122.
HN
Vibes: A simple mobile-focused chat app to talk to an agent via the ACP protocol
Vibes is a mobile-focused single-user chat application designed to facilitate seamless interactions with coding agents via the ACP protocol, drawing inspiration from Toad's implementation while offering a Slack-like user interface. It supports mobile interfaces over Tailscale and provides real-time updates through SSE (Server-Sent Events), along with rich media support for Markdown, KaTeX, and Mermaid rendering.
The app shares its web UI with piclaw and features real-time token updates to enhance interactive sessions. A workspace explorer equipped with a file tree sidebar supports drag-and-drop uploads, previews, and keyboard navigation. It includes an integrated code editor based on CodeMirror 6, offering syntax highlighting for 13 languages, Vim mode, search/replace functionality, among other tools. Persistent storage is managed via SQLite, handling messages, media, and full-text search.
The application supports theme switching between dark and light modes according to system preferences and features slash commands for agent control and utilities such as /commands, /model, and /thinking. Its mobile-first design ensures compatibility across various devices, with support for installing a Progressive Web App (PWA) that functions as a standalone web app.
Installation is possible directly from GitHub or through tools like uv for faster setup. Development involves managing dependencies, running tests, linting, and handling frontend builds via Makefile commands. Vibes is open-source software licensed under the MIT license.
Keywords: #phi4, ACP protocol, API endpoints Extracted Keywords: Vibes, API endpoints Keywords: Vibes, CodeMirror 6, KaTeX, Markdown, Mermaid, PWA, SPA, SQLite, SSE, Slack-like, Tailscale, Vibes, chat app, code editor, coding agents, development, development Comma-separated List: Vibes, development Final Keywords: Vibes, installation, mobile-friendly, slash commands, web UI, workspace explorer
github.com 18 hours ago
|
275.
HN
Mercury is a transforming drone anyone can build
The Mercury is an innovative open-source transforming drone designed to be built and customized by anyone interested in advanced drone technology. It features a 1 kg payload bay equipped with RGB, depth, and thermal cameras, which are controlled via the Ardupilot + GPS system. A standout feature of the Mercury is its transformation capabilities, managed through a simple mechanism that users can operate using a mobile app.
To construct the Mercury, several key components are necessary, including linear actuators, propellers, BLDC motors, a Raspberry Pi 5, data dongle, batteries, screws, carbon fiber sheeting, cables, connectors, an IMU, cameras (TOF and USB webcam), buck converter, flight controller, ESCs, and custom PCBs. In terms of software, the project provides autonomy software to be installed on the Raspberry Pi 5, along with scripts such as `start_mavproxy.sh` and `run.sh` for operational guidance.
For individuals seeking comprehensive access to CAD files (.SLDPRT & .STEP), joining the project's Patreon is suggested. The Mercury project also fosters community involvement through its Discord server, encouraging support and collaboration among users. By offering pre-designed components and software assistance, the project aims to promote innovation in drone technology while ensuring ease of use for enthusiasts and developers alike.
Keywords: #phi4, Ardupilot, BLDC Motor, Buck Converter, Cube Flight Controller, DRV8871 H Bridge, Discord server, ESP32S3, EasyEDA CAD, GPS, Lipo Battery, MPU 9250, Mavproxy Bridge, Mercury, PCB files, RGB, Radiolink R8XM, Raspberry Pi, SEQURE ESC, STL files, TOF Camera, Tailscale, USB Webcam, autonomy software, depth, drone, linear actuator, mobile app, prop guard, thermal cameras
github.com a day ago
|
342.
HN
Open source drone that can hold cargo
The MERCURY drone is an open-source cargo-holding model designed with a transformation mechanism that accommodates payloads up to 1 kg within its internal bay. It features advanced sensory capabilities, including RGB, depth, and thermal cameras, which facilitate comprehensive environmental analysis and navigation through the integration of Ardupilot and GPS systems. The drone can be conveniently controlled via a mobile application, enhancing user interaction and accessibility.
The drone's hardware components are meticulously chosen to optimize performance and functionality. These include 4x BLDC Motors (A2812 2812 900KV) paired with 8" propellers, a Raspberry Pi 5 for processing tasks, and dual Lipo Batteries (3S 2200mAh). Additional elements such as an Inertial Measurement Unit (IMU), Time-of-Flight (TOF) camera, Electronic Speed Controllers (ESCs), actuators, custom Printed Circuit Boards (PCBs), along with various screws, CF sheets, cables, and connectors, are integral to its assembly.
To ensure ease of use, users can download STL files necessary for physical assembly and autonomy software tailored for the Raspberry Pi 5. Setup requires creating a virtual environment and installing specific dependencies, while control is facilitated through scripts like `start_mavproxy.sh` and `run.sh`. For extended range communication, Tailscale setup is recommended to enable long-distance control.
The MERCURY drone community offers robust support, providing additional resources such as customizable CAD files accessible via Patreon. Further assistance and engagement are available on Discord channels, where users can seek guidance and share insights with fellow enthusiasts.
Keywords: #phi4, Ardupilot, BLDC Motor, Buck Converter, CAD Files, Cube Flight Controller, DRV8871 H Bridge, Discord server, ESC, ESP32S3, GPS, Lipo Battery, MERCURY, MPU 9250, Mavproxy Bridge, Open source, PCB files, RGB camera, Radiolink R8XM, Raspberry Pi, STL files, TOF Camera, Tailscale, USB Webcam, autonomy software, cargo, depth camera, drone, linear actuator, mobile app, propellers, thermal camera
github.com 2 days ago
https://news.ycombinator.com/showhn.html 2 days ago
|
351.
HN
Peer-to-Peer Networking: Build a VPN Tunnel with Wintun on Windows – Part 2
This article delves into constructing a VPN tunnel akin to Tailscale's peer-to-peer networking framework by implementing it with the Wintun driver on Windows, aiming to demystify the operations of Tailscale using a Layer 3 adapter known as Wintun. The foundation of this setup relies on a predominantly open-source codebase, except for the DERP server used as a relay. At its core is a peer-to-peer mechanism that utilizes direct UDP connections between devices, facilitated by a process called UDP hole punching with the assistance of a STUN server. In this method, devices register their public IP and port with the STUN server to enable direct UDP packet transmission, maintaining the NAT mapping through periodic keepalive packets.
A key insight is the necessity for consistent source ports across sessions to ensure stable connectivity due to router handling of NAT mappings. The author leverages Wintun to simulate a Layer 3 network connection by creating a TUN adapter capable of encapsulating and decapsulating IP packets within UDP packets. Accurate Maximum Transmission Unit (MTU) calculation is crucial here to prevent packet fragmentation or loss, resulting from the overhead introduced during UDP encapsulation. A recommended safe MTU value for the TUN adapter is 1400 bytes, which accounts for a typical 28-byte header.
The implementation involves two main components: `server.go` and `peer.go`, designed to manage connections between Windows PCs using CGNAT addresses as specified in RFC 6598. To prevent conflicts with common private address ranges, the TUN adapters are assigned IP addresses within the 100.64.0.0/10 range, reflecting Tailscale's addressing approach.
However, this setup encounters certain limitations. Direct peer-to-peer connections falter when both peers share a public IP due to Hairpin NAT issues, necessitating specific router configurations for resolution. Additionally, lacking a fallback mechanism such as a TURN server, the system may drop connections if UDP hole punching fails. Overall, the article serves as an introductory exploration into building a Tailscale-like VPN tunnel on Windows using Wintun, while addressing practical challenges and constraints experienced during its implementation.
Keywords: #phi4, CGNAT, Hairpin NAT, L3 Adapter, MTU Calculation, Magicsock, NAT Mapping, Peer-to-Peer, RFC 6598, STUN Server, Source Port, TURN Relay, Tailscale, UDP Hole Punching, VPN, Windows, Wintun, WireGuard
www.0xmm.in 2 days ago
|
475.
HN
Paperclip: Open-source orchestration for zero-human companies
Paperclip is an innovative open-source orchestration platform designed to streamline the operations of autonomous AI companies with minimal human oversight. Built using Node.js and React, it serves as a comprehensive task manager that integrates various organizational elements such as charts, budgets, governance structures, goal alignment strategies, and agent coordination into a single dashboard interface. The platform enables businesses to define strategic objectives (e.g., launching the leading AI note-taking app with $1M in monthly recurring revenue), hire AI agents like OpenClaw or Claude Code, and manage their operations centrally.
Key features of Paperclip include its capacity for orchestrating zero-human companies by allowing users to bring their own AI agents into workflows. It offers a suite of comprehensive management tools that cover goal alignment, cost control, governance, organization charts, ticket systems, multi-company management, and mobile readiness. Additionally, it addresses several operational challenges such as task tracking across multiple sessions, context gathering for AI agents, disorganized agent configurations, runaway processes that incur high costs, and manual job scheduling.
Distinguishing itself from other tools, Paperclip is not a chatbot or workflow builder but focuses on coordinating AI agents into cohesive business operations. It offers advanced features like budget management, governance enforcement, and session maintenance that surpass those found in traditional task management platforms such as Asana or Trello.
Paperclip can be set up locally using Node.js and Postgres without requiring a dedicated account, allowing for the operation of multiple isolated companies within one deployment. As an open-source and self-hosted platform, it provides flexibility in production environments. Developers are encouraged to contribute to its development, which includes improvements like easier OpenClaw onboarding, cloud agent integration, and ClipMart—a feature for buying and selling company templates.
In summary, Paperclip represents a specialized toolset tailored for managing AI-driven companies by focusing on scalability, coordination, and operational efficiency in handling multiple autonomous agents.
Keywords: #phi4, AI agents, Asana, Clipmart, Discord, GitHub, Nodejs, OpenClaw, Paperclip, React UI, Tailscale, Trello, Vercel, agent coordination, atomic execution, autonomous companies, budgets, community Extracted Keywords: Paperclip, community Keywords: Paperclip, contributing, development, goal alignment, governance, governance rollback, isolation, mobile ready, multi-company, orchestration, org charts, persistent state, portable templates, roadmap, runtime skill injection, solo-entrepreneur, task manager
github.com 2 days ago
|
643.
HN
Remotely unlocking an encrypted hard disk
The article presents a method for remotely unlocking an encrypted hard disk at early boot stages by integrating Tailscale and SSH into the initramfs of a Linux system. This solution addresses challenges such as frequent changes in public IP and power outages, which hinder remote access via SSH to systems with encrypted partitions. By embedding Tailscale in the initramfs, networking is established early enough to unlock disks remotely without local input.
The setup involves incorporating Tailscale for network connectivity and Dropbear as an SSH server within the initramfs, ensuring security through measures like Tailscale Access Control Lists (ACLs) and disabling key expiry. This configuration allows SSH access solely for unlocking the encrypted partition via systemd-tty-ask-password-agent, thereby reducing unauthorized shell access risks.
The author provides detailed steps to implement this solution on Arch Linux, which includes installing necessary packages, configuring initramfs hooks, setting up Tailscale tags and keys, and creating secure networking configurations. This approach ensures remote access even if the user's laptop battery dies during travel. The article highlights a creative application of system components to address practical connectivity issues and underscores that with adequate technical expertise, complex tasks can be accomplished on computers.
Keywords: #phi4, ACLs, Arch, Ethernet, Linux, SELinux, SSH, WiFi, authorized_keys, device-timeout, dropbear, early boot, encrypted hard disk, encryption password, init PID, initramfs, initrd, key expiry, mkinitcpio, network interfaces, networking, public IP, security, service management, systemd, tailscale
jyn.dev 3 days ago
https://github.com/gsauthof/dracut-sshd 3 days ago
https://aur.archlinux.org/packages/mkinitcpio-wifi 3 days ago
https://winmagic.com/en/products/full-disk-encrypt 3 days ago
https://www.recompile.se/mandos 3 days ago
https://www.recompile.se/mandos/man/intro.8mandos 3 days ago
https://docs.redhat.com/en/documentation/red_hat_e 3 days ago
https://salsa.debian.org/kernel-team/initramfs-tools&#x 3 days ago
https://news.ycombinator.com/item?id=46676919 3 days ago
https://www.dns-sd.org/ 3 days ago
https://www.rfc-editor.org/rfc/rfc7250 3 days ago
https://www.cyberciti.biz/security/how-to-unlock-luks-u 3 days ago
https://gitlab.archlinux.org/archlinux/mkinitcpio/ 3 days ago
https://nixos.wiki/wiki/Remote_disk_unlocking 3 days ago
https://systemd.io/TPM2_PCR_MEASUREMENTS/ 3 days ago
https://pikvm.org/ 3 days ago
https://github.com/marcan/takeover.sh 2 days ago
https://news.ycombinator.com/item?id=45294440 2 days ago
|
816.
HN
I Wail, for My Tailscale Fails: How My Packets Got Dropped Beyond the Pale
In March 2026, a professional encountered network issues while setting up autocomplete using Ollama on a Windows Subsystem for Linux (WSL) environment connected via Tailscale. The core problem was identified as packet drops occurring when the payload size exceeded specific limits. Initial latency inconsistencies during autocompletion prompted an investigation that revealed connectivity issues between WSL and Tailscale's network interface, particularly involving large payloads.
The issue stemmed from Maximum Transmission Unit (MTU) constraints, where packets larger than 8184 bytes were dropped due to improper handling of fragmentation by Hyper-V’s Network Address Translation (NAT). Unlike root users who could handle larger packet sizes, non-root users faced limitations tied to socket buffer limits. The investigation highlighted that Hyper-V silently discarded UDP packets when there was a mismatch between the declared and actual payload sizes post-fragmentation.
Resolution efforts focused on adjusting MTU settings for network interfaces like eth0 and tailscale0 to account for WireGuard encryption overheads, effectively circumventing some issues. Tailscale provided a workaround specific to WSL by increasing the MTU of eth0 by 20 bytes, though this was not fully explained. The exploration also considered MSS clamping as a solution for TCP packet fragmentation, but it proved insufficient in resolving all problems.
The investigation underscored the complexities involved with network configurations in virtualized environments like WSL and Hyper-V. It revealed differences between WSL's and typical Linux networking behaviors regarding packet fragmentation handling. Ultimately, the MTU settings were properly configured to resolve the issue, highlighting a need for deeper understanding of network layers when troubleshooting such intricate setups.
Further exploration into WireGuard and Tailscale usage exposed additional complexities like MTU mismatches where the actual capacity was lower than anticipated due to overlooked headers from encapsulation. Attempts at MSS clamping failed to address non-TCP packet fragmentation issues, including those seen with ICMP packets. The investigation also highlighted Hyper-V's limitations in handling fragmented packets without sending error notifications back.
The study delved into how WireGuard’s use of the Don't Fragment (DF) bit and Tailscale’s varied connectivity settings based on network types affected performance. Using Tailscale’s TCP-based DERP relay was identified as an effective workaround for fragmentation issues, due to TCP's inherent MTU adjustment capabilities across different network hops.
This document underscores the multifaceted challenges of networking with VPN technologies like WireGuard and Tailscale, especially in environments with inconsistent MTU management. It emphasizes a comprehensive understanding of underlying network layers as critical for effective troubleshooting and highlights various tools and concepts encountered during this investigation, such as conntrack, Wireshark, and different networking settings.
Keywords: #phi4, DERP, Hyper-V, ICMP, Linux kernel, MSS Clamping, MTU, NAT, NAT traversal, TCP, Tailscale, UDP, WSL2, WireGuard, Wireshark, conntrack, encapsulation, encryption, fragmentation, hole-punching, iptables, packet reassembly, routing
jusung.dev 4 days ago
https://news.ycombinator.com/newsguidelines.html 4 days ago
|
985.
HN
Show HN: TailBar – Tailscale menu bar app for macOS
TailBar is a native macOS menu bar application developed using Swift/SwiftUI that simplifies the management of Tailscale networks without needing terminal or browser access. It provides users with an interface to view servers, peers, exit nodes, and connection statuses directly from the menu bar, thus minimizing context switching often required when managing these aspects through a terminal. Installation is straightforward via Homebrew using a simple command or by building from source with Swift 5.10+ on macOS 14 (Sonoma).
The app addresses the inconvenience of managing Tailscale tasks, such as serving HTTPS, checking funnels, and exit node management, by offering an integrated interface that handles these functionalities seamlessly. TailBar monitors servers automatically, detects dev ports, shows real-time peer connections, traffic statistics, key expirations, and allows for browsing and switching exit nodes based on location suggestions. It employs the Tailscale Local API for direct integration and defaults to CLI as needed.
In addition to these features, it supports various keyboard shortcuts that enhance usability by allowing users to quickly switch tabs, search, refresh data, or close windows without navigating away from their current workspace. Compared to the official Tailscale app or CLI/Admin Console, TailBar offers more streamlined functionalities like serve management and real-time updates directly through the menu bar.
Looking ahead, the roadmap for TailBar includes features such as multi-profile switching, file sharing via Taildrop, system notifications, a signed .app bundle, MagicDNS integration, among other enhancements. The development and testing of TailBar are facilitated using Swift, focusing on improving user experience and expanding its capabilities to further integrate with Tailscale services.
Keywords: #phi4, CLI fallback, Homebrew, Local API, MagicDNS integration, Swift/SwiftUI, TailBar, Taildrop, Tailscale, connection status, development, exit nodes, keyboard shortcuts, macOS, menu bar app, multi-profile switching, peers, servers
github.com 4 days ago
|
1291.
HN
Show HN: Cmdop – Check your terminal from your phone, through NAT, free forever
Cmdop is a tool designed to provide comprehensive system management capabilities remotely through a phone interface at no cost indefinitely. It eliminates the need for traditional VPNs, port forwarding, and file transfer protocols like SCP/SFTP by offering full access to users' systems via terminal commands, file operations, browser automation, and AI-driven tasks. The tool's architecture utilizes an agent-based model that facilitates connectivity through any NAT or firewall by establishing outbound connections from a server-side agent. This design ensures seamless operation across various network configurations.
A standout feature of Cmdop is its integration with artificial intelligence, allowing users to execute AI workflows with structured outputs defined using Pydantic models. Additionally, it supports browser automation on target machines, enabling remote web navigation and interaction, along with traditional file operations such as reading, writing, or listing files without relying on conventional protocols. Moreover, Cmdop includes network analysis capabilities for capturing and analyzing API traffic to aid in endpoint discovery.
The tool provides a Python SDK that employs gRPC/HTTP2, efficiently multiplexing all services over a single connection for streamlined interaction. Installation is straightforward via pip with the command `pip install cmdop`, and usage examples are available for various tasks such as terminal operations, file management, AI agent utilization, and browser automation, as demonstrated in a sample Python SDK code snippet.
Cmdop offers two primary methods of establishing connections: remote access through cloud relay to bypass NAT/firewalls, and local direct IPC connection to an already running agent. Compared to conventional tools like Tailscale, ngrok, or SSH, Cmdop provides more integrated system management functionalities, including terminal streaming, file operations, browser automation, and AI tasks, making it a robust solution for managing systems across diverse environments. The tool requires Python 3.10+ along with either a local CMDOP agent or an API key for remote access to function effectively.
Keywords: #phi4, AI agent, API key, CMDOP, NAT, NAT traversal, NetworkAnalyzer, Pydantic, Python, SCP, SDK, SFTP, SSH, Tailscale, VPN, WireGuard, browser automation, cloud relay, file operations, gRPC, multiplexing, ngrok, outbound connection, phone, remote access, skills, structured output, terminal access, terminal streaming
github.com 5 days ago
|
1549.
HN
Tangled: Our €3,8M seed round
Tangled has successfully secured a €3.8M seed financing round, led by byFounders and supported by Bain Capital Crypto, Antler, and influential figures such as Thomas Dohmke and Avery Pennarun. Over the past year, Tangled evolved into a federated code collaboration platform where users maintain ownership of their data, currently serving over 7,000 users with more than 5,000 repositories. The company's mission is to establish itself as a leading code forge and foundational infrastructure for future open-source projects, aligning with byFounders' commitment to community focus and transparency.
Looking forward, Tangled plans to enhance its platform through the release of spindle v2, which will feature micro VMs, protocol-level improvements, customizable dashboards, migration tools from GitHub, improved search functionalities, and performance upgrades. To support these initiatives, Tangled is expanding its team and encourages applications from interested candidates. New users are invited to join via Discord or visit the platform's website for more information, as Tangled extends gratitude to all contributors supporting their journey.
Keywords: #phi4, AT Protocol, Antler, Bain Capital Crypto, CI, CI (spindle v2), CLI, Discord, Discord Keywords: Tangled, GitHub CEO, Nix CI, PRs, Tailscale, Tangled, byFounders, code collaboration, community-driven, federated network, global presence, infrastructure, investors, micro VMs, migration tool, mission control dashboard, open source, performance improvements, repositories, search functionality, seed round, transparency, €38M
blog.tangled.org 6 days ago
https://ufos.microcosm.blue/collection/?nsid=sh.tangled 6 days ago
https://www.byfounders.vc/insights/term-sheet-guide 6 days ago
|
1773.
HN
Computers Should Be Liberating
The "Computers Should Be Liberating" zine, featured on Jyn's website, is an integral part of the 8th issue of PagedOut, an experimental technical magazine. It encompasses a diverse range of topics related to technology, featuring contributions from several authors who explore subjects such as computer operators, persistence models, future technologies, and access control systems. Allan Blomquist discusses Tomorrow Corporation's technological demonstrations; Chip Morningstar delves into capabilities, while Bret Victor provides insights on Dynamicland. Jyn contributes original writings that reflect on the future of terminals, the core principles of Rust programming language, and personal reflections on enjoying coding. The website serves as a comprehensive showcase of Jyn’s interests in both technical advancements and engaging with code creatively, complemented by links to their professional profiles on GitHub and LinkedIn.
Keywords: #phi4, Audacious, CTF, Capabilities, Code, Coherent, Computers, Dynamicland, Fun, Ghosts, GitHub, Joy, Jyn, Liberating, LinkedIn, Operators, PagedOut, Persistence, Pharo, Procrustean, Tailscale, Terminal, Tomorrow, Zine
jyn.dev 8 days ago
|
1784.
HN
Show HN: OpenClaw-kapso, Give OpenClaw a stable WhatsApp number (Go, kapso.ai)
OpenClaw-kapso is a plugin designed to integrate OpenClaw with WhatsApp Cloud API through Kapso, offering a reliable solution for AI agents requiring stable WhatsApp numbers. The tool features three delivery modes: polling (default), Tailscale Funnel (real-time communication under 1-second latency without configuration), and custom domain setup. It leverages the official Cloud API to avoid bans associated with reverse-engineered methods.
Key aspects of OpenClaw-kapso include its architecture, which facilitates interactions between WhatsApp, a poller module, OpenClaw Gateway, and AI agents using Kapso's API. Security is emphasized through sender allowlisting, rate limiting, role tagging, and session isolation, with an inherent default mode restricting interactions to pre-approved numbers only.
Designed for efficiency, it employs a stateless approach, ensuring near-zero idle CPU usage by avoiding persistent connections or session management. Installation is straightforward, requiring minimal environment variables like `KAPSO_API_KEY` and `KAPSO_PHONE_NUMBER_ID`, along with optional configuration via a config file (`config.toml`).
To set up OpenClaw-kapso, users can install it using Go commands or prebuilt binaries from GitHub Releases, configure the OpenClaw agent by incorporating SKILL.md into the workspace, and set necessary environment variables. Security features vary across delivery modes: Allowlist Mode restricts interactions to specified numbers; Tailscale Funnel offers real-time messaging via tunneling without requiring a domain; and Custom Domain Mode necessitates HTTPS for webhook URLs setup through a reverse proxy.
The project is designed with easy development and community contribution in mind, providing tools for building, testing, linting, and installing binaries. Distributed under the MIT license, it encourages open collaboration within its user base.
Keywords: #phi4, API, Go, Kapso, NixOS, OpenClaw, Tailscale, Tailscale Funnel, WhatsApp, agent, allowlist, configuration, delivery, delivery modes, development, environment, environment variables, latency, license, license Keywords: OpenClaw, polling, rate limiting, reverse proxy, security, session, session isolation, webhook
github.com 8 days ago
|
1875.
HN
Remotely unlocking an encrypted hard disk
The article presents a method for remotely unlocking an encrypted hard disk during the early boot process using Linux's initramfs on an Arch-based system. It begins by explaining the role of initramfs as a small initial RAM filesystem that runs at early boot, providing a platform to install necessary software and execute modifications. The author identifies key challenges in setting up secure networking, SSH services, and Tailscale within this environment, emphasizing the need to prevent key expiration and restrict shell access while using Access Control Lists (ACLs) to allow connections only from authorized devices.
The solution involves implementing several critical steps: installing Dropbear for SSH capabilities, configuring it to execute a specific unlock command, and setting up systemd services for networking with sd-network. The setup also includes enabling Tailscale in initramfs through configurations and hooks defined in mkinitcpio.conf, along with configuring network settings during early boot to ensure secure key management.
Detailed steps guide the reader through configuring Arch Linux to support these functionalities by setting up keys, editing necessary configuration files, and rebuilding the initramfs. The article concludes by underscoring that with sufficient technical knowledge and creativity, complex tasks such as remotely unlocking an encrypted disk can be accomplished without sacrificing security. It highlights how understanding and manipulating low-level boot processes enable innovative solutions to specific challenges in computing.
Keywords: #phi4, ACLs, Arch, BIOS, Ethernet, Linux, SSH, WiFi, authorized_keys, device-timeout, dropbear, early boot, encrypted hard disk, initramfs, initrd, key expiry, mkinitcpio, network interfaces, networking, power loss, security, service management, systemd, tailscale
jyn.dev 8 days ago
|
2208.
HN
Show HN: Ambit-OpenCode – Cloud IDE with Seamless Mobile <> Desktop Handoff
Ambit-OpenCode is a cloud-based Integrated Development Environment (IDE) designed to facilitate seamless project transitions between mobile and desktop devices. Utilizing Tailscale for networking and Fly.io for cloud infrastructure, it offers robust features such as secure project storage, an agent-driven interface, and a comprehensive built-in cloud shell pre-configured for user convenience. The platform simplifies the setup process, making it accessible for users. As an open-source solution, Ambit-OpenCode encourages community feedback to enhance its development. Users can explore its capabilities through a one-week free trial offered by Fly.io; after the trial, the service incurs a cost of approximately $5 per month. For additional support or inquiries, users are encouraged to contact the developers via email.
Keywords: #phi4, Ambit-OpenCode, Cloud IDE, Flyio, Mobile Desktop handoff, Tailscale, agent-driven IDE, cloud shell, feedback, free trial, open-source, project storage, setup
github.com 10 days ago
|
2417.
HN
Show HN: Tspages – static site hosting platform for your Tailscale network
Tspages is a streamlined static site hosting platform tailored for integration with the Tailscale network, offering an efficient method to deploy static websites under custom hostnames within a Tailnet environment. It merges elements of public hosting and internal servers by providing secure site hosting without shared secrets or external authentication layers. Its ease of deployment allows users to utilize straightforward methods such as drag-and-drop, archive uploads, or curl commands.
Key features include robust authorization control managed via Tailscale Application Grants with custom capabilities, ensuring identity-based permission enforcement through Tailnet policy. Deployment management is facilitated by easy switching between versions and access to a global feed of all site deployments. Built-in analytics track visitor data on a per-site basis, with options for enabling or disabling tracking as needed.
The architecture assigns each site a unique tsnet hostname within the Tailnet (e.g., `design-system.funky-animal.ts.net`). The control plane serves deploy and admin APIs, while Tailscale’s identity system manages credentials without the need for tokens or API keys, streamlining access controls. Sites can be customized through configuration files that set parameters like SPA fallback routing, custom headers, and redirections.
For usage, users quickly configure tspages with `tspages.toml` settings and deploy sites using curl commands. An admin dashboard provides site management tools and traffic analytics visibility for administrators, while restricting user access to authorized sites only. The API facilitates site management tasks such as deployment uploads and deletion, alongside analytics queries.
Tspages emphasizes security by leveraging Tailscale Application Grants for granular authorization control aligned with user roles and site-specific needs. This platform is ideal for hosting internal documentation and tools efficiently within a secure, identity-based network environment, eliminating the complexity of traditional server setups.
Keywords: #phi4, API, GitHub Actions, HTTPS, Tailscale, admin dashboard, analytics, authorization, capability grants, configuration, control plane, deployment, static site hosting, tspages, upload formats
github.com 10 days ago
|
2529.
HN
I vibe coded my dream macOS presentation app
The author recounts their rapid development of a custom macOS presentation application named Present, crafted in about 45 minutes using Swift and SwiftUI prior to delivering a talk. Designed to address the unreliability of browser-based presentations, Present enables users to create presentations by organizing URLs into slides, which are saved automatically. Notably, it features fullscreen mode with keyboard navigation for seamless slide transitions, enhancing user experience. An innovative aspect is its remote control functionality via a web server accessible on the author's phone, facilitated by Tailscale, allowing cross-device connectivity. Despite Swift being an unfamiliar language to the author, Present's straightforward and functional code demonstrates Swift’s suitability for such development tasks. This project not only offers practical solutions over traditional tools like Keynote or browser tabs but also underscores the potential for personal growth in engineering skills through engaging with new technologies.
Keywords: #phi4, CSRF vulnerabilities, Keynote, Swift, SwiftUI, Tailscale, URLs, Xcode, browser crash, full screen, macOS, presentation app, remote control, socket programming, technical knowledge, vibe coded, web pages
simonwillison.net 11 days ago
|
2780.
HN
From AI Agent to Tamagochi?
The author delves into creating personalized software via "toadie," an AI-powered personal assistant developed using gen coding tools like Claude Code. Initially aimed at replicating dictation features similar to Mac's Superwhisper for Linux, the project expanded into a comprehensive system integrating speech-to-text capabilities accessible across multiple devices, including a Galaxy Watch and mobile phone. The core transcription component employs Deepgram, with cost-saving auto-stop features triggered by silence intervals. To maintain continuous conversations in Claude Code sessions, even when away from the main workstation, tmux integration is utilized.
A custom Kotlin app facilitates dictation directly from the Galaxy Watch, interacting with a local Python server handling audio and text exchanges. This setup ensures secure communication via Tailscale permission hooks, allowing only authorized clients to perform sensitive operations across devices. The mobile phone client "toadie" functions as an interactive assistant akin to tamagotchi, responding to voice commands and wake words powered by Picovoice. This enables the author to manage tasks such as reading notes or controlling home appliances, demonstrating how tailored software can meet specific user needs without resorting to general-purpose tools.
Security is a key focus, with Tailscale providing private network access and additional verification layers to safeguard interactions within the system. The project exemplifies a shift towards custom solutions in software development, driven by individual preferences and unique use cases, showcasing the potential of personalized technology tailored for specific functionalities and user requirements.
Keywords: #phi4, API, CLI, Claude Code, Deepgram, Galaxy Watch, JSONL, Kotlin, Linux, Personal software, PicoVoice, Python, Superwhisper, Tailscale, Wear OS, WebSocket, assistant, automation, bot, coding, dashboard, dictation, hooks, integration, open source, permissions, script, security, speech-to-text, tmux
mfranc.com 12 days ago
|
2951.
HN
OpenClaw: Running a Secure, Capable, Low Cost Claw – Hetzner/Tailscale/ZapierMCP
The author explores running an efficient virtual assistant using OpenClaw on a Hetzner Cloud Server, emphasizing cost-effectiveness without requiring expensive hardware such as Mac Minis. The setup prioritizes security through dedicated SSH keys and Tailscale for network isolation, with firewalls blocking public access but allowing connections via the private tailnet, and disabling device authentication on Tailscale to enhance protection. For maintaining observability and backups, Git tracks OpenClaw's state locally, supported by Hetzner’s snapshot services.
To balance performance and cost, the Claude Sonnet 4.6 model is selected over more expensive alternatives like Claude Opus. Addressing privacy concerns, Discord is chosen for its scoped permission model over WhatsApp to minimize data exposure. Integration with Zapier’s MCP server streamlines secure personal data access through a user-friendly interface, avoiding complex setups like the Google Cloud Console. This integration significantly boosts OpenClaw's functionality by consolidating control over various personal data sources.
Despite current API limitations, the author views this setup as indicative of the potential for a powerful digital assistant and expresses optimism about future advancements in security and usability that could make such configurations more accessible to non-technical users.
Keywords: #phi4, API Keys, Backup, Channel Selection, Cost Efficiency, Discord, Firewall, GitHub, Google Calendar, Hetzner, Integration, LLMs, MCP, Model Selection, OpenClaw, Personal Data, Privacy, Rate Limits, Secure, Server, Tailscale, Technical Skill, Zapier
www.appsoftware.com 12 days ago
|
2966.
HN
Tailscale Aperture
Aperture is a gateway product developed by Tailscale that enhances network security and identity management for AI applications, specifically addressing challenges in managing API keys for large language models (LLMs). It operates within the secure framework of Tailscale's tailnet, leveraging its robust connectivity, security, and identity features. Aperture streamlines the process of securely embedding API keys and logs each access with user identities, thereby improving both security and visibility.
Early adopters, such as Corelight, have commended Aperture for minimizing friction in generative AI workflows by centralizing model access and providing detailed usage insights. Tailscale's internal teams also report increased productivity, noting quicker development cycles for LLM-powered tools without the need to request API keys. The product supports major LLM providers like AWS Bedrock and Google Vertex and integrates with services including Cribl, Oso, Apollo Research, and Cerbos to offer enhanced real-time analysis, dynamic access policy management, and automated least privilege controls.
Additional features of Aperture include an S3 integration for log analysis and a visual editor that allows users to configure model access policies efficiently. Designed to facilitate the deployment of AI applications more safely, swiftly, and cost-effectively, Aperture provides security teams with enhanced control over their systems. Tailscale aims to further expand Aperture's capabilities through future integrations and enhancements focused on optimizing costs and improving real-time management of AI usage.
Keywords: #phi4, API keys, AWS Bedrock, Aperture, CISOs, CTOs, Google Vertex, LLMs, S3 integration, Tailscale, audit logs, authorization management, coding agents, connectivity, cost optimization, data engine model, dynamic access policy management, gateway, identity, security, tsnet, visual editor
tailscale.com 12 days ago
|
3101.
HN
Eac-d – lightweight push-to-deploy for Proxmox LXC (Go, no CI platform)
`eac-d`, short for "easy cd," is a streamlined continuous deployment tool tailored for Proxmox LXC containers, designed to simplify the deployment process by enabling developers to directly push build artifacts onto an LXC container without the need for external CI/CD platforms or cloud services. The system comprises two main components: the client (`eacd`) that operates on the developer's machine and the daemon (`eacdd`) running within the target LXC container. It employs SHA-256 hashes to identify modified files, uploading only changes as compressed archives, while also allowing for pre- and post-deployment hooks execution.
The tool boasts several key features: it supports delta uploads to transfer only altered files, Proxmox-native deployment via a single command (`eacd init`), and inventory management that handles packages, services, and users declaratively. Additionally, `eac-d` provides rollback support through automatic pre-deploy backups, integrates with systemd for managing units during deployment, and offers hook scripts to execute tasks before build or after server deployment. It has minimal dependencies, requiring only standard libraries and a YAML library.
Installation is straightforward: the client can be installed on Linux and macOS using a curl command, while the daemon installation script targets Linux/amd64 servers. Users can quickly start by using the Proxmox wizard for automated LXC container provisioning or manually install the daemon on an existing server, followed by project initialization.
Security is emphasized with recommendations to secure deployment environments through measures such as UFW firewall rules or VPNs like Tailscale to safely access deployments remotely without exposing ports. The philosophy behind `eac-d` centers around simplicity and isolation, deploying each application in its own LXC container while suggesting tools like Ansible or NixOS for more complex needs. As an open-source project licensed under MIT, it encourages user feedback and contributions to enhance deployment workflows for Proxmox users.
Keywords: #phi4, API, API token permissions, Ansible, CI/CD, Cloudflare Tunnel, Go, HTTP API, JSON, LXC, Linux, NixOS, Proxmox, Proxmox VE, Proxmox config, SHA-256 hashes, SSH tunnel, TLS verification, Tailscale, UFW, VPN, WireGuard, YAML, apt-get, build output, client CLI, compressed archive, containers, delta uploads, deployment, deployment snapshot, dnf, eac-d, eacdd, firewall rules, hooks, inventory management, logs, macOS, manifest, ownership tracking, package managers, packages, pacman, rate limits, reverse proxy, rollback, security, self-signed certs, server daemon, services, systemd integration, systemd unit, users, yum
github.com 13 days ago
|
3134.
HN
The Lethal Trifecta: Securing OpenClaw Against Prompt Injection
The article addresses the importance of securing OpenClaw, an AI agent capable of reading emails and executing commands, against prompt injection vulnerabilities. It identifies a "Lethal Trifecta" risk profile comprising system access, execution power, and untrusted ingestion that attackers could exploit through hidden commands in emails or malicious plugins within OpenClaw's ecosystem. These actions might lead to indirect prompt injections or persistent backdoors.
To mitigate these security risks, the article recommends several measures:
1. **True Containment and Immutable Memory**: This involves running OpenClaw in a restricted container or virtual machine with no access to sensitive areas and ensuring core identity files remain immutable to prevent unauthorized modifications.
2. **Harden the Gateway**: To limit network exposure, connections should be bound locally or secured through tunnels, while direct messaging is restricted to prevent unauthorized interactions.
3. **Practice Secret Hygiene**: It's crucial to avoid giving agents access to valuable data by using scoped and temporary tokens and refraining from handling credentials in plaintext.
Implementing these security strategies allows OpenClaw to function as a beneficial AI tool without compromising overall security, ensuring its safe utilization.
Keywords: #phi4, AI vulnerabilities, API tokens, Docker, OpenClaw, Tailscale, VM, autonomous agents, containment, execution power, hardened gateway, immutable memory, indirect attacks, least privilege, malware, persistent backdoors, plugin ecosystem, prompt injection, secret hygiene, secure tunnel, security, system access, threat mitigation, untrusted ingestion
octoclaw.ai 13 days ago
|
3225.
HN
Show, Don't Tell
Exe.dev has adopted a "Show, Don't Tell" marketing strategy to stand out in the saturated AI market by demonstrating their product's value through practical applications. They focus on Shelley, a web UI that allows users to write private apps from mobile devices and share them. Shelley supports creating isolated virtual machines with tools like codex, claude, and an agent designed for mobile use, enabling functionalities such as diagnosing anycast network issues by testing routes across regions.
This strategy highlights exe.dev's capability of developing small, private applications that solve specific problems or perform tasks using large language models (LLMs), allowing quick prototyping without deep code inspection. This marks a shift in software development and sharing paradigms, facilitating the creation of business tools that might be challenging to produce with traditional programming. While LLMs enhance creativity and convenience in app development, the author underscores the importance of careful evaluation when implementing changes to critical infrastructure.
Keywords: #phi4, AI noise, Linux subsystems, Marketing strategy, SNR, Shelley agent, Show don't tell, TLS, Tailscale, VMs, anycast network, app prototyping, auth, business tools, frontend tuning, global frontends, infrastructure, isolated VM, landing page, mobile UI, mtr tool, netops, network namespace, private apps, prompt-based development, route testing, share URL, sqlite DB, web UI
blog.exe.dev 13 days ago
|
3267.
HN
Dealing with a DERPy Server
The author faced significant slowdowns on their public websites hosted on a mini PC at home, despite having sufficient bandwidth. The root cause was identified as reliance on a DERP relay by Tailscale due to the absence of a static IP address. Initially suspecting overload on Tailscale's newly announced Peer Relays, various troubleshooting steps like adjusting firewall settings and network configurations failed to resolve the issue.
Further investigation revealed that an outdated version of Tailscale (three years old) was running on the mini PC, while other devices had more recent versions. This mismatch led to protocol failures, forcing traffic to route through DERP relays instead of establishing a direct connection. Updating Tailscale on the mini PC and resolving configuration issues restored a direct link, eliminating dependence on DERP relays.
Following these updates, website performance improved markedly, with loading times returning to normal levels. This experience underscores the importance of keeping software up-to-date to ensure optimal network performance and reliability.
Keywords: #phi4, Caddy server, DERP, Digital Ocean, Headscale, Reserved IP, Tailscale, UDP traffic, VM, bandwidth, direct connection, latency, network interface, performance improvement, port 41641, protocol failures, software update, tailscaled
yakshed.com 14 days ago
https://news.ycombinator.com/item?id=47063005 14 days ago
|
3387.
HN
Show HN: Notesync, self-hosted note sync and publish engine
Notesync is a self-hosted tool designed to synchronize markdown files, including images, across various personal machines, while also enabling the publication of notes as a static blog. Its key features include multiple synchronization options: "Sync Only," which uses OS-level events to detect changes and push them via REST API, and "Sync + Publish," allowing specific notes marked with `publish: true` to be pushed to a public server for generating a static HTML site. The system resolves conflicts using the "last write wins" method based on file timestamps and manages deletions through tombstones retained for up to 30 days before cleanup. It offers a "Push Only Mode" for clients who wish to sync files created locally, which is particularly useful for distinguishing between personal and work notes. Notesync can be deployed in Docker with various configurations, from full blog setups with automatic HTTPS to minimal server/client components. Deployment options range from inexpensive VPS like Hetzner to private networks using tools such as Tailscale. The author demonstrates a practical use case of syncing notes from a Raspberry Pi to a Hetzner VPS for publishing, highlighting the system's efficiency in ensuring rapid updates across devices with minimal setup and configuration.
Keywords: #phi4, Caddy reverse proxy, Docker, HTTPS, Hetzner, Notesync, REST API, TLS, Tailscale, VPS, authentication token, client-server, conflict resolution, deployment, file events, frontmatter, markdown, personal notes, private network, public-facing server, publish, push only, self-hosted, site builder, static blog, sync engine, sync options, tombstones
nilszeilon.com 14 days ago
|
3399.
HN
Show HN: Microterm runs Linux VM in any browser tab via WASM, RISCV64 emulation
Microterm is a Linux virtual machine accessible via any web browser tab that provides real development and operational capabilities on various devices. It leverages Restty for terminal rendering and TinyEMU to run an Alpine Linux guest using RISC-V64 architecture, ensuring local computation with user privacy as workloads are processed directly on the device. Key features of Microterm include persistent storage up to 40 GB, comprehensive networking functions like SSH and Nginx hosting, and secure Tailscale connectivity for linking devices. The platform supports a range of development tools including bash, Docker-compatible workflows, and Codex AI integration to enhance coding efficiency. Microterm is versatile across desktops, tablets, and phones, with iOS PWA installations facilitating mobile use. It enables users to engage in tasks such as SSH access, Kubernetes exploration, and offline programming within Linux environments directly from their browser or mobile device.
Keywords: #phi4, Alpine Linux, Bun integration, Codex, Docker, Ghostty, JavaScriptCore, Kubernetes, Linux VM, Microterm, PWA, RISCV64, Restty, SSH, Tailscale, TinyEMU, WASM, WebGPU, browser tab, emulation, iOS, local computation, networking, nginx, offline coding, persistent storage, privacy, terminal rendering
microterm.dev 15 days ago
|
