diff --git a/tailscale/DOCS.md b/tailscale/DOCS.md index f313a5b7..9550c07a 100644 --- a/tailscale/DOCS.md +++ b/tailscale/DOCS.md @@ -57,6 +57,7 @@ device. See [Key expiry][tailscale_info_key_expiry] for more information. ```yaml accept_dns: true advertise_exit_node: true +funnel: true log_level: info login_server: "https://controlplane.tailscale.com" tags: @@ -89,6 +90,57 @@ More information: When not set, this option is enabled by default. +### Option: `funnel` + +This requires Tailscale Proxy to be enabled. + +**Important:** See also the "Option: `proxy`" section of this documentation for the +necessary configuration changes in Home Assistant! + +When not set, this option is enabled by default. + +With the Tailscale Funnel feature, you can access your Home Assistant instance +from the wider internet using your Tailscale domain (like +`https://homeassistant.tail1234.ts.net`) even from devices **without installed +Tailscale VPN client** (for example, on general phones, tablets, and laptops). + +**Client** ⇒ _Internet_ ⇒ **Tailscale Funnel** (TCP proxy) ⇒ +_VPN_ ⇒ **Tailscale Proxy** (HTTPS proxy) → **HA** (HTTP web-server) + +Without the Tailscale Funnel feature, you will be able to access your Home +Assistant instance only when your devices (for example, phones, tablets, and laptops) +are connected to your Tailscale VPN, there will be no Internet ⇒ VPN TCP +proxying for HTTPS communication. + +More information: [Tailscale Funnel][tailscale_info_funnel] + +1. Navigate to the [Access controls page][tailscale_acls] of the admin console, + and add the below policy entries to the policy file. See [Server role + accounts using ACL tags][tailscale_info_acls] for more information. + + ```json + { + "nodeAttrs": [ + { + "target": ["autogroup:members"], + "attr": ["funnel"] + } + ] + } + ``` + +1. Restart the add-on. + +**Note**: _After initial setup, it can take up to 10 minutes for the domain to +be publicly available._ + +**Note:** _You should not use any port number in the URL that you used +previously to access Home Assistant. Tailscale Funnel works on the default HTTPS +port 443._ + +**Note:** _If you encounter strange browser behaviour or strange error messages, +try to clear all site related cookies, clear all browser cache, restart browser._ + ### Option: `log_level` Optionally enable tailscaled debug messages in the add-on's log. Turn it on only @@ -253,6 +305,9 @@ SOFTWARE. [releases]: https://github.com/hassio-addons/addon-tailscale/releases [semver]: https://semver.org/spec/v2.0.0.html [taildrop]: https://tailscale.com/taildrop/ +[tailscale_acls]: https://login.tailscale.com/admin/acls [tailscale_dns]: https://login.tailscale.com/admin/dns +[tailscale_info_acls]: https://tailscale.com/kb/1068/acl-tags/ +[tailscale_info_funnel]: https://tailscale.com/kb/1223/tailscale-funnel/ [tailscale_info_https]: https://tailscale.com/kb/1153/enabling-https/ [tailscale_info_key_expiry]: https://tailscale.com/kb/1028/key-expiry/ diff --git a/tailscale/config.yaml b/tailscale/config.yaml index 8862bed7..9ede88e4 100644 --- a/tailscale/config.yaml +++ b/tailscale/config.yaml @@ -29,6 +29,7 @@ map: schema: accept_dns: bool? advertise_exit_node: bool? + funnel: bool? log_level: list(trace|debug|info|notice|warning|error|fatal)? login_server: url? tags: ["match(^tag:[a-zA-Z0-9]-?[a-zA-Z0-9]+$)?"] diff --git a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/funnel/dependencies.d/proxy b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/funnel/dependencies.d/proxy new file mode 100644 index 00000000..e69de29b diff --git a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/funnel/run b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/funnel/run new file mode 100755 index 00000000..ac124bd0 --- /dev/null +++ b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/funnel/run @@ -0,0 +1,35 @@ +#!/command/with-contenv bashio +# shellcheck shell=bash +# ============================================================================== +# Home Assistant Community Add-on: Tailscale +# Enables Tailscale Funnel feature +# ============================================================================== + +declare domain + +# Check if Tailscale HTTPS is enabled +if ! /opt/tailscale status --self=true --peers=false --json \ + | jq -rce '.Self.CapMap | has("https")' > /dev/null; +then + bashio::log.notice "Tailscale's HTTPS support is disabled. Therefore, the add-on's Tailscale Funnel functionality is disabled." + bashio::exit.ok +fi + +domain=$(/opt/tailscale status --self=true --peers=false --json | jq -rc ".CertDomains[0]") + +# Check if Funnel is available +if ! /opt/tailscale status --self=true --peers=false --json \ + | jq -rce '.Self.CapMap | has("funnel")' > /dev/null; +then + bashio::log.notice "Tailscale's Funnel support is disabled. Therefore, the add-on's Tailscale Funnel functionality is disabled." + bashio::exit.ok +fi + +# Set up funnel +if ! /opt/tailscale funnel 443 on; then + bashio::log.error "Unable to configure Tailscale Funnel" + bashio::exit.nok +fi +bashio::log.info "Tailscale Funnel is enabled:" +bashio::log.info " Your Home Assistant instance is publicly available on the internet at" +bashio::log.info " https://${domain}" diff --git a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/funnel/type b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/funnel/type new file mode 100644 index 00000000..bdd22a18 --- /dev/null +++ b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/funnel/type @@ -0,0 +1 @@ +oneshot diff --git a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/funnel/up b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/funnel/up new file mode 100644 index 00000000..53789cff --- /dev/null +++ b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/funnel/up @@ -0,0 +1 @@ +/etc/s6-overlay/s6-rc.d/funnel/run diff --git a/tailscale/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/funnel b/tailscale/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/funnel new file mode 100644 index 00000000..e69de29b diff --git a/tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh b/tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh index c82b6945..3139ff53 100755 --- a/tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh +++ b/tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh @@ -14,3 +14,8 @@ fi if bashio::config.false 'proxy'; then rm /etc/s6-overlay/s6-rc.d/user/contents.d/proxy fi + +# Disable funnel service when it is has been explicitly disabled +if bashio::config.false 'proxy' || bashio::config.false 'funnel'; then + rm /etc/s6-overlay/s6-rc.d/user/contents.d/funnel +fi diff --git a/tailscale/translations/en.yaml b/tailscale/translations/en.yaml index 8a6346d3..3153a701 100644 --- a/tailscale/translations/en.yaml +++ b/tailscale/translations/en.yaml @@ -13,6 +13,13 @@ configuration: By setting a device on your network as an exit node, you can use it to route all your public internet traffic as needed, like a consumer VPN. When not set, this option is enabled by default. + funnel: + name: Tailscale Funnel + description: >- + This option allows you to enable Tailscale's Funnel feature to present your + Home Assistant instance on the wider internet using your Tailscale domain. + This requires Tailscale Proxy to be enabled. + When not set, this option is enabled by default. log_level: name: Log level description: >- @@ -24,6 +31,12 @@ configuration: This option allows you to specify a custom control server for this Tailscale instance, for example, a self-host Headscale instance. By default, it uses the control server provided by Tailscale. + proxy: + name: Tailscale Proxy + description: >- + This option allows you to enable Tailscale's Proxy feature to present your + Home Assistant instance on your tailnet with a valid certificate. + When not set, this option is enabled by default. tags: name: Tags description: >- @@ -35,9 +48,3 @@ configuration: This option allows you to enable Taildrop, a file sharing service that allows you to share files with other Tailscale nodes. When not set, this option is enabled by default. - proxy: - name: Tailscale Proxy - description: >- - This option allows you to enable Tailscale's Proxy feature to present your - Home Assistant instance on your tailnet with a valid certificate. - When not set, this option is enabled by default.