Skip to content

feat(miner): add a fleet-mode AMS host Terraform starter module#5549

Merged
JSONbored merged 1 commit into
JSONbored:mainfrom
davion-knight:feat-miner-terraform-fixed
Jul 13, 2026
Merged

feat(miner): add a fleet-mode AMS host Terraform starter module#5549
JSONbored merged 1 commit into
JSONbored:mainfrom
davion-knight:feat-miner-terraform-fixed

Conversation

@davion-knight

Copy link
Copy Markdown
Contributor

What

Adds a minimal, self-contained Terraform starter module at packages/gittensory-miner/terraform/ that provisions a dedicated fleet-mode host for gittensory-miner — an always-on CLI worker, vs laptop mode. Per #5183.

Mirrors the root terraform/ module's Hetzner Cloud provider/conventions, but as the CLI-worker profile:

  • No public endpoints by default — the miner only makes outbound calls, so the sole inbound firewall rule is SSH, scoped to admin_ip_allowlist.
  • Docker via the distro docker.io package in cloud-init — no third-party apt repo, no piped remote install scripts.
  • Persistent volume mounted at /data/miner (the miner's GITTENSORY_MINER_CONFIG_DIR), so the attempt log, prediction ledger, and every other local store survive re-provisioning. cloud-init polls for the attached block device before mounting, so first boot can never leave /data/miner silently backed by the root disk.
  • Modest CLI-worker sizing (cx22 default, 10 GB volume), distinct from ORB's multi-tenant defaults.
  • Variables for provider token (sensitive), region, instance size; outputs incl. data_mount; README.md covering init/plan/apply and the post-apply run step (docker-compose.miner.yml / DEPLOYMENT.md).
  • The root terraform/ module is not touched.

Validation

  • terraform fmt -check — clean
  • terraform init + terraform validate"Success! The configuration is valid."
  • test/unit/miner-terraform-module.test.ts (8 tests) locks the invariants a syntax check can't see: no public inbound (only port 22), volume mounted at /data/miner behind a post-attachment device poll (no first-boot race), Docker via distro package with no remote-fetch-and-execute, sensitive credential var, and no hardcoded secrets.

Fixes #5183

Provision a dedicated, firewalled Hetzner Cloud host for running gittensory-miner as
an always-on fleet-mode CLI worker (vs laptop mode): a single Ubuntu VM with a
persistent volume mounted at /data/miner, so the attempt log, prediction ledger, and
all other local stores survive re-provisioning.

- SSH-only inbound (no public endpoints) — the CLI-worker profile, distinct from the
  root terraform/ ORB server module, which is left untouched.
- Docker installed from Ubuntu's own docker.io package via cloud-init (no third-party
  apt repo, no piped remote install scripts).
- cloud-init polls for the attached volume's block device before mounting, so first
  boot can never leave /data/miner silently backed by the root disk.
- Modest CLI-worker default sizing (cx22, 10 GB); mirrors the root module's Hetzner
  provider and conventions for consistency.

Fixes JSONbored#5183
@davion-knight davion-knight requested a review from JSONbored as a code owner July 13, 2026 04:24
@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@codecov

codecov Bot commented Jul 13, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.87%. Comparing base (7cffca2) to head (e74ebb0).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #5549   +/-   ##
=======================================
  Coverage   94.87%   94.87%           
=======================================
  Files         568      568           
  Lines       45055    45055           
  Branches    14675    14675           
=======================================
  Hits        42746    42746           
  Misses       1575     1575           
  Partials      734      734           
Flag Coverage Δ
shard-1 43.78% <ø> (-0.44%) ⬇️
shard-2 35.45% <ø> (-0.04%) ⬇️
shard-3 32.14% <ø> (+0.13%) ⬆️
shard-4 31.20% <ø> (-0.84%) ⬇️
shard-5 33.50% <ø> (+0.60%) ⬆️
shard-6 44.49% <ø> (+0.18%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@gittensory-orb gittensory-orb Bot added the gittensor:feature Gittensor-scored feature linked to a feature issue — scores a 0.25x multiplier. label Jul 13, 2026
@gittensory-orb

gittensory-orb Bot commented Jul 13, 2026

Copy link
Copy Markdown

Tip

🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩

✅ Gittensory review result - approve/merge recommended

Review updated: 2026-07-13 04:31:38 UTC

5 files · 1 AI reviewer · no blockers · readiness 100/100 · CI green · clean

✅ Suggested Action - Approve/Merge

  • safe to merge

Review summary
This adds a new, self-contained Terraform starter module for a fleet-mode gittensory-miner host on Hetzner Cloud, structurally mirroring the root terraform/ module but scoped down to a CLI-worker profile with only SSH exposed and no public ports. The mount-race fix (polling for the block device by stable by-id path before mounting) is a real improvement over the root module's lsblk-based approach and is locked in by a matching structural test. The module is additive only — the root terraform/ is untouched — and the linked issue (#5183) is closed by this diff as described.

Nits — 5 non-blocking
  • variables.tf:38 defaults admin_ip_allowlist to 0.0.0.0/0 and ::/0, so a fresh apply leaves SSH open to the internet by default; this mirrors the root module's existing convention but is still worth tightening or at minimum a loud README warning beyond the current 'restrict this to your IP(s) in production' line.
  • The static regex-based tests in miner-terraform-module.test.ts are convention-locking rather than functional verification (they can't catch e.g. a firewall rule that's syntactically fine but semantically wrong); that's acceptable for a Terraform module but worth noting as the ceiling of what this test file proves.
  • main.tf hardcodes the Hetzner by-id device path (/dev/disk/by-id/scsi-0HC_Volume_${id}) while the root module discovers the device via lsblk — this is arguably more robust, but the inconsistency between the two modules' mounting strategies isn't called out anywhere and could confuse a future maintainer diffing the two.
  • Consider tightening the admin_ip_allowlist default to require an explicit value (no default) rather than 0.0.0.0/0, forcing operators to make an active choice before their SSH port is open to the world.
  • Add a short note in README.md or variables.tf explaining why this module uses the by-id device path instead of the root module's lsblk approach, so the divergence reads as intentional rather than accidental drift.
Signal Result Evidence
Code review ✅ No blockers 1 reviewer
Linked issue ✅ Linked #5183
Related work ✅ No active overlap found No same-issue or scoped active PR overlap found.
Change scope ✅ 20/20 Low review scope from cached public metadata (1 linked issue).
Validation posture ✅ 25/25 PR body includes validation/test evidence.
Contributor workload ✅ 10/10 Author activity: 122 registered-repo PR(s), 88 merged, 2 issue(s).
Contributor context ✅ Confirmed Gittensor contributor davion-knight; Gittensor profile; 122 PR(s), 2 issue(s).
Gate result ✅ Passing No configured blocker found.
Improvement ⚠️ ℹ️ Insufficient signal risk: clean · value: insufficient-signal — Nothing measurable for the structural-improvement analyzers on this PR (e.g. no code files changed).
Review context
  • Author: davion-knight
  • Role context: outside_contributor
  • Public audience mode: oss maintainer
  • Lane context: Repository is configured for direct PR review.
  • Public profile languages: not available
  • Official Gittensor activity: 122 PR(s), 2 issue(s).
  • PR-specific overlap: none found.
Contributor next steps
  • Keep the PR focused and include validation evidence before maintainer review.
Signal definitions
  • Related work = same linked issue, overlapping active PRs, or title/path similarity.
  • Change scope = cached public metadata such as size labels, draft state, and review-burden hints.
  • Validation posture = whether the PR provides enough public validation/test evidence for maintainer review.
  • Contributor workload = public contributor activity and cleanup pressure, not a repo-wide quality failure.
  • Contributor context = public GitHub/Gittensor identity context; non-Gittensor status is not a blocker.
[BETA] Chat with Gittensory

Ask Gittensory a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.

  • @gittensory ask &lt;question&gt; answers contribution-quality Q&A with source citations and freshness.
  • @gittensory chat &lt;question&gt; answers in natural prose from cached decision-pack facts via local inference (maintainer/collaborator; read-only).
  • A plain-language @gittensory mention with a real question is routed to the closest matching read-only command automatically -- no exact syntax required.

Full command reference: https://gittensory.aethereal.dev/docs/gittensory-commands

🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed


💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

  • Re-run Gittensory review

@gittensory-orb gittensory-orb Bot added the manual-review Gittensor contributor context label Jul 13, 2026
@JSONbored JSONbored merged commit f0b1840 into JSONbored:main Jul 13, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:feature Gittensor-scored feature linked to a feature issue — scores a 0.25x multiplier. manual-review Gittensor contributor context

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add a Terraform starter module for provisioning a dedicated fleet-mode AMS host

2 participants