blumeops/docs/reference/infrastructure/tailscale.md

---
title: tailscale
tags:
  - infrastructure
  - networking
---

# Tailscale

Tailnet `tail8d86e.ts.net` provides secure networking for all BlumeOps infrastructure.

## ACL Management

ACLs managed via Pulumi in `pulumi/policy.hujson`.

## Groups

| Group | Members | Purpose |
|-------|---------|---------|
| `group:allisonflix` | admin, member | [[jellyfin]] media access |

## Device Tags

| Tag | Devices | Purpose |
|-----|---------|---------|
| `tag:homelab` | indri | Server infrastructure |
| `tag:nas` | sifaka | Network-attached storage |
| `tag:blumeops` | indri, sifaka | Pulumi IaC managed resources |
| `tag:registry` | indri | Container registry access |
| `tag:k8s-api` | indri | Kubernetes API server access |

**Important:** Don't tag user-owned devices (like gilbert). Tagging converts them to "tagged devices" which lose user identity and break user-based SSH rules.

## Access Matrix

| Source | Kiwix | Forge | PyPI | Miniflux | PostgreSQL | NAS | Grafana | Loki |
|--------|-------|-------|------|----------|------------|-----|---------|------|
| `autogroup:admin` | Y | Y | Y | Y | Y | Y | Y | Y |
| `autogroup:member` | Y | Y | Y | Y | Y | - | - | - |
| `tag:homelab` | - | - | - | - | - | Y | - | - |

- **Admins** - full access to all services
- **Members** - member services only, no Grafana/Loki/NAS

## SSH Access

| Source | Destinations | Auth |
|--------|--------------|------|
| `autogroup:member` | `autogroup:self` | check |
| `autogroup:admin` | `tag:homelab` | check (12h) |
| `autogroup:admin` | `tag:nas` | check (12h) |

## OAuth Credentials

Pulumi uses OAuth client from 1Password (blumeops vault):
- Scopes: acl, dns, devices, services
- Auto-applies `tag:blumeops` to IaC-managed resources

## Related

- [[routing|Routing]] - Service URLs
- [[hosts|Hosts]] - Device inventory
Phase 2: Add Reference section with 24 technical reference cards (#88) ## Summary - Create `docs/reference/` section with 24 technical reference cards - Services (16): alloy, argocd, borgmatic, 1password, forgejo, grafana, jellyfin, kiwix, loki, miniflux, navidrome, postgresql, prometheus, teslamate, transmission, zot - Infrastructure (3): hosts, tailscale, routing - Kubernetes (2): cluster, apps - Storage (2): sifaka, backups - Update README to mark Phase 2 as complete - Add towncrier changelog fragment ## Deployment and Testing - [ ] Build docs locally to verify wiki-links resolve - [ ] Deploy via ArgoCD and verify at docs.ops.eblu.me/reference/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/88 2026-02-03 14:27:37 -08:00			`---`
Convert wiki-link titles to lowercase slugs (#92) ## Summary - Convert all frontmatter titles to lowercase-hyphenated format (e.g., `grafana-alloy` instead of `Grafana Alloy`) - Update all wiki-links to use the new slug format - Update `doc-titles` task to validate slug format (lowercase, hyphens only) Quartz appears to require titles without spaces for wiki-link resolution. ## Deployment and Testing - [x] Pre-commit hooks pass (`doc-titles` and `doc-links`) - [ ] Build docs v1.0.8 and deploy - [ ] Verify wiki-links resolve correctly (e.g., `[[grafana-alloy]]`) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/92 2026-02-03 16:06:35 -08:00			`title: tailscale`
Phase 2: Add Reference section with 24 technical reference cards (#88) ## Summary - Create `docs/reference/` section with 24 technical reference cards - Services (16): alloy, argocd, borgmatic, 1password, forgejo, grafana, jellyfin, kiwix, loki, miniflux, navidrome, postgresql, prometheus, teslamate, transmission, zot - Infrastructure (3): hosts, tailscale, routing - Kubernetes (2): cluster, apps - Storage (2): sifaka, backups - Update README to mark Phase 2 as complete - Add towncrier changelog fragment ## Deployment and Testing - [ ] Build docs locally to verify wiki-links resolve - [ ] Deploy via ArgoCD and verify at docs.ops.eblu.me/reference/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/88 2026-02-03 14:27:37 -08:00			`tags:`
			`- infrastructure`
Fix doc tag inconsistencies and add missing ai changelog type (#114) ## Summary - Add missing `ai` changelog fragment type to the update-documentation how-to guide (comment and table) - Consolidate `cicd` → `ci-cd` tag on forgejo.md - Consolidate `network` → `networking` tag on routing.md and tailscale.md Found during random doc review via `docs-review-tags`. Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/114 2026-02-06 18:52:36 -08:00			`- networking`
Phase 2: Add Reference section with 24 technical reference cards (#88) ## Summary - Create `docs/reference/` section with 24 technical reference cards - Services (16): alloy, argocd, borgmatic, 1password, forgejo, grafana, jellyfin, kiwix, loki, miniflux, navidrome, postgresql, prometheus, teslamate, transmission, zot - Infrastructure (3): hosts, tailscale, routing - Kubernetes (2): cluster, apps - Storage (2): sifaka, backups - Update README to mark Phase 2 as complete - Add towncrier changelog fragment ## Deployment and Testing - [ ] Build docs locally to verify wiki-links resolve - [ ] Deploy via ArgoCD and verify at docs.ops.eblu.me/reference/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/88 2026-02-03 14:27:37 -08:00			`---`

			`# Tailscale`

			Tailnet `tail8d86e.ts.net` provides secure networking for all BlumeOps infrastructure.

			`## ACL Management`

			ACLs managed via Pulumi in `pulumi/policy.hujson`.

			`## Groups`

			`\| Group \| Members \| Purpose \|`
			`\|-------\|---------\|---------\|`
Convert wiki-link titles to lowercase slugs (#92) ## Summary - Convert all frontmatter titles to lowercase-hyphenated format (e.g., `grafana-alloy` instead of `Grafana Alloy`) - Update all wiki-links to use the new slug format - Update `doc-titles` task to validate slug format (lowercase, hyphens only) Quartz appears to require titles without spaces for wiki-link resolution. ## Deployment and Testing - [x] Pre-commit hooks pass (`doc-titles` and `doc-links`) - [ ] Build docs v1.0.8 and deploy - [ ] Verify wiki-links resolve correctly (e.g., `[[grafana-alloy]]`) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/92 2026-02-03 16:06:35 -08:00			\| `group:allisonflix` \| admin, member \| [[jellyfin]] media access \|
Phase 2: Add Reference section with 24 technical reference cards (#88) ## Summary - Create `docs/reference/` section with 24 technical reference cards - Services (16): alloy, argocd, borgmatic, 1password, forgejo, grafana, jellyfin, kiwix, loki, miniflux, navidrome, postgresql, prometheus, teslamate, transmission, zot - Infrastructure (3): hosts, tailscale, routing - Kubernetes (2): cluster, apps - Storage (2): sifaka, backups - Update README to mark Phase 2 as complete - Add towncrier changelog fragment ## Deployment and Testing - [ ] Build docs locally to verify wiki-links resolve - [ ] Deploy via ArgoCD and verify at docs.ops.eblu.me/reference/ 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/88 2026-02-03 14:27:37 -08:00
			`## Device Tags`

			`\| Tag \| Devices \| Purpose \|`
			`\|-----\|---------\|---------\|`
			\| `tag:homelab` \| indri \| Server infrastructure \|
			\| `tag:nas` \| sifaka \| Network-attached storage \|
			\| `tag:blumeops` \| indri, sifaka \| Pulumi IaC managed resources \|
			\| `tag:registry` \| indri \| Container registry access \|
			\| `tag:k8s-api` \| indri \| Kubernetes API server access \|

			`Important: Don't tag user-owned devices (like gilbert). Tagging converts them to "tagged devices" which lose user identity and break user-based SSH rules.`

			`## Access Matrix`

			`\| Source \| Kiwix \| Forge \| PyPI \| Miniflux \| PostgreSQL \| NAS \| Grafana \| Loki \|`
			`\|--------\|-------\|-------\|------\|----------\|------------\|-----\|---------\|------\|`
			\| `autogroup:admin` \| Y \| Y \| Y \| Y \| Y \| Y \| Y \| Y \|
			\| `autogroup:member` \| Y \| Y \| Y \| Y \| Y \| - \| - \| - \|
			\| `tag:homelab` \| - \| - \| - \| - \| - \| Y \| - \| - \|

			`- Admins - full access to all services`
			`- Members - member services only, no Grafana/Loki/NAS`

			`## SSH Access`

			`\| Source \| Destinations \| Auth \|`
			`\|--------\|--------------\|------\|`
			\| `autogroup:member` \| `autogroup:self` \| check \|
			\| `autogroup:admin` \| `tag:homelab` \| check (12h) \|
			\| `autogroup:admin` \| `tag:nas` \| check (12h) \|

			`## OAuth Credentials`

			`Pulumi uses OAuth client from 1Password (blumeops vault):`
			`- Scopes: acl, dns, devices, services`
			- Auto-applies `tag:blumeops` to IaC-managed resources

			`## Related`

Enforce unique doc filenames and simple wiki-links (#109) ## Summary - Rename section index files to match their titles (tutorials.md, reference.md, how-to.md, explanation.md) so all filenames are unique - Convert all ~47 path-based wiki-links to simple filename format across 15 files - Update doc-filenames task to no longer skip index.md files - Update doc-links task to reject path-based links containing '/' This ensures all wiki-links work correctly in obsidian.nvim by making links resolvable by filename alone. ## Testing - `mise run doc-filenames` - all unique - `mise run doc-links` - no broken or path-based links - `mise run doc-titles` - no duplicates Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/109 2026-02-04 17:21:34 -08:00			`- [[routing\|Routing]] - Service URLs`
			`- [[hosts\|Hosts]] - Device inventory`