Oracle Cloud's restrictive default network policy
Oracle Cloud's default network policy allows no inbound ports other than SSH. Tailscale keeps working regardless, since it does not depend on an opened inbound port, but any attempt to obtain a TLS certificate over ports 80 and 443 fails until those ports are opened in the cloud's network rules.
A simple guide to setting up private services on NixOS using Tailscale and Caddy with authentication.
Services routed by caddy-tailscale are treated as full-fledged Tailscale nodes and are therefore subject to the tailnet's deny-by-default ACL policy. To reach a service's Tailscale address from the server itself (even just to ping it), an ACL grant is needed that allows the server's tag to access the tag applied to the service. This was necessary today so that the Firefly-iii data importer could reach the Firefly-iii instance running on the same server.
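A tailnet policy file illustrating that grant, as an added example that is not part of the original notes or of the caddy-tailscale project. The tag names (tag:server, tag:firefly, tag:firefly-importer) and the service port 443 are assumptions for this example; the "tests" section lets the admin console reject a policy change that would silently widen or break the access described above.

```jsonc
{
  // Who may apply each tag. The host is tagged by an admin; the two services
  // are registered by caddy-tailscale on the host, so the host tag owns them.
  // (All tag names here are assumptions for this example.)
  "tagOwners": {
    "tag:server":           ["autogroup:admin"],
    "tag:firefly":          ["tag:server"],
    "tag:firefly-importer": ["tag:server"]
  },

  // Deny-by-default: a node can only be reached by what is listed here.
  "grants": [
    // Admins may SSH to the host itself.
    {
      "src": ["autogroup:admin"],
      "dst": ["tag:server"],
      "ip":  ["tcp:22"]
    },
    // The grant the notes describe: the host (and the importer running on it)
    // may reach the Firefly-iii node, restricted to the service port rather
    // than "*" so that the grant does not also expose anything else on it.
    {
      "src": ["tag:server", "tag:firefly-importer"],
      "dst": ["tag:firefly"],
      "ip":  ["tcp:443"]
    },
    // Ordinary tailnet members may open both services in a browser only.
    {
      "src": ["autogroup:member"],
      "dst": ["tag:firefly", "tag:firefly-importer"],
      "ip":  ["tcp:443"]
    }
  ],

  // Policy tests: evaluated when the policy is saved, so a later edit that
  // removes the server->service grant, or that exposes SSH on the service
  // node, is refused instead of being discovered in production.
  "tests": [
    { "src": "tag:server",
      "accept": ["tag:firefly:443"],
      "deny":   ["tag:firefly:22"] },
    { "src": "autogroup:member",
      "accept": ["tag:firefly:443"],
      "deny":   ["tag:server:22", "tag:firefly:22"] }
  ]
}
```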
Tailscale on NixOS requires setting services.tailscale.useRoutingFeatures = "client" on the non-exit-node machines to allow routing to work.