homelab-optimized/docs/infrastructure/mobile-device-setup.md
Gitea Mirror Bot 9fa5b7654e
Sanitized mirror from private repository - 2026-04-16 07:18:01 UTC

# 📱 Mobile Device Setup Guide
**🟡 Intermediate Guide**
This guide covers setting up Tailscale on all mobile and desktop platforms (iOS, macOS, Linux, iPadOS, Android, Debian, Rocky Linux) for secure homelab access with a disposable device philosophy.
## 🎯 Mobile Security Philosophy
### **Disposable Device Model**
- **No critical data stored locally** - Everything accessed remotely
- **Zero trust approach** - Assume devices will be lost/stolen/broken
- **Cloud-based authentication** - Bitwarden, iCloud Keychain, Google Password Manager
- **Remote wipe capability** - All devices can be wiped remotely
- **Minimal local storage** - Only cached data and temporary files
- **VPN-first access** - All homelab access through Tailscale
---
## 📱 iOS Setup (iPhone 16 Pro Max)
### **Install and Configure Tailscale**
#### **Installation**
```bash
# Install from App Store
# Search: "Tailscale"
# Developer: Tailscale Inc.
# Install and open app
# Compatible with iPhone 16 Pro Max running iOS 18+
```
#### **Initial Setup**
```bash
# 1. Open Tailscale app
# 2. Tap "Sign in"
# 3. Choose your identity provider:
# - Google (recommended for personal)
# - Microsoft (for work accounts)
# - GitHub (for developers)
# 4. Complete authentication
# 5. Allow VPN configuration when prompted
# 6. Device will appear in Tailscale admin console
```
#### **iOS-Specific Configuration**
```bash
# Enable key features in Tailscale app:
# Settings → General
Use Tailscale DNS: ✅ Enabled
Accept DNS Configuration: ✅ Enabled
Use Exit Nodes: ✅ Enabled (for privacy)
# Settings → Exit Nodes
Select: atlantis.vish.local (your homelab exit node)
Allow LAN Access: ✅ Enabled (access homelab services)
# Settings → Preferences
Start on Boot: ✅ Enabled
Use Cellular Data: ✅ Enabled (for mobile access)
```
### **iOS Shortcuts for Homelab Access**
#### **Create Homelab Shortcuts**
```bash
# Open Shortcuts app and create:
# Shortcut 1: "Connect Homelab"
Actions:
1. Set Variable: "tailscale_status" to "Get Network Details"
2. If (Tailscale connected):
- Show Notification: "Homelab Connected"
3. Otherwise:
- Open App: Tailscale
- Wait 2 seconds
- Show Notification: "Connecting to Homelab..."
# Shortcut 2: "Open Grafana"
Actions:
1. Open URLs: https://atlantis.vish.local:3000
2. (Will open in Safari with Tailscale routing)
# Shortcut 3: "Open Plex"
Actions:
1. Open URLs: https://atlantis.vish.local:32400/web
# Shortcut 4: "Open Home Assistant"
Actions:
1. Open URLs: https://concord-nuc.vish.local:8123
```
### **Essential iOS Apps for Homelab**
#### **Core Apps**
```bash
# VPN & Network
- Tailscale (primary VPN)
- Network Analyzer (troubleshooting)
- Ping (network testing)
# Remote Access
- Termius (SSH client)
- Microsoft Remote Desktop (RDP)
- VNC Viewer (Linux desktop access)
- Jump Desktop (comprehensive remote access)
# File Management
- Documents by Readdle (SFTP/SSH file access)
- FileBrowser (web-based file management)
- Working Copy (Git client)
# Password Management
- Bitwarden (primary password manager)
- Built-in iCloud Keychain (backup)
# Monitoring & Services
- Grafana mobile app (monitoring dashboards)
- Home Assistant Companion (smart home)
- Plex (media streaming)
- Immich (photo management)
```
#### **iOS Configuration for Each App**
**Termius SSH Client:**
```bash
# Add homelab hosts
Host: atlantis
Address: atlantis.vish.local
Username: vish
Authentication: SSH Key
Port: 22
# Import SSH key (if needed)
# Settings → Keys → Add Key → Import from Files
# Or generate new key pair in Termius
```
**Documents by Readdle:**
```bash
# Add SFTP connections
Name: Atlantis Files
Protocol: SFTP
Server: atlantis.vish.local
Username: vish
Authentication: SSH Key or Password
Port: 22
Path: /volume1/homes/vish
```
---
## 💻 macOS Setup
### **Install Tailscale**
#### **Installation Methods**
```bash
# Method 1: Direct Download
# Visit: https://tailscale.com/download/mac
# Download and install .pkg file
# Method 2: Homebrew
brew install --cask tailscale
# Method 3: Mac App Store
# Search for "Tailscale" and install
```
#### **Configuration**
```bash
# Launch Tailscale from Applications
# Sign in with your account
# Configure in System Preferences → Network
# Tailscale Preferences:
Use Tailscale DNS: ✅ Enabled
Accept Routes: ✅ Enabled
Use Exit Node: atlantis.vish.local
Allow LAN Access: ✅ Enabled
Start at Login: ✅ Enabled
```
### **macOS Integration Features**
#### **Menu Bar Access**
```bash
# Tailscale menu bar icon provides:
- Connection status
- Quick exit node switching
- Device list with status
- Admin console access
- Preferences shortcut
```
#### **Keychain Integration**
```bash
# Store SSH keys in Keychain
ssh-add --apple-use-keychain ~/.ssh/homelab_ed25519
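# Configure SSH to use Keychain (inside a Host block, so the options do not
# silently attach to whichever Host block happens to be last in the file)
cat >> ~/.ssh/config << 'EOF'
Host *.vish.local
  UseKeychain yes
  AddKeysToAgent yes
EOF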
```
### **macOS Homelab Workflow**
#### **Terminal Setup**
```bash
# Install essential tools
brew install htop tmux git wget curl
# Configure SSH for homelab
cat >> ~/.ssh/config << 'EOF'
Host *.vish.local
  User vish
  IdentityFile ~/.ssh/homelab_ed25519
  ServerAliveInterval 60
  ServerAliveCountMax 3
  UseKeychain yes
  AddKeysToAgent yes
EOF
# Create homelab aliases
cat >> ~/.zshrc << 'EOF'
# Homelab aliases
alias atlantis='ssh atlantis.vish.local'
alias calypso='ssh calypso.vish.local'
alias homelab='ssh homelab-vm.vish.local'
alias grafana='open https://atlantis.vish.local:3000'
alias plex='open https://atlantis.vish.local:32400/web'
alias homeassistant='open https://concord-nuc.vish.local:8123'
EOF
```
---
## 🐧 Linux Setup (Debian/Ubuntu)
### **Install Tailscale**
#### **Official Installation**
```bash
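# Option 1: official install script (adds the repository and installs the package)
curl -fsSL https://tailscale.com/install.sh | sh
# Option 2: manual repository setup instead of the script (Debian bullseye shown)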
curl -fsSL https://pkgs.tailscale.com/stable/debian/bullseye.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
curl -fsSL https://pkgs.tailscale.com/stable/debian/bullseye.list | sudo tee /etc/apt/sources.list.d/tailscale.list
sudo apt update
sudo apt install tailscale
# Start and enable service
sudo systemctl enable --now tailscaled
```
#### **Authentication and Configuration**
```bash
# Connect to tailnet
sudo tailscale up --accept-dns --accept-routes
# Use exit node for privacy
sudo tailscale up --exit-node=atlantis.vish.local --accept-dns --accept-routes
# Check status
tailscale status
tailscale ip -4
```
### **Linux Desktop Integration**
#### **GNOME Integration**
```bash
# Install GNOME extensions for network management
sudo apt install gnome-shell-extensions
# Network Manager integration
# Tailscale will appear in network settings
# Can be controlled via GUI
```
#### **KDE Integration**
```bash
# KDE Plasma network widget shows Tailscale
# System Settings → Network → Connections
# Tailscale appears as VPN connection
```
---
## 🏔️ Rocky Linux Setup
### **Install Tailscale**
#### **RPM Installation**
```bash
# Add Tailscale repository
sudo dnf config-manager --add-repo https://pkgs.tailscale.com/stable/rhel/9/tailscale.repo
# Install Tailscale
sudo dnf install tailscale
# Enable and start service
sudo systemctl enable --now tailscaled
# Configure firewall
sudo firewall-cmd --permanent --add-port=41641/udp
sudo firewall-cmd --reload
```
#### **SELinux Configuration**
```bash
# Allow Tailscale through SELinux
sudo setsebool -P use_vpn_generic 1
# If needed, create custom policy
sudo ausearch -c 'tailscaled' --raw | audit2allow -M tailscale-policy
sudo semodule -i tailscale-policy.pp
```
#### **Rocky Linux Specific Setup**
```bash
# Connect to tailnet
sudo tailscale up --accept-dns --accept-routes --exit-node=atlantis.vish.local
# Configure NetworkManager (if using GUI)
sudo nmcli connection modify tailscale0 connection.autoconnect yes
# Verify configuration
tailscale status
ip route | grep tailscale
```
---
## 📱 iPadOS Setup (iPad Pro 12.9" 6th Gen)
### **Installation and Configuration**
```bash
# Same as iOS installation process
# App Store → Search "Tailscale" → Install
# iPad Pro 12.9" 6th Gen specific features:
# - M2 chip performance for demanding remote work
# - 12.9" Liquid Retina XDR display for detailed work
# - Split View support for SSH + web browsing
# - External keyboard shortcuts (Magic Keyboard compatible)
# - Mouse/trackpad support for remote desktop
# - Files app integration for SFTP
# - USB-C connectivity for external storage
# - Thunderbolt 4 support for high-speed connections
```
### **iPadOS Productivity Setup**
#### **Split Screen Workflows**
```bash
# Common split-screen combinations:
# 1. Termius (SSH) + Safari (web services)
# 2. Working Copy (Git) + Textastic (code editor)
# 3. Documents (files) + Grafana (monitoring)
# 4. Home Assistant + Plex (entertainment + automation)
```
#### **External Keyboard Shortcuts (Magic Keyboard)**
```bash
# Configure in Settings → General → Keyboard → Hardware Keyboard
# Magic Keyboard for iPad Pro 12.9" provides laptop-like experience
# Essential shortcuts for homelab work:
Cmd+Tab: Switch between apps
Cmd+Space: Spotlight search (find apps quickly)
Cmd+Shift+4: Screenshot (for documentation)
Cmd+`: Switch between windows of same app
Cmd+H: Hide current app
Cmd+Option+D: Show/hide dock
F1-F12: Function keys for terminal work
Brightness/Volume: Dedicated keys on Magic Keyboard
# iPad Pro specific shortcuts:
Cmd+Shift+A: Open App Library
Cmd+Shift+H: Go to Home Screen
Cmd+Control+Space: Emoji picker
```
### **iPadOS-Specific Apps**
#### **Professional Apps**
```bash
# Development
- Working Copy (Git client with SSH)
- Textastic (code editor)
- Prompt 3 (SSH client)
- Blink Shell (terminal emulator)
# System Administration
- Termius (SSH with sync)
- Network Analyzer (network diagnostics)
- iStat Menus (system monitoring)
# File Management
- Documents by Readdle (SFTP/cloud integration)
- FileBrowser (web-based file management)
- Secure ShellFish (SSH file manager)
```
---
## 🤖 Android Setup
### **Install Tailscale**
#### **Installation**
```bash
# Google Play Store
# Search: "Tailscale"
# Install official Tailscale app
# F-Droid (alternative)
# Add Tailscale repository if available
# Or sideload APK from GitHub releases
```
#### **Android Configuration**
```bash
# Open Tailscale app
# Sign in with your account
# Grant VPN permission when prompted
# Settings within Tailscale app:
Use Tailscale DNS: ✅ Enabled
Accept Routes: ✅ Enabled
Use Exit Node: atlantis.vish.local
Allow LAN Access: ✅ Enabled
Start on Boot: ✅ Enabled
Use Mobile Data: ✅ Enabled
```
### **Android Integration**
#### **Always-On VPN**
```bash
# Android Settings → Network & Internet → VPN
# Select Tailscale
# Enable "Always-on VPN"
# Enable "Block connections without VPN"
# This ensures all traffic goes through Tailscale
```
#### **Battery Optimization**
```bash
# Prevent Android from killing Tailscale
# Settings → Apps → Tailscale → Battery
# Battery Optimization: Don't optimize
# Background Activity: Allow
```
### **Essential Android Apps**
#### **Core Homelab Apps**
```bash
# Remote Access
- Termux (terminal emulator)
- JuiceSSH (SSH client)
- Microsoft Remote Desktop (RDP)
- VNC Viewer (Linux desktop)
# File Management
- Solid Explorer (SFTP support)
- Material Files (open source file manager)
- Syncthing (file synchronization)
# Monitoring & Services
- Grafana mobile app
- Home Assistant Companion
- Plex for Android
- Immich mobile app
# Password Management
- Bitwarden
- Google Password Manager (backup)
```
#### **Android Automation**
**Tasker Integration:**
```bash
# Create Tasker profiles for homelab automation
# Profile 1: Auto-connect Tailscale when leaving home WiFi
Trigger: WiFi Disconnected (home network)
Action: Launch App → Tailscale
# Profile 2: Open homelab dashboard when connected
Trigger: Tailscale connected
Action: Browse URL → https://atlantis.vish.local:3000
# Profile 3: Backup photos to Immich
Trigger: WiFi Connected (any network) + Tailscale active
Action: HTTP Post to Immich API
```
---
## 🔒 Cross-Platform Security
### **Device Management**
#### **Tailscale Admin Console**
```bash
# Access: https://login.tailscale.com/admin/machines
# For each device, configure:
Device Name: Descriptive name (iPhone-Personal, MacBook-Work)
Key Expiry: 90 days (shorter for mobile devices)
Tags: mobile, personal, work (for ACL rules)
Approval: Require approval for new devices
```
#### **Access Control Lists (ACLs)**
```bash
# Configure device-specific access rules
# Tailscale Admin → Access Controls
{
  "groups": {
    "group:mobile": ["user@domain.com"],
    "group:admin": ["user@domain.com"]
  },
  "acls": [
    // Mobile devices - limited access
    {
      "action": "accept",
      "src": ["group:mobile"],
      "dst": [
        "atlantis.vish.local:443",    // HTTPS services
        "atlantis.vish.local:3000",   // Grafana
        "atlantis.vish.local:32400",  // Plex
        "concord-nuc.vish.local:8123" // Home Assistant
      ]
    },
    // Admin devices - full access
    {
      "action": "accept",
      "src": ["group:admin"],
      "dst": ["*:*"]
    }
  ],
  // Lets nodes tagged tag:mobile use Tailscale Funnel, which publishes a
  // local service to the public internet. The tag must also be declared
  // under "tagOwners" before it can be used.
  "nodeAttrs": [
    {
      "target": ["tag:mobile"],
      "attr": ["funnel"]
    }
  ]
}
```
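
Why the split between `group:mobile` and `group:admin` above has no effect while the same user sits in both groups, shown with a simplified model of ACL matching. This is an added example, not part of the original guide or Tailscale's own code; `TAGGED_POLICY` and the matching functions are assumptions for illustration, and hosts are compared by name rather than by resolved address.

```python
# Added example: simplified model of ACL matching (names, not resolved IPs).
PAGE_POLICY = {  # the ACL above, comments stripped
    "groups": {
        "group:mobile": ["user@domain.com"],
        "group:admin": ["user@domain.com"],
    },
    "acls": [
        {"action": "accept", "src": ["group:mobile"],
         "dst": ["atlantis.vish.local:443", "atlantis.vish.local:3000",
                 "atlantis.vish.local:32400", "concord-nuc.vish.local:8123"]},
        {"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
    ],
}

# Assumed revision (not from the page): phones carry tag:mobile and the
# limited rule matches on that tag instead of on the user.
TAGGED_POLICY = {
    "groups": {"group:admin": ["user@domain.com"]},
    "tagOwners": {"tag:mobile": ["group:admin"]},
    "acls": [
        {"action": "accept", "src": ["tag:mobile"],
         "dst": PAGE_POLICY["acls"][0]["dst"]},
        {"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
    ],
}

def src_matches(policy, src, user, tags):
    """A tagged device is matched by tag only; an untagged one by its user."""
    if src == "*":
        return True
    if src.startswith("tag:"):
        return src in tags
    if tags:  # a tagged device no longer carries its owner's identity
        return False
    if src.startswith("group:"):
        return user in policy.get("groups", {}).get(src, [])
    return src == user

def dst_matches(rule_dst, host, port):
    rule_host, _, rule_port = rule_dst.rpartition(":")
    return rule_host in ("*", host) and rule_port in ("*", str(port))

def allowed(policy, user, tags, host, port):
    """Default deny: access needs at least one matching accept rule."""
    return any(
        rule["action"] == "accept"
        and any(src_matches(policy, s, user, tags) for s in rule["src"])
        and any(dst_matches(d, host, port) for d in rule["dst"])
        for rule in policy["acls"]
    )

if __name__ == "__main__":
    cases = (("page ACL, untagged phone", PAGE_POLICY, []),
             ("tagged ACL, tag:mobile phone", TAGGED_POLICY, ["tag:mobile"]))
    for label, policy, tags in cases:
        for port in (22, 3000):
            ok = allowed(policy, "user@domain.com", tags, "atlantis.vish.local", port)
            print(f"{label}: port {port} -> {'allow' if ok else 'deny'}")
```

With the page's policy the phone reaches SSH on port 22 through the `group:admin` rule; with the tag-based variant it reaches only the listed service ports.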
### **Remote Device Management**
#### **Find My Device / Find My iPhone**
```bash
# iOS: Settings → [Your Name] → Find My → Find My iPhone
# Enable: Find My iPhone, Find My network, Send Last Location
# Android: Settings → Security → Find My Device
# Enable: Find My Device, Send last location
# macOS: System Preferences → Apple ID → iCloud → Find My Mac
# Enable: Find My Mac, Find My network
# These work even with Tailscale VPN active
```
#### **Remote Wipe Procedures**
```bash
# iOS Remote Wipe:
# 1. Visit icloud.com/find
# 2. Select device
# 3. Click "Erase iPhone/iPad"
# 4. Confirm erasure
# Android Remote Wipe:
# 1. Visit android.com/find
# 2. Select device
# 3. Click "Erase device"
# 4. Confirm erasure
# macOS Remote Wipe:
# 1. Visit icloud.com/find
# 2. Select Mac
# 3. Click "Erase Mac"
# 4. Confirm erasure
```
---
## 📊 Mobile Monitoring and Management
### **Device Health Monitoring**
#### **Tailscale Status Monitoring**
```bash
#!/bin/bash
# ~/scripts/check-mobile-devices.sh
# Monitoring script for mobile devices.
# Run on the homelab server to check mobile connectivity.
DEVICES=(
  "iPhone-Personal"
  "iPad-Work"
  "Android-Phone"
  "MacBook-Travel"
)
for device in "${DEVICES[@]}"; do
  if tailscale ping "$device" >/dev/null 2>&1; then
    echo "$device is online"
  else
    echo "$device is offline"
    # Send notification to admin
    curl -X POST "https://ntfy.sh/REDACTED_TOPIC" \
      -d "Device $device is offline"
  fi
done
```
#### **Grafana Mobile Dashboard**
```bash
# Create mobile-optimized Grafana dashboard
# Panel 1: Device connectivity status
# Panel 2: Bandwidth usage by device
# Panel 3: Connection duration
# Panel 4: Geographic location (if enabled)
# Panel 5: Battery status (if available)
```
### **Usage Analytics**
#### **Track Mobile Usage Patterns**
```bash
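# Prometheus metrics for mobile devices
# Add to prometheus.yml (under scrape_configs); tailnet-name is a placeholder,
# and the target must serve Prometheus text format at metrics_path:
  - job_name: 'tailscale-mobile'
    static_configs:
      - targets: ['localhost:9090']
    metrics_path: /api/v2/tailnet/tailnet-name/devices
    params:
      format: ['prometheus']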
```
---
## 🚀 Mobile Workflows
### **Daily Mobile Workflows**
#### **Morning Routine**
```bash
# 1. Check Tailscale connection status
# 2. Open Home Assistant to check house status
# 3. Review Grafana alerts from overnight
# 4. Check Uptime Kuma for service status
# 5. Browse Immich for new photos backed up
```
#### **Work Day Access**
```bash
# From mobile device:
# 1. SSH to homelab-vm for development work
# 2. Access GitLab for code repositories
# 3. Monitor services via Grafana mobile
# 4. Use Vaultwarden for password access
# 5. Stream music via Navidrome
```
#### **Travel Scenarios**
```bash
# Airport/Plane WiFi:
# 1. Connect to WiFi
# 2. Verify Tailscale connects automatically
# 3. Check exit node is active (IP shows home location)
# 4. Access homelab services normally
# 5. Stream media via Plex for entertainment
# Hotel WiFi:
# 1. Connect to hotel network
# 2. Tailscale auto-connects and secures traffic
# 3. Work normally with full homelab access
# 4. No need to trust hotel network security
```
### **Emergency Procedures**
#### **Device Loss/Theft**
```bash
# Immediate actions (within 5 minutes):
# 1. Use Find My Device to locate
# 2. If not recoverable, initiate remote wipe
# 3. Log into Tailscale admin console
# 4. Disable/delete the compromised device
# 5. Change critical passwords if device had saved credentials
# 6. Monitor homelab logs for suspicious access
```
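
Step 6 above, as an added example that is not from the original guide: a filter that pulls sshd authentication events from the lost device's tailnet address at or after the time it went missing. The log lines, the address `100.101.102.103` and the function names are constructed for illustration; it assumes OpenSSH logs in syslog format and that the device's tailnet address is read from the admin console.

```python
import re
from datetime import datetime

# Constructed sample lines in OpenSSH syslog format (not from a real host).
SAMPLE_LOG = """\
Apr 16 06:55:02 atlantis sshd[1801]: Accepted publickey for vish from 100.101.102.103 port 50112 ssh2
Apr 16 07:41:37 atlantis sshd[2204]: Failed password for vish from 100.101.102.103 port 51230 ssh2
Apr 16 07:42:10 atlantis sshd[2211]: Accepted publickey for vish from 100.101.102.103 port 51234 ssh2
Apr 16 07:50:44 atlantis sshd[2290]: Accepted publickey for vish from 100.88.12.7 port 40022 ssh2
Apr 16 08:03:19 atlantis sshd[2377]: Failed password for invalid user admin from 100.101.102.103 port 51301 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def events_after_loss(log_text, device_ip, lost_at, year):
    """Return sshd auth events from device_ip at or after lost_at.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["ip"] != device_ip:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if ts >= lost_at:
            hits.append({"time": ts, "host": m["host"], "user": m["user"],
                         "result": m["result"], "method": m["method"]})
    return hits


def credential_was_used(hits):
    """True if any post-loss login from the device succeeded."""
    return any(h["result"] == "Accepted" for h in hits)


if __name__ == "__main__":
    lost = datetime(2026, 4, 16, 7, 30)  # constructed time of loss
    found = events_after_loss(SAMPLE_LOG, "100.101.102.103", lost, 2026)
    for h in found:
        print(h["time"], h["host"], h["result"], h["method"], h["user"])
    print("rotate credentials:", credential_was_used(found))
```

A successful login after the loss time means a credential stored on the device was used, so that key or password needs rotating in addition to removing the node from the tailnet.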
#### **Network Connectivity Issues**
```bash
# Troubleshooting steps:
# 1. Check cellular/WiFi connectivity
# 2. Force-quit and restart Tailscale app
# 3. Try different exit node
# 4. Check Tailscale status page
# 5. Use mobile hotspot as backup
# 6. Contact homelab admin if persistent issues
```
---
## 📋 Mobile Device Checklist
### **Initial Setup Checklist**
```bash
☐ Install Tailscale from official app store
☐ Sign in with homelab account
☐ Configure exit node (atlantis.vish.local)
☐ Enable DNS settings and route acceptance
☐ Test connectivity to homelab services
☐ Install essential homelab apps
☐ Configure SSH keys and authentication
☐ Set up remote wipe capability
☐ Configure device in Tailscale admin console
☐ Test emergency procedures
```
### **Security Checklist**
```bash
☐ Enable device lock screen with strong passcode/biometrics
☐ Configure automatic lock timeout (5 minutes max)
☐ Enable remote wipe capability
☐ Configure Find My Device/iPhone
☐ Use password manager for all credentials
☐ Enable two-factor authentication where possible
☐ Regular security updates installed
☐ VPN always-on configured
☐ No critical data stored locally
☐ Regular backup of device settings
```
### **Maintenance Checklist**
```bash
☐ Weekly: Check Tailscale connectivity and performance
☐ Monthly: Review device access logs in admin console
☐ Monthly: Update all homelab-related apps
☐ Quarterly: Rotate SSH keys and passwords
☐ Quarterly: Test remote wipe procedures
☐ Quarterly: Review and update ACL rules
☐ Annually: Full security audit of mobile access
```
---
## 🔗 Related Documentation
- [Tailscale Setup Guide](tailscale-setup-guide.md) - Complete Tailscale infrastructure setup
- [👨‍👩‍👧‍👦 Family Network Integration](family-network-integration.md) - **NEW!** Connect family devices to homelab
- [Laptop Travel Setup](laptop-travel-setup.md) - Laptop-specific travel configuration
- [Disaster Recovery Guide](../troubleshooting/disaster-recovery.md) - Emergency procedures
- [Offline Password Access](../troubleshooting/offline-password-access.md) - Password management
- [Security Model](security.md) - Overall security architecture
---
**💡 Pro Tip**: Treat mobile devices as disposable terminals for accessing your homelab. Keep no critical data locally, use strong authentication, and maintain the ability to remotely wipe any device. This approach provides maximum security and flexibility for accessing your homelab from anywhere!