feat: update safeline 9.3.6

将数据目录从 `./data/var/lib` 改为 `./data/state` 并更新挂载路径至 `/var/lib/tailscale`
添加关于目录权限的重要提示说明

README.md

@@ -246,7 +246,7 @@ docker run -d --name=nginx -p 80:80 nginx:latest
 
 🚀 免费的GPT-4和其他大语言模型API接口
 
-<kbd>7.4.7-slim</kbd> • [官网链接](https://github.com/xtekky/gpt4free)
+<kbd>7.5.0-slim</kbd> • [官网链接](https://github.com/xtekky/gpt4free)
 
 </td>
 <td width="33%" align="center">
@@ -289,7 +289,7 @@ docker run -d --name=nginx -p 80:80 nginx:latest
 
 轻量级文档管理系统，支持多人协作编辑与版本控制
 
-<kbd>0.71.1</kbd> • [官网链接](https://github.com/docmost/docmost)
+<kbd>0.80.0</kbd> • [官网链接](https://github.com/docmost/docmost)
 
 </td>
 <td width="33%" align="center">
@@ -354,7 +354,7 @@ docker run -d --name=nginx -p 80:80 nginx:latest
 
 自托管协作书签管理工具，支持网页归档和团队协作
 
-<kbd>2.14.0</kbd> • [官网链接](https://github.com/linkwarden/linkwarden)
+<kbd>2.14.1</kbd> • [官网链接](https://github.com/linkwarden/linkwarden)
 
 </td>
 </tr>
@@ -424,7 +424,7 @@ AI驱动的开源代码知识库与文档协作平台，支持多模型、多数
 
 开源Airtable替代品，将任何数据库转换为智能电子表格
 
-<kbd>2026.04.0</kbd> • [官网链接](https://github.com/nocodb/nocodb)
+<kbd>2026.04.3</kbd> • [官网链接](https://github.com/nocodb/nocodb)
 
 </td>
 <td width="33%" align="center">
@@ -455,7 +455,7 @@ AI驱动的开源代码知识库与文档协作平台，支持多模型、多数
 
 🌐 简单安全去中心化的内网穿透 VPN 组网方案
 
-<kbd>2.6.0</kbd> • [官网链接](https://github.com/EasyTier/Easytier)
+<kbd>2.6.1</kbd> • [官网链接](https://github.com/EasyTier/Easytier)
 
 </td>
 <td width="33%" align="center">
@@ -496,7 +496,7 @@ AI驱动的开源代码知识库与文档协作平台，支持多模型、多数
 
 🛡️ 简单好用的Web应用防火墙(WAF)
 
-<kbd>9.3.3</kbd> • [官网链接](https://github.com/chaitin/SafeLine)
+<kbd>9.3.6</kbd> • [官网链接](https://github.com/chaitin/SafeLine)
 
 </td>
 
@@ -565,7 +565,7 @@ AI驱动的开源代码知识库与文档协作平台，支持多模型、多数
 
 🚀 强大的AI提示词优化工具，支持多种主流大语言模型
 
-<kbd>2.9.3</kbd> • [官网链接](https://github.com/arch3rPro/Prompt-Optimizer)
+<kbd>2.9.4</kbd> • [官网链接](https://github.com/arch3rPro/Prompt-Optimizer)
 
 </td>
 </tr>
@@ -582,7 +582,7 @@ AI驱动的开源代码知识库与文档协作平台，支持多模型、多数
 
 🍥 新一代大模型网关与AI资产管理系统，支持多种模型统一调用
 
-<kbd>0.12.9</kbd> • [官网链接](https://docs.newapi.pro/)
+<kbd>0.13.1-allinone</kbd> • [官网链接](https://docs.newapi.pro/)
 
 </td>
 <td width="33%" align="center">
@@ -623,7 +623,7 @@ AI驱动的开源代码知识库与文档协作平台，支持多模型、多数
 
 🔮 开源可视化AI工作流构建平台，拖拽式设计LLM应用
 
-<kbd>3.1.1</kbd> • [官网链接](https://github.com/FlowiseAI/Flowise)
+<kbd>3.1.2</kbd> • [官网链接](https://github.com/FlowiseAI/Flowise)
 
 </td>
 <td width="33%" align="center">
@@ -705,7 +705,7 @@ AI驱动的开源代码知识库与文档协作平台，支持多模型、多数
 
 🔮 强大的AI应用构建平台，可视化设计AI驱动的工作流和代理
 
-<kbd>1.8.4</kbd> • [官网链接](https://langflow.org/)
+<kbd>1.9.1</kbd> • [官网链接](https://langflow.org/)
 
 </td>
 <td width="33%" align="center">
@@ -729,7 +729,7 @@ AI驱动的开源代码知识库与文档协作平台，支持多模型、多数
 
 🔄 n8n汉化版，具有原生AI能力的Fair-code工作流自动化平台
 
-<kbd>2.17.0</kbd> • [官网链接](https://n8n.io/)
+<kbd>2.18.3</kbd> • [官网链接](https://n8n.io/)
 
 </td>
 </tr>
@@ -746,7 +746,7 @@ AI驱动的开源代码知识库与文档协作平台，支持多模型、多数
 
 🤖 AI驱动的图表创建工具
 
-<kbd>0.4.13</kbd> • [官网链接](https://next-ai-drawio.jiang.jp/)
+<kbd>0.4.15</kbd> • [官网链接](https://next-ai-drawio.jiang.jp/)
 
 </td>
 <td width="33%" align="center">
@@ -787,7 +787,7 @@ AI驱动的开源代码知识库与文档协作平台，支持多模型、多数
 
 🔗 CLIProxyAPI Plus 代理API服务
 
-<kbd>6.9.9-0</kbd> • [官网链接](https://github.com/router-for-me/CLIProxyAPIPlus)
+<kbd>6.9.28-0</kbd> • [官网链接](https://github.com/router-for-me/CLIProxyAPIPlus)
 
 </td>
 <td width="33%" align="center">
@@ -984,7 +984,7 @@ AI驱动的开源代码知识库与文档协作平台，支持多模型、多数
 
 📊 开源 all-in-one 数据洞察中心，集成网站分析、服务监控、服务器状态监控
 
-<kbd>1.31.20</kbd> • [官网链接](https://tianji.msgbyte.com/)
+<kbd>1.31.22</kbd> • [官网链接](https://tianji.msgbyte.com/)
 
 </td>
 <td width="33%" align="center">

apps/axonhub/0.9.37/docker-compose.yml

@@ -1,12 +1,12 @@
 services:
   axonhub:
-    image: looplj/axonhub:v0.9.31
+    image: looplj/axonhub:v0.9.37
     container_name: ${CONTAINER_NAME}
     restart: always
     networks:
       - 1panel-network
     ports:
-      - "${PANEL_APP_PORT_HTTP}:8090"
+      - ${PANEL_APP_PORT_HTTP}:8090
     volumes:
       - ./data:/data
     environment:
@@ -14,7 +14,7 @@ services:
       - AXONHUB_DB_DIALECT=sqlite3
       - AXONHUB_DB_DSN=file:/data/axonhub.db?cache=shared&_fk=1&pragma=journal_mode(WAL)
     labels:
-      createdBy: "Apps"
+      createdBy: Apps
 networks:
   1panel-network:
     external: true

apps/cliproxyapi-plus/6.9.28-0/docker-compose.yml

@@ -1,17 +1,17 @@
 services:
   cliproxyapi-plus:
-    image: eceasy/cli-proxy-api-plus:v6.9.9-0
+    image: eceasy/cli-proxy-api-plus:v6.9.28-0
     container_name: ${CONTAINER_NAME}
     restart: always
     networks:
       - 1panel-network
     ports:
-      - "${PANEL_APP_PORT_HTTP}:8317"
-      - "${PANEL_APP_PORT_PROXY}:8085"
-      - "${PANEL_APP_PORT_1455}:1455"
-      - "${PANEL_APP_PORT_54545}:54545"
-      - "${PANEL_APP_PORT_51121}:51121"
-      - "${PANEL_APP_PORT_11451}:11451"
+      - ${PANEL_APP_PORT_HTTP}:8317
+      - ${PANEL_APP_PORT_PROXY}:8085
+      - ${PANEL_APP_PORT_1455}:1455
+      - ${PANEL_APP_PORT_54545}:54545
+      - ${PANEL_APP_PORT_51121}:51121
+      - ${PANEL_APP_PORT_11451}:11451
     volumes:
       - ./data/config.yaml:/CLIProxyAPI/config.yaml
       - ./data/auths:/root/.cli-proxy-api
@@ -19,8 +19,7 @@ services:
     environment:
       - TZ=${TZ}
     labels:
-      createdBy: "Apps"
-
+      createdBy: Apps
 networks:
   1panel-network:
     external: true

apps/craft-agents/0.8.11/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   craft-agents:
-    image: ghcr.io/lukilabs/craft-agents-server:0.8.5
+    image: ghcr.io/lukilabs/craft-agents-server:0.8.11
     container_name: ${CONTAINER_NAME}
     restart: always
     networks:

apps/docmost/0.80.0/docker-compose.yml

@@ -11,7 +11,7 @@ services:
       APP_SECRET: 52f235dee223c92a83a934ada13b83075c9855fe966b3cbf9dd86810e2b742ee
       DATABASE_URL: postgresql://docmost:${PANEL_DB_USER_PASSWORD}@db:5432/docmost?schema=public
       REDIS_URL: redis://redis:6379
-    image: docmost/docmost:0.71.1
+    image: docmost/docmost:0.80.0
     labels:
       createdBy: Apps
     depends_on:

apps/easytier/2.6.1/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   easytier:
-    image: easytier/easytier:v2.6.0
+    image: easytier/easytier:v2.6.1
     container_name: ${CONTAINER_NAME}
     restart: always
     network_mode: host

apps/flowise/3.1.2/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   flowise:
-    image: flowiseai/flowise:3.1.1
+    image: flowiseai/flowise:3.1.2
     container_name: ${CONTAINER_NAME}
     restart: always
     networks:

apps/gpt4free/7.5.0-slim/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   gpt4free:
-    image: hlohaus789/g4f:v7.4.7-slim
+    image: hlohaus789/g4f:v7.5.0-slim
     container_name: ${CONTAINER_NAME}
     restart: always
     networks:

apps/gpt4free/7.5.0/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   gpt4free:
-    image: hlohaus789/g4f:v7.4.7
+    image: hlohaus789/g4f:v7.5.0
     container_name: ${CONTAINER_NAME}
     restart: always
     networks:

apps/langflow/1.9.1/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   langflow:
-    image: langflowai/langflow:1.8.4
+    image: langflowai/langflow:1.9.1
     container_name: ${CONTAINER_NAME}
     pull_policy: always
     user: root

apps/linkwarden/2.14.1/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   linkwarden:
-    image: ghcr.io/linkwarden/linkwarden:v2.14.0
+    image: ghcr.io/linkwarden/linkwarden:v2.14.1
     container_name: ${CONTAINER_NAME}
     restart: always
     ports:

apps/litellm/v1.83.3-stable/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   litellm:
-    image: ghcr.io/berriai/litellm:v1.83.0-nightly
+    image: ghcr.io/berriai/litellm:v1.83.3-stable
     container_name: ${CONTAINER_NAME}
     #########################################
     ## Uncomment these lines to start proxy with a config.yaml file ##

apps/n8n-zh/2.18.3/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   n8n:
-    image: n8nio/n8n:2.17.0
+    image: n8nio/n8n:2.18.3
     container_name: ${CONTAINER_NAME}
     restart: always
     user: 1000:1000

apps/new-api/0.13.1-allinone/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   new-api:
-    image: calciumion/new-api:v0.12.3
+    image: calciumion/new-api:v0.13.1
     container_name: ${CONTAINER_NAME}
     restart: always
     ports:

apps/new-api/0.13.1/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   new-api:
-    image: calciumion/new-api:v0.12.9
+    image: calciumion/new-api:v0.13.1
     container_name: ${CONTAINER_NAME}
     restart: always
     ports:

apps/next-ai-draw-io/0.4.15/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   next-ai-draw-io:
-    image: ghcr.io/dayuanjiang/next-ai-draw-io:0.4.13
+    image: ghcr.io/dayuanjiang/next-ai-draw-io:0.4.15
     ports:
       - ${PANEL_APP_PORT_HTTP}:3000
     depends_on:

apps/nocodb/2026.04.3/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   nocodb:
-    image: nocodb/nocodb:2026.04.0
+    image: nocodb/nocodb:2026.04.3
     container_name: ${CONTAINER_NAME}
     restart: always
     networks:

apps/prompt-optimizer/2.9.4/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   prompt-optimizer:
-    image: linshen/prompt-optimizer:2.9.3
+    image: linshen/prompt-optimizer:2.9.4
     container_name: ${CONTAINER_NAME}
     restart: unless-stopped
     ports:

apps/safeline/9.3.6/docker-compose.yml

@@ -5,7 +5,7 @@ services:
     networks:
       1panel-network:
         ipv4_address: ${SUBNET_PREFIX}.234
-    image: chaitin/safeline-mgt:9.3.3
+    image: chaitin/safeline-mgt:9.3.6
     volumes:
       - /etc/localtime:/etc/localtime:ro
       - ${SAFELINE_DIR}/resources/mgt:/app/data
@@ -33,7 +33,7 @@ services:
     networks:
       1panel-network:
         ipv4_address: ${SUBNET_PREFIX}.235
-    image: chaitin/safeline-detector:9.3.3
+    image: chaitin/safeline-detector:9.3.5
     volumes:
       - ${SAFELINE_DIR}/resources/detector:/resources/detector
       - ${SAFELINE_DIR}/logs/detector:/logs/detector
@@ -45,7 +45,7 @@ services:
   safeline-tengine:
     container_name: ${CONTAINER_NAME}-tengine
     restart: always
-    image: chaitin/safeline-tengine:9.3.3
+    image: chaitin/safeline-tengine:9.3.5
     volumes:
       - /etc/localtime:/etc/localtime:ro
       - /etc/resolv.conf:/etc/resolv.conf:ro
@@ -69,7 +69,7 @@ services:
     networks:
       1panel-network:
         ipv4_address: ${SUBNET_PREFIX}.237
-    image: chaitin/safeline-luigi:9.3.3
+    image: chaitin/safeline-luigi:9.3.5
     volumes:
       - /etc/localtime:/etc/localtime:ro
       - ${SAFELINE_DIR}/resources/luigi:/app/data
@@ -90,7 +90,7 @@ services:
     networks:
       1panel-network:
         ipv4_address: ${SUBNET_PREFIX}.238
-    image: chaitin/safeline-fvm:9.3.3
+    image: chaitin/safeline-fvm:9.3.5
     volumes:
       - /etc/localtime:/etc/localtime:ro
     logging:
@@ -126,7 +126,7 @@ services:
     networks:
       1panel-network:
         ipv4_address: ${SUBNET_PREFIX}.240
-    image: chaitin/safeline-chaos:9.3.3
+    image: chaitin/safeline-chaos:9.3.5
     logging:
       options:
         max-size: 100m

apps/tailscale/1.96.5/data.yml

@@ -0,0 +1,62 @@
+additionalProperties:
+  formFields:
+    - default: ""
+      edit: true
+      envKey: TS_AUTHKEY
+      labelEn: Tailscale Auth Key
+      labelZh: Tailscale 认证密钥
+      required: false
+      rule: paramCommon
+      type: password
+      description:
+        zh: 从 https://login.tailscale.com/admin/settings/keys 获取认证密钥，留空则需要在容器内执行 tailscale up 进行交互登录
+        en: Get auth key from https://login.tailscale.com/admin/settings/keys, leave empty for interactive login via tailscale up
+    - default: "false"
+      edit: true
+      envKey: TS_USERSPACE
+      labelEn: Userspace Mode
+      labelZh: 用户空间模式
+      required: false
+      type: select
+      values:
+        - label: "false (Kernel Networking)"
+          value: "false"
+        - label: "true (Userspace)"
+          value: "true"
+      description:
+        zh: "false 使用内核网络（推荐），true 使用用户空间网络"
+        en: "false for kernel networking (recommended), true for userspace"
+    - default: ""
+      edit: true
+      envKey: TS_ROUTES
+      labelEn: Subnet Routes (Optional)
+      labelZh: 子网路由（可选）
+      required: false
+      rule: paramCommon
+      type: text
+      description:
+        zh: 要广播的子网路由，如 192.168.1.0/24,10.0.0.0/8
+        en: Subnet routes to advertise, e.g. 192.168.1.0/24,10.0.0.0/8
+    - default: "true"
+      edit: true
+      envKey: TS_ACCEPT_DNS
+      labelEn: Accept DNS
+      labelZh: 接受 DNS
+      required: false
+      type: select
+      values:
+        - label: "true"
+          value: "true"
+        - label: "false"
+          value: "false"
+    - default: ""
+      edit: true
+      envKey: TS_EXTRA_ARGS
+      labelEn: Extra Arguments (Optional)
+      labelZh: 额外参数（可选）
+      required: false
+      rule: paramCommon
+      type: text
+      description:
+        zh: tailscale up 命令的额外参数，如 --accept-routes
+        en: Extra arguments for tailscale up command, e.g. --accept-routes

apps/tailscale/1.96.5/docker-compose.yml

@@ -0,0 +1,28 @@
+services:
+  tailscaled:
+    container_name: ${CONTAINER_NAME}
+    image: tailscale/tailscale:v1.96.5
+    hostname: ${HOSTNAME:-tailscale}
+    restart: always
+    volumes:
+      - ./data/state:/var/lib/tailscale
+      - /dev/net/tun:/dev/net/tun
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    network_mode: host
+    privileged: true
+    environment:
+      - TS_AUTHKEY=${TS_AUTHKEY}
+      - TS_USERSPACE=${TS_USERSPACE:-false}
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_ROUTES=${TS_ROUTES:-}
+      - TS_ACCEPT_DNS=${TS_ACCEPT_DNS:-true}
+      - TS_EXTRA_ARGS=${TS_EXTRA_ARGS:-}
+      - TS_AUTH_ONCE=${TS_AUTH_ONCE:-false}
+    command: containerboot
+    labels:
+      createdBy: "Apps"
+networks:
+  1panel-network:
+    external: true

apps/tailscale/README.md

@@ -0,0 +1,114 @@
+# Tailscale
+
+最简单、最安全的 WireGuard 私有网络组网工具。Tailscale 让您能够轻松创建安全的 mesh 网络，将您的设备连接在一起，无论它们位于何处。
+
+## 功能特点
+
+- **基于 WireGuard**: 使用现代化的 WireGuard 协议，提供高性能和强安全性
+- **自动 NAT 穿透**: 自动处理复杂的网络环境，实现设备间直连
+- **零配置**: 无需手动配置，登录即可使用
+- **端到端加密**: 所有通信都经过端到端加密
+- **多平台支持**: 支持 Linux、Windows、macOS、iOS、Android 等平台
+- **子网路由**: 可将整个子网路由到 Tailscale 网络
+- **魔法 DNS**: 自动为设备分配易记的 DNS 名称
+- **访问控制**: 精细的访问控制策略
+
+## 使用说明
+
+### 认证方式
+
+Tailscale 支持两种认证方式：
+
+#### 方式一：使用认证密钥（推荐）
+
+1. 访问 [Tailscale 管理控制台](https://login.tailscale.com/admin/settings/keys)
+2. 点击 "Generate auth key" 创建认证密钥
+3. 复制生成的密钥，在部署时填写到 "Tailscale 认证密钥" 字段
+4. 部署后自动完成认证，无需额外操作
+
+**注意**：认证密钥有过期时间，请在生成后尽快使用。
+
+#### 方式二：交互登录
+
+1. 部署时留空 "Tailscale 认证密钥" 字段
+2. 部署完成后，在 1Panel 容器列表中点击 "Tailscale" 容器的 "终端" 按钮
+3. 在终端中执行以下命令：
+   ```bash
+   tailscale up
+   ```
+4. 命令会输出一个认证 URL，复制该 URL 到浏览器打开
+5. 登录您的 Tailscale 账号并授权该设备
+6. 认证成功后，容器会自动连接到 Tailscale 网络
+
+### 部署参数说明
+
+- **Tailscale 认证密钥**（可选）：从管理控制台获取的认证密钥，留空则使用交互登录
+- **用户空间模式**: 
+  - `false` (推荐): 使用内核网络模式，性能更好
+  - `true`: 使用用户空间网络模式，兼容性更好
+- **子网路由** (可选): 要广播的子网，如 `192.168.1.0/24,10.0.0.0/8`
+- **接受 DNS**: 是否接受 Tailscale 的 DNS 配置
+- **额外参数** (可选): tailscale up 命令的额外参数，如 `--accept-routes`
+
+### 部署后操作
+
+1. 部署完成后，访问 [Tailscale 管理控制台](https://login.tailscale.com/admin/machines) 查看设备状态
+2. 在其他设备上安装 Tailscale 客户端并登录同一账号
+3. 设备间可以通过 Tailscale IP 或魔法 DNS 名称互相访问
+
+### 高级配置
+
+#### 配置子网路由器
+
+如果您希望将本地网络路由到 Tailscale：
+
+1. 在 `子网路由` 参数中填写要广播的子网，如 `192.168.1.0/24`
+2. 部署后在管理控制台批准该子网路由
+3. 其他 Tailscale 设备即可访问该子网内的设备
+
+#### 使用出口节点
+
+将 Tailscale 配置为出口节点，让其他设备通过此设备访问互联网：
+
+1. 在 `额外参数` 中添加 `--advertise-exit-node`
+2. 部署后在管理控制台批准出口节点
+3. 其他设备可以选择使用此出口节点
+
+#### 仅首次认证
+
+如果希望只在首次启动时使用认证密钥，后续启动使用已有状态：
+
+- 设置环境变量 `TS_AUTH_ONCE=true`（需要在 docker-compose.yml 中手动添加）
+
+### 数据目录
+
+应用数据存储在 `./data/state` 目录，包含 Tailscale 的状态信息（认证状态、配置等）。该目录挂载到容器的 `/var/lib/tailscale`。
+
+**重要提示**：请确保 `data/state` 目录有正确的读写权限，否则状态无法保存，导致每次重启都需要重新认证。
+
+## 环境变量说明
+
+- `TS_AUTHKEY`: Tailscale 认证密钥（可选，支持交互登录）
+- `TS_USERSPACE`: 是否使用用户空间网络模式
+- `TS_STATE_DIR`: 状态文件存储目录（固定为 /var/lib）
+- `TS_ROUTES`: 要广播的子网路由
+- `TS_ACCEPT_DNS`: 是否接受 Tailscale DNS 配置
+- `TS_EXTRA_ARGS`: tailscale up 命令的额外参数
+- `TS_AUTH_ONCE`: 是否仅在首次启动时认证（默认 false）
+
+## 注意事项
+
+- 需要 `privileged` 权限和 `NET_ADMIN`、`SYS_MODULE` 能力
+- 使用 `host` 网络模式以直接管理网络接口
+- 需要访问 `/dev/net/tun` 设备
+- 首次运行时需要有效的认证密钥或进行交互登录
+- 建议在防火墙中允许 UDP 41641 端口（WireGuard 默认端口）
+- 容器重启策略固定为 `always`，由 1Panel 统一管理
+
+## 相关链接
+
+- 官方网站：https://tailscale.com
+- GitHub: https://github.com/tailscale/tailscale
+- 文档：https://tailscale.com/kb
+- 管理控制台：https://login.tailscale.com/admin
+- 下载客户端：https://tailscale.com/download

apps/tailscale/README_en.md

@@ -0,0 +1,114 @@
+# Tailscale
+
+The easiest, most secure way to use WireGuard. Tailscale enables you to create secure mesh networks that connect your devices together, no matter where they are located.
+
+## Features
+
+- **WireGuard-based**: Uses modern WireGuard protocol for high performance and strong security
+- **Automatic NAT Traversal**: Automatically handles complex network environments for direct device connections
+- **Zero Configuration**: No manual setup required, just login and use
+- **End-to-End Encryption**: All communications are encrypted end-to-end
+- **Multi-Platform Support**: Supports Linux, Windows, macOS, iOS, Android and more
+- **Subnet Routing**: Route entire subnets to your Tailscale network
+- **Magic DNS**: Automatically assigns friendly DNS names to devices
+- **Access Control**: Fine-grained access control policies
+
+## Usage Instructions
+
+### Authentication Methods
+
+Tailscale supports two authentication methods:
+
+#### Method 1: Using Auth Key (Recommended)
+
+1. Visit [Tailscale Admin Console](https://login.tailscale.com/admin/settings/keys)
+2. Click "Generate auth key" to create an authentication key
+3. Copy the generated key and fill it in the "Tailscale Auth Key" field during deployment
+4. Authentication completes automatically after deployment
+
+**Note**: Auth keys have an expiration time, please use them as soon as possible after generation.
+
+#### Method 2: Interactive Login
+
+1. Leave the "Tailscale Auth Key" field empty during deployment
+2. After deployment, click the "Terminal" button for the "Tailscale" container in 1Panel
+3. Execute the following command in the terminal:
+   ```bash
+   tailscale up
+   ```
+4. The command will output an authentication URL, copy it to your browser
+5. Log in to your Tailscale account and authorize the device
+6. After successful authentication, the container will automatically connect to the Tailscale network
+
+### Deployment Parameters
+
+- **Tailscale Auth Key** (Optional): Authentication key from admin console, leave empty for interactive login
+- **Userspace Mode**: 
+  - `false` (Recommended): Use kernel networking mode for better performance
+  - `true`: Use userspace networking mode for better compatibility
+- **Subnet Routes** (Optional): Subnets to advertise, e.g., `192.168.1.0/24,10.0.0.0/8`
+- **Accept DNS**: Whether to accept Tailscale DNS configuration
+- **Extra Args** (Optional): Additional arguments for tailscale up command, e.g., `--accept-routes`
+
+### Post-Deployment Steps
+
+1. After deployment, visit [Tailscale Admin Console](https://login.tailscale.com/admin/machines) to check device status
+2. Install Tailscale clients on other devices and login with the same account
+3. Devices can access each other via Tailscale IP or MagicDNS names
+
+### Advanced Configuration
+
+#### Configure Subnet Router
+
+If you want to route your local network to Tailscale:
+
+1. Fill in the subnets to advertise in `Subnet Routes` parameter, e.g., `192.168.1.0/24`
+2. Approve the subnet route in admin console after deployment
+3. Other Tailscale devices can then access devices in that subnet
+
+#### Configure Exit Node
+
+Configure Tailscale as an exit node to allow other devices to access the internet through it:
+
+1. Add `--advertise-exit-node` to `Extra Args` parameter
+2. Approve the exit node in admin console after deployment
+3. Other devices can choose to use this exit node
+
+#### First-Time Authentication Only
+
+If you want to use the auth key only on first startup and use existing state on subsequent starts:
+
+- Set environment variable `TS_AUTH_ONCE=true` (needs to be manually added in docker-compose.yml)
+
+### Data Directory
+
+Application data is stored in `./data/state` directory, containing Tailscale state information (authentication state, configuration, etc.). This directory is mounted to `/var/lib/tailscale` in the container.
+
+**Important**: Ensure the `data/state` directory has correct read/write permissions, otherwise state cannot be persisted and re-authentication will be required on every restart.
+
+## Environment Variables
+
+- `TS_AUTHKEY`: Tailscale authentication key (optional, supports interactive login)
+- `TS_USERSPACE`: Whether to use userspace networking mode
+- `TS_STATE_DIR`: State file storage directory (fixed to /var/lib)
+- `TS_ROUTES`: Subnet routes to advertise
+- `TS_ACCEPT_DNS`: Whether to accept Tailscale DNS configuration
+- `TS_EXTRA_ARGS`: Additional arguments for tailscale up command
+- `TS_AUTH_ONCE`: Whether to authenticate only on first start (default false)
+
+## Notes
+
+- Requires `privileged` mode and `NET_ADMIN`, `SYS_MODULE` capabilities
+- Uses `host` network mode to directly manage network interfaces
+- Requires access to `/dev/net/tun` device
+- A valid auth key or interactive login is required for first run
+- Recommended to allow UDP port 41641 (WireGuard default port) in firewall
+- Container restart policy is fixed to `always`, managed by 1Panel
+
+## Links
+
+- Website: https://tailscale.com
+- GitHub: https://github.com/tailscale/tailscale
+- Documentation: https://tailscale.com/kb
+- Admin Console: https://login.tailscale.com/admin
+- Downloads: https://tailscale.com/download

apps/tailscale/data.yml

@@ -0,0 +1,29 @@
+name: Tailscale
+tags:
+  - 网络工具
+  - 安全
+title: 私有 WireGuard 网络组网工具
+description: 最简单的 WireGuard 私有网络组网解决方案，支持多设备安全互联
+additionalProperties:
+  key: tailscale
+  name: Tailscale
+  tags:
+    - Networking
+    - Security
+  shortDescZh: 私有 WireGuard 网络组网工具
+  shortDescEn: Private WireGuard networking tool
+  description:
+    en: The easiest, most secure way to use WireGuard. Create private networks with secure mesh connectivity between devices.
+    zh: 最简单、最安全的 WireGuard 使用方式。创建设备间安全 mesh 连接的私有网络。
+  type: tool
+  crossVersionUpdate: true
+  limit: 0
+  recommend: 90
+  website: https://tailscale.com
+  github: https://github.com/tailscale/tailscale
+  document: https://tailscale.com/kb
+  architectures:
+    - amd64
+    - arm64
+    - arm/v7
+  hostMode: true

apps/tailscale/latest/data.yml

@@ -0,0 +1,62 @@
+additionalProperties:
+  formFields:
+    - default: ""
+      edit: true
+      envKey: TS_AUTHKEY
+      labelEn: Tailscale Auth Key
+      labelZh: Tailscale 认证密钥
+      required: false
+      rule: paramCommon
+      type: password
+      description:
+        zh: 从 https://login.tailscale.com/admin/settings/keys 获取认证密钥，留空则需要在容器内执行 tailscale up 进行交互登录
+        en: Get auth key from https://login.tailscale.com/admin/settings/keys, leave empty for interactive login via tailscale up
+    - default: "false"
+      edit: true
+      envKey: TS_USERSPACE
+      labelEn: Userspace Mode
+      labelZh: 用户空间模式
+      required: false
+      type: select
+      values:
+        - label: "false (Kernel Networking)"
+          value: "false"
+        - label: "true (Userspace)"
+          value: "true"
+      description:
+        zh: "false 使用内核网络（推荐），true 使用用户空间网络"
+        en: "false for kernel networking (recommended), true for userspace"
+    - default: ""
+      edit: true
+      envKey: TS_ROUTES
+      labelEn: Subnet Routes (Optional)
+      labelZh: 子网路由（可选）
+      required: false
+      rule: paramCommon
+      type: text
+      description:
+        zh: 要广播的子网路由，如 192.168.1.0/24,10.0.0.0/8
+        en: Subnet routes to advertise, e.g. 192.168.1.0/24,10.0.0.0/8
+    - default: "true"
+      edit: true
+      envKey: TS_ACCEPT_DNS
+      labelEn: Accept DNS
+      labelZh: 接受 DNS
+      required: false
+      type: select
+      values:
+        - label: "true"
+          value: "true"
+        - label: "false"
+          value: "false"
+    - default: ""
+      edit: true
+      envKey: TS_EXTRA_ARGS
+      labelEn: Extra Arguments (Optional)
+      labelZh: 额外参数（可选）
+      required: false
+      rule: paramCommon
+      type: text
+      description:
+        zh: tailscale up 命令的额外参数，如 --accept-routes
+        en: Extra arguments for tailscale up command, e.g. --accept-routes

apps/tailscale/latest/docker-compose.yml

@@ -0,0 +1,28 @@
+services:
+  tailscaled:
+    container_name: ${CONTAINER_NAME}
+    image: tailscale/tailscale:latest
+    hostname: ${HOSTNAME:-tailscale}
+    restart: always
+    volumes:
+      - ./data/state:/var/lib/tailscale
+      - /dev/net/tun:/dev/net/tun
+    cap_add:
+      - NET_ADMIN
+      - SYS_MODULE
+    network_mode: host
+    privileged: true
+    environment:
+      - TS_AUTHKEY=${TS_AUTHKEY}
+      - TS_USERSPACE=${TS_USERSPACE:-false}
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_ROUTES=${TS_ROUTES:-}
+      - TS_ACCEPT_DNS=${TS_ACCEPT_DNS:-true}
+      - TS_EXTRA_ARGS=${TS_EXTRA_ARGS:-}
+      - TS_AUTH_ONCE=${TS_AUTH_ONCE:-false}
+    command: containerboot
+    labels:
+      createdBy: "Apps"
+networks:
+  1panel-network:
+    external: true

apps/tianji/1.31.22/docker-compose.yml

@@ -2,7 +2,7 @@ services:
   tianji:
     container_name: ${CONTAINER_NAME}
     restart: always
-    image: moonrailgun/tianji:1.31.20
+    image: moonrailgun/tianji:1.31.22
     networks:
       - 1panel-network
     ports: