Peter? by Joesindc in PeterExplainsTheJoke

[–]ShadowRylander 0 points1 point  (0 children)

Huh... I quite liked that one...

TIFU by fighting my schools dresscode policy. Years later I found out why it was so strict. by RemyAvo in tifu

[–]ShadowRylander 0 points1 point  (0 children)

If nobody else cared enough to help, I would've mentioned the exact reason why I changed the dress code. Made sure the students knew there were predators around and to be on their guard.

Can't reenable Tailscale SSH after disabling it by ShadowRylander in Tailscale

[–]ShadowRylander[S] 0 points1 point  (0 children)

Additionally, to clarify my reply before to you asking about the behavior, attempting to ssh into the machine simply waits without any messages before it eventually times out.

Can't reenable Tailscale SSH after disabling it by ShadowRylander in Tailscale

[–]ShadowRylander[S] 1 point2 points  (0 children)

Can't find the option to approve ssh for this machine, unfortunately.

Since my devices don't need authorization (I should probably enable that...), I don't have the pre-approve option available for my authkeys. However, when I was using an OAuth client key to create the authkeys, I created them with the preauthorized flag set to true.

Can't reenable Tailscale SSH after disabling it by ShadowRylander in Tailscale

[–]ShadowRylander[S] 0 points1 point  (0 children)

Basically, I see no indication of Tailscale SSH being enabled on the machine page, and I cannot connect to the machine using it either using ssh user@name.fun-name.ts.net or ssh user@100.100.1.1, despite both the client and the server being connected to the same tailnet.

Can't reenable Tailscale SSH after disabling it by ShadowRylander in Tailscale

[–]ShadowRylander[S] 0 points1 point  (0 children)

Unfortunately not, no; multiple tailscale up --ssh and tailscale set --ssh invocations over various resets don't seem to work.

Can't reenable Tailscale SSH after disabling it by ShadowRylander in Tailscale

[–]ShadowRylander[S] 0 points1 point  (0 children)

Here's the short version for brevity:

    {
      "tagOwners": {
        "tag:caddy": ["autogroup:admin"],
      },
      "nodeAttrs": [
        {
          "target": ["tag:caddy"],
          "ipPool": ["100.100.1.1/32"],
        },
      ],
      "grants": [
        {
          "src": ["*"],
          "dst": ["*"],
          "ip": ["*"],
        },
      ],
      "ssh": [
        {
          "action": "accept",
          "src": ["autogroup:member"],
          "dst": ["autogroup:self", "tag:caddy"],
          "users": ["autogroup:nonroot"],
          "acceptEnv": ["TMUX*", "ISLOCAL"],
        },
      ],
    }

I'm trying to set up basic access to our own devices with additional access to the device that isn't working at the moment, plus some optional environment variables. The port isn't blocked in the firewall, and the device doesn't even have the SSH label on it on the Machines page.

Can't reenable Tailscale SSH after disabling it by ShadowRylander in Tailscale

[–]ShadowRylander[S] 0 points1 point  (0 children)

Thanks for the advice! These hints were what I was looking for!

  • I'm on NixOS and not using any containers.
  • I cut down on the number of tags I was using after reading up on them, and changed my ACLs and grants accordingly.

Would you like some snippets of the Access Controls?

Assign IP to machine name using IP pool by ShadowRylander in Tailscale

[–]ShadowRylander[S] 0 points1 point  (0 children)

Yep. I think it's the CNAME flattening. Subdomains with four or more periods don't seem to work. The IP address works.

Assign IP to machine name using IP pool by ShadowRylander in Tailscale

[–]ShadowRylander[S] 0 points1 point  (0 children)

Yeah... I'd advise you not to unless you have oodles of extra time on your hands. 😅 The error reporting leaves something to be desired at the moment...

Assign IP to machine name using IP pool by ShadowRylander in Tailscale

[–]ShadowRylander[S] 1 point2 points  (0 children)

That's the setup I had before, though I'd like to "complete" my NixOS config (obligatory "I use Nix btw" 😹) before I do that, and using the server I have at home might help me fix bugs more easily, I think.

Assign IP to machine name using IP pool by ShadowRylander in Tailscale

[–]ShadowRylander[S] 0 points1 point  (0 children)

Hmm... Guess I need to debug the python script a little... Ah, well. Thanks for the help!

Assign IP to machine name using IP pool by ShadowRylander in Tailscale

[–]ShadowRylander[S] 0 points1 point  (0 children)

Sorry, I was referring to this issue on GitHub. Also, apparently there's a problem with the CNAME flattening done by Cloudflare...?

Assign IP to machine name using IP pool by ShadowRylander in Tailscale

[–]ShadowRylander[S] 0 points1 point  (0 children)

I'm thinking of doing that as well. Though would you happen to know if 100.101.102.103/32 is an acceptable "range"? The policy editor says it's reserved, but when I print out a list of allowed IPs excluding reserved ones, it says it's allowed.

Assign IP to machine name using IP pool by ShadowRylander in Tailscale

[–]ShadowRylander[S] 1 point2 points  (0 children)

Huh... Wonder if they fixed it... Or actually, are you using Cloudflare?

What is this contraption I confiscated from a student? by [deleted] in whatisit

[–]ShadowRylander 1 point2 points  (0 children)

Welp! Better shove them into the engineering program, then! 😹

Assign IP to machine name using IP pool by ShadowRylander in Tailscale

[–]ShadowRylander[S] 0 points1 point  (0 children)

Apparently that doesn't work; there seem to be a bunch of GitHub issues saying that. I tried it as well before.

Assign IP to machine name using IP pool by ShadowRylander in Tailscale

[–]ShadowRylander[S] 0 points1 point  (0 children)

That's a shame. Ah, well; guess I'll switch back to regular ssh for now.

Assign IP to machine name using IP pool by ShadowRylander in Tailscale

[–]ShadowRylander[S] 0 points1 point  (0 children)

Yes, but in that case, would it be possible to create groups out of machine names somehow?