authorDaniel Graña2024-02-12 13:53:54 -0300
committerDaniel Graña2024-02-12 13:53:54 -0300
commit139ba3e461c25c282eaaf69df47e8de1dba346ac (patch)
treeea0a1c6b17faf5af75e65fb8358e76497403d679
parentb355754af75dce309538956f0ab8717ea3893d3c (diff)
Pass extra cli flags to tailscale up on setup
-rw-r--r--README.md9
-rwxr-xr-xsetup-initcpio-tailscale26
2 files changed, 25 insertions, 10 deletions
diff --git a/README.md b/README.md
index 3a0bc3d679e6..672729bd87f7 100644
--- a/README.md
+++ b/README.md
@@ -36,6 +36,15 @@ For systemd based initramfs, the insertion order of the `tailscale` hook doesn't
For busybox based initramfs, it is recommended to place it after any network related hook and before any blocking hook like `encrypt` or `encryptssh`
+### Tailscale SSH server
+
+The Tailscale daemon can run a builtin SSH server, if enabled, installing _dropbear_ or _tinyssh_ isn't required to access the node remotely.
+
+To enable it pass `--ssh` option like in: `setup-initcpio-tailscale -- --ssh`
+
+The main difference of the builtin SSH server to something like _dropbear_ or _tinyssh_ is that the former is only accessible over the tailnet,
+the node won't respond to local connections unless the client is also connected to the tailscale network. It is a good thing though.
+
## Security Considerations
The *Tailscale node key* will be stored in plain text inside the initramfs. Even if the root filesystem is encrypted, remember that the initramfs isn't.
diff --git a/setup-initcpio-tailscale b/setup-initcpio-tailscale
index d033c8cad462..97c9502c00f2 100755
--- a/setup-initcpio-tailscale
+++ b/setup-initcpio-tailscale
@@ -3,18 +3,23 @@ set -e
CMD0="${0##*/}"
TS_HOSTNAME="${HOSTNAME}-initrd"
-TS_AUTHKEY=""
TS_STATEDIR=/etc/initcpio/tailscale
PID=""
usage() {
cat <<EOF
-usage: ${CMD0} [options]
+${CMD0} launches and configures Tailscale daemon in an isolated environment that doesn't mess with the system service.
+
+usage: ${CMD0} [options] [-- [tailscale-up-options...]]
Options:
-H Hostname to use when registering the node (default: '${TS_HOSTNAME}')
- -k Node authorization key; if it begins with "file:", then it's a
- path to a file containing the authkey. (default: '${TS_AUTHKEY}')
+
+Any arguments after '--' (double dash), like in 'setup-initcpio-tailscale -- --ssh' are passed verbatim to 'tailscale up'.
+See 'tailscale up --help' output for available flags. i.e.:
+
+ ${CMD0} -H ${TS_HOSTNAME} -- --ssh --login-server=headscale.my.net --authkey=file:node.key
+
EOF
}
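Review bot: The rewritten usage text no longer explains that the auth key can be given as `file:PATH` — the removed `-k` help on the old side said so explicitly, and the new text only hints at it through the example on the last line — even though the key now travels through the argument list of `tailscale up`. Suggest one line after the example: `Prefer --authkey=file:PATH over a literal key so the key does not appear in the process's command line.` `usage` lies entirely within this hunk.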
@@ -27,7 +32,7 @@ cleanup() {
rm -rf "${SETUPDIR}"
fi
if [[ -n "$PID" ]]; then
- kill "$PID"
+ kill "$PID" 2>/dev/null
fi
exit 0
}
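Review bot: `kill "$PID" 2>/dev/null` on the new side only silences the diagnostic; the command's non-zero status is unchanged, and with `set -e` in force (visible in the first hunk's header) a kill of a daemon that has already exited is still a failing simple command inside the EXIT trap, so cleanup may stop before it reaches `exit 0`. If a failed kill is meant to be tolerated, say so in the code rather than only hiding stderr: `kill "$PID" 2>/dev/null || true`. `cleanup` starts before this hunk.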
@@ -36,7 +41,6 @@ trap "cleanup" EXIT
while getopts H:k:d:t:h flag; do
case "$flag" in
H) TS_HOSTNAME="$OPTARG" ;;
- k) TS_AUTHKEY="$OPTARG" ;;
?) usage; exit 0 ;;
esac
done
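Review bot: The optstring on the `while getopts H:k:d:t:h flag` line still declares `k:`, so `-k KEY` is still accepted by getopts and consumes its argument, but with the `k)` arm removed it now lands in `?)` — which, as a case pattern, matches any single-character flag — prints the usage and exits 0; a caller still passing the removed option gets a successful exit without the node ever being registered. Suggest trimming the optstring to what the case actually handles, `while getopts H:h flag; do` (no arms for `d` or `t` are visible either, so they would behave the same way), and giving the catch-all a non-zero status, `?) usage; exit 2 ;;`, with a dedicated `h) usage; exit 0 ;;` arm so `-h` keeps its current behaviour. The `"$@"` forwarded to `tailscale up` in the last hunk only holds the post-`--` arguments if this loop is followed by `shift $((OPTIND - 1))`, which is outside the hunk — worth confirming.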
@@ -51,12 +55,14 @@ tailscaled \
-socket="$socket" \
-no-logs-no-support \
-tun=userspace-networking \
- >"${SETUPDIR}/setup-tailscaled.log" 2>&1 &
+ >"${SETUPDIR}/setup.log" 2>&1 &
PID="$!"
-if ! tailscale -socket="$socket" up --qr --authkey="$TS_AUTHKEY" --hostname="$TS_HOSTNAME"; then
- cp -f "${SETUPDIR}/setup-tailscaled.log" /tmp/
- die "Failed to configure tailscale. Check daemon logs at /tmp/setup-tailscaled.log"
+# --accept-risk=lose-ssh is fine because we are setting up an isolated tailscaled daemon,
+# it has nothing to do with system tailscale service.
+if ! tailscale --socket="$socket" up --qr --hostname="$TS_HOSTNAME" --accept-risk=lose-ssh "$@"; then
+ cp -f "${SETUPDIR}/setup.log" /tmp/setup-initcpio-tailscale-daemon.log
+ die "Failed to configure tailscale. Check daemon logs at /tmp/setup-initcpio-tailscale-daemon.log"
fi
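Review bot: On failure the daemon log is copied with `cp -f` to the fixed name `/tmp/setup-initcpio-tailscale-daemon.log`; the script presumably runs as root (its state dir is under /etc/initcpio), and a predictable name in a world-writable directory means any pre-existing entry at that path, which another local user can create, is what `cp -f` will overwrite or follow. The old code had the same shape with `/tmp/setup-tailscaled.log`, so this is not a regression, but the rename is a good moment to fix it: `logcopy=$(mktemp /tmp/setup-initcpio-tailscale-daemon.XXXXXX)`, `cp -f "${SETUPDIR}/setup.log" "$logcopy"`, `die "Failed to configure tailscale. Check daemon logs at $logcopy"`. The comment above the `tailscale up` line should also note that `--accept-risk=lose-ssh` is what lets `--ssh` (the README's example) be enabled non-interactively, since that is the flag the option is there to unblock.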