Module: Harbor::HostAgent
- Defined in: lib/harbor/host_agent.rb
Overview
Harbor host agent — HTTP daemon that runs on each Kamal host. Exposes a narrow API that the Harbor-web control plane calls over the tailnet. Bearer-token auth is required on every write endpoint; /version and /health are intentionally unauthenticated so the control plane can probe connectivity and version compatibility before authenticating.
Recommended deployment:
- Bind to the host's tailnet IP (100.x.x.x), not 0.0.0.0
- Listen on :8443
- Run as a dedicated `harbor` Unix user (NOT root) — daemon needs docker group + narrow sudoers for systemctl on ttyd units
- Managed by systemd (harbor-host.service)
TLS is NOT terminated here. Tailscale’s WireGuard layer provides transport encryption. Control plane talks plaintext HTTP over the tailnet, which is end-to-end encrypted at the WireGuard layer.
Call path:
control plane → HTTP over tailnet → this daemon → Harbor::Tools kernel → kamal_adapter → local kamal subprocess → docker
Defined Under Namespace
Classes: Server
Constant Summary
- DEFAULT_PORT = 8443
- DEFAULT_BIND = "127.0.0.1"
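The two controls the overview relies on, as an added Ruby example that is not Harbor's own code: a startup check on the bind address (the listener is plaintext HTTP, so the interface it binds to is the boundary) and a default-deny bearer-token gate that leaves only GET /version and GET /health open. All method and constant names, the `/deploy` path and the sample token are hypothetical; 100.64.0.0/10 is the range Tailscale assigns IPv4 tailnet addresses from.

```ruby
require "digest"
require "ipaddr"

# All names below are hypothetical; this is not Harbor's code.
TAILNET_V4 = IPAddr.new("100.64.0.0/10") # range Tailscale assigns IPv4 addresses from
LOOPBACK   = IPAddr.new("127.0.0.0/8")
OPEN_PATHS = ["/version", "/health"].freeze

# Startup guard: the listener speaks plaintext HTTP, so the bind address is
# what keeps it off non-tailnet interfaces. Reject wildcards and LAN addresses.
def bind_allowed?(addr)
  ip = IPAddr.new(addr)
  TAILNET_V4.include?(ip) || LOOPBACK.include?(ip)
rescue IPAddr::Error
  false
end

# Compare fixed-length digests byte by byte with no early exit, so the
# comparison time does not depend on where the first mismatch occurs.
def secure_equal?(a, b)
  da = Digest::SHA256.digest(a).bytes
  db = Digest::SHA256.digest(b).bytes
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the HTTP status the gate would produce: 200 = pass to handler.
# Assumption: default deny, only GET on the two probe paths skips the token.
def authorize(method, path, auth_header, expected_token)
  return 200 if method == "GET" && OPEN_PATHS.include?(path)
  return 401 if expected_token.to_s.empty? # unconfigured token fails closed

  scheme, token = auth_header.to_s.split(" ", 2)
  return 401 unless scheme&.casecmp?("Bearer") && token

  secure_equal?(token, expected_token) ? 200 : 401
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests; "/deploy" is a made-up write endpoint.
  token = "constructed-sample-token"
  puts bind_allowed?("0.0.0.0")                                # false
  puts authorize("GET", "/health", nil, token)                 # 200
  puts authorize("POST", "/deploy", nil, token)                # 401
  puts authorize("POST", "/deploy", "Bearer #{token}", token)  # 200
end
```

The default `DEFAULT_BIND` of "127.0.0.1" passes the bind check as loopback, while "0.0.0.0" and private LAN addresses are refused.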