Use Tailscale for developer and CI access to the cluster
Context
Developers and CI runners need to reach cluster services: deploying via Colmena, running database migrations, and accessing preview environments (ADR-0055). Previously this was done over SSH tunnels, which were fragile (tunnels drop and need reconnecting) and did not scale to CI runners that only need short-lived access.
Inter-node communication (Patroni replication, Consul gossip, Nomad scheduling) uses Hetzner's private networking and doesn't go through Tailscale.
Decision
Use a Tailscale mesh VPN for developer and CI access to the cluster. Developer machines and CI runners join the same Tailscale network (tailnet) as the cluster nodes, giving direct access to internal services without SSH tunnels.
CI runners authenticate with ephemeral machine credentials rather than long-lived keys.
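As an added illustration (not part of this ADR or the cluster's actual configuration), a Tailscale ACL policy that enforces the decision: any tailnet member can reach the cluster nodes, while CI runners, tagged tag:ci and joined with ephemeral keys, get only what deploys and migrations need. The tag names and the ports (22 for Colmena's SSH, 5432 for Postgres, 4646 for the Nomad API) are assumed defaults.

```hujson
// Tailnet policy file (HuJSON). Everything not listed here is denied:
// once any "acls" entries exist, Tailscale drops all other traffic.
{
  // Cluster nodes carry tag:cluster; CI runners carry tag:ci.
  // Only admins may apply either tag, so a developer cannot mint a
  // CI-tagged key and inherit CI's access (or vice versa).
  "tagOwners": {
    "tag:cluster": ["autogroup:admin"],
    "tag:ci":      ["autogroup:admin"],
  },

  "acls": [
    // Developers: every human member reaches the cluster nodes on the
    // service ports used day to day (assumed defaults: SSH for Colmena
    // deploys, Postgres for migrations, Nomad API for scheduling).
    {
      "action": "accept",
      "src":    ["autogroup:member"],
      "dst":    ["tag:cluster:22,5432,4646"],
    },

    // CI runners: narrower. Colmena deploys and migrations only, no
    // Nomad API. Issue the CI auth key as ephemeral and pre-authorized
    // with tag:ci, so each runner's node record is removed once the
    // runner disconnects instead of piling up as stale machines.
    {
      "action": "accept",
      "src":    ["tag:ci"],
      "dst":    ["tag:cluster:22,5432"],
    },

    // No cluster-to-cluster rule: Patroni, Consul and Nomad traffic
    // stays on the Hetzner private network and never enters the tailnet.
  ],
}
```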
Consequences
Reliable access from developer machines and CI to cluster services. Preview deployments and database operations work from GitHub Actions. No more SSH tunnels to maintain.
The cost is that all external access to the cluster now depends on Tailscale. Direct SSH via public IP remains as an emergency fallback.