homelab-optimized/docs/diagrams/tailscale-mesh.md

# 🔗 Tailscale Mesh Network

## Overview

All homelab locations are connected via Tailscale, creating a secure mesh VPN that allows seamless access between sites regardless of NAT or firewall configurations.

**Total Devices: 28 Headscale nodes** across 4 physical locations + cloud + mobile devices.

**Control Server:** Headscale (self-hosted) on Calypso — `headscale.vish.gg`
**MagicDNS:** `*.tail.vish.gg` (resolved by AdGuard, not native MagicDNS)
**DERP Relays:** Atlantis (`derp-atl.vish.gg`), Seattle VPS (`derp-sea.vish.gg`)

---

## 📊 Complete Device Inventory

### 🟢 Online Nodes (verified 2026-04-18 from Headscale)

#### Exit Nodes
| Device | Tailscale IP | Type | Location | Notes |
|--------|--------------|------|----------|-------|
| **atlantis** | 100.83.230.112 | Synology NAS | Concord | Exit node, Primary NAS |
| **calypso** | 100.103.48.78 | Synology NAS | Concord | Exit node, Headscale host |
| **setillo** | 100.125.0.20 | Synology NAS | Tucson | Exit node, off-site backup |
| **seattle** | 100.82.197.124 | Cloud VPS | Seattle | Exit node, Contabo |
| **vish-concord-nuc** | 100.72.55.21 | Intel NUC | Concord (Backup ISP) | Exit node |
| **homeassistant** | 100.112.186.90 | HA Green | Concord | Exit node (via GL-MT3600BE subnet) |
| **gl-mt3600be** | 100.64.0.10 | GL.iNet Beryl 7 | Remote | Exit node + subnet router `192.168.12.0/24` (replaces GL-MT3000, 2026-04-16) |

#### Servers & VMs
| Device | Tailscale IP | Type | Location | Notes |
|--------|--------------|------|----------|-------|
| **homelab** | 100.67.40.126 | Proxmox VM | Concord | Primary VM — monitoring, tools, NetBox, Semaphore, Dashboard |
| **matrix-ubuntu** | 100.85.21.51 | Atlantis VM | Concord | NPM, Matrix, Mastodon, LiveKit, CrowdSec (4 vCPU, 16GB RAM, 1TB disk) |
| **pve** | 100.87.12.28 | Proxmox Host | Concord | VM hypervisor |
| **truenas-scale** | 100.75.252.64 | TrueNAS Scale | Concord | Guava, 10GbE, ZFS |
| **jellyfish** | 100.69.121.120 | Remote workstation | Remote | Behind GL-MT3600BE; LAN backup + photo workflows |
| **shinku-ryuu** | 100.98.93.15 | Windows | Concord | Desktop workstation, 10GbE |
| **moon** | 100.64.0.6 | Linux | Honolulu | Sibling's PC (192.168.12.223 behind GL-MT3600BE) |
| **pi-5** | 100.77.151.40 | RPi 5 | Concord | Uptime Kuma, monitoring |

#### Network Devices
| Device | Tailscale IP | Type | Location | Notes |
|--------|--------------|------|----------|-------|
| **headscale-test** | 100.64.0.1 | Linux | Concord | Headscale test node |

#### Mobile
| Device | Tailscale IP | Type | Status |
|--------|--------------|------|--------|
| **iphone16-pro-max** | 100.79.252.108 | iOS | Online |

### 💤 Offline Nodes
| Device | Tailscale IP | Type | Notes |
|--------|--------------|------|-------|
| **gl-mt3000** | 100.126.243.15 | GL.iNet Beryl AX | **Retired 2026-04-16**, spare/travel router (replaced by GL-MT3600BE) |
| **gl-be3600** | 100.105.59.123 | GL.iNet Slate AX | Exit node, subnet `192.168.8.0/24` — frequently offline |
| **ipad-pro** | 100.68.71.48 | iOS | iPad Pro |
| **mah-pc** | 100.64.0.4 | Windows | Concord (Backup ISP), sibling's PC |
| **mastodon-rocky** | 100.64.0.3 | Linux | Legacy, decommissioned |
| **olares** | 100.64.0.5 | Linux | Olares K8s node (host Tailscale conflicts with K8s pod) |
| **uqiyoe** | 100.124.91.52 | Windows | Laptop |
| **vishdebian** | 100.64.0.2 | Linux | Legacy Debian VM |
| **pixel-10-pro** | 100.64.0.7 | Android | Phone |
| **samsung-galaxy-tab-s9** | 100.64.0.8 | Android | Tablet |
| **kevins-laptop** | 100.64.0.9 | Laptop | Kevin's laptop |
| **moon** (status) | 100.64.0.6 | — | Currently online; may toggle |

---

## 🕸️ Mesh Topology (Mermaid)

```mermaid
graph TB
    subgraph Tailscale["🔐 Headscale Mesh Network (28 Nodes)"]
        
        subgraph Concord_Primary["🏠 Concord Primary - 25Gbps Fiber"]
            subgraph NAS_Cluster["📦 NAS + VMs"]
                A_ATL["🗄️ atlantis<br/>100.83.230.112<br/>⚡ EXIT NODE"]
                A_MATRIX["🐧 matrix-ubuntu<br/>100.85.21.51<br/>VM on Atlantis"]
            end
            A_CAL["🗄️ calypso<br/>100.103.48.78<br/>⚡ EXIT NODE<br/>Headscale host"]
            A_GUAVA["💻 guava<br/>100.75.252.64<br/>TrueNAS Scale"]
            A_DESKTOP["🖥️ shinku-ryuu<br/>100.98.93.15"]
            A_PVE["🖥️ pve<br/>100.87.12.28"]
            A_JELLY["🐟 jellyfish<br/>100.69.121.120"]
            A_HA["🏠 homeassistant<br/>100.112.186.90<br/>⚡ EXIT NODE<br/>(via GL-MT3600BE)"]
            A_PI["🥧 pi-5<br/>100.77.151.40"]
            A_GL_BERYL7["📡 gl-mt3600be (Beryl 7)<br/>100.64.0.10<br/>⚡ EXIT NODE<br/>subnet 192.168.12.0/24"]
            A_GL_BE["📡 gl-be3600<br/>100.105.59.123<br/>⚡ EXIT NODE<br/>subnet 192.168.8.0/24"]
            
            subgraph Proxmox_VMs["Proxmox VMs"]
                A_HLB["homelab<br/>100.67.40.126"]
            end
        end
        
        subgraph Concord_Backup["🏠 Concord Backup - 2Gbps"]
            B_NUC["🖥️ vish-concord-nuc<br/>100.72.55.21<br/>⚡ EXIT NODE"]
            B_PI_K["🥧 pi-5-kevin<br/>100.123.246.75"]
            B_MAH["💻 mah-pc<br/>100.64.0.4"]
        end
        
        subgraph Tucson["🌵 Tucson, AZ"]
            T_SET["🗄️ setillo<br/>100.125.0.20<br/>⚡ EXIT NODE"]
        end
        
        subgraph Honolulu["🌺 Honolulu, HI"]
            H_MOON["💻 moon<br/>100.64.0.6<br/>(aka bluecrownpassionflower)"]
        end
        
        subgraph Seattle["🌲 Seattle (Cloud)"]
            S_SEA["☁️ seattle<br/>100.82.197.124<br/>⚡ EXIT NODE"]
        end
        
        subgraph Mobile["📱 Mobile Devices"]
            M_IPHONE["📱 iphone16"]
            M_PIXEL["📱 pixel-10-pro"]
            M_IPAD["📱 ipad-pro"]
            M_TAB["📱 samsung-tablet"]
            M_KLAP["💻 kevinlaptop"]
        end
    end

    %% VM relationships
    A_ATL -->|"Hosts VM"| A_MATRIX
    A_PVE -->|"Hosts VM"| A_HLB
    
    %% Primary mesh connections
    A_ATL <-->|"10GbE LAN"| A_CAL
    A_ATL <-->|"10GbE LAN"| A_GUAVA
    A_ATL <-->|"10GbE LAN"| A_DESKTOP
    
    %% Cross-location Tailscale
    A_ATL <-.->|"Tailscale"| T_SET
    A_ATL <-.->|"Tailscale"| S_SEA
    A_ATL <-.->|"Tailscale"| B_NUC
    
    %% GL router subnets
    A_GL_BERYL7 -->|"subnet route"| A_HA
    
    %% Honolulu local
    H_MOON <-.->|"Tailscale"| A_ATL

    classDef nas fill:#3498db,stroke:#333,stroke-width:2px,color:#fff
    classDef exit fill:#e74c3c,stroke:#333,stroke-width:2px,color:#fff
    classDef compute fill:#9b59b6,stroke:#333,stroke-width:2px,color:#fff
    classDef mobile fill:#1abc9c,stroke:#333,stroke-width:2px,color:#fff
    classDef network fill:#f39c12,stroke:#333,stroke-width:2px,color:#fff
    
    class A_ATL,A_CAL,T_SET nas
    class S_SEA,B_NUC,A_HA exit
    class A_GUAVA,A_DESKTOP,A_PVE,A_HLB,A_MATRIX,A_JELLY compute
    class M_IPHONE,M_PIXEL,M_IPAD,M_TAB,M_KLAP mobile
    class A_GL_BERYL7,A_GL_BE network
```

---

## 📝 ASCII Tailscale Network Map

```
╔══════════════════════════════════════════════════════════════════════════════════════════╗
║              HEADSCALE MESH NETWORK (self-hosted Tailscale control server)                ║
║                  28 Nodes • 7 Exit Nodes • 4 Locations • Full Mesh                      ║
║                  Control: headscale.vish.gg (Calypso)                                   ║
║                  DERP Relays: Atlantis (derp-atl), Seattle VPS (derp-sea)               ║
║                  DNS: AdGuard resolves *.tail.vish.gg → Tailscale IPs                   ║
╚══════════════════════════════════════════════════════════════════════════════════════════╝

                                    ┌─────────────────┐
                                    │  TAILSCALE      │
                                    │  COORDINATION   │
                                    │  (DERP Relays)  │
                                    └────────┬────────┘
                                             │
     ┌───────────────────────────────────────┼───────────────────────────────────────┐
     │                                       │                                       │
     ▼                                       ▼                                       ▼

┌────────────────────────────────────────────────────────────────────────────────────────┐
│  🏠 CONCORD, CA - PRIMARY (25Gbps Fiber)                                               │
│  ══════════════════════════════════════════════════════════════════════════════════════│
│                                                                                         │
│  ┌─────────────────────────────────────────────────────────────────────────────────┐   │
│  │  10GbE BACKBONE (TP-Link TL-SX1008)                                              │   │
│  │  ────────────────────────────────────────────────────────────────────────────── │   │
│  │                                                                                  │   │
│  │  ┌─────────────────┐  ┌─────────────────┐  ┌─────────────────┐                  │   │
│  │  │ ⚡ ATLANTIS     │  │ ⚡ CALYPSO      │  │    GUAVA        │                  │   │
│  │  │ 100.83.230.112  │  │ 100.103.48.78   │  │ 100.75.252.64   │                  │   │
│  │  │ DS1823xs+       │  │ DS723+          │  │ Physical Host   │                  │   │
│  │  │ EXIT NODE       │  │ EXIT NODE       │  │                 │                  │   │
│  │  │                 │  │                 │  │                 │                  │   │
│  │  │ ┌─────────────┐ │  │                 │  │                 │                  │   │
│  │  │ │matrix-ubuntu│ │  │                 │  │                 │                  │   │
│  │  │ │100.85.21.51 │ │  │                 │  │                 │                  │   │
│  │  │ │Mastodon/    │ │  │                 │  │                 │                  │   │
│  │  │ │Matrix/MM    │ │  │                 │  │                 │                  │   │
│  │  │ └─────────────┘ │  │                 │  │                 │                  │   │
│  │  └─────────────────┘  └─────────────────┘  └─────────────────┘                  │   │
│  │                                                                                  │   │
│  │  ┌─────────────────┐                                                            │   │
│  │  │  SHINKU-RYUU    │  Desktop Workstation                                       │   │
│  │  │  100.98.93.15   │                                                            │   │
│  │  └─────────────────┘                                                            │   │
│  └─────────────────────────────────────────────────────────────────────────────────┘   │
│                                                                                         │
│  ┌─────────────────────────────────────────────────────────────────────────────────┐   │
│  │  2.5GbE / 1GbE DEVICES                                                           │   │
│  │  ────────────────────────────────────────────────────────────────────────────── │   │
│  │  ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌────────────┐ │   │
│  │  │ PVE         │ │ JELLYFISH   │ │⚡HOMEASSIST │ │ PI-5        │ │ HOMELAB VM │ │   │
│  │  │100.87.12.28 │ │100.69.121.120│ │100.112.186.90│ │100.77.151.40│ │100.67.40.126│ │   │
│  │  │ Proxmox     │ │ Server      │ │ EXIT NODE   │ │ RPi 5       │ │ (on PVE)   │ │   │
│  │  │             │ │             │ │via Beryl 7  │ │             │ │            │ │   │
│  │  └─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘ └────────────┘ │   │
│  │  ┌─────────────────────┐  ┌─────────────────────┐                                │   │
│  │  │ ⚡ GL-BE3600        │  │ ⚡ GL-MT3600BE      │                                │   │
│  │  │ 100.105.59.123      │  │ 100.64.0.10 (Beryl 7)│                                │   │
│  │  │ EXIT NODE           │  │ EXIT NODE + subnet  │                                │   │
│  │  │ 192.168.8.0/24      │  │ 192.168.12.0/24     │                                │   │
│  │  └─────────────────────┘  └─────────────────────┘                                │   │
│  └─────────────────────────────────────────────────────────────────────────────────┘   │
│                                                                                         │
└─────────────────────────────────────────────────────────────────────────────────────────┘

┌────────────────────────────────────────────────────────────────────────────────────────┐
│  🏠 CONCORD BACKUP ISP (2Gbps/500Mbps)                                                 │
│  ══════════════════════════════════════════════════════════════════════════════════════│
│  ┌─────────────────────┐  ┌─────────────────────┐  ┌─────────────────────┐              │
│  │ ⚡ VISH-CONCORD-NUC │  │    PI-5-KEVIN       │  │    MAH-PC           │              │
│  │ 100.72.55.21        │  │ 100.123.246.75      │  │ 100.64.0.4          │              │
│  │ Intel NUC           │  │ RPi 5               │  │ Windows PC          │              │
│  │ EXIT NODE           │  │                     │  │ Sibling's PC        │              │
│  └─────────────────────┘  └─────────────────────┘  └─────────────────────┘              │
└────────────────────────────────────────────────────────────────────────────────────────┘

     ◄─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ TAILSCALE MESH ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─►

┌───────────────────────────┐  ┌───────────────────────────┐  ┌───────────────────────────┐
│  🌵 TUCSON, AZ            │  │  🌺 HONOLULU, HI          │  │  🌲 SEATTLE (CLOUD)       │
│  ═════════════════════════│  │  ═════════════════════════│  │  ═════════════════════════│
│                           │  │                           │  │                           │
│  ┌─────────────────────┐  │  │  ┌─────────────────────┐  │  │  ┌─────────────────────┐  │
│  │ ⚡ SETILLO          │  │  │  │ MOON (bluecrownpassion) │  │  │  │ ⚡ SEATTLE          │  │
│  │ 100.125.0.20        │  │  │  │ 100.64.0.6 — online     │  │  │  │ 100.82.197.124      │  │
│  │ DS223j NAS          │  │  │  │                     │  │  │  │ Contabo VPS         │  │
│  │ EXIT NODE           │  │  │  └─────────────────────┘  │  │  │ EXIT NODE           │  │
│  │ Off-site Backup     │  │  │                           │  │  └─────────────────────┘  │
│  └─────────────────────┘  │  │                           │  │                           │
│                           │  │                           │  └───────────────────────────┘
└───────────────────────────┘  └───────────────────────────┘

┌────────────────────────────────────────────────────────────────────────────────────────┐
│  📱 MOBILE DEVICES                                                                      │
│  ══════════════════════════════════════════════════════════════════════════════════════│
│                                                                                         │
│  ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐  │
│  │ 📱 iphone16  │ │ 📱 pixel-10  │ │ 📱 ipad-pro  │ │ 📱 samsung   │ │ 💻 kevinlap  │  │
│  │100.79.252.108│ │100.122.119.40│ │100.68.71.48  │ │100.72.118.117│ │100.89.160.65 │  │
│  └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘  │
│                                                                                         │
└────────────────────────────────────────────────────────────────────────────────────────┘

╔════════════════════════════════════════════════════════════════════════════════════════╗
║  EXIT NODE SUMMARY (7 Total)                                                            ║
║  ══════════════════════════                                                             ║
║  • atlantis (100.83.230.112)       - Primary exit, Concord 25Gbps                      ║
║  • calypso (100.103.48.78)         - Secondary exit, Concord 25Gbps (Headscale host)   ║
║  • setillo (100.125.0.20)          - Tucson exit, DS223j off-site NAS                  ║
║  • seattle (100.82.197.124)        - Cloud exit, Contabo VPS Seattle                   ║
║  • vish-concord-nuc (100.72.55.21) - Backup ISP exit, Concord 2Gbps                    ║
║  • homeassistant (100.112.186.90)  - Home automation exit (via GL-MT3600BE subnet)     ║
║  • gl-be3600 (100.105.59.123)      - GL.iNet router exit, subnet 192.168.8.0/24        ║
║  • gl-mt3600be (100.64.0.10)       - GL.iNet Beryl 7, subnet 192.168.12.0/24           ║
╚════════════════════════════════════════════════════════════════════════════════════════╝
```

---

## 🖥️ Matrix-Ubuntu VM Details

This VM runs on **Atlantis** (Synology DS1823xs+ via Virtual Machine Manager):

| Specification | Value |
|---------------|-------|
| **Hostname** | matrix-ubuntu |
| **Tailscale IP** | 100.85.21.51 |
| **LAN IP** | 192.168.0.154 |
| **OS** | Ubuntu 24.04 LTS |
| **CPU** | 4 vCPU (AMD Ryzen Embedded V1780B) |
| **RAM** | 16 GB |
| **Storage** | 1 TB (~1005 GB LV) |
| **SSH Port** | 22 (via Tailscale or `ssh matrix-ubuntu`) |

### Services Running
| Service | Domain | Status |
|---------|--------|--------|
| **Nginx Proxy Manager** | npm.vish.gg (:81) | ✅ Running (reverse proxy for all domains, Let's Encrypt wildcards) |
| **CrowdSec** | — | ✅ Running (nftables bouncer) |
| Mastodon | mastodon.vish.gg | ✅ Running |
| Matrix (Synapse) | mx.vish.gg | ✅ Running |
| LiveKit | livekit.mx.vish.gg | ✅ Running (WebRTC SFU, UDP 50000-50100) |
| PostgreSQL, Redis | - | ✅ Running (shared) |

---

## 🔗 Related Diagrams
- [Network Topology](network-topology.md) - Physical network layout
- [Service Architecture](service-architecture.md) - How services connect
- [Location Overview](location-overview.md) - Geographic distribution