Move VCN lockdown to final step (after verifying everything works)

This commit is contained in:
Frank Harris 2026-01-26 13:53:47 -05:00 committed by Pocket Clawd
parent ba3381392e
commit b094050fa4

View File

@ -91,19 +91,7 @@ tailscale status
**From now on, connect via Tailscale:** `ssh ubuntu@clawdbot` (or use the Tailscale IP). **From now on, connect via Tailscale:** `ssh ubuntu@clawdbot` (or use the Tailscale IP).
## 5) Lock Down VCN Security ## 5) Install Homebrew (ARM)
Now that Tailscale is running, lock down the VCN to block all traffic except Tailscale. OCI's Virtual Cloud Network acts as a firewall at the network edge — traffic is blocked before it reaches your instance.
1. Go to **Networking → Virtual Cloud Networks** in the OCI Console
2. Click your VCN → **Security Lists** → Default Security List
3. **Remove** all ingress rules except:
- `0.0.0.0/0 UDP 41641` (Tailscale)
4. Keep default egress rules (allow all outbound)
This blocks SSH on port 22, HTTP, HTTPS, and everything else at the network edge. You'll only be able to connect via Tailscale from now on.
## 6) Install Homebrew (ARM)
```bash ```bash
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
@ -118,7 +106,7 @@ source ~/.bashrc
brew install gcc brew install gcc
``` ```
## 7) Install Clawdbot ## 6) Install Clawdbot
```bash ```bash
curl -fsSL https://clawd.bot/install.sh | bash curl -fsSL https://clawd.bot/install.sh | bash
@ -127,7 +115,7 @@ source ~/.bashrc
When prompted "How do you want to hatch your bot?", select **"Do this later"**. When prompted "How do you want to hatch your bot?", select **"Do this later"**.
## 8) Configure Gateway with Tailscale Serve ## 7) Configure Gateway with Tailscale Serve
```bash ```bash
clawdbot config set gateway.bind loopback clawdbot config set gateway.bind loopback
@ -143,7 +131,7 @@ This configures:
- Tailscale Serve provides HTTPS and handles external routing - Tailscale Serve provides HTTPS and handles external routing
- Authentication via Tailscale identity headers (no tokens needed) - Authentication via Tailscale identity headers (no tokens needed)
## 9) Verify ## 8) Verify
```bash ```bash
# Check version # Check version
@ -159,6 +147,18 @@ tailscale serve status
curl http://localhost:18789 curl http://localhost:18789
``` ```
## 9) Lock Down VCN Security
Now that everything is working, lock down the VCN to block all traffic except Tailscale. OCI's Virtual Cloud Network acts as a firewall at the network edge — traffic is blocked before it reaches your instance.
1. Go to **Networking → Virtual Cloud Networks** in the OCI Console
2. Click your VCN → **Security Lists** → Default Security List
3. **Remove** all ingress rules except:
- `0.0.0.0/0 UDP 41641` (Tailscale)
4. Keep default egress rules (allow all outbound)
This blocks SSH on port 22, HTTP, HTTPS, and everything else at the network edge. From now on, you can only connect via Tailscale.
--- ---
## Access the Control UI ## Access the Control UI
@ -180,7 +180,7 @@ No SSH tunnel needed. Tailscale provides:
## Security: Why VCN + Tailscale Is Enough ## Security: Why VCN + Tailscale Is Enough
With the VCN configured as above (only UDP 41641 open), you have **defense in depth** that makes traditional VPS hardening redundant. With the VCN locked down (only UDP 41641 open), you have **defense in depth** that makes traditional VPS hardening redundant.
**How it works:** The VCN blocks traffic at the network edge — before it reaches your instance. Combined with Tailscale SSH (which bypasses sshd entirely), there's no attack surface for typical threats. **How it works:** The VCN blocks traffic at the network edge — before it reaches your instance. Combined with Tailscale SSH (which bypasses sshd entirely), there's no attack surface for typical threats.