@ssdavidai/zo-tailscale 1.0.0

package/bin/zo-tailscale.js

@@ -0,0 +1,47 @@
+#!/usr/bin/env node
+'use strict';
+
+const command = process.argv[2];
+
+const USAGE = `
+zo-tailscale — Tailscale sidecar for Zo workspaces
+
+Usage:
+  zo-tailscale setup      Interactive setup: install sidecar, connect to tailnet
+  zo-tailscale status     Show Tailscale connection status
+  zo-tailscale cleanup    Remove offline/stale nodes via Tailscale API
+  zo-tailscale teardown   Remove Tailscale sidecar from this workspace
+`;
+
+async function main() {
+  switch (command) {
+    case 'setup': {
+      const { runSetup } = require('../lib/setup');
+      await runSetup();
+      break;
+    }
+    case 'status': {
+      const { runStatus } = require('../lib/status');
+      await runStatus();
+      break;
+    }
+    case 'cleanup': {
+      const { runCleanup } = require('../lib/cleanup');
+      await runCleanup();
+      break;
+    }
+    case 'teardown': {
+      const { runTeardown } = require('../lib/teardown');
+      await runTeardown();
+      break;
+    }
+    default:
+      console.log(USAGE);
+      process.exit(command ? 1 : 0);
+  }
+}
+
+main().catch((err) => {
+  console.error(`\nError: ${err.message}`);
+  process.exit(1);
+});

package/lib/cleanup.js

@@ -0,0 +1,121 @@
+'use strict';
+
+const https = require('https');
+const readline = require('readline');
+const { getSecret, setSecret, prompt } = require('./setup');
+
+function apiRequest(method, path, apiKey, body) {
+  return new Promise((resolve, reject) => {
+    const options = {
+      hostname: 'api.tailscale.com',
+      path,
+      method,
+      headers: {
+        'Authorization': `Bearer ${apiKey}`,
+        'Content-Type': 'application/json',
+      },
+    };
+
+    const req = https.request(options, (res) => {
+      let data = '';
+      res.on('data', (chunk) => (data += chunk));
+      res.on('end', () => {
+        if (res.statusCode >= 200 && res.statusCode < 300) {
+          resolve(data ? JSON.parse(data) : null);
+        } else {
+          reject(new Error(`API ${res.statusCode}: ${data}`));
+        }
+      });
+    });
+
+    req.on('error', reject);
+    if (body) req.write(JSON.stringify(body));
+    req.end();
+  });
+}
+
+async function runCleanup() {
+  console.log('\n🧹 Tailscale Node Cleanup\n');
+
+  // Get API key
+  let apiKey = getSecret('TAILSCALE_API_KEY');
+
+  if (apiKey) {
+    const reuse = await prompt(`Found existing API key (${apiKey.slice(0, 20)}...). Use it? [Y/n] `);
+    if (reuse.toLowerCase() === 'n') {
+      apiKey = await prompt('Enter your Tailscale API key (https://login.tailscale.com/admin/settings/keys): ');
+      setSecret('TAILSCALE_API_KEY', apiKey);
+    }
+  } else {
+    apiKey = await prompt('Enter your Tailscale API key (https://login.tailscale.com/admin/settings/keys): ');
+    if (!apiKey) {
+      console.error('API key is required for cleanup.');
+      process.exit(1);
+    }
+    setSecret('TAILSCALE_API_KEY', apiKey);
+    console.log('✓ API key saved to ~/.zo_secrets');
+  }
+
+  // Fetch devices
+  console.log('\nFetching devices...');
+  let devices;
+  try {
+    const result = await apiRequest('GET', '/api/v2/tailnet/-/devices', apiKey);
+    devices = result.devices || [];
+  } catch (e) {
+    console.error('Failed to fetch devices:', e.message);
+    process.exit(1);
+  }
+
+  // Find offline nodes
+  const now = Date.now();
+  const offline = devices.filter((d) => {
+    const lastSeen = new Date(d.lastSeen).getTime();
+    const offlineMs = now - lastSeen;
+    // Consider offline if not seen in 5+ minutes
+    return offlineMs > 5 * 60 * 1000;
+  });
+
+  if (offline.length === 0) {
+    console.log(`All ${devices.length} devices are online. Nothing to clean up.`);
+    return;
+  }
+
+  console.log(`\nFound ${offline.length} offline node(s):\n`);
+  offline.forEach((d, i) => {
+    const lastSeen = new Date(d.lastSeen);
+    const ago = humanizeAge(now - lastSeen.getTime());
+    console.log(`  ${i + 1}. ${d.name.padEnd(35)} last seen: ${ago} ago`);
+  });
+
+  const answer = await prompt(`\nDelete all ${offline.length} offline node(s)? [y/N] `);
+  if (answer.toLowerCase() !== 'y') {
+    console.log('Cancelled.');
+    return;
+  }
+
+  // Delete nodes
+  let deleted = 0;
+  for (const device of offline) {
+    try {
+      await apiRequest('DELETE', `/api/v2/device/${device.id}`, apiKey);
+      console.log(`  ✓ Deleted ${device.name}`);
+      deleted++;
+    } catch (e) {
+      console.log(`  ✗ Failed to delete ${device.name}: ${e.message}`);
+    }
+  }
+
+  console.log(`\n✅ Deleted ${deleted}/${offline.length} offline node(s).`);
+}
+
+function humanizeAge(ms) {
+  const minutes = Math.floor(ms / 60000);
+  if (minutes < 60) return `${minutes}m`;
+  const hours = Math.floor(minutes / 60);
+  if (hours < 24) return `${hours}h ${minutes % 60}m`;
+  const days = Math.floor(hours / 24);
+  return `${days}d ${hours % 24}h`;
+}
+
+module.exports = { runCleanup };

package/lib/setup.js

@@ -0,0 +1,161 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+const readline = require('readline');
+const {
+  hasTailscaleProgram,
+  injectTailscaleProgram,
+  reloadSupervisor,
+  getTailscaleStatus,
+} = require('./supervisor');
+
+const SECRETS_FILE = '/root/.zo_secrets';
+const STARTUP_SCRIPT = '/usr/local/bin/start-tailscale.sh';
+const TEMPLATE = path.join(__dirname, '..', 'templates', 'start-tailscale.sh');
+
+function prompt(question) {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+
+function checkTailscaleBinary() {
+  try {
+    execSync('which tailscaled', { encoding: 'utf8' });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function readSecrets() {
+  if (!fs.existsSync(SECRETS_FILE)) return '';
+  return fs.readFileSync(SECRETS_FILE, 'utf8');
+}
+
+function setSecret(name, value) {
+  let content = readSecrets();
+  const line = `export ${name}="${value}"`;
+  const regex = new RegExp(`^export ${name}=.*$`, 'm');
+
+  if (regex.test(content)) {
+    content = content.replace(regex, line);
+  } else {
+    content = content.trimEnd() + '\n' + line + '\n';
+  }
+
+  fs.writeFileSync(SECRETS_FILE, content);
+}
+
+function getSecret(name) {
+  const content = readSecrets();
+  const match = content.match(new RegExp(`^export ${name}="?([^"\\n]*)"?`, 'm'));
+  return match ? match[1] : null;
+}
+
+function writeStartupScript(hostname) {
+  let template = fs.readFileSync(TEMPLATE, 'utf8');
+  template = template.replace('__HOSTNAME__', hostname);
+  fs.writeFileSync(STARTUP_SCRIPT, template, { mode: 0o755 });
+}
+
+function waitForTailscale(maxWait = 30) {
+  for (let i = 0; i < maxWait; i++) {
+    try {
+      const result = execSync('tailscale status --json 2>/dev/null', {
+        encoding: 'utf8',
+        timeout: 5000,
+      });
+      const status = JSON.parse(result);
+      if (status.BackendState === 'Running') return status;
+    } catch {
+      // not ready yet
+    }
+    execSync('sleep 1');
+  }
+  return null;
+}
+
+async function runSetup() {
+  console.log('\n🔧 zo-tailscale setup\n');
+
+  // Step 1: Check binary
+  if (!checkTailscaleBinary()) {
+    console.error('tailscaled binary not found. Is Tailscale installed on this workspace?');
+    process.exit(1);
+  }
+  console.log('✓ tailscaled binary found');
+
+  // Step 2: Auth key
+  const existingKey = getSecret('TAILSCALE_AUTHKEY');
+  let authKey;
+
+  if (existingKey) {
+    const reuse = await prompt(`Found existing auth key (${existingKey.slice(0, 20)}...). Use it? [Y/n] `);
+    if (reuse.toLowerCase() === 'n') {
+      authKey = await prompt('Enter your Tailscale auth key (https://login.tailscale.com/admin/settings/keys): ');
+    } else {
+      authKey = existingKey;
+    }
+  } else {
+    authKey = await prompt('Enter your Tailscale auth key (https://login.tailscale.com/admin/settings/keys): ');
+  }
+
+  if (!authKey || !authKey.startsWith('tskey-auth-')) {
+    console.error('Invalid auth key. It should start with "tskey-auth-".');
+    process.exit(1);
+  }
+
+  // Step 3: Hostname
+  const hostname = (await prompt('Hostname for this node [zo-workspace]: ')) || 'zo-workspace';
+
+  // Step 4: Save auth key
+  console.log('\nConfiguring...');
+  setSecret('TAILSCALE_AUTHKEY', authKey);
+  console.log('✓ Auth key saved to ~/.zo_secrets');
+
+  // Step 5: Write startup script
+  writeStartupScript(hostname);
+  console.log('✓ Startup script written to ' + STARTUP_SCRIPT);
+
+  // Step 6: Supervisor config
+  if (hasTailscaleProgram()) {
+    console.log('✓ Supervisor config already has tailscale program');
+  } else {
+    injectTailscaleProgram();
+    console.log('✓ Injected tailscale program into supervisor config');
+  }
+
+  // Step 7: Reload supervisor
+  console.log('\nStarting Tailscale...');
+  try {
+    reloadSupervisor();
+    console.log('✓ Supervisor reloaded');
+  } catch (e) {
+    console.error('Warning: Could not reload supervisor:', e.message);
+  }
+
+  // Step 8: Wait for connection
+  console.log('Waiting for Tailscale to connect...');
+  const status = waitForTailscale();
+
+  if (status) {
+    const self = status.Self;
+    console.log(`\n✅ Tailscale is connected!`);
+    console.log(`   Hostname: ${self.HostName}`);
+    console.log(`   IP:       ${self.TailscaleIPs ? self.TailscaleIPs[0] : 'N/A'}`);
+    console.log(`   State:    ${status.BackendState}`);
+  } else {
+    console.log('\n⚠️  Tailscale did not connect within 30s.');
+    console.log('   Check logs: cat /dev/shm/tailscale_err.log');
+    console.log('   Supervisor: ' + getTailscaleStatus());
+  }
+}
+
+module.exports = { runSetup, getSecret, setSecret, prompt };

package/lib/status.js

@@ -0,0 +1,46 @@
+'use strict';
+
+const { execSync } = require('child_process');
+const { getTailscaleStatus } = require('./supervisor');
+
+function runStatus() {
+  console.log('\n📡 Tailscale Status\n');
+
+  // Supervisor status
+  const supervisorStatus = getTailscaleStatus();
+  console.log(`Supervisor: ${supervisorStatus}`);
+
+  // Tailscale status
+  try {
+    const jsonStr = execSync('tailscale status --json 2>/dev/null', {
+      encoding: 'utf8',
+      timeout: 5000,
+    });
+    const status = JSON.parse(jsonStr);
+    const self = status.Self;
+
+    console.log(`\nBackend:    ${status.BackendState}`);
+    console.log(`Hostname:   ${self.HostName}`);
+    console.log(`Tailnet:    ${status.MagicDNSSuffix || 'N/A'}`);
+
+    if (self.TailscaleIPs) {
+      console.log(`IPs:        ${self.TailscaleIPs.join(', ')}`);
+    }
+
+    // Show peers
+    const peers = Object.values(status.Peer || {});
+    if (peers.length > 0) {
+      console.log(`\nPeers (${peers.length}):`);
+      for (const peer of peers) {
+        const online = peer.Online ? '●' : '○';
+        const ips = peer.TailscaleIPs ? peer.TailscaleIPs[0] : '';
+        console.log(`  ${online} ${peer.HostName.padEnd(30)} ${ips.padEnd(18)} ${peer.OS || ''}`);
+      }
+    }
+  } catch {
+    console.log('\nTailscale is not running or not connected.');
+    console.log('Run "zo-tailscale setup" to configure.');
+  }
+}
+
+module.exports = { runStatus };

package/lib/supervisor.js

@@ -0,0 +1,107 @@
+'use strict';
+
+const fs = require('fs');
+const { execSync } = require('child_process');
+
+const SUPERVISOR_CONF = '/etc/zo/supervisord-user.conf';
+const SUPERVISOR_URL = 'http://127.0.0.1:29011';
+const PROGRAM_NAME = 'tailscale';
+
+const TAILSCALE_BLOCK = `
+[program:tailscale]
+command=/usr/local/bin/start-tailscale.sh
+directory=/root
+autostart=true
+autorestart=true
+startretries=10
+startsecs=5
+stdout_logfile=/dev/shm/tailscale.log
+stderr_logfile=/dev/shm/tailscale_err.log
+stdout_logfile_maxbytes=10MB
+stdout_logfile_backups=3
+stopsignal=TERM
+stopasgroup=true
+killasgroup=true
+stopwaitsecs=10
+`.trimStart();
+
+function hasTailscaleProgram() {
+  if (!fs.existsSync(SUPERVISOR_CONF)) return false;
+  const content = fs.readFileSync(SUPERVISOR_CONF, 'utf8');
+  return content.includes('[program:tailscale]');
+}
+
+function injectTailscaleProgram() {
+  if (hasTailscaleProgram()) {
+    return false; // already present
+  }
+
+  let content = fs.readFileSync(SUPERVISOR_CONF, 'utf8');
+
+  // Find the first [program:*] section and insert before it
+  const programMatch = content.match(/^(\[program:)/m);
+  if (programMatch) {
+    const idx = content.indexOf(programMatch[0]);
+    content = content.slice(0, idx) + TAILSCALE_BLOCK + '\n' + content.slice(idx);
+  } else {
+    // No programs yet, append
+    content = content.trimEnd() + '\n\n' + TAILSCALE_BLOCK;
+  }
+
+  fs.writeFileSync(SUPERVISOR_CONF, content);
+  return true;
+}
+
+function removeTailscaleProgram() {
+  if (!hasTailscaleProgram()) return false;
+
+  let content = fs.readFileSync(SUPERVISOR_CONF, 'utf8');
+
+  // Remove the [program:tailscale] block (from header to next section or EOF)
+  const regex = /\[program:tailscale\][^\[]*(?=\[|$)/s;
+  content = content.replace(regex, '');
+
+  // Clean up extra blank lines
+  content = content.replace(/\n{3,}/g, '\n\n');
+
+  fs.writeFileSync(SUPERVISOR_CONF, content);
+  return true;
+}
+
+function supervisorctl(cmd) {
+  return execSync(`supervisorctl -s ${SUPERVISOR_URL} ${cmd}`, {
+    encoding: 'utf8',
+    timeout: 15000,
+  }).trim();
+}
+
+function reloadSupervisor() {
+  supervisorctl('reread');
+  return supervisorctl('update');
+}
+
+function getTailscaleStatus() {
+  try {
+    return supervisorctl(`status ${PROGRAM_NAME}`);
+  } catch (e) {
+    return e.stdout || e.message;
+  }
+}
+
+function stopTailscale() {
+  try {
+    return supervisorctl(`stop ${PROGRAM_NAME}`);
+  } catch (e) {
+    return e.stdout || e.message;
+  }
+}
+
+module.exports = {
+  SUPERVISOR_CONF,
+  hasTailscaleProgram,
+  injectTailscaleProgram,
+  removeTailscaleProgram,
+  reloadSupervisor,
+  getTailscaleStatus,
+  stopTailscale,
+};

package/lib/teardown.js

@@ -0,0 +1,80 @@
+'use strict';
+
+const fs = require('fs');
+const readline = require('readline');
+const {
+  hasTailscaleProgram,
+  removeTailscaleProgram,
+  reloadSupervisor,
+  stopTailscale,
+} = require('./supervisor');
+
+const SECRETS_FILE = '/root/.zo_secrets';
+const STARTUP_SCRIPT = '/usr/local/bin/start-tailscale.sh';
+
+function prompt(question) {
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+
+function removeSecret(name) {
+  if (!fs.existsSync(SECRETS_FILE)) return;
+  let content = fs.readFileSync(SECRETS_FILE, 'utf8');
+  const regex = new RegExp(`^export ${name}=.*\\n?`, 'gm');
+  content = content.replace(regex, '');
+  fs.writeFileSync(SECRETS_FILE, content);
+}
+
+async function runTeardown() {
+  console.log('\n🗑️  zo-tailscale teardown\n');
+
+  const answer = await prompt('This will remove Tailscale sidecar from this workspace. Continue? [y/N] ');
+  if (answer.toLowerCase() !== 'y') {
+    console.log('Cancelled.');
+    return;
+  }
+
+  // Stop tailscale via supervisor
+  console.log('\nStopping Tailscale...');
+  try {
+    stopTailscale();
+    console.log('✓ Tailscale stopped');
+  } catch {
+    console.log('  (was not running)');
+  }
+
+  // Remove supervisor config
+  if (hasTailscaleProgram()) {
+    removeTailscaleProgram();
+    console.log('✓ Removed tailscale from supervisor config');
+    try {
+      reloadSupervisor();
+      console.log('✓ Supervisor reloaded');
+    } catch (e) {
+      console.log('  Warning: Could not reload supervisor:', e.message);
+    }
+  } else {
+    console.log('  Supervisor config already clean');
+  }
+
+  // Remove startup script
+  if (fs.existsSync(STARTUP_SCRIPT)) {
+    fs.unlinkSync(STARTUP_SCRIPT);
+    console.log('✓ Removed ' + STARTUP_SCRIPT);
+  }
+
+  // Remove secrets
+  removeSecret('TAILSCALE_AUTHKEY');
+  removeSecret('TAILSCALE_API_KEY');
+  console.log('✓ Removed Tailscale keys from ~/.zo_secrets');
+
+  console.log('\n✅ Tailscale has been removed from this workspace.');
+  console.log('   Note: The tailscale/tailscaled binaries were not removed.');
+}
+
+module.exports = { runTeardown };

package/package.json

@@ -0,0 +1,22 @@
+{
+  "name": "@ssdavidai/zo-tailscale",
+  "version": "1.0.0",
+  "description": "Set up Tailscale on your Zo workspace with auto-restart on session reboot",
+  "bin": {
+    "zo-tailscale": "./bin/zo-tailscale.js"
+  },
+  "files": [
+    "bin/",
+    "lib/",
+    "templates/"
+  ],
+  "keywords": ["zo", "tailscale", "vpn", "sidecar"],
+  "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/ssdavidai/zo-tailscale.git"
+  }
+}

package/templates/start-tailscale.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# Tailscale sidecar startup script
+# Runs tailscaled in userspace networking mode and authenticates
+
+set -e
+
+source /root/.zo_secrets
+# TAILSCALE_AUTHKEY is loaded from ~/.zo_secrets
+TAILSCALE_STATE_DIR="/var/lib/tailscale"
+
+mkdir -p "$TAILSCALE_STATE_DIR"
+
+# Start tailscaled in userspace networking mode (no iptables/netfilter needed)
+tailscaled --tun=userspace-networking --state="$TAILSCALE_STATE_DIR/tailscaled.state" --socket=/var/run/tailscale/tailscaled.sock &
+DAEMON_PID=$!
+
+# Wait for the socket to be ready
+for i in $(seq 1 30); do
+  if [ -S /var/run/tailscale/tailscaled.sock ]; then
+    break
+  fi
+  sleep 1
+done
+
+# Authenticate and connect
+tailscale up --authkey="$TAILSCALE_AUTHKEY" --hostname="__HOSTNAME__" --accept-routes
+
+# Keep the script running as long as tailscaled is alive
+wait $DAEMON_PID