Initial skills documentation — 25 categories, all SKILL.md + references + scripts
This commit is contained in:
@@ -0,0 +1,80 @@
|
||||
# Tailscale Infrastructure Access
|
||||
|
||||
Standard for accessing servers and services that don't need public internet exposure. All IT Pro Partner infrastructure joins the same tailnet.
|
||||
|
||||
## Installation (server side)
|
||||
|
||||
```bash
|
||||
curl -fsSL https://tailscale.com/install.sh | sh
|
||||
tailscale up
|
||||
```
|
||||
|
||||
This prints a one-time auth URL. Send it to the user to open in their browser. The command times out after 15s if the URL isn't opened — that's expected, the URL is still valid. Re-run `tailscale up` for a fresh URL if needed.
|
||||
|
||||
Rename the hostname from the auto-generated to a clean name:
|
||||
```bash
|
||||
tailscale set --hostname <name>
|
||||
```
|
||||
|
||||
## Installation (client devices)
|
||||
|
||||
| Device | Download |
|
||||
|---|---|
|
||||
| macOS | tailscale.com/download-mac |
|
||||
| iPhone/iPad | App Store → "Tailscale" |
|
||||
| Linux | `curl -fsSL https://tailscale.com/install.sh \| sh` |
|
||||
|
||||
Sign in with the same Google account on every device. Devices auto-discover.
|
||||
|
||||
## Post-setup verification
|
||||
|
||||
```bash
|
||||
tailscale status # list all connected devices
|
||||
tailscale ip -4 # get this box's tailscale IP
|
||||
```
|
||||
|
||||
## Tailscale-only service access (with HTTPS)
|
||||
|
||||
For Vaultwarden and other internal-only services:
|
||||
|
||||
```bash
|
||||
# Expose a local Docker port via Tailscale HTTPS
|
||||
tailscale serve --bg --https 443 --set-path / http://127.0.0.1:<port>
|
||||
|
||||
# Verify
|
||||
tailscale serve status
|
||||
# → https://<hostname>.tail<random>.ts.net/ → proxy http://127.0.0.1:<port>
|
||||
```
|
||||
|
||||
The `.ts.net` URL has a valid auto-TLS certificate. Only reachable from tailnet devices.
|
||||
|
||||
## UFW rules
|
||||
|
||||
Creating a Tailscale-only service is a multi-step process — don't close the UFW port until the Tailscale Serve is verified:
|
||||
|
||||
```bash
|
||||
ufw allow <port>/tcp comment 'temp' # step 1: open for testing
|
||||
# ... test Tailscale access ...
|
||||
ufw delete allow <port>/tcp # step 2: close when verified
|
||||
ufw reload
|
||||
```
|
||||
|
||||
For services that must also be accessible locally (SSH, HTTP management), keep those ports open.
|
||||
|
||||
## Renaming a Tailscale node
|
||||
|
||||
```bash
|
||||
tailscale set --hostname <new-name>
|
||||
# Takes effect immediately in status and admin console
|
||||
# Taliscale Serve: turn off and re-enable to pick up the new hostname
|
||||
```
|
||||
|
||||
Important: if the auto-generated hostname has confusable characters (`0` vs `O`), rename before deploying services. Some mobile apps (Bitwarden) silently corrupt zero characters in URL text fields.
|
||||
|
||||
## Pitfalls
|
||||
|
||||
- `tailscale up` times out after 15s — expected. The URL stays valid.
|
||||
- The 100.x.x.x IP can change on re-authentication. Use the `.ts.net` hostname for stable references.
|
||||
- After a reboot, run `tailscale up` again.
|
||||
- UFW does NOT auto-deny — new ports are public unless explicitly blocked. For tailnet-only services, verify with `ufw status`.
|
||||
- Safari on iOS/Mac shows "Not Secure" on HTTP over tailnet — cosmetic. Use Tailscale Serve HTTPS for browser-based services.
|
||||
Reference in New Issue
Block a user