Enable Tailscale's Funnel feature (#197)

Co-authored-by: Franck Nijhof <[email protected]>

tailscale/DOCS.md

@@ -57,6 +57,7 @@ device. See [Key expiry][tailscale_info_key_expiry] for more information.
 ```yaml
 accept_dns: true
 advertise_exit_node: true
+funnel: true
 log_level: info
 login_server: "https://controlplane.tailscale.com"
 proxy: true
@@ -89,6 +90,57 @@ More information: <https://tailscale.com/kb/1103/exit-nodes/>
 
 When not set, this option is enabled by default.
 
+### Option: `funnel`
+
+This requires Tailscale Proxy to be enabled.
+
+**Important:** See also the "Option: `proxy`" section of this documentation for the
+necessary configuration changes in Home Assistant!
+
+When not set, this option is enabled by default.
+
+With the Tailscale Funnel feature, you can access your Home Assistant instance
+from the wider internet using your Tailscale domain (like
+`https://homeassistant.tail1234.ts.net`) even from devices **without installed
+Tailscale VPN client** (for example, on general phones, tablets, and laptops).
+
+**Client** &#8658; _Internet_ &#8658; **Tailscale Funnel** (TCP proxy) &#8658;
+_VPN_ &#8658; **Tailscale Proxy** (HTTPS proxy) &#8594; **HA** (HTTP web-server)
+
+Without the Tailscale Funnel feature, you will be able to access your Home
+Assistant instance only when your devices (for example, phones, tablets, and laptops)
+are connected to your Tailscale VPN, there will be no Internet &#8658; VPN TCP
+proxying for HTTPS communication.
+
+More information: [Tailscale Funnel][tailscale_info_funnel]
+
+1. Navigate to the [Access controls page][tailscale_acls] of the admin console,
+   and add the below policy entries to the policy file. See [Server role
+   accounts using ACL tags][tailscale_info_acls] for more information.
+
+   ```json
+   {
+     "nodeAttrs": [
+       {
+         "target": ["autogroup:members"],
+         "attr": ["funnel"]
+       }
+     ]
+   }
+   ```
+
+1. Restart the add-on.
+
+**Note**: _After initial setup, it can take up to 10 minutes for the domain to
+be publicly available._
+
+**Note:** _You should not use any port number in the URL that you used
+previously to access Home Assistant. Tailscale Funnel works on the default HTTPS
+port 443._
+
+**Note:** _If you encounter strange browser behaviour or strange error messages,
+try to clear all site related cookies, clear all browser cache, restart browser._
+
 ### Option: `log_level`
 
 Optionally enable tailscaled debug messages in the add-on's log. Turn it on only
@@ -253,6 +305,9 @@ SOFTWARE.
 [releases]: https://github.com/hassio-addons/addon-tailscale/releases
 [semver]: https://semver.org/spec/v2.0.0.html
 [taildrop]: https://tailscale.com/taildrop/
+[tailscale_acls]: https://login.tailscale.com/admin/acls
 [tailscale_dns]: https://login.tailscale.com/admin/dns
+[tailscale_info_acls]: https://tailscale.com/kb/1068/acl-tags/
+[tailscale_info_funnel]: https://tailscale.com/kb/1223/tailscale-funnel/
 [tailscale_info_https]: https://tailscale.com/kb/1153/enabling-https/
 [tailscale_info_key_expiry]: https://tailscale.com/kb/1028/key-expiry/

tailscale/config.yaml

@@ -29,6 +29,7 @@ map:
 schema:
   accept_dns: bool?
   advertise_exit_node: bool?
+  funnel: bool?
   log_level: list(trace|debug|info|notice|warning|error|fatal)?
   login_server: url?
   proxy: bool?

tailscale/rootfs/etc/s6-overlay/s6-rc.d/funnel/run

@@ -0,0 +1,35 @@
+#!/command/with-contenv bashio
+# shellcheck shell=bash
+# ==============================================================================
+# Home Assistant Community Add-on: Tailscale
+# Enables Tailscale Funnel feature
+# ==============================================================================
+
+declare domain
+
+# Check if Tailscale HTTPS is enabled
+if ! /opt/tailscale status --self=true --peers=false --json \
+  | jq -rce '.Self.CapMap | has("https")' > /dev/null;
+then
+  bashio::log.notice "Tailscale's HTTPS support is disabled. Therefore, the add-on's Tailscale Funnel functionality is disabled."
+  bashio::exit.ok
+fi
+
+domain=$(/opt/tailscale status --self=true --peers=false --json | jq -rc ".CertDomains[0]")
+
+# Check if Funnel is available
+if ! /opt/tailscale status --self=true --peers=false --json \
+  | jq -rce '.Self.CapMap | has("funnel")' > /dev/null;
+then
+  bashio::log.notice "Tailscale's Funnel support is disabled. Therefore, the add-on's Tailscale Funnel functionality is disabled."
+  bashio::exit.ok
+fi
+
+# Set up funnel
+if ! /opt/tailscale funnel 443 on; then
+  bashio::log.error "Unable to configure Tailscale Funnel"
+  bashio::exit.nok
+fi
+bashio::log.info "Tailscale Funnel is enabled:"
+bashio::log.info "  Your Home Assistant instance is publicly available on the internet at"
+bashio::log.info "  https://${domain}"

tailscale/rootfs/etc/s6-overlay/s6-rc.d/funnel/type

@@ -0,0 +1 @@
+oneshot

tailscale/rootfs/etc/s6-overlay/s6-rc.d/funnel/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/funnel/run

tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh

@@ -14,3 +14,8 @@ fi
 if bashio::config.false 'proxy'; then
     rm /etc/s6-overlay/s6-rc.d/user/contents.d/proxy
 fi
+
+# Disable funnel service when it is has been explicitly disabled
+if bashio::config.false 'proxy' || bashio::config.false 'funnel'; then
+    rm /etc/s6-overlay/s6-rc.d/user/contents.d/funnel
+fi

tailscale/translations/en.yaml

@@ -13,6 +13,13 @@ configuration:
       By setting a device on your network as an exit node, you can use it to
       route all your public internet traffic as needed, like a consumer VPN.
       When not set, this option is enabled by default.
+  funnel:
+    name: Tailscale Funnel
+    description: >-
+      This option allows you to enable Tailscale's Funnel feature to present your
+      Home Assistant instance on the wider internet using your Tailscale domain.
+      This requires Tailscale Proxy to be enabled.
+      When not set, this option is enabled by default.
   log_level:
     name: Log level
     description: >-