Tailscale
Tailscale provides the private network (tailnet) connecting the web VPS and tools VPS. All inter-VPS traffic uses Tailscale IPs (100.x.x.x). Neither server exposes management ports to the public internet.
Node addresses
| Node | Tailscale IP | Role |
|---|---|---|
| Web VPS | 100.101.148.89 | Ops dashboard, cloudflared |
| Tools VPS | 100.81.122.65 | Gitea (:3000/:2222), Woodpecker (:8000), Portainer (:9000) |
Dashboard widget
The Tailscale widget uses the Tailscale cloud API — not the local daemon API, which is unreachable from Docker bridge networks.
Auth: OAuth client credentials — non-expiring client ID + secret exchanged for short-lived bearer tokens. Tokens are cached in-process for their lifetime (~1 hour).
Configuration
Add to /home/level147.net/.env:

```
TAILSCALE_CLIENT_ID=<client_id>
TAILSCALE_CLIENT_SECRET=<client_secret>
```

Create the credentials at tailscale.com/admin/settings/oauth with only the devices:read scope. The client secret does not expire and grants that scope to anyone who holds it, so keep .env readable only by the account the dashboard runs as and never commit it.
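The widget's auth flow described above (client-credentials exchange, in-process caching of the ~1 hour bearer token, then a call to the cloud API) as an added example. This is not the dashboard's own code; it uses the real Tailscale endpoints `api.tailscale.com/api/v2/oauth/token` and `/api/v2/tailnet/-/devices` and the two env var names from the configuration section, but the `TailscaleClient` class, the injectable `transport`/`clock` parameters, the 60-second refresh skew and the `online` heuristic (derived from `lastSeen`, which is not an `online` field the API returns) are this example's own choices.

```python
"""Added example: minimal Tailscale cloud API client for a dashboard widget.
Exchanges OAuth client credentials for a short-lived bearer token, caches it
in-process until shortly before expiry, and lists tailnet devices."""
import json
import os
import time
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Real Tailscale API endpoints; "-" selects the tailnet the OAuth client belongs to.
TOKEN_URL = "https://api.tailscale.com/api/v2/oauth/token"
DEVICES_URL = "https://api.tailscale.com/api/v2/tailnet/-/devices"

# Refresh this many seconds early so a request issued at the boundary never
# carries a token that expires in flight (example's own choice).
REFRESH_SKEW = 60


def urllib_transport(method, url, headers, body=None):
    """Default HTTP transport (hypothetical helper): returns (status, parsed JSON)."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read().decode())


def _rfc3339_to_epoch(s):
    """Tailscale returns lastSeen like "2025-01-01T00:00:00Z"; drop any fractional part."""
    s = s.split(".")[0].rstrip("Z")
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


class TailscaleClient:
    def __init__(self, client_id, client_secret, transport=urllib_transport, clock=time.time):
        self.client_id = client_id
        self.client_secret = client_secret
        self.transport = transport   # injectable so the logic can be exercised offline
        self.clock = clock           # injectable so expiry can be tested without sleeping
        self._token = None
        self._expires_at = 0.0
        self.token_requests = 0      # number of exchanges performed; useful as a metric

    @classmethod
    def from_env(cls, **kw):
        """Build from the TAILSCALE_CLIENT_ID / TAILSCALE_CLIENT_SECRET env vars."""
        return cls(os.environ["TAILSCALE_CLIENT_ID"], os.environ["TAILSCALE_CLIENT_SECRET"], **kw)

    def bearer_token(self):
        """Return a valid bearer token; exchange credentials only if the cache is empty or near expiry."""
        if self._token is None or self.clock() >= self._expires_at - REFRESH_SKEW:
            form = urllib.parse.urlencode(
                {"client_id": self.client_id, "client_secret": self.client_secret}).encode()
            status, data = self.transport(
                "POST", TOKEN_URL, {"Content-Type": "application/x-www-form-urlencoded"}, form)
            if status != 200 or "access_token" not in data:
                raise RuntimeError(f"OAuth token exchange failed: HTTP {status}")
            self._token = data["access_token"]
            # expires_in is seconds from issue (3600 for Tailscale); default if absent.
            self._expires_at = self.clock() + int(data.get("expires_in", 3600))
            self.token_requests += 1
        return self._token

    def devices(self, online_window=300):
        """List tailnet devices as small dicts for the widget.

        'online' is a heuristic: lastSeen within online_window seconds of now."""
        status, data = self.transport(
            "GET", DEVICES_URL, {"Authorization": "Bearer " + self.bearer_token()})
        if status != 200:
            raise RuntimeError(f"device listing failed: HTTP {status}")
        now = self.clock()
        out = []
        for d in data.get("devices", []):
            age = now - _rfc3339_to_epoch(d["lastSeen"])
            out.append({
                "name": d.get("name", d.get("hostname", "?")),
                # The first IPv4 entry in addresses is the 100.x.x.x tailnet address.
                "ipv4": next((a for a in d.get("addresses", []) if ":" not in a), None),
                "online": age <= online_window,
                "last_seen_age_s": int(age),
            })
        return out


if __name__ == "__main__":
    # Reads the two env vars from the configuration section and prints each device.
    for dev in TailscaleClient.from_env().devices():
        print(dev)
```

Because the transport and clock are injected, the caching rule (one exchange per token lifetime, refreshed inside the skew window) can be verified offline with a fake transport, which is also the safest way to exercise code that holds a non-expiring secret.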
Why OAuth instead of API access tokens
Personal API access tokens expire after at most 90 days, so they would need rotating on a schedule and the widget would break whenever that is missed. OAuth client credentials do not expire and are the intended approach for server-to-server use: the long-lived secret is only ever exchanged for short-lived bearer tokens, and it can be scoped to exactly what the widget needs (devices:read).
Why not the local API
| Approach | Status |
|---|---|
| Local API via 100.100.100.100 | Not reachable from bridge network |
| Local API with network_mode: host | Not implemented — changes container isolation model |
| Cloud API via OAuth | In use |
The Tailscale local API is served by the daemon on the host; 100.100.100.100 is the daemon's own address, not a routable tailnet peer. Containers on the proxy-net bridge network cannot reach host-only services, and giving the dashboard container network_mode: host to fix that would remove the network isolation the rest of the stack relies on.