Linux/systemd colibri-bridge packaging + domedog network facts #203

Merged
clawdie merged 2 commits from feat/colibri-bridge-linux-packaging into main 2026-06-26 01:35:10 +02:00
Owner

Records the Colibri TCP-bridge story end to end for the Linux/domedog side, mirroring packaging/freebsd/colibri_bridge.in on hermes.

What's here (packaging/linux/)

  • colibri-bridge.service — systemd unit running socat TCP-LISTEN:9190,bind=$ADDR,freebind → UNIX-CONNECT:$SOCKET, BindsTo the daemon, sandboxed. freebind binds the tailnet IP before tailscaled is up (the one improvement over the rc.d version).
  • colibri-bridge.env.example — tunables. COLIBRI_BRIDGE_LISTEN_ADDR=TAILSCALE_IP_REQUIRED (operator fills in via tailscale ip -4 at deploy; real 100.x addresses are never committed).
  • colibri-bridge.nft — nftables ruleset for hosts without ufw.
  • README.md — install steps, verified domedog host facts, open questions for the hermes review.

Network gate — already live on domedog

ufw allow in on tailscale0 to any port 9190 proto tcp is applied (v4+v6). domedog runs ufw default-deny, so the public side was already blocked and only the tailnet-scoped allow was needed. The nft table is kept for non-ufw hosts only (under ufw its accept isn't terminal and its drop is redundant).

Host facts recorded (verified 26.jun.2026)

  • domedog vs hermes: systemd vs rc.d; user clawdija vs clawdie; distinct tailnet 100.x addresses (via tailscale ip -4, not committed).
  • ufw active + default-deny incoming (nftables-backed, fail2ban on top); allowed inbound 22/80/443/8433–8443 + the new tailnet-scoped 9190.
  • Port 8443 = CloudPanel (nginx cloudpanel.conf, user clp); only 8443 listens. ⚠️ Its admin login is exposed to the public internet — flagged for the host-exposure review.

Status

  • systemd unit proposed, not yet enabled — pending the hermes cross-host review (control-plane auth model, socket-path parity, CloudPanel exposure).
  • The FreeBSD colibri_bridge.in health/status bug was fixed+pushed on the hermes side during this work.

Updated: scrubbed real Tailscale IPs from all committed files per the no-100.x-in-git policy.

🤖 Generated with Claude Code

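The deploy-time checks implied by the description above, written out as an added example; this is not the PR's packaging nor the colibri project's code. It assumes env keys `COLIBRI_BRIDGE_LISTEN_ADDR` and `COLIBRI_BRIDGE_SOCKET`, a daemon unit named `colibri-daemon.service`, a socket path `/run/colibri/control.sock`, and a validation rule of my own that the listen address must fall inside Tailscale's CGNAT range 100.64.0.0/10; the `ss -Hltn` snapshots are constructed, not captured from domedog. It renders the env file only from a tailnet address (refusing the `TAILSCALE_IP_REQUIRED` placeholder, so the scrubbed example file cannot be deployed by accident), prints a sandboxed unit sketch using `freebind`, and checks listener output to confirm 9190 is bound only on the tailnet address and not also on 0.0.0.0 or [::].

```shell
#!/bin/sh
# Added example; not part of PR #203 or the colibri project's packaging.
# Assumptions (mine, not the PR's): env keys COLIBRI_BRIDGE_LISTEN_ADDR and
# COLIBRI_BRIDGE_SOCKET, daemon unit colibri-daemon.service, socket path
# /run/colibri/control.sock, and the rule that the listen address must lie in
# Tailscale's CGNAT range 100.64.0.0/10. All addresses below are constructed.

# in_tailnet_range ADDR: succeed only if ADDR is a dotted-quad IPv4 address
# inside 100.64.0.0/10 (first octet 100, second octet 64..127).
in_tailnet_range() {
    case $1 in
        *.*.*.*.*|*[!0-9.]*|.*|*.|*..*) return 1 ;;  # >3 dots, non-digit, empty octet
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1   # unquoted split is safe: only digits and dots survive the case above
    IFS=$oldifs
    for o in "$@"; do
        case $o in 0?*) return 1 ;; esac   # reject leading zeros (octal ambiguity)
        [ "$o" -le 255 ] || return 1
    done
    [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# render_env ADDR SOCKET: print the env file body, refusing the placeholder the
# example file ships with and any address outside the tailnet range.
render_env() {
    if [ "$1" = TAILSCALE_IP_REQUIRED ]; then
        echo "refusing: fill COLIBRI_BRIDGE_LISTEN_ADDR from 'tailscale ip -4' first" >&2
        return 1
    fi
    in_tailnet_range "$1" || { echo "refusing: $1 is not inside 100.64.0.0/10" >&2; return 1; }
    printf 'COLIBRI_BRIDGE_LISTEN_ADDR=%s\nCOLIBRI_BRIDGE_SOCKET=%s\n' "$1" "$2"
}

# render_unit: print a unit sketch. The sandboxing directives, the cgroup IP
# filter and the fork,reuseaddr socat options are my additions, not the PR's unit.
render_unit() {
    cat <<'EOF'
[Unit]
Description=Colibri control-plane TCP bridge (tailnet-scoped)
BindsTo=colibri-daemon.service
After=colibri-daemon.service network-online.target

[Service]
EnvironmentFile=/etc/colibri/colibri-bridge.env
# freebind lets socat bind the tailnet IP before tailscaled has configured it.
ExecStart=/usr/bin/socat TCP-LISTEN:9190,bind=${COLIBRI_BRIDGE_LISTEN_ADDR},freebind,reuseaddr,fork UNIX-CONNECT:${COLIBRI_BRIDGE_SOCKET}
Restart=on-failure
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# cgroup-level belt and braces under the ufw/nft gate: tailnet peers only.
IPAddressDeny=any
IPAddressAllow=100.64.0.0/10

[Install]
WantedBy=multi-user.target
EOF
}

# check_listener ADDR SS_OUTPUT: succeed only if some :9190 listener exists in
# SS_OUTPUT (format of `ss -Hltn`) and every :9190 listener is bound to ADDR.
check_listener() {
    printf '%s\n' "$2" | {
        found=0
        while read -r _st _rq _sq laddr _rest; do
            case $laddr in *:9190) ;; *) continue ;; esac
            if [ "$laddr" != "$1:9190" ]; then
                echo "unexpected 9190 listener on $laddr" >&2
                exit 1   # exits the pipeline subshell, failing the function
            fi
            found=1
        done
        [ "$found" -eq 1 ] || { echo "no 9190 listener found" >&2; exit 1; }
    }
}

# Constructed `ss -Hltn` snapshots: a tailnet-only binding, and a misconfiguration
# where 9190 is also bound on 0.0.0.0 (reachable from the public side).
SAMPLE_SS_GOOD='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 100.64.0.7:9190 0.0.0.0:*'
SAMPLE_SS_BAD='LISTEN 0 5 100.64.0.7:9190 0.0.0.0:*
LISTEN 0 5 0.0.0.0:9190 0.0.0.0:*'

# Usage: sh bridge-checks.sh demo   (at a real deploy, pass "$(tailscale ip -4)"
# instead of the constructed literal address)
if [ "${1-}" = demo ]; then
    render_env 100.64.0.7 /run/colibri/control.sock && render_unit
fi
```

Run `sh bridge-checks.sh demo` to see the rendered env body and unit; after enabling the real unit, `check_listener "$(tailscale ip -4)" "$(ss -Hltn)"` is the quick confirmation that the bridge is not listening anywhere the ufw gate does not cover.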
clawdie added 1 commit 2026-06-26 01:03:56 +02:00
docs(packaging): Linux/systemd colibri-bridge + domedog network facts
3b00b49e03
Linux peer of packaging/freebsd/colibri_bridge.in: bridge the colibri-daemon
control-plane Unix socket to TCP 9190 on the Tailscale interface so mesh hosts
can reach the control plane.

- colibri-bridge.service: systemd unit running socat under sandboxing, BindsTo
  the daemon, freebind so it can bind the tailnet IP before tailscaled is up.
- colibri-bridge.env.example: tunables (systemd parallel to the rc.d sysrc vars).
- colibri-bridge.nft: nftables ruleset for hosts WITHOUT ufw.
- README: install steps + the verified domedog host facts (tailnet IP, ufw
  default-deny posture, 8443=CloudPanel and its public exposure) + open
  questions for the cross-host (hermes) review.

Network gate already applied on domedog: `ufw allow in on tailscale0 to any
port 9190 proto tcp`. The systemd unit is proposed pending the hermes review.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
claude-domedog added 1 commit 2026-06-26 01:22:20 +02:00
docs(packaging): scrub real Tailscale IPs from bridge files
2be8d4f72f
Per the no-real-100.x-IPs-in-git policy: env.example now ships
COLIBRI_BRIDGE_LISTEN_ADDR=TAILSCALE_IP_REQUIRED (operator fills in via
tailscale ip -4 at deploy time), and the README uses placeholders/commands
instead of literal addresses for both domedog and hermes.
clawdie merged commit ca5a226dce into main 2026-06-26 01:35:10 +02:00
clawdie deleted branch feat/colibri-bridge-linux-packaging 2026-06-26 01:35:12 +02:00
Reference: clawdie/colibri#203