refactor(tailscale): reworked tailscale app with params (#3802)

2024-06-16 23:03:53 +02:00 · 2024-06-16 23:03:53 +02:00 · ef33a1441c
commit ef33a1441c
parent 0b9abf6d05
3 changed files with 78 additions and 20 deletions
--- a/apps/tailscale/config.json
+++ b/apps/tailscale/config.json
@ -2,16 +2,70 @@
  "$schema": "../schema.json",
  "name": "Tailscale",
  "available": true,
+  "exposable": false,
+  "no_gui": true,
  "port": 8093,
  "id": "tailscale",
-  "tipi_version": 28,
+  "tipi_version": 29,
  "version": "1.66.4",
-  "categories": ["network", "security"],
+  "categories": [
+    "network",
+    "security"
+  ],
  "description": "Zero config VPN. Installs on any device in minutes, manages firewall rules for you, and works from anywhere.",
  "short_desc": "The easiest, most secure way to use WireGuard and 2FA.",
  "author": "© Tailscale Inc.",
  "source": "https://github.com/tailscale/tailscale",
  "website": "https://tailscale.com/",
-  "form_fields": [],
-  "supported_architectures": ["arm64", "amd64"]
-}
+  "form_fields": [
+    {
+      "type": "boolean",
+      "label": "TS_ACCEPT_DNS > Accept DNS configuration from the admin console. Not accepted by default.",
+      "env_variable": "TAILSCALE_ACCEPT_DNS"
+    },
+    {
+      "type": "boolean",
+      "label": "TS_AUTH_ONCE > Attempt to log in only if not already logged in. False by default, to forcibly log in every time the container starts.",
+      "env_variable": "TAILSCALE_AUTH_ONCE"
+    },
+    {
+      "type": "text",
+      "label": "TS_AUTHKEY > An auth key used to authenticate the container. It is also possible to use an OAuth client secret. To mark a containerized node as ephemeral append ?ephemeral=true to the auth key or OAuth client secret.",
+      "placeholder": "tskey-abcdef1432341818",
+      "env_variable": "TAILSCALE_AUTHKEY"
+    },
+    {
+      "type": "text",
+      "label": "TS_HOSTNAME > Use the specified hostname for the node.",
+      "placeholder": "runtipi",
+      "env_variable": "TAILSCALE_HOSTNAME"
+    },
+    {
+      "type": "text",
+      "label": "TS_ROUTES > Advertise subnet routes. To accept advertised routes, use TS_EXTRA_ARGS to pass in --accept-routes.",
+      "placeholder": "10.0.0.0/8,192.168.0.0/24",
+      "env_variable": "TAILSCALE_ROUTES"
+    },
+    {
+      "type": "text",
+      "label": "TS_SERVE_CONFIG > Accepts a JSON file to programatically configure Serve and Funnel functionality. Located in app-data/tailscale/data/config/*",
+      "placeholder": "/config/serve-config.json",
+      "env_variable": "TAILSCALE_SERVE_CONFIG"
+    },
+    {
+      "type": "text",
+      "label": "TS_EXTRA_ARGS > Any other flags to pass in to the Tailscale CLI.",
+      "placeholder": "--accept-routes --advertise-tags=tag:container",
+      "env_variable": "TAILSCALE_EXTRA_ARGS"
+    },
+    {
+      "type": "boolean",
+      "label": "TS_USERSPACE > Enable userspace networking, instead of kernel networking. Enabled by default.",
+      "env_variable": "TAILSCALE_USERSPACE"
+    }
+  ],
+  "supported_architectures": [
+    "arm64",
+    "amd64"
+  ]
+}
--- a/apps/tailscale/docker-compose.yml
+++ b/apps/tailscale/docker-compose.yml
@ -1,20 +1,22 @@
-version: "3.8"
-
 services:
  tailscale:
    container_name: tailscale
-    network_mode: "host" # TODO: Find a way to remove this
    image: tailscale/tailscale:v1.66.4
-    privileged: true
-    restart: on-failure
-    stop_grace_period: 1m
-    command: "sh -c 'tailscale web --listen 0.0.0.0:${APP_PORT} & exec tailscaled --tun=userspace-networking'"
+    environment:
+      - TS_SERVE_CONFIG=${TAILSCALE_SERVE_CONFIG}
+      - TS_ACCEPT_DNS=${TAILSCALE_ACCEPT_DNS-false}
+      - TS_AUTH_ONCE=${TAILSCALE_AUTH_ONCE-false}
+      - TS_AUTHKEY=${TAILSCALE_AUTHKEY}
+      - TS_HOSTNAME=${TAILSCALE_HOSTNAME-runtipi}
+      - TS_ROUTES=${TAILSCALE_ROUTES}
+      - TS_EXTRA_ARGS=${TAILSCALE_EXTRA_ARGS}
+      - TS_USERSPACE=${TAILSCALE_USERSPACE-true}
+      - TS_STATE_DIR=/var/lib/tailscale
+    cap_add:
+      - net_admin
+      - sys_module
+    restart: unless-stopped
    volumes:
-      - /var/lib:/var/lib
+      - ${APP_DATA_DIR}/data/state:/var/lib/tailscale
+      - ${APP_DATA_DIR}/data/config:/config
      - /dev/net/tun:/dev/net/tun
-    healthcheck:
-      test: wget --no-verbose --tries=1 --spider http://localhost:${APP_PORT}
-      interval: 10s
-      timeout: 5s
-      retries: 5
-      start_period: 30s
--- a/apps/tailscale/metadata/description.md
+++ b/apps/tailscale/metadata/description.md
@ -4,4 +4,6 @@ Zero config VPN. Installs on any device in minutes, manages firewall rules for y
 Create a secure network between your servers, computers, and cloud instances. Even when separated by firewalls or subnets, Tailscale just works.
 Devices only connect after signing in through your existing identity provider. Easily enforce multi-factor authentication, deauthorize employees who’ve moved on, and more.

-![Screenshot](https://tailscale.com/static/images/marketing/home-illustration-2080w.webp)
+![Screenshot](https://tailscale.com/static/images/marketing/home-illustration-2080w.webp)
+
+**Documentation:** https://tailscale.com/kb/1282/docker#parameters