Tailscale Setup Scope — RemoteStack / LocalStack

Goal: Replace IP whitelisting. The Studios + Daniel's laptop reachable securely from anywhere, by name, gated by identity — not IP.

The tailnet already exists — it's Daniel's (teka.ai). Adib does not log into Daniel's account. He joins each Studio with an auth key Daniel generates (Step 1). No identity-provider decision needed.

Done when: from any network, with no whitelist, Daniel can ssh both Studios by name — and they're not exposed to the public internet.


Who does what

  • Daniel: generate the auth key, send it to Adib when he's ready, then disable key expiry once the Studios are on.

  • Adib: install the Standalone app on each Mac Studio and run one tailscale up command with Daniel's key.


Step 1 — Daniel: generate the auth key

login.tailscale.com/admin/settings/keys → Generate auth key

  • Description: RemoteStack — Kindo Studios

  • Reusable: ✅ Yes — one key covers both Studios

  • Ephemeral: ❌ No — the Studios are persistent

  • Pre-approved: ✅ Yes — skips manual device approval

  • Tags: tag:remotestack — lets Daniel scope ACLs to these boxes later

  • Expiration: 24h

Copy the tskey-auth-… string somewhere safe. Send it to Adib only when he's ready to run it — don't post it anywhere public; the 24h expiry contains the risk if it leaks.

Step 2 — Adib: install on each Mac Studio

Use the Standalone variant (the .pkg from tailscale.com/download) — not the App Store version. It's the only one that runs before login, ships the tailscale CLI, and supports Tailscale SSH. Never install both variants on the same Mac; it breaks the network extension.

On each Studio:

  1. Download + run the Standalone .pkg from tailscale.com/download.

  2. Approve the macOS prompts — System Extension + VPN configuration (System Settings → Login Items & Extensions, plus the VPN permission dialog).

  3. Join the tailnet with the key — different hostname per box:

- sudo tailscale up --authkey=<key> --ssh --hostname=remotestack-29

- sudo tailscale up --authkey=<key> --ssh --hostname=remotestack-4

--hostname gives clean MagicDNS names so the pair is identifiable as RemoteStack, not mixed into Daniel's personal devices. --ssh turns on keyless, ACL-gated, audited SSH.

Step 3 — Adib: keep the Studios always-on

For each Studio:

  1. Energy: never sleep on power, keep running when idle. Quick way: sudo pmset -c sleep 0 disablesleep 1

  2. Confirm it reconnects after a reboot — the standalone variant starts before login, so it should come back on its own.

Step 4 — Daniel: disable key expiry

In the admin console, open each Studio → disable key expiry, so they never silently drop off and force a re-auth.

Step 5 — Daniel's laptop (LocalStack)

This one's Daniel's, so he just logs in normally:

  1. Install the Standalone .pkg, open Tailscale, log in to Daniel's teka.ai tailnet.

  2. tailscale up --ssh --hostname=localstack

Step 6 — Lock down + cut over

  1. Set ACLs (least privilege) — only Daniel's account reaches the Studios, only on the ports in use. Keep the ACL file in version control. tag:remotestack from Step 1 makes this clean.

  2. Test before cutover: from Daniel's phone on cellular (not the cafe wifi), ssh sysadmin@remotestack-29. If that works with no whitelist, it's ready.

  3. Remove the public ports / drop the coffee-shop + home IP allowlist. The Studios are now tailnet-only.
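A starting ACL policy for Step 6, item 1, as an added example (HuJSON, not from the original scope doc): it assumes Daniel's Tailscale login is daniel@teka.ai (placeholder, swap in the login shown in the admin console) and reuses the sysadmin account from the Step 6 test.

```json
{
  // tag:remotestack has to be declared here first: the Step 1 auth key
  // can only carry a tag that already has an owner in this policy.
  "tagOwners": {
    "tag:remotestack": ["daniel@teka.ai"]
  },

  // Default deny: nothing is reachable unless a rule below allows it.
  "acls": [
    // Daniel (any device logged in as him, localstack included) -> Studios,
    // SSH only. Add further dst ports here as they come into use, nothing wider.
    {
      "action": "accept",
      "src":    ["daniel@teka.ai"],
      "dst":    ["tag:remotestack:22"]
    }
  ],

  // Tailscale SSH rule (needs the port-22 acl above as well). "check"
  // forces a fresh browser re-auth before a session; "accept" would skip it.
  "ssh": [
    {
      "action": "check",
      "src":    ["daniel@teka.ai"],
      "dst":    ["tag:remotestack"],
      "users":  ["sysadmin"]
    }
  ]
}
```

This is the file to keep in version control; it lives under Access Controls in the admin console.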


Out of scope (later, builds on this)

  • The Cloud surfacing which agents run on which stack — relies on the clean remotestack-* / localstack naming set here.

  • Laptop-close → cloud handoff — same naming/addressing foundation.
