The game is 100% static (vanilla JS + HTML5 Canvas, no build) served by GitHub Pages.
The only thing that goes out to the network is the chat with the bums: a fetch to our
proxy. And that request crosses a whole self-hosted Kubernetes infra. This is the full end-to-end
journey of one message. Nothing is magic or someone else's cloud: it's our own hardware, and
everything is declared via API.
Two different things travel: the game's static files (HTML/JS/CSS) and the AI chat. The static files can be served from GitHub Pages (today) or from our own infra (nginx in the cluster); the chat always goes through the self-hosted infra. Same browser, two origins:
[ Browser / GitHub Pages ] the game (static)
│ HTTPS fetch(llm-tormenta-solar.cybercirujas.club)
▼
[ Public DNS + WAN IP ] A → home IP
│ :443
▼
[ HAProxy (edge, Mac mini G4 · OpenBSD) ] TCP mode · SNI passthrough
│ forwards raw TCP by hostname (doesn't terminate TLS)
▼
[ Cilium Gateway API 192.168.178.200 ] ← TLS terminates HERE (Let's Encrypt)
│ cilium-envoy + HTTPRoute (hostname → Service)
▼
[ Service → Pod: tormenta-ai-proxy ] Node · CORS · personas · guardrails
│ POST /v1/chat/completions
▼
[ LiteLLM (the central router) ] key pool · fallback · routing
├──────────────┬──────────────┐
▼ ▼ ▼
[ OpenRouter ] [ NVIDIA GPU ] [ RK1 NPUs ]
cloud · free HAMi + Ollama 4× local inference
Vanilla JS + Canvas, no framework, no build, hosted on GitHub Pages. The chat does a
fetch POST with the NPC, your message and a bit of context. Your API key is optional:
by default it hits our proxy (free); if you set an OpenRouter key, it stays only in your browser as an
override. The server's "real" key never touches the client.
The domain llm-tormenta-solar.cybercirujas.club resolves to the home public IP. The
certificate is from Let's Encrypt, issued by cert-manager using a DNS-01 challenge via
acme-dns — so there's no need to expose :80 or validate over HTTP. The cert renews
itself.
The edge is the most "junkyard-hacker" part of all: a PowerPC Mac mini G4 running
OpenBSD — yes, a ~2005 machine recycled as a TLS router. HAProxy lives there in TCP mode
with SNI passthrough: it reads the req.ssl_sni from the TLS hello and, depending on
the hostname, forwards the raw TCP to the right backend — without decrypting anything (TLS is
terminated by the gateway, further in). Several domains share the same backend pointing at the cluster
VIP. Here we tune maxconn and timeout so long LLM responses don't get cut.
Traffic enters the Kubernetes cluster through the cluster-gateway (GatewayClass
cilium), a fixed VIP served by Cilium LB-IPAM. TLS terminates here: a per-host
HTTPS listener presents the certificate (the Secret filled by cert-manager). It's Gateway
API, not Ingress: routing is a declarative, standard resource.
An HTTPRoute matches the hostname and routes to the proxy's Service. The data plane is cilium-envoy, acting as an HTTP reverse-proxy inside the cluster. Adding a new domain is, quite literally, adding an HTTPRoute and a listener — without touching HAProxy beyond the SNI rule.
tormenta-ai-proxyA tiny Node service (our own image, arm64). It does three things: sets the CORS headers so GitHub Pages can call it; keeps the personas (each bum's system-prompt) server-side; applies the guardrails (if the model is slow, it returns the "the solar storm is interfering with the model" line instead of leaving you hanging). Then it forwards the request to LiteLLM with the real key, which never leaves to the browser.
A single OpenAI-compatible endpoint (/v1/chat/completions) that's the routing
brain. It keeps an API key pool, does fallback between models if one fails or saturates,
and decides where to send each request based on the model_name. Switching from "cloud" to
"own hardware" is changing a model name — the game has no idea. The chat currently uses a
free model (Gemma family) by default.
Behind LiteLLM there are three interchangeable destinations:
The idea: start free in the cloud and, when it makes sense, move the chat to our own hardware without touching the game or the proxy.
Hubble (from Cilium) shows every L3/L4/L7 network flow in the cluster: you can watch, live, the request leaving the proxy toward LiteLLM and on to inference. Prometheus scrapes the metrics (LiteLLM exposes requests, latency, spend, fallbacks) and Grafana charts them. If something is slow or failing, you see it on a dashboard, not blind.
The proxy image is built inside the cluster with Kaniko orchestrated by Argo Workflows (no Docker daemon or external CI needed), on an arm64 node, and pushed to an internal registry. The deploy is a Helm chart that creates everything declarative: the HTTPRoute, the Certificate, and even an idempotent hook that adds the HTTPS listener to the shared gateway. Standing it up on another cluster is one command.
None of this was done "by hand and let's see if it works": Gateway and HTTPRoute (Gateway API), Certificate and ClusterIssuer (cert-manager CRDs), the build (Argo CRD), the deploy (Helm values). Everything is a versioned object that re-applies the same way every time. That's what makes a home-grown infra serious: it's reproducible.
A Telegram bot wired to Hermes (an agent already running in the same cluster) to run the game from Telegram chat: administer it, generate new content and orchestrate the world from your phone. The game gets a conversational "control panel", on the same infra.