Tailscale-only remote access for Phase I; defer Cloudflare Tunnel to Phase II

Round-1 design agents proposed three conflicting positions on Jetson remote access:

  1. Backend agent: Cloudflare Tunnel on the Jetson (cloudflared daemon publishing jetson-api.lbzfai.com), so lbzfai.com Workers can fetch live data without users needing Tailscale.
  2. Frontend agent: Tailscale-only on the Jetson for Phase I; defer Cloudflare Tunnel to Phase II.
  3. Hardware agent: Explicitly forbid Cloudflare Tunnel (“only Tailscale clients see :5000”).

This contradiction is the load-bearing seam for the entire integration story between lbzfai.com and the Jetson dashboard.

For Phase I: Tailscale-only remote access to the Jetson. The Cloudflare Tunnel design is parked in docs/design/60-parking/.
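One way to check the "only Tailscale clients see :5000" position on the Jetson, as an added example that is not part of the original ADR or the project's code: it parses `ss -Htln` output and flags any listener on port 5000 bound to a wildcard or non-tailnet address. It assumes the restriction is enforced by bind address (host firewall rules are not considered); the function names and sample lines are constructed for illustration.

```python
import ipaddress

# Ranges Tailscale assigns to tailnet nodes (CGNAT IPv4 block, Tailscale IPv6 ULA prefix).
TAILNET_NETS = (ipaddress.ip_network("100.64.0.0/10"),
                ipaddress.ip_network("fd7a:115c:a1e0::/48"))
DASHBOARD_PORT = 5000  # the ":5000" named in this ADR

# Constructed sample of `ss -Htln` output; not captured from the real Jetson.
SAMPLE_SS = """\
LISTEN 0 2048 100.101.102.103:5000 0.0.0.0:*
LISTEN 0 2048 0.0.0.0:5000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 128 192.168.1.20:5000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [fd7a:115c:a1e0::1]:5000 [::]:*
"""


def classify_bind(addr: str) -> str:
    """Return 'wildcard', 'loopback', 'tailnet' or 'other' for a bind address."""
    ip = ipaddress.ip_address(addr.strip("[]").split("%")[0])  # drop [] and %iface
    if ip.is_unspecified:
        return "wildcard"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in TAILNET_NETS if net.version == ip.version):
        return "tailnet"
    return "other"


def exposed_listeners(ss_output: str, port: int = DASHBOARD_PORT) -> list:
    """Return local addresses that offer `port` on a wildcard or non-tailnet bind."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, lport = fields[3].rpartition(":")
        if lport != str(port):
            continue
        if host == "*":  # ss prints "*" for a dual-stack wildcard socket
            host = "::"
        if classify_bind(host) in ("wildcard", "other"):
            findings.append(fields[3])
    return findings


if __name__ == "__main__":
    for local in exposed_listeners(SAMPLE_SS):
        print("port 5000 reachable outside the tailnet via", local)
```

A wildcard bind is flagged even if a firewall would block it, so treat a finding as a prompt to confirm the bind address or the firewall rule.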

Why:

  • Small user set. Phase I users are Sophia, Andrew, Armando, Ronald, Mariana, plus 4-6 ITBA team members. All of them can install Tailscale on their own devices — installing it on Mariana’s phone is the only non-trivial ask, and she can manage it once with help.
  • Already configured. Tailscale is already tested for the BA twin handoff (per ADR-006). No new infrastructure to debug.
  • Cloudflare Tunnel adds dependency surface. cloudflared install on the Jetson, named-hostname routing, shared secret between Worker and FastAPI middleware — meaningful work that isn’t needed for Phase I.
  • Cost. Phase I needs Tailscale Starter tier (~$6/user/mo × ~9 users ≈ $45/mo) because the free tier blocks at 3 users. This is the right tradeoff vs. Cloudflare Tunnel engineering time.

Consequences:

  • Mariana-on-phone without Tailscale is deferred. If Mariana wants to view the dashboard from her phone without installing Tailscale, that’s a Phase II feature.
  • Tailscale paid tier needed by 2026-05-15. Sophia must upgrade before the BA flight so ITBA team members can be added to the tailnet.
  • Park Cloudflare Tunnel design. Move backend agent’s cloudflared proposal into docs/design/60-parking/cloudflare-tunnel-from-jetson.md (when content is migrated).
  • lbzfai.com Phase I scope shrinks. The landing page remains static + Auth0; it does not proxy to the Jetson in Phase I. Any “live data on lbzfai.com” feature is Phase II.

References:

  • Round-1 cross-doc contradictions, Critique I (cross-doc coherence)
  • Round-2 synthesis SEAMS table