tailscale routing
edge vps
- install tailscale
- authenticate into the tailnet
- advertise as an exit node
- run haproxy bound to the public ipv4
tailscale up --advertise-exit-node --ssh
approve the exit node in the tailscale admin console.
lab k3s node
- install tailscale
- authenticate into the same tailnet
- optionally use the vps as exit node for egress
tailscale up --exit-node=<vps-tailnet-name-or-ip> --exit-node-allow-lan-access=true --ssh
ingress path
haproxy on the vps forwards public tcp :443 over the tailnet to <lab-node-tailscale-ip>:443, where caddy listens directly on the k3s node via hostNetwork: true.
split-horizon path
local/tailscale clients can skip the vps by resolving app hostnames directly to the lab node tailscale ip:
*.k3x.dev -> <lab-node-tailscale-ip>
see docs/split-horizon-dns.md.
future tcp forwards
additional tcp services can be added as new haproxy frontends/backends. keep public exposure explicit and documented.
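an example haproxy.cfg for the edge vps covering the ingress path above and the pattern for future tcp forwards. this is an added example, not a config from this setup; <public-ipv4>, <lab-node-tailscale-ip>, <public-port> and <lab-port> are placeholders, and the proxy-protocol remark is an assumption about how client ips could be preserved, not something the notes configure.

```haproxy
# added example (not from these notes): haproxy.cfg for the edge vps.
# public :443 on the vps is forwarded unchanged over the tailnet to caddy on the lab node.
# <public-ipv4> and <lab-node-tailscale-ip> are placeholders, as in the notes.
global
    log /dev/log local0
    maxconn 4096

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# public https: bind only the public ipv4 so nothing is exposed by accident
# on the tailscale interface or any other address. tcp mode means tls is
# passed through; caddy on the lab node terminates it and routes by sni.
frontend https_in
    bind <public-ipv4>:443
    default_backend lab_caddy

backend lab_caddy
    # the tailscale address sends the traffic through the wireguard tunnel
    server lab <lab-node-tailscale-ip>:443 check
    # note (assumption, not part of the notes): in plain tcp mode caddy sees
    # the vps's tailscale address as the client ip. adding "send-proxy-v2" to
    # the server line and enabling proxy protocol on caddy's listener would
    # carry the real client ip instead.

# template for a future tcp forward: one frontend + one backend per service,
# bound explicitly on the public ipv4 and recorded in these notes.
# <public-port> and <lab-port> are placeholders.
# frontend svc_in
#     bind <public-ipv4>:<public-port>
#     default_backend lab_svc
# backend lab_svc
#     server lab <lab-node-tailscale-ip>:<lab-port> check
```

check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, and confirm with `ss -ltnp` that haproxy listens only on the public ipv4.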