# Tailscale SSH Config Template for Herdr

Add to `~/.ssh/config`. Replace bracketed values with actuals.

## Template

```
# ── Tailscale-only Herdr remote targets ──

Host <host>-ts-herdr
      HostName <tailscale-ip>         # e.g. ${DOMEDOG_TS_IP}
      User <ssh-user>                 # e.g. clawdija
      IdentityFile ~/.ssh/<key>       # e.g. ~/.ssh/id_123kupola
      IdentitiesOnly yes
      PreferredAuthentications publickey
      StrictHostKeyChecking accept-new
      ForwardAgent no
```

## Design decisions

| Setting                              | Why                                                                           |
| ------------------------------------ | ----------------------------------------------------------------------------- |
| `HostName <tailscale-ip>`            | Traffic stays in WireGuard tunnel — cannot accidentally route over public DNS |
| `IdentitiesOnly yes`                 | Prevents SSH from trying agent-forwarded keys                                 |
| `PreferredAuthentications publickey` | Never falls back to password (Tailscale hosts may not have passwords)         |
| `StrictHostKeyChecking accept-new`   | Tailscale IPs are trusted; avoids first-connection prompt                     |
| `ForwardAgent no`                    | Explicit — agent is already the default, but this blocks surprises            |

## Live entries (debby → domedog)

On debby (`~/.ssh/config`):

```
Host domedog-ts-herdr
      HostName ${DOMEDOG_TS_IP}
      User clawdija
      IdentityFile ~/.ssh/id_123kupola
      IdentitiesOnly yes
      PreferredAuthentications publickey
      StrictHostKeyChecking accept-new
      ForwardAgent no

Host debby-ts-herdr
      HostName ${DEBBY_TS_IP}
      User samob
      IdentityFile ~/.ssh/id_123kupola
      IdentitiesOnly yes
      PreferredAuthentications publickey
      StrictHostKeyChecking accept-new
      ForwardAgent no
```

## Live entries (domedog → debby)

On domedog (`~/.ssh/config`). Note: domedog uses `id_infra`, NOT `id_123kupola`:

```
Host debby-ts-herdr
      HostName ${DEBBY_TS_IP}
      User samob
      IdentityFile ~/.ssh/id_infra
      IdentitiesOnly yes
      PreferredAuthentications publickey
      StrictHostKeyChecking accept-new
      ForwardAgent no
```

**Key coordination**: each host's private key must have its public counterpart
in the destination's `authorized_keys`. Hosts can use different keypairs —
they don't need to share the same key.

## Verify

```bash
# Check Tailscale network
tailscale status | grep <host>

# Test SSH over Tailscale
ssh <host>-ts-herdr 'hostname; uname -a'
```