Ephemeral Castle Tailnet Security
TazLab networking follows a strict Zero Trust model where identity is managed via Tailscale tags and enforced by an ACL policy managed as code.
Identity Governance (acl.json)
Tag Owners
- tag:tazpod: Managed by roberto.tazzoli@gmail.com.
- tag:tazlab-vault: Managed by the operator and TazPod.
- tag:tazlab-k8s: Managed by the operator.
- tag:tazlab-db: Managed by the operator.
ACL Rules (Direct Access)
| Source Tag | Destination Tag | Port(s) | Purpose |
|---|---|---|---|
| tag:tazpod | tag:tazlab-vault | 22, 6443, 50000 | Admin & Control. |
| tag:tazpod | tag:tazlab-k8s | 6443, 50000 | K8s API & Talos API. |
| tag:tazpod | tag:vault-api | 8200 | Vault operations. |
| tag:tazlab-k8s | tag:vault-api | 8200 | App secret retrieval. |
| tag:tazlab-vault | tag:tazlab-db | 5432 | DB access (Planned). |
| tag:tazlab-vault | tag:tazlab-vault | 8201 | Raft cluster gossip. |
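The tag-owner list and rule table above, written out as an added example policy (not the project's own acl.json): a HuJSON Tailscale policy with tagOwners, the acls, and a tests section so that the intended allow and deny paths are checked every time the policy is saved. Assumed, because the page does not state them: autogroup:admin stands in for "the operator", and tag:vault-api (used in the rule table but absent from the tag-owner list) is given that same owner.

```jsonc
// Added example policy in HuJSON (Tailscale's policy format, comments allowed).
// Assumptions: autogroup:admin represents "the operator"; tag:vault-api's owner
// is not stated on the page and is assumed to be the operator as well.
{
  "tagOwners": {
    "tag:tazpod":       ["roberto.tazzoli@gmail.com"],
    "tag:tazlab-vault": ["autogroup:admin", "tag:tazpod"],
    "tag:tazlab-k8s":   ["autogroup:admin"],
    "tag:tazlab-db":    ["autogroup:admin"],
    "tag:vault-api":    ["autogroup:admin"]   // assumed owner
  },

  // Default deny: only the rows of the rule table are accepted, no "*" sources
  // and no wildcard ports, so every path is an explicit tag-to-tag grant.
  "acls": [
    {"action": "accept", "src": ["tag:tazpod"],       "dst": ["tag:tazlab-vault:22,6443,50000"]},
    {"action": "accept", "src": ["tag:tazpod"],       "dst": ["tag:tazlab-k8s:6443,50000"]},
    {"action": "accept", "src": ["tag:tazpod"],       "dst": ["tag:vault-api:8200"]},
    {"action": "accept", "src": ["tag:tazlab-k8s"],   "dst": ["tag:vault-api:8200"]},
    {"action": "accept", "src": ["tag:tazlab-vault"], "dst": ["tag:tazlab-db:5432"]},
    {"action": "accept", "src": ["tag:tazlab-vault"], "dst": ["tag:tazlab-vault:8201"]}
  ],

  // Policy tests: Tailscale refuses to save the policy if any of these fail,
  // so an edit that widens or breaks the access model is caught before it lands.
  "tests": [
    {"src": "tag:tazpod",
     "accept": ["tag:tazlab-vault:22", "tag:tazlab-k8s:6443", "tag:vault-api:8200"],
     "deny":   ["tag:tazlab-db:5432", "tag:tazlab-vault:8201"]},
    {"src": "tag:tazlab-k8s",
     "accept": ["tag:vault-api:8200"],
     "deny":   ["tag:tazlab-vault:22", "tag:tazlab-vault:6443", "tag:tazlab-db:5432"]},
    {"src": "tag:tazlab-vault",
     "accept": ["tag:tazlab-db:5432", "tag:tazlab-vault:8201"],
     "deny":   ["tag:tazlab-k8s:6443", "tag:tazpod:22"]},
    {"src": "tag:tazlab-db",
     "deny":   ["tag:tazlab-vault:22", "tag:vault-api:8200", "tag:tazpod:22"]}
  ]
}
```

The deny entries matter as much as the accept entries: they pin down that the database tier and the Kubernetes nodes never gain an SSH or Raft path back into the Vault nodes, which is the property the table is meant to guarantee.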
Automation via OAuth
The tailscale/main.tf file defines a tailscale_oauth_client named tazlab-bootstrap.
- Scopes: auth_keys, devices.
- Tags: Automatically assigns tag:tazpod and tag:tazlab-k8s to new devices.
- This allows for the Automatic AuthKey Minting during rebirth.
See Also
- Bridge: Tailscale Bridge
- Protocol: Rebirth Protocol
- Hub: Ephemeral Castle Hub