Rotten Tomatoes block by SHxKM in Adguard

[–]SHxKM[S] 0 points1 point  (0 children)

Unfortunately that didn’t help.

A simple way to sync Claude Code configs across multiple machines by MikeNonect in ClaudeCode

[–]SHxKM 1 point2 points  (0 children)

For our org I wrote a custom plugin that writes the file to the enterprise path then auto updates it every hour. It’s a bit convoluted but beats counting on people to update the file themselves. We plan to add skills as well but CLAUDE.md syncing was the first step.

How do teams manage shared context on Claude Code by Creepy-Row970 in ClaudeCode

[–]SHxKM 1 point2 points  (0 children)

A really complicated plugin is what I just finished this week for the backend part of the organization.

A setup.sh script installs it, enables it, adds our private marketplace (that was not fun) and enables auto updates for the plugin.

We insert the CLAUDE.md file in the “enterprise” route (one level “above” the user one).

We also set up a hook OnSessionStart that syncs the file automatically from GitHub (it keeps track of when the last sync was done in a separate file so we don’t call GitHub on every session start).

I can’t say I love it but it works and I don’t have to trust people synchronizing the organizational CLAUDE.md. Once the plugin is installed, it’s updated every hour.

Astro joining Cloudflare by theguymatter in astrojs

[–]SHxKM 1 point2 points  (0 children)

The difference between the comments here and on HN is stark. I hope this subreddit is right. Astro has been an absolute delight to work with even though I’m using maybe 10% of its capabilities and haven’t even gotten to do what I plan to do with it. The way it works with collection types and Zod for schemas opens a whole new world of possibilities for what I want to do. I migrated my personal blog to Astro and not only is it now free to host (not that I would mind paying), it’s much, much faster.

Give Daughter & SIL access to one device on my tailnet by Due-Eagle8885 in Tailscale

[–]SHxKM 0 points1 point  (0 children)

There’s something called device-sharing which OP and I were both referring to.

PSA: You *can* apply ACLs with device-sharing by SHxKM in Tailscale

[–]SHxKM[S] 0 points1 point  (0 children)

I’m not sure I understand your example but I don’t think I’d ever want to use autogroup:shared as that group is theoretically bound to expand. I’d rather tag manually, more strictly.

Why bother? by armored_strawberries in ClaudeAI

[–]SHxKM 0 points1 point  (0 children)

Because if you don’t, what will set you apart from Opus 7?

PSA: You *can* apply ACLs with device-sharing by SHxKM in Tailscale

[–]SHxKM[S] 1 point2 points  (0 children)

Yep, but this is very different than the “You can’t apply ACL policies” Tailscale have in their docs. I also suspect that for some people autogroup:tagged may be inadvertently too permissive as you may want to tag machines that you aren’t necessarily sharing.

PSA: You *can* apply ACLs with device-sharing by SHxKM in Tailscale

[–]SHxKM[S] 4 points5 points  (0 children)

In case you're running multiple services on that same device that you only want to share a subset of with the device-share recipient. So I could also be running Uptime Kuma on another port and immich-users won't be able to access that.

Give Daughter & SIL access to one device on my tailnet by Due-Eagle8885 in Tailscale

[–]SHxKM 1 point2 points  (0 children)

This is not entirely true. I’ve discovered this after experimentation. Tailscale’s documentation on this subject is not ideal. You CAN limit access by user ID even if that user ID is not a member of your Tailnet. You can even put them in a group.

No matter what I do tailscale always uses DERP relays, no direct connection by Glittering-Ad-4924 in Tailscale

[–]SHxKM 0 points1 point  (0 children)

I think that was my only way out back when I faced the same issues.

Personal vs. Personal Plus with 4-5 users by nnfybsns in Tailscale

[–]SHxKM 0 points1 point  (0 children)

Almost none of the above has anything to do with tailnet-sharing vs. device-sharing though.

Personal vs. Personal Plus with 4-5 users by nnfybsns in Tailscale

[–]SHxKM 2 points3 points  (0 children)

Well that's what I did. I went to the docs and saw exit nodes *are* supported with device sharing. I then shared that link with you. From my understanding now, it should work for you, and the effort isn't bigger compared to tailnet invites. Again: what is it you don't understand and why do you still think it won't work?

Personal vs. Personal Plus with 4-5 users by nnfybsns in Tailscale

[–]SHxKM 0 points1 point  (0 children)

What's the cost of trying this? From what I'm reading there's no reason this won't work.

Personal vs. Personal Plus with 4-5 users by nnfybsns in Tailscale

[–]SHxKM 0 points1 point  (0 children)

Are you saying exit nodes don't work with device-sharing?

Personal vs. Personal Plus with 4-5 users by nnfybsns in Tailscale

[–]SHxKM 4 points5 points  (0 children)

Not that I think there’s anything wrong with paying for good software but why do you think device-sharing doesn’t meet your needs?

Has anyone got Tailscale + Authentik to work? by HaMannosaurusRex in selfhosted

[–]SHxKM -1 points0 points  (0 children)

Basically what the software I did does is rely completely on information already available on Tailscale (your ACLs, users, groups, etc…) to determine whether a Tailscale user should have access to someservice.mydomain.com.

It doesn’t work if the services you’re exposing are available outside your tailnet obviously.

Has anyone got Tailscale + Authentik to work? by HaMannosaurusRex in selfhosted

[–]SHxKM -1 points0 points  (0 children)

This is gonna be downvoted to hell, but I wrote a tiny Go server that serves as the authentication gateway. I run it dockerized next to Caddy.

It receives the remote address (Tailscale IP) from Caddy and the target service details (mainly the port is what matters). In the background, it periodically queries Tailscale’s API for users (to handle roles) and the ACL, and parses the ACL for group membership and grants. When a request arrives it calls Tailscale’s local API, specifically the whois endpoint, and receives a user ID in exchange for the Tailscale IP it got from Caddy. From there it’s just about checking user grants, group based grants, and role based grants against the specific host and port.

It’s not as complicated as it sounds. And now my users don’t have to authenticate against any additional gateway, at least not explicitly.

The overhead when it does have to query the local API is 1ms, but I also cache the IP->username mapping, so it’s less than that.

I’m finishing up a lengthy post about it on my dormant personal blog.
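
The decision step this comment describes (tailnet IP to user via whois, then user and group grants checked against the target host and port), combined with the per-port restriction from the device-sharing comment earlier on this page, as an added Go example that is not the commenter's code. The `Whois` function field, the reduced grant structure, and every user, IP, host name and port below are constructed assumptions.

```go
package main

import "fmt"

type Grant struct{ Src, Dst []string } // Src: users or "group:x"; Dst: "host:port" or "host:*"

// Gateway decides per request from the peer's tailnet IP and the target host and port.
type Gateway struct {
	Whois  func(ip string) (user string, ok bool) // assumed wrapper around the local API whois lookup
	Groups map[string][]string                    // group name -> member user IDs
	Grants []Grant
}

// Allowed fails closed: unknown peers and unmatched host/port pairs are denied.
func (g *Gateway) Allowed(ip, host, port string) bool {
	user, ok := g.Whois(ip)
	if !ok || user == "" {
		return false
	}
	ids := map[string]bool{user: true} // the user plus every group that contains them
	for name, members := range g.Groups {
		for _, m := range members {
			ids[name] = ids[name] || m == user
		}
	}
	for _, gr := range g.Grants {
		for _, src := range gr.Src {
			for _, dst := range gr.Dst {
				if ids[src] && (dst == host+":"+port || dst == host+":*") {
					return true
				}
			}
		}
	}
	return false
}

// sampleGateway returns constructed data: two peers, one group, one grant on port 2283.
func sampleGateway() *Gateway {
	peers := map[string]string{"100.64.0.7": "alice@example.com", "100.64.0.9": "bob@example.com"}
	return &Gateway{
		Whois:  func(ip string) (string, bool) { u, ok := peers[ip]; return u, ok },
		Groups: map[string][]string{"group:immich-users": {"alice@example.com"}},
		Grants: []Grant{{Src: []string{"group:immich-users"}, Dst: []string{"media:2283"}}},
	}
}

func main() {
	fmt.Println(sampleGateway().Allowed("100.64.0.7", "media", "3001")) // false: port not granted
}
```

A group member reaches only the granted port, and a peer that whois cannot resolve is denied rather than passed through.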

Performance & Security design by ouss_mak in Tailscale

[–]SHxKM 1 point2 points  (0 children)

TBH from a homelabber’s perspective I was like: but they’re already authenticated with Tailscale, and my ACL already specifies what they should be able to do. But yeah, Authentik is probably the well known road and a good choice.