diff --git a/errorlog.md b/errorlog.md index e0d87af8..1bcae9b1 100644 --- a/errorlog.md +++ b/errorlog.md @@ -19,6 +19,8 @@ Categories (the `[type]` tag): _(none)_ = skill/command execution failure · +2026-07-06 | Howard-Home | gururmm-build/webhook | [friction] linux webhook build SKIPPED after merge: change-detector excludes agent/Cargo.toml, so a Cargo.toml-only agent change (BUG-024 rustls swap) never rebuilds; had to force build-linux.sh manually as root [ctx: commit=a73dcad ref=build-linux.sh:29] + 2026-07-06 | GURU-5070 | remediation-tool/sharepoint | [correction] assumed SP REST app-only was blocked ('Unsupported app only token') and to use delegated/PnP; correct is the app suite has a CERT-based sharepoint tier — get-token.sh sharepoint mints a cert token with Sites.FullControl.All. Secret is Graph/EXO only. [ctx: client=birth-biologic ref=reference_m365_app_sharepoint_rest_vs_graph] 2026-07-06 | GURU-5070 | wiki-compile | [correction] ran --full (Sonnet rebuild) for a routine post-work capture; plain /wiki-compile client: (update mode) is the fast incremental path for 'just did work, capture it' — reserve --full for structural drift/clean rebuilds diff --git a/session-logs/2026-07/2026-07-06-howard-tech03l-pro-upgrade-tailscale-skill.md b/session-logs/2026-07/2026-07-06-howard-tech03l-pro-upgrade-tailscale-skill.md index 76695eb6..c13d5c5b 100644 --- a/session-logs/2026-07/2026-07-06-howard-tech03l-pro-upgrade-tailscale-skill.md +++ b/session-logs/2026-07/2026-07-06-howard-tech03l-pro-upgrade-tailscale-skill.md @@ -140,3 +140,34 @@ and `.*-b64.txt` were created in the repo root during the RMM work and removed a - Memory: `.claude/memory/reference_windows_edition_upgrade_rmm.md` — verified Home->Pro/PfW path + gotchas. - Wiki pattern: `wiki/patterns/tailscale-client-management.md` — per-client tailnet doctrine. - Tailscale API docs: https://tailscale.com/api ; auth keys https://tailscale.com/kb/1085/auth-keys . + +## Update: 15:09 PT — Tailscale credential hunt (task #4 still blocked) + +Howard said Tailscale "is ran off the server we have control over, you should be able to get the +key" — implying a self-hosted control plane (Headscale) or a stored API token on our infra. I +investigated and found NO such thing on the two most-likely servers: + +- **Vault** — no `tailscale/`/`headscale` entry. **1Password** — none. +- **Jupiter (172.16.3.20, primary Docker host)** — 24 containers (Plex/arr, Gitea, Seafile, NPM, + Discourse, UISP, gururmm-agent, dns-relay, rsync-server, MariaDB, qbittorrent, sabnzbd, emby, + Seerr, radio-archive, P3R-Firefox). **No Headscale, no Tailscale container**; nothing tailscale/ + vpn/zerotier/netbird in `/mnt/user/appdata`. +- **GuruRMM server (172.16.3.30, physical, Ubuntu)** — searched the whole FS **with sudo** (pw from + `infrastructure/gururmm-server` credentials.password): the ONLY tailscale trace is the apt repo + `/etc/apt/sources.list.d/tailscale.list`. **No Headscale binary/config/db, no `tskey-`/API token** + in any config or `.env` (`/opt/gururmm/.env`, `/opt/claudetools/.env` present but no TS creds). +- pfSense (172.16.0.1:2248) and GuruRMM are Tailscale **client nodes** (subnet router / agent), + not a control plane. So on the checked infra, Tailscale reads as **SaaS** with our boxes as nodes. + +Access mechanics established this session (reusable): SSH from Howard-Home has **no sshpass/plink**; +used OpenSSH 10.2 `SSH_ASKPASS`+`SSH_ASKPASS_REQUIRE=force`+`DISPLAY=:0` with a throwaway askpass +script (password via `$JPW` env, script deleted after) for password SSH to Jupiter. GuruRMM uses key +auth `~/.ssh/gururmm-physical` as `guru@172.16.3.30` (NOTE: vault `gururmm-server-physical` lists host +172.16.1.231 but .30 is reachable and correct); `guru` has NO passwordless sudo — feed +`gururmm-server` password via `sudo -S`. + +BLOCKED pending Howard pointing to the exact source: (a) Headscale host + how it runs (then +`headscale apikeys create`), (b) which server + path holds a stored Tailscale SaaS token, or (c) it's +SaaS and he generates an API key / OAuth client (scopes `devices:core` + `auth_keys`) from the admin +console. The `tailscale` skill itself is built, reviewed, committed (f88c7d1), and only needs the +credential vaulted at `tailscale/api-access.sops.yaml` to run the live add/delete verification.