Add hephaestus sync hub to indri (launchagent, PWA, device-code OIDC) #369

Merged
eblume merged 4 commits from heph-indri-hub into main 2026-06-05 06:46:59 -07:00
Owner

Makes indri the canonical heph hub for the hub-and-spoke task/context system, deployed as a self-updating LaunchAgent managed by Ansible. Other devices (gilbert) attach as offline-capable spokes.

What's here

  • ansible/roles/heph (tag heph) — bootstrap cargo install hephd (only if absent; --self-update keeps it current after), version-pinned heph-pwa checkout served via --web-root, launchagent mcquack.eblume.heph:
    hephd --mode server --http-addr 0.0.0.0:8787 --db … --web-root …
          --oidc-issuer …/o/heph/ --oidc-audience heph
          --self-update --self-update-interval-secs 600
    
    ~/.cargo/bin is on the agent PATH so self-update's cargo install works.
  • Caddy — heph.ops.eblu.me → localhost:8787 (TLS for the PWA secure context).
  • Authentik — new heph public device-code OIDC app + default-device-code-flow bound to the default brand's flow_device_code (verified live: brand authentik-default, field currently unset → additive).
  • Docs — services/hephaestus.md (Path-A seeding runbook + spoke caveat), indri.md, changelog fragment.

Three features requested

  • Autoupdate — 10-min interval (--self-update-interval-secs 600).
  • PWA — --web-root (confirmed shipped in v1.2.0).
  • Spoke — gilbert reconfig documented (post-merge step).

Deploy plan (not done yet — awaiting review)

  1. Seed from gilbert (Path A): heph daemon stop → copy heph.db → DELETE FROM meta WHERE key='origin'.
  2. Sync Authentik apps/blueprint; verify blueprint status via API (not just logs).
  3. provision-indri --tags heph,caddy from this branch.
  4. Point gilbert at the hub + heph auth login.

Known follow-ups (heph-side, tracked in the Hephaestus project)

  • heph daemon can't bake hub/spoke config or pass --self-update-interval-secs → worked around by the ansible plist.
  • Path-A seeding lacks a clean hephd --owner-id/seed command → manual meta.origin reset for now.
  • Self-update moves hephd ahead of the ansible-pinned PWA shell over time (drift; tolerated by the SW cache, revisit on next release).

🤖 Generated with Claude Code

Deploy hephd --mode server on indri as a self-updating LaunchAgent managed
by Ansible (ansible/roles/heph, tag heph), making indri the canonical heph
hub for the hub-and-spoke task/context system.

- Server mode on 0.0.0.0:8787, self-update every 10 minutes (cargo install
  from the public forge URL; ~/.cargo/bin on the agent PATH).
- heph-pwa shell served via --web-root straight from a version-pinned checkout,
  TLS-terminated at heph.ops.eblu.me through Caddy (new caddy_services entry).
- New Authentik device-code (RFC 8628) OIDC app 'heph' (public client) plus a
  default-device-code-flow bound to the default brand's flow_device_code.
- Docs: new services/hephaestus.md service card (incl. Path A seeding runbook
  and the gilbert spoke caveat), indri.md service list, changelog fragment.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

The OAuth2 provider serializer requires redirect_uris even for a public
device-code client; its absence failed blueprint validation atomically.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

The launchagent and ansible run without mise activation, so a bare cargo/rustc
shim falls back to rustup's default toolchain — which lagged heph's rust-version
floor (1.89) on both indri (1.87) and gilbert (1.84), silently failing the build.
Pin the channel explicitly in the bootstrap env and the plist.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

hephd's sync client is plain-HTTP-only — a Caddy https hub-url fails with a
confusing 'error sending request' (HTTP connector rejects the https scheme).
Spokes sync over the direct tailnet URL; heph.ops.eblu.me is for the PWA only.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
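A preflight check, added here as an illustration (not code from the blumeops repo or from hephd), that encodes the two deploy failure modes the last two commit messages describe: a rustup default toolchain below heph's rust-version floor of 1.89 (build fails silently), and an https hub-url that hephd's plain-HTTP sync client rejects. The sample rustc strings and the tailnet hostname `indri.example` are constructed; in a real run feed it `"$(rustc --version)"` and the hub-url you intend to hand to the spoke.

```shell
#!/bin/sh
# Preflight for a heph hub/spoke deploy (illustrative; not part of blumeops).
# Exits non-zero when the toolchain is below heph's floor or the hub-url would
# be rejected by hephd's HTTP-only sync client.

RUST_FLOOR="1.89"   # heph's rust-version floor, as stated in the commit message

# Numeric dotted-version compare: returns 0 when $1 >= $2 (major.minor only,
# which is all the floor specifies). ".0.0" is appended so "1.89" parses.
version_ge() {
    set -- "$1.0.0" "$2.0.0"
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -lt "$b_major" ] && return 1
    [ "$a_minor" -ge "$b_minor" ]
}

# Takes the full "rustc 1.87.0 (...)" line and checks it against the floor.
# A mise-less LaunchAgent sees rustup's default channel, not the project pin,
# so this is the value that actually matters at self-update time.
rustc_meets_floor() {
    v=$(printf '%s\n' "$1" | awk '{print $2}')
    version_ge "$v" "$RUST_FLOOR"
}

# hephd's sync client only speaks plain HTTP; https:// fails with
# 'error sending request'. Accept http:// only, which means transport
# protection for spoke sync rests on the tailnet, not on Caddy's TLS.
hub_url_ok() {
    case "$1" in
        http://*) return 0 ;;
        *)        return 1 ;;
    esac
}

# $1 = rustc --version output, $2 = hub-url. Returns 0 only if both checks pass.
preflight() {
    rc=0
    if rustc_meets_floor "$1"; then echo "ok: toolchain meets floor $RUST_FLOOR"
    else echo "FAIL: '$1' is below rust-version floor $RUST_FLOOR; pin the channel"; rc=1; fi
    if hub_url_ok "$2"; then echo "ok: hub-url $2 is plain http"
    else echo "FAIL: hub-url $2 must be http://; hephd's sync client rejects https"; rc=1; fi
    return $rc
}

# Demo on constructed inputs: the first mirrors the failures seen on indri, the second passes.
preflight "rustc 1.87.0 (constructed)" "https://heph.ops.eblu.me" || :
preflight "rustc 1.89.0 (constructed)" "http://indri.example:8787"
```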
eblume merged commit a2f1e06224 into main 2026-06-05 06:46:59 -07:00