Private Web based IDE

These notes are a riff on a post by Chris Short. The biggest difference is that I will use the Tailscale TLS support rather than using external DNS access and a custom DNS record. This removes the need for a sensitive DNS API key. Chris's post is definitely worth a read first:

code-server, Caddy, Tailscale, and Hugo = My ultimate dev environment
I think I’ve discovered my development environment equivalent to nirvana: code-server, Caddy, Tailscale, and Hugo

Welcome back. Here's the plan:

  1. Spin up an Ubuntu instance
  2. Add it to my Tailnet
  3. Install and run code-server
  4. Install, configure, and run Caddy
  5. ...
  6. Profit?

When we're done, we should be able to open a browser on any machine in the Tailnet, type http://vscode (I'm assuming you've set the hostname of the new instance to "vscode"), and be redirected to the full https URL, which will help reassure the browser (even though HTTP over Tailscale is already secure).

Prerequisites:

  1. An existing Tailscale account and a machine on it to use as the client
  2. A Tailscale Auth Key to use
  3. MagicDNS needs to be enabled on your Tailnet.
  4. The Tailscale HTTPS Beta feature also needs to be enabled on your Tailnet.

Here's the code:

#!/bin/bash
# Customize these
USER=user
TSKEY=tskey-auth-BLAHBLAHBLAH
export DEBIAN_FRONTEND=noninteractive
apt-get update
adduser -q --disabled-password --gecos=${USER?} ${USER?}
curl -fsSL https://tailscale.com/install.sh | sh
tailscale up --operator=${USER?} --ssh --authkey=${TSKEY?}
# When run via cloud-init, code-server needs a HOME
export HOME=/root
curl -fsSL https://code-server.dev/install.sh | sh
systemctl enable --now code-server@${USER?}
tailscale serve / proxy 8080
# Do you feel lucky? You can uncomment this line...
# And only Tailscale SSH will have access.
# systemctl disable --now ssh

#!/bin/bash
# Customize these
USER=user
TSKEY=tskey-BLAHBLAHBLAH
export DEBIAN_FRONTEND=noninteractive
apt-get update
#apt-get -y upgrade
adduser -q --disabled-password --gecos=${USER?} ${USER?}
curl -fsSL https://tailscale.com/install.sh | sh
tailscale up --operator=${USER?} --ssh --authkey=${TSKEY?}
# When run via cloud-init, code-server needs a HOME
export HOME=/root
curl -fsSL https://code-server.dev/install.sh | sh
systemctl enable --now code-server@${USER?}
CADDY_VERSION=2.5.1
curl -LO https://github.com/caddyserver/caddy/releases/download/v${CADDY_VERSION?}/caddy_${CADDY_VERSION?}_linux_amd64.deb
apt-get -y install ./caddy_${CADDY_VERSION?}_linux_amd64.deb
# Allow Caddy to get cert from Tailscale
echo TS_PERMIT_CERT_UID=caddy >> /etc/default/tailscaled
systemctl restart tailscaled
apt-get -y install jq
SHORT=$(tailscale status --self --json | jq -r '.Self.HostName')
LONG=$(tailscale status --self --json | jq -r '.CertDomains[0]')
tee /etc/caddy/Caddyfile <<EOF
# Don't bind to public IP. This is for private use only
{
default_bind ${LONG?}
}
# Serve up code-server with TLS
${LONG?} {
reverse_proxy 127.0.0.1:8080
}
# Redirect HTTP requests to the short name to the TLS URL
http://${SHORT?} {
redir https://${LONG?}{uri}
}
EOF
systemctl restart caddy.service

I tested that code by using it as user-data for cloud-init, so you can go from zero to code-server over Tailscale mostly unattended.

So, spin up Ubuntu in your favorite place and either add that as the user-data or run it as root manually. When it's done, you can fetch the default password with:

ssh vscode grep password: .config/code-server/config.yaml

You should be able to navigate to http://vscode (or whatever hostname you used) and get redirected to the TLS-ified URL to log in.
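Since the whole point of the Caddyfile's "Don't bind to public IP" block is that nothing on this box is reachable from outside the Tailnet, here is a small post-install check to confirm that. It is an added example, not part of the original post or the gist: it reads `ss -ltnH` output on stdin, takes the node's Tailscale IPv4 as its one argument, and fails if any TCP listener sits on a wildcard or non-Tailscale, non-loopback address. The address layout assumed is the usual `ss` one (`127.0.0.1:8080`, `[::1]:631`, `*:22`).

```shell
#!/bin/sh
# Added example (not from the original post): audit TCP listeners after the
# user-data script has run. Expected on a correctly provisioned node:
#   code-server on 127.0.0.1:8080 only, Caddy on the Tailscale address only.
# Usage on the instance:  ss -ltnH | audit_listeners "$(tailscale ip -4)"

# Reads `ss -ltnH` lines from stdin. Returns 0 when every listener is bound to
# loopback or to the Tailscale IPv4 given as $1; otherwise prints each
# offending local address and returns 1.
audit_listeners() {
  ts_ip="$1"
  bad=0
  while read -r state recvq sendq laddr peer rest; do
    [ -z "$laddr" ] && continue
    # Drop the port: everything after the last ':' (works for [::1]:631 too).
    addr="${laddr%:*}"
    case "$addr" in
      127.*|'[::1]'|"$ts_ip")          # loopback or Tailnet-only: fine
        ;;
      '*'|0.0.0.0|'[::]')              # wildcard bind: exposed on every interface
        echo "PUBLIC  $laddr"; bad=1 ;;
      *)                               # some other interface (e.g. the cloud NIC)
        echo "OTHER   $laddr"; bad=1 ;;
    esac
  done
  return $bad
}
```

Run it right after the cloud-init step and again after any change to the Caddyfile; a `PUBLIC` line for port 80 or 443 means `default_bind` is not doing its job.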

Check back later for more shenanigans where I'll do this inside LX branded zones on illumos!