From a6e509247fc1323fa0bfe0e5d34b1d53d744ad5c Mon Sep 17 00:00:00 2001 From: root Date: Wed, 27 May 2026 10:31:14 +0000 Subject: [PATCH] Record Tailscale login for Hermes --- docs/hermes-operations.md | 10 +++++++++- docs/hermes-setup-upgrade-roadmap.md | 10 +++++----- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/docs/hermes-operations.md b/docs/hermes-operations.md index fb103b9..d9a57c3 100644 --- a/docs/hermes-operations.md +++ b/docs/hermes-operations.md @@ -17,7 +17,7 @@ Observed on 2026-05-27: - Backup cron: `Sync Hermes persistent-data backup to GitHub`, every 30 minutes, local delivery - Watchdog cron: `ByteLyst Hermes gateway/backup/disk watchdog`, every 15 minutes, Telegram delivery on failure only - Dashboard policy: do not expose Hermes dashboard/API publicly without explicit approval -- Tailscale: installed and `tailscaled` enabled/running; login intentionally deferred until the operator can authenticate the node +- Tailscale: installed and `tailscaled` enabled/running; authenticated as tailnet IP `100.87.53.10` ## Safety guardrail: no public Hermes dashboard/API @@ -40,6 +40,14 @@ Allowed private access patterns for a future Hermes dashboard: 4. Cloudflare Access or equivalent identity gate 5. basic auth plus IP allowlist only if public routing is unavoidable and explicitly approved +Current private network access: + +```bash +tailscale status +tailscale ip -4 +# Expected server IPv4: 100.87.53.10 +``` + ## Health baseline commands ```bash diff --git a/docs/hermes-setup-upgrade-roadmap.md b/docs/hermes-setup-upgrade-roadmap.md index 8807c4d..ce9cc08 100644 --- a/docs/hermes-setup-upgrade-roadmap.md +++ b/docs/hermes-setup-upgrade-roadmap.md 
@@ -83,7 +83,7 @@ A healthy ByteLyst Hermes setup should be: - [x] Verify firewall/Caddy routes for any hostnames pointing to Hermes ports. - vijay: reviewed current listeners and Caddy references; no Hermes-specific public hostname was identified. Re-run before adding any new route. - [x] Decide private access pattern for any future dashboard: - - vijay: selected private-only access with local binding plus Tailscale/SSH tunnel; Tailscale is installed and `tailscaled` is enabled/running, but tailnet login remains a credential/auth step. + - vijay: selected private-only access with local binding plus Tailscale/SSH tunnel; Tailscale is installed, authenticated, and connected as `100.87.53.10`. - [x] local-only binding - [x] SSH tunnel - [x] Tailscale/WireGuard @@ -298,8 +298,8 @@ A healthy ByteLyst Hermes setup should be: - [x] Do not expose Hermes dashboard publicly. - vijay: no public dashboard/API route added; private-only policy documented. - [x] If a dashboard is useful, make it private-only and operationally scoped. - - vijay: selected private-only dashboard direction; installed Tailscale daemon for future private access. Dashboard itself is not running and no `9119/9120` listener is exposed. - - bheem: Uma dashboard access should use the same private-only host path after Tailscale login; no Uma dashboard listener is exposed. + - vijay: selected private-only dashboard direction; Tailscale is connected at `100.87.53.10`. Dashboard itself is not running and no `9119/9120` listener is exposed. + - bheem: Uma dashboard access should use the same private-only Tailscale host path; no Uma dashboard listener is exposed. - [ ] Dashboard should show: - [ ] gateway status - [ ] active sessions 
@@ -308,7 +308,7 @@ A healthy ByteLyst Hermes setup should be: - [ ] recent sanitized alerts - [ ] quick links to docs/runbooks - [x] Any dashboard actions must require authentication and ideally remain reachable only over private network/tunnel. - - vijay: standing decision is local/Tailscale/SSH-only. Tailnet login and dashboard auth validation remain tomorrow tasks. + - vijay: standing decision is local/Tailscale/SSH-only. Tailnet login is complete; dashboard auth validation remains a future task if the dashboard is started. - bheem: same standing decision for Uma; no public dashboard route should be added. - [x] Add a Caddy review step before adding any new hostname. - vijay: added Caddy/port review commands to `docs/hermes-operations.md`. @@ -432,7 +432,7 @@ This roadmap is complete when: - bheem: verified Uma provider smoke test: `uma-roadmap-ok`. - vijay: confirmed root service is enabled and active. - bheem: confirmed Uma service is enabled and active; Docker-based Uma Hermes remains removed. -- vijay: installed Tailscale `1.98.3`; `tailscaled` is enabled/running and awaits tailnet login. +- vijay: installed Tailscale `1.98.3`; `tailscaled` is enabled/running and authenticated to tailnet IP `100.87.53.10`. - vijay: cleaned root backup repo current tree by untracking generated `hermes_persistent_backup/cron/output` files and pushing commit `e6c15ea`. - bheem: confirmed Uma wrapper repo is clean at `7ee5720` after Docker deployment removal. - vijay: ran root restore rehearsal into `/tmp/hermes-restore-test-root`, verified portable restore content, and scanned restored config/template for common token patterns.
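Review bot: the replacement Tailscale bullet in docs/hermes-operations.md (hunk @@ -17,7) records only the resulting address and drops the one operationally useful detail the old text carried, namely that authentication was a distinct step: which tailnet the node joined, whether the login was an interactive browser login or a pre-authorised key, and whether node key expiry was left enabled are what decide if this node silently drops off the tailnet later, and none of them is written down. Suggest extending the line along the lines of "- Tailscale: installed and `tailscaled` enabled/running; authenticated to tailnet <tailnet name> as `100.87.53.10` (login: <method>, key expiry: <enabled/disabled>)", with the angle-bracket values filled in from the actual login. Listing the address itself is fine with respect to the "no public Hermes dashboard/API" guardrail that follows, since `100.87.53.10` sits in the 100.64.0.0/10 range Tailscale assigns and is not routable from the public internet.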
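Review bot: the "Current private network access" block added to docs/hermes-operations.md (hunk @@ -40,6) is a manual check with nothing automated behind it; the watchdog cron listed in the file header (`ByteLyst Hermes gateway/backup/disk watchdog`, every 15 minutes) covers gateway, backup and disk but not tailnet connectivity, so an expired node key or a stopped `tailscaled` would only be noticed when someone runs `tailscale status` by hand. Suggest either adding a tailnet connectivity check to that watchdog or saying in this block that the check is manual and how often it is expected to be run. The comment `# Expected server IPv4: 100.87.53.10` will also go stale if the node is ever removed from the tailnet and re-registered, because it is assigned a new address then; a short sentence saying where the canonical address is maintained would stop readers from trusting an outdated copy.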
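Review bot: the rewritten vijay note under "Decide private access pattern for any future dashboard" in docs/hermes-setup-upgrade-roadmap.md (hunk @@ -83,7) treats a connected node as satisfying `[x] Tailscale/WireGuard`, but "private-only access" over Tailscale depends on the tailnet ACL policy, and nothing in the note records what that policy allows to reach this host. Suggest adding a clause such as "tailnet ACL: <which devices/users may reach this node and on which ports>" so that the checklist captures the access restriction and not just the connectivity.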
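Review bot: the updated vijay note under "Any dashboard actions must require authentication and ideally remain reachable only over private network/tunnel" in docs/hermes-setup-upgrade-roadmap.md (hunk @@ -308,7) says "dashboard auth validation remains a future task", yet the parent item stays `[x]`; a reader scanning the checklist will take authentication as already verified. Suggest either unchecking the item until the validation happens, or rewording the note so it is explicit that the `[x]` records the standing reachability decision (local/Tailscale/SSH-only) and not a completed authentication check, for example "- vijay: standing decision is local/Tailscale/SSH-only (this is what the checkbox records). Tailnet login is complete; dashboard auth validation is still open and will be tracked separately if the dashboard is started."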
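Review bot: the changelog-style entry in docs/hermes-setup-upgrade-roadmap.md (hunk @@ -432,7) edits a historical record in place rather than appending to it; the surrounding lines ("installed Tailscale `1.98.3`", "pushed commit `e6c15ea`", "ran root restore rehearsal") read as a log of what was done and when, and rewriting "awaits tailnet login" into "authenticated" loses the fact that install and login were separate events. Suggest leaving the original line and appending a new entry such as "- vijay: authenticated `tailscaled` to the tailnet; node address `100.87.53.10`." This is also the fifth place in the patch where `100.87.53.10` is written out (the operations bullet, the operations command block, and the roadmap hunks at @@ -83, @@ -298 and here); keeping the address in one place and referring to it elsewhere would avoid the copies drifting the first time the node is re-registered.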