Add hephaestus sync hub to indri (launchagent, PWA, device-code OIDC) #369

Merged
eblume merged 4 commits from heph-indri-hub into main 2026-06-05 06:46:59 -07:00
Showing only changes of commit 9ed6272dc7

heph docs: spoke sync uses direct http://...:8787, not Caddy HTTPS

hephd's sync client is plain-HTTP-only — a Caddy https hub-url fails with a
confusing 'error sending request' (HTTP connector rejects the https scheme).
Spokes sync over the direct tailnet URL; heph.ops.eblu.me is for the PWA only.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Erich Blume 2026-06-05 06:43:54 -07:00


@ -18,7 +18,8 @@ against one canonical **hub**. Indri runs that hub.
| Property | Value | | Property | Value |
|----------|-------| |----------|-------|
| **URL** | https://heph.ops.eblu.me (PWA + sync endpoint) | | **PWA URL** | https://heph.ops.eblu.me (browser PWA, Caddy TLS) |
| **Spoke sync URL** | http://indri.tail8d86e.ts.net:8787 (direct, tailnet) |
| **Local Port** | 8787 (`hephd --mode server`, bound `0.0.0.0`) | | **Local Port** | 8787 (`hephd --mode server`, bound `0.0.0.0`) |
| **Binary** | `~/.cargo/bin/hephd` (self-updating) | | **Binary** | `~/.cargo/bin/hephd` (self-updating) |
| **Data** | `~/.local/share/heph/heph.db` | | **Data** | `~/.local/share/heph/heph.db` |
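Review bot: the new **Spoke sync URL** row documents a plain-HTTP endpoint on port 8787, but the unchanged **Local Port** row two lines below still records the listener as bound to `0.0.0.0`, i.e. every interface on indri rather than only the tailnet. Since spokes now send their OIDC bearer tokens to that port without TLS, the table (or the text around it) should state what keeps 8787 unreachable off-tailnet: a host firewall rule, or binding `hephd --mode server` to indri's tailnet address instead of `0.0.0.0`. Suggest either changing the **Local Port** row to the actual tailnet bind address or adding a row such as `| **Exposure** | 8787 reachable from the tailnet only |` once that restriction is confirmed.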
@ -99,13 +100,22 @@ A device joins by running its local daemon with the hub URL + OIDC client and
logging in once: logging in once:
```bash ```bash
hephd --mode local --hub-url https://heph.ops.eblu.me \ hephd --mode local --hub-url http://indri.tail8d86e.ts.net:8787 \
--oidc-issuer https://authentik.ops.eblu.me/application/o/heph/ \ --oidc-issuer https://authentik.ops.eblu.me/application/o/heph/ \
--oidc-client-id heph --oidc-client-id heph
heph auth login --hub-url https://heph.ops.eblu.me \ heph auth login --hub-url http://indri.tail8d86e.ts.net:8787 \
--issuer https://authentik.ops.eblu.me/application/o/heph/ --client-id heph --issuer https://authentik.ops.eblu.me/application/o/heph/ --client-id heph
``` ```
> **Use the direct `http://…:8787` tailnet URL for sync, not the Caddy HTTPS
> URL.** hephd's sync client is plain-HTTP-only; pointing `--hub-url` at
> `https://heph.ops.eblu.me` fails with a confusing `error sending request`
> (the HTTP connector rejects the `https` scheme before connecting). Tailscale
> encrypts the transport, and the OIDC bearer token still gates every request.
> `heph.ops.eblu.me` (Caddy TLS) exists only for the browser PWA, which needs a
> secure context. The cached token is keyed by the exact `--hub-url`, so use the
> same value for `hephd` and `heph auth login`.
> **Caveat:** `heph daemon` cannot yet bake hub/spoke flags into the generated > **Caveat:** `heph daemon` cannot yet bake hub/spoke flags into the generated
> launchd plist (upstream gap). On a spoke whose plist is managed by `heph > launchd plist (upstream gap). On a spoke whose plist is managed by `heph
> daemon`, the hub/OIDC flags must be hand-added — and a later `heph daemon > daemon`, the hub/OIDC flags must be hand-added — and a later `heph daemon
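Review bot: the sentence "Tailscale encrypts the transport, and the OIDC bearer token still gates every request" in the new callout holds only for requests that actually enter via `indri.tail8d86e.ts.net`; with the daemon bound to `0.0.0.0` (per the table in the first hunk), a spoke that reaches indri over any other interface would send the bearer token in cleartext over plain HTTP. Suggest qualifying it, e.g. "Tailscale encrypts the transport as long as spokes use the tailnet hostname above; never point `--hub-url` at a non-tailnet address for this host." Two smaller points on the same callout: since "the cached token is keyed by the exact `--hub-url`", it is worth saying explicitly that scheme, host, port and any trailing slash must all match between `hephd` and `heph auth login`, and the two commands in the fence spell the same values as `--oidc-issuer`/`--oidc-client-id` versus `--issuer`/`--client-id`, which a reader copying one line into the other will get wrong; a one-line remark that the flag names differ between the two binaries would avoid that.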