Linux/systemd colibri-bridge packaging + domedog network facts #203

Merged

clawdie merged 2 commits from feat/colibri-bridge-linux-packaging into main

2026-06-26 01:35:10 +02:00

Author	SHA1	Message	Date
Sam & Claude	2be8d4f72f	docs(packaging): scrub real Tailscale IPs from bridge files Some checks are pending CI / rust (pull_request) Waiting to run Details CI / markdown (pull_request) Waiting to run Details CI / port (pull_request) Waiting to run Details CI / agent-jail-pkgs (pull_request) Waiting to run Details Per the no-real-100.x-IPs-in-git policy: env.example now ships COLIBRI_BRIDGE_LISTEN_ADDR=TAILSCALE_IP_REQUIRED (operator fills in via tailscale ip -4 at deploy time), and the README uses placeholders/commands instead of literal addresses for both domedog and hermes.	2026-06-26 01:22:10 +02:00
Sam & Claude	3b00b49e03	docs(packaging): Linux/systemd colibri-bridge + domedog network facts Some checks are pending CI / rust (pull_request) Waiting to run Details CI / markdown (pull_request) Waiting to run Details CI / port (pull_request) Waiting to run Details CI / agent-jail-pkgs (pull_request) Waiting to run Details Linux peer of packaging/freebsd/colibri_bridge.in: bridge the colibri-daemon control-plane Unix socket to TCP 9190 on the Tailscale interface so mesh hosts can reach the control plane. - colibri-bridge.service: systemd unit running socat under sandboxing, BindsTo the daemon, freebind so it can bind the tailnet IP before tailscaled is up. - colibri-bridge.env.example: tunables (systemd parallel to the rc.d sysrc vars). - colibri-bridge.nft: nftables ruleset for hosts WITHOUT ufw. - README: install steps + the verified domedog host facts (tailnet IP, ufw default-deny posture, 8443=CloudPanel and its public exposure) + open questions for the cross-host (hermes) review. Network gate already applied on domedog: `ufw allow in on tailscale0 to any port 9190 proto tcp`. The systemd unit is proposed pending the hermes review. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-06-26 01:03:29 +02:00

Author

SHA1

Message

Date

Sam & Claude

2be8d4f72f

docs(packaging): scrub real Tailscale IPs from bridge files

CI / rust (pull_request) Waiting to run

Details

CI / markdown (pull_request) Waiting to run

Details

CI / port (pull_request) Waiting to run

Details

CI / agent-jail-pkgs (pull_request) Waiting to run

Details

Per the no-real-100.x-IPs-in-git policy: env.example now ships
COLIBRI_BRIDGE_LISTEN_ADDR=TAILSCALE_IP_REQUIRED (operator fills in via
tailscale ip -4 at deploy time), and the README uses placeholders/commands
instead of literal addresses for both domedog and hermes.

2026-06-26 01:22:10 +02:00

Sam & Claude

3b00b49e03

docs(packaging): Linux/systemd colibri-bridge + domedog network facts

CI / rust (pull_request) Waiting to run

Details

CI / markdown (pull_request) Waiting to run

Details

CI / port (pull_request) Waiting to run

Details

CI / agent-jail-pkgs (pull_request) Waiting to run

Details

Linux peer of packaging/freebsd/colibri_bridge.in: bridge the colibri-daemon
control-plane Unix socket to TCP 9190 on the Tailscale interface so mesh hosts
can reach the control plane.

- colibri-bridge.service: systemd unit running socat under sandboxing, BindsTo
  the daemon, freebind so it can bind the tailnet IP before tailscaled is up.
- colibri-bridge.env.example: tunables (systemd parallel to the rc.d sysrc vars).
- colibri-bridge.nft: nftables ruleset for hosts WITHOUT ufw.
- README: install steps + the verified domedog host facts (tailnet IP, ufw
  default-deny posture, 8443=CloudPanel and its public exposure) + open
  questions for the cross-host (hermes) review.

Network gate already applied on domedog: `ufw allow in on tailscale0 to any
port 9190 proto tcp`. The systemd unit is proposed pending the hermes review.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-26 01:03:29 +02:00