blumeops/docs/tutorials/replication/tailscale-setup.md
Erich Blume 3da455e49c Enforce unique doc filenames and simple wiki-links (#109)
## Summary
- Rename section index files to match their titles (tutorials.md, reference.md, how-to.md, explanation.md) so all filenames are unique
- Convert all ~47 path-based wiki-links to simple filename format across 15 files
- Update doc-filenames task to no longer skip index.md files
- Update doc-links task to reject path-based links containing '/'

This ensures all wiki-links work correctly in obsidian.nvim by making links resolvable by filename alone.

## Testing
- `mise run doc-filenames` - all unique
- `mise run doc-links` - no broken or path-based links
- `mise run doc-titles` - no duplicates

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/109
2026-02-04 17:21:34 -08:00


title: tailscale-setup
tags: tutorials, replication, tailscale

Setting Up Tailscale

Audiences: Replicator

This tutorial walks through establishing a Tailscale mesh network as the foundation for your homelab infrastructure.

Why Tailscale?

Tailscale solves several problems at once:

  • Secure connectivity - WireGuard-encrypted traffic between all devices
  • No port forwarding - Devices connect directly through NATs and firewalls
  • MagicDNS - Human-readable names like server.tailnet.ts.net
  • ACLs - Fine-grained access control between devices

For BlumeOps context, see tailscale.

Step 1: Create Your Tailnet

  1. Sign up at tailscale.com
  2. Choose your identity provider (Google, Microsoft, GitHub, etc.)
  3. Note your tailnet name (e.g., yourname.ts.net)

Step 2: Install on Your Devices

macOS

brew install tailscale
sudo tailscaled &
tailscale up

Linux

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Other Platforms

See Tailscale Downloads for iOS, Android, Windows, etc.

Step 3: Verify Connectivity

After installing on two devices:

tailscale status
# Shows all connected devices

ping <other-device>.yourname.ts.net
# Should work immediately
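`tailscale status` prints a human-readable table. For a repeatable check of the same information, here is an added example, not part of the tutorial and not Tailscale's own code, that reads the machine-readable form (`tailscale status --json`, saved to a file and passed as the first argument) and reports peers that are offline or that do not carry the tag they are expected to advertise, which also makes it useful after Step 6 for confirming a tag actually applied. The field names used (Peer, HostName, DNSName, TailscaleIPs, Online, Tags) are those of Tailscale's status JSON; the SAMPLE_STATUS document and the EXPECTED_TAGS map are constructed, hypothetical values for this example.

```python
"""Check `tailscale status --json` output for offline or mis-tagged peers.

Added example, not BlumeOps code. Usage:
    tailscale status --json > status.json && python3 check_status.py status.json
With no argument it checks the constructed SAMPLE_STATUS below.
"""
import json
import sys

# Constructed sample in the shape of `tailscale status --json`; hostnames, IPs
# and node keys are made up. DNSName values are fully qualified (trailing dot).
SAMPLE_STATUS = {
    "MagicDNSSuffix": "yourname.ts.net",
    "Self": {"HostName": "laptop", "DNSName": "laptop.yourname.ts.net.",
             "TailscaleIPs": ["100.64.0.1"], "Online": True},
    "Peer": {
        "nodekey:aaaa": {"HostName": "server", "DNSName": "server.yourname.ts.net.",
                         "TailscaleIPs": ["100.64.0.2"], "Online": True,
                         "Tags": ["tag:homelab"]},
        "nodekey:bbbb": {"HostName": "nas", "DNSName": "nas.yourname.ts.net.",
                         "TailscaleIPs": ["100.64.0.3"], "Online": False},
    },
}

# Hypothetical expectation for this homelab: the tag each node should carry.
EXPECTED_TAGS = {"server": "tag:homelab", "nas": "tag:nas"}


def peers(status):
    """Flatten the Peer map into one record per device, sorted by hostname."""
    rows = []
    for peer in status.get("Peer", {}).values():
        rows.append({
            "host": peer.get("HostName", ""),
            "dns": peer.get("DNSName", "").rstrip("."),
            "ips": list(peer.get("TailscaleIPs", [])),
            "online": bool(peer.get("Online", False)),
            "tags": set(peer.get("Tags") or []),   # key is absent on untagged nodes
        })
    return sorted(rows, key=lambda r: r["host"])


def check_status(status, expected_tags):
    """Return a list of findings; an empty list means every expectation holds."""
    findings = []
    seen = set()
    for p in peers(status):
        seen.add(p["host"])
        if not p["online"]:
            findings.append(f'{p["dns"]}: offline (device not connected; check UDP 41641 is allowed)')
        want = expected_tags.get(p["host"])
        if want and want not in p["tags"]:
            findings.append(f'{p["dns"]}: missing {want} (advertise it with tailscale up --advertise-tags={want})')
    # Expected devices that do not appear at all: not installed, or not visible
    # to this node under the current ACLs.
    for host in sorted(set(expected_tags) - seen):
        findings.append(f"{host}: not in tailnet (not installed, or not visible under the ACLs)")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            status = json.load(fh)
    else:
        status = SAMPLE_STATUS
    problems = check_status(status, EXPECTED_TAGS)
    print("\n".join(problems) if problems else "all expected peers online and tagged")
    sys.exit(1 if problems else 0)
```

Run against the sample, it flags the NAS twice: once for being offline and once for not advertising `tag:nas`. The exit code makes it usable as a health check in a cron job or CI step.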

Step 4: Configure ACLs

By default, Tailscale allows all-to-all connectivity between devices in the tailnet. For a homelab, you'll want restrictions.

Create policy.hujson (or edit the policy in the admin console):

{
  "groups": {
    "group:admin": ["your-email@example.com"]
  },
  "tagOwners": {
    // Every tag used below must be declared here, or the policy is rejected
    "tag:homelab": ["group:admin"],
    "tag:nas": ["group:admin"]
  },
  "acls": [
    // Admins can access everything
    {"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
    // Homelab servers can reach NAS
    {"action": "accept", "src": ["tag:homelab"], "dst": ["tag:nas:*"]}
  ]
}

BlumeOps manages ACLs via Pulumi - see tailscale for the actual configuration.

Step 5: Enable MagicDNS

In the Tailscale admin console:

  1. Go to DNS settings
  2. Enable MagicDNS
  3. Optionally add a search domain

Now `ssh server` works instead of `ssh 100.x.y.z`.

Step 6: Tag Your Devices

Tags enable role-based access control:

# On your server
sudo tailscale up --advertise-tags=tag:homelab

A tag must be declared in the policy's tagOwners section before a device can advertise it; otherwise the tag is not applied.
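The requirement that every tag be declared before use (Step 6) and the policy file format from Step 4 can both be checked offline before you paste a policy into the admin console. The following is an added example, not BlumeOps or Tailscale code: it converts HuJSON (JSON with `//` and `/* */` comments and trailing commas) to strict JSON and lists every `group:` or `tag:` selector in `tagOwners` or `acls` that has no definition. SAMPLE_POLICY is a constructed policy in the tutorial's shape with `tag:nas` deliberately left out of `tagOwners` (the hypothetical e-mail address is a placeholder); the checker only resolves `group:` and `tag:` selectors and leaves users, CIDRs, `*` and `autogroup:` entries alone.

```python
"""Offline check of a Tailscale HuJSON policy for undefined groups and tags.

Added example, not BlumeOps code. Usage:
    python3 check_policy.py policy.hujson   (no argument: checks SAMPLE_POLICY)
"""
import json
import sys

# Constructed sample in the tutorial's shape, with one flaw: the second rule's
# dst uses tag:nas, which is never declared in tagOwners, so Tailscale would
# refuse to save this policy.
SAMPLE_POLICY = r'''
{
  "groups": {
    "group:admin": ["your-email@example.com"],
  },
  "tagOwners": {
    "tag:homelab": ["group:admin"],
  },
  "acls": [
    // Admins can access everything
    {"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
    /* Homelab servers can reach NAS */
    {"action": "accept", "src": ["tag:homelab"], "dst": ["tag:nas:*"]},
  ],
}
'''


def _skip_space_and_comments(text, j):
    """Advance j past whitespace, // line comments and /* */ block comments."""
    n = len(text)
    while j < n:
        if text[j] in " \t\r\n":
            j += 1
        elif text.startswith("//", j):
            k = text.find("\n", j)
            j = n if k < 0 else k
        elif text.startswith("/*", j):
            k = text.find("*/", j + 2)
            j = n if k < 0 else k + 2
        else:
            break
    return j


def hujson_to_json(text):
    """Turn HuJSON into strict JSON: drop comments and trailing commas outside strings."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:                                  # copy string literals verbatim
            out.append(c)
            if c == "\\" and i + 1 < n:             # keep the escaped character too
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith(("//", "/*"), i):
            i = _skip_space_and_comments(text, i)
            continue
        elif c == ",":
            j = _skip_space_and_comments(text, i + 1)
            if j < n and text[j] in "}]":           # trailing comma: drop it
                i = j
                continue
            out.append(c)
        else:
            out.append(c)
        i += 1
    return "".join(out)


def load_policy(text):
    return json.loads(hujson_to_json(text))


def _entity(selector):
    """'group:x' / 'tag:x' named by a selector ("tag:nas:*" -> "tag:nas"), else None."""
    parts = selector.split(":")
    if len(parts) >= 2 and parts[0] in ("group", "tag"):
        return parts[0] + ":" + parts[1]
    return None


def policy_errors(policy):
    """Every group/tag reference in tagOwners or acls that has no definition."""
    defined = set(policy.get("groups", {})) | set(policy.get("tagOwners", {}))
    errors = []

    def check(selector, where):
        ent = _entity(selector)
        if ent and ent not in defined:
            section = "groups" if ent.startswith("group:") else "tagOwners"
            errors.append(f'{where}: "{selector}" references {ent}, not defined in {section}')

    for tag, owners in policy.get("tagOwners", {}).items():
        for owner in owners:
            check(owner, f"tagOwners[{tag}]")
    for idx, rule in enumerate(policy.get("acls", [])):
        for field in ("src", "dst"):
            for selector in rule.get(field, []):
                check(selector, f"acls[{idx}].{field}")
    return errors


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    problems = policy_errors(load_policy(text))
    print("\n".join(problems) if problems else "policy OK")
    sys.exit(1 if problems else 0)
```

On the sample it reports `acls[1].dst: "tag:nas:*" references tag:nas, not defined in tagOwners`; adding `"tag:nas": ["group:admin"]` to `tagOwners` makes it pass. The string-aware scanner matters because a naive comment stripper would mangle values such as `"https://..."`.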

What You Now Have

  • Encrypted mesh network between all your devices
  • DNS names for each device
  • Foundation for exposing services securely

Next Steps

With networking established:

BlumeOps Specifics

BlumeOps' Tailscale configuration includes:

  • Multiple device tags (homelab, nas, registry, k8s-api)
  • Group-based access for family members
  • SSH access rules with authentication requirements

See tailscale for full details.

Troubleshooting

| Problem | Solution |
| --- | --- |
| Device won't connect | Check that the firewall allows UDP 41641 |
| Can't reach other devices | Verify ACLs don't block the traffic |
| DNS not resolving | Enable MagicDNS in the admin console |
| Tags not applying | Ensure the tags are defined in the ACL policy |