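# tailscale under podman on fedora
# tested on Fedora IOT (arm64 and amd64) and Silverblue (amd64).
# All steps are run as root, one at a time (they load kernel modules and write
# under /etc and /etc/systemd/system).

# ensure the tun module is loaded now and on every boot
# (the module is `tun`; `modprobe run` is a typo that silently does nothing useful)
modprobe tun
printf '%s\n' tun > /etc/modules-load.d/tun.conf

# ensure the iptables xt_mark module is loaded now and on every boot
modprobe xt_mark
printf '%s\n' xt_mark > /etc/modules-load.d/xt_mark.conf

# ensure the iptables ip6table_filter module is loaded now and on every boot
# (the module name is `ip6table_filter`, singular -- the same name that the
# modules-load.d file below uses; `ip6tables_filter` does not exist)
modprobe ip6table_filter
printf '%s\n' ip6table_filter > /etc/modules-load.d/ip6table_filter.conf

## The following steps to use iptables-legacy rather than nftables for firewalld are only required for Exit or Subnet Routers.
# iptables rather than nftables, for compatibility
# 2022-11-01 - this no longer seems required, we can stick with nftables.
#rpm-ostree install iptables-legacy
#sed -i 's/^FirewallBackend=.*/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf

# create storage for tailscaled's state. This volume ends up holding the node's
# identity (including its private node key), so treat copies/backups of it like
# a credential, not like ordinary config.
podman volume create tailscaled-state

# launch the container. $HOSTNAME becomes the node's default name in the tailnet
# (e.g. in MagicDNS); replace the variable with a name of your choice if you prefer.
# for further --env flags check out https://github.com/tailscale/tailscale/blob/main/docs/k8s/run.sh
# e.g. `--env TS_ROUTES=10.0.0.0/24` will advertise routing for the specified subnet.
#
# Privilege and supply-chain notes before you run this:
#  * --network host together with --privileged gives the process in the container
#    essentially the same reach as root on the host: every capability, every
#    device, and podman's default seccomp/SELinux confinement switched off.
#    The narrower grant tailscaled needs for kernel-mode networking is
#    `--cap-add net_admin,net_raw` (plus --device /dev/net/tun below). Try the
#    cap-add line first and fall back to --privileged only if it fails on your
#    platform -- the cap-add variant was not verified on the tested systems.
#  * The image is pulled from a personal ghcr.io namespace, not from the
#    tailscale project, at the mutable `:latest` tag, and the
#    io.containers.autoupdate=registry label makes podman-auto-update pull
#    whatever that tag points to. If you want a reproducible, reviewable image,
#    pin it by digest (`ghcr.io/<ns>/<image>@sha256:<digest>`, see
#    `podman image inspect --format '{{.Digest}}'`) -- and note that autoupdate
#    by registry needs a tag, so digest pinning means dropping the label and
#    updating by hand.
podman run -d \
--rm \
--name tailscaled \
--hostname "$HOSTNAME" \
--env TS_USERSPACE=false \
--env TS_STATE_DIR=/var/lib/tailscale \
--label "io.containers.autoupdate=registry" \
--volume tailscaled-state:/var/lib/tailscale \
--volume /lib/modules:/lib/modules:ro \
--device /dev/net/tun \
--network host \
--privileged \
ghcr.io/guest42069/tailscale:latest
# least-privilege alternative to `--privileged` (see notes above):
#--cap-add net_admin,net_raw \

# generate a systemd unit that recreates the container on boot (--new), and start it
(cd /etc/systemd/system && podman generate systemd --new --name --files tailscaled) && systemctl enable --now container-tailscaled

# ... authenticate via the login link printed in the logs ...
# the link is a one-time credential for joining your tailnet; don't paste the
# logs anywhere public while it is still valid.
podman logs tailscaled

# check the status or run other commands, note the custom socket path.
podman exec tailscaled tailscale --socket=/tmp/tailscaled.sock status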