Networking & remote access
hearth assumes a homelab on a trusted LAN with Tailscale for remote access. The firewall is on by default and tight.
Tailscale
Tailscale is enabled (services.tailscale.enable = true). Bring the host onto
your tailnet after first boot:
sudo tailscale upThe tailscale0 interface is fully trusted by the firewall. Anything reachable
only over the mesh is treated as private, which is the recommended way to reach
services that should not face the LAN.
Open ports
On the public (non-Tailscale) interface, the firewall opens only:
| Port | Service | Notes |
|---|---|---|
| 22 | SSH | Key-only. Password auth is disabled. |
| 11434 | Ollama API | Homelab convenience. See the warning below. |
| 8770 | Map UI (hearth-mapd) | Only if hearth.mapui.openFirewall is true (default). |
Tightening the map UI
The web map is open on the LAN by default so other devices can view it. To keep it private, set:
hearth.mapui.openFirewall = false;Then reach it over Tailscale only. See Map dashboard.
Connecting
# over the LAN or Tailscale, as the admin userssh operator@<host-ip>SSH requires a key listed in hearth.adminKeys.
The console password (operator / hearth initially) is only a local-console
fallback; change it on first boot with passwd.