docs(wiki): SMB files+printer over Tailscale (Windows) + Wolkin scope

Robert Wolkin's use case is RSW-Laptop accessing file shares + a shared
printer on front. Add a reusable Windows files/printer section to the
pattern (SMB over the tailnet, the 445 firewall-on-Tailscale-interface
gotcha scoped to 100.64.0.0/10, local-account auth on Home, MagicDNS
FQDN, Point-and-Print via RMM, Taildrive alternative). Record the
concrete per-host post-connect config and the printer-type open item in
the client doc.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-06 15:41:14 -07:00
parent 32e71a1300
commit f75405506e
2 changed files with 65 additions and 5 deletions


@@ -34,8 +34,17 @@ backlinks:
### Tailscale (active rollout)
Per [[patterns/tailscale-client-management]] — **dedicated client-owned tailnet, ACG holds
Admin**. **Goal: RSW-Laptop reaches `front` (the front-desk PC).** Only those two nodes are
enrolled; Bob's personal `DESKTOP-V1JT1SE` is out of scope.
Admin**. **Goal: RSW-Laptop accesses shared files AND a shared printer on `front`** (the
front-desk PC) over the tailnet. Only those two nodes are enrolled; Bob's personal
`DESKTOP-V1JT1SE` is out of scope.
Files + printer run over plain **SMB to `front`'s Tailscale address** — no subnet router
needed (both live on a node). See the Windows files/printer section in the pattern.
**[CONFIRM] Printer type:** is it **USB-attached to `front`** (→ Windows print share, SMB) or a
**separate network printer** on the office LAN that `front` prints to (→ would need a subnet
router on `front` advertising that LAN, or install it by IP on the laptop)? This changes the
design — verify before the printer step.
| Field | Value |
|---|---|
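Review bot: in the **[CONFIRM] Printer type** item, "or install it by IP on the laptop" reads as a router-free alternative, but the laptop can only reach an office-LAN printer IP if that LAN is routed over the tailnet, so for a separate network printer the subnet router on `front` is required either way and installing by IP is just the client-side step on top of it. Suggest rewording to say so, or naming the genuinely router-free option instead: install the network printer on `front` and share it as a Windows print share, so the laptop reaches it over the same SMB path as the files.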
@@ -54,7 +63,21 @@ enrolled; Bob's personal `DESKTOP-V1JT1SE` is out of scope.
| Out of scope | DESKTOP-V1JT1SE | — | Bob's personal machine; NOT enrolled in Tailscale |
Enrollment: push [`patterns/tailscale-client-enroll.ps1`](../patterns/tailscale-client-enroll.ps1)
from GuruRMM with the auth key as a masked parameter.
from GuruRMM with the auth key as a masked parameter (RSW-Laptop + front only).
**Post-connect config (push via GuruRMM after both nodes are up):**
*On `front` (host):*
1. Firewall — allow SMB only over the tailnet:
`New-NetFirewallRule -DisplayName "Tailscale SMB (files+print)" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress 100.64.0.0/10`
2. Confirm/create the **file share** + a **local user account** for the laptop to authenticate
as (Win 11 Home, no domain, insecure guest disabled → real creds required); grant share+NTFS.
3. Confirm the **printer share** (if USB-attached to `front`).
*On `RSW-Laptop` (client):*
4. Map the share by FQDN/IP: `\\front.<tailnet>.ts.net\<Share>` (save creds via `cmdkey`).
5. Add the printer `\\front.<tailnet>.ts.net\<PrinterShare>` — install the driver via RMM
(SYSTEM) to dodge Point-and-Print admin prompts for the non-technical user.
### Servers & Services / Email & Identity / Network
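Review bot: step 1 says "allow SMB only over the tailnet", but an Allow rule cannot enforce "only"; if the built-in "File and Printer Sharing (SMB-In)" rules are enabled on `front`'s active profile, port 445 stays open on the office LAN regardless. Suggest the step also state that those built-in rules must be checked (disabled or scoped), and that the new rule be bound to the Tailscale adapter with `-InterfaceAlias` in addition to `-RemoteAddress 100.64.0.0/10`, since the CGNAT range on its own does not identify the tunnel interface. Separately, step 5 conflates two things: installing the driver as SYSTEM via RMM is machine-wide, but a `\\front...\<PrinterShare>` printer connection is per-user, so it must be added in the user's context (e.g. `Add-Printer -ConnectionName` run as the user), otherwise the laptop user will not see the printer; spell out both halves.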
@@ -84,8 +107,10 @@ Not yet documented. [unverified]
- **Tailscale rollout (2026-06-06):** Stand up Robert's tailnet, assign ACG as Admin, set
the `tag:wolkin` ACL + MagicDNS, generate a reusable/pre-approved tagged auth key, and
enroll **RSW-Laptop + front** via the GuruRMM script (agent IDs above). Goal: RSW-Laptop
reaches `front`. Do NOT enroll DESKTOP-V1JT1SE (Bob's personal machine). Runbook in
enroll **RSW-Laptop + front** via the GuruRMM script (agent IDs above), then push the
post-connect SMB config so RSW-Laptop can reach **files + the shared printer on `front`**.
Do NOT enroll DESKTOP-V1JT1SE (Bob's personal machine). Open item: confirm printer type
(USB-attached vs network). Runbook + Windows files/printer gotchas in
[[patterns/tailscale-client-management]].
## History Highlights
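Review bot: the rollout step sets a `tag:wolkin` ACL but never states that it must permit TCP 445 from RSW-Laptop to `front` (and, if the printer turns out to be a network printer behind a subnet router, the advertised LAN range too); the post-connect SMB config above silently assumes this, so add an explicit ACL check here so a tightened ACL does not block the share and leave the printer step failing with no obvious cause.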