Erich Blume 7ebac4aef6 Add Phase 3 tutorials with audience targeting (#94 )

## Summary
- Create tutorials directory structure with index page
- Add 5 main tutorials targeting different audiences:
  - **what-is-blumeops** (Reader, AI) - High-level orientation
  - **exploring-the-docs** (All) - Navigation guide
  - **ai-assistance-guide** (AI, Owner) - Context for AI-assisted operations
  - **contributing** (Contributor) - First contribution workflow
  - **replicating-blumeops** (Replicator) - Overview for building similar setup
- Add 4 replication sub-tutorials:
  - tailscale-setup, kubernetes-bootstrap, argocd-config, observability-stack
- Update README.md to mark Phase 3 complete
- Add changelog fragment

Each tutorial explicitly identifies its target audiences and links to reference material rather than re-explaining concepts.

## Deployment and Testing
- [x] All pre-commit hooks pass (doc-links validates wiki links)
- [ ] Build docs via workflow to verify rendering
- [ ] Review content for accuracy

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/94

2026-02-03 18:51:57 -08:00

3.2 KiB

Raw Blame History

title

Setting Up Tailscale

Audiences: Replicator

This tutorial walks through establishing a Tailscale mesh network as the foundation for your homelab infrastructure.

Why Tailscale?

Tailscale solves several problems at once:

Secure connectivity - WireGuard-encrypted traffic between all devices
No port forwarding - Devices connect directly through NATs and firewalls
MagicDNS - Human-readable names like server.tailnet.ts.net
ACLs - Fine-grained access control between devices

For BlumeOps context, see tailscale.

Step 1: Create Your Tailnet

Sign up at tailscale.com
Choose your identity provider (Google, Microsoft, GitHub, etc.)
Note your tailnet name (e.g., yourname.ts.net)

Step 2: Install on Your Devices

macOS

brew install tailscale
sudo tailscaled &
tailscale up

Linux

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Other Platforms

See Tailscale Downloads for iOS, Android, Windows, etc.

Step 3: Verify Connectivity

After installing on two devices:

tailscale status
# Shows all connected devices

ping <other-device>.yourname.ts.net
# Should work immediately

Step 4: Configure ACLs

Default Tailscale allows all-to-all connectivity. For a homelab, you'll want restrictions.

Create policy.hujson (or use the web admin):

{
  "groups": {
    "group:admin": ["your-email@example.com"]
  },
  "tagOwners": {
    "tag:homelab": ["group:admin"]
  },
  "acls": [
    // Admins can access everything
    {"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
    // Homelab servers can reach NAS
    {"action": "accept", "src": ["tag:homelab"], "dst": ["tag:nas:*"]}
  ]
}

BlumeOps manages ACLs via Pulumi - see tailscale for the actual configuration.

Step 5: Enable MagicDNS

In the Tailscale admin console:

Go to DNS settings
Enable MagicDNS
Optionally add a search domain

Now ssh server works instead of ssh 100.x.y.z.

Step 6: Tag Your Devices

Tags enable role-based access control:

# On your server
sudo tailscale up --advertise-tags=tag:homelab

Tags must be defined in ACLs before use.

What You Now Have

Encrypted mesh network between all your devices
DNS names for each device
Foundation for exposing services securely

Next Steps

With networking established:

tutorials/replication/kubernetes-bootstrap - Your cluster will join the tailnet
Set up your server and storage devices

BlumeOps Specifics

BluemeOps' Tailscale configuration includes:

Multiple device tags (homelab, nas, registry, k8s-api)
Group-based access for family members
SSH access rules with authentication requirements

See tailscale for full details.

Troubleshooting

Problem	Solution
Device won't connect	Check firewall allows UDP 41641
Can't reach other devices	Verify ACLs don't block traffic
DNS not resolving	Enable MagicDNS in admin console
Tags not applying	Ensure tags defined in ACL policy

3.2 KiB Raw Blame History