layered-soul/skills/herdr-deployment/references/tailscale-ssh-config.md


# Tailscale SSH Config Template for Herdr
Add to `~/.ssh/config`. Replace the angle-bracketed placeholders with real values.
## Template
```
# ── Tailscale-only Herdr remote targets ──
Host <host>-ts-herdr
    HostName <tailscale-ip>          # e.g. 100.103.255.41
    User <ssh-user>                  # e.g. clawdija
    IdentityFile ~/.ssh/<key>        # e.g. ~/.ssh/id_123kupola
    IdentitiesOnly yes
    PreferredAuthentications publickey
    StrictHostKeyChecking accept-new
    ForwardAgent no
```
## Design decisions
| Setting | Why |
| ------------------------------------ | ----------------------------------------------------------------------------- |
| `HostName <tailscale-ip>` | Traffic stays inside the WireGuard tunnel; no public DNS lookup is involved, so it cannot accidentally route outside Tailscale |
| `IdentitiesOnly yes` | SSH offers only the configured `IdentityFile`, not every key loaded in the agent |
| `PreferredAuthentications publickey` | Never falls back to password authentication (Tailscale hosts may not have passwords set) |
| `StrictHostKeyChecking accept-new` | Tailscale IPs are trusted; the first connection records the host key without a prompt, while a changed key still fails |
| `ForwardAgent no` | Explicit; `no` is already the default, but stating it per host blocks surprises from a broader setting elsewhere in the file |
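As an added example (not part of this reference and not Herdr's own tooling), the following Python script lints an `ssh_config` text for every `*-ts-herdr` entry and checks it against the table above: the `HostName` must be a literal address inside Tailscale's `100.64.0.0/10` range (the IPv6 range `fd7a:115c:a1e0::/48` is also accepted), an `IdentityFile` must be set, and the four hardening keywords must carry the required values. The embedded sample config is constructed; `lab-ts-herdr`, `lab.example.net` and `id_lab` are made-up names.

```python
"""Lint ssh_config Host entries for the Tailscale-only hardening settings.

Added example for this reference; not part of Herdr. Handles the subset of
ssh_config syntax the template uses ('Keyword value' lines, '#' comments).
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

# Tailscale assigns node addresses from 100.64.0.0/10 (CGNAT) and fd7a:115c:a1e0::/48.
TAILSCALE_RANGES = (
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
)

# Keyword -> required value, mirroring the design-decisions table.
REQUIRED: List[Tuple[str, str]] = [
    ("IdentitiesOnly", "yes"),
    ("PreferredAuthentications", "publickey"),
    ("StrictHostKeyChecking", "accept-new"),
    ("ForwardAgent", "no"),
]


def parse_ssh_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {host_alias: {keyword_lowercase: value}} for each Host block.

    Inline '# ...' comments are stripped so the template's annotated lines
    parse; real ssh_config only treats whole-line '#' as a comment.
    """
    hosts: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            current = value
            hosts[current] = {}
        elif current is not None:
            hosts[current][key] = value
    return hosts


def lint_host(opts: Dict[str, str]) -> List[str]:
    """Findings for one Host block; an empty list means it matches the template."""
    findings: List[str] = []
    hostname = opts.get("hostname")
    if hostname is None:
        findings.append("HostName missing")
    else:
        try:
            addr = ipaddress.ip_address(hostname)
        except ValueError:
            # A DNS name would be resolved outside the tunnel's address plan.
            findings.append(f"HostName {hostname!r} is a DNS name, not a Tailscale IP")
        else:
            if not any(addr in net for net in TAILSCALE_RANGES):
                findings.append(f"HostName {hostname} is outside the Tailscale address ranges")
    if "identityfile" not in opts:
        findings.append("IdentityFile missing")
    for keyword, want in REQUIRED:
        got = opts.get(keyword.lower())
        if got is None:
            findings.append(f"{keyword} not set (want {want})")
        elif got.lower() != want:
            findings.append(f"{keyword} is {got!r}, want {want!r}")
    return findings


def lint_config(text: str, suffix: str = "-ts-herdr") -> Dict[str, List[str]]:
    """Lint every Host alias ending in `suffix`; returns {alias: findings}."""
    return {alias: lint_host(opts)
            for alias, opts in parse_ssh_config(text).items()
            if alias.endswith(suffix)}


# Constructed sample: one compliant entry, one that drifted from the template,
# and one unrelated host that the suffix filter must ignore.
SAMPLE_CONFIG = """\
Host domedog-ts-herdr
    HostName 100.103.255.41
    User clawdija
    IdentityFile ~/.ssh/id_123kupola
    IdentitiesOnly yes
    PreferredAuthentications publickey
    StrictHostKeyChecking accept-new
    ForwardAgent no

Host lab-ts-herdr
    HostName lab.example.net   # public DNS name instead of the Tailscale IP
    User deploy
    IdentityFile ~/.ssh/id_lab
    IdentitiesOnly yes
    PreferredAuthentications publickey,password
    ForwardAgent yes

Host github.com
    User git
"""


def main(argv: List[str]) -> int:
    # Usage: python lint_ts_ssh.py [~/.ssh/config]; with no argument the sample is linted.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONFIG
    results = lint_config(text)
    for alias, findings in results.items():
        print(f"{alias}: {'ok' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
    return 1 if any(results.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a real `~/.ssh/config` before committing a new `-ts-herdr` entry; a non-zero exit means at least one entry has drifted from the template. Only aliases ending in `-ts-herdr` are checked, so entries such as `github.com` are ignored.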
## Live entries (debby → domedog)
On debby (`~/.ssh/config`):
```
Host domedog-ts-herdr
    HostName 100.103.255.41
    User clawdija
    IdentityFile ~/.ssh/id_123kupola
    IdentitiesOnly yes
    PreferredAuthentications publickey
    StrictHostKeyChecking accept-new
    ForwardAgent no

Host debby-ts-herdr
    HostName 100.66.193.10
    User samob
    IdentityFile ~/.ssh/id_123kupola
    IdentitiesOnly yes
    PreferredAuthentications publickey
    StrictHostKeyChecking accept-new
    ForwardAgent no
```
## Live entries (domedog → debby)
On domedog (`~/.ssh/config`). Note: domedog uses `id_infra`, NOT `id_123kupola`:
```
Host debby-ts-herdr
    HostName 100.66.193.10
    User samob
    IdentityFile ~/.ssh/id_infra
    IdentitiesOnly yes
    PreferredAuthentications publickey
    StrictHostKeyChecking accept-new
    ForwardAgent no
```
**Key coordination**: each host's private key must have its public counterpart
in the destination's `authorized_keys`. Hosts can use different keypairs —
they don't need to share the same key.
## Verify
```bash
# Check that the peer is visible on the Tailscale network
tailscale status | grep <host>

# Test SSH over Tailscale using the config alias
ssh <host>-ts-herdr 'hostname; uname -a'
```