GitHub reports that this file contains bidirectional Unicode text, which an editor can render differently from how a shell will actually parse and execute it. Review the raw bytes in an editor that reveals hidden Unicode characters before running the script.
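#!/bin/sh
# Bootstrap a jailmaker (jlmkr) jail on TrueNAS SCALE that runs Tailscale on
# behalf of the host.
#
# Requires: TS_AUTHKEY in the environment (a Tailscale auth key), `jlmkr` on
# PATH, and `curl` on the host. `jlmkr create` prompts interactively; see the
# note next to it.
set -o errexit -o nounset

if [ -z "${TS_AUTHKEY:-}" ]; then
  printf 'TS_AUTHKEY unset.\n' >&2
  exit 1
fi

# Fail early if jlmkr is missing; otherwise JAIL_ROOT below would silently
# resolve relative to ".", because `dirname ""` prints ".".
if ! JLMKR_PATH=$(command -v jlmkr); then
  printf 'jlmkr not found on PATH.\n' >&2
  exit 1
fi

JAIL_NAME=$(hostname)-tailscale
# jailmaker keeps its jails next to the jlmkr script itself.
JAIL_ROOT=$(dirname "$(readlink -f "$JLMKR_PATH")")/jails/$JAIL_NAME/rootfs

# Create the jail. `jlmkr create` walks through its configuration
# interactively; keep the defaults except for the following:
#
#   Additional flags: --capability=CAP_NET_ADMIN,CAP_NET_RAW
#
# These capabilities are granted to the whole jail (presumably what tailscaled
# needs to create and configure its interface), so keep the jail dedicated to
# Tailscale rather than reusing it for other services.
jlmkr create "$JAIL_NAME"

if [ ! -d "$JAIL_ROOT" ]; then
  printf 'Jail rootfs not found at %s\n' "$JAIL_ROOT" >&2
  exit 1
fi

# Wait until commands can be executed inside the jail. `machinectl show` lists
# the jail as "running" before `systemd-run` succeeds, probably because systemd
# inside the container is not ready immediately. The wait is bounded so a jail
# that never comes up fails the script instead of hanging forever.
WAIT_SECS=${JAIL_START_TIMEOUT:-60}
elapsed=0
while ! jlmkr exec "$JAIL_NAME" true >/dev/null 2>&1; do
  if [ "$elapsed" -ge "$WAIT_SECS" ]; then
    printf 'Jail %s did not become ready within %ss.\n' "$JAIL_NAME" "$WAIT_SECS" >&2
    exit 1
  fi
  printf 'Waiting for jail to start...\n'
  sleep 1
  elapsed=$((elapsed + 1))
done

# Upgrade the container's base system. apt-get is the stable, scriptable
# front end (apt(8) warns against use in scripts), and `upgrade` needs -y:
# without it the step blocks on a confirmation prompt, or aborts when stdin is
# not a terminal.
jlmkr exec "$JAIL_NAME" apt-get update
jlmkr exec "$JAIL_NAME" apt-get upgrade -y

# APT needs the CA bundle to fetch from the HTTPS Tailscale repository below.
jlmkr exec "$JAIL_NAME" apt-get install -y ca-certificates

# Determine the Debian release codename inside the jail; it selects the
# matching Tailscale repository suite and keyring.
# shellcheck disable=SC2016
APT_CODENAME=$(jlmkr exec "$JAIL_NAME" sh -c '. /etc/os-release && printf "%s" \
  "$VERSION_CODENAME"')
if [ -z "$APT_CODENAME" ]; then
  printf 'Could not determine the Debian codename inside the jail.\n' >&2
  exit 1
fi

# Install Tailscale (https://tailscale.com/kb/1174/install-debian-bookworm/).
#
# The archive keyring is fetched on the host and written into the jail's
# rootfs. --fail keeps an HTTP error page from being saved as the keyring
# (plain curl exits 0 on a 404, and apt would then fail with a confusing
# error), and the https-only options stop a redirect from downgrading to HTTP.
# Trust for the repository rests on TLS to pkgs.tailscale.com and the host's
# CA bundle; no key fingerprint is pinned here.
KEYRING=/usr/share/keyrings/tailscale-archive-keyring.gpg
trap 'rm -f -- "$JAIL_ROOT$KEYRING.tmp"' EXIT
curl --fail --silent --show-error --location \
  --proto '=https' --proto-redir '=https' --tlsv1.2 \
  --output "$JAIL_ROOT$KEYRING.tmp" \
  "https://pkgs.tailscale.com/stable/debian/$APT_CODENAME.noarmor.gpg"
mv -- "$JAIL_ROOT$KEYRING.tmp" "$JAIL_ROOT$KEYRING"
printf 'deb [signed-by=%s] https://pkgs.tailscale.com/stable/debian %s main\n' \
  "$KEYRING" "$APT_CODENAME" >"$JAIL_ROOT/etc/apt/sources.list.d/tailscale.list"
jlmkr exec "$JAIL_NAME" apt-get update
jlmkr exec "$JAIL_NAME" apt-get install -y tailscale

# Authenticate with Tailscale and bring up the tailscale0 interface, which
# ends up serving the TrueNAS host (the jail is expected to share the host's
# network, per the setup above).
#
# MagicDNS is disabled because it would only rewrite /etc/resolv.conf inside
# the container, which is not useful for the host.
#
# --hostname overrides Tailscale's default (the container's hostname) so the
# node appears in the admin console under the TrueNAS hostname it exposes.
#
# NOTE(review): the auth key is passed on the command line, so it is visible in
# `ps` on the host and inside the jail while `tailscale up` runs. Prefer a
# single-use (non-reusable) key so any exposure is time-limited. Newer
# tailscale builds document `--auth-key=file:/path` to keep the key off argv;
# confirm the installed version supports it before switching.
jlmkr exec "$JAIL_NAME" tailscale up --accept-dns=false \
  --authkey="$TS_AUTHKEY" --hostname="$(hostname)"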