Tailscale

Tailscale provides a private mesh VPN for direct access to homelab services. While Cloudflare Tunnel handles public/third-party access with email-based authentication, Tailscale is the private/admin channel — used for services like Home Assistant’s iOS app, SSH, Backrest, and Cockpit where Cloudflare Access prompts are inconvenient.

| Method | Purpose | URL Pattern |
| --- | --- | --- |
| Cloudflare | Public/third-party access | https://<svc>-home.javiersc.com |
| Tailscale | Private/admin access (no login prompt) | http://<tailscale-ip>:<port> |

After deploying this module, authenticate the node once:

```bash
sudo tailscale up --accept-routes --ssh
```

Follow the link in the output to log in to your Tailscale account. After the first login, Tailscale persists authentication in /var/lib/tailscale and reconnects automatically on subsequent boots.

If re-provisioning from scratch, generate a new reusable auth key in the Tailscale admin console and store it in 1Password as Tailscale - Auth Key. The tailscale-secrets systemd service will inject it before tailscaled starts.
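One possible shape for the pre-start helper that the tailscale-secrets service runs, added here as an example rather than this homelab's own unit script. The 1Password vault name and item path, the key file location, and a Tailscale CLI that accepts `--auth-key=file:` are assumptions.

```shell
#!/bin/sh
# Hypothetical tailscale-secrets helper (added example, not this homelab's unit).
# Assumes: the 1Password CLI `op` is signed in for root, and the reusable key is
# the "credential" field of the "Tailscale - Auth Key" item in a vault "Homelab".
set -eu

OP_ITEM="op://Homelab/Tailscale - Auth Key/credential"   # assumed item path
KEY_FILE="/run/tailscale/authkey"                         # tmpfs: gone on reboot

# Auth keys issued by the admin console start with this prefix; refuse anything
# else so a wrong 1Password field never reaches tailscaled.
validate_authkey() {
  case "$1" in
    tskey-auth-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Flags matching the documented posture: subnet routes and Tailscale SSH on,
# no exit node advertised, nothing involving Funnel. $1 is the key file path.
build_up_args() {
  printf '%s' "up --accept-routes --ssh --auth-key=file:$1"
}

# Read the key from 1Password and stage it in a root-only file (mode 0600).
fetch_key() {
  key="$(op read "$OP_ITEM")"
  validate_authkey "$key" || { echo "refusing non-auth-key secret" >&2; return 1; }
  install -d -m 0700 "$(dirname "$KEY_FILE")"
  ( umask 077; printf '%s' "$key" > "$KEY_FILE" )
}

main() {
  fetch_key
  # Word-splitting of the flag string is intended here.
  tailscale $(build_up_args "$KEY_FILE")
  # The node key now lives in /var/lib/tailscale; drop the one-shot auth key.
  rm -f "$KEY_FILE"
}

# Only act when invoked as `tailscale-secrets.sh run` (e.g. from ExecStartPost).
if [ "${1:-}" = "run" ]; then
  main
fi
```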

| Port | Protocol | Purpose |
| --- | --- | --- |
| 41641 | UDP | WireGuard (Tailscale) |

The tailscale0 interface is trusted (all traffic allowed through it).

  • --accept-routes: Accepts subnet routes advertised by other Tailscale nodes.
  • --ssh: Enables Tailscale SSH for secure shell access without key management.
  • No exit node: The miniPC does not route all traffic for connected devices.
  • No Tailscale Funnel: Services are not exposed through Funnel.

The Home Assistant iOS app should connect via the Tailscale IP (e.g., http://100.82.100.68:8123) instead of the Cloudflare Access URL. This avoids the login prompt entirely.

Configure the Home Assistant companion app with the Tailscale IP as both internal and external URL.

Tailscale state (/var/lib/tailscale) is included in Restic backups. The .local subdirectory (temporary files) is excluded.