claudetools/wiki/clients/robert-wolkin.md

---
type: client
name: robert-wolkin
display_name: Robert Wolkin
last_compiled: 2026-06-06
compiled_by: GURU-5070/claude-main
sources:
  - (stub — created 2026-06-06 during Tailscale planning; no session logs yet)
backlinks:
  - patterns/tailscale-client-management
---

# Robert Wolkin

> **STUB** — created 2026-06-06 to track the Tailscale rollout. Most profile fields are
> not yet captured; fill in from Syncro / first session log. Do not treat `[unverified]`
> fields as fact.

## Profile

- **Company type:** [unverified]
- **Contract type:** [unverified]
- **Key contacts:** Robert Wolkin — [contact details unverified]
- **Environment:** Very small office, non-technical users (enroll/manage everything for
  them; no self-service login expected). GuruRMM shows 3 Windows 11 Home agents, but only
  **two are in the Tailscale scope: RSW-Laptop and front**. `DESKTOP-V1JT1SE` is Bob's
  personal machine and is intentionally **not** part of the Tailscale setup.
- **Syncro customer ID:** [unverified]
- **GuruRMM client name:** `Wolkin, Robert` (Last, First) — note the form differs from
  this article's display name.

## Infrastructure

### Tailscale (active rollout)

Per [[patterns/tailscale-client-management]] — **dedicated client-owned tailnet, ACG holds
Admin**. **Goal: RSW-Laptop accesses shared files AND a shared printer on `front`** (the
front-desk PC) over the tailnet. Only those two nodes are enrolled; Bob's personal
`DESKTOP-V1JT1SE` is out of scope.

Files + printer run over plain **SMB to `front`'s Tailscale address** — no subnet router
needed (both live on a node). See the Windows files/printer section in the pattern.

**[CONFIRM] Printer type:** is it **USB-attached to `front`** (→ Windows print share, SMB) or a
**separate network printer** on the office LAN that `front` prints to (→ would need a subnet
router on `front` advertising that LAN, or install it by IP on the laptop)? This changes the
design — verify before the printer step.

| Field | Value |
|---|---|
| Tailnet identity (IdP / owner account) | [to fill — Robert's M365/Google or dedicated admin account] |
| Plan | [to fill — free tier functional; Starter ~$6/user/mo for commercial footing] |
| ACG admin identity (your seat) | [to fill] |
| Device tag | `tag:wolkin` (suggested) |
| MagicDNS | [enable] |
| Auth key (reusable, pre-approved, tagged) | store in vault: `clients/robert-wolkin/tailscale-authkey.sops.yaml` |
| Key rotation due | [to fill — ~90 days from issue] |

| Scope | Hostname | Tailscale 100.x | Notes |
|---|---|---|---|
| **In scope** | RSW-Laptop | [after enroll] | Robert's laptop — connects out to `front` |
| **In scope** | front | [after enroll] | Front-desk PC — the target the laptop reaches |
| Out of scope | DESKTOP-V1JT1SE | — | Bob's personal machine; NOT enrolled in Tailscale |

Enrollment: push [`patterns/tailscale-client-enroll.ps1`](../patterns/tailscale-client-enroll.ps1)
from GuruRMM with the auth key as a masked parameter (RSW-Laptop + front only).

**Post-connect config (push via GuruRMM after both nodes are up):**

*On `front` (host):*
1. Firewall — allow SMB only over the tailnet:
   `New-NetFirewallRule -DisplayName "Tailscale SMB (files+print)" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445 -RemoteAddress 100.64.0.0/10`
2. Confirm/create the **file share** + a **local user account** for the laptop to authenticate
   as (Win 11 Home, no domain, insecure guest disabled → real creds required); grant share+NTFS.
3. Confirm the **printer share** (if USB-attached to `front`).

*On `RSW-Laptop` (client):*
4. Map the share by FQDN/IP: `\\front.<tailnet>.ts.net\<Share>` (save creds via `cmdkey`).
5. Add the printer `\\front.<tailnet>.ts.net\<PrinterShare>` — install the driver via RMM
   (SYSTEM) to dodge Point-and-Print admin prompts for the non-technical user.

### Servers & Services / Email & Identity / Network

Not yet documented. [unverified]

## GuruRMM

- **Client name:** `Wolkin, Robert`
- **Site name:** `Main`
- **Site ID:** `2bb05f85-9fc8-4a7e-a5e5-ffe0c46431ac`
- **Enrolled agents (3, all online as of 2026-06-06, Windows 11 Home 25H2 build 26200, agent v0.6.57):**

| Hostname | Agent ID | Notes |
|---|---|---|
| DESKTOP-V1JT1SE | `30f6af79-ab19-4ed3-9ebc-71b2bffc2d27` | **Bob's personal machine — NOT in Tailscale scope** |
| RSW-Laptop | `043fd673-35a2-4d3d-8f91-ed73ce70cc1e` | Robert's laptop — Tailscale node |
| front | `877d311a-4b24-462c-97b1-d2a0f7730a71` | Front-desk PC — Tailscale node (laptop connects here) |

- **Enrollment key:** [unverified — not located in vault during this pass; check `clients/robert-wolkin/` or regenerate]

## Access

- **Vault path:** `clients/robert-wolkin/` (no entries yet)
- **Syncro:** [unverified]

## Active Work

- **Tailscale rollout (2026-06-06):** Stand up Robert's tailnet, assign ACG as Admin, set
  the `tag:wolkin` ACL + MagicDNS, generate a reusable/pre-approved tagged auth key, and
  enroll **RSW-Laptop + front** via the GuruRMM script (agent IDs above), then push the
  post-connect SMB config so RSW-Laptop can reach **files + the shared printer on `front`**.
  Do NOT enroll DESKTOP-V1JT1SE (Bob's personal machine). Open item: confirm printer type
  (USB-attached vs network). Runbook + Windows files/printer gotchas in
  [[patterns/tailscale-client-management]].

## History Highlights

| Date | Event |
|---|---|
| 2026-06-06 | Tailscale client management pattern + enroll script authored; this client stub created to track the rollout. |
| 2026-06-06 | GuruRMM scan: client `Wolkin, Robert` / site `Main` has 3 online Windows 11 Home agents (DESKTOP-V1JT1SE, RSW-Laptop, front), agent v0.6.57. Discrepancy flagged: expected 2 machines, found 3. |

## Backlinks

- [[patterns/tailscale-client-management]] — MSP Tailscale management pattern + enroll script