Tailscale is the only non-self-hosted part of my setup now and this has bugged me since. I use a custom Nameserver rule to point all my subdomains to a Caddy container sitting on my Tailnet. Caddy handles the SSL and routes everything to the right containers. I skipped Tailscale Funnel on purpose; since these are just family services, I’d rather keep them locked behind the VPN than open them up to the web. This project looks promising as a replacement for my current setup and for its digital sovereignty of self hosting the server. I'm looking to manage several embedded devices remotely via Tailscale, but I've hit a major roadblock: the 90-day maximum expiration for Auth Keys. Constantly renewing these tokens is a significant maintenance burden, so I'm searching for a more permanent, 'set-and-forget' solution for my remote hardware.
You can manually disable key expiration for hosts in Tailscale, and I think you can do it with tags too...
https://tailscale.com/kb/1028/key-expiry#disabling-key-expir...
+1 for caddy in Tailnet, working well for us too!
Use tag-based node authentication. Log in as a user and then switch the device to use a tag. I just recently did that and retained the usual 6 months expiry. I can also disable key expiry completely.
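As an added illustration of the tag-based approach described in the comment above (this is example configuration, not something posted in the thread), here is a minimal Tailscale ACL policy that defines a tag for the embedded devices and restricts who may assign it. The tag name `tag:embedded` and the `tag:admin-workstation` name are assumptions chosen for the example; `tagOwners` and `acls` are standard sections of the Tailscale policy file.

```json
{
  // Only tailnet admins may apply tag:embedded to a node.
  // (hujson allows comments; plain JSON does not.)
  "tagOwners": {
    "tag:embedded": ["autogroup:admin"]
  },

  // Least privilege: tagged embedded nodes are reachable only from
  // admin workstations (tag:admin-workstation is an assumed name),
  // and only on SSH. They get no access to the rest of the tailnet.
  "acls": [
    {
      "action": "accept",
      "src":    ["tag:admin-workstation"],
      "dst":    ["tag:embedded:22"]
    }
  ]
}
```

After the policy is saved, a device is moved onto the tag with `tailscale up --advertise-tags=tag:embedded`. Because a tagged node's identity is the tag rather than a personal user login, the device no longer inherits a user's key-expiry cycle, and key expiry can additionally be switched off per machine in the admin console as the earlier reply notes. The ACL keeps the blast radius small if one of the remote boards is ever compromised: it can only be reached, not reach out.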
Headscale is a self hosted drop-in control plane replacement that has been pretty stable for us.
Tailscale allows you to disable the expiration time - I do this for my gateways.
My other simplifier is having everything at home get a .home DNS name, and telling Tailscale to route all these via tailnet.