tailscale
Comprehensive Tailscale VPN setup, configuration, and management for mesh networking, secure access, and zero-trust infrastructure. Covers installation, CLI commands, subnet routers, exit nodes, Tailscale SSH, ACL/grants configuration, MagicDNS, Tailscale Serve/Funnel, API automation, and production deployment best practices. Use when setting up Tailscale, configuring tailnet access controls, deploying subnet routers or exit nodes, enabling Tailscale SSH, exposing services with Serve/Funnel, automating via the Tailscale API, troubleshooting connectivity, or planning production Tailscale deployments.
What this skill does
# Tailscale Network Management
## Quick Start
```bash
# Install (Linux)
curl -fsSL https://tailscale.com/install.sh | sh
# Install (macOS)
brew install tailscale
# Connect and authenticate
sudo tailscale up
# Check status
tailscale status
# Get your Tailscale IP
tailscale ip -4
```
## Common Operations
### Connection Management
```bash
tailscale up # Connect
tailscale down # Disconnect (daemon stays running)
tailscale status # View peers
tailscale status --json | jq # Detailed network map
tailscale ping machine-name # Test connectivity (ignores ACLs)
tailscale ping --icmp machine-name # Test with ACLs
tailscale set --exit-node=name # Use exit node
tailscale set --exit-node= # Stop using exit node
```
Use `tailscale set` to change settings without reconnecting. Use `tailscale up` for initial setup.
### Subnet Router Setup
Run `scripts/setup_subnet_router.sh <subnet_cidr> [auth_key]` for automated setup.
**Manual steps:**
1. Enable IP forwarding on the router device
2. `sudo tailscale up --advertise-routes=192.168.1.0/24`
3. Approve routes in admin console (Machines > device > Edit route settings)
4. Linux clients: `sudo tailscale up --accept-routes`
### Exit Node Setup
Run `scripts/setup_exit_node.sh [auth_key]` for automated setup.
**Manual steps:**
1. Enable IP forwarding on the exit node
2. `sudo tailscale up --advertise-exit-node`
3. Approve in admin console (Machines > device > Edit route settings > Use as exit node)
4. Clients: `tailscale set --exit-node=node-name --exit-node-allow-lan-access`
### Tailscale SSH
```bash
# Enable on server
sudo tailscale set --ssh
# Connect from client (no special setup needed)
ssh machine-name
```
Requires both network access grant and SSH ACL rule. See [acl-examples.md](references/acl-examples.md) for SSH ACL patterns.
### Serve and Funnel
```bash
# Serve locally to tailnet
tailscale serve 3000
# Expose to public internet (ports 443, 8443, or 10000 only)
tailscale funnel 3000
# TCP forwarding with TLS termination
tailscale serve --tls-terminated-tcp=5432 localhost:5432
# Check status / turn off
tailscale serve status
tailscale serve off
```
## Access Control
Use **Grants** (modern, recommended) over ACLs (legacy). Both work, but Grants support application-layer capabilities.
```json
{
"groups": {
"group:engineering": ["[email protected]"]
},
"tagOwners": {
"tag:server": ["group:engineering"]
},
"grants": [
{
"src": ["group:engineering"],
"dst": ["tag:server"],
"ip": ["22", "443"]
}
]
}
```
**Key patterns:** Use groups for people, tags for machines. Always include both network grants and SSH rules for SSH access.
For detailed ACL scenarios, SSH access patterns, posture checks, auto-approvers, GitOps integration, and common mistakes, see [acl-examples.md](references/acl-examples.md).
## Reference Files
- **[cli-reference.md](references/cli-reference.md)** - Complete CLI command reference with all flags, target formats, and platform-specific notes
- **[acl-examples.md](references/acl-examples.md)** - Detailed ACL/grants configuration: team-based access, dev/staging/prod isolation, SSH patterns, posture checks, auto-approvers, GitOps, migration from ACLs to Grants
- **[api-usage.md](references/api-usage.md)** - REST API, Terraform provider, Python SDK, webhooks, automation examples
- **[troubleshooting.md](references/troubleshooting.md)** - Connectivity diagnostics, subnet router issues, exit node issues, SSH problems, MagicDNS, performance tuning, common error messages
- **[production-setup.md](references/production-setup.md)** - Architecture patterns, HA setup, security hardening, IaC (Terraform/Ansible/K8s), monitoring, DR, operational procedures
## Scripts
- **`scripts/setup_subnet_router.sh <subnet_cidr> [auth_key]`** - Automated subnet router setup (installs Tailscale, enables IP forwarding, configures routes)
- **`scripts/setup_exit_node.sh [auth_key]`** - Automated exit node setup (installs Tailscale, enables IP forwarding, advertises as exit node)
Related in Ads & Marketing
ads
IncludedMulti-platform paid advertising audit and optimization skill. Analyzes Google, Meta, YouTube, LinkedIn, TikTok, Microsoft, and Apple Ads. 250+ checks with scoring, parallel agents, industry templates, and AI creative generation.
banana
IncludedAI image generation Creative Director powered by Google Gemini Nano Banana models. Use this skill for ANY request involving image creation, editing, visual asset production, or creative direction. Triggers on: generate an image, create a photo, edit this picture, design a logo, make a banner, visual for my anything, and all /banana commands. Handles text-to-image, image editing, multi-turn creative sessions, batch workflows, and brand presets.
rpg-migration-analyzer
IncludedAnalyzes legacy RPG (Report Program Generator) programs from AS/400 and IBM i systems for migration to modern Java applications. Extracts business logic from RPG III/IV/ILE source code, identifies data structures (D-specs), file operations (F-specs), program dependencies (CALLB/CALLP), and converts RPG constructs to Java equivalents. Generates migration reports, complexity estimates, and Java implementation strategies with POJO classes, JPA entities, and service methods. Use when modernizing AS/400 or IBM i legacy systems, analyzing RPG source files (.rpg, .rpgle, .RPGLE), converting RPG to Java, mapping data specifications to Java classes, planning legacy system migration, or when user mentions RPG analysis, Report Program Generator, RPG III/IV/ILE, AS/400 modernization, IBM i migration, packed decimal conversion, or mainframe application rewrite.
brand-library-architect
IncludedBuild a complete brand library for a product — visual asset render pipeline, brand documentation set (BRAND, COPY, MANIFESTO, BIOS, FAQ, GLOSSARY, TONE, PRICING), open-source convention files (README, CONTRIBUTING, SECURITY, CODE_OF_CONDUCT), and a self-contained press kit. This skill should be used when the user asks to "build a brand library / brand kit / press kit / brand assets" for a product, "set up a brand library workflow," "create a positioning manifesto plus visual identity," or any combination of brand documentation + visual asset pipeline. Apply phase-by-phase or run end-to-end. Templates are product-agnostic and use {{TOKEN}} placeholders the skill prompts the user to fill.
writing-tech-post
IncludedAuthors engineering blog posts end-to-end: launch deep-dives, incident postmortems, architecture migrations, performance case studies, tutorials, AI/agent system writeups, security disclosures, and research-to-product translations. Picks the correct archetype, plans the abstraction ladder, enforces an evidence cadence (diagrams, benchmarks, profiles, traces, code, ablations), tunes voice against publisher house styles (Datadog, Vercel, GitHub, AWS, Meta, Cloudflare, Jane Street), and runs a pre-publish gate for narrative momentum and disclosure ethics. Use when drafting a new engineering post, restructuring a draft that feels flat, deciding which evidence form belongs where, validating that depth and product context are balanced, or preparing a postmortem, migration, or performance narrative for external publication. Do not use for API reference documentation, README authoring, marketing copy, release notes, generic SEO content, ghost-written executive thought leadership, or non-engineering long-form essays.
blog-google
IncludedGoogle API integration for blog performance: PageSpeed Insights, CrUX Core Web Vitals with 25-week history, Search Console performance, URL Inspection, Indexing API, GA4 organic traffic, NLP entity analysis for E-E-A-T, YouTube video search for embedding, and Google Ads Keyword Planner. Progressive feature availability based on credential tier (API key, OAuth/service account, GA4, Ads). Shares config with claude-seo at ~/.config/claude-seo/google-api.json. Use when user says "google data", "page speed", "core web vitals", "search console", "indexation", "GA4", "keyword research", "nlp entities", "blog performance", "youtube search", "google api setup".