Skip to content

Networking & remote access

hearth assumes a homelab on a trusted LAN with Tailscale for remote access. The firewall is on by default and tight.

Tailscale

Tailscale is enabled (services.tailscale.enable = true). Bring the host onto your tailnet after first boot:

Terminal window
sudo tailscale up

The tailscale0 interface is fully trusted by the firewall. Anything reachable only over the mesh is treated as private, which is the recommended way to reach services that should not face the LAN.

Open ports

On the public (non-Tailscale) interface, the firewall opens only:

PortServiceNotes
22SSHKey-only. Password auth is disabled.
11434Ollama APIHomelab convenience. See the warning below.
8770Map UI (hearth-mapd)Only if hearth.mapui.openFirewall is true (default).

Tightening the map UI

The web map is open on the LAN by default so other devices can view it. To keep it private, set:

hearth.mapui.openFirewall = false;

Then reach it over Tailscale only. See Map dashboard.

Connecting

Terminal window
# over the LAN or Tailscale, as the admin user
ssh operator@<host-ip>

SSH requires a key listed in hearth.adminKeys. The console password (operator / hearth initially) is only a local-console fallback; change it on first boot with passwd.