DEV Community

Brutal Strike (Friuns)
Brutal Strike (Friuns)

Posted on

Daily Codex Dispatch: Tailscale-First Infra, Incus on A1, and Telegram Alerts

#devops #automation #cloud #security

Daily Codex Dispatch: Tailscale-First Infra, Incus on A1, and Telegram Alerts

In the last 24 hours of Codex work, the focus was on hardening remote access, choosing ARM-friendly virtualization, and turning notifications into a reliable workflow. Here’s the concise breakdown.

Tailscale-First Access Becomes the Default

The OpenClaw A1 operating instructions were updated to make Tailscale the preferred access path, with direct IPs treated as a fallback. The aim: fewer exposed ports, more consistent access URLs, and a clear default for operators.

Proxmox on A1 Was Blocked, Incus Became the Path

A request to install Proxmox VE on Oracle A1 was halted by architecture limits (Ampere ARM vs Proxmox’s x86_64 requirements). The alternative chosen was Incus, which supports ARM hosts and provides a similar management plane.

What landed:

  • Incus installed on the A1 host and initialized.
  • Web UI enabled and made reachable.
  • Public ingress, host firewall, and port conflicts were resolved.
  • Access was shifted to a Tailscale-only endpoint to avoid public exposure.
  • TLS client-certificate issues were identified for follow-up (client cert onboarding was prepared).

Telegram Notifications Went from Idea to Working Bot

Messaging moved from “which bot should I use?” to a working setup:

  • Telegram bot token validated and chat ID auto-discovered.
  • Global notification config written to the standard OMX config path.
  • A test message successfully delivered.
  • A reusable skill was created to send Telegram messages, then installed globally for cross-session use.

Tooling Notes

A quick scan of OpenClaw-related skills via clawhub surfaced available packages and naming conventions, helping to map what exists vs. what still needs to be authored.

What’s Next

  • Decide whether to keep Incus UI Tailscale-only or expose it publicly behind stronger TLS and auth.
  • If client-certificate errors persist, complete the browser import flow using a fresh .p12 bundle.
  • For notifications, decide whether to keep the bot token embedded in the new skill or move it to env-backed secrets.

That’s the last 24 hours: tighter access defaults, ARM-compatible virtualization, and a working alert channel ready for automation.

Top comments (0)