docs: use Tailscale for netdata access instead of basic auth

+2 -8

Caddyfile.example

··· 13 13 reverse_proxy letta:8283 14 14 } 15 15 16 - # Netdata monitoring - basic auth protected 17 - # Generate password hash: docker run --rm -it caddy caddy hash-password 18 - netdata.assistant.mosphere.at { 19 - basic_auth { 20 - admin $2a$14$REPLACE_WITH_YOUR_HASH 21 - } 22 - reverse_proxy netdata:19999 23 - } 16 + # Netdata is accessed via Tailscale (http://TAILSCALE_IP:19999) 17 + # No public exposure needed

+64 -57

DEPLOY.md

··· 78 78 apt install -y mosh git 79 79 ``` 80 80 81 + Install Tailscale (for secure access to internal services): 82 + ```bash 83 + curl -fsSL https://tailscale.com/install.sh | sh 84 + tailscale up 85 + ``` 86 + 87 + Follow the link to authenticate with your Tailscale account. Note your server's Tailscale IP (100.x.x.x). 88 + 81 89 Install GitHub CLI: 82 90 ```bash 83 91 (type -p wget >/dev/null || (apt update && apt install wget -y)) && mkdir -p -m 755 /etc/apt/keyrings && out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg && cat $out | tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null && apt update && apt install gh -y ··· 129 137 vim Caddyfile 130 138 ``` 131 139 132 - Generate a password hash for Netdata basic auth: 133 - ```bash 134 - docker run --rm -it caddy caddy hash-password 135 - # Enter your password when prompted, copy the hash into Caddyfile 136 - ``` 137 - 138 - Replace domains and password hash with your values. 140 + Replace the example domains with your actual domains. 139 141 140 142 --- 141 143 ··· 252 254 253 255 ## Monitoring 254 256 255 - Netdata is included for real-time monitoring, exposed via Caddy with basic auth. 257 + Netdata is included for real-time monitoring, accessible via Tailscale. 256 258 257 259 ### Access Netdata 258 260 259 - Open https://netdata.assistant.yourdomain.com and enter your basic auth credentials. 261 + From any device on your Tailscale network, open: 262 + ``` 263 + http://YOUR_TAILSCALE_IP:19999 264 + ``` 265 + 266 + Or use the Tailscale hostname: 267 + ``` 268 + http://assistant:19999 269 + ``` 260 270 261 271 ### What you get 262 272 ··· 268 278 269 279 For alerts and multi-server dashboards: 270 280 271 - 1. Sign up at https://app.netdata.cloud 272 - 2. Get your claim token 273 - 3. Add to `.env`: 274 - ``` 275 - NETDATA_CLAIM_TOKEN=your_token 276 - ``` 277 - 4. Restart: `docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d` 281 + - Sign up at https://app.netdata.cloud 282 + - Get your claim token 283 + - Add `NETDATA_CLAIM_TOKEN=your_token` to `.env` 284 + - Restart: `docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d` 278 285 279 286 --- 280 287 ··· 359 366 ## Architecture 360 367 361 368 ``` 362 - Internet 363 - │ 364 - ▼ 365 - ┌─────────────────────────────────────────────────────┐ 366 - │ Hetzner CX33 (Debian 13 + Docker) │ 367 - │ │ 368 - │ ┌──────────────────────────────────────┐ │ 369 - │ │ Caddy (:80/:443) - auto-SSL │ │ 370 - │ │ ├─► app:3000 (assistant.*) │ │ 371 - │ │ └─► netdata:19999 (netdata.*) │ │ 372 - │ └──────────────────────────────────────┘ │ 373 - │ │ │ 374 - │ ▼ │ 375 - │ ┌──────────────────┐ │ 376 - │ │ app (Bun :3000) │ │ 377 - │ │ Telegram webhook │ │ 378 - │ └────────┬─────────┘ │ 379 - │ │ │ 380 - │ ▼ │ 381 - │ ┌──────────────────┐ ┌───────────────┐ │ 382 - │ │ letta (:8283) │ │ netdata │ │ 383 - │ │ Agent + Memory │ │ monitoring │ │ 384 - │ └────────┬─────────┘ └───────────────┘ │ 385 - │ │ │ 386 - │ ▼ │ 387 - │ ┌──────────────────┐ │ 388 - │ │ litellm (:4000) │ │ 389 - │ └────────┬─────────┘ │ 390 - │ │ │ 391 - │ ▼ │ 392 - │ ┌──────────────────┐ │ 393 - │ │ auth-adapter │ │ 394 - │ │ (:4002) headers │ │ 395 - │ └────────┬─────────┘ │ 396 - │ │ │ 397 - │ ▼ │ 398 - │ ┌──────────────────┐ │ 399 - │ │ anthropic-proxy │ │ 400 - │ │ (:4001) OAuth │ │ 401 - │ └────────┬─────────┘ │ 402 - └───────────────────┼─────────────────────────────────┘ 369 + Internet Tailscale Network 370 + │ │ 371 + ▼ ▼ 372 + ┌────────────────────────────────────────────────────────────┐ 373 + │ Hetzner CX33 (Debian 13 + Docker + Tailscale) │ 374 + │ │ 375 + │ ┌──────────────────────────────────────┐ │ 376 + │ │ Caddy (:80/:443) - auto-SSL │ │ 377 + │ │ ├─► app:3000 (assistant.*) │ │ 378 + │ │ └─► letta:8283 (letta.*) │ │ 379 + │ └──────────────────────────────────────┘ │ 380 + │ │ │ 381 + │ ▼ │ 382 + │ ┌──────────────────┐ ┌───────────────────────┐ │ 383 + │ │ app (Bun :3000) │ │ netdata (:19999) │ │ 384 + │ │ Telegram webhook │ │ via Tailscale only │ │ 385 + │ └────────┬─────────┘ └───────────────────────┘ │ 386 + │ │ │ 387 + │ ▼ │ 388 + │ ┌──────────────────┐ │ 389 + │ │ letta (:8283) │ │ 390 + │ │ Agent + Memory │ │ 391 + │ └────────┬─────────┘ │ 392 + │ │ │ 393 + │ ▼ │ 394 + │ ┌──────────────────┐ │ 395 + │ │ litellm (:4000) │ │ 396 + │ └────────┬─────────┘ │ 397 + │ │ │ 398 + │ ▼ │ 399 + │ ┌──────────────────┐ │ 400 + │ │ auth-adapter │ │ 401 + │ │ (:4002) headers │ │ 402 + │ └────────┬─────────┘ │ 403 + │ │ │ 404 + │ ▼ │ 405 + │ ┌──────────────────┐ │ 406 + │ │ anthropic-proxy │ │ 407 + │ │ (:4001) OAuth │ │ 408 + │ └────────┬─────────┘ │ 409 + └───────────────────┼────────────────────────────────────────┘ 403 410 │ 404 411 ▼ 405 412 Anthropic API

+3 -1

docker-compose.prod.yml

··· 48 48 - app 49 49 50 50 # Netdata: Real-time monitoring 51 - # Access via https://netdata.assistant.mosphere.at (basic auth protected) 51 + # Access via Tailscale: http://TAILSCALE_IP:19999 52 52 netdata: 53 53 image: netdata/netdata 54 54 restart: unless-stopped 55 55 hostname: assistant 56 + ports: 57 + - '19999:19999' 56 58 cap_add: 57 59 - SYS_PTRACE 58 60 security_opt:

Configure Feed

Configure Feed