Record Tailscale login for Hermes

This commit is contained in:
root 2026-05-27 10:31:14 +00:00
parent ac364be6c3
commit a6e509247f
2 changed files with 14 additions and 6 deletions

View File

@ -17,7 +17,7 @@ Observed on 2026-05-27:
- Backup cron: `Sync Hermes persistent-data backup to GitHub`, every 30 minutes, local delivery
- Watchdog cron: `ByteLyst Hermes gateway/backup/disk watchdog`, every 15 minutes, Telegram delivery on failure only
- Dashboard policy: do not expose Hermes dashboard/API publicly without explicit approval
- Tailscale: installed and `tailscaled` enabled/running; login intentionally deferred until the operator can authenticate the node
- Tailscale: installed and `tailscaled` enabled/running; authenticated as tailnet IP `100.87.53.10`
## Safety guardrail: no public Hermes dashboard/API
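Review bot: the updated Tailscale line records only the tailnet IP `100.87.53.10`, which is not enough to tell later whether the node is still on the tailnet: the watchdog cron two lines above covers gateway/backup/disk but not Tailscale, and a node whose node key expires drops off the tailnet silently. Suggest adding the node name and whether key expiry was disabled for this node, and adding a `tailscale status` check to the watchdog so a logged-out node raises a Telegram alert like the other failures.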
@ -40,6 +40,14 @@ Allowed private access patterns for a future Hermes dashboard:
4. Cloudflare Access or equivalent identity gate
5. basic auth plus IP allowlist only if public routing is unavoidable and explicitly approved
Current private network access:
```bash
tailscale status
tailscale ip -4
# Expected server IPv4: 100.87.53.10
```
## Health baseline commands
```bash
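Review bot: the new `Current private network access` block shows the expected IPv4 but not what a failing state looks like, so an operator cannot tell a healthy result from a stale one; `tailscale status` on a node that needs re-authentication prints `Logged out.` instead of a peer list, and the hard-coded `100.87.53.10` will change if the host is ever re-added as a new node. Suggest stating that the status output must list peers rather than `Logged out.`, and recording the node's MagicDNS name next to the IP so the doc survives a re-join.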

View File

@ -83,7 +83,7 @@ A healthy ByteLyst Hermes setup should be:
- [x] Verify firewall/Caddy routes for any hostnames pointing to Hermes ports.
- vijay: reviewed current listeners and Caddy references; no Hermes-specific public hostname was identified. Re-run before adding any new route.
- [x] Decide private access pattern for any future dashboard:
- vijay: selected private-only access with local binding plus Tailscale/SSH tunnel; Tailscale is installed and `tailscaled` is enabled/running, but tailnet login remains a credential/auth step.
- vijay: selected private-only access with local binding plus Tailscale/SSH tunnel; Tailscale is installed, authenticated, and connected as `100.87.53.10`.
- [x] local-only binding
- [x] SSH tunnel
- [x] Tailscale/WireGuard
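Review bot: the rewritten vijay line says the host is authenticated and connected but not under which tailnet, user or tag the node was admitted, and the commit itself is authored by `root`, so the checklist leaves no record of who approved bringing this host onto the tailnet. Suggest adding the tailnet name and the authenticating account (or ACL tag) to the note so the ticked `Tailscale/WireGuard` item can be audited later.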
@ -298,8 +298,8 @@ A healthy ByteLyst Hermes setup should be:
- [x] Do not expose Hermes dashboard publicly.
- vijay: no public dashboard/API route added; private-only policy documented.
- [x] If a dashboard is useful, make it private-only and operationally scoped.
- vijay: selected private-only dashboard direction; installed Tailscale daemon for future private access. Dashboard itself is not running and no `9119/9120` listener is exposed.
- bheem: Uma dashboard access should use the same private-only host path after Tailscale login; no Uma dashboard listener is exposed.
- vijay: selected private-only dashboard direction; Tailscale is connected at `100.87.53.10`. Dashboard itself is not running and no `9119/9120` listener is exposed.
- bheem: Uma dashboard access should use the same private-only Tailscale host path; no Uma dashboard listener is exposed.
- [ ] Dashboard should show:
- [ ] gateway status
- [ ] active sessions
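Review bot: the vijay line keeps the claim that no `9119/9120` listener is exposed, but that check predates the tailnet join; once `tailscaled` is up the host has an additional interface, and any future dashboard bound to all interfaces rather than loopback becomes reachable from every tailnet peer, not only the operator. Suggest re-running the listener review now and stating in the note that the dashboard must bind to `127.0.0.1` (or the tailnet address only) as a precondition, e.g. `ss -ltnp | grep -E ':(9119|9120)'` should show loopback binding or nothing.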
@ -308,7 +308,7 @@ A healthy ByteLyst Hermes setup should be:
- [ ] recent sanitized alerts
- [ ] quick links to docs/runbooks
- [x] Any dashboard actions must require authentication and ideally remain reachable only over private network/tunnel.
- vijay: standing decision is local/Tailscale/SSH-only. Tailnet login and dashboard auth validation remain tomorrow tasks.
- vijay: standing decision is local/Tailscale/SSH-only. Tailnet login is complete; dashboard auth validation remains a future task if the dashboard is started.
- bheem: same standing decision for Uma; no public dashboard route should be added.
- [x] Add a Caddy review step before adding any new hostname.
- vijay: added Caddy/port review commands to `docs/hermes-operations.md`.
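Review bot: the parent item `Any dashboard actions must require authentication` stays ticked `[x]` while the updated vijay note says dashboard auth validation remains a future task, so the checklist reads as done when the control has not been verified. Suggest either unticking it until the dashboard exists and its auth has been tested, or rewording the item to record that it is a precondition to be verified before any dashboard is started.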
@ -432,7 +432,7 @@ This roadmap is complete when:
- bheem: verified Uma provider smoke test: `uma-roadmap-ok`.
- vijay: confirmed root service is enabled and active.
- bheem: confirmed Uma service is enabled and active; Docker-based Uma Hermes remains removed.
- vijay: installed Tailscale `1.98.3`; `tailscaled` is enabled/running and awaits tailnet login.
- vijay: installed Tailscale `1.98.3`; `tailscaled` is enabled/running and authenticated to tailnet IP `100.87.53.10`.
- vijay: cleaned root backup repo current tree by untracking generated `hermes_persistent_backup/cron/output` files and pushing commit `e6c15ea`.
- bheem: confirmed Uma wrapper repo is clean at `7ee5720` after Docker deployment removal.
- vijay: ran root restore rehearsal into `/tmp/hermes-restore-test-root`, verified portable restore content, and scanned restored config/template for common token patterns.
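Review bot: the updated roadmap line records the Tailscale version and the tailnet IP but not how the node was authenticated; if a pre-generated auth key was used, it may now sit in shell history or in root's files, and the backup cron syncs persistent data to GitHub every 30 minutes. Suggest noting the login method here and extending the token-pattern scan mentioned in the restore rehearsal line to cover Tailscale auth keys (`tskey-` prefix) so a key cannot ride along in a backup push.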