ADR-0006: Tailscale Platform Connectivity

Status: accepted

Context

Dubnium needs stable remote reachability for the workstation without moving user-level shell, editor, or agent configuration into the system repository. Tailscale provides machine and network identity, so it belongs with Dubnium’s platform policy rather than with dotfiles.

Tailscale can also provide subnet routing, exit-node behavior, automatic enrollment, and Tailscale SSH. Those features change routing, firewalling, access control, and trust boundaries, so they should not be enabled as an incidental side effect of installing the client daemon.

Decision

Enable Tailscale as workstation-only platform connectivity in v1.

Dubnium will enable tailscaled and the tailscale CLI on the workstation, but node enrollment remains manual with sudo tailscale up.

Do not enable auth-key or OAuth enrollment, subnet routing, exit-node behavior, or Tailscale SSH in v1. Document those as future options that require explicit routing, ACL, firewall, and secrets-policy review.
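
One way to check that an enrolled workstation still matches this decision, as an added example rather than Dubnium's own code. It assumes the preferences JSON printed by tailscale debug prefs, with the field names RunSSH, AdvertiseRoutes, ExitNodeID and ExitNodeIP; the function name and both sample documents are constructed for illustration. How the node was enrolled (manual, auth key or OAuth) is not visible in these preferences and is not checked.

```python
import json
import sys

# Advertising either default route is what makes a node an exit node.
EXIT_ROUTES = {"0.0.0.0/0", "::/0"}


def v1_violations(prefs: dict) -> list[str]:
    """Return the ways a node's preferences depart from the v1 decision."""
    found = []
    if prefs.get("RunSSH"):
        found.append("Tailscale SSH is enabled")
    # AdvertiseRoutes is null when the node advertises nothing.
    routes = prefs.get("AdvertiseRoutes") or []
    if any(r in EXIT_ROUTES for r in routes):
        found.append("node advertises itself as an exit node")
    subnets = sorted(r for r in routes if r not in EXIT_ROUTES)
    if subnets:
        found.append("node advertises subnet routes: " + ", ".join(subnets))
    # Either field being set means traffic is sent through another node.
    if prefs.get("ExitNodeID") or prefs.get("ExitNodeIP"):
        found.append("node routes its traffic through an exit node")
    return found


# Constructed sample: a workstation enrolled with a plain "sudo tailscale up".
COMPLIANT = json.loads("""
{"WantRunning": true, "RunSSH": false, "AdvertiseRoutes": null,
 "ExitNodeID": "", "ExitNodeIP": ""}
""")

# Constructed sample: the same node after the deferred features were turned on.
DRIFTED = json.loads("""
{"WantRunning": true, "RunSSH": true,
 "AdvertiseRoutes": ["192.168.10.0/24", "0.0.0.0/0", "::/0"],
 "ExitNodeID": "", "ExitNodeIP": "100.64.0.7"}
""")

if __name__ == "__main__":
    # With piped input, check the live node; otherwise show the drifted sample.
    prefs = DRIFTED if sys.stdin.isatty() else json.load(sys.stdin)
    problems = v1_violations(prefs)
    for p in problems:
        print("v1 policy violation:", p)
    sys.exit(1 if problems else 0)
```

Piping the output of sudo tailscale debug prefs into the script checks the live node; the non-zero exit status on any violation lets it serve as a post-rebuild gate.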

Consequences

  • The workstation can join the tailnet with a small, reviewable system change.
  • Dotfiles remains responsible for user-level tooling only.
  • First enrollment is an operator action instead of a rebuild side effect.
  • Future subnet router, exit-node, and Tailscale SSH support has a documented path without widening v1 network exposure.