Open OpenHands UI to all interfaces

Was bound to 127.0.0.1:3030 — overcautious on a Tailscale-only box where Phoenix/Beszel/OpenWebUI are all reached the same way. Updated the homepage tile description and added a security note in the README for the case where the host ever leaves the tailnet. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 12:04:35 -04:00
parent 178d7d3c0f
commit 5d3fce22a1
4 changed files with 23 additions and 22 deletions
--- a/pyinfra/framework/compose/openhands.yml
+++ b/pyinfra/framework/compose/openhands.yml
@@ -18,10 +18,13 @@ services:
    restart: unless-stopped

    # 3030 host-side because :3000 is OpenWebUI and :3001 is OpenLIT.
-    # Loopback-only — reach via SSH tunnel or Tailscale, don't expose
-    # this directly.
+    # Bound to all interfaces — fine on a Tailscale-only box where every
+    # other service is reached the same way. If you ever expose this
+    # host to the LAN/internet, change this to "127.0.0.1:3030:3000"
+    # and tunnel in (this orchestrator has docker.sock access and
+    # spawns code-running sandboxes — not something you want public).
    ports:
-      - "127.0.0.1:3030:3000"
+      - "3030:3000"

    volumes:
      # Required: orchestrator spawns sandbox containers via the host daemon.