Real tailnet IPs and Telegram bot handles were being committed in docs/
memories/skills. Scrubbed all tracked markdown to ${VAR} placeholders; real
values now live in fleet.env (gitignored) and stay live via 'tailscale status'.
- add fleet.env.example (committed) + fleet.env (gitignored); .gitignore *.env
- AGENTS.md + HOST-MATRIX: masking convention so it can't recur
- also: domedog registered as Colibri agent (image-render/ffmpeg/build lane);
correct CAPABILITY-ROUTING example to real registered caps (domedog headless)
Past commits not rewritten (history moves to Codeberg at v1.0); this fixes HEAD.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
81 lines
2.6 KiB
Markdown
# Tailscale SSH Config Template for Herdr

Add to `~/.ssh/config`. Replace bracketed values with actuals.

## Template

```
# ── Tailscale-only Herdr remote targets ──

Host <host>-ts-herdr
    HostName <tailscale-ip>            # e.g. ${DOMEDOG_TS_IP}
    User <ssh-user>                    # e.g. clawdija
    IdentityFile ~/.ssh/<key>          # e.g. ~/.ssh/id_123kupola
    IdentitiesOnly yes
    PreferredAuthentications publickey
    StrictHostKeyChecking accept-new
    ForwardAgent no
```

## Design decisions

| Setting | Why |
| ------------------------------------ | ----------------------------------------------------------------------------- |
| `HostName <tailscale-ip>` | Traffic stays inside the WireGuard tunnel and cannot accidentally be routed via public DNS |
| `IdentitiesOnly yes` | Offers only the listed `IdentityFile`, so SSH does not cycle through every key the agent holds |
| `PreferredAuthentications publickey` | Never falls back to password auth (Tailscale hosts may not have passwords set) |
| `StrictHostKeyChecking accept-new` | Tailnet addresses are trusted, so the first connection stores the host key without a prompt; a changed key is still rejected |
| `ForwardAgent no` | Explicit: `no` is already the default, but stating it here wins over any later `Host *` block that turns forwarding on, since ssh_config keeps the first value it finds |

## Live entries (debby → domedog)

On debby (`~/.ssh/config`):

```
Host domedog-ts-herdr
    HostName ${DOMEDOG_TS_IP}
    User clawdija
    IdentityFile ~/.ssh/id_123kupola
    IdentitiesOnly yes
    PreferredAuthentications publickey
    StrictHostKeyChecking accept-new
    ForwardAgent no

Host debby-ts-herdr
    HostName ${DEBBY_TS_IP}
    User samob
    IdentityFile ~/.ssh/id_123kupola
    IdentitiesOnly yes
    PreferredAuthentications publickey
    StrictHostKeyChecking accept-new
    ForwardAgent no
```

## Live entries (domedog → debby)

On domedog (`~/.ssh/config`). Note: domedog uses `id_infra`, NOT `id_123kupola`:

```
Host debby-ts-herdr
    HostName ${DEBBY_TS_IP}
    User samob
    IdentityFile ~/.ssh/id_infra
    IdentitiesOnly yes
    PreferredAuthentications publickey
    StrictHostKeyChecking accept-new
    ForwardAgent no
```

**Key coordination**: each host's private key must have its public counterpart
in the destination's `authorized_keys`. Hosts can use different keypairs —
they don't need to share the same key.

## Verify

```bash
# Check Tailscale network
tailscale status | grep <host>

# Test SSH over Tailscale
ssh <host>-ts-herdr 'hostname; uname -a'
```
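A checker for the design-decisions table, as an added example that is not part of the Herdr repo: it reads the output of `ssh -G <alias>` (OpenSSH's dump of the effective per-host options, printed lower-case one per line) and fails if any of the five settings is missing or if `HostName` is not a 100.64.0.0/10 tailnet address. It assumes the live config holds the literal IPv4 tailnet address where the docs show the `${..._TS_IP}` placeholder; the sample dumps are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the Herdr repo): check that an ssh_config alias
# enforces the "Design decisions" settings. Input is the output of
# `ssh -G <alias>`: every effective option, lower-case, one per line. IPv4 only.

# Print the value of key $2 from the `ssh -G` dump held in $1.
cfg_get() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Succeed only if $1 is an IPv4 address in Tailscale's CGNAT range
# 100.64.0.0/10, i.e. first octet 100 and second octet 64..127.
is_tailnet_ip() {
  printf '%s\n' "$1" | awk -F. '
    NF == 4 && $1 == 100 && $2 ~ /^[0-9]+$/ && $2 >= 64 && $2 <= 127 &&
    $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ { ok = 1 }
    END { exit !ok }'
}

# Check a dump ($1) against the table: print one FAIL line per violation
# and return non-zero if anything is off.
check_herdr_entry() {
  local cfg="$1" rc=0 pair key want got
  for pair in identitiesonly=yes preferredauthentications=publickey \
              stricthostkeychecking=accept-new forwardagent=no; do
    key=${pair%%=*}; want=${pair#*=}
    got=$(cfg_get "$cfg" "$key")
    if [ "$got" != "$want" ]; then
      echo "FAIL $key: got '${got:-<unset>}', want '$want'"; rc=1
    fi
  done
  got=$(cfg_get "$cfg" hostname)
  if ! is_tailnet_ip "$got"; then
    echo "FAIL hostname: '$got' is not a 100.64.0.0/10 tailnet address"; rc=1
  fi
  return $rc
}

# Constructed sample dumps (placeholder addresses, not real hosts).
GOOD_DUMP='hostname 100.101.102.103
identitiesonly yes
preferredauthentications publickey
stricthostkeychecking accept-new
forwardagent no'
# Public address, agent forwarding on, two settings missing entirely.
BAD_DUMP='hostname 203.0.113.7
forwardagent yes
identitiesonly yes'
# Live use:  check_herdr_entry "$(ssh -G domedog-ts-herdr)"
```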