Tailscale

In v1, Tailscale provides platform connectivity for the workstation only. Dubnium enables the daemon and CLI, but enrollment stays manual until the secrets and OAuth policy are settled.

First Activation

Build and switch the workstation configuration:

sudo nixos-rebuild switch --flake .#workstation

Enroll the node manually:

sudo tailscale up

Follow the browser/device login flow. Do not pass --ssh, --advertise-routes, or --advertise-exit-node for v1.

Verification

Check the daemon:

systemctl status tailscaled

Check tailnet state:

tailscale status
tailscale ip -4

Regular OpenSSH can be used over the assigned tailnet IP if SSH is allowed by the host firewall and OpenSSH configuration.

vLLM Over Tailnet

Dubnium exposes vllm.service on port 8000 over the Tailscale interface only. From another tailnet machine, use the node’s Tailscale IP or MagicDNS name:

curl http://<dubnium-tailnet-name>:8000/v1/models

The local alias ai.dubnium is a host-local convenience entry on Dubnium. To use that same name from other machines, add a tailnet DNS/hosts alias that points ai.dubnium at the Dubnium node’s Tailscale IP.
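The following NixOS fragment is an added example of the v1 posture described in this section; it is not Dubnium's own module. It assumes that vllm.service is declared elsewhere and listens on TCP 8000 on all addresses, that the Tailscale interface keeps the NixOS default name (services.tailscale.interfaceName), and that the host-local ai.dubnium alias resolves to loopback. The services.tailscale.* and networking.firewall.* options used are real NixOS options.

```nix
# Added example, not Dubnium's own module. Assumptions: vllm.service is
# declared elsewhere and listens on TCP 8000 on all addresses; the Tailscale
# interface keeps the NixOS default name; the ai.dubnium alias resolves to
# loopback on the host itself.
{ config, ... }:

{
  services.tailscale = {
    enable = true;
    # v1 is a plain client: no subnet routes, no exit node, no Tailscale SSH.
    useRoutingFeatures = "none";
    # Opens Tailscale's own UDP port (services.tailscale.port) so peers can
    # reach the daemon directly instead of only through relays.
    openFirewall = true;
  };

  networking.firewall = {
    enable = true;
    # Port 8000 is deliberately absent from the global allowedTCPPorts list.
    # It is opened on the Tailscale interface only, so vLLM is reachable from
    # tailnet peers and from nothing on the LAN or the public side.
    interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ 8000 ];
  };

  # Host-local convenience name only; other tailnet machines need their own
  # DNS or hosts entry pointing ai.dubnium at this node's Tailscale IP.
  networking.hosts."127.0.0.1" = [ "ai.dubnium" ];
}
```

The point of the per-interface list is that vLLM itself may still bind 0.0.0.0:8000 (which `ss -ltn` on the host will show); the firewall scoping, not the listener, is what keeps the port tailnet-only. After a rebuild, the curl above from a tailnet peer should succeed, and the same request from a non-tailnet address should be refused.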

Deferred Automation

Automatic enrollment should use services.tailscale.authKeyFile only after Dubnium has a settled secrets policy. The intended future shape is:

services.tailscale.authKeyFile = "/run/secrets/tailscale-auth-key";

OAuth or auth-key enrollment should be paired with explicit key scope, expiration, tagging, and rotation decisions.

Deferred Routing Options

Subnet router support would require:

  • services.tailscale.useRoutingFeatures = "server" or "both"
  • sudo tailscale up --advertise-routes=...
  • Tailscale admin approval for the advertised routes
  • firewall, forwarding, and reverse-path-filtering review

Exit-node support would require:

  • services.tailscale.useRoutingFeatures = "server" or "both"
  • sudo tailscale up --advertise-exit-node
  • Tailscale admin approval
  • stronger trust and privacy review, because the node can carry client traffic

Deferred Tailscale SSH

Tailscale SSH is not enabled in v1. If enabled later, it should be tied to a written Tailscale ACL policy and explicit operator intent.

Future manual enrollment would use:

sudo tailscale up --ssh

Future declarative enrollment could add:

services.tailscale.extraUpFlags = [ "--ssh" ];

Until that policy exists, use regular OpenSSH over the tailnet IP.
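As an added example covering the three deferred sections above (auth-key enrollment, subnet-router and exit-node routing, and Tailscale SSH), the following NixOS module shows one way to declare those pieces so that each stays off until an operator turns it on explicitly. It is not Dubnium's own code. The options under dubnium.tailscale are hypothetical names introduced here; the services.tailscale.* options, lib helpers, and the assertions mechanism are real NixOS features. The secrets path is the placeholder from the text, and the example route is a documentation-range CIDR.

```nix
# Added example, not Dubnium's own module. The dubnium.tailscale.* options are
# hypothetical; services.tailscale.* options are real NixOS options. Nothing
# here is enabled unless an operator sets the corresponding option to true.
{ config, lib, ... }:

let
  cfg = config.dubnium.tailscale;
in
{
  options.dubnium.tailscale = {
    autoEnroll = lib.mkEnableOption "auth-key enrollment from the secrets store";
    subnetRouter = lib.mkEnableOption "advertising the CIDRs listed in routes";
    routes = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      example = [ "192.0.2.0/24" ]; # documentation range, placeholder only
      description = "CIDRs to advertise; each still needs admin approval.";
    };
    exitNode = lib.mkEnableOption "advertising this node as an exit node";
    ssh = lib.mkEnableOption "Tailscale SSH (only with a written ACL policy)";
  };

  config = {
    services.tailscale = {
      enable = true;

      # The auth key lives outside the Nix store; the path is the placeholder
      # from the text and depends on the settled secrets policy.
      authKeyFile = lib.mkIf cfg.autoEnroll "/run/secrets/tailscale-auth-key";

      # "server" turns on IP forwarding for advertised routes; "both" would
      # also make this node accept other peers' routes. "none" keeps the plain
      # client posture of v1.
      useRoutingFeatures =
        if cfg.subnetRouter || cfg.exitNode then "server" else "none";

      # Flags for `tailscale up`; each maps to exactly one decision above, so
      # a routine rebuild cannot add --ssh or an advertisement by accident.
      extraUpFlags =
        lib.optional cfg.ssh "--ssh"
        ++ lib.optional cfg.exitNode "--advertise-exit-node"
        ++ lib.optional (cfg.subnetRouter && cfg.routes != [ ])
             "--advertise-routes=${lib.concatStringsSep "," cfg.routes}";
    };

    assertions = [
      {
        assertion = cfg.subnetRouter -> cfg.routes != [ ];
        message = "dubnium.tailscale.subnetRouter requires at least one route.";
      }
      {
        assertion = cfg.ssh -> cfg.autoEnroll;
        message = "dubnium.tailscale.ssh is only applied declaratively through "
          + "auth-key enrollment; enable autoEnroll or pass --ssh manually.";
      }
    ];
  };
}
```

With autoEnroll set, the NixOS module's auto-connect service runs `tailscale up` with the auth key and these extraUpFlags; without it, the flags are only a record of intent and enrollment stays manual, which is why the second assertion ties ssh to autoEnroll. Advertised routes and exit-node status still require approval in the Tailscale admin console after the rebuild, and the firewall, forwarding, and reverse-path-filter review the text calls for is not replaced by anything here.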