instruqt: fix GCP exit node routing deadlock

On GCP, rp_filter=2 alone is not enough. Tailscale's DERP and control
plane connections lack SO_MARK, hitting table 52's default route via
tailscale0 before the tunnel exists. Add a source-based ip rule at
priority 100 so those connections bypass tailscale0 via the main table.

Also add push-instruqt-tailscale.sh for pushing the track to Tailscale's
Instruqt org.

Author: kartikb-tailscale

instruqt/01-hello-tailnet/setup-workshop

@@ -60,6 +60,13 @@ net.ipv4.conf.default.rp_filter = 2
 EOF
 sysctl --system
 
+# rp_filter=2 alone is not sufficient on GCP. Tailscale's DERP and
+# control plane connections don't have SO_MARK set, so they hit table
+# 52's default route (via tailscale0) before the exit node tunnel
+# exists, deadlocking the bootstrap. This source-based rule ensures
+# all traffic from this VM's IP uses the main table directly.
+ip rule add from "$(ip route get 8.8.8.8 | grep -oP 'src \K\S+')/32" lookup main priority 100
+
 # --- Local reverse proxy for Instruqt service tabs ---
 # Instruqt `service` tabs proxy VM ports, not tailnet URLs, and render
 # the proxied site inside an iframe. Caddy listens on :8233 and :80,

scripts/push-instruqt-tailscale.sh

@@ -0,0 +1,21 @@
+#!/bin/zsh
+set -euo pipefail
+
+REPO_ROOT="$(git -C "$(dirname "$0")" rev-parse --show-toplevel)"
+INSTRUQT_DIR="$REPO_ROOT/instruqt"
+
+# Patch track.yml for tailscale org
+sed -i '' 's/^owner: temporal/owner: tailscale/' "$INSTRUQT_DIR/track.yml"
+sed -i '' '/^id: /d' "$INSTRUQT_DIR/track.yml"
+sed -i '' '/mason\.egger@temporal\.io/d' "$INSTRUQT_DIR/track.yml"
+
+# Clear challenge IDs
+for f in "$INSTRUQT_DIR"/*/assignment.md; do
+    sed -i '' '/^id: /d' "$f"
+done
+
+# Push (instruqt requires cwd to be the track directory)
+(builtin cd "$INSTRUQT_DIR" && instruqt track push --force)
+
+# Restore so we don't accidentally commit the patched files
+git -C "$REPO_ROOT" checkout -- instruqt/