marcel/familienarchiv
1
0
Fork 0
Code Issues 118 Pull Requests 2 Actions 4 Packages Projects Releases Wiki Activity

Add Hetzner VPS to Tailscale tailnet for private deployment access #141

New Issue
Open
opened 2026-03-28 10:31:17 +01:00 by marcel · 0 comments
marcel commented 2026-03-28 10:31:17 +01:00
Owner
Copy Link

Why

The Gitea instance and act-runner live on the home LAN — not reachable from the public internet. The Hetzner VPS is on the public internet. For CI to deploy to the VPS, the two need a secure private channel.

Tailscale is already used on the home network. Adding the VPS to the same tailnet gives the act-runner a stable, authenticated route to the VPS over WireGuard — no open firewall ports, no VPN server to maintain, no dynamic IP problems.

This is a prerequisite for the CI deploy pipeline (#142 and #143).

What to do

1. Install Tailscale on the VPS

curl -fsSL https://tailscale.com/install.sh | sh

2. Authenticate and join the tailnet

Generate a reusable auth key in the Tailscale admin console (tailscale.com/admin/settings/keys):

  • Set it as reusable if you may need to re-register
  • Tag it (e.g. tag:vps) so it gets the right ACL policy
tailscale up --authkey=<your-auth-key> --hostname=familienarchiv-vps

3. Verify connectivity from the act-runner host

From the home server where the act-runner runs:

tailscale ping familienarchiv-vps
# Should show: pong from familienarchiv-vps (100.x.x.x)

Note the assigned Tailscale IP (tailscale ip -4 on the VPS).

4. Lock down the VPS firewall

The VPS should only accept SSH over Tailscale, not from the public internet. Only ports 80 and 443 (Caddy) need to be publicly open.

# Using ufw
ufw default deny incoming
ufw allow 80/tcp    # HTTP (Caddy, for Let's Encrypt challenge)
ufw allow 443/tcp   # HTTPS
ufw allow 443/udp   # HTTP/3
ufw allow in on tailscale0   # allow all traffic over Tailscale interface
ufw enable

This means ssh user@<public-ip> stops working — SSH only works via ssh user@<tailscale-ip>. That is intentional.

5. Create a deploy user on the VPS

Avoid using root or your personal user for CI deploys. Create a dedicated deploy user with Docker access:

useradd -m -s /bin/bash deploy
usermod -aG docker deploy
mkdir -p /home/deploy/.ssh
chmod 700 /home/deploy/.ssh

The deploy user's authorized_keys will be populated in #142 (SSH key setup).

6. Store the Tailscale IP as a Gitea secret

In Gitea → repo settings → Secrets:

  • Name: VPS_TAILSCALE_IP
  • Value: the Tailscale IP of the VPS (e.g. 100.64.x.x)

This secret is used by the deploy job in #142.

Acceptance criteria

  • tailscale ping familienarchiv-vps succeeds from the home server.
  • ssh deploy@<VPS_TAILSCALE_IP> works from the home server.
  • ssh deploy@<VPS_PUBLIC_IP> is refused (firewall blocks public SSH).
  • Ports 80 and 443 are reachable from the public internet (needed for Caddy TLS).
  • VPS_TAILSCALE_IP secret exists in Gitea repo settings.
## Why The Gitea instance and act-runner live on the home LAN — not reachable from the public internet. The Hetzner VPS is on the public internet. For CI to deploy to the VPS, the two need a secure private channel. Tailscale is already used on the home network. Adding the VPS to the same tailnet gives the act-runner a stable, authenticated route to the VPS over WireGuard — no open firewall ports, no VPN server to maintain, no dynamic IP problems. This is a prerequisite for the CI deploy pipeline (#142 and #143). ## What to do ### 1. Install Tailscale on the VPS ```bash curl -fsSL https://tailscale.com/install.sh | sh ``` ### 2. Authenticate and join the tailnet Generate a reusable auth key in the Tailscale admin console (tailscale.com/admin/settings/keys): - Set it as reusable if you may need to re-register - Tag it (e.g. `tag:vps`) so it gets the right ACL policy ```bash tailscale up --authkey=<your-auth-key> --hostname=familienarchiv-vps ``` ### 3. Verify connectivity from the act-runner host From the home server where the act-runner runs: ```bash tailscale ping familienarchiv-vps # Should show: pong from familienarchiv-vps (100.x.x.x) ``` Note the assigned Tailscale IP (`tailscale ip -4` on the VPS). ### 4. Lock down the VPS firewall The VPS should only accept SSH over Tailscale, not from the public internet. Only ports 80 and 443 (Caddy) need to be publicly open. ```bash # Using ufw ufw default deny incoming ufw allow 80/tcp # HTTP (Caddy, for Let's Encrypt challenge) ufw allow 443/tcp # HTTPS ufw allow 443/udp # HTTP/3 ufw allow in on tailscale0 # allow all traffic over Tailscale interface ufw enable ``` This means `ssh user@<public-ip>` stops working — SSH only works via `ssh user@<tailscale-ip>`. That is intentional. ### 5. Create a deploy user on the VPS Avoid using root or your personal user for CI deploys. Create a dedicated `deploy` user with Docker access: ```bash useradd -m -s /bin/bash deploy usermod -aG docker deploy mkdir -p /home/deploy/.ssh chmod 700 /home/deploy/.ssh ``` The deploy user's `authorized_keys` will be populated in #142 (SSH key setup). ### 6. Store the Tailscale IP as a Gitea secret In Gitea → repo settings → Secrets: - **Name:** `VPS_TAILSCALE_IP` - **Value:** the Tailscale IP of the VPS (e.g. `100.64.x.x`) This secret is used by the deploy job in #142. ## Acceptance criteria - `tailscale ping familienarchiv-vps` succeeds from the home server. - `ssh deploy@<VPS_TAILSCALE_IP>` works from the home server. - `ssh deploy@<VPS_PUBLIC_IP>` is refused (firewall blocks public SSH). - Ports 80 and 443 are reachable from the public internet (needed for Caddy TLS). - `VPS_TAILSCALE_IP` secret exists in Gitea repo settings.
marcel added the devopsphase-3: prod-compose labels 2026-03-28 10:46:49 +01:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
P0-critical
Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.
 P1-high
Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.
 P2-medium
Noticeable improvement; doesn't block anything; schedule opportunistically.
 P3-later
Cosmetic or parking-lot work; fine to stay open indefinitely.
 audit
Read-only audit / assessment work; produces a report rather than changing code
 bug
Something isn't working
 cleanup
Removal of dead code, vague comments, naming violations, and scratch artifacts
 collaboration
We want to extend the family archive to have more collaboration tools
 conversation
descoped
We will do that later
 devops
documentation
README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs
 epic
Marker for epic-level issues that group multiple child issues
 feature
file-upload
legibility
Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction
 notification
person
phase-1: security
Security hygiene — must be done first
 phase-2: container-images
Production-ready multi-stage Docker images
 phase-3: prod-compose
Production compose overlay + Caddy reverse proxy
 phase-4: spring-prod-profile
Spring Boot production configuration profile
 phase-5: backups
Database and object storage backup strategy
 phase-6: deployment-docs
.env.example, DEPLOYMENT.md, runbook
 phase-7: monitoring
Prometheus, Loki, Grafana, Alertmanager
 refactor
Code restructuring without behaviour change
 security
test
ui
UI/UX and accessibility issues
 user
No Label devops phase-3: prod-compose
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Jens marcel
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: marcel/familienarchiv#141
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?