# Networking

Tailscale mesh, SSH keys, VNC, domains, DNS, and Cloudflare Workers.

## Tailscale Mesh
All hosts connected via Tailscale (100.x.x.x). See hosts.md for full IP table.
ACL Tags:

- tag:sandbox — Applied to agent hosts. Can only receive inbound connections, cannot initiate to other Tailscale nodes (except allowed services). Note: On VPS, causes node key expiration — do NOT apply without updating ACL policy first.

Exit Node: Pi4-01 (100.73.159.126) configured as exit node.

## SSH Keys
All keys stored in ~/.ssh/ on the MacBook Air M4:
| Key File | Target Host | User |
|---|---|---|
| id_ed25519 | Default key | — |
| dell-stig-1 | Dell k3s server | claude@100.95.212.93 |
| mac-executor | Mac Mini M4 (iBuild-E) | claude@100.92.170.124 |
| rpi-claude | Pi4-03 (Pi-E) | claude@100.107.48.17 |
| rpi-pi4-01 | Pi4-01 (exit node) | — |
| rpi-pi4-02 | Pi4-02 (Review-E) | claude@100.77.12.75 |
| vps-srv1099021 | VPS (Volt-E) | root@100.111.142.118 |

## VNC Endpoints
| Host | Purpose | Notes |
|---|---|---|
| Volt-E (VPS) | claude login OAuth refresh | Required periodically |
| Review-E (Pi4-02) | claude login OAuth refresh | Required periodically |

Pi-E does NOT need VNC — OAuth tokens are pushed from the M4 via LaunchAgent.

## Cloudflare Domains
| Domain | Purpose | Key Services |
|---|---|---|
| dashecorp.com | Shared domain for apps without their own domain | Privacy policies, support pages, App Store links |
| invotek.no | Company website | Corporate site |
| stigjohnny.no | Personal website | Blog, CV |
| nutrie.app | Nutri-E app domain | App website, API workers |
| cutiefeedback.com | Cuti-E platform | SDK endpoints, dashboard |

## Cloudflare Workers (27 total)

### Production Workers
| Worker | Domain | Purpose |
|---|---|---|
| cutie-worker | cutiefeedback.com | Cuti-E platform API |
| cutie-worker-sandbox | — | Cuti-E sandbox environment |
| deadline-tracker-worker | — | Deadline tracking (cron: daily 07:00 UTC), D1 backend |
| email-inbox | — | Email handler (email + fetch triggers) |
| infra-monitor | — | Infrastructure monitoring (cron: every 15 min), KV backend |
| invotek-account-deletion | invotek.no | GDPR account deletion endpoint |
| invotek-privacy-policy | invotek.no | Privacy policy endpoint |
| reward-e-website | — | Reward-E production website |
| reward-e-staging | — | Reward-E staging website |

### Nutri-E Workers
| Worker | Variant | Purpose |
|---|---|---|
| nutrie-apple-webhook-worker-* | v2, v3, sandbox-v2, sandbox-v3 | Apple Server Notifications |
| nutrie-dsld-worker-* | v2, v3, sandbox-v2, sandbox-v3 | DSLD supplement data API |
| nutrie-openai-worker-* | production, v2, v3, sandbox, sandbox-v2, sandbox-v3 | OpenAI proxy |
| nutrie-stats-rss | — | Stats RSS feed |

### Other
| Worker | Notes |
|---|---|
| site-85a189d3 | Created 2026-03-14 — verify purpose |

## Cloudflare D1 Databases (5)
| Database | ID | Size | Used By |
|---|---|---|---|
| cutie-production | 3111e614-2200-4c51-b63f-d8d3e46f7503 | 1.8MB | cutie-worker |
| cutie-sandbox | c5ee2ef3-34e5-4e45-b21e-e5a203a7f177 | 3.7MB | cutie-worker-sandbox |
| email-inbox | 970229bf-a3e1-4a8f-9f9d-73fc14d959da | 82KB | email-inbox worker |
| submission-checklist | 5019587a-5546-40f6-99c2-b235503a7284 | 49KB | submission-checklist MCP |
| deadline-tracker | f108263d-105e-44eb-94c9-a84e35a69568 | 28KB | deadline-tracker-worker |

## Cloudflare KV Namespaces (10)
| Namespace | ID | Used By |
|---|---|---|
| SUBSCRIPTIONS | 17ffbd7939be4c59984fa8220a34fa2e | Nutri-E Apple webhook (production) |
| SUBSCRIPTIONS_SANDBOX | c823bfef717348c982b00c8a310b6e00 | Nutri-E Apple webhook (sandbox) |
| SUBSCRIPTIONS_DELETED | b2e12a4d1c1e494396e98c9ef8724b42 | Nutri-E deleted subscriptions |
| SUBSCRIPTIONS_DELETED_SANDBOX | ebc6dd3e6fea43a090b24606d291fd93 | Nutri-E deleted subscriptions (sandbox) |
| CACHE_KV | a497291bf1ff41a888902c39281f338d | Nutri-E DSLD cache (production) |
| CACHE_SANDBOX | 3793746890ca4ba49641cacfddb768da | Nutri-E DSLD cache (sandbox) |
| RATE_LIMIT | 56f5968c8a86441aa98bbdee6edf66de | Nutri-E rate limiting (production) |
| RATE_LIMIT_SANDBOX | f55e2bf148db4359970f63ac37c572f3 | Nutri-E rate limiting (sandbox) |
| production-DEVICE_ACTIVITY | 5a36bf6a3e894a08b15cbec1fa19dba8 | Nutri-E device activity |
| INFRA_MONITOR | b67b5e912d914ce3b1ab856a3d8c9fc6 | infra-monitor worker |

## Cloudflare Queues (3)
| Queue | ID | Producers | Consumers | Used By |
|---|---|---|---|---|
| cutie-notifications | 27bfce8f | 1 | 1 | Cuti-E push notifications |
| cutie-notifications-sandbox | bfe8812a | 1 | 1 | Cuti-E notifications (sandbox) |
| cutie-notifications-dlq | f0ff7f66 | 0 | 0 | Dead letter queue |

## Cloudflare R2

Not enabled on this account.

## Email Routing
| Address | Forwards To | Domain |
|---|---|---|
| pi-e@dashecorp.com | pie.dashecorp@proton.me | dashecorp.com (Cloudflare Email Routing) |

## Tailscale ACL Policy
Source of truth: Stig-Johnny/infra-config/tailscale/acl.json
Current policy is flat — all members can reach all members and the internet (full mesh). tag:sandbox is defined and owned by autogroup:admin. SSH access is in check mode for all members (nonroot + root).

## Cloudflare Tunnels
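As an added illustration (not the contents of acl.json), a policy fragment in Tailscale's HuJSON format that expresses the tag:sandbox intent described under Tailscale Mesh: `autogroup:member` in `src` matches only user-owned devices, so once the flat rule is narrowed from `*` to members, tagged sandbox hosts need an explicit outbound rule of their own. The tag owner, check-mode SSH for nonroot and root, and the exit-node usage come from this page; the allowed-service destination is an assumed placeholder and the SSH `dst` follows Tailscale's default rule shape.

```jsonc
{
  // tag:sandbox stays owned by admins, as recorded on this page.
  "tagOwners": {
    "tag:sandbox": ["autogroup:admin"]
  },

  "acls": [
    // Flat member policy, narrowed: only user-owned devices match
    // autogroup:member in src, so tagged sandbox hosts do not get this rule.
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["autogroup:member:*", "autogroup:internet:*"]
    },
    // Members may still connect inbound to sandbox hosts (e.g. SSH from the M4).
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["tag:sandbox:*"]
    },
    // Sandbox hosts may only initiate to the internet (through the Pi4-01
    // exit node) and to one allowed service. The service address below is
    // an assumed placeholder, not a value from this page.
    {
      "action": "accept",
      "src": ["tag:sandbox"],
      "dst": ["autogroup:internet:*", "100.64.0.1:443"]
    }
  ],

  // Tailscale SSH in check mode for all members, nonroot and root.
  "ssh": [
    {
      "action": "check",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot", "root"]
    }
  ]
}
```

Apply the narrowed ACL before tagging a host, so the order of operations matches the warning in the Tailscale Mesh section.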
| Tunnel | Domain | Target |
|---|---|---|
| tablez-vcluster | grafana.invotek.no | http://grafana.observability:80 (Tablez vCluster) |
| (vcluster-platform) | vcluster.invotek.no | vCluster Platform dashboard (Dell k3s) |

## Cloudflare Email Routing
| Address | Forwards To | Domain |
|---|---|---|
| pi-e@dashecorp.com | pie.dashecorp@proton.me | dashecorp.com |
| (inbound to email-inbox worker) | D1 database email-inbox | invotekas.workers.dev |

## Network Security Layers
- Tailscale ACL — tag:sandbox restricts outbound connections from agent hosts
- Docker iptables — DOCKER-USER chain blocks container traffic to private ranges (Pi-E, Volt-E)
- macOS pf — Firewall on Mac Mini M4 blocks outbound to Tailscale/LAN
- Host networking — Volt-E uses host networking (Docker bridge networking is incompatible with the Tailscale exit node)