More

ghthor · 2026-05-01T01:42:56 1777599776

You can disable extensions and download them in advance and load those from file path. This is how I’m pinning extensions for a self hosted version of duckdb I setup at work.

ghthor · 2026-04-29T01:40:48 1777426848

Keep your friends close and your enemies closer

ghthor · 2026-04-28T12:50:41 1777380641

Yet the Linux kernel is a monorepo

guipsp · 2026-04-28T16:32:41 1777393961

The Linux kernel is pretty small

mohsen1 · 2026-04-28T15:20:04 1777389604

Try google3

ghthor · 2026-04-28T09:58:52 1777370332

Yeah, but no needs to pay for software SaaS anymore so no-one is going to be getting a lucky 100MRR business off pure vibecoded software as anyone can just make that in house.

ghthor · 2026-04-23T13:07:07 1776949627

You can ack based on groups, and you can out users into groups. So if you auth a node, it’s now your node and the ACL for your user / group will apply.

But yes I don’t think you can ACL based o the hostname

andrew-d · 2026-04-23T13:42:49 1776951769

Hi there, I work at Tailscale.

Part of the reason that we don't (currently) let you do this is that a hostname is a user-reported field, and can change over time; it's not a durable form of identity that you can write ACLs on. One could imagine, for example:

1. Creating an ACL rule that allows hostname "webserver" to hostname "db".

2. (time passes)

3. Hostname "webserver" is deleted/changed to "web"/etc.

4. Someone can now register a user device with the system hostname set to "webserver"

Should they be allowed to inherit the pre-existing ACL rule?

However, you can accomplish something very close to what you're asking for, I think, by defining a "host" in the policy file (https://tailscale.com/docs/reference/syntax/policy-file#host...) that points to a single Tailscale IP. Since we don't allow non-admins to change their Tailscale IP, this uniquely identifies a single device even if the hostname changes, and thus you can write a policy similar to:

  "hosts": {
    "myhost": "100.64.1.2",
  },
  "grants": [
    {
      "src": ["myhost"],
      "dst": ["tag:db"],
    },
  ]

ghthor · 2026-04-28T11:44:30 1777376670

Yes I noticed that when designing our ACL usage. I didn’t find it all that useful unless we were inheriting some non tailscale systems with static IPs that we were going to subnet proxy to w/ tailscale.

Tags are just a better way to do this for tailscale only nodes, as now the ACL doesn’t require any change during a device key rotation.

LoganDark · 2026-04-24T20:30:27 1777062627

That's why my next instinct was to try specifying a node key, which does not change unless the device is re-registered, but that does not work either.

ghthor · 2026-04-23T12:55:24 1776948924

We run nomad at work. I’m very happy with it from an administrative standpoint.

ghthor · 2026-04-21T02:28:14 1776738494

I believe you can disable this and it isn’t really required for TS to work

ghthor · 2026-04-16T02:03:13 1776304993

Still use Wander everyday <3

ghthor · 2026-04-13T22:01:36 1776117696

Yep, very happy with graphite at work.

heeton · 2026-04-14T13:00:30 1776171630

Same, our team has been on it for a year and it's very good.

ghthor · 2026-04-06T00:17:50 1775434670

If you’re brewing from ground you really don’t want boiling 212F water as you’ll burn the grounds. I do my pour over at 185F and get smooth ready to drink hot coffee with no/low acidity.

Error9632 · 2026-04-06T01:41:02 1775439662

If you (for some reason) want low-acidity coffee, it’s better to just get a darker roast (if you can stand the taste defects).

Ideal brewing temperature depends on a lot of factors but even ultralight roasts don’t require anything near boiling.