cryodev/docs/services/tailscale.md

# Tailscale Client

Tailscale clients connect to the self-hosted Headscale server to join the mesh VPN.

## References

- [Tailscale Documentation](https://tailscale.com/kb)
- [Headscale Client Setup](https://headscale.net/running-headscale-linux/)

## Setup

### Generate Auth Key

On the Headscale server (cryodev-main):

```bash
# Look up user ID
sudo headscale users list
# Create preauth key (use the user ID for "default")
sudo headscale preauthkeys create --expiration 99y --reusable --user <ID>
```

### Add to Secrets

```bash
sops hosts/<hostname>/secrets.yaml
```

```yaml
tailscale:
  auth-key: "your-preauth-key"
```

### Configuration

```nix
# In your host configuration
{ config, ... }:
{
  sops.secrets."tailscale/auth-key" = { };
  
  services.tailscale = {
    enable = true;
    authKeyFile = config.sops.secrets."tailscale/auth-key".path;
    extraUpFlags = [
      "--login-server=https://headscale.cryodev.xyz"
    ];
  };
}
```

## Usage

### Check Status

```bash
tailscale status
```

### View IP Address

```bash
tailscale ip
```

### Ping Another Node

```bash
tailscale ping <hostname>
```

### SSH to Another Node

```bash
ssh user@<hostname>
# or using Tailscale IP
ssh user@100.64.0.X
```

## MagicDNS

With Headscale's MagicDNS enabled, you can reach nodes by hostname:

```bash
ping cryodev-pi
ssh steffen@cryodev-main
```

## Troubleshooting

### Check Service Status

```bash
sudo systemctl status tailscaled
```

### View Logs

```bash
sudo journalctl -u tailscaled -f
```

### Re-authenticate

If the node is not connecting:

```bash
sudo tailscale up --login-server=https://headscale.cryodev.xyz --force-reauth
```

### Node Not Appearing in Headscale

Check the auth key is valid:

```bash
# On Headscale server
sudo headscale preauthkeys list --user <ID>
```

Verify the login server URL is correct in the client configuration.