Add operational documentation

CloudBeaver database manager guide, Ecija intranet deployment,
Gitea-Coolify auto-deploy and integration docs, monitoring setup
with presentation, remote access guide, security architecture,
and Turbostarter deployment procedure.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/remote-access.md

@@ -0,0 +1,252 @@
+# Remote Access Guide
+
+Two methods for accessing home network remotely: **Tailscale** (recommended) and **WireGuard** (backup).
+
+## Quick Reference
+
+| Method | Use Case | Connection |
+|--------|----------|------------|
+| **Tailscale** | Daily use, zero config | Automatic via mesh |
+| **WireGuard** | Backup, full LAN | `~/wireguard/home-vpn.conf` |
+
+## Tailscale (Recommended)
+
+### Why Tailscale
+- Zero configuration after setup
+- Works through any NAT/firewall
+- Auto-reconnects on network changes
+- No ports exposed on router
+
+### Setup (Already Configured)
+
+**NUC as Subnet Router:**
+```bash
+# On NUC - advertise home LAN
+sudo tailscale up --advertise-routes=192.168.1.0/24 --accept-routes
+```
+
+**Mac - Accept Routes:**
+```bash
+/Applications/Tailscale.app/Contents/MacOS/Tailscale up --accept-routes
+```
+
+### Usage
+
+Once connected to Tailscale, access home LAN directly:
+
+```bash
+# SSH to NUC
+ssh 192.168.1.3
+
+# Access router admin
+open http://192.168.1.1
+
+# Access any LAN device
+ping 192.168.1.x
+```
+
+### Status & Troubleshooting
+
+```bash
+# Check status
+/Applications/Tailscale.app/Contents/MacOS/Tailscale status
+
+# Restart connection
+/Applications/Tailscale.app/Contents/MacOS/Tailscale down
+/Applications/Tailscale.app/Contents/MacOS/Tailscale up --accept-routes
+
+# If logged out
+/Applications/Tailscale.app/Contents/MacOS/Tailscale up
+# Click auth link
+```
+
+### Tailscale Devices
+
+| Device | Tailscale IP | Purpose |
+|--------|--------------|---------|
+| alejandros-macbook-pro | 100.97.192.56 | This Mac |
+| alezmad-nuc | 100.113.153.45 | NUC (subnet router) |
+| nuc-tailscale | 100.110.198.76 | NUC Funnel endpoint |
+
+---
+
+## WireGuard (Backup)
+
+### Why WireGuard Backup
+- Works if Tailscale is down
+- Direct connection (no relay)
+- Full LAN access via OpenWrt
+
+### Architecture
+
+```
+Mac (10.10.10.2)
+    ↓ WireGuard tunnel
+alezmad.duckdns.org:51820 (dynamic DNS)
+    ↓
+OpenWrt Router (10.10.10.1 / 192.168.1.1)
+    ↓
+Home LAN (192.168.1.0/24)
+```
+
+### Server (OpenWrt Router)
+
+| Property | Value |
+|----------|-------|
+| Interface | wg0 |
+| Listen Port | 51820 |
+| Server IP | 10.10.10.1/24 |
+| Public Key | `LWajYq1vGnhnn5vC465nsXFWcbgflDxEHXDtUgTcwQs=` |
+
+### Client Config (Mac)
+
+**File:** `~/wireguard/home-vpn.conf`
+
+```ini
+[Interface]
+PrivateKey = aFklbF6A5dIWmV6gN0NI9A3pv/RmioEsBLWaaXupIns=
+Address = 10.10.10.2/24
+DNS = 192.168.1.1
+
+[Peer]
+PublicKey = LWajYq1vGnhnn5vC465nsXFWcbgflDxEHXDtUgTcwQs=
+Endpoint = alezmad.duckdns.org:51820
+AllowedIPs = 192.168.1.0/24, 10.10.10.0/24
+PersistentKeepalive = 25
+```
+
+### Usage
+
+**WireGuard App (GUI):**
+1. Open WireGuard app
+2. Import `~/wireguard/home-vpn.conf` (already imported)
+3. Toggle "home-vpn" to connect
+
+**CLI:**
+```bash
+# Connect
+sudo wg-quick up ~/wireguard/home-vpn.conf
+
+# Disconnect
+sudo wg-quick down ~/wireguard/home-vpn.conf
+
+# Status
+sudo wg show
+```
+
+---
+
+## DuckDNS (Dynamic IP)
+
+### Why DuckDNS
+- ISP can change public IP anytime
+- DuckDNS tracks current IP
+- WireGuard uses hostname instead of IP
+
+### Configuration
+
+| Property | Value |
+|----------|-------|
+| Subdomain | alezmad.duckdns.org |
+| Token | `8dd8e041-2fa3-4b3d-9317-f62b912214da` |
+| Update Source | OpenWrt router |
+| Check Interval | 10 minutes |
+
+### OpenWrt DDNS Service
+
+```bash
+# Check status
+ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "cat /var/run/ddns/duckdns.*"
+
+# Manual update
+ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "/etc/init.d/ddns restart"
+
+# View config
+ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "uci show ddns"
+```
+
+### Verify DNS Resolution
+
+```bash
+dig +short alezmad.duckdns.org
+# Should return current public IP
+```
+
+---
+
+## Comparison
+
+| Feature | Tailscale | WireGuard |
+|---------|-----------|-----------|
+| Setup complexity | Minimal | Moderate |
+| Port forwarding needed | No | Yes (51820) |
+| NAT traversal | Automatic | Manual |
+| Dynamic IP handling | Automatic | Via DuckDNS |
+| Speed | Good (may relay) | Excellent (direct) |
+| Dependencies | Tailscale service | OpenWrt only |
+
+---
+
+## Troubleshooting
+
+### Tailscale Won't Connect
+```bash
+# Check if running
+ps aux | grep -i tailscale
+
+# Restart app
+killall Tailscale
+open -a Tailscale
+
+# Re-authenticate
+/Applications/Tailscale.app/Contents/MacOS/Tailscale up
+```
+
+### WireGuard Won't Connect
+
+1. **Check DuckDNS resolves:**
+   ```bash
+   dig +short alezmad.duckdns.org
+   ```
+
+2. **Check port 51820 is open:**
+   ```bash
+   nc -zv alezmad.duckdns.org 51820
+   ```
+
+3. **Check WireGuard on router:**
+   ```bash
+   ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "wg show"
+   ```
+
+4. **IP changed but DuckDNS stale:**
+   ```bash
+   ssh -i ~/.ssh/id_ed25519_nuc root@192.168.1.1 "/etc/init.d/ddns restart"
+   ```
+
+### Can't Access LAN via Tailscale
+
+1. **Check routes accepted on Mac:**
+   ```bash
+   /Applications/Tailscale.app/Contents/MacOS/Tailscale status
+   # Should show alezmad-nuc as "active"
+   ```
+
+2. **Re-enable route acceptance:**
+   ```bash
+   /Applications/Tailscale.app/Contents/MacOS/Tailscale up --accept-routes
+   ```
+
+3. **Check subnet router is advertising:**
+   ```bash
+   ssh nuc "tailscale status"
+   ```
+
+---
+
+## Security Notes
+
+- **Tailscale:** Traffic encrypted end-to-end, keys managed by Tailscale
+- **WireGuard:** Traffic encrypted, keys stored locally
+- **DuckDNS:** Only exposes that a hostname points to your IP (no credentials)
+- **Port 51820:** Only WireGuard handshakes accepted, cryptographically verified