feat(support): add support service with WebSockets and Yamux

.github/workflows/ci-main.yml

@@ -17,11 +17,19 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        component: [backend, sync, collect]
+        include:
+          - component: backend
+            path: backend
+          - component: sync
+            path: sync
+          - component: collect
+            path: collect
+          - component: support
+            path: services/support
 
     defaults:
       run:
-        working-directory: ${{ matrix.component }}
+        working-directory: ${{ matrix.path }}
 
     steps:
     - uses: actions/checkout@v4
@@ -38,7 +46,7 @@ jobs:
         path: |
           ~/.cache/go-build
           ~/go/pkg/mod
-        key: ${{ runner.os }}-go-${{ matrix.component }}-${{ hashFiles(format('{0}/go.sum', matrix.component)) }}
+        key: ${{ runner.os }}-go-${{ matrix.component }}-${{ hashFiles(format('{0}/go.sum', matrix.path)) }}
         restore-keys: |
           ${{ runner.os }}-go-${{ matrix.component }}-
 
@@ -56,7 +64,7 @@ jobs:
       uses: actions/upload-artifact@v4
       with:
         name: ${{ matrix.component }}-coverage
-        path: ${{ matrix.component }}/coverage.out
+        path: ${{ matrix.path }}/coverage.out
         retention-days: 30
 
     - name: Run go vet
@@ -74,7 +82,7 @@ jobs:
       uses: golangci/golangci-lint-action@v6
       with:
         version: latest
-        working-directory: ${{ matrix.component }}
+        working-directory: ${{ matrix.path }}
         args: --timeout=10m
 
   # ===========================================================================
@@ -142,6 +150,11 @@ jobs:
             context: proxy
           - component: mimir
             context: services/mimir
+          - component: support
+            context: services/support
+          - component: tunnel-client
+            context: services/support
+            dockerfile: services/support/Containerfile.tunnel-client
 
     steps:
     - uses: actions/checkout@v4
@@ -200,3 +213,58 @@ jobs:
       with:
         sarif_file: 'trivy-${{ matrix.component }}-results.sarif'
         category: 'trivy-${{ matrix.component }}'
+
+  # ===========================================================================
+  # TUNNEL CLIENT BINARY - Rolling dev release (only on main push)
+  # ===========================================================================
+  tunnel-client-binary:
+    runs-on: ubuntu-latest
+    needs: [go-tests, frontend-tests]
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    permissions:
+      contents: write
+
+    steps:
+    - uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: '1.24'
+        cache: false
+
+    - name: Build tunnel-client binary
+      working-directory: services/support
+      run: |
+        COMMIT="${{ github.sha }}"
+        BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+        LDFLAGS="-s -w -X github.com/nethesis/my/services/support/pkg/version.Version=dev-${COMMIT::7} -X github.com/nethesis/my/services/support/pkg/version.Commit=${COMMIT} -X github.com/nethesis/my/services/support/pkg/version.BuildTime=${BUILD_TIME}"
+
+        mkdir -p dist
+        GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="${LDFLAGS}" -o dist/tunnel-client-linux-amd64 ./cmd/tunnel-client/main.go
+
+    - name: Update dev release
+      uses: softprops/action-gh-release@v2
+      with:
+        tag_name: dev
+        name: Development Build
+        body: |
+          Rolling development build from `main` branch.
+          Updated on every push to main.
+
+          **Commit:** ${{ github.sha }}
+
+          ## Download
+
+          - `tunnel-client-linux-amd64` — tunnel client for NethSecurity (OpenWrt)
+        prerelease: true
+        make_latest: false
+        files: |
+          services/support/dist/tunnel-client-linux-amd64
+
+    - name: Delete old dev tag and recreate
+      run: |
+        git tag -d dev 2>/dev/null || true
+        git push origin :refs/tags/dev 2>/dev/null || true
+        git tag dev
+        git push origin dev

.github/workflows/pr-build-trigger.yml

@@ -64,7 +64,7 @@ jobs:
           echo "Updating build triggers with timestamp: $TIMESTAMP"
           UPDATED_FILES=()
 
-          for component in backend collect frontend proxy services/mimir; do
+          for component in backend collect frontend proxy services/mimir services/support; do
             if [ -f "$component/.render-build-trigger" ]; then
               echo "Updating $component/.render-build-trigger"
               perl -i -pe "s/LAST_UPDATE=.*/LAST_UPDATE=$TIMESTAMP/" "$component/.render-build-trigger"
@@ -108,7 +108,7 @@ jobs:
 
           echo "✅ Safety checks passed. Proceeding with commit to branch: $TARGET_BRANCH"
 
-          git add */.render-build-trigger services/mimir/.render-build-trigger
+          git add */.render-build-trigger services/mimir/.render-build-trigger services/support/.render-build-trigger
           git commit -m "chore: update build triggers for PR deployment
 
           Auto-updated .render-build-trigger files to ensure all services

.github/workflows/pr-update-template.yml

@@ -111,7 +111,9 @@ jobs:
                   { name: 'Collect Build', jobKey: 'build (collect)' },
                   { name: 'Sync Build', jobKey: 'build (sync)' },
                   { name: 'Frontend Build', jobKey: 'build (frontend)' },
-                  { name: 'Proxy Build', jobKey: 'build (proxy)' }
+                  { name: 'Proxy Build', jobKey: 'build (proxy)' },
+                  { name: 'Support Tests', jobKey: 'go-tests (services/support)' },
+                  { name: 'Support Build', jobKey: 'build (support)' }
                 ];
 
                 for (const { name, jobKey } of badgeReplacements) {

.github/workflows/release-production.yml

@@ -62,6 +62,15 @@ jobs:
           exit 1
         fi
 
+    - name: Check code formatting (support)
+      working-directory: services/support
+      run: |
+        if [ "$(gofmt -s -l . | wc -l)" -gt 0 ]; then
+          echo "Code is not formatted properly in services/support:"
+          gofmt -s -l .
+          exit 1
+        fi
+
     - name: Run backend linting
       uses: golangci/golangci-lint-action@v6
       with:
@@ -83,6 +92,13 @@ jobs:
         working-directory: collect
         args: --timeout=10m
 
+    - name: Run support linting
+      uses: golangci/golangci-lint-action@v6
+      with:
+        version: latest
+        working-directory: services/support
+        args: --timeout=10m
+
     - name: Run backend tests
       working-directory: backend
       run: go test ./...
@@ -95,6 +111,10 @@ jobs:
       working-directory: collect
       run: go test ./...
 
+    - name: Run support tests
+      working-directory: services/support
+      run: go test ./...
+
     - name: Set up Node.js
       uses: actions/setup-node@v4
       with:
@@ -196,6 +216,33 @@ jobs:
         tar -czf sync-linux-amd64.tar.gz sync-linux-amd64-release
         rm -rf sync-linux-amd64-release
 
+    # Support Release
+    - name: Build support binary
+      working-directory: services/support
+      run: |
+        mkdir -p dist
+
+        VERSION="${{ steps.version.outputs.VERSION }}"
+        COMMIT="${{ github.sha }}"
+        BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+        LDFLAGS="-s -w -X github.com/nethesis/my/services/support/pkg/version.Version=${VERSION} -X github.com/nethesis/my/services/support/pkg/version.Commit=${COMMIT} -X github.com/nethesis/my/services/support/pkg/version.BuildTime=${BUILD_TIME}"
+
+        GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="${LDFLAGS}" -o dist/support-linux-amd64 main.go
+
+        cd dist
+        tar -czf support-linux-amd64.tar.gz support-linux-amd64
+
+    # Tunnel Client Release
+    - name: Build tunnel-client binary
+      working-directory: services/support
+      run: |
+        VERSION="${{ steps.version.outputs.VERSION }}"
+        COMMIT="${{ github.sha }}"
+        BUILD_TIME=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+        LDFLAGS="-s -w -X github.com/nethesis/my/services/support/pkg/version.Version=${VERSION} -X github.com/nethesis/my/services/support/pkg/version.Commit=${COMMIT} -X github.com/nethesis/my/services/support/pkg/version.BuildTime=${BUILD_TIME}"
+
+        GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -ldflags="${LDFLAGS}" -o dist/tunnel-client-linux-amd64 ./cmd/tunnel-client/main.go
+
     # Docker Images
     - name: Extract backend metadata
       id: backend_meta
@@ -395,6 +442,76 @@ jobs:
         format: cyclonedx-json
         output-file: mimir-sbom.cdx.json
 
+    - name: Extract support metadata
+      id: support_meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ env.REGISTRY }}/${{ github.repository }}/support
+        tags: |
+          type=semver,pattern=v{{version}},value=${{ steps.version.outputs.VERSION }}
+          type=raw,value=latest
+
+    - name: Build and push support Docker image
+      uses: docker/build-push-action@v5
+      with:
+        context: services/support
+        file: services/support/Containerfile
+        platforms: linux/amd64
+        push: true
+        tags: ${{ steps.support_meta.outputs.tags }}
+        labels: |
+          ${{ steps.support_meta.outputs.labels }}
+          org.opencontainers.image.title=My Nethesis Support
+          org.opencontainers.image.description=WebSocket tunnel support service for My Nethesis
+        cache-from: type=gha,scope=support
+        cache-to: type=gha,mode=max,scope=support
+        build-args: |
+          VERSION=${{ steps.version.outputs.VERSION }}
+          COMMIT=${{ github.sha }}
+          BUILD_TIME=${{ steps.support_meta.outputs.labels['org.opencontainers.image.created'] }}
+
+    - name: Generate support SBOM
+      uses: anchore/sbom-action@v0
+      with:
+        image: ${{ env.REGISTRY }}/${{ steps.image_prefix.outputs.PREFIX }}/support:${{ steps.version.outputs.VERSION }}
+        format: cyclonedx-json
+        output-file: support-sbom.cdx.json
+
+    - name: Extract tunnel-client metadata
+      id: tunnel_client_meta
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ env.REGISTRY }}/${{ github.repository }}/tunnel-client
+        tags: |
+          type=semver,pattern=v{{version}},value=${{ steps.version.outputs.VERSION }}
+          type=raw,value=latest
+
+    - name: Build and push tunnel-client Docker image
+      uses: docker/build-push-action@v5
+      with:
+        context: services/support
+        file: services/support/Containerfile.tunnel-client
+        platforms: linux/amd64
+        push: true
+        tags: ${{ steps.tunnel_client_meta.outputs.tags }}
+        labels: |
+          ${{ steps.tunnel_client_meta.outputs.labels }}
+          org.opencontainers.image.title=My Nethesis Tunnel Client
+          org.opencontainers.image.description=WebSocket tunnel client for NS8 remote support
+        cache-from: type=gha,scope=tunnel-client
+        cache-to: type=gha,mode=max,scope=tunnel-client
+        build-args: |
+          VERSION=${{ steps.version.outputs.VERSION }}
+          COMMIT=${{ github.sha }}
+          BUILD_TIME=${{ steps.tunnel_client_meta.outputs.labels['org.opencontainers.image.created'] }}
+
+    - name: Generate tunnel-client SBOM
+      uses: anchore/sbom-action@v0
+      with:
+        image: ${{ env.REGISTRY }}/${{ steps.image_prefix.outputs.PREFIX }}/tunnel-client:${{ steps.version.outputs.VERSION }}
+        format: cyclonedx-json
+        output-file: tunnel-client-sbom.cdx.json
+
     # Create GitHub Release
     - name: Create Release
       uses: softprops/action-gh-release@v2
@@ -404,9 +521,13 @@ jobs:
           backend/dist/*.tar.gz
           sync/dist/*.tar.gz
           collect/dist/*.tar.gz
+          services/support/dist/support-linux-amd64.tar.gz
+          services/support/dist/tunnel-client-linux-amd64
           backend-sbom.cdx.json
           sync-sbom.cdx.json
           collect-sbom.cdx.json
+          support-sbom.cdx.json
+          tunnel-client-sbom.cdx.json
           frontend-sbom.cdx.json
           proxy-sbom.cdx.json
           mimir-sbom.cdx.json

.gitignore

@@ -9,6 +9,9 @@ collect/collect
 collect/main
 collect/build/
 collect/*.exe
+services/support/build/
+services/support/tunnel-client
+services/support/*.exe
 *.exe
 *.bin