Goal

Investigation / spike (not a committed build): evaluate Tailscale (WireGuard mesh VPN) as an opt-in, default-off way to reach the dashboard — and other stack services — securely from anywhere, with no exposed ports and no public IP. Decide a recommended pattern (sidecar container vs host install, `tailscale serve` for the dashboard) and whether it warrants a small compose profile + a doc, or docs-only.

Why this is scheduled alongside #79 / #121 / #99 (the alerting work)

Alerting tells the operator "something's wrong." It does not give them a way to look and act. Tailscale is the response path to the alerts:

- Tailscale: tap a link → on the dashboard over an E2E-encrypted mesh, zero inbound firewall holes, no public IP. Strictly better than the public-exposure path we already discourage.

Shipping alerts without a clean remote-look path leaves the loop half-closed — hence: investigate it in the same v1.2 slice.

Viability — looks high, low effort (to confirm)

- Sidecar pattern: a `tailscale/tailscale` container running `tailscaled` in userspace-networking mode, joined via an auth key; other services reach the tailnet through it (or it shares the host's network namespace). Standard, well-documented.
- `tailscale serve`: publish the dashboard over HTTPS within the tailnet with an auto-provisioned cert and a stable MagicDNS name (e.g. `https://pithead.<tailnet>.ts.net`) — no manual TLS, no Caddy. Directly relevant to #8 (Secure Dashboard: authentication/login + safe public exposure, re-evaluate Caddy/TLS).
- Auth key: same secret handling as `api_key` / #121's `bot_token` → `.env`, owner-only, never logged. Prefer ephemeral, pre-authorized, tagged keys; document ACL-tag scoping.

Privacy caveat — must be addressed head-on (this is a Tor-first project, see #160)

Tailscale's data plane is E2E WireGuard, but its control plane is a SaaS coordination server (Tailscale Inc.) that sees node metadata (keys, endpoints, coordination). That's a philosophical wrinkle for a Tor-everything stack.

- Flag Headscale (open-source, self-hostable drop-in control server) as the privacy-pure option — config must allow a custom control-server URL, not just Tailscale's.
- Honest positioning: this is a convenience tier over the existing Tor onion path, not a new capability. The onion service stays the privacy-maximalist default; Tailscale is for operators who find Tor too slow/clunky for a live dashboard on mobile.

Alternatives to weigh in the spike

- Tor onion service (already the project's remote path) — keep as default; Tailscale is the opt-in convenience layer.
- Headscale — self-hosted control plane; the privacy answer.
- Plain WireGuard — no SaaS at all, but manual key/peer management (more setup friction).
- Cloudflare Tunnel / Nebula — another SaaS / more setup; worse privacy or worse ergonomics. Note and move on.

Config sketch (`config.json`, default off — to be refined by the spike)

```jsonc
"tailscale": {
  "enabled": false,
  "auth_key": "",          // ephemeral, tagged; secret → .env, owner-only, never logged
  "control_url": "",       // blank = Tailscale SaaS; set for self-hosted Headscale
  "serve_dashboard": true, // publish dashboard via `tailscale serve` (HTTPS + MagicDNS)
  "hostname": "pithead"
}
```
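An added compose-profile sketch for the spike (mine, not the project's compose file), mapping the `config.json` keys above onto the official `tailscale/tailscale` image's environment variables: off by default via a profile, auth key read from `.env`, Headscale reachable through `--login-server`, and `tailscale serve` fronting the dashboard with no published host ports. The service name `dashboard`, its internal port 8080, the `tag:pithead` ACL tag and the Headscale URL are assumptions.

```yaml
# compose.tailscale.yml (added sketch, not the project's compose file)
# Start with:  docker compose -f compose.yml -f compose.tailscale.yml --profile tailscale up -d
# Assumptions: service "dashboard" listens on 127.0.0.1:8080 inside its container;
# Compose v2.23+ (inline config content); a tailscale image that honours TS_SERVE_CONFIG.
services:
  tailscale:
    image: tailscale/tailscale:latest
    profiles: ["tailscale"]               # config.json "enabled": false -> off unless the profile is requested
    network_mode: service:dashboard       # join the dashboard's namespace so serve can proxy to 127.0.0.1:8080;
    depends_on: [dashboard]               # the dashboard keeps running normally when this sidecar is off
    environment:
      # config.json "auth_key": comes from .env (chmod 600) only, never from config.json or this file.
      # Mint it ephemeral + pre-authorized + tagged (tag:pithead assumed) so a leaked key cannot
      # create long-lived or untagged nodes.
      TS_AUTHKEY: "${TS_AUTHKEY:?TS_AUTHKEY missing, put it in .env (owner-only)}"
      TS_HOSTNAME: pithead                # config.json "hostname" -> https://pithead.<tailnet>.ts.net
      TS_USERSPACE: "true"                # userspace networking: no /dev/net/tun, no NET_ADMIN
      TS_STATE_DIR: /var/lib/tailscale    # persist node identity across restarts
      TS_SERVE_CONFIG: /config/serve.json # config.json "serve_dashboard": true
      # config.json "control_url": leave TS_LOGIN_SERVER_ARG unset for Tailscale SaaS, or set
      # TS_LOGIN_SERVER_ARG=--login-server=https://headscale.example.net in .env for Headscale (assumed URL).
      TS_EXTRA_ARGS: "--advertise-tags=tag:pithead ${TS_LOGIN_SERVER_ARG:-}"
    volumes:
      - tailscale-state:/var/lib/tailscale
    configs:
      - source: tailscale-serve
        target: /config/serve.json
    # No "ports:" anywhere: nothing is published on the host, only tailnet peers reach the dashboard.
    # tailscaled itself still talks clearnet to the control server and DERP relays, which is
    # exactly the #160 caveat to document.

configs:
  tailscale-serve:
    # tailscale serve config: terminate HTTPS on the tailnet with an auto-provisioned cert and
    # proxy / to the dashboard. "$$" keeps ${TS_CERT_DOMAIN} literal so containerboot can
    # substitute the node's MagicDNS name at start-up.
    content: |
      {
        "TCP": { "443": { "HTTPS": true } },
        "Web": {
          "$${TS_CERT_DOMAIN}:443": {
            "Handlers": { "/": { "Proxy": "http://127.0.0.1:8080" } }
          }
        }
      }

volumes:
  tailscale-state:
```

Whether the auto-provisioned HTTPS cert for `serve` is also available when the control plane is Headscale rather than Tailscale's SaaS is one of the things the spike has to confirm.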
Outputs / acceptance criteria (it's a spike — deliver decisions + a recommendation)
- Confirm `tailscale serve` cleanly fronts the dashboard over HTTPS + MagicDNS with no exposed host ports; document the resulting URL pattern.
- Confirm a custom `control_url` (Headscale) works as the privacy-pure path.
- Auth key handling (`.env`, owner-only, never logged); ephemeral + tagged keys documented.
- Privacy write-up in `docs/privacy.md` (#160 / #164): what the control plane sees, what it doesn't, and the Headscale alternative.
- Recommendation: compose profile + `docs/remote-access.md`, or docs-only, or defer.

Related

- #8 Secure Dashboard: authentication/login + safe public exposure (re-evaluate Caddy/TLS) (`tailscale serve` may obsolete the Caddy question)
- #113 Warn when the host has a public IP (stratum :3333 is unauthenticated) — setup/doctor + dashboard badge (public-IP warning; Tailscale avoids the exposure entirely)
- #160 [Epic] Privacy: no clearnet egress outside Tor — close leaks + privacy-first defaults / #164 Docs: add docs/privacy.md egress reference + correct 'home IP not exposed' overclaims (privacy / egress)
- #77 Bootable USB installers: self-provisioning appliance images for the stack host and RigForge miner (appliance image could bake it in)