feat(tailscale): 添加 Tailscale 应用配置和文档

添加 Tailscale 应用的完整配置，包括：
- 基础数据配置 (data.yml)
- Docker Compose 部署文件
- 详细的中英文使用文档
- 应用 logo 图片

支持通过认证密钥或交互式登录两种认证方式，并提供子网路由、出口节点等高级功能配置

apps/tailscale/1.96.5/data.yml

@@ -0,0 +1,62 @@
+additionalProperties:
+  formFields:
+    - default: ""
+      edit: true
+      envKey: TS_AUTHKEY
+      labelEn: Tailscale Auth Key
+      labelZh: Tailscale 认证密钥
+      required: false
+      rule: paramCommon
+      type: password
+      description:
+        zh: 从 https://login.tailscale.com/admin/settings/keys 获取认证密钥，留空则需要在容器内执行 tailscale up 进行交互登录
+        en: Get auth key from https://login.tailscale.com/admin/settings/keys, leave empty for interactive login via tailscale up
+    - default: "false"
+      edit: true
+      envKey: TS_USERSPACE
+      labelEn: Userspace Mode
+      labelZh: 用户空间模式
+      required: false
+      type: select
+      values:
+        - label: "false (Kernel Networking)"
+          value: "false"
+        - label: "true (Userspace)"
+          value: "true"
+      description:
+        zh: "false 使用内核网络（推荐），true 使用用户空间网络"
+        en: "false for kernel networking (recommended), true for userspace"
+    - default: ""
+      edit: true
+      envKey: TS_ROUTES
+      labelEn: Subnet Routes (Optional)
+      labelZh: 子网路由（可选）
+      required: false
+      rule: paramCommon
+      type: text
+      description:
+        zh: 要广播的子网路由，如 192.168.1.0/24,10.0.0.0/8
+        en: Subnet routes to advertise, e.g. 192.168.1.0/24,10.0.0.0/8
+    - default: "true"
+      edit: true
+      envKey: TS_ACCEPT_DNS
+      labelEn: Accept DNS
+      labelZh: 接受 DNS
+      required: false
+      type: select
+      values:
+        - label: "true"
+          value: "true"
+        - label: "false"
+          value: "false"
+    - default: ""
+      edit: true
+      envKey: TS_EXTRA_ARGS
+      labelEn: Extra Arguments (Optional)
+      labelZh: 额外参数（可选）
+      required: false
+      rule: paramCommon
+      type: text
+      description:
+        zh: tailscale up 命令的额外参数，如 --accept-routes
+        en: Extra arguments for tailscale up command, e.g. --accept-routes

apps/tailscale/1.96.5/docker-compose.yml

@@ -0,0 +1,28 @@
+services:
+  tailscaled:
+    container_name: ${CONTAINER_NAME}
+    image: tailscale/tailscale:v1.96.5
+    hostname: ${HOSTNAME:-tailscale}
+    restart: always
+    volumes:
+      - ./data/var/lib:/var/lib
+      - /dev/net/tun:/dev/net/tun
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    network_mode: host
+    privileged: true
+    environment:
+      - TS_AUTHKEY=${TS_AUTHKEY}
+      - TS_USERSPACE=${TS_USERSPACE:-false}
+      - TS_STATE_DIR=/var/lib
+      - TS_ROUTES=${TS_ROUTES:-}
+      - TS_ACCEPT_DNS=${TS_ACCEPT_DNS:-true}
+      - TS_EXTRA_ARGS=${TS_EXTRA_ARGS:-}
+      - TS_AUTH_ONCE=${TS_AUTH_ONCE:-false}
+    command: containerboot
+    labels:
+      createdBy: "Apps"
+networks:
+  1panel-network:
+    external: true

apps/tailscale/README.md

@@ -0,0 +1,112 @@
+# Tailscale
+
+最简单、最安全的 WireGuard 私有网络组网工具。Tailscale 让您能够轻松创建安全的 mesh 网络，将您的设备连接在一起，无论它们位于何处。
+
+## 功能特点
+
+- **基于 WireGuard**: 使用现代化的 WireGuard 协议，提供高性能和强安全性
+- **自动 NAT 穿透**: 自动处理复杂的网络环境，实现设备间直连
+- **零配置**: 无需手动配置，登录即可使用
+- **端到端加密**: 所有通信都经过端到端加密
+- **多平台支持**: 支持 Linux、Windows、macOS、iOS、Android 等平台
+- **子网路由**: 可将整个子网路由到 Tailscale 网络
+- **魔法 DNS**: 自动为设备分配易记的 DNS 名称
+- **访问控制**: 精细的访问控制策略
+
+## 使用说明
+
+### 认证方式
+
+Tailscale 支持两种认证方式：
+
+#### 方式一：使用认证密钥（推荐）
+
+1. 访问 [Tailscale 管理控制台](https://login.tailscale.com/admin/settings/keys)
+2. 点击 "Generate auth key" 创建认证密钥
+3. 复制生成的密钥，在部署时填写到 "Tailscale 认证密钥" 字段
+4. 部署后自动完成认证，无需额外操作
+
+**注意**：认证密钥有过期时间，请在生成后尽快使用。
+
+#### 方式二：交互登录
+
+1. 部署时留空 "Tailscale 认证密钥" 字段
+2. 部署完成后，在 1Panel 容器列表中点击 "Tailscale" 容器的 "终端" 按钮
+3. 在终端中执行以下命令：
+   ```bash
+   tailscale up
+   ```
+4. 命令会输出一个认证 URL，复制该 URL 到浏览器打开
+5. 登录您的 Tailscale 账号并授权该设备
+6. 认证成功后，容器会自动连接到 Tailscale 网络
+
+### 部署参数说明
+
+- **Tailscale 认证密钥**（可选）：从管理控制台获取的认证密钥，留空则使用交互登录
+- **用户空间模式**: 
+  - `false` (推荐): 使用内核网络模式，性能更好
+  - `true`: 使用用户空间网络模式，兼容性更好
+- **子网路由** (可选): 要广播的子网，如 `192.168.1.0/24,10.0.0.0/8`
+- **接受 DNS**: 是否接受 Tailscale 的 DNS 配置
+- **额外参数** (可选): tailscale up 命令的额外参数，如 `--accept-routes`
+
+### 部署后操作
+
+1. 部署完成后，访问 [Tailscale 管理控制台](https://login.tailscale.com/admin/machines) 查看设备状态
+2. 在其他设备上安装 Tailscale 客户端并登录同一账号
+3. 设备间可以通过 Tailscale IP 或魔法 DNS 名称互相访问
+
+### 高级配置
+
+#### 配置子网路由器
+
+如果您希望将本地网络路由到 Tailscale：
+
+1. 在 `子网路由` 参数中填写要广播的子网，如 `192.168.1.0/24`
+2. 部署后在管理控制台批准该子网路由
+3. 其他 Tailscale 设备即可访问该子网内的设备
+
+#### 使用出口节点
+
+将 Tailscale 配置为出口节点，让其他设备通过此设备访问互联网：
+
+1. 在 `额外参数` 中添加 `--advertise-exit-node`
+2. 部署后在管理控制台批准出口节点
+3. 其他设备可以选择使用此出口节点
+
+#### 仅首次认证
+
+如果希望只在首次启动时使用认证密钥，后续启动使用已有状态：
+
+- 设置环境变量 `TS_AUTH_ONCE=true`（需要在 docker-compose.yml 中手动添加）
+
+### 数据目录
+
+应用数据存储在 `./data/var/lib` 目录，包含 Tailscale 的状态信息。该目录已自动挂载到容器的 `/var/lib`。
+
+## 环境变量说明
+
+- `TS_AUTHKEY`: Tailscale 认证密钥（可选，支持交互登录）
+- `TS_USERSPACE`: 是否使用用户空间网络模式
+- `TS_STATE_DIR`: 状态文件存储目录（固定为 /var/lib）
+- `TS_ROUTES`: 要广播的子网路由
+- `TS_ACCEPT_DNS`: 是否接受 Tailscale DNS 配置
+- `TS_EXTRA_ARGS`: tailscale up 命令的额外参数
+- `TS_AUTH_ONCE`: 是否仅在首次启动时认证（默认 false）
+
+## 注意事项
+
+- 需要 `privileged` 权限和 `NET_ADMIN`、`SYS_MODULE` 能力
+- 使用 `host` 网络模式以直接管理网络接口
+- 需要访问 `/dev/net/tun` 设备
+- 首次运行时需要有效的认证密钥或进行交互登录
+- 建议在防火墙中允许 UDP 41641 端口（WireGuard 默认端口）
+- 容器重启策略固定为 `always`，由 1Panel 统一管理
+
+## 相关链接
+
+- 官方网站：https://tailscale.com
+- GitHub: https://github.com/tailscale/tailscale
+- 文档：https://tailscale.com/kb
+- 管理控制台：https://login.tailscale.com/admin
+- 下载客户端：https://tailscale.com/download

apps/tailscale/README_en.md

@@ -0,0 +1,112 @@
+# Tailscale
+
+The easiest, most secure way to use WireGuard. Tailscale enables you to create secure mesh networks that connect your devices together, no matter where they are located.
+
+## Features
+
+- **WireGuard-based**: Uses modern WireGuard protocol for high performance and strong security
+- **Automatic NAT Traversal**: Automatically handles complex network environments for direct device connections
+- **Zero Configuration**: No manual setup required, just login and use
+- **End-to-End Encryption**: All communications are encrypted end-to-end
+- **Multi-Platform Support**: Supports Linux, Windows, macOS, iOS, Android and more
+- **Subnet Routing**: Route entire subnets to your Tailscale network
+- **Magic DNS**: Automatically assigns friendly DNS names to devices
+- **Access Control**: Fine-grained access control policies
+
+## Usage Instructions
+
+### Authentication Methods
+
+Tailscale supports two authentication methods:
+
+#### Method 1: Using Auth Key (Recommended)
+
+1. Visit [Tailscale Admin Console](https://login.tailscale.com/admin/settings/keys)
+2. Click "Generate auth key" to create an authentication key
+3. Copy the generated key and fill it in the "Tailscale Auth Key" field during deployment
+4. Authentication completes automatically after deployment
+
+**Note**: Auth keys have an expiration time, please use them as soon as possible after generation.
+
+#### Method 2: Interactive Login
+
+1. Leave the "Tailscale Auth Key" field empty during deployment
+2. After deployment, click the "Terminal" button for the "Tailscale" container in 1Panel
+3. Execute the following command in the terminal:
+   ```bash
+   tailscale up
+   ```
+4. The command will output an authentication URL, copy it to your browser
+5. Log in to your Tailscale account and authorize the device
+6. After successful authentication, the container will automatically connect to the Tailscale network
+
+### Deployment Parameters
+
+- **Tailscale Auth Key** (Optional): Authentication key from admin console, leave empty for interactive login
+- **Userspace Mode**: 
+  - `false` (Recommended): Use kernel networking mode for better performance
+  - `true`: Use userspace networking mode for better compatibility
+- **Subnet Routes** (Optional): Subnets to advertise, e.g., `192.168.1.0/24,10.0.0.0/8`
+- **Accept DNS**: Whether to accept Tailscale DNS configuration
+- **Extra Args** (Optional): Additional arguments for tailscale up command, e.g., `--accept-routes`
+
+### Post-Deployment Steps
+
+1. After deployment, visit [Tailscale Admin Console](https://login.tailscale.com/admin/machines) to check device status
+2. Install Tailscale clients on other devices and login with the same account
+3. Devices can access each other via Tailscale IP or MagicDNS names
+
+### Advanced Configuration
+
+#### Configure Subnet Router
+
+If you want to route your local network to Tailscale:
+
+1. Fill in the subnets to advertise in `Subnet Routes` parameter, e.g., `192.168.1.0/24`
+2. Approve the subnet route in admin console after deployment
+3. Other Tailscale devices can then access devices in that subnet
+
+#### Configure Exit Node
+
+Configure Tailscale as an exit node to allow other devices to access the internet through it:
+
+1. Add `--advertise-exit-node` to `Extra Args` parameter
+2. Approve the exit node in admin console after deployment
+3. Other devices can choose to use this exit node
+
+#### First-Time Authentication Only
+
+If you want to use the auth key only on first startup and use existing state on subsequent starts:
+
+- Set environment variable `TS_AUTH_ONCE=true` (needs to be manually added in docker-compose.yml)
+
+### Data Directory
+
+Application data is stored in `./data/var/lib` directory, containing Tailscale state information. This directory is automatically mounted to `/var/lib` in the container.
+
+## Environment Variables
+
+- `TS_AUTHKEY`: Tailscale authentication key (optional, supports interactive login)
+- `TS_USERSPACE`: Whether to use userspace networking mode
+- `TS_STATE_DIR`: State file storage directory (fixed to /var/lib)
+- `TS_ROUTES`: Subnet routes to advertise
+- `TS_ACCEPT_DNS`: Whether to accept Tailscale DNS configuration
+- `TS_EXTRA_ARGS`: Additional arguments for tailscale up command
+- `TS_AUTH_ONCE`: Whether to authenticate only on first start (default false)
+
+## Notes
+
+- Requires `privileged` mode and `NET_ADMIN`, `SYS_MODULE` capabilities
+- Uses `host` network mode to directly manage network interfaces
+- Requires access to `/dev/net/tun` device
+- A valid auth key or interactive login is required for first run
+- Recommended to allow UDP port 41641 (WireGuard default port) in firewall
+- Container restart policy is fixed to `always`, managed by 1Panel
+
+## Links
+
+- Website: https://tailscale.com
+- GitHub: https://github.com/tailscale/tailscale
+- Documentation: https://tailscale.com/kb
+- Admin Console: https://login.tailscale.com/admin
+- Downloads: https://tailscale.com/download

apps/tailscale/data.yml

@@ -0,0 +1,29 @@
+name: Tailscale
+tags:
+  - 网络工具
+  - 安全
+title: 私有 WireGuard 网络组网工具
+description: 最简单的 WireGuard 私有网络组网解决方案，支持多设备安全互联
+additionalProperties:
+  key: tailscale
+  name: Tailscale
+  tags:
+    - Networking
+    - Security
+  shortDescZh: 私有 WireGuard 网络组网工具
+  shortDescEn: Private WireGuard networking tool
+  description:
+    en: The easiest, most secure way to use WireGuard. Create private networks with secure mesh connectivity between devices.
+    zh: 最简单、最安全的 WireGuard 使用方式。创建设备间安全 mesh 连接的私有网络。
+  type: tool
+  crossVersionUpdate: true
+  limit: 0
+  recommend: 90
+  website: https://tailscale.com
+  github: https://github.com/tailscale/tailscale
+  document: https://tailscale.com/kb
+  architectures:
+    - amd64
+    - arm64
+    - arm/v7
+  hostMode: true

apps/tailscale/latest/data.yml

@@ -0,0 +1,62 @@
+additionalProperties:
+  formFields:
+    - default: ""
+      edit: true
+      envKey: TS_AUTHKEY
+      labelEn: Tailscale Auth Key
+      labelZh: Tailscale 认证密钥
+      required: false
+      rule: paramCommon
+      type: password
+      description:
+        zh: 从 https://login.tailscale.com/admin/settings/keys 获取认证密钥，留空则需要在容器内执行 tailscale up 进行交互登录
+        en: Get auth key from https://login.tailscale.com/admin/settings/keys, leave empty for interactive login via tailscale up
+    - default: "false"
+      edit: true
+      envKey: TS_USERSPACE
+      labelEn: Userspace Mode
+      labelZh: 用户空间模式
+      required: false
+      type: select
+      values:
+        - label: "false (Kernel Networking)"
+          value: "false"
+        - label: "true (Userspace)"
+          value: "true"
+      description:
+        zh: "false 使用内核网络（推荐），true 使用用户空间网络"
+        en: "false for kernel networking (recommended), true for userspace"
+    - default: ""
+      edit: true
+      envKey: TS_ROUTES
+      labelEn: Subnet Routes (Optional)
+      labelZh: 子网路由（可选）
+      required: false
+      rule: paramCommon
+      type: text
+      description:
+        zh: 要广播的子网路由，如 192.168.1.0/24,10.0.0.0/8
+        en: Subnet routes to advertise, e.g. 192.168.1.0/24,10.0.0.0/8
+    - default: "true"
+      edit: true
+      envKey: TS_ACCEPT_DNS
+      labelEn: Accept DNS
+      labelZh: 接受 DNS
+      required: false
+      type: select
+      values:
+        - label: "true"
+          value: "true"
+        - label: "false"
+          value: "false"
+    - default: ""
+      edit: true
+      envKey: TS_EXTRA_ARGS
+      labelEn: Extra Arguments (Optional)
+      labelZh: 额外参数（可选）
+      required: false
+      rule: paramCommon
+      type: text
+      description:
+        zh: tailscale up 命令的额外参数，如 --accept-routes
+        en: Extra arguments for tailscale up command, e.g. --accept-routes

apps/tailscale/latest/docker-compose.yml

@@ -0,0 +1,28 @@
+services:
+  tailscaled:
+    container_name: ${CONTAINER_NAME}
+    image: tailscale/tailscale:latest
+    hostname: ${HOSTNAME:-tailscale}
+    restart: always
+    volumes:
+      - ./data/var/lib:/var/lib
+      - /dev/net/tun:/dev/net/tun
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    network_mode: host
+    privileged: true
+    environment:
+      - TS_AUTHKEY=${TS_AUTHKEY}
+      - TS_USERSPACE=${TS_USERSPACE:-false}
+      - TS_STATE_DIR=/var/lib
+      - TS_ROUTES=${TS_ROUTES:-}
+      - TS_ACCEPT_DNS=${TS_ACCEPT_DNS:-true}
+      - TS_EXTRA_ARGS=${TS_EXTRA_ARGS:-}
+      - TS_AUTH_ONCE=${TS_AUTH_ONCE:-false}
+    command: containerboot
+    labels:
+      createdBy: "Apps"
+networks:
+  1panel-network:
+    external: true