Ephemeral Castle Tailscale Foundation

Scope

This page describes the Tailscale control-plane and networking foundation work that lives inside ephemeral-castle/.

Current Synthesis

Inside ephemeral-castle/, Tailscale is a first-class macro-area rather than an incidental utility. It acts as the private network backbone for operator access, runtime connectivity, and cluster-adjacent exposure patterns, and it is managed as infrastructure-as-code through the tailscale/ path.

The repository treats tailscale/acl.json as the policy source of truth, main.tf as the Terraform object model, and setup.sh as the idempotent bootstrap path that publishes the OAuth client back into TazPod.

Main Responsibilities

  • define tailnet ACL and tag ownership rules
  • bootstrap Tailscale OAuth credentials
  • support operator access to infrastructure and runtime surfaces
  • provide the networking backbone used by multiple TazLab tracks

Code Map

  • acl.json - tag ownership and ACL rules
  • main.tf - tailnet settings plus OAuth bootstrap client
  • setup.sh - Terraform apply, credential extraction, vault update, S3 push
  • variables.tf - API key and tailnet inputs
  • outputs.tf - bootstrap outputs for the OAuth client
  • logs/ - structured setup logs

Important Operational Characteristics

  • tailscale_tailnet_settings disables device auto-updates and sets key duration to 180 days
  • the bootstrap client uses auth_keys and devices scopes
  • ACL source of truth lives in ephemeral-castle/tailscale/acl.json
  • live execution forced policy fixes, such as making tag:tazpod an owner of tag:tazlab-vault and tag:vault-api
  • SSH on port 22 had to be explicitly allowed for the tag:tazpod to tag:tazlab-vault path
  • in the current operator environment, userspace networking can require tailscale nc or an SSH proxy rather than normal kernel routing

ACL Shape

  • tag:tazpod can own tag:tazlab-vault, tag:vault-api, and itself
  • tag:tazlab-k8s can own its own tag
  • tag:tazlab-vault is allowed to reach itself on 8201, tag:tazlab-db on 5432, and the TazPod operator on 22, 6443, and 50000
  • tag:tazpod can reach tag:vault-api:8200 and tag:tazlab-db:5432
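Added example, not code from the repository: a small Python lint over a constructed acl.json that checks the two policy fixes the live runs forced, namely that every tag used in a rule is declared in tagOwners and that the tag:tazpod to tag:tazlab-vault path accepts port 22. It assumes the "TazPod operator" destination in the ACL shape is tag:tazpod.

```python
import json

# Constructed sample policy (not the repository's acl.json) expressing the ACL
# shape above; the "TazPod operator" destination is assumed to be tag:tazpod.
# Port 22 on the tag:tazpod -> tag:tazlab-vault path is left out on purpose so
# that check_policy() reports it, as live execution did.
SAMPLE_ACL = json.loads("""
{
  "tagOwners": {"tag:tazpod": ["tag:tazpod"], "tag:tazlab-vault": ["tag:tazpod"],
                "tag:vault-api": ["tag:tazpod"], "tag:tazlab-k8s": ["tag:tazlab-k8s"]},
  "acls": [
    {"action": "accept", "src": ["tag:tazlab-vault"],
     "dst": ["tag:tazlab-vault:8201", "tag:tazlab-db:5432", "tag:tazpod:22,6443,50000"]},
    {"action": "accept", "src": ["tag:tazpod"],
     "dst": ["tag:vault-api:8200", "tag:tazlab-db:5432"]}
  ]
}
""")

# Paths the live environment showed must be accepted: (src tag, dst tag, port).
REQUIRED_PATHS = [("tag:tazpod", "tag:tazlab-vault", 22)]


def dst_ports(dst):
    """Split 'tag:x:22,80-82' into ('tag:x', {22, 80, 81, 82}); port '*' -> None."""
    host, _, ports = dst.rpartition(":")
    if ports == "*":
        return host, None
    out = set()
    for p in ports.split(","):
        lo, _, hi = p.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return host, out


def check_policy(policy, required=REQUIRED_PATHS):
    """Return findings: tags used in acls without a tagOwners entry, and uncovered paths."""
    findings = []
    acls = [r for r in policy.get("acls", []) if r.get("action") == "accept"]
    used = {s for r in acls for s in r["src"] if s.startswith("tag:")}
    used |= {dst_ports(d)[0] for r in acls for d in r["dst"] if d.startswith("tag:")}
    for tag in sorted(used - set(policy.get("tagOwners", {}))):
        findings.append(f"unowned tag referenced in acls: {tag}")
    for src, dst, port in required:
        if not any(src in r["src"] and any(h == dst and (ps is None or port in ps)
                                           for h, ps in map(dst_ports, r["dst"]))
                   for r in acls):
            findings.append(f"missing path: {src} -> {dst}:{port}")
    return findings
```

Running check_policy(SAMPLE_ACL) reports tag:tazlab-db as referenced without an owner (the page lists no owner for it) and the missing port 22 path; adding the corresponding tagOwners entry and accept rule clears both findings.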

Relationships

Source Basis

  • AGENTS.ctx/ephemeral-castle/CONTEXT.md
  • AGENTS.ctx/memory/system-state.md