Add Phase 3 tutorials with audience targeting

Create tutorials directory with learning-oriented content: - what-is-blumeops: High-level orientation (Reader, AI) - exploring-the-docs: Navigation guide (All audiences) - ai-assistance-guide: Context for AI assistance (AI, Owner) - contributing: First contribution workflow (Contributor) - replicating-blumeops: Overview for replicators Add replication sub-tutorials: - tailscale-setup: Networking foundation - kubernetes-bootstrap: Cluster setup - argocd-config: GitOps configuration - observability-stack: Metrics, logs, dashboards Each tutorial explicitly identifies target audiences and links heavily to reference material rather than re-explaining. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 17:51:32 -08:00 · 2026-02-03 17:51:32 -08:00 · 50046f42f8
commit 50046f42f8
parent bf03d71780
12 changed files with 1361 additions and 7 deletions
--- a/docs/tutorials/replication/tailscale-setup.md
+++ b/docs/tutorials/replication/tailscale-setup.md
@ -0,0 +1,134 @@
+---
+title: tailscale-setup
+tags:
+  - tutorials
+  - replication
+  - tailscale
+---
+
+# Setting Up Tailscale
+
+> **Audiences:** Replicator
+
+This tutorial walks through establishing a Tailscale mesh network as the foundation for your homelab infrastructure.
+
+## Why Tailscale?
+
+Tailscale solves several problems at once:
+- **Secure connectivity** - WireGuard-encrypted traffic between all devices
+- **No port forwarding** - Devices connect directly through NATs and firewalls
+- **MagicDNS** - Human-readable names like `server.tailnet.ts.net`
+- **ACLs** - Fine-grained access control between devices
+
+For BlumeOps context, see [[tailscale|Tailscale Reference]].
+
+## Step 1: Create Your Tailnet
+
+1. Sign up at [tailscale.com](https://tailscale.com)
+2. Choose your identity provider (Google, Microsoft, GitHub, etc.)
+3. Note your tailnet name (e.g., `yourname.ts.net`)
+
+## Step 2: Install on Your Devices
+
+### macOS
+
+```bash
+brew install tailscale
+sudo tailscaled &
+tailscale up
+```
+
+### Linux
+
+```bash
+curl -fsSL https://tailscale.com/install.sh | sh
+sudo tailscale up
+```
+
+### Other Platforms
+
+See [Tailscale Downloads](https://tailscale.com/download) for iOS, Android, Windows, etc.
+
+## Step 3: Verify Connectivity
+
+After installing on two devices:
+```bash
+tailscale status
+# Shows all connected devices
+
+ping <other-device>.yourname.ts.net
+# Should work immediately
+```
+
+## Step 4: Configure ACLs
+
+Default Tailscale allows all-to-all connectivity. For a homelab, you'll want restrictions.
+
+Create `policy.hujson` (or use the web admin):
+```json
+{
+  "groups": {
+    "group:admin": ["your-email@example.com"]
+  },
+  "tagOwners": {
+    "tag:homelab": ["group:admin"]
+  },
+  "acls": [
+    // Admins can access everything
+    {"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
+    // Homelab servers can reach NAS
+    {"action": "accept", "src": ["tag:homelab"], "dst": ["tag:nas:*"]}
+  ]
+}
+```
+
+BlumeOps manages ACLs via Pulumi - see [[tailscale|Tailscale Reference]] for the actual configuration.
+
+## Step 5: Enable MagicDNS
+
+In the Tailscale admin console:
+1. Go to DNS settings
+2. Enable MagicDNS
+3. Optionally add a search domain
+
+Now `ssh server` works instead of `ssh 100.x.y.z`.
+
+## Step 6: Tag Your Devices
+
+Tags enable role-based access control:
+```bash
+# On your server
+sudo tailscale up --advertise-tags=tag:homelab
+```
+
+Tags must be defined in ACLs before use.
+
+## What You Now Have
+
+- Encrypted mesh network between all your devices
+- DNS names for each device
+- Foundation for exposing services securely
+
+## Next Steps
+
+With networking established:
+- [[tutorials/replication/kubernetes-bootstrap | Bootstrap Kubernetes]] - Your cluster will join the tailnet
+- Set up your server and storage devices
+
+## BlumeOps Specifics
+
+BluemeOps' Tailscale configuration includes:
+- Multiple device tags (`homelab`, `nas`, `registry`, `k8s-api`)
+- Group-based access for family members
+- SSH access rules with authentication requirements
+
+See [[tailscale|Tailscale Reference]] for full details.
+
+## Troubleshooting
+
+| Problem | Solution |
+|---------|----------|
+| Device won't connect | Check firewall allows UDP 41641 |
+| Can't reach other devices | Verify ACLs don't block traffic |
+| DNS not resolving | Enable MagicDNS in admin console |
+| Tags not applying | Ensure tags defined in ACL policy |