diff --git a/apps/tailscale/1.96.5/data.yml b/apps/tailscale/1.96.5/data.yml
new file mode 100644
index 0000000..c8e20af
--- /dev/null
+++ b/apps/tailscale/1.96.5/data.yml
@@ -0,0 +1,62 @@
+additionalProperties:
+ formFields:
+ - default: ""
+ edit: true
+ envKey: TS_AUTHKEY
+ labelEn: Tailscale Auth Key
+ labelZh: Tailscale 认证密钥
+ required: false
+ rule: paramCommon
+ type: password
+ description:
+ zh: 从 https://login.tailscale.com/admin/settings/keys 获取认证密钥,留空则需要在容器内执行 tailscale up 进行交互登录
+ en: Get auth key from https://login.tailscale.com/admin/settings/keys, leave empty for interactive login via tailscale up
+ - default: "false"
+ edit: true
+ envKey: TS_USERSPACE
+ labelEn: Userspace Mode
+ labelZh: 用户空间模式
+ required: false
+ type: select
+ values:
+ - label: "false (Kernel Networking)"
+ value: "false"
+ - label: "true (Userspace)"
+ value: "true"
+ description:
+ zh: "false 使用内核网络(推荐),true 使用用户空间网络"
+ en: "false for kernel networking (recommended), true for userspace"
+ - default: ""
+ edit: true
+ envKey: TS_ROUTES
+ labelEn: Subnet Routes (Optional)
+ labelZh: 子网路由(可选)
+ required: false
+ rule: paramCommon
+ type: text
+ description:
+ zh: 要广播的子网路由,如 192.168.1.0/24,10.0.0.0/8
+ en: Subnet routes to advertise, e.g. 192.168.1.0/24,10.0.0.0/8
+ - default: "true"
+ edit: true
+ envKey: TS_ACCEPT_DNS
+ labelEn: Accept DNS
+ labelZh: 接受 DNS
+ required: false
+ type: select
+ values:
+ - label: "true"
+ value: "true"
+ - label: "false"
+ value: "false"
+ - default: ""
+ edit: true
+ envKey: TS_EXTRA_ARGS
+ labelEn: Extra Arguments (Optional)
+ labelZh: 额外参数(可选)
+ required: false
+ rule: paramCommon
+ type: text
+ description:
+ zh: tailscale up 命令的额外参数,如 --accept-routes
+ en: Extra arguments for tailscale up command, e.g. --accept-routes
diff --git a/apps/tailscale/1.96.5/docker-compose.yml b/apps/tailscale/1.96.5/docker-compose.yml
new file mode 100644
index 0000000..e2dacec
--- /dev/null
+++ b/apps/tailscale/1.96.5/docker-compose.yml
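Review bot: The form never exposes `TS_AUTH_ONCE`, although the companion compose file in this commit reads it as `TS_AUTH_ONCE=${TS_AUTH_ONCE:-false}`, so every deployment gets the "log in again with the key on every start" default while `/var/lib` state is persisted; if containerboot behaves as its documentation describes, a restart under `restart: always` after a single-use or since-expired key then fails to log in instead of reusing the saved state. The README in the same commit tells users to add the variable to docker-compose.yml by hand, which a panel-managed compose file will not preserve across updates. Adding it as a select field closes the gap; upstream's default is `false`, and `true` is the value the README's "first-time authentication only" section describes, so which default to ship is a judgement call. Separately, `rule: paramCommon` on `TS_ROUTES` and `TS_EXTRA_ARGS` is worth checking against the values the descriptions themselves suggest (`/` and `,` in a CIDR list, spaces between several `--flags`); if that rule's pattern rejects any of them the documented examples cannot be entered.
```yaml
    # … unchanged: existing TS_ACCEPT_DNS field …
    - default: "true"
      edit: true
      envKey: TS_AUTH_ONCE
      labelEn: Authenticate Only Once
      labelZh: 仅首次认证
      required: false
      type: select
      values:
        - label: "true"
          value: "true"
        - label: "false"
          value: "false"
      description:
        zh: "true 时容器重启后复用已保存的登录状态,不再使用认证密钥重新登录"
        en: "true reuses the persisted login state on restart instead of re-running login with the auth key"
    # … unchanged: existing TS_EXTRA_ARGS field …
```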
@@ -0,0 +1,28 @@
+services:
+ tailscaled:
+ container_name: ${CONTAINER_NAME}
+ image: tailscale/tailscale:v1.96.5
+ hostname: ${HOSTNAME:-tailscale}
+ restart: always
+ volumes:
+ - ./data/var/lib:/var/lib
+ - /dev/net/tun:/dev/net/tun
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ network_mode: host
+ privileged: true
+ environment:
+ - TS_AUTHKEY=${TS_AUTHKEY}
+ - TS_USERSPACE=${TS_USERSPACE:-false}
+ - TS_STATE_DIR=/var/lib
+ - TS_ROUTES=${TS_ROUTES:-}
+ - TS_ACCEPT_DNS=${TS_ACCEPT_DNS:-true}
+ - TS_EXTRA_ARGS=${TS_EXTRA_ARGS:-}
+ - TS_AUTH_ONCE=${TS_AUTH_ONCE:-false}
+ command: containerboot
+ labels:
+ createdBy: "Apps"
+networks:
+ 1panel-network:
+ external: true
diff --git a/apps/tailscale/README.md b/apps/tailscale/README.md
new file mode 100644
index 0000000..79d2090
--- /dev/null
+++ b/apps/tailscale/README.md
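Review bot: `privileged: true` hands this host-network container every capability and every host device, which makes the `cap_add` list directly above it dead configuration and means a compromised tailscaled (exposed to tailnet peers subject to ACLs, and to arbitrary internet traffic if `--advertise-exit-node` is later passed via `TS_EXTRA_ARGS`) is effectively root on the host. As far as I recall, upstream's own compose example runs with just `NET_ADMIN`, `SYS_MODULE` and the `/dev/net/tun` mount and no `privileged`, so the least-privilege change is to delete `privileged: true` and keep the two capabilities, ideally expressing the device as `devices:` / `  - /dev/net/tun:/dev/net/tun` instead of a bind mount. The `networks: 1panel-network` stanza is unreachable from a service using `network_mode: host` and can be dropped. Finally, `TS_AUTHKEY` is injected as a plain environment variable, which is readable through `docker inspect` and `/proc/<pid>/environ` on the host; if the image's containerboot accepts a `file:` prefix for that variable, a bind-mounted secret file would keep the key out of inspect output.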
@@ -0,0 +1,112 @@
+# Tailscale
+
+最简单、最安全的 WireGuard 私有网络组网工具。Tailscale 让您能够轻松创建安全的 mesh 网络,将您的设备连接在一起,无论它们位于何处。
+
+## 功能特点
+
+- **基于 WireGuard**: 使用现代化的 WireGuard 协议,提供高性能和强安全性
+- **自动 NAT 穿透**: 自动处理复杂的网络环境,实现设备间直连
+- **零配置**: 无需手动配置,登录即可使用
+- **端到端加密**: 所有通信都经过端到端加密
+- **多平台支持**: 支持 Linux、Windows、macOS、iOS、Android 等平台
+- **子网路由**: 可将整个子网路由到 Tailscale 网络
+- **魔法 DNS**: 自动为设备分配易记的 DNS 名称
+- **访问控制**: 精细的访问控制策略
+
+## 使用说明
+
+### 认证方式
+
+Tailscale 支持两种认证方式:
+
+#### 方式一:使用认证密钥(推荐)
+
+1. 访问 [Tailscale 管理控制台](https://login.tailscale.com/admin/settings/keys)
+2. 点击 "Generate auth key" 创建认证密钥
+3. 复制生成的密钥,在部署时填写到 "Tailscale 认证密钥" 字段
+4. 部署后自动完成认证,无需额外操作
+
+**注意**:认证密钥有过期时间,请在生成后尽快使用。
+
+#### 方式二:交互登录
+
+1. 部署时留空 "Tailscale 认证密钥" 字段
+2. 部署完成后,在 1Panel 容器列表中点击 "Tailscale" 容器的 "终端" 按钮
+3. 在终端中执行以下命令:
+ ```bash
+ tailscale up
+ ```
+4. 命令会输出一个认证 URL,复制该 URL 到浏览器打开
+5. 登录您的 Tailscale 账号并授权该设备
+6. 认证成功后,容器会自动连接到 Tailscale 网络
+
+### 部署参数说明
+
+- **Tailscale 认证密钥**(可选):从管理控制台获取的认证密钥,留空则使用交互登录
+- **用户空间模式**:
+ - `false` (推荐): 使用内核网络模式,性能更好
+ - `true`: 使用用户空间网络模式,兼容性更好
+- **子网路由** (可选): 要广播的子网,如 `192.168.1.0/24,10.0.0.0/8`
+- **接受 DNS**: 是否接受 Tailscale 的 DNS 配置
+- **额外参数** (可选): tailscale up 命令的额外参数,如 `--accept-routes`
+
+### 部署后操作
+
+1. 部署完成后,访问 [Tailscale 管理控制台](https://login.tailscale.com/admin/machines) 查看设备状态
+2. 在其他设备上安装 Tailscale 客户端并登录同一账号
+3. 设备间可以通过 Tailscale IP 或魔法 DNS 名称互相访问
+
+### 高级配置
+
+#### 配置子网路由器
+
+如果您希望将本地网络路由到 Tailscale:
+
+1. 在 `子网路由` 参数中填写要广播的子网,如 `192.168.1.0/24`
+2. 部署后在管理控制台批准该子网路由
+3. 其他 Tailscale 设备即可访问该子网内的设备
+
+#### 使用出口节点
+
+将 Tailscale 配置为出口节点,让其他设备通过此设备访问互联网:
+
+1. 在 `额外参数` 中添加 `--advertise-exit-node`
+2. 部署后在管理控制台批准出口节点
+3. 其他设备可以选择使用此出口节点
+
+#### 仅首次认证
+
+如果希望只在首次启动时使用认证密钥,后续启动使用已有状态:
+
+- 设置环境变量 `TS_AUTH_ONCE=true`(需要在 docker-compose.yml 中手动添加)
+
+### 数据目录
+
+应用数据存储在 `./data/var/lib` 目录,包含 Tailscale 的状态信息。该目录已自动挂载到容器的 `/var/lib`。
+
+## 环境变量说明
+
+- `TS_AUTHKEY`: Tailscale 认证密钥(可选,支持交互登录)
+- `TS_USERSPACE`: 是否使用用户空间网络模式
+- `TS_STATE_DIR`: 状态文件存储目录(固定为 /var/lib)
+- `TS_ROUTES`: 要广播的子网路由
+- `TS_ACCEPT_DNS`: 是否接受 Tailscale DNS 配置
+- `TS_EXTRA_ARGS`: tailscale up 命令的额外参数
+- `TS_AUTH_ONCE`: 是否仅在首次启动时认证(默认 false)
+
+## 注意事项
+
+- 需要 `privileged` 权限和 `NET_ADMIN`、`SYS_MODULE` 能力
+- 使用 `host` 网络模式以直接管理网络接口
+- 需要访问 `/dev/net/tun` 设备
+- 首次运行时需要有效的认证密钥或进行交互登录
+- 建议在防火墙中允许 UDP 41641 端口(WireGuard 默认端口)
+- 容器重启策略固定为 `always`,由 1Panel 统一管理
+
+## 相关链接
+
+- 官方网站:https://tailscale.com
+- GitHub: https://github.com/tailscale/tailscale
+- 文档:https://tailscale.com/kb
+- 管理控制台:https://login.tailscale.com/admin
+- 下载客户端:https://tailscale.com/download
diff --git a/apps/tailscale/README_en.md b/apps/tailscale/README_en.md
new file mode 100644
index 0000000..f6af893
--- /dev/null
+++ b/apps/tailscale/README_en.md
@@ -0,0 +1,112 @@
+# Tailscale
+
+The easiest, most secure way to use WireGuard. Tailscale enables you to create secure mesh networks that connect your devices together, no matter where they are located.
+
+## Features
+
+- **WireGuard-based**: Uses modern WireGuard protocol for high performance and strong security
+- **Automatic NAT Traversal**: Automatically handles complex network environments for direct device connections
+- **Zero Configuration**: No manual setup required, just login and use
+- **End-to-End Encryption**: All communications are encrypted end-to-end
+- **Multi-Platform Support**: Supports Linux, Windows, macOS, iOS, Android and more
+- **Subnet Routing**: Route entire subnets to your Tailscale network
+- **Magic DNS**: Automatically assigns friendly DNS names to devices
+- **Access Control**: Fine-grained access control policies
+
+## Usage Instructions
+
+### Authentication Methods
+
+Tailscale supports two authentication methods:
+
+#### Method 1: Using Auth Key (Recommended)
+
+1. Visit [Tailscale Admin Console](https://login.tailscale.com/admin/settings/keys)
+2. Click "Generate auth key" to create an authentication key
+3. Copy the generated key and fill it in the "Tailscale Auth Key" field during deployment
+4. Authentication completes automatically after deployment
+
+**Note**: Auth keys have an expiration time, please use them as soon as possible after generation.
+
+#### Method 2: Interactive Login
+
+1. Leave the "Tailscale Auth Key" field empty during deployment
+2. After deployment, click the "Terminal" button for the "Tailscale" container in 1Panel
+3. Execute the following command in the terminal:
+ ```bash
+ tailscale up
+ ```
+4. The command will output an authentication URL, copy it to your browser
+5. Log in to your Tailscale account and authorize the device
+6. After successful authentication, the container will automatically connect to the Tailscale network
+
+### Deployment Parameters
+
+- **Tailscale Auth Key** (Optional): Authentication key from admin console, leave empty for interactive login
+- **Userspace Mode**:
+ - `false` (Recommended): Use kernel networking mode for better performance
+ - `true`: Use userspace networking mode for better compatibility
+- **Subnet Routes** (Optional): Subnets to advertise, e.g., `192.168.1.0/24,10.0.0.0/8`
+- **Accept DNS**: Whether to accept Tailscale DNS configuration
+- **Extra Args** (Optional): Additional arguments for tailscale up command, e.g., `--accept-routes`
+
+### Post-Deployment Steps
+
+1. After deployment, visit [Tailscale Admin Console](https://login.tailscale.com/admin/machines) to check device status
+2. Install Tailscale clients on other devices and login with the same account
+3. Devices can access each other via Tailscale IP or MagicDNS names
+
+### Advanced Configuration
+
+#### Configure Subnet Router
+
+If you want to route your local network to Tailscale:
+
+1. Fill in the subnets to advertise in `Subnet Routes` parameter, e.g., `192.168.1.0/24`
+2. Approve the subnet route in admin console after deployment
+3. Other Tailscale devices can then access devices in that subnet
+
+#### Configure Exit Node
+
+Configure Tailscale as an exit node to allow other devices to access the internet through it:
+
+1. Add `--advertise-exit-node` to `Extra Args` parameter
+2. Approve the exit node in admin console after deployment
+3. Other devices can choose to use this exit node
+
+#### First-Time Authentication Only
+
+If you want to use the auth key only on first startup and use existing state on subsequent starts:
+
+- Set environment variable `TS_AUTH_ONCE=true` (needs to be manually added in docker-compose.yml)
+
+### Data Directory
+
+Application data is stored in `./data/var/lib` directory, containing Tailscale state information. This directory is automatically mounted to `/var/lib` in the container.
+
+## Environment Variables
+
+- `TS_AUTHKEY`: Tailscale authentication key (optional, supports interactive login)
+- `TS_USERSPACE`: Whether to use userspace networking mode
+- `TS_STATE_DIR`: State file storage directory (fixed to /var/lib)
+- `TS_ROUTES`: Subnet routes to advertise
+- `TS_ACCEPT_DNS`: Whether to accept Tailscale DNS configuration
+- `TS_EXTRA_ARGS`: Additional arguments for tailscale up command
+- `TS_AUTH_ONCE`: Whether to authenticate only on first start (default false)
+
+## Notes
+
+- Requires `privileged` mode and `NET_ADMIN`, `SYS_MODULE` capabilities
+- Uses `host` network mode to directly manage network interfaces
+- Requires access to `/dev/net/tun` device
+- A valid auth key or interactive login is required for first run
+- Recommended to allow UDP port 41641 (WireGuard default port) in firewall
+- Container restart policy is fixed to `always`, managed by 1Panel
+
+## Links
+
+- Website: https://tailscale.com
+- GitHub: https://github.com/tailscale/tailscale
+- Documentation: https://tailscale.com/kb
+- Admin Console: https://login.tailscale.com/admin
+- Downloads: https://tailscale.com/download
diff --git a/apps/tailscale/data.yml b/apps/tailscale/data.yml
new file mode 100644
index 0000000..125f510
--- /dev/null
+++ b/apps/tailscale/data.yml
@@ -0,0 +1,29 @@
+name: Tailscale
+tags:
+ - 网络工具
+ - 安全
+title: 私有 WireGuard 网络组网工具
+description: 最简单的 WireGuard 私有网络组网解决方案,支持多设备安全互联
+additionalProperties:
+ key: tailscale
+ name: Tailscale
+ tags:
+ - Networking
+ - Security
+ shortDescZh: 私有 WireGuard 网络组网工具
+ shortDescEn: Private WireGuard networking tool
+ description:
+ en: The easiest, most secure way to use WireGuard. Create private networks with secure mesh connectivity between devices.
+ zh: 最简单、最安全的 WireGuard 使用方式。创建设备间安全 mesh 连接的私有网络。
+ type: tool
+ crossVersionUpdate: true
+ limit: 0
+ recommend: 90
+ website: https://tailscale.com
+ github: https://github.com/tailscale/tailscale
+ document: https://tailscale.com/kb
+ architectures:
+ - amd64
+ - arm64
+ - arm/v7
+ hostMode: true
diff --git a/apps/tailscale/latest/data.yml b/apps/tailscale/latest/data.yml
new file mode 100644
index 0000000..c8e20af
--- /dev/null
+++ b/apps/tailscale/latest/data.yml
@@ -0,0 +1,62 @@
+additionalProperties:
+ formFields:
+ - default: ""
+ edit: true
+ envKey: TS_AUTHKEY
+ labelEn: Tailscale Auth Key
+ labelZh: Tailscale 认证密钥
+ required: false
+ rule: paramCommon
+ type: password
+ description:
+ zh: 从 https://login.tailscale.com/admin/settings/keys 获取认证密钥,留空则需要在容器内执行 tailscale up 进行交互登录
+ en: Get auth key from https://login.tailscale.com/admin/settings/keys, leave empty for interactive login via tailscale up
+ - default: "false"
+ edit: true
+ envKey: TS_USERSPACE
+ labelEn: Userspace Mode
+ labelZh: 用户空间模式
+ required: false
+ type: select
+ values:
+ - label: "false (Kernel Networking)"
+ value: "false"
+ - label: "true (Userspace)"
+ value: "true"
+ description:
+ zh: "false 使用内核网络(推荐),true 使用用户空间网络"
+ en: "false for kernel networking (recommended), true for userspace"
+ - default: ""
+ edit: true
+ envKey: TS_ROUTES
+ labelEn: Subnet Routes (Optional)
+ labelZh: 子网路由(可选)
+ required: false
+ rule: paramCommon
+ type: text
+ description:
+ zh: 要广播的子网路由,如 192.168.1.0/24,10.0.0.0/8
+ en: Subnet routes to advertise, e.g. 192.168.1.0/24,10.0.0.0/8
+ - default: "true"
+ edit: true
+ envKey: TS_ACCEPT_DNS
+ labelEn: Accept DNS
+ labelZh: 接受 DNS
+ required: false
+ type: select
+ values:
+ - label: "true"
+ value: "true"
+ - label: "false"
+ value: "false"
+ - default: ""
+ edit: true
+ envKey: TS_EXTRA_ARGS
+ labelEn: Extra Arguments (Optional)
+ labelZh: 额外参数(可选)
+ required: false
+ rule: paramCommon
+ type: text
+ description:
+ zh: tailscale up 命令的额外参数,如 --accept-routes
+ en: Extra arguments for tailscale up command, e.g. --accept-routes
diff --git a/apps/tailscale/latest/docker-compose.yml b/apps/tailscale/latest/docker-compose.yml
new file mode 100644
index 0000000..a26edaf
--- /dev/null
+++ b/apps/tailscale/latest/docker-compose.yml
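Review bot: `rule: paramCommon` is attached to three fields whose legitimate values look unlikely to fit a "common parameter" pattern: `TS_AUTHKEY` holds a long `tskey-auth-…` token with hyphens, `TS_ROUTES` needs `/` and `,` for the `192.168.1.0/24,10.0.0.0/8` example given in its own description, and `TS_EXTRA_ARGS` needs spaces as soon as two `--flags` are combined. I cannot see 1Panel's definition of that rule from here, but if it restricts length or characters the field either rejects the documented input or silently truncates the key; please confirm against the rule's regex and drop `rule: paramCommon` from whichever fields it does not fit. Note also that this file is the identical blob (`c8e20af`) to `1.96.5/data.yml`, so any change here needs to be mirrored there, and that neither copy exposes the `TS_AUTH_ONCE` variable the compose file consumes.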
@@ -0,0 +1,28 @@
+services:
+ tailscaled:
+ container_name: ${CONTAINER_NAME}
+ image: tailscale/tailscale:latest
+ hostname: ${HOSTNAME:-tailscale}
+ restart: always
+ volumes:
+ - ./data/var/lib:/var/lib
+ - /dev/net/tun:/dev/net/tun
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ network_mode: host
+ privileged: true
+ environment:
+ - TS_AUTHKEY=${TS_AUTHKEY}
+ - TS_USERSPACE=${TS_USERSPACE:-false}
+ - TS_STATE_DIR=/var/lib
+ - TS_ROUTES=${TS_ROUTES:-}
+ - TS_ACCEPT_DNS=${TS_ACCEPT_DNS:-true}
+ - TS_EXTRA_ARGS=${TS_EXTRA_ARGS:-}
+ - TS_AUTH_ONCE=${TS_AUTH_ONCE:-false}
+ command: containerboot
+ labels:
+ createdBy: "Apps"
+networks:
+ 1panel-network:
+ external: true
diff --git a/apps/tailscale/logo.png b/apps/tailscale/logo.png
new file mode 100644
index 0000000..0b7934f
Binary files /dev/null and b/apps/tailscale/logo.png differ
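Review bot: `image: tailscale/tailscale:latest` is a floating tag on a container that also runs `privileged: true` with `network_mode: host`, so every pull (a recreate, or an update driven by the `crossVersionUpdate: true` flag in the app metadata) replaces host-root code with whatever the registry serves at that moment, with no review step and no way to reproduce what was deployed. Pin it to a digest that is bumped deliberately, e.g. `image: tailscale/tailscale:latest@sha256:<digest>`, or point the `latest` directory at the reviewed version tag the sibling compose already uses. The least-privilege issue is the same as in the pinned compose: with `privileged: true` the `cap_add` list is inert, and upstream's example runs, as far as I recall, with only `NET_ADMIN`, `SYS_MODULE` and the `/dev/net/tun` mount, so `privileged: true` should be removed. The `networks: 1panel-network` stanza is never attached to a `network_mode: host` service and can be dropped as well.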