Tailscale

Tailscale is the glue that allows my CI/CD pipeline to access parts of my infrastructure. It also allows me to do remote administration when I’m not on my home network.

Access controls

I won’t share the details of my access controls config, but the following is generally needed for my templates to work:

Tags

• ci (ephemeral runners)
• infrastructure (proxmox, infisical)

ACLs

• ci to infrastructure

Funnel

• default (owners can configure)

HTTPS certificates must also be enabled under DNS > HTTPS Certificates

OAuth Client

The CI/CD pipeline needs an auth key to temporarily join the tailnet without an interactive logon. OAuth client credentials can be created under Settings > OAuth clients. Give the client a description and enable the following permissions:

• Auth Keys - R/W - tag:ci

Once the OAuth credentials are created, save them for later so they can be added to the Infisical common secrets.

Machines

The following machines need to be added to the tailnet for my templates to work. Use the provided links to see the tailscale setup documentation for each machine.

• Proxmox
• OPNsense
• Infisical (if self-hosting)