s3:/export
+    environment:
+      S3_MINIO_ACCESS_KEY: ${OPENBALENA_S3_ACCESS_KEY}
+      S3_MINIO_SECRET_KEY: ${OPENBALENA_S3_SECRET_KEY}
+      BUCKETS: ${OPENBALENA_S3_BUCKETS}
 
   redis:
     extends:
@@ -134,7 +142,7 @@ services:
     extends:
       file: ./common.yml
       service: system
-    build: ../haproxy
+    build: ../src/haproxy
     depends_on:
       - api
       - cert-provider
@@ -160,6 +168,7 @@ services:
           - db.${OPENBALENA_HOST_NAME}
           - s3.${OPENBALENA_HOST_NAME}
           - redis.${OPENBALENA_HOST_NAME}
+          - tunnel.${OPENBALENA_HOST_NAME}
     environment:
       BALENA_HAPROXY_CRT: ${OPENBALENA_ROOT_CRT}
       BALENA_HAPROXY_KEY: ${OPENBALENA_ROOT_KEY}
@@ -169,11 +178,11 @@ services:
       - certs:/certs:ro
 
   cert-provider:
-    build: ../cert-provider
+    build: ../src/cert-provider
     volumes:
       - certs:/certs
       - cert-provider:/usr/src/app/certs
     environment:
       ACTIVE: ${OPENBALENA_ACME_CERT_ENABLED}
-      DOMAINS: "api.${OPENBALENA_HOST_NAME},registry.${OPENBALENA_HOST_NAME},s3.${OPENBALENA_HOST_NAME},vpn.${OPENBALENA_HOST_NAME}"
+      DOMAINS: "api.${OPENBALENA_HOST_NAME},registry.${OPENBALENA_HOST_NAME},s3.${OPENBALENA_HOST_NAME},vpn.${OPENBALENA_HOST_NAME},tunnel.${OPENBALENA_HOST_NAME}"
       OUTPUT_PEM: /certs/open-balena.pem

compose/template.yml

@@ -7,4 +7,4 @@
 # `compose/services.yml` as the "base" config.
 #
 # You may view the effective config with `scripts/compose config`.
-version: '2.1'
+version: "2.0"

compose/versions

@@ -1,5 +1,6 @@
-export OPENBALENA_API_VERSION_TAG=v0.11.8
-export OPENBALENA_DB_VERSION_TAG=v2.0.3
-export OPENBALENA_REGISTRY_VERSION_TAG=v2.5.0
-export OPENBALENA_S3_VERSION_TAG=v2.5.0
-export OPENBALENA_VPN_VERSION_TAG=v8.10.0
+export OPENBALENA_API_VERSION_TAG=v0.109.2
+export OPENBALENA_DB_VERSION_TAG=v4.1.0
+export OPENBALENA_MDNS_PUBLISHER_VERSION_TAG=v1.7.9
+export OPENBALENA_REGISTRY_VERSION_TAG=v2.13.11
+export OPENBALENA_S3_VERSION_TAG=v2.9.9
+export OPENBALENA_VPN_VERSION_TAG=v9.16.1

repo.yml

@@ -1,2 +1,15 @@
-type: 'generic'
+type: "generic"
 reviewers: 1
+upstream:
+  - repo: open-balena-api
+    url: https://github.com/balena-io/open-balena-api
+  - repo: open-balena-vpn
+    url: https://github.com/balena-io/open-balena-vpn
+  - repo: open-balena-registry
+    url: https://github.com/balena-io/open-balena-registry
+  - repo: open-balena-db
+    url: https://github.com/balena-io/open-balena-db
+  - repo: open-balena-s3
+    url: https://github.com/balena-io/open-balena-s3
+  - repo: balena-mdns-publisher
+    url: https://github.com/balena-io/balena-mdns-publisher

scripts/_realpath

@@ -1,5 +1,11 @@
 #!/bin/bash -e
 
+echo_error() {
+    local RED=`tput setaf 1`
+    local RESET=`tput sgr0`
+    echo "${RED}ERROR: ${1}${RESET}"
+}
+
 REALPATH=
 REALPATHS=(
     'realpath'
@@ -14,8 +20,13 @@ fi
 done
 
 if [ -z "${REALPATH}" ]; then
-    local RED=`tput setaf 1`
-    echo "${RED}ERROR: Unable to find suitable command for realpath."
+    echo_error 'Unable to find suitable command for realpath.'
+    if [ $(uname) == 'Darwin' ]; then
+        echo 'GNU coreutils are required to build openBalena on macOS. To install with brew, run'
+        echo ''
+        echo '    brew install coreutils'
+        echo ''
+    fi
     exit 1
 fi
 

scripts/compose

@@ -11,6 +11,10 @@ echo_bold() {
   printf "\\033[1m%s\\033[0m\\n" "$@"
 }
 
+echo_bold_stderr() {
+  printf "\\033[1m%s\\033[0m\\n" "$@" 1>&2
+}
+
 VERSIONS_FILE="${BASE_DIR}/compose/versions"
 if [ ! -f "$VERSIONS_FILE" ]; then
   echo_bold "No service versions defined in ${VERSIONS_FILE}"
@@ -24,9 +28,20 @@ if [ ! -f "$ENV_FILE" ]; then
   exit 1
 fi
 
+source "${ENV_FILE}"
+
+# only include the MDNS publisher IF the domain is valid...
+if [ ${OPENBALENA_HOST_NAME: -6} == ".local" ]; then
+  INCLUDE_MDNS="-f ${BASE_DIR}/compose/mdns.yml"
+fi
+
+# show a warning to update your balena CLI tool...
+echo_bold_stderr "IMPORTANT: Please update your Balena CLI installation to version v12.38.5"
+
 # shellcheck source=/dev/null
-source "${VERSIONS_FILE}"; source "${ENV_FILE}"; docker-compose \
+source "${VERSIONS_FILE}"; docker-compose \
   --project-name 'openbalena' \
   -f "${BASE_DIR}/compose/services.yml" \
+  ${INCLUDE_MDNS} \
   -f "${CONFIG_DIR}/docker-compose.yml" \
   "$@"

scripts/logger.sh

@@ -0,0 +1,62 @@
+#!/bin/sh
+
+BLACK=`tput setaf 0`
+RED=`tput setaf 1`
+GREEN=`tput setaf 2`
+YELLOW=`tput setaf 3`
+BLUE=`tput setaf 4`
+MAGENTA=`tput setaf 5`
+CYAN=`tput setaf 6`
+WHITE=`tput setaf 7`
+
+BOLD=`tput bold`
+RESET=`tput sgr0`
+
+log_raw () {
+    local COLOR="${WHITE}"
+    local LEVEL="${1}"
+    local MESSAGE="${2}"
+    case "${LEVEL}" in
+        info)
+            COLOR="${BLUE}"
+            ;;
+        warn)
+            COLOR="${YELLOW}"
+            ;;
+        fatal)
+            COLOR="${RED}"
+            ;;
+        *)
+            LEVEL="debug"
+            ;;
+    esac
+    LEVEL="${LEVEL}     "
+    echo "[$(date +%T)] ${COLOR}$(echo "${LEVEL:0:5}" | tr '[:lower:]' '[:upper:]')${RESET} ${MESSAGE}";
+}
+
+log () {
+    log_raw "debug" "${1}"
+}
+
+info () {
+    log_raw "info" "${1}";
+}
+
+warn () {
+    log_raw "warn" "${1}";
+}
+
+die () {
+    log_raw "fatal" "${1}";
+    exit 1;
+}
+
+die_unless_forced () {
+    if [ ! -z "$1" ]; then
+        log_raw "warn" "$2";
+        return;
+    fi
+    
+    log_raw "fatal" "$2";
+    die "Use -f to forcibly upgrade.";
+}

scripts/make-env

@@ -40,40 +40,15 @@ b64file() {
   b64encode "$(cat "$@")"
 }
 
-VPN_CONFIG=$(cat <<STR
-client
-remote vpn.$DOMAIN 443
-resolv-retry infinite
-
-remote-cert-tls server
-ca /etc/openvpn/ca.crt
-auth-user-pass /var/volatile/vpn-auth
-auth-retry none
-script-security 2
-up /etc/openvpn-misc/upscript.sh
-up-restart
-down /etc/openvpn-misc/downscript.sh
-
-comp-lzo
-dev resin-vpn
-dev-type tun
-proto tcp
-nobind
-
-persist-key
-persist-tun
-verb 3
-user openvpn
-group openvpn
-
-STR
-)
+# buckets to create in the S3 service...
+REGISTRY2_S3_BUCKET="registry-data"
 
 cat <<STR
 export OPENBALENA_PRODUCTION_MODE=false
 export OPENBALENA_COOKIE_SESSION_SECRET=$(randstr 32)
 export OPENBALENA_HOST_NAME=$DOMAIN
 export OPENBALENA_JWT_SECRET=$(randstr 32)
+export OPENBALENA_REGISTRY2_S3_BUCKET=${REGISTRY2_S3_BUCKET}
 export OPENBALENA_RESINOS_REGISTRY_CODE=$(randstr 32)
 export OPENBALENA_ROOT_CA=$(b64file "${ROOT_CA}")
 export OPENBALENA_ROOT_CRT=$(b64file "${ROOT_CRT}")
@@ -84,13 +59,17 @@ export OPENBALENA_TOKEN_AUTH_KEY=$(b64file "$JWT_KEY")
 export OPENBALENA_TOKEN_AUTH_KID=$(b64file "$JWT_KID")
 export OPENBALENA_VPN_CA=$(b64file "$VPN_CA")
 export OPENBALENA_VPN_CA_CHAIN=$(b64file "$VPN_CA")
-export OPENBALENA_VPN_CONFIG=$(b64encode "$VPN_CONFIG")
 export OPENBALENA_VPN_SERVER_CRT=$(b64file "$VPN_CRT")
 export OPENBALENA_VPN_SERVER_KEY=$(b64file "$VPN_KEY")
 export OPENBALENA_VPN_SERVER_DH=$(b64file "$VPN_DH")
 export OPENBALENA_VPN_SERVICE_API_KEY=$(randstr 32)
 export OPENBALENA_API_VPN_SERVICE_API_KEY=$(randstr 32)
 export OPENBALENA_REGISTRY_SECRET_KEY=$(randstr 32)
+export OPENBALENA_S3_ACCESS_KEY=$(randstr 32)
+export OPENBALENA_S3_BUCKETS="${REGISTRY2_S3_BUCKET}"
+export OPENBALENA_S3_ENDPOINT="https://s3.${DOMAIN}"
+export OPENBALENA_S3_REGION=us-east-1
+export OPENBALENA_S3_SECRET_KEY=$(randstr 32)
 export OPENBALENA_SSH_AUTHORIZED_KEYS=
 export OPENBALENA_SUPERUSER_EMAIL=$SUPERUSER_EMAIL
 export OPENBALENA_SUPERUSER_PASSWORD=$(printf "%q" "${SUPERUSER_PASSWORD}")

scripts/migrate-registry-storage

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+migrate_data_to_s3 () {
+  BUCKET="${1:-registry-data}"
+
+  if [ -z "${BUCKET}" ]; then return 1; fi
+
+  if [ -n "${DOCKER_HOST}" ]; then
+      log "Using docker host: ${DOCKER_HOST}"
+      export DOCKER_HOST="${DOCKER_HOST}"
+  fi
+
+  REGISTRY_CONTAINER="$(docker ps | grep registry_ | awk '{print $1}')"
+  S3_CONTAINER="$(docker ps | grep s3_ | awk '{print $1}')"
+
+  if [ -z "${REGISTRY_CONTAINER}" ] || [ -z "${S3_CONTAINER}" ]; then return 2; fi
+
+  REGISTRY_VOLUME="$(docker inspect "${REGISTRY_CONTAINER}" | jq -r '.[].Mounts | map(select(.Destination=="/data")) | .[0].Source')"
+  S3_VOLUME=$(docker inspect "${S3_CONTAINER}" | jq -r '.[].Mounts | map(select(.Destination=="/export")) | .[0].Source')
+
+  if [ -z "${REGISTRY_VOLUME}" ] || [ -z "${S3_VOLUME}" ]; then return 3; fi
+
+  # run the S3 container image, and copy the data partition into S3...
+  docker run -it --rm \
+      -v "${REGISTRY_VOLUME}:/data" \
+      -v "${S3_VOLUME}:/s3" \
+      --name "migrate-registry" alpine \
+      sh -c "mkdir -p /s3/${BUCKET}/data && cp -r /data/docker /s3/${BUCKET}/data/"
+}

scripts/quickstart

@@ -16,6 +16,12 @@ RESET=`tput sgr0`
 OPENSSL_VERSION=$(openssl version -v)
 if [[ "${OPENSSL_VERSION}" =~ ^LibreSSL.*$ ]]; then
   echo -e "${RED}ERROR: You may not have a compatible OpenSSL version (${OPENSSL_VERSION}). Please install OpenSSL version 1.0.2q or above.${RESET}"
+  if [ $(uname) == 'Darwin' ]; then
+        echo 'OpenSSL is required to build openBalena on macOS. To install with brew, run'
+        echo ''
+        echo '    brew install openssl'
+        echo ''
+    fi
   exit 1
 fi
 
@@ -125,7 +131,25 @@ fi
 echo_bold "==> Success!"
 echo '  - Start the instance with: ./scripts/compose up -d'
 echo '  - Stop the instance with: ./scripts/compose stop'
+echo '  - To create a single, flat, docker-compose.yml file, run:'
+echo ''
+echo '      ./scripts/compose config > docker-compose.yml'
+echo ''
 
 if [ -z "${ACME_CERT_ENABLED}" ]; then
   echo "  - Use the following certificate with Balena CLI: ${CERTS_DIR}/root/ca.crt"
+
+  case $(uname) in
+    Darwin)
+      echo ''
+      printf '    On macOS:\n\n'
+      printf '      sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "%s/root/ca.crt"\n' "${CERTS_DIR}"
+      echo ''
+      ;;
+    *)
+      ;;
+  esac
+
+  echo -e "    ${YELLOW}IMPORTANT:${RESET} You will need to restart your Docker daemon after trusting this certificate to allow your workstation to push images to the registry."
+  echo ''
 fi

scripts/upgrade-1.x-to-2.0

@@ -0,0 +1,78 @@
+#!/bin/sh
+
+source "${BASH_SOURCE%/*}/logger.sh"
+source "${BASH_SOURCE%/*}/migrate-registry-storage"
+
+# This script takes a v1.x.x install and updates the compose stack to use S3 as your
+# registry storage.
+
+source "${BASH_SOURCE%/*}/_realpath"
+
+DIR="$(dirname $(realpath "$0"))"
+BASE_DIR="$(dirname "${DIR}")"
+CONFIG_DIR="${BASE_DIR}/config"
+CONFIG_FILE="${CONFIG_DIR}/activate"
+
+# Step 1. Make sure a config exists...
+[ -f "${CONFIG_FILE}" ] || die "Unable to find existing config!";
+
+info "Preparing to upgrade..."
+source "${CONFIG_FILE}"
+
+while getopts "f" opt; do
+  case "${opt}" in
+    f) 
+        warn "Forcing upgrade! I hope you know what you're doing..."
+        FORCE_UPGRADE=1
+        ;;
+    *)
+      echo "Invalid argument: ${OPTARG}"
+      exit 1
+      ;;
+  esac
+done
+shift $((OPTIND-1))
+
+# Step 2. Check if the S3 configuration already exists...
+upgrade_required () {
+    [ -z "${OPENBALENA_REGISTRY2_S3_BUCKET}" ] || return 1;
+    [ -z "${OPENBALENA_S3_ACCESS_KEY}" ] || return 1;
+    [ -z "${OPENBALENA_S3_ENDPOINT}" ] || return 1;
+    [ -z "${OPENBALENA_S3_REGION}" ] || return 1;
+    [ -z "${OPENBALENA_S3_SECRET_KEY}" ] || return 1;
+}
+upgrade_required || die_unless_forced "${FORCE_UPGRADE}" "Configuration may already be using S3 for Registry storage!"
+
+# Step 3. Create missing S3 configuration...
+randstr() {
+  LC_CTYPE=C tr -dc A-Za-z0-9 < /dev/urandom | fold -w "${1:-32}" | head -n 1
+}
+
+upsert_config () {
+    var="${1}"
+    value="${2}"
+
+    if [ -z "${!var}" ]; then
+        echo "export ${1}=${2}" >> "${CONFIG_FILE}"
+    else
+        sed -i '' "s~export ${1}=.*~export ${1}=${2}~" "${CONFIG_FILE}"
+    fi
+}
+
+upsert_config "OPENBALENA_REGISTRY2_S3_BUCKET" "registry-data" || warn "Failed to update config value OPENBALENA_REGISTRY2_S3_BUCKET"
+upsert_config "OPENBALENA_S3_ACCESS_KEY" "$(randstr 32)" || warn "Failed to update config value OPENBALENA_S3_ACCESS_KEY"
+upsert_config "OPENBALENA_S3_ENDPOINT" "https://s3.${OPENBALENA_HOST_NAME}" || warn "Failed to update config value OPENBALENA_S3_ENDPOINT"
+upsert_config "OPENBALENA_S3_REGION" "us-east-1" || warn "Failed to update config value OPENBALENA_S3_REGION"
+upsert_config "OPENBALENA_S3_SECRET_KEY" "$(randstr 32)" || warn "Failed to update config value OPENBALENA_S3_SECRET_KEY"
+
+# Step 4. Migrate Registry data to S3...
+info "Copying data from the Registry volume to the S3 volume..."
+migrate_data_to_s3 "registry-data"
+case $? in
+    1)  die "Invalid bucket name";;
+    2)  die "Unable to find the running Registry or S3 containers";;
+    3)  die "Unable to determine the data volumes for the Registry or S3 containers";;
+    *)  info "Registry data copied"
+        ;;
+esac
+info "Upgrade complete"

src/cert-provider/Dockerfile

@@ -6,9 +6,11 @@ VOLUME [ "/usr/src/app/certs" ]
 
 RUN apk add --update bash curl git openssl ncurses socat
 
+# from https://github.com/Neilpang/acme.sh/releases/tag/2.8.5
 RUN git clone https://github.com/Neilpang/acme.sh.git && \
     cd acme.sh && \
-    git checkout 08357e3cb0d80c84bdaf3e42ce0e439665387f57 . && \
+    git fetch && git fetch --tags && \
+    git checkout 2.8.5 . && \
     ./acme.sh --install  \
     --cert-home /usr/src/app/certs
 

src/cert-provider/cert-provider.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 # the acme.sh client script, installed via Git in the Dockerfile...
 ACME_BIN="$(realpath ~/.acme.sh/acme.sh)"
@@ -45,14 +45,20 @@ retryWithDelay() {
     DELAY=${3:-5}
 
     local ATTEMPT=0
-    while [ $RETRIES -gt $ATTEMPT ]; do
-        let "ATTEMPT++"
+    while [ "$RETRIES" -gt "$ATTEMPT" ]; do
+        (( ATTEMPT++ ))
+        logInfo "($ATTEMPT/$RETRIES) Connecting..."
         if $1; then
+            logInfo "($ATTEMPT/$RETRIES) Success!"
             return $?
         fi
 
-        echo "($ATTEMPT/$RETRIES) Retrying in ${DELAY} seconds..."
-        sleep $DELAY
+        if [ "$RETRIES" -gt "$ATTEMPT" ]; then
+            logInfo "($ATTEMPT/$RETRIES) Failed. Retrying in ${DELAY} seconds..."
+            sleep "$DELAY"
+        else
+            logInfo "($ATTEMPT/$RETRIES) Failed!"
+        fi
     done
 
     return 1
@@ -62,7 +68,7 @@ waitForOnline() {
     ADDRESS="${1,,}"
 
     logInfo "Waiting for ${ADDRESS} to be available via HTTP..."
-    retryWithDelay "curl --output /dev/null --silent --head --fail http://${ADDRESS}" 6 5
+    retryWithDelay "curl --output /dev/null --silent --head --fail --max-time 5 http://${ADDRESS}"
 }
 
 isUsingStagingCert() {
@@ -167,7 +173,10 @@ acquireCertificate() {
 
 pre-flight || logErrorAndStop "Unable to continue due to misconfiguration. See errors above."
 
-waitForOnline "${ACME_DOMAINS[0]}" || logErrorAndStop "Unable to access ${ACME_DOMAINS[0]} on port 80. This is needed for certificate validation."
+while ! waitForOnline "${ACME_DOMAINS[0]}"; do
+    logInfo "Unable to access ${ACME_DOMAINS[0]} on port 80. This is needed for certificate validation. Retrying in 30 seconds..."
+    sleep 30
+done
 
 if ! lastAcquiredCertFor "production"; then
     acquireCertificate "staging" || logErrorAndStop "Unable to acquire a staging certificate."

src/haproxy/haproxy.cfg

@@ -2,9 +2,9 @@ global
   tune.ssl.default-dh-param 1024
 
 defaults
-  timeout connect 5000
-  timeout client 50000
-  timeout server 50000
+  timeout connect 5s
+  timeout client 50s
+  timeout server 50s
 
 frontend http-in
   mode http
@@ -34,6 +34,10 @@ frontend ssl-in
   tcp-request content accept if { req.ssl_hello_type 1 }
 
   acl is_ssl req.ssl_ver 2:3.4
+
+  acl host_tunnel req_ssl_sni -i "tunnel.${HAPROXY_HOSTNAME}"
+  use_backend redirect-to-tunnel-in if host_tunnel
+
   use_backend redirect-to-https-in if is_ssl
   use_backend vpn-devices if !is_ssl
 
@@ -42,6 +46,11 @@ backend redirect-to-https-in
   balance roundrobin
   server localhost 127.0.0.1:444 send-proxy-v2
 
+backend redirect-to-tunnel-in
+  mode tcp
+  balance roundrobin
+  server localhost 127.0.0.1:3129
+
 frontend https-in
   mode http
   option forwardfor
@@ -64,34 +73,35 @@ backend backend_api
   mode http
   option forwardfor
   balance roundrobin
-  server resin_api_1 api:80 check port 80
+  server balena_api_1 api:80 check port 80
 
 backend backend_registry
   mode http
   option forwardfor
   balance roundrobin
-  server resin_registry_1 registry:80 check port 80
+  server balena_registry_1 registry:80 check port 80
 
 backend backend_vpn
   mode http
   option forwardfor
   balance roundrobin
-  server resin_vpn_1 vpn:80 check port 80
+  server balena_vpn_1 vpn:80 check port 80
 
 backend backend_s3
   mode http
   option forwardfor
   balance roundrobin
+  server balena_s3_1 s3:80 check port 80
 
 backend cert-provider
   mode http
   option forwardfor
   balance roundrobin
-  server resin_cert-provider_1 cert-provider:80 no-check
+  server balena_cert-provider_1 cert-provider:80 no-check
 
 backend vpn-devices
   mode tcp
-  server resin_vpn_1 vpn:443 send-proxy-v2 check-send-proxy port 443
+  server balena_vpn_1 vpn:443 send-proxy-v2 check-send-proxy port 443
 
 frontend db
   mode tcp
@@ -101,7 +111,7 @@ frontend db
 
 backend backend_db
   mode tcp
-  server resin_db_1 db:5432 check port 5432
+  server balena_db_1 db:5432 check port 5432
 
 frontend redis
   mode tcp
@@ -111,9 +121,14 @@ frontend redis
 
 backend backend_redis
   mode tcp
-  server resin_redis_1 redis:6379 check port 6379
+  server balena_redis_1 redis:6379 check port 6379
 
 listen vpn-tunnel
   mode tcp
   bind *:3128
   server balena_vpn vpn:3128 check port 3128
+
+listen vpn-tunnel-tls
+  mode tcp
+  bind *:3129 ssl crt /etc/ssl/private/open-balena.pem
+  server balena_vpn vpn:3128 check port 3128