Tailscale

Tailscale is the private network layer. It gives trusted devices stable tailnet identity, MagicDNS names, and encrypted paths to private services.

Ownership

LayerOwns
conf/shared.nixEnables tailscaled, opens firewall, installs CLI.
Tailscale admin consoleMagicDNS, HTTPS, device approval, expiry, users, groups, ACLs.
Service pagesHow individual services use tailnet access.

How This Repo Uses It

UsePolicy
HostnamesPrefer MagicDNS names such as nix-baxcalibur.
Git writesUse SSH over the tailnet.
Forgejo private/admin accessKeep on the tailnet.
KavitaPublish private HTTPS through Tailscale Serve.
Public exposureUse Funnel only when intentionally needed.

Host Setup

After a rebuild on a new host, authenticate once with sudo tailscale up. Approve the device in the admin console if the tailnet requires it.

For long-lived servers, disable key expiry only after confirming the device identity. Do not disable expiry for casual clients by default.

Checks

CheckCommand
Daemonsystemctl status tailscaled
Tailnet statetailscale status
Local tailnet IPtailscale ip
MagicDNStailscale ip nix-baxcalibur
SSH pathssh owais@nix-baxcalibur
Serve routestailscale serve status

Serve

Use Serve for private HTTPS access to a local service. The usual shape is a tailnet HTTPS endpoint forwarding to a service bound on 127.0.0.1.

ServiceLocal endpointExposure
Kavita127.0.0.1:5000Tailscale Serve
Forgejo admin/private use127.0.0.1:3030Tailnet first
Tangled Knot SSHsystem SSH on 22Tailnet SSH path

Funnel is public internet exposure. Treat it as temporary or explicitly intentional service policy, not the default.

Troubleshooting

SymptomCheck
Name does not resolveMagicDNS enabled, client on correct tailnet, device online.
SSH hangsACLs, MagicDNS result, and target sshd.
Serve URL missingTailnet HTTPS enabled and Serve route configured.
Device repeatedly expiresAdmin console expiry policy for that node.

References