clawdie/layered-soul
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
layered-soul/skills/herdr-deployment/references/tailscale-ssh-config.md
Sam & Claude a5139b5f7f security(docs): mask Tailscale IPs + bot handles behind fleet.env 
Real tailnet IPs and Telegram bot handles were being committed in docs/
memories/skills. Scrubbed all tracked markdown to ${VAR} placeholders; real
values now live in fleet.env (gitignored) and stay live via 'tailscale status'.

- add fleet.env.example (committed) + fleet.env (gitignored); .gitignore *.env
- AGENTS.md + HOST-MATRIX: masking convention so it can't recur
- also: domedog registered as Colibri agent (image-render/ffmpeg/build lane);
  correct CAPABILITY-ROUTING example to real registered caps (domedog headless)

Past commits not rewritten (history moves to Codeberg at v1.0); this fixes HEAD.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-19 18:19:32 +02:00

2.6 KiB
Raw Blame History

Tailscale SSH Config Template for Herdr

Add to ~/.ssh/config. Replace bracketed values with actuals.

Template

# ── Tailscale-only Herdr remote targets ──

Host <host>-ts-herdr
      HostName <tailscale-ip>         # e.g. ${DOMEDOG_TS_IP}
      User <ssh-user>                 # e.g. clawdija
      IdentityFile ~/.ssh/<key>       # e.g. ~/.ssh/id_123kupola
      IdentitiesOnly yes
      PreferredAuthentications publickey
      StrictHostKeyChecking accept-new
      ForwardAgent no

Design decisions

Setting Why
HostName <tailscale-ip> Traffic stays in WireGuard tunnel — cannot accidentally route over public DNS
IdentitiesOnly yes Prevents SSH from trying agent-forwarded keys
PreferredAuthentications publickey Never falls back to password (Tailscale hosts may not have passwords)
StrictHostKeyChecking accept-new Tailscale IPs are trusted; avoids first-connection prompt
ForwardAgent no Explicit — agent is already the default, but this blocks surprises

Live entries (debby → domedog)

On debby (~/.ssh/config):

Host domedog-ts-herdr
      HostName ${DOMEDOG_TS_IP}
      User clawdija
      IdentityFile ~/.ssh/id_123kupola
      IdentitiesOnly yes
      PreferredAuthentications publickey
      StrictHostKeyChecking accept-new
      ForwardAgent no

Host debby-ts-herdr
      HostName ${DEBBY_TS_IP}
      User samob
      IdentityFile ~/.ssh/id_123kupola
      IdentitiesOnly yes
      PreferredAuthentications publickey
      StrictHostKeyChecking accept-new
      ForwardAgent no

Live entries (domedog → debby)

On domedog (~/.ssh/config). Note: domedog uses id_infra, NOT id_123kupola:

Host debby-ts-herdr
      HostName ${DEBBY_TS_IP}
      User samob
      IdentityFile ~/.ssh/id_infra
      IdentitiesOnly yes
      PreferredAuthentications publickey
      StrictHostKeyChecking accept-new
      ForwardAgent no

Key coordination: each host's private key must have its public counterpart in the destination's authorized_keys. Hosts can use different keypairs — they don't need to share the same key.

Verify

# Check Tailscale network
tailscale status | grep <host>

# Test SSH over Tailscale
ssh <host>-ts-herdr 'hostname; uname -a'