sync: auto-sync from HOWARD-HOME at 2026-07-06 15:10:00
Author: Howard Enos Machine: HOWARD-HOME Timestamp: 2026-07-06 15:10:00
This commit is contained in:
@@ -19,6 +19,8 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure ·
|
||||
|
||||
<!-- Append entries below this line -->
|
||||
|
||||
2026-07-06 | Howard-Home | gururmm-build/webhook | [friction] linux webhook build SKIPPED after merge: change-detector excludes agent/Cargo.toml, so a Cargo.toml-only agent change (BUG-024 rustls swap) never rebuilds; had to force build-linux.sh manually as root [ctx: commit=a73dcad ref=build-linux.sh:29]
|
||||
|
||||
2026-07-06 | GURU-5070 | remediation-tool/sharepoint | [correction] assumed SP REST app-only was blocked ('Unsupported app only token') and to use delegated/PnP; correct is the app suite has a CERT-based sharepoint tier — get-token.sh <tenant> sharepoint mints a cert token with Sites.FullControl.All. Secret is Graph/EXO only. [ctx: client=birth-biologic ref=reference_m365_app_sharepoint_rest_vs_graph]
|
||||
|
||||
2026-07-06 | GURU-5070 | wiki-compile | [correction] ran --full (Sonnet rebuild) for a routine post-work capture; plain /wiki-compile client:<slug> (update mode) is the fast incremental path for 'just did work, capture it' — reserve --full for structural drift/clean rebuilds
|
||||
|
||||
@@ -140,3 +140,34 @@ and `.*-b64.txt` were created in the repo root during the RMM work and removed a
|
||||
- Memory: `.claude/memory/reference_windows_edition_upgrade_rmm.md` — verified Home->Pro/PfW path + gotchas.
|
||||
- Wiki pattern: `wiki/patterns/tailscale-client-management.md` — per-client tailnet doctrine.
|
||||
- Tailscale API docs: https://tailscale.com/api ; auth keys https://tailscale.com/kb/1085/auth-keys .
|
||||
|
||||
## Update: 15:09 PT — Tailscale credential hunt (task #4 still blocked)
|
||||
|
||||
Howard said Tailscale "is ran off the server we have control over, you should be able to get the
|
||||
key" — implying a self-hosted control plane (Headscale) or a stored API token on our infra. I
|
||||
investigated and found NO such thing on the two most-likely servers:
|
||||
|
||||
- **Vault** — no `tailscale/`/`headscale` entry. **1Password** — none.
|
||||
- **Jupiter (172.16.3.20, primary Docker host)** — 24 containers (Plex/arr, Gitea, Seafile, NPM,
|
||||
Discourse, UISP, gururmm-agent, dns-relay, rsync-server, MariaDB, qbittorrent, sabnzbd, emby,
|
||||
Seerr, radio-archive, P3R-Firefox). **No Headscale, no Tailscale container**; nothing tailscale/
|
||||
vpn/zerotier/netbird in `/mnt/user/appdata`.
|
||||
- **GuruRMM server (172.16.3.30, physical, Ubuntu)** — searched the whole FS **with sudo** (pw from
|
||||
`infrastructure/gururmm-server` credentials.password): the ONLY tailscale trace is the apt repo
|
||||
`/etc/apt/sources.list.d/tailscale.list`. **No Headscale binary/config/db, no `tskey-`/API token**
|
||||
in any config or `.env` (`/opt/gururmm/.env`, `/opt/claudetools/.env` present but no TS creds).
|
||||
- pfSense (172.16.0.1:2248) and GuruRMM are Tailscale **client nodes** (subnet router / agent),
|
||||
not a control plane. So on the checked infra, Tailscale reads as **SaaS** with our boxes as nodes.
|
||||
|
||||
Access mechanics established this session (reusable): SSH from Howard-Home has **no sshpass/plink**;
|
||||
used OpenSSH 10.2 `SSH_ASKPASS`+`SSH_ASKPASS_REQUIRE=force`+`DISPLAY=:0` with a throwaway askpass
|
||||
script (password via `$JPW` env, script deleted after) for password SSH to Jupiter. GuruRMM uses key
|
||||
auth `~/.ssh/gururmm-physical` as `guru@172.16.3.30` (NOTE: vault `gururmm-server-physical` lists host
|
||||
172.16.1.231 but .30 is reachable and correct); `guru` has NO passwordless sudo — feed
|
||||
`gururmm-server` password via `sudo -S`.
|
||||
|
||||
BLOCKED pending Howard pointing to the exact source: (a) Headscale host + how it runs (then
|
||||
`headscale apikeys create`), (b) which server + path holds a stored Tailscale SaaS token, or (c) it's
|
||||
SaaS and he generates an API key / OAuth client (scopes `devices:core` + `auth_keys`) from the admin
|
||||
console. The `tailscale` skill itself is built, reviewed, committed (f88c7d1), and only needs the
|
||||
credential vaulted at `tailscale/api-access.sops.yaml` to run the live add/delete verification.
|
||||
|
||||
Reference in New Issue
Block a user