howto/cumin.md

@@ -133,6 +133,15 @@ The tunnel will be shutdown as soon as it's done, and fired up as
 needed. You *will* need to tap your YubiKey, as normal, to get it to
 work of course.
 
+Note that the same automatic tunnel can be setup for the Tails infra by creating
+a second pair of systemd user units, say `tails-puppetdb-tunnel.socket` and
+`tails-puppetdb-tunnel@.service`. In those unit files you'll want to change the
+port number that the socket is listening to and change the destination host for
+the ssh connection in the `.service` file to `puppet.lizard` instead. Then you
+can either ssh manually to your localhost socket-bound port or create an
+alternative cumin configuration file that points to this port instead and use
+this with e.g. `cumin -c ~/.config/cumin/tails-config.yaml`.
+
 This is different from a `-N` "daemon" configuration where the daemon
 stays around for a long-lived connection. This is the only way we've
 found to make it work with socket activation. The alternative to that