security: run hal0-api as non-root 'hal0' user (drop root); keep 0.0.0.0; document mandatory edge-proxy #614

@thinmintdev

Description

What to build

hal0-api currently runs as root on 0.0.0.0:8080 with no in-app gate. Decision (audit Q3.2): run the service as the existing non-root hal0 nologin system user, keep the 0.0.0.0 bind (zero-config LAN dashboard), and document loudly that any non-loopback/internet exposure requires a reverse proxy in front (Traefik / nginx / Cloudflare Tunnel), matching ADR-0012.

Pointers: installer/install.sh:160,640,643. Audit Q3.2.

Acceptance criteria

  • hal0-api systemd unit runs as the hal0 user, not root
  • 0.0.0.0:8080 bind preserved; LAN dashboard works out of the box
  • File/dir ownership + permissions adjusted so the hal0 user can read config/state
  • Install/operate docs state edge-proxy is required for any non-LAN exposure

Blocked by

None - can start immediately
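The following is an added example (not code from the hal0 project or its installer) of what the acceptance criteria above look like when written down as a systemd unit plus an ownership fixup, with a check that the unit actually dropped root. Everything except the `hal0` user name and the `0.0.0.0:8080` bind is an assumption: the binary path, the config and state directories, and the unit layout are hypothetical placeholders, overridable through environment variables. The unit carries no `ExecStart` flag for the bind address, since the issue says the service already listens on `0.0.0.0:8080` by itself; because 8080 is an unprivileged port, the capability bounding set can be emptied entirely. Reverse-proxy placement is left to the operator, as ADR-0012 requires, so the unit only documents that requirement in its `Description`.

```shell
#!/bin/sh
# Added example, not hal0 project code. Paths below are assumptions.
set -eu

HAL0_USER="${HAL0_USER:-hal0}"                      # existing nologin system user (from the issue)
HAL0_BIN="${HAL0_BIN:-/usr/local/bin/hal0-api}"     # assumed binary path
HAL0_CONF_DIR="${HAL0_CONF_DIR:-/etc/hal0}"         # assumed config dir (read-only for hal0)
HAL0_STATE_DIR="${HAL0_STATE_DIR:-/var/lib/hal0}"   # assumed state dir (read-write for hal0)

# Print a systemd unit that runs hal0-api as the non-root user. The service
# keeps its own 0.0.0.0:8080 bind; no bind flag is assumed here. Port 8080
# is unprivileged, so no CAP_NET_BIND_SERVICE is needed and the capability
# bounding set can be empty.
render_hal0_unit() {
  cat <<EOF
[Unit]
Description=hal0-api (unprivileged; non-LAN exposure requires a reverse proxy in front, see ADR-0012)
After=network-online.target
Wants=network-online.target

[Service]
User=${HAL0_USER}
Group=${HAL0_USER}
ExecStart=${HAL0_BIN}
WorkingDirectory=${HAL0_STATE_DIR}
Restart=on-failure
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=${HAL0_STATE_DIR}
CapabilityBoundingSet=
AmbientCapabilities=
UMask=0077

[Install]
WantedBy=multi-user.target
EOF
}

# Check a unit file against the acceptance criteria: it must run as the hal0
# user, must forbid privilege escalation, and must not still name root.
check_hal0_unit() {
  unit_file="$1"
  grep -q "^User=${HAL0_USER}\$" "$unit_file" \
    || { echo "unit does not run as ${HAL0_USER}" >&2; return 1; }
  grep -q '^NoNewPrivileges=yes$' "$unit_file" \
    || { echo "NoNewPrivileges=yes missing" >&2; return 1; }
  if grep -q '^User=root$' "$unit_file"; then
    echo "unit still runs as root" >&2; return 1
  fi
  return 0
}

# Make config readable and state writable by the hal0 user. chown only runs
# when invoked as root with the user present (the installer's situation);
# otherwise only the mode bits are set, so the function is safe to exercise
# without privileges.
fix_hal0_paths() {
  for d in "$HAL0_CONF_DIR" "$HAL0_STATE_DIR"; do
    [ -d "$d" ] || mkdir -p "$d"
  done
  if [ "$(id -u)" -eq 0 ] && id "$HAL0_USER" >/dev/null 2>&1; then
    chown -R "root:${HAL0_USER}" "$HAL0_CONF_DIR"     # root owns config, hal0 may read
    find "$HAL0_CONF_DIR" -type f -exec chmod 0640 {} +
    chown -R "${HAL0_USER}:${HAL0_USER}" "$HAL0_STATE_DIR"
  else
    echo "not root (or ${HAL0_USER} absent): skipped chown" >&2
  fi
  chmod 0750 "$HAL0_CONF_DIR" "$HAL0_STATE_DIR"        # no world access either way
}

# Usage (as root, in the installer):
#   render_hal0_unit > /etc/systemd/system/hal0-api.service
#   check_hal0_unit /etc/systemd/system/hal0-api.service
#   fix_hal0_paths && systemctl daemon-reload && systemctl restart hal0-api
```

After applying the unit, `systemctl show -p User hal0-api` and `ss -ltnp 'sport = :8080'` confirm both criteria at once: the process owner is `hal0` and the listener is still on `0.0.0.0:8080`, which is exactly the state the edge-proxy requirement in the docs has to cover.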

Labels

  • enhancement: New feature or request
  • oss-readiness: 2026-06-07 codebase-audit OSS-readiness backlog
  • ready-for-agent: PRD is fully scoped and ready for an AFK agent to pick up