---
type: client
name: robert-wolkin
display_name: Robert Wolkin
last_compiled: 2026-06-06
compiled_by: GURU-5070/claude-main
sources:
  - (stub — created 2026-06-06 during Tailscale planning; no session logs yet)
backlinks:
  - patterns/tailscale-client-management
---

# Robert Wolkin

> **STUB** — created 2026-06-06 to track the Tailscale rollout. Most profile fields are
> not yet captured; fill in from Syncro / first session log. Do not treat `[unverified]`
> fields as fact.

## Profile

- **Company type:** [unverified]
- **Contract type:** [unverified]
- **Key contacts:** Robert Wolkin — [contact details unverified]
- **Environment:** Very small office, non-technical users (enroll/manage everything for them; no self-service login expected). GuruRMM shows 3 Windows 11 Home agents, but only **two are in the Tailscale scope: RSW-Laptop and front**. `DESKTOP-V1JT1SE` is Bob's personal machine and is intentionally **not** part of the Tailscale setup.
- **Syncro customer ID:** [unverified]
- **GuruRMM client name:** `Wolkin, Robert` (Last, First) — note the form differs from this article's display name.

## Infrastructure

### Tailscale (active rollout)

Per [[patterns/tailscale-client-management]] — **dedicated client-owned tailnet, ACG holds Admin**.

**Goal: RSW-Laptop accesses shared files AND a shared printer on `front`** (the front-desk PC) over the tailnet. Only those two nodes are enrolled; Bob's personal `DESKTOP-V1JT1SE` is out of scope. Files + printer run over plain **SMB to `front`'s Tailscale address** — no subnet router needed (both live on a node). See the Windows files/printer section in the pattern.

**[CONFIRM] Printer type:** is it **USB-attached to `front`** (→ Windows print share, SMB) or a **separate network printer** on the office LAN that `front` prints to (→ would need a subnet router on `front` advertising that LAN, or install it by IP on the laptop)? This changes the design — verify before the printer step.

| Field | Value |
|---|---|
| Tailnet identity (IdP / owner account) | [to fill — Robert's M365/Google or dedicated admin account] |
| Plan | [to fill — free tier functional; Starter ~$6/user/mo for commercial footing] |
| ACG admin identity (your seat) | [to fill] |
| Device tag | `tag:wolkin` (suggested) |
| MagicDNS | [enable] |
| Auth key (reusable, pre-approved, tagged) | store in vault: `clients/robert-wolkin/tailscale-authkey.sops.yaml` |
| Key rotation due | [to fill — ~90 days from issue] |

| Scope | Hostname | Tailscale 100.x | Notes |
|---|---|---|---|
| **In scope** | RSW-Laptop | [after enroll] | Robert's laptop — connects out to `front` |
| **In scope** | front | [after enroll] | Front-desk PC — the target the laptop reaches |
| Out of scope | DESKTOP-V1JT1SE | — | Bob's personal machine; NOT enrolled in Tailscale |

Enrollment: push [`patterns/tailscale-client-enroll.ps1`](../patterns/tailscale-client-enroll.ps1) from GuruRMM with the auth key as a masked parameter (RSW-Laptop + front only).

**Post-connect config (push via GuruRMM after both nodes are up):**

*On `front` (host):*

1. Firewall — allow SMB only over the tailnet: `New-NetFirewallRule -DisplayName "Tailscale SMB (files+print)" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress 100.64.0.0/10`
2. Confirm/create the **file share** + a **local user account** for the laptop to authenticate as (Win 11 Home, no domain, insecure guest disabled → real creds required); grant share+NTFS.
3. Confirm the **printer share** (if USB-attached to `front`).

*On `RSW-Laptop` (client):*

4. Map the share by FQDN/IP: `\\front..ts.net\` (save creds via `cmdkey`).
5. Add the printer `\\front..ts.net\` — install the driver via RMM (SYSTEM) to dodge Point-and-Print admin prompts for the non-technical user.

### Servers & Services / Email & Identity / Network

Not yet documented.
[unverified]

## GuruRMM

- **Client name:** `Wolkin, Robert`
- **Site name:** `Main`
- **Site ID:** `2bb05f85-9fc8-4a7e-a5e5-ffe0c46431ac`
- **Enrolled agents (3, all online as of 2026-06-06, Windows 11 Home 25H2 build 26200, agent v0.6.57):**

| Hostname | Agent ID | Notes |
|---|---|---|
| DESKTOP-V1JT1SE | `30f6af79-ab19-4ed3-9ebc-71b2bffc2d27` | **Bob's personal machine — NOT in Tailscale scope** |
| RSW-Laptop | `043fd673-35a2-4d3d-8f91-ed73ce70cc1e` | Robert's laptop — Tailscale node |
| front | `877d311a-4b24-462c-97b1-d2a0f7730a71` | Front-desk PC — Tailscale node (laptop connects here) |

- **Enrollment key:** [unverified — not located in vault during this pass; check `clients/robert-wolkin/` or regenerate]

## Access

- **Vault path:** `clients/robert-wolkin/` (no entries yet)
- **Syncro:** [unverified]

## Active Work

- **Tailscale rollout (2026-06-06):** Stand up Robert's tailnet, assign ACG as Admin, set the `tag:wolkin` ACL + MagicDNS, generate a reusable/pre-approved tagged auth key, and enroll **RSW-Laptop + front** via the GuruRMM script (agent IDs above), then push the post-connect SMB config so RSW-Laptop can reach **files + the shared printer on `front`**. Do NOT enroll DESKTOP-V1JT1SE (Bob's personal machine). Open item: confirm printer type (USB-attached vs network). Runbook + Windows files/printer gotchas in [[patterns/tailscale-client-management]].

## History Highlights

| Date | Event |
|---|---|
| 2026-06-06 | Tailscale client management pattern + enroll script authored; this client stub created to track the rollout. |
| 2026-06-06 | GuruRMM scan: client `Wolkin, Robert` / site `Main` has 3 online Windows 11 Home agents (DESKTOP-V1JT1SE, RSW-Laptop, front), agent v0.6.57. Discrepancy flagged: expected 2 machines, found 3. |

## Backlinks

- [[patterns/tailscale-client-management]] — MSP Tailscale management pattern + enroll script
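
**Added example (post-connect step 1 on `front`):** this script is an illustration added here, not part of this runbook or of the referenced pattern's enroll script. It creates the step 1 rule only if it is missing, then lists any other enabled inbound allow rule that also opens TCP 445, because firewall allow rules are additive and the new rule alone does not narrow rules that already exist. The variable names `$RuleName`, `$TailnetRange` and `$others` are chosen here; the rule name and range values come from step 1.

```powershell
# Added example, not from the original runbook. Run elevated on `front`.
$RuleName     = 'Tailscale SMB (files+print)'   # display name from step 1
$TailnetRange = '100.64.0.0/10'                 # remote scope from step 1

# Create the allow rule only when it is missing, so the script can be re-pushed.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 445 -RemoteAddress $TailnetRange | Out-Null
}

# Collect every OTHER enabled inbound allow rule that opens TCP 445.
# Port ranges (for example "400-500") are not expanded here; only an exact
# 445 or "Any" is matched.
$others = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        $port  = $_ | Get-NetFirewallPortFilter
        $addr  = $_ | Get-NetFirewallAddressFilter
        $ports = @($port.LocalPort)
        if (($port.Protocol -in 'TCP', 'Any') -and
            ($ports -contains '445' -or $ports -contains 'Any')) {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = (@($addr.RemoteAddress) -join ', ')
            }
        }
    }

# A non-zero exit lets the RMM job surface the finding for manual review.
if ($others) {
    $others | Format-Table -AutoSize | Out-String | Write-Output
    Write-Warning 'Other inbound rules also allow TCP 445; review their remote scope.'
    exit 1
}
Write-Output 'No other enabled inbound allow rule matches TCP 445.'
```

The script only reports the wider rules; whether to disable or re-scope them is left to the engineer, since the printer-type open item above may change what `front` needs to accept.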