Record Tailscale login for Hermes

This commit is contained in:
root 2026-05-27 10:31:14 +00:00
parent ac364be6c3
commit a6e509247f
2 changed files with 14 additions and 6 deletions

View File

@ -17,7 +17,7 @@ Observed on 2026-05-27:
- Backup cron: `Sync Hermes persistent-data backup to GitHub`, every 30 minutes, local delivery - Backup cron: `Sync Hermes persistent-data backup to GitHub`, every 30 minutes, local delivery
- Watchdog cron: `ByteLyst Hermes gateway/backup/disk watchdog`, every 15 minutes, Telegram delivery on failure only - Watchdog cron: `ByteLyst Hermes gateway/backup/disk watchdog`, every 15 minutes, Telegram delivery on failure only
- Dashboard policy: do not expose Hermes dashboard/API publicly without explicit approval - Dashboard policy: do not expose Hermes dashboard/API publicly without explicit approval
- Tailscale: installed and `tailscaled` enabled/running; login intentionally deferred until the operator can authenticate the node - Tailscale: installed and `tailscaled` enabled/running; authenticated as tailnet IP `100.87.53.10`
## Safety guardrail: no public Hermes dashboard/API ## Safety guardrail: no public Hermes dashboard/API
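Review bot: the new state line records the tailnet IP but not who is allowed to reach it, and the "Dashboard policy" line directly above depends on exactly that. A tailnet address only constrains the path; whether a future dashboard on `100.87.53.10` is reachable by every tailnet member or only by the operator is decided by the tailnet ACL, so the observed-state block should also record the ACL posture for this node (the users or tags permitted to reach its ports) and the node's tailnet hostname, since the hostname is the stable handle if the node is ever re-registered and receives a different address.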
@ -40,6 +40,14 @@ Allowed private access patterns for a future Hermes dashboard:
4. Cloudflare Access or equivalent identity gate 4. Cloudflare Access or equivalent identity gate
5. basic auth plus IP allowlist only if public routing is unavoidable and explicitly approved 5. basic auth plus IP allowlist only if public routing is unavoidable and explicitly approved
Current private network access:
```bash
tailscale status
tailscale ip -4
# Expected server IPv4: 100.87.53.10
```
## Health baseline commands ## Health baseline commands
```bash ```bash
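Review bot: `tailscale ip -4` followed by an expected-value comment leaves the comparison to the reader; in a runbook meant to be re-run, make it a check that fails, for example `[ "$(tailscale ip -4)" = "100.87.53.10" ] || echo "tailnet IP changed"`. Separately, the section is titled "Current private network access" but the allowed patterns above it pair "local binding" with Tailscale, and those two do not combine by themselves: a dashboard bound to `127.0.0.1` is not reachable at `100.87.53.10`, while one bound to `0.0.0.0` is reachable on the public interface as well. State which address the dashboard is expected to bind to (the tailnet address, or loopback with an SSH tunnel carried over the tailnet) so the Caddy/port review has something concrete to verify.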

View File

@ -83,7 +83,7 @@ A healthy ByteLyst Hermes setup should be:
- [x] Verify firewall/Caddy routes for any hostnames pointing to Hermes ports. - [x] Verify firewall/Caddy routes for any hostnames pointing to Hermes ports.
- vijay: reviewed current listeners and Caddy references; no Hermes-specific public hostname was identified. Re-run before adding any new route. - vijay: reviewed current listeners and Caddy references; no Hermes-specific public hostname was identified. Re-run before adding any new route.
- [x] Decide private access pattern for any future dashboard: - [x] Decide private access pattern for any future dashboard:
- vijay: selected private-only access with local binding plus Tailscale/SSH tunnel; Tailscale is installed and `tailscaled` is enabled/running, but tailnet login remains a credential/auth step. - vijay: selected private-only access with local binding plus Tailscale/SSH tunnel; Tailscale is installed, authenticated, and connected as `100.87.53.10`.
- [x] local-only binding - [x] local-only binding
- [x] SSH tunnel - [x] SSH tunnel
- [x] Tailscale/WireGuard - [x] Tailscale/WireGuard
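Review bot: "connected as `100.87.53.10`" in the vijay line asserts more than the checks elsewhere in this commit support; holding a tailnet address shows the node is authenticated, not that the operator's machine can reach it. Record the reachability check that was run from the operator side (for example `tailscale ping 100.87.53.10` from the operator's node, or an SSH session over that address) next to the checked "Tailscale/WireGuard" item; otherwise the checkbox is closed on the server's view alone.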
@ -298,8 +298,8 @@ A healthy ByteLyst Hermes setup should be:
- [x] Do not expose Hermes dashboard publicly. - [x] Do not expose Hermes dashboard publicly.
- vijay: no public dashboard/API route added; private-only policy documented. - vijay: no public dashboard/API route added; private-only policy documented.
- [x] If a dashboard is useful, make it private-only and operationally scoped. - [x] If a dashboard is useful, make it private-only and operationally scoped.
- vijay: selected private-only dashboard direction; installed Tailscale daemon for future private access. Dashboard itself is not running and no `9119/9120` listener is exposed. - vijay: selected private-only dashboard direction; Tailscale is connected at `100.87.53.10`. Dashboard itself is not running and no `9119/9120` listener is exposed.
- bheem: Uma dashboard access should use the same private-only host path after Tailscale login; no Uma dashboard listener is exposed. - bheem: Uma dashboard access should use the same private-only Tailscale host path; no Uma dashboard listener is exposed.
- [ ] Dashboard should show: - [ ] Dashboard should show:
- [ ] gateway status - [ ] gateway status
- [ ] active sessions - [ ] active sessions
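Review bot: "no `9119/9120` listener is exposed" in the vijay line is ambiguous now that the host has a tailnet interface: a listener on `0.0.0.0` would be reachable over both the tailnet and the public address, so "exposed" needs to mean "listening on a non-loopback address" and the line should state the listener check and its result (bind address per port) rather than only the conclusion. The bheem line says Uma will share the same Tailscale host path; if the Uma and root Hermes dashboards are meant for different operators, note that the tailnet ACL would have to scope access per port on this one node, since both share `100.87.53.10`.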
@ -308,7 +308,7 @@ A healthy ByteLyst Hermes setup should be:
- [ ] recent sanitized alerts - [ ] recent sanitized alerts
- [ ] quick links to docs/runbooks - [ ] quick links to docs/runbooks
- [x] Any dashboard actions must require authentication and ideally remain reachable only over private network/tunnel. - [x] Any dashboard actions must require authentication and ideally remain reachable only over private network/tunnel.
- vijay: standing decision is local/Tailscale/SSH-only. Tailnet login and dashboard auth validation remain tomorrow tasks. - vijay: standing decision is local/Tailscale/SSH-only. Tailnet login is complete; dashboard auth validation remains a future task if the dashboard is started.
- bheem: same standing decision for Uma; no public dashboard route should be added. - bheem: same standing decision for Uma; no public dashboard route should be added.
- [x] Add a Caddy review step before adding any new hostname. - [x] Add a Caddy review step before adding any new hostname.
- vijay: added Caddy/port review commands to `docs/hermes-operations.md`. - vijay: added Caddy/port review commands to `docs/hermes-operations.md`.
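Review bot: the "Any dashboard actions must require authentication" item stays checked while the vijay line under it says auth validation "remains a future task if the dashboard is started", so the checkbox records a decision rather than a verified control. Either leave the item open until the dashboard exists and its authentication has been exercised, or reword the line so the gate is explicit: the dashboard is not to be started on the tailnet address until authentication has been validated. As written, a later reader sees the item as done.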
@ -432,7 +432,7 @@ This roadmap is complete when:
- bheem: verified Uma provider smoke test: `uma-roadmap-ok`. - bheem: verified Uma provider smoke test: `uma-roadmap-ok`.
- vijay: confirmed root service is enabled and active. - vijay: confirmed root service is enabled and active.
- bheem: confirmed Uma service is enabled and active; Docker-based Uma Hermes remains removed. - bheem: confirmed Uma service is enabled and active; Docker-based Uma Hermes remains removed.
- vijay: installed Tailscale `1.98.3`; `tailscaled` is enabled/running and awaits tailnet login. - vijay: installed Tailscale `1.98.3`; `tailscaled` is enabled/running and authenticated to tailnet IP `100.87.53.10`.
- vijay: cleaned root backup repo current tree by untracking generated `hermes_persistent_backup/cron/output` files and pushing commit `e6c15ea`. - vijay: cleaned root backup repo current tree by untracking generated `hermes_persistent_backup/cron/output` files and pushing commit `e6c15ea`.
- bheem: confirmed Uma wrapper repo is clean at `7ee5720` after Docker deployment removal. - bheem: confirmed Uma wrapper repo is clean at `7ee5720` after Docker deployment removal.
- vijay: ran root restore rehearsal into `/tmp/hermes-restore-test-root`, verified portable restore content, and scanned restored config/template for common token patterns. - vijay: ran root restore rehearsal into `/tmp/hermes-restore-test-root`, verified portable restore content, and scanned restored config/template for common token patterns.
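Review bot: the vijay line records the result (authenticated, `100.87.53.10`) but not how the node was authenticated, which is the part an unattended server needs documented. Add whether login used the interactive browser flow or an auth key; if an auth key, whether it was single-use or reusable and whether it has since been revoked; and whether node key expiry was disabled for this machine, because with expiry left at the default the node drops off the tailnet when its key expires and the private access path documented in the other file stops working without any alert from the watchdog cron. The `1.98.3` version pin is useful; keep it.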