127.0.0.1:8080. With Tailscale enabled, the daemon binds the dashboard to your Tailscale IP address instead, making it reachable from any device on your private Tailnet — your laptop, phone, or any other machine you’ve enrolled — without opening any ports to the public internet.
Prerequisites
- Tailscale installed and authenticated on the machine running Hiroshi
- The
tailscaleCLI available onPATH(it ships with the standard Tailscale install)
Setup
Add the[tailscale] section to ~/.hiroshi/config.toml:
How it works
Whenenabled = true, the daemon runs tailscale ip -4 at startup to resolve the local Tailnet IPv4 address. The web server then binds to that address on port 8080 instead of 127.0.0.1.
If the tailscale ip -4 command fails — for example because Tailscale is not running or the CLI is not on PATH — Hiroshi falls back in order:
- Uses
interface_fallbackif you have set it to a non-empty string. - Falls back to
127.0.0.1ifinterface_fallbackis not set.
Configuration fields
Set to
true to enable Tailscale binding. When false (the default), the dashboard binds to 127.0.0.1 only.A hardcoded IPv4 address to bind to if automatic Tailscale IP detection fails. Optional — if omitted and detection fails, Hiroshi falls back to
127.0.0.1. Set this to your known Tailscale IP (e.g. 100.64.0.1) for a more predictable failure mode.Accessing the dashboard
Once the daemon is running with Tailscale enabled, open the following URL from any device enrolled in your Tailnet:tailscale ip -4 in a terminal, or by checking the Tailscale admin console.
Your Tailnet acts as the access control boundary — only devices that have joined your Tailscale network and been approved in the admin console can reach the dashboard. No additional authentication is needed between trusted Tailnet devices.