auto-commit 2026-02-04: update USER.md, daily notes, experimenta-tailscale docs

2026-02-04 00:00:09 +01:00
parent 5a31e17027
commit a8602ea07c
4 changed files with 82 additions and 1 deletions
--- a/memory/experimenta-tailscale-vpn-tunnel.md
+++ b/memory/experimenta-tailscale-vpn-tunnel.md
@@ -158,4 +158,46 @@ tailscale up --accept-routes

 ---

-*Erstellt: 2026-01-31*
+## Headscale Nodes & Users
+
+| Node | IP | User | Status |
+|------|-----|------|--------|
+| gl-mt3000 | 100.64.0.11 | xportal | online |
+| air4 | 100.64.0.5 | bam | online |
+| sp4c3 | 100.64.0.7 | bam | online |
+| heimdall | 100.64.0.4 | heimdall | online |
+| docker-intranet | 100.64.0.3 | npm | online |
+| glkvm-pve | 100.64.0.9 | glkvm-pve | online |
+
+## Headscale ACL-Policy (Entwurf)
+
+```json
+{
+  "groups": {
+    "group:allow": ["bam@", "heimdall@", "npm@", "glkvm@", "glkvm-pve@"]
+  },
+  "acls": [
+    { "action": "accept", "src": ["group:allow"], "dst": ["group:allow:*"] },
+    { "action": "accept", "src": ["bam@"], "dst": ["xportal@:*"] },
+    { "action": "accept", "src": ["bam@"], "dst": ["192.168.222.0/24:*", "192.168.228.0/24:*"] },
+    { "action": "accept", "src": ["xportal@"], "dst": ["xportal@:*"] }
+  ],
+  "ssh": [
+    { "action": "accept", "src": ["bam@"], "dst": ["*"], "users": ["bam", "root"] }
+  ]
+}
+```
+
+**Wichtig:** Routes müssen explizit in ACL stehen (nicht implizit über xportal@:*)
+**Kill-Switch:** Routes in Headscale deaktivieren reicht um Tunnel abzuschalten
+
+## Offene Probleme
+
+- **Tailscale Login nach Reboot:** GL-MT3000 verliert Login-State
+  - State-File: `/etc/tailscale/tailscaled.state` (korrekt konfiguriert)
+  - `tailscaled --cleanup` im init-script evtl. Ursache?
+  - Noch zu debuggen: State-Datei nach Login prüfen vs. nach Reboot
+
+---
+
+*Erstellt: 2026-01-31 | Aktualisiert: 2026-02-03*