layered-soul/skills/herdr-deployment/references/tailscale-ssh-config.md
Hermes & Sam 5c5df32101 Populate layered-soul: identity, memories, skills, plan (Hermes & Sam)
- SOUL.md: full agent identity, operating principles, voice
- IDENTITY.md: runtime identity, hosts, boundaries
- USER.md: operator context imported from hermes-soul
- AGENTS.md: actual operating rules, infrastructure, quick reference
- memories/curated/: 5 topics (tailscale, forgejo, agents, projects, vaultwarden)
- skills/: 9 cross-harness skills imported from hermes-soul after review
- docs/PLAN-CONFIGURE-PRIVATE-REPO.md: configuration plan
- Validate: passes clean
2026-06-14 00:21:26 +02:00

# Tailscale SSH Config Template for Herdr

Add to ~/.ssh/config. Replace bracketed values with actuals.

## Template

```
# ── Tailscale-only Herdr remote targets ──

Host <host>-ts-herdr
      HostName <tailscale-ip>         # e.g. 100.103.255.41
      User <ssh-user>                 # e.g. clawdija
      IdentityFile ~/.ssh/<key>       # e.g. ~/.ssh/id_123kupola
      IdentitiesOnly yes
      PreferredAuthentications publickey
      StrictHostKeyChecking accept-new
      ForwardAgent no
```

## Design decisions

| Setting | Why |
| --- | --- |
| `HostName <tailscale-ip>` | Traffic stays in the WireGuard tunnel — cannot accidentally route over public DNS |
| `IdentitiesOnly yes` | Offers only the configured IdentityFile, so SSH never tries the other keys loaded in the agent |
| `PreferredAuthentications publickey` | Never falls back to password (Tailscale hosts may not have passwords) |
| `StrictHostKeyChecking accept-new` | Tailscale IPs are trusted; the unknown key is accepted on first connection without a prompt, while a changed key is still rejected later |
| `ForwardAgent no` | Explicit — `no` is already the default, but stating it blocks surprises |

## Live entries (debby → domedog)

On debby (`~/.ssh/config`):

```
Host domedog-ts-herdr
      HostName 100.103.255.41
      User clawdija
      IdentityFile ~/.ssh/id_123kupola
      IdentitiesOnly yes
      PreferredAuthentications publickey
      StrictHostKeyChecking accept-new
      ForwardAgent no

Host debby-ts-herdr
      HostName 100.66.193.10
      User samob
      IdentityFile ~/.ssh/id_123kupola
      IdentitiesOnly yes
      PreferredAuthentications publickey
      StrictHostKeyChecking accept-new
      ForwardAgent no
```

## Live entries (domedog → debby)

On domedog (`~/.ssh/config`). Note: domedog uses `id_infra`, NOT `id_123kupola`:

```
Host debby-ts-herdr
      HostName 100.66.193.10
      User samob
      IdentityFile ~/.ssh/id_infra
      IdentitiesOnly yes
      PreferredAuthentications publickey
      StrictHostKeyChecking accept-new
      ForwardAgent no
```

Key coordination: each host's private key must have its public counterpart in the destination's authorized_keys. Hosts can use different keypairs — they don't need to share the same key.

## Verify

```sh
# Check Tailscale network
tailscale status | grep <host>

# Test SSH over Tailscale
ssh <host>-ts-herdr 'hostname; uname -a'
```
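Beyond the connectivity test, it is worth checking that a live entry has not drifted from the template. The audit helper below is an added example, not part of the Herdr skill files; `check_herdr_host` is an assumed name, and the sample config it runs against is constructed (documentation addresses, made-up users and key names). It parses one `Host` block from an ssh_config file and reports every setting that deviates from the design table, including a `HostName` outside the Tailscale 100.64.0.0/10 range.

```shell
# Added audit helper (assumed name, not part of the Herdr skill). Parses the Host
# block for ALIAS in ssh_config FILE, prints one line per deviation, returns 0 only when compliant.
check_herdr_host() {    # usage: check_herdr_host FILE ALIAS
    awk -v alias="$2" '
        NF == 0 || $1 ~ /^#/ { next }                 # skip blank and comment lines
        tolower($1) == "host" {                       # a new block starts; is it ours?
            inblk = 0
            for (i = 2; i <= NF; i++) if ($i == alias) inblk = found = 1
            next
        }
        inblk { opt[tolower($1)] = $2 }               # keyword -> first value token
        END {
            if (!found) { print "no Host block for " alias; exit 1 }
            rc = 0
            # Tailscale addresses live in 100.64.0.0/10; anything else leaves the tunnel
            if (opt["hostname"] !~ /^100\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\.[0-9]+\.[0-9]+$/) {
                print "HostName \"" opt["hostname"] "\" is not in 100.64.0.0/10"; rc = 1
            }
            if (!("user" in opt))         { print "User missing"; rc = 1 }
            if (!("identityfile" in opt)) { print "IdentityFile missing"; rc = 1 }
            # The four hardening settings from the design table, each pinned to one value
            split("identitiesonly=yes preferredauthentications=publickey stricthostkeychecking=accept-new forwardagent=no", want, " ")
            for (i in want) {
                split(want[i], kv, "=")
                if (tolower(opt[kv[1]]) != kv[2]) { print kv[1] " must be " kv[2]; rc = 1 }
            }
            exit rc
        }' "$1"
}

# Constructed sample config (not real hosts): one compliant entry, one that drifted.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Host good-ts-herdr
      HostName 100.100.100.100
      User herdr
      IdentityFile ~/.ssh/id_example
      IdentitiesOnly yes
      PreferredAuthentications publickey
      StrictHostKeyChecking accept-new
      ForwardAgent no

Host drifted-ts-herdr
      HostName 203.0.113.7
      IdentityFile ~/.ssh/id_example
      StrictHostKeyChecking no
EOF
check_herdr_host "$SAMPLE_CFG" good-ts-herdr && echo "good-ts-herdr: compliant"
check_herdr_host "$SAMPLE_CFG" drifted-ts-herdr || echo "drifted-ts-herdr: NOT compliant"
```

Run it against the real file with `check_herdr_host ~/.ssh/config domedog-ts-herdr` on debby (or `debby-ts-herdr` on domedog) after any edit to the live entries.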