Ephemeral Castle Tailnet Security

TazLab networking follows a strict Zero Trust model where identity is managed via Tailscale tags and enforced by an ACL policy managed as code.

Identity Governance (acl.json)

Tag Owners

  • tag:tazpod: Managed by roberto.tazzoli@gmail.com.
  • tag:tazlab-vault: Managed by the operator and TazPod.
  • tag:tazlab-k8s: Managed by the operator.
  • tag:tazlab-db: Managed by the operator.
  • tag:vault-api: Managed by the operator and TazPod.

ACL Rules (Direct Access)

Source Tag          Destination Tag     Port(s)            Purpose
tag:tazpod          tag:tazlab-vault    22, 6443, 50000    Admin & Control.
tag:tazpod          tag:tazlab-k8s      6443, 50000        K8s API & Talos API.
tag:tazpod          tag:vault-api       8200               Vault operations.
tag:tazpod          tag:tazlab-db       5432               DB access (Planned).
tag:tazlab-k8s      tag:vault-api       8200               App secret retrieval.
tag:tazlab-vault    tag:tazlab-db       5432               DB access (Planned).
tag:tazlab-vault    tag:tazlab-vault    8201               Raft cluster gossip.
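Because the ACL policy is managed as code, the access matrix above can be checked mechanically before a change is applied. The following is an added example, not TazLab's own tooling: it loads a policy in Tailscale's acl.json shape, flattens the accept rules into (source tag, destination tag, port) triples and reports any pair, port or wildcard that the documented matrix does not cover, plus any tag that has no owner. POLICY_JSON is a constructed sample in the same shape as the real file (plain JSON, so a HuJSON file with comments would need stripping first); the operator identity is the one listed under Tag Owners, and the "tag:tazpod" owner entries for the vault and vault-api tags are an assumption of how "operator and TazPod" is expressed.

```python
"""Drift check for a Tailscale ACL policy managed as code (added example)."""
import json

# Documented access matrix: (src tag, dst tag) -> allowed ports.
EXPECTED = {
    ("tag:tazpod", "tag:tazlab-vault"): {"22", "6443", "50000"},
    ("tag:tazpod", "tag:tazlab-k8s"): {"6443", "50000"},
    ("tag:tazpod", "tag:vault-api"): {"8200"},
    ("tag:tazpod", "tag:tazlab-db"): {"5432"},
    ("tag:tazlab-k8s", "tag:vault-api"): {"8200"},
    ("tag:tazlab-vault", "tag:tazlab-db"): {"5432"},
    ("tag:tazlab-vault", "tag:tazlab-vault"): {"8201"},
}

# Constructed sample policy in acl.json shape; not the real file.
POLICY_JSON = """
{
  "tagOwners": {
    "tag:tazpod":       ["roberto.tazzoli@gmail.com"],
    "tag:tazlab-vault": ["roberto.tazzoli@gmail.com", "tag:tazpod"],
    "tag:tazlab-k8s":   ["roberto.tazzoli@gmail.com"],
    "tag:tazlab-db":    ["roberto.tazzoli@gmail.com"],
    "tag:vault-api":    ["roberto.tazzoli@gmail.com", "tag:tazpod"]
  },
  "acls": [
    {"action": "accept", "src": ["tag:tazpod"],       "dst": ["tag:tazlab-vault:22,6443,50000"]},
    {"action": "accept", "src": ["tag:tazpod"],       "dst": ["tag:tazlab-k8s:6443,50000"]},
    {"action": "accept", "src": ["tag:tazpod"],       "dst": ["tag:vault-api:8200", "tag:tazlab-db:5432"]},
    {"action": "accept", "src": ["tag:tazlab-k8s"],   "dst": ["tag:vault-api:8200"]},
    {"action": "accept", "src": ["tag:tazlab-vault"], "dst": ["tag:tazlab-db:5432", "tag:tazlab-vault:8201"]}
  ]
}
"""


def flatten(policy):
    """Expand every accept rule into (src, dst, port) triples.

    A dst entry looks like "tag:name:22,6443" (ports after the last colon).
    Port tokens are kept as written so ranges ("8000-8010") and "*" are
    compared verbatim against the documented matrix.
    """
    triples = set()
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        for src in rule["src"]:
            for entry in rule["dst"]:
                dst, ports = entry.rsplit(":", 1)
                for port in ports.split(","):
                    triples.add((src, dst, port.strip()))
    return triples


def check_policy(policy_text, expected=EXPECTED):
    """Return a sorted list of findings; an empty list means no drift."""
    policy = json.loads(policy_text)
    findings = []
    actual = flatten(policy)
    documented = {(s, d, p) for (s, d), ports in expected.items() for p in ports}

    # Anything the policy allows beyond the matrix is drift; wildcards are called out.
    for src, dst, port in sorted(actual - documented):
        kind = "wildcard" if "*" in (src, dst, port) else "undocumented"
        findings.append(f"{kind}: {src} -> {dst}:{port}")
    # Anything the matrix promises but the policy lacks is also drift.
    for src, dst, port in sorted(documented - actual):
        findings.append(f"missing: {src} -> {dst}:{port}")

    # Every tag used in a rule needs an owner entry, or nobody is allowed to assign it.
    owners = policy.get("tagOwners", {})
    for tag in sorted({s for s, _, _ in actual} | {d for _, d, _ in actual}):
        if tag.startswith("tag:") and tag not in owners:
            findings.append(f"unowned tag: {tag}")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else POLICY_JSON
    problems = check_policy(text)
    print("\n".join(problems) if problems else "ACL matches documented matrix")
    sys.exit(1 if problems else 0)
```

Run it with the path to acl.json as its only argument; a non-zero exit means the policy and the documented matrix disagree, which is the condition a pre-apply check should block on.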

Automation via OAuth

The tailscale/main.tf file defines a tailscale_oauth_client named tazlab-bootstrap.

  • Scopes: auth_keys, devices.
  • Tags: Automatically assigns tag:tazpod and tag:tazlab-k8s to new devices.
  • This enables automatic auth-key minting during rebirth.

Operational Join Path

  • Standard operator entrypoint: AGENTS.ctx/tools/tailscale/start.sh
  • The script starts tailscaled in the background, so the shell does not block while the daemon initializes.
  • It joins the tailnet using a short-lived auth key minted from the OAuth client credentials.
  • After join, peer reachability is verified with tailscale status and tailscale ping against lushycorp-vault and tazlab-k8s-control-plane-01.
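The join path above, combined with the OAuth client from the previous section, as an added example that is not the project's start.sh: it starts tailscaled in the background, exchanges the OAuth client credentials (read from the environment, never from argv) for an access token, mints a single-use, ephemeral, tag-bound auth key with a ten-minute expiry, runs tailscale up with it, and then checks that the two expected peers are online before pinging them. The OAuth token and key endpoints are Tailscale's public API; the pinned tags and peer hostnames come from this page; the environment variable names, the key constraints and the two-second daemon start-up wait are choices made in this example.

```python
"""Join the tailnet with a short-lived auth key minted via the OAuth client (added example)."""
import json
import os
import subprocess
import time
import urllib.parse
import urllib.request

API = "https://api.tailscale.com/api/v2"
PINNED_TAGS = ["tag:tazpod", "tag:tazlab-k8s"]      # tags the OAuth client is allowed to assign
EXPECTED_PEERS = ["lushycorp-vault", "tazlab-k8s-control-plane-01"]


def build_key_request(tags, ttl_seconds=600):
    """Body for POST /tailnet/-/keys: a one-shot, ephemeral, tag-bound key."""
    return {
        "capabilities": {"devices": {"create": {
            "reusable": False,        # burned on first use, so a leaked key cannot be replayed
            "ephemeral": True,        # the node is removed once it goes offline
            "preauthorized": True,    # no manual approval round-trip during rebirth
            "tags": list(tags),       # identity is the tag set, not a user
        }}},
        "expirySeconds": ttl_seconds,  # unused keys die quickly
        "description": "tazlab-bootstrap rebirth",
    }


def _post(url, data, headers):
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)


def mint_auth_key(client_id, client_secret, tags=PINNED_TAGS, ttl_seconds=600):
    """Client-credentials exchange, then key creation with the constraints above."""
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    token = _post(f"{API}/oauth/token", form,
                  {"Content-Type": "application/x-www-form-urlencoded"})["access_token"]
    key = _post(f"{API}/tailnet/-/keys", json.dumps(build_key_request(tags, ttl_seconds)).encode(),
                {"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    return key["key"]


def peer_status(status_json, expected=EXPECTED_PEERS):
    """Map each expected hostname to its Online flag from `tailscale status --json`."""
    peers = json.loads(status_json).get("Peer", {})
    by_host = {p.get("HostName"): bool(p.get("Online")) for p in peers.values()}
    return {host: by_host.get(host, False) for host in expected}


def join_and_verify():
    # Background daemon so this shell is not blocked while tailscaled initializes.
    subprocess.Popen(["tailscaled"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    time.sleep(2)  # assumption: enough for the local API socket to appear
    key = mint_auth_key(os.environ["TS_OAUTH_CLIENT_ID"], os.environ["TS_OAUTH_CLIENT_SECRET"])
    subprocess.run(["tailscale", "up", f"--authkey={key}"], check=True)
    status = subprocess.run(["tailscale", "status", "--json"],
                            check=True, capture_output=True, text=True).stdout
    online = peer_status(status)
    for host, up in online.items():
        if up:
            subprocess.run(["tailscale", "ping", "-c", "3", host], check=False)
    return online


if __name__ == "__main__":
    print(json.dumps(join_and_verify(), indent=2))
```

The returned map makes the reachability check a pass/fail signal rather than something read off a terminal: a peer that is absent from the status output, or present but offline, shows up as False and can fail the rebirth before any workload depends on it.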

Important Vault Hostname Note

The Vault runtime tailnet registration is lushycorp-vault (MagicDNS FQDN: lushycorp-vault.magellanic-gondola.ts.net). The old custom alias lushycorp-api.ts.tazlab.net is runtime-defined TLS glue, not a Tailscale-owned name, and is tracked as architecture debt (TD-020).

See Also