Add infrastructure setup artifacts (Feb 1-3)

Session notes covering Gitea-Coolify webhook fixes, NocoDB/Vaultwarden
credentials, Stalwart mail server setup, Snappymail config, WhyRating
databases and email, CloudBeaver deployment, and Turbostarter setup.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.artifacts/2026-02-01_21-35_tailscale-funnel-https.md

@@ -0,0 +1,143 @@
+# Tailscale Funnel - HTTPS for NUC Services
+
+**Date:** 2026-02-01 21:35
+**Context:** Using Tailscale Funnel to expose NUC services with automatic HTTPS
+
+## Why Tailscale Funnel?
+
+| Method | Pros | Cons |
+|--------|------|------|
+| **Tailscale Funnel** | No ports on router, auto HTTPS, handles dynamic IP | Limited to 3 ports |
+| Cloudflare Tunnel | Many features, DDoS protection | Spanish ISPs block shared IPs during LaLiga |
+| Port forwarding | Full control | Exposes router, needs DDNS, manual certs |
+
+**Key advantage:** Tailscale Funnel works even when Cloudflare IPs are blocked by ISPs.
+
+## Tailscale Container
+
+```bash
+# Container name (managed by Coolify)
+tailscale-posgwooww0s0c0okssooc4gw
+
+# Execute commands in container
+ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale <command>"
+```
+
+## Funnel Basics
+
+### Supported Ports (ONLY these work)
+- **443** - Default HTTPS
+- **8443** - Alternate HTTPS
+- **10000** - Third option
+
+Any other port will fail with an error.
+
+### Public URL
+```
+https://nuc-tailscale.tail58f5ad.ts.net[:port]
+```
+
+## Commands
+
+### Check Current Status
+```bash
+ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel status"
+```
+
+### Expose a Service (Background)
+```bash
+# Port 443 (default) - expose Homepage
+ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --bg http://192.168.1.3:3000"
+
+# Port 8443 - expose Vaultwarden
+ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --bg --https=8443 http://192.168.1.3:8222"
+
+# Port 10000 - expose another service
+ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --bg --https=10000 http://192.168.1.3:8080"
+```
+
+### Stop a Funnel
+```bash
+# Stop port 443
+ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --https=443 off"
+
+# Stop port 8443
+ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel --https=8443 off"
+```
+
+### Reset All Funnels
+```bash
+ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel reset"
+```
+
+## Current Configuration
+
+```
+https://nuc-tailscale.tail58f5ad.ts.net (port 443)
+└── / → http://127.0.0.1:3000 (Homepage)
+
+https://nuc-tailscale.tail58f5ad.ts.net:8443
+└── / → http://192.168.1.3:8222 (Vaultwarden)
+```
+
+## Important Notes
+
+### Use Host IP, Not localhost
+When proxying to services outside the Tailscale container:
+```bash
+# WRONG - localhost refers to inside the container
+http://localhost:8222
+
+# CORRECT - use NUC's actual IP
+http://192.168.1.3:8222
+
+# ALSO WORKS - if on same Docker network
+http://host.docker.internal:8222  # May not resolve in all containers
+```
+
+### Persistence
+Funnels configured with `--bg` persist until:
+- Manually stopped
+- Container restart
+- Tailscale logout
+
+For true persistence across container restarts, add to Coolify's container startup or use a cron job.
+
+### Services Requiring HTTPS
+Some services need HTTPS to function (Web Crypto API):
+- **Vaultwarden/Bitwarden** - Password encryption
+- **WebAuthn/Passkeys** - Authentication
+- **Service Workers** - PWA features
+- **Geolocation API** - Location access
+
+## Quick Reference
+
+| Service | Local URL | Funnel Command | Public URL |
+|---------|-----------|----------------|------------|
+| Homepage | http://192.168.1.3:3000 | `funnel --bg http://192.168.1.3:3000` | https://nuc-tailscale.tail58f5ad.ts.net |
+| Vaultwarden | http://192.168.1.3:8222 | `funnel --bg --https=8443 http://192.168.1.3:8222` | https://nuc-tailscale.tail58f5ad.ts.net:8443 |
+
+## Troubleshooting
+
+### "invalid port"
+Only ports 443, 8443, 10000 are allowed for Funnel.
+
+### "connection refused"
+- Service not running on target port
+- Wrong IP (use 192.168.1.3, not localhost)
+- Firewall blocking connection
+
+### Funnel not accessible
+```bash
+# Check if Funnel is enabled on Tailscale admin
+# https://login.tailscale.com/admin/machines
+
+# Verify funnel status
+ssh nuc "docker exec tailscale-posgwooww0s0c0okssooc4gw tailscale funnel status"
+```
+
+## Related
+
+- Tailscale Admin: https://login.tailscale.com/admin/machines
+- CLAUDE.md: Public Access & Security Architecture section
+- Vaultwarden credentials: `.artifacts/2026-02-01_21-25_vaultwarden-credentials.md`