@ebowwa/hetzner 0.3.1 → 0.3.2

package/dist/bootstrap/kernel-hardening.d.ts

@@ -0,0 +1,69 @@
+/**
+ * Kernel Hardening Cloud-Init Components
+ *
+ * Composable cloud-init blocks for securing the Linux kernel on new servers.
+ * Implements 2026 best practices for network stack hardening, IP spoofing
+ * protection, SYN flood mitigation, and secure core dump policies.
+ *
+ * Background: Public-facing VPS servers are constantly probed and attacked.
+ * Default Linux kernel settings prioritize compatibility over security. This
+ * module applies CIS Benchmark-aligned hardening via /etc/sysctl.d/ which
+ * persists across reboots and overrides defaults.
+ *
+ * Three composable functions return cloud-init line arrays for splicing into
+ * the appropriate YAML sections:
+ *   - kernelHardeningPackages()    → packages: section (currently empty, reserved)
+ *   - kernelHardeningWriteFiles()  → write_files: section (drops sysctl config)
+ *   - kernelHardeningRunCmd()      → runcmd: section (applies settings immediately)
+ *
+ * Security Measures Implemented:
+ * 1. Network Stack Hardening: SYN cookies, ICMP rate limits, martian packet logging
+ * 2. IP Spoofing Protection: Reverse path filtering, source address verification
+ * 3. SYN Flood Protection: TCP SYN cookies, reuse time_wait connections
+ * 4. Core Dump Restrictions: Disable setuid dumps, limit core dump size to 0
+ * 5. File Permissions: Hard links, symlinks, FIFO protection
+ * 6. Memory Protection: ASLR, randomize_va_space
+ *
+ * References:
+ * - CIS Benchmark for Ubuntu Linux 24.04
+ * - NIST SP 800-53 Revision 5
+ * - https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
+ */
+/**
+ * Packages required for kernel hardening.
+ * Returns cloud-init YAML lines for the `packages:` section.
+ *
+ * Note: All kernel hardening is done via sysctl configuration, which uses
+ * built-in kernel functionality. No additional packages are required.
+ * This function is reserved for future expansion (e.g., auditd, kexec-tools).
+ */
+export declare function kernelHardeningPackages(): string[];
+/**
+ * Kernel sysctl configuration file for comprehensive hardening.
+ * Returns cloud-init YAML lines for the `write_files:` section.
+ *
+ * Drops /etc/sysctl.d/99-security-hardening.conf which:
+ * - Takes precedence over /etc/sysctl.conf (99- prefix ensures last load)
+ * - Persists across reboots (sysctl.d files are applied on boot)
+ * - Can be applied immediately via `sysctl --system` (see runcmd)
+ *
+ * Settings organized by category:
+ * 1. IP Spoofing Protection: rp_filter, secure redirects
+ * 2. SYN Flood Protection: syncookies, tcp_tw_reuse
+ * 3. Network Stack: ICMP rate limits, martian logging, ignore broadcasts
+ * 4. Core Dumps: Disabled for setuid programs, limited for all processes
+ * 5. Memory Protection: ASLR, randomize_va_space
+ * 6. Filesystem: Hard link/symlink protection
+ */
+export declare function kernelHardeningWriteFiles(): string[];
+/**
+ * Commands to apply kernel hardening settings immediately at first boot.
+ * Returns cloud-init YAML lines for the `runcmd:` section.
+ *
+ * Order matters:
+ *   1. Load all sysctl settings from /etc/sysctl.d/*.conf
+ *   2. Apply settings immediately (don't wait for reboot)
+ *   3. Log applied settings for audit trail
+ *   4. Display summary for cloud-init output verification
+ */
+export declare function kernelHardeningRunCmd(): string[];

package/dist/bootstrap/security-audit.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Security Audit Cloud-Init Components
+ *
+ * Composable cloud-init blocks for running post-bootstrap security audits.
+ * Generates comprehensive security reports for verification and compliance.
+ *
+ * This module runs LAST in the bootstrap sequence, after all other security
+ * hardening is applied. It captures the state of the system for verification.
+ *
+ * Three composable functions return cloud-init line arrays for splicing into
+ * the appropriate YAML sections:
+ *   - securityAuditPackages()    → packages: section
+ *   - securityAuditWriteFiles()  → write_files: section
+ *   - securityAuditRunCmd()      → runcmd: section
+ */
+/**
+ * Packages required for security auditing.
+ * Returns cloud-init YAML lines for the `packages:` section.
+ *
+ * - lynis: Comprehensive security auditing tool
+ */
+export declare function securityAuditPackages(): string[];
+/**
+ * Files to write at first boot for security auditing.
+ * Returns cloud-init YAML lines for the `write_files:` section.
+ *
+ * Drops 1 file onto the server:
+ *
+ * 1. /opt/monitoring/security-audit.sh
+ *    - Collects security metrics (UFW, fail2ban, sshd, sysctl)
+ *    - Runs Lynis audit with warnings-only output
+ *    - Generates JSON report at /var/log/security-audit.json
+ *    - Logs summary to /var/log/security-audit.log
+ */
+export declare function securityAuditWriteFiles(): string[];
+/**
+ * Commands to run security audit at first boot.
+ * Returns cloud-init YAML lines for the `runcmd:` section.
+ *
+ * Order matters:
+ *   1. Create /opt/monitoring directory (audit script target)
+ *   2. Run security audit script (captures state after all hardening)
+ *   3. Log audit completion for verification
+ */
+export declare function securityAuditRunCmd(): string[];

package/dist/bootstrap/ssh-hardening.d.ts

@@ -0,0 +1,67 @@
+/**
+ * SSH Hardening Cloud-Init Components
+ *
+ * Composable cloud-init blocks for securing sshd on new servers.
+ * Includes: hardened sshd config, fail2ban, and health monitoring.
+ *
+ * Background: Hetzner public IPs get brute-forced constantly (~5k failed SSH
+ * logins per 24h observed on genesis). Without hardening, the default sshd
+ * MaxStartups (10:30:100) gets overwhelmed and legitimate connections time out
+ * with "Timed out while waiting for handshake".
+ *
+ * This module is imported by both cloud-init.ts (seed/worker nodes) and
+ * genesis.ts (control plane) so every new server gets hardened at first boot.
+ *
+ * Three composable functions return cloud-init line arrays for splicing into
+ * the appropriate YAML sections:
+ *   - sshdHardeningPackages()    → packages: section
+ *   - sshdHardeningWriteFiles()  → write_files: section
+ *   - sshdHardeningRunCmd()      → runcmd: section
+ */
+/**
+ * Packages required for SSH hardening.
+ * Returns cloud-init YAML lines for the `packages:` section.
+ *
+ * - fail2ban: bans IPs after repeated failed SSH attempts (3 tries → 1hr ban)
+ */
+export declare function sshdHardeningPackages(): string[];
+/**
+ * Files to write at first boot for SSH hardening.
+ * Returns cloud-init YAML lines for the `write_files:` section.
+ *
+ * Drops 5 files onto the server:
+ *
+ * 1. /etc/ssh/sshd_config.d/hardened.conf
+ *    - Disables password auth entirely (key-only)
+ *    - Raises MaxStartups from default 10:30:100 → 20:50:60 so brute-force
+ *      traffic doesn't starve legitimate connections
+ *    - Reduces LoginGraceTime from 2min → 30s (attackers hold slots open)
+ *    - Limits MaxAuthTries to 3 per connection
+ *    - Enables keepalive (30s interval, 3 missed = disconnect)
+ *
+ * 2. /etc/fail2ban/jail.local
+ *    - Monitors sshd via systemd journal
+ *    - Bans IP for 1 hour after 3 failures within 10 minutes
+ *    - Uses nftables (Ubuntu 24.04 default firewall backend)
+ *
+ * 3. /opt/monitoring/sshd-health.sh
+ *    - Collects sshd + fail2ban + system metrics into JSON
+ *    - Writes to /var/log/sshd-health.json (read by the app via SSH)
+ *    - Auto-restarts sshd if it detects it's down
+ *
+ * 4. /etc/systemd/system/sshd-health.service (oneshot runner)
+ * 5. /etc/systemd/system/sshd-health.timer (runs every 60 seconds)
+ */
+export declare function sshdHardeningWriteFiles(): string[];
+/**
+ * Commands to activate all SSH hardening services at first boot.
+ * Returns cloud-init YAML lines for the `runcmd:` section.
+ *
+ * Order matters:
+ *   1. Create /opt/monitoring dir (health script target)
+ *   2. Reload sshd to pick up hardened.conf (fallback: full restart)
+ *   3. Enable + start fail2ban (reads jail.local immediately)
+ *   4. Reload systemd to pick up the health service/timer units
+ *   5. Enable + start the health timer (begins 60s monitoring loop)
+ */
+export declare function sshdHardeningRunCmd(): string[];

package/dist/client.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Hetzner Cloud API client
+ * For server-side use only (requires API token)
+ *
+ * TODO: RE-REVIEW https://docs.hetzner.cloud/reference/cloud#authentication
+ * - https://tailscale.com/kb/1150/cloud-hetzner
+ */
+import { ServerOperations } from "./servers.js";
+import { ActionOperations } from "./actions.js";
+import { PricingOperations } from "./pricing.js";
+import { SSHKeyOperations } from "./ssh-keys.js";
+import { VolumeOperations } from "./volumes.js";
+import type { RateLimitInfo } from "./types.js";
+export declare class HetznerClient {
+    private apiToken;
+    constructor(apiToken?: string);
+    get isAuthenticated(): boolean;
+    /**
+     * Make a request to the Hetzner Cloud API
+     *
+     * @param endpoint - API endpoint (e.g., "/servers")
+     * @param options - RequestInit options
+     * @returns Parsed JSON response
+     * @throws {HetznerAPIError} On API errors
+     */
+    request<T>(endpoint: string, options?: RequestInit): Promise<T>;
+    /**
+     * Validate Hetzner API response with Zod schema
+     *
+     * @param schema - Zod schema to validate against
+     * @param data - Data to validate
+     * @returns Validated data
+     */
+    private validateResponse;
+    /**
+     * Handle rate limit information from response headers
+     *
+     * @param rateLimit - Rate limit info from response
+     */
+    private handleRateLimit;
+    /**
+     * Get current rate limit information
+     *
+     * Makes a lightweight request to check rate limit status
+     *
+     * @returns Rate limit info or null if not available
+     */
+    getRateLimit(): Promise<RateLimitInfo | null>;
+    readonly servers: ServerOperations;
+    readonly actions: ActionOperations;
+    readonly pricing: PricingOperations;
+    readonly ssh_keys: SSHKeyOperations;
+    readonly volumes: VolumeOperations;
+    listServers(): Promise<import("./types.js").HetznerServer[]>;
+    getServer(id: number): Promise<import("./types.js").HetznerServer>;
+    createServer(options: import("./types.js").CreateServerOptions): Promise<import("./types.js").CreateServerResponse>;
+    deleteServer(id: number): Promise<import("./types.js").HetznerAction>;
+    powerOn(id: number): Promise<import("./types.js").HetznerAction>;
+    powerOff(id: number): Promise<import("./types.js").HetznerAction>;
+    reboot(id: number): Promise<import("./types.js").HetznerAction>;
+}
+export type * from "./types.js";

package/dist/config.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Hetzner Cloud API configuration
+ */
+export declare const HETZNER_API_BASE = "https://api.hetzner.cloud/v1";

package/dist/errors.d.ts

@@ -0,0 +1,170 @@
+/**
+ * Hetzner Cloud API error types and utilities
+ */
+import type { RateLimitInfo, ActionError } from "./types.js";
+export type { ActionError };
+/**
+ * Hetzner API error codes
+ * @see https://docs.hetzner.cloud/#errors
+ */
+export declare enum HetznerErrorCode {
+    Unauthorized = "unauthorized",
+    InvalidInput = "invalid_input",
+    JSONError = "json_error",
+    Forbidden = "forbidden",
+    NotFound = "not_found",
+    ResourceLocked = "locked",
+    ResourceLimitExceeded = "resource_limit_exceeded",
+    UniquenessError = "uniqueness_error",
+    RateLimitExceeded = "rate_limit_exceeded",
+    Conflict = "conflict",
+    ServiceError = "service_error",
+    ServerNotStopped = "server_not_stopped",
+    ServerAlreadyStopped = "server_already_stopped",
+    InvalidServerType = "invalid_server_type",
+    IpNotOwned = "ip_not_owned",
+    IpAlreadyAssigned = "ip_already_assigned",
+    VolumeAlreadyAttached = "volume_already_attached",
+    VolumeSizeNotMultiple = "volume_size_not_multiple",
+    FirewallInUse = "firewall_in_use",
+    CertificateValidationFailed = "certificate_validation_failed",
+    CertificatePending = "certificate_pending"
+}
+/**
+ * Base Hetzner API error
+ */
+export declare class HetznerAPIError extends Error {
+    code?: string;
+    details?: unknown;
+    constructor(message: string, code?: string, details?: unknown);
+}
+/**
+ * Authentication error (401)
+ */
+export declare class HetznerUnauthorizedError extends HetznerAPIError {
+    constructor(message?: string);
+}
+/**
+ * Forbidden error (403)
+ */
+export declare class HetznerForbiddenError extends HetznerAPIError {
+    constructor(message?: string);
+}
+/**
+ * Resource not found error (404)
+ */
+export declare class HetznerNotFoundError extends HetznerAPIError {
+    constructor(resource: string, id: number | string);
+}
+/**
+ * Rate limit exceeded error (429)
+ */
+export declare class HetznerRateLimitError extends HetznerAPIError {
+    rateLimitInfo?: RateLimitInfo;
+    constructor(message?: string, rateLimitInfo?: RateLimitInfo);
+    /**
+     * Get the number of milliseconds until the rate limit resets
+     */
+    get resetInMs(): number;
+    /**
+     * Get a human-readable reset time
+     */
+    get resetTime(): string;
+}
+/**
+ * Resource locked error
+ */
+export declare class HetznerResourceLockedError extends HetznerAPIError {
+    actionInProgress?: string;
+    constructor(resource: string, id: number | string, actionInProgress?: string);
+}
+/**
+ * Resource limit exceeded error
+ */
+export declare class HetznerResourceLimitError extends HetznerAPIError {
+    constructor(resource: string, limit: number);
+}
+/**
+ * Invalid input error
+ */
+export declare class HetznerInvalidInputError extends HetznerAPIError {
+    fields?: Record<string, string>;
+    constructor(message: string, fields?: Record<string, string>);
+}
+/**
+ * Conflict error
+ */
+export declare class HetznerConflictError extends HetznerAPIError {
+    constructor(message: string, details?: unknown);
+}
+/**
+ * Service error (5xx)
+ */
+export declare class HetznerServiceError extends HetznerAPIError {
+    statusCode?: number;
+    constructor(message: string, statusCode?: number);
+}
+/**
+ * Action failed error
+ */
+export declare class HetznerActionError extends HetznerAPIError {
+    actionError: ActionError;
+    actionId: number;
+    constructor(actionError: ActionError, actionId: number);
+}
+/**
+ * Timeout error for action polling
+ */
+export declare class HetznerTimeoutError extends HetznerAPIError {
+    lastProgress: number;
+    constructor(actionId: number, timeout: number, lastProgress: number);
+}
+/**
+ * Parse Hetzner API error response and create appropriate error
+ */
+export declare function createHetznerError(statusCode: number, body: {
+    error?: {
+        code: string;
+        message: string;
+        details?: unknown;
+    };
+}): HetznerAPIError;
+/**
+ * Check if an error is retryable
+ */
+export declare function isRetryableError(error: unknown): boolean;
+/**
+ * Check if an error is a rate limit error
+ */
+export declare function isRateLimitError(error: unknown): error is HetznerRateLimitError;
+/**
+ * Check if an error is a resource locked error
+ */
+export declare function isResourceLockedError(error: unknown): error is HetznerResourceLockedError;
+/**
+ * Calculate retry delay with exponential backoff
+ */
+export declare function calculateRetryDelay(attempt: number, baseDelay?: number, maxDelay?: number): number;
+/**
+ * Error handler function type
+ */
+export type ErrorHandler = (error: HetznerAPIError) => void | Promise<void>;
+/**
+ * Error handler options
+ */
+export interface ErrorHandlerContext {
+    /** Maximum number of retry attempts */
+    maxRetries?: number;
+    /** Base delay for exponential backoff in milliseconds */
+    baseDelay?: number;
+    /** Maximum delay between retries in milliseconds */
+    maxDelay?: number;
+    /** Optional error handler callback */
+    onError?: ErrorHandler;
+    /** Whether to log errors */
+    logErrors?: boolean;
+}
+/**
+ * Default error handler that logs to console
+ */
+export declare function defaultErrorHandler(error: HetznerAPIError): void;

package/dist/index.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Hetzner Cloud API client
+ * For server-side use only (requires API token)
+ *
+ * TODO:
+ * - Certificate actions: https://docs.hetzner.cloud/reference/cloud#certificate-actions
+ * - DNS operations
+ */
+export { HetznerClient } from "./client.js";
+export { ServerOperations } from "./servers.js";
+export { VolumeOperations } from "./volumes.js";
+export { ActionOperations } from "./actions.js";
+export { SSHKeyOperations } from "./ssh-keys.js";
+export { getTokenFromCLI, isAuthenticated, resolveApiToken } from "./auth.js";
+export { HETZNER_API_BASE } from "./config.js";
+export * from "./types.js";
+export * from "./schemas.js";
+export * from "./errors.js";
+export { waitForAction, waitForMultipleActions, waitForMultipleActionsWithLimit, batchCheckActions, getActionTimeout, isActionRunning, isActionSuccess, isActionError, formatActionProgress, getActionDescription, getPollInterval, getAdaptivePollInterval, waitForActionAdaptive, parseRateLimitHeaders, isRateLimitLow, formatRateLimitStatus, waitForRateLimitReset, createProgressLogger, ACTION_TIMEOUTS, } from "./actions.js";
+export * from "./bootstrap/index.js";
+export * from "./onboarding/index.js";

package/dist/onboarding/claude.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Claude Code Onboarding
+ *
+ * Install and configure Claude Code on remote servers.
+ * Uses official installer: curl -fsSL https://claude.ai/install.sh | bash
+ */
+import type { SSHOptions } from "@ebowwa/terminal/types";
+export interface ClaudeConfig {
+    /** Skip installation if already installed */
+    skipIfInstalled?: boolean;
+}
+/**
+ * Install Claude Code on a remote server
+ *
+ * @param host - Server IP or hostname
+ * @param config - Claude configuration
+ * @param sshOptions - SSH options
+ * @returns Success status
+ */
+export declare function onboardClaude(host: string, config?: ClaudeConfig, sshOptions?: Partial<SSHOptions>): Promise<{
+    success: boolean;
+    message: string;
+    version?: string;
+}>;
+/**
+ * Check Claude Code status on a remote server
+ *
+ * @param host - Server IP or hostname
+ * @param sshOptions - SSH options
+ * @returns Claude status
+ */
+export declare function checkClaudeStatus(host: string, sshOptions?: Partial<SSHOptions>): Promise<{
+    configured: boolean;
+    version?: string;
+    path?: string;
+    message: string;
+}>;

package/dist/onboarding/doppler.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Doppler Onboarding
+ *
+ * Configure Doppler CLI service token on remote servers.
+ * This enables doppler run to inject secrets into processes.
+ */
+import type { SSHOptions } from "@ebowwa/terminal/types";
+export interface DopplerConfig {
+    token: string;
+    project?: string;
+    config?: string;
+}
+/**
+ * Configure Doppler on a remote server
+ *
+ * @param host - Server IP or hostname
+ * @param config - Doppler configuration
+ * @param sshOptions - SSH options
+ * @returns Success status
+ */
+export declare function onboardDoppler(host: string, config: DopplerConfig, sshOptions?: Partial<SSHOptions>): Promise<{
+    success: boolean;
+    message: string;
+}>;
+/**
+ * Check Doppler status on a remote server
+ *
+ * @param host - Server IP or hostname
+ * @param sshOptions - SSH options
+ * @returns Doppler status
+ */
+export declare function checkDopplerStatus(host: string, sshOptions?: Partial<SSHOptions>): Promise<{
+    configured: boolean;
+    project?: string;
+    config?: string;
+    message: string;
+}>;

package/dist/onboarding/git.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Git Onboarding
+ *
+ * Configure Git credentials on remote servers.
+ * Sets up GitHub token for gh cli and git credential helper.
+ */
+import type { SSHOptions } from "@ebowwa/terminal/types";
+export interface GitConfig {
+    username?: string;
+    email?: string;
+    githubToken?: string;
+}
+/**
+ * Configure Git on a remote server
+ *
+ * @param host - Server IP or hostname
+ * @param config - Git configuration
+ * @param sshOptions - SSH options
+ * @returns Success status
+ */
+export declare function onboardGit(host: string, config: GitConfig, sshOptions?: Partial<SSHOptions>): Promise<{
+    success: boolean;
+    message: string;
+}>;
+/**
+ * Check Git status on a remote server
+ *
+ * @param host - Server IP or hostname
+ * @param sshOptions - SSH options
+ * @returns Git status
+ */
+export declare function checkGitStatus(host: string, sshOptions?: Partial<SSHOptions>): Promise<{
+    configured: boolean;
+    username?: string;
+    email?: string;
+    hasToken: boolean;
+    message: string;
+}>;

package/dist/onboarding/index.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Hetzner Onboarding Module
+ *
+ * Post-boot configuration for newly provisioned servers.
+ * Handles services that require secrets/tokens:
+ * - Doppler (secrets management)
+ * - Tailscale (VPN)
+ * - Git (credentials)
+ * - Claude Code (AI assistant)
+ *
+ * This is Phase 2 of the bootstrap process, running after
+ * cloud-init completes the initial installation.
+ */
+export type { OnboardingConfig, OnboardingStatus, OnboardingResult, BatchOnboardingResult, ServiceStatus } from "./types";
+export { onboardDoppler, checkDopplerStatus } from "./doppler";
+export { onboardTailscale, checkTailscaleStatus } from "./tailscale";
+export { onboardGit, checkGitStatus } from "./git";
+export { onboardClaude, checkClaudeStatus } from "./claude";
+export { onboardServer, checkOnboardingStatus, onboardBatch } from "./onboarding";

package/dist/onboarding/onboarding.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Server Onboarding
+ *
+ * Main onboarding orchestration.
+ * Coordinates Doppler, Tailscale, and Git onboarding.
+ */
+import type { SSHOptions } from "@ebowwa/terminal/types";
+import type { OnboardingConfig, OnboardingStatus, OnboardingResult, BatchOnboardingResult } from "./types";
+/**
+ * Onboard a single server with all configured services
+ *
+ * @param config - Onboarding configuration
+ * @param sshOptions - Additional SSH options
+ * @returns Onboarding result
+ */
+export declare function onboardServer(config: OnboardingConfig, sshOptions?: Partial<SSHOptions>): Promise<OnboardingResult>;
+/**
+ * Check onboarding status of a server
+ *
+ * @param host - Server IP or hostname
+ * @param sshOptions - SSH options
+ * @returns Onboarding status
+ */
+export declare function checkOnboardingStatus(host: string, sshOptions?: Partial<SSHOptions>): Promise<OnboardingStatus>;
+/**
+ * Onboard multiple servers in parallel
+ *
+ * @param hosts - List of server IPs/hostnames
+ * @param sharedConfig - Shared onboarding config for all servers
+ * @param sshOptions - SSH options
+ * @returns Batch onboarding result
+ */
+export declare function onboardBatch(hosts: string[], sharedConfig: Omit<OnboardingConfig, "host">, sshOptions?: Partial<SSHOptions>): Promise<BatchOnboardingResult>;
+/**
+ * Quick onboarding check for multiple servers
+ *
+ * @param hosts - List of server IPs/hostnames
+ * @param sshOptions - SSH options
+ * @returns Map of host to onboarding status
+ */
+export declare function checkBatchStatus(hosts: string[], sshOptions?: Partial<SSHOptions>): Promise<Map<string, OnboardingStatus>>;

package/dist/onboarding/tailscale.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Tailscale Onboarding
+ *
+ * Join Tailscale network on remote servers.
+ * Enables secure VPN access to servers.
+ */
+import type { SSHOptions } from "@ebowwa/terminal/types";
+export interface TailscaleConfig {
+    authKey: string;
+    hostname?: string;
+    tags?: string[];
+}
+/**
+ * Join Tailscale network on a remote server
+ *
+ * @param host - Server IP or hostname
+ * @param config - Tailscale configuration
+ * @param sshOptions - SSH options
+ * @returns Success status with Tailscale IP
+ */
+export declare function onboardTailscale(host: string, config: TailscaleConfig, sshOptions?: Partial<SSHOptions>): Promise<{
+    success: boolean;
+    message: string;
+    tailscaleIp?: string;
+}>;
+/**
+ * Check Tailscale status on a remote server
+ *
+ * @param host - Server IP or hostname
+ * @param sshOptions - SSH options
+ * @returns Tailscale status
+ */
+export declare function checkTailscaleStatus(host: string, sshOptions?: Partial<SSHOptions>): Promise<{
+    configured: boolean;
+    tailscaleIp?: string;
+    hostname?: string;
+    message: string;
+}>;