Ephemeral Castle Tailnet Security
TazLab networking follows a strict Zero Trust model where identity is managed via Tailscale tags and enforced by an ACL policy managed as code.
Identity Governance (acl.json)
Tag Owners
- tag:tazpod: Managed by roberto.tazzoli@gmail.com.
- tag:tazlab-vault: Managed by the operator and TazPod.
- tag:tazlab-k8s: Managed by the operator.
- tag:tazlab-db: Managed by the operator.
- tag:vault-api: Managed by the operator and TazPod.
ACL Rules (Direct Access)
| Source Tag | Destination Tag | Port(s) | Purpose |
|---|---|---|---|
| tag:tazpod | tag:tazlab-vault | 22, 6443, 50000 | Admin & Control. |
| tag:tazpod | tag:tazlab-k8s | 6443, 50000 | K8s API & Talos API. |
| tag:tazpod | tag:vault-api | 8200 | Vault operations. |
| tag:tazpod | tag:tazlab-db | 5432 | DB access (Planned). |
| tag:tazlab-k8s | tag:vault-api | 8200 | App secret retrieval. |
| tag:tazlab-vault | tag:tazlab-db | 5432 | DB access (Planned). |
| tag:tazlab-vault | tag:tazlab-vault | 8201 | Raft cluster gossip. |
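The tag-owner list and the table above, written out as a Tailscale policy file (HuJSON, so `//` comments are allowed). This is an added illustration, not the repository's acl.json: it assumes that "the operator" is the same login that owns tag:tazpod, it keeps the two "Planned" 5432 rules commented out because a rule for a planned flow is live the moment the policy is saved, and the `tests` section is added here to pin down the table's negative space (Tailscale evaluates `tests` on every save and rejects a policy that fails one).

```jsonc
{
  // Who may apply each tag. A tag listed as an owner means devices carrying
  // that tag (here TazPod, via its OAuth-minted identity) may assign the tag.
  // Assumption: "the operator" is the login that owns tag:tazpod.
  "tagOwners": {
    "tag:tazpod":       ["roberto.tazzoli@gmail.com"],
    "tag:tazlab-vault": ["roberto.tazzoli@gmail.com", "tag:tazpod"],
    "tag:tazlab-k8s":   ["roberto.tazzoli@gmail.com"],
    "tag:tazlab-db":    ["roberto.tazzoli@gmail.com"],
    "tag:vault-api":    ["roberto.tazzoli@gmail.com", "tag:tazpod"]
  },

  // Default-deny: with an "acls" section present and no "*" rule, any flow
  // not listed here is dropped, and a tag that never appears as a src
  // (tag:tazlab-db, tag:vault-api) cannot initiate connections at all.
  "acls": [
    {"action": "accept", "src": ["tag:tazpod"],       "dst": ["tag:tazlab-vault:22,6443,50000"]},
    {"action": "accept", "src": ["tag:tazpod"],       "dst": ["tag:tazlab-k8s:6443,50000"]},
    {"action": "accept", "src": ["tag:tazpod"],       "dst": ["tag:vault-api:8200"]},
    {"action": "accept", "src": ["tag:tazlab-k8s"],   "dst": ["tag:vault-api:8200"]},
    {"action": "accept", "src": ["tag:tazlab-vault"], "dst": ["tag:tazlab-vault:8201"]}
    // Planned, not yet granted. Uncomment only when the DB node exists and is tagged:
    // {"action": "accept", "src": ["tag:tazpod"],       "dst": ["tag:tazlab-db:5432"]},
    // {"action": "accept", "src": ["tag:tazlab-vault"], "dst": ["tag:tazlab-db:5432"]}
  ],

  // Guard rails: a later edit that widens a rule fails these tests at save time.
  "tests": [
    // Operator box reaches Vault admin ports and the API, but never Raft.
    {"src": "tag:tazpod",
     "accept": ["tag:tazlab-vault:22", "tag:tazlab-k8s:6443", "tag:vault-api:8200"],
     "deny":   ["tag:tazlab-vault:8201"]},
    // Workloads fetch secrets only; no SSH to Vault, no K8s API from inside K8s.
    {"src": "tag:tazlab-k8s",
     "accept": ["tag:vault-api:8200"],
     "deny":   ["tag:tazlab-vault:22", "tag:tazlab-k8s:6443", "tag:tazlab-vault:8201"]},
    // Vault nodes talk Raft among themselves and nothing else (DB is still planned).
    {"src": "tag:tazlab-vault",
     "accept": ["tag:tazlab-vault:8201"],
     "deny":   ["tag:tazlab-db:5432", "tag:tazpod:22", "tag:tazlab-k8s:6443"]},
    // The database tier must never initiate anything.
    {"src": "tag:tazlab-db",
     "deny":   ["tag:tazlab-vault:8200", "tag:vault-api:8200", "tag:tazpod:22"]}
  ]
}
```

Port lists in a `dst` entry are comma-separated with no spaces (`tag:tazlab-vault:22,6443,50000`), and every `tests` entry must hold with the `acls` exactly as written, which is what makes the file a safe target for `main.tf`-driven changes: a pull request that adds a broad rule is rejected by the control plane rather than silently opening the tailnet.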
Automation via OAuth
The tailscale/main.tf file defines a tailscale_oauth_client named tazlab-bootstrap.
- Scopes: auth_keys, devices.
- Tags: Automatically assigns tag:tazpod and tag:tazlab-k8s to new devices.
- This allows automatic AuthKey minting during rebirth.
Operational Join Path
- Standard operator entrypoint: AGENTS.ctx/tools/tailscale/start.sh
- The script starts tailscaled in the background, so the shell does not block while the daemon initializes.
- It joins the tailnet using a short-lived auth key minted from the OAuth client credentials.
- After join, peer reachability is verified with tailscale status and tailscale ping against lushycorp-vault and tazlab-k8s-control-plane-01.
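The join path described above, as an added example and not the project's own start.sh. It assumes the OAuth client credentials arrive in the environment as TS_OAUTH_CLIENT_ID and TS_OAUTH_CLIENT_SECRET (variable names chosen here), that curl and jq are installed, and that tailscaled is run as root via sudo. The key it mints is single-use, ephemeral and pre-authorized, expires after ten minutes, and carries only tag:tazpod: minting a key that carries both tag:tazpod and tag:tazlab-k8s would give the joining node both identities and every flow granted to either tag, so each device should get the minimum tag set it needs.

```bash
#!/usr/bin/env bash
# Added example: mint a short-lived Tailscale auth key from an OAuth client and
# join the tailnet with it. Not the repository's start.sh.
# Assumptions: TS_OAUTH_CLIENT_ID and TS_OAUTH_CLIENT_SECRET are exported
# (names chosen for this example); curl, jq and sudo are available.
set -euo pipefail

TS_API="https://api.tailscale.com/api/v2"

# Request body for POST /tailnet/-/keys. reusable=false means a leaked or
# logged key cannot enroll a second device; ephemeral=true removes the node
# from the tailnet when it goes offline; preauthorized=true skips the admin
# approval step; expirySeconds bounds how long the key is redeemable.
build_key_request() {
  local expiry="$1"; shift
  local tags=""
  for t in "$@"; do tags="${tags:+$tags,}\"$t\""; done
  printf '{"capabilities":{"devices":{"create":{"reusable":false,"ephemeral":true,"preauthorized":true,"tags":[%s]}}},"expirySeconds":%d}' \
    "$tags" "$expiry"
}

# client_credentials grant: exchange the OAuth client for a bearer token.
oauth_token() {
  curl -fsS -d "client_id=$TS_OAUTH_CLIENT_ID" -d "client_secret=$TS_OAUTH_CLIENT_SECRET" \
    "$TS_API/oauth/token" | jq -r .access_token
}

# Mint the auth key. The response carries the secret exactly once; it is
# returned on stdout to the caller and never echoed or written to a file.
mint_auth_key() {
  local token; token="$(oauth_token)"
  build_key_request 600 "$@" \
    | curl -fsS -H "Authorization: Bearer $token" -H 'Content-Type: application/json' \
        --data-binary @- "$TS_API/tailnet/-/keys" \
    | jq -r .key
}

# Block until the local daemon's control socket exists (Linux default path).
wait_for_tailscaled() {
  local i
  for i in $(seq 1 30); do
    [ -S /var/run/tailscale/tailscaled.sock ] && return 0
    sleep 1
  done
  echo "tailscaled did not come up within 30s" >&2
  return 1
}

join_tailnet() {
  # Start the daemon in the background so this shell is not blocked.
  sudo tailscaled >/dev/null 2>&1 &
  wait_for_tailscaled

  # Mint and redeem in one step; the key is only ever held in this variable.
  # Note: the key is visible in the argv of `tailscale up` for its lifetime.
  local key; key="$(mint_auth_key tag:tazpod)"
  sudo tailscale up --authkey="$key"
  unset key

  # Post-join verification against the two peers the page names.
  tailscale status
  tailscale ping -c 3 lushycorp-vault
  tailscale ping -c 3 tazlab-k8s-control-plane-01
}

# Run the join only when explicitly asked, so the file can also be sourced.
if [ "${1:-}" = "join" ]; then
  join_tailnet
fi
```

Run it as `./join.sh join`. Because the minted key is tied to tag:tazpod, the node that redeems it is bounded by the tag:tazpod rows of the ACL table regardless of which user started the script, and the OAuth client itself never touches the device; only the short-lived key does.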
Important Vault Hostname Note
The Vault runtime tailnet registration is lushycorp-vault (MagicDNS FQDN: lushycorp-vault.magellanic-gondola.ts.net). The old custom alias lushycorp-api.ts.tazlab.net is runtime-defined TLS glue, not a Tailscale-owned name, and is tracked as architecture debt (TD-020).
See Also
- Bridge: Tailscale Bridge
- Vault Contract: Tailscale Vault Contract
- Detail: ACL Policy Detail
- Protocol: Rebirth Protocol
- Hub: Ephemeral Castle Hub
- Entity: Tailscale