colibri/packaging/linux
Sam & Claude 3b00b49e03
Some checks failed
CI / rust (pull_request) Has been cancelled
CI / markdown (pull_request) Has been cancelled
CI / port (pull_request) Has been cancelled
CI / agent-jail-pkgs (pull_request) Has been cancelled
docs(packaging): Linux/systemd colibri-bridge + domedog network facts
Linux peer of packaging/freebsd/colibri_bridge.in: bridge the colibri-daemon
control-plane Unix socket to TCP 9190 on the Tailscale interface so mesh hosts
can reach the control plane.

- colibri-bridge.service: systemd unit running socat under sandboxing, BindsTo
  the daemon, freebind so it can bind the tailnet IP before tailscaled is up.
- colibri-bridge.env.example: tunables (systemd parallel to the rc.d sysrc vars).
- colibri-bridge.nft: nftables ruleset for hosts WITHOUT ufw.
- README: install steps + the verified domedog host facts (tailnet IP, ufw
  default-deny posture, 8443=CloudPanel and its public exposure) + open
  questions for the cross-host (hermes) review.

Network gate already applied on domedog: `ufw allow in on tailscale0 to any
port 9190 proto tcp`. The systemd unit is proposed pending the hermes review.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-26 01:03:29 +02:00
Files in this directory (each last changed by the commit above, 2026-06-26 01:03:29 +02:00):
colibri-bridge.env.example
colibri-bridge.nft
colibri-bridge.service
README.md

Colibri bridge — Linux (systemd)

Linux/systemd peer of packaging/freebsd/colibri_bridge.in. Exposes the colibri-daemon control-plane Unix socket as a TCP port on the Tailscale interface only, so other mesh hosts can drive the control plane.

The FreeBSD bridge already runs on hermes (binds 100.72.229.63); this is the matching domedog side. The network gate (ufw) is already applied on domedog (see "domedog host facts"); the systemd unit here is the proposed service — review the open questions with hermes before enable --now.

Files

| File | Purpose |
| --- | --- |
| colibri-bridge.service | systemd unit running socat (peer of the rc.d script) |
| colibri-bridge.env.example | tunables — install to /etc/colibri/bridge.env |
| colibri-bridge.nft | nftables ruleset for hosts without ufw (see facts below) |

Install (one-time, as root)

install -D -m 0644 packaging/linux/colibri-bridge.service \
    /etc/systemd/system/colibri-bridge.service
install -D -m 0644 packaging/linux/colibri-bridge.env.example \
    /etc/colibri/bridge.env          # then edit for this host

# Firewall: scope port 9190 to tailscale0 (peer of the hermes pf rule).
# domedog runs ufw (active, default-deny input) — the allow goes in ufw, and
# ufw's default-deny already blocks 9190 on every other interface:
ufw allow in on tailscale0 to any port 9190 proto tcp comment 'colibri-bridge'
# On a host WITHOUT ufw / with a default-accept input, use the nft table instead:
#   install -D -m 0644 packaging/linux/colibri-bridge.nft /etc/colibri/colibri-bridge.nft
#   nft -f /etc/colibri/colibri-bridge.nft

systemctl daemon-reload
systemctl enable --now colibri-bridge.service
systemctl status colibri-bridge.service

Quick check from another tailnet host:

printf '{"cmd":"status"}\n' | nc -w2 100.103.255.41 9190

domedog host facts (verified 26 Jun 2026)

The networking reality this packaging assumes, recorded so the next person doesn't have to re-derive it:

  • Tailnet IPv4: 100.103.255.41 (hermes is 100.72.229.63).
  • Init / service mgr: systemd (Ubuntu 24.04). FreeBSD/hermes uses rc.d.
  • Daemon user: clawdija (hermes: clawdie). No dedicated colibri group exists on domedog; the bridge runs as the daemon's own user so it can reach the 0770 socket.
  • Firewall: ufw active + enabled, default deny (incoming) / allow (outgoing), backed by nftables, with fail2ban on top. Live packet counters confirm it's enforcing, not just configured.
  • Currently-allowed inbound ports: 22/tcp (ssh), 80/tcp, 443 (tcp+udp), 8433:8443/tcp, and now 9190/tcp scoped to tailscale0 (the bridge, added for this work).
  • Port 8443 = CloudPanel server control panel (nginx vhost cloudpanel.conf, run by the clp user from /home/clp/services/nginx/). Only 8443 actually listens; 8433 to 8442 are allowed but unused (the rule's range is wider than needed). ⚠️ CloudPanel's admin login is exposed to Anywhere (public), not tailnet-scoped — the opposite posture from this bridge; flagged for the host-exposure review.
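A posture check that turns the install steps and the host facts above into something you can rerun before and after `enable --now`. This is an added example, not a script from the repository: it assumes the `ss -Hltn` and `ufw status` output formats shown in its constructed samples, takes the tailnet IP and port from this page, and assumes (PUBLIC_OK) that 80 and 443 are the only ports domedog intends to serve publicly. It checks that the socat listener is bound to the tailnet IP only (a wildcard bind would leave the ufw rule as the sole line of defence), that every ufw allow for 9190 carries `on tailscale0`, and it lists the remaining allows that are open to Anywhere without an interface scope, which is exactly how the CloudPanel 8443 exposure shows up.

```shell
#!/bin/sh
# Posture check for the colibri bridge on a ufw host (added example, not a
# repository script). Runs against constructed sample output by default;
# pass --live to read the real host instead (needs root for 'ufw status').

TAILNET_IP=100.103.255.41   # domedog, from the host facts
BRIDGE_PORT=9190
PUBLIC_OK="80/tcp 443"      # assumption: the only intended public listeners

# Constructed sample of 'ss -Hltn' after enable --now (bridge bound correctly).
SAMPLE_SS_GOOD='LISTEN 0 4096 100.103.255.41:9190 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8443 0.0.0.0:*'

# Constructed sample with the bridge mis-bound to the wildcard address.
SAMPLE_SS_BAD='LISTEN 0 4096 0.0.0.0:9190 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*'

# Constructed sample of 'ufw status', mirroring the allowed ports on this page.
SAMPLE_UFW='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443                        ALLOW       Anywhere
8433:8443/tcp              ALLOW       Anywhere
9190/tcp on tailscale0     ALLOW       Anywhere'

# check_listener SS_OUTPUT: succeeds only if BRIDGE_PORT is listening and every
# such socket is bound to TAILNET_IP (not 0.0.0.0, *, or [::]).
check_listener() {
  printf '%s\n' "$1" | awk -v ip="$TAILNET_IP" -v port="$BRIDGE_PORT" '
    $1 == "LISTEN" {
      n = split($4, f, ":")                          # last field is the port
      addr = substr($4, 1, length($4) - length(f[n]) - 1)
      if (f[n] == port) { seen = 1; if (addr != ip) bad = 1 }
    }
    END { if (seen && !bad) exit 0; exit 1 }'
}

# check_ufw_scope UFW_OUTPUT: succeeds only if at least one ALLOW rule covers
# BRIDGE_PORT and all of them are scoped "on tailscale0".
check_ufw_scope() {
  printf '%s\n' "$1" | awk -v port="$BRIDGE_PORT" '
    /ALLOW/ && $1 ~ ("^" port "(/tcp)?$") { seen = 1; if ($0 !~ / on tailscale0 /) bad = 1 }
    END { if (seen && !bad) exit 0; exit 1 }'
}

# list_public_allows UFW_OUTPUT: prints the To column of every ALLOW rule that
# is open to Anywhere with no interface scope, except the ports in PUBLIC_OK.
list_public_allows() {
  printf '%s\n' "$1" | awk -v ok="$PUBLIC_OK" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) okset[a[i]] = 1 }
    /ALLOW/ && /Anywhere/ && $0 !~ / on / && !($1 in okset) { print $1 }'
}

if [ "${1:-}" = "--live" ]; then
  ss_out=$(ss -Hltn) || exit 2
  ufw_out=$(ufw status) || exit 2
else
  ss_out=$SAMPLE_SS_GOOD
  ufw_out=$SAMPLE_UFW
fi

if check_listener "$ss_out"; then echo "listener: OK, :$BRIDGE_PORT bound to $TAILNET_IP only"
else echo "listener: FAIL, :$BRIDGE_PORT missing or bound to a non-tailnet address"; fi
if check_ufw_scope "$ufw_out"; then echo "ufw: OK, $BRIDGE_PORT/tcp allowed on tailscale0 only"
else echo "ufw: FAIL, $BRIDGE_PORT/tcp missing or allowed without interface scope"; fi
pub=$(list_public_allows "$ufw_out")
[ -z "$pub" ] || echo "review: allowed from Anywhere without scope: $(printf '%s' "$pub" | tr '\n' ' ')"
```

On the sample data the script reports both checks OK and lists 22/tcp and 8433:8443/tcp for review; on the live host the second line is the one to watch when the socat bind address in /etc/colibri/bridge.env is wrong, since ufw's interface-scoped allow then becomes the only thing keeping 9190 off the public interface.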

Open questions for the hermes discussion

  1. The socket has no auth — the tailnet boundary is the auth. With both hosts bridging the control plane, any tailnet peer that can reach either host can issue full control-plane commands (spawn-agent, kill-agent, terminal-*). Consider a Tailscale ACL scoping :9190 to specific peers.
  2. Socket path parity. Both sides assume /run/colibri/colibri.sock (FreeBSD: /var/run/colibri/colibri.sock). domedog's daemon must be started with a matching COLIBRI_DAEMON_SOCKET; the daemon's default is under $XDG_DATA_HOME, which the bridge can't see under ProtectHome=yes.
  3. CloudPanel public exposure (8443) — decide whether to keep it public or move it behind the tailnet like the bridge.

Notes

  • The FreeBSD colibri_bridge.in health/status block bug (scrambled function definitions) was fixed and pushed on the hermes side during this work.
  • colibri-bridge.nft is retained for hosts with a default-accept input chain; on a ufw host its accept is not reliable (ufw's drop is terminal across base chains) and its drop is redundant (ufw already default-denies). Kept as documentation of intent and for the no-ufw case.