Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

renatocaliari/cali-deploy-github-tailscale

Name: cali-deploy-github-tailscale
Author: renatocaliari

skills/local/cali-deploy-github-tailscale/SKILL.md

npx skillsauth add renatocaliari/agent-sync-public-skills cali-deploy-github-tailscale

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

Deploy to Private Server via Tailscale OIDC

Zero-trust deployment: ephemeral OIDC credentials, restricted SSH keys, WireGuard tunnel.

Architecture

GITHUB RUNNER                    SERVER (100.120.175.47)
   │                                 │
   │ Tailscale OIDC (ephemeral)      │
   │ OpenSSH porta 2222              │
   │ chave ed25519 restrita          │
   │ command= limita comandos        │
   └─────────────────────────────────┘
         │
   UFW: só tailscale0
   Internet: bloqueada

Prerequisites

[ ] Tailscale account + admin access
[ ] Server with Ubuntu/Debian + root SSH access
[ ] Tailscale installed on server (curl -fsSL https://tailscale.com/install.sh | sh)
[ ] Docker + Docker Compose on server
[ ] GitHub repo with Actions enabled

Setup Steps

Phase 1: Tailscale ACLs

Go to https://login.tailscale.com/admin/acls

Add tag owner:

"tagOwners": {
  "tag:continuous-integration": ["autogroup:admin"]
}

Add grants:

{
  "src": ["autogroup:member", "tag:continuous-integration"],
  "dst": ["<SERVER_IP>"],
  "ip": ["tcp:22", "tcp:2222"]
}

Create OIDC credential at https://login.tailscale.com/admin/settings/oauth
- Issuer: GitHub
- Subject: repo:{owner}/{repo}:ref:refs/heads/{branch}
- Scope: Auth Keys → Write
- Tag: tag:continuous-integration
- Copy Client ID + Audience

Phase 2: Server Setup

Run as root on the server:

# Enable Tailscale SSH
tailscale set --ssh=true

# Discover Tailscale IP
TAILSCALE_IP=$(ip -4 addr show tailscale0 | grep -oP 'inet \K[\d.]+')

# Add port 2222 to SSH socket (Ubuntu systemd)
mkdir -p /etc/systemd/system/ssh.socket.d
cat > /etc/systemd/system/ssh.socket.d/override.conf << EOF
[Socket]
ListenStream=
ListenStream=0.0.0.0:22
ListenStream=[::]:22
ListenStream=$TAILSCALE_IP:2222
FreeBind=yes
EOF
systemctl daemon-reload
systemctl restart ssh.socket
systemctl restart ssh

# Firewall
ufw default deny incoming
ufw default allow outgoing
ufw allow in on tailscale0 to any port 22
ufw allow in on tailscale0 to any port 2222
ufw allow 80/tcp
ufw allow 443/tcp
ufw --force enable

# Create deploy user
adduser --disabled-password --gecos "" deploy
usermod -aG docker deploy

# Restricted SSH key
cat > /home/deploy/.ssh/authorized_keys << 'KEYEOF'
command="cd /opt/{project} && docker compose pull && docker rm -f {container} 2>/dev/null; docker compose up -d && docker image prune -f",no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding ssh-ed25519 AAA... github-actions-deploy-{project}
KEYEOF
chmod 600 /home/deploy/.ssh/authorized_keys
chown -R deploy:deploy /home/deploy/.ssh

# Copy Docker registry auth to deploy user
cp /root/.docker/config.json /home/deploy/.docker/config.json
chown -R deploy:deploy /home/deploy/.docker

Phase 3: GitHub Secrets

| Secret | Value | |---|---| | TS_OAUTH_CLIENT_ID | OIDC Client ID | | TS_AUDIENCE | OIDC Audience | | DEPLOY_SSH_KEY | Private ed25519 key |

Phase 4: Workflow

See references/workflow-template.yml for the full template.

Key elements:

id-token: write permission for OIDC
tailscale/github-action@v4 for ephemeral auth
SSH with restricted key + command=

Security Measures

| Measure | What it protects | |---|---| | OIDC (ephemeral JWT) | No permanent credentials on runner | | command= in authorized_keys | Even with key, only docker compose allowed | | Port 2222 on Tailscale IP only | Invisible on internet | | UFW + tailscale0 interface | Only WireGuard traffic | | deploy user (non-root) | Least privilege | | Tailscale SSH (personal) | You access without keys, by identity | | Ephemeral runner node | Disappears after workflow |

Examples

Example 1: First-time setup

# On server (as root):
curl -fsSL https://tailscale.com/install.sh | sh
tailscale set --ssh=true
tailscale status  # verify connection

# Create deploy user + restricted key
adduser --disabled-password --gecos "" deploy
usermod -aG docker deploy

Example 2: Deploy from GitHub Actions

- name: Authenticate with Tailscale
  uses: tailscale/github-action@v4
  with:
    oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
    audience: ${{ secrets.TS_AUDIENCE }}
    tags: tag:continuous-integration

- name: Deploy
  shell: bash
  run: |
    echo "$SSH_KEY" > /tmp/deploy_key && chmod 600 /tmp/deploy_key
    ssh -i /tmp/deploy_key -p 2222 [email protected] \
      'cd /opt/app && docker compose pull && docker compose up -d'

Example 3: Verify deployment

# Check deploy user
ssh [email protected]  # should NOT get shell (command= restricts)
ssh [email protected] whoami  # should fail (command= only allows docker)

# Check UFW
sudo ufw status verbose  # should show only tailscale0 ports

Edge Cases

OIDC token expired

Runner must complete within token TTL (usually 1 hour)
If expired, re-run the workflow — new OIDC token is minted automatically

Server unreachable from runner

Verify Tailscale status: tailscale status on both ends
Check ACL grants include the server IP
Verify UFW allows port 2222 on tailscale0

Deploy user can't pull images

Copy Docker registry auth: cp /root/.docker/config.json /home/deploy/.docker/config.json
Verify ghcr.io token is valid

Port 2222 not listening

Check systemd socket override: systemctl status ssh.socket
Verify ListenStream includes Tailscale IP
Restart: systemctl daemon-reload && systemctl restart ssh.socket

Test Cases

Should

[ ] Server only accepts SSH on port 22 (Tailscale) and 2222 (Tailscale IP)
[ ] Internet cannot reach SSH ports (UFW blocks)
[ ] Deploy user cannot get a shell (command= restricts)
[ ] Deploy user can run docker compose pull/up
[ ] OIDC token is ephemeral (no permanent credentials)
[ ] Runner node disappears after workflow

Should NOT

[ ] Deploy user should NOT have root access
[ ] Deploy user should NOT be able to run arbitrary commands
[ ] SSH key should NOT have agent forwarding
[ ] Port 2222 should NOT be accessible from internet
[ ] Runner should NOT store permanent credentials

References

references/workflow-template.yml — Full GitHub Actions workflow
references/server-setup.sh — Server setup script
references/security-checklist.md — Pre-deploy security verification

renatocaliari/cali-deploy-github-tailscale

skills/local/cali-deploy-github-tailscale/SKILL.md

[Cali] Deploy to a private server via Tailscale OIDC with ephemeral credentials. Use when: setting up CI/CD deploy pipeline, configuring Tailscale SSH + OpenSSH for GitHub Actions, creating deploy users with restricted access, writing deploy.yml workflows, or troubleshooting deploy authentication failures. Triggers: "deploy to server", "tailscale deploy", "deploy pipeline", "CI/CD deploy", "deploy workflow", "deploy setup", "deploy key", "deploy user".

1 stars

testing

Updated May 29, 2026

$ install --global

skillsauth

npx skillsauth add renatocaliari/agent-sync-public-skills cali-deploy-github-tailscale

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: May 29, 2026, 4:14 AM167.9s4 files scanned

SKILL.md

name:: cali-deploy-github-tailscale
description:: >
Use when:: setting up CI/CD deploy pipeline, configuring Tailscale SSH + OpenSSH
Triggers:: deploy to server", "tailscale deploy", "deploy pipeline", "CI/CD deploy",
frequency:: rare
category:: infra
context-cost:: low
disable-model-invocation:: true

Deploy to Private Server via Tailscale OIDC

Zero-trust deployment: ephemeral OIDC credentials, restricted SSH keys, WireGuard tunnel.

Architecture

GITHUB RUNNER                    SERVER (100.120.175.47)
   │                                 │
   │ Tailscale OIDC (ephemeral)      │
   │ OpenSSH porta 2222              │
   │ chave ed25519 restrita          │
   │ command= limita comandos        │
   └─────────────────────────────────┘
         │
   UFW: só tailscale0
   Internet: bloqueada

Prerequisites

[ ] Tailscale account + admin access
[ ] Server with Ubuntu/Debian + root SSH access
[ ] Tailscale installed on server (curl -fsSL https://tailscale.com/install.sh | sh)
[ ] Docker + Docker Compose on server
[ ] GitHub repo with Actions enabled

Setup Steps

Phase 1: Tailscale ACLs

Go to https://login.tailscale.com/admin/acls

Add tag owner:

"tagOwners": {
  "tag:continuous-integration": ["autogroup:admin"]
}

Add grants:

{
  "src": ["autogroup:member", "tag:continuous-integration"],
  "dst": ["<SERVER_IP>"],
  "ip": ["tcp:22", "tcp:2222"]
}

Create OIDC credential at https://login.tailscale.com/admin/settings/oauth
- Issuer: GitHub
- Subject: repo:{owner}/{repo}:ref:refs/heads/{branch}
- Scope: Auth Keys → Write
- Tag: tag:continuous-integration
- Copy Client ID + Audience

Phase 2: Server Setup

Run as root on the server:

# Enable Tailscale SSH
tailscale set --ssh=true

# Discover Tailscale IP
TAILSCALE_IP=$(ip -4 addr show tailscale0 | grep -oP 'inet \K[\d.]+')

# Add port 2222 to SSH socket (Ubuntu systemd)
mkdir -p /etc/systemd/system/ssh.socket.d
cat > /etc/systemd/system/ssh.socket.d/override.conf << EOF
[Socket]
ListenStream=
ListenStream=0.0.0.0:22
ListenStream=[::]:22
ListenStream=$TAILSCALE_IP:2222
FreeBind=yes
EOF
systemctl daemon-reload
systemctl restart ssh.socket
systemctl restart ssh

# Firewall
ufw default deny incoming
ufw default allow outgoing
ufw allow in on tailscale0 to any port 22
ufw allow in on tailscale0 to any port 2222
ufw allow 80/tcp
ufw allow 443/tcp
ufw --force enable

# Create deploy user
adduser --disabled-password --gecos "" deploy
usermod -aG docker deploy

# Restricted SSH key
cat > /home/deploy/.ssh/authorized_keys << 'KEYEOF'
command="cd /opt/{project} && docker compose pull && docker rm -f {container} 2>/dev/null; docker compose up -d && docker image prune -f",no-agent-forwarding,no-port-forwarding,no-user-rc,no-X11-forwarding ssh-ed25519 AAA... github-actions-deploy-{project}
KEYEOF
chmod 600 /home/deploy/.ssh/authorized_keys
chown -R deploy:deploy /home/deploy/.ssh

# Copy Docker registry auth to deploy user
cp /root/.docker/config.json /home/deploy/.docker/config.json
chown -R deploy:deploy /home/deploy/.docker

Phase 3: GitHub Secrets

| Secret | Value | |---|---| | TS_OAUTH_CLIENT_ID | OIDC Client ID | | TS_AUDIENCE | OIDC Audience | | DEPLOY_SSH_KEY | Private ed25519 key |

Phase 4: Workflow

See references/workflow-template.yml for the full template.

Key elements:

id-token: write permission for OIDC
tailscale/github-action@v4 for ephemeral auth
SSH with restricted key + command=

Security Measures

Examples

Example 1: First-time setup

# On server (as root):
curl -fsSL https://tailscale.com/install.sh | sh
tailscale set --ssh=true
tailscale status  # verify connection

# Create deploy user + restricted key
adduser --disabled-password --gecos "" deploy
usermod -aG docker deploy

Example 2: Deploy from GitHub Actions

- name: Authenticate with Tailscale
  uses: tailscale/github-action@v4
  with:
    oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
    audience: ${{ secrets.TS_AUDIENCE }}
    tags: tag:continuous-integration

- name: Deploy
  shell: bash
  run: |
    echo "$SSH_KEY" > /tmp/deploy_key && chmod 600 /tmp/deploy_key
    ssh -i /tmp/deploy_key -p 2222 [email protected] \
      'cd /opt/app && docker compose pull && docker compose up -d'

Example 3: Verify deployment

# Check deploy user
ssh [email protected]  # should NOT get shell (command= restricts)
ssh [email protected] whoami  # should fail (command= only allows docker)

# Check UFW
sudo ufw status verbose  # should show only tailscale0 ports

Edge Cases

OIDC token expired

Runner must complete within token TTL (usually 1 hour)
If expired, re-run the workflow — new OIDC token is minted automatically

Server unreachable from runner

Verify Tailscale status: tailscale status on both ends
Check ACL grants include the server IP
Verify UFW allows port 2222 on tailscale0

Deploy user can't pull images

Copy Docker registry auth: cp /root/.docker/config.json /home/deploy/.docker/config.json
Verify ghcr.io token is valid

Port 2222 not listening

Check systemd socket override: systemctl status ssh.socket
Verify ListenStream includes Tailscale IP
Restart: systemctl daemon-reload && systemctl restart ssh.socket

Test Cases

Should

[ ] Server only accepts SSH on port 22 (Tailscale) and 2222 (Tailscale IP)
[ ] Internet cannot reach SSH ports (UFW blocks)
[ ] Deploy user cannot get a shell (command= restricts)
[ ] Deploy user can run docker compose pull/up
[ ] OIDC token is ephemeral (no permanent credentials)
[ ] Runner node disappears after workflow

Should NOT

[ ] Deploy user should NOT have root access
[ ] Deploy user should NOT be able to run arbitrary commands
[ ] SSH key should NOT have agent forwarding
[ ] Port 2222 should NOT be accessible from internet
[ ] Runner should NOT store permanent credentials

References

references/workflow-template.yml — Full GitHub Actions workflow
references/server-setup.sh — Server setup script
references/security-checklist.md — Pre-deploy security verification

Related Skills

renatocaliari/pocketbase

development

VerifiedTrustedCommunity

PocketBase v0.39+ development - API rules, auth, collections, SDK, realtime, files, Go/JS extending, deployment, production tuning.

1SKILL.mdUpdated Jun 7, 2026

renatocaliari/pocketbase

renatocaliari/cali-lat-md-seed

tools

VerifiedTrustedCommunity

Auto-initialize structured documentation for any project using lat.md (knowledge graph of markdown files with [[wiki links]], // @lat: code refs, and semantic search). Detects cali-product-workflow artifacts (spec-product.md, spec-tech.md, critiques) and uses them as seed material. Falls back to extracting business rules, architecture, and design decisions directly from the codebase. Use when a project lacks structured documentation or when lat.md/ is missing. After seeding, lat.md extension hooks keep documentation alive automatically.

1SKILL.mdUpdated Jun 2, 2026

renatocaliari/cali-lat-md-seed

renatocaliari/cali-ops-server-security

testing

VerifiedTrustedCommunity

[Cali] Server security audit and hardening for private servers behind Tailscale. Use when: auditing server security, hardening SSH/firewall/Docker, checking for vulnerabilities, setting up fail2ban, reviewing port exposure, or responding to security alerts. Covers 6 layers: CloudFlare, UFW, Tailscale, SSH, Docker, Application. Triggers: "server security", "security audit", "harden server", "SSH hardening", "firewall rules", "UFW config", "fail2ban", "port security", "Docker security", "vulnerability check", "security review".

1SKILL.mdUpdated May 30, 2026

renatocaliari/cali-ops-server-security

renatocaliari/cali-ops-package-audit

tools

VerifiedTrustedCommunity

Run supply chain security scans before installing packages or before releases. Triggers when: user installs a package (npm, pip, go get, brew), user asks to 'scan dependencies', 'check vulnerabilities', 'supply chain', 'security audit', 'run trivy', 'run socket', or before any release/deployment. Also triggers on mentions of: socket.dev, trivy, OSV-scanner, dotenvx, CVE, dependency audit. Covers all four tools with concrete commands.

1SKILL.mdUpdated May 30, 2026

renatocaliari/cali-ops-package-audit

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/renatocaliari/agent-sync-public-skills.git

# Copy into Claude Code skills folder (global)
cp -r agent-sync-public-skills/skills/local/cali-deploy-github-tailscale ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

renatocaliari/agent-sync-public-skills

1 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT