Using a NervesHub support script to connect to tailscale

lawik · March 28, 2025, 8:07am

This is a ridiculous hack that I did yesterday to verify something we might want to tool up properly for NervesHub.

If you have Tailscale and a Nerves device with NervesHubLink connected to a NervesHub (such as NervesCloud.com) you can add the script below as a Support Script and if you run the script, the device should join your Tailnet and become routable.

It will also start EPMD and make the device an Erlang node. Then you could ridiculous and use a variant of my nerves_node hack to make the nodes connect up into a cluster. That’s not what we want to do. Rather we open a Livebook, then add a Smart cell for Remote Execution. Grab the cookie and host that the script prints. Bob is now your uncle.

You get all of Kino and access to pull things from your device. You can also connect the Livebook to the device but Mix.install won’t work for you and you’ll be quite limited in what you can do. But it has uses.

I don’t recommend this for production quite yet. I realized while writing this that I should restrict epmd to listen only to the Tailscale IP to be diligent for example. But it is probably already a pretty good debug tool if you need more direct access to your node. It means you can SSH via terminal (unless you’ve switched that off) and that also means you can deliver firmware via mix upload.

Enough of that. The hack script itself:

:inets.start()
:ssl.start()

url = ~c"https://pkgs.tailscale.com/stable/tailscale_1.82.0_arm64.tgz"
# You can use an ephemeral key to make ephemeral devices
# tags should be good for categorizing devices
# re-usable is required for it to work multiple times
tailscale_key = "MY_TAILSCALE_AUTH_KEY"
headers = []

tailscale_dir = "/data/tailscale"
File.mkdir_p!(tailscale_dir)
tmp_path = Path.join(tailscale_dir, "tailscale.tgz")

filepaths = Path.wildcard(Path.join(tailscale_dir, "/**"))

daemon_path =
  Enum.find(filepaths, fn path ->
    Path.basename(path) == "tailscaled"
  end)

cli_path =
  Enum.find(filepaths, fn path ->
    Path.basename(path) == "tailscale"
  end)

if is_nil(daemon_path) and is_nil(cli_path) do
  http_request_opts = [
    ssl: [
      cacerts: :public_key.cacerts_get(),
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ]
  ]

  IO.puts("to path: #{tmp_path}")

  {:ok, :saved_to_file} =
    :httpc.request(:get, {url, headers}, http_request_opts, stream: String.to_charlist(tmp_path))

  # {:ok, file} = :file.open(tmp_path, [:read, :compressed, :raw])

  {:ok, files} =
    :erl_tar.extract({:binary, File.read!(tmp_path)}, [:memory, :verbose, :compressed])

  Enum.each(files, fn {filename, content} ->
    IO.puts(filename)
    File.mkdir_p!(Path.dirname(Path.join(tailscale_dir, filename)))
    File.write!(Path.join(tailscale_dir, filename), content)
  end)
end

filepaths = Path.wildcard(Path.join(tailscale_dir, "/**"))

daemon_path =
  Enum.find(filepaths, fn path ->
    Path.basename(path) == "tailscaled"
  end)

cli_path =
  Enum.find(filepaths, fn path ->
    Path.basename(path) == "tailscale"
  end)

File.chmod(daemon_path, 0o700)
File.chmod(cli_path, 0o700)

case Process.whereis(Tailscale) do
  nil ->
    {:ok, _pid} =
      MuonTrap.Daemon.start_link(
        daemon_path,
        [
          "--tun=userspace-networking",
          "--statedir=#{tailscale_dir}"
        ],
        name: Tailscale
      )

  _ ->
    :ok
end

{output, 0} =
  System.cmd(cli_path, ["up", "--auth-key=#{tailscale_key}", "--accept-routes"],
    stderr_to_stdout: true
  )

{ip, 0} =
  System.cmd(cli_path, ["ip", "-4"])

ip = String.trim(ip)

cookie = Base.encode64(:crypto.strong_rand_bytes(64))

case Process.whereis(EPMD) do
  nil ->
    {:ok, pid} = MuonTrap.Daemon.start_link("epmd", [], name: EPMD)

  _ ->
    :ok
end

Node.stop()
{:ok, _pid} = Node.start(:"nerves@#{ip}")

Node.set_cookie(String.to_atom(cookie))
IO.puts("Host: nerves@#{ip}")
IO.puts("Cookie: #{cookie}")

I tried making it fairly idempotent. It shouldn’t redo very much work and it should work if it has half-succeeded in the past. A reboot will shut it all down and I name the processes so you can make a script to shut it back down.

A fun nuance is that most of the practical management ends up on the tailscale key configuration. There are things we could do while calling the Tailscale CLI, but since your key can be set to tag devices and decide if they are ephemeral or permanent the script can be quite dumb.

lawik · March 28, 2025, 8:11am

I’ve bothered @hugobarauna a little bit about being able to use this via livebook.dev/run and pass some parameters along aside from the URL. Ideally I’d want to smuggle the node string and cookie over there so I could pick it up from the Livebook itself.

Give a smooth integration between NervesHub and Livebook Desktop/Teams.

If any of you try this on your Nerves devices, let me know how it goes.

lawik · March 28, 2025, 8:14am

Oh, btw, if you don’t use NervesHub you could still do this in console, should be fine.

If you want to run this without Nerves you’ll need to pick different directories and you might replace the calls to MuonTrap with System.cmd or something. Perfectly doable stuff in just Elixir as well.

nix2intel · March 28, 2025, 9:24pm

this is awesome!

n0gg1n · March 29, 2025, 1:39pm

This looks great!
Is there any reason you didn’t use tailscale bundled with buildroot?

lawik · March 29, 2025, 1:52pm

Yes. First, I don’t know how committed tailscale are to backwards compatibility and how lively the maintenance of that package is in buildroot. Probably fine but a few unknowns.

Second, it would have meant a new system build. And anyone who wanted to try it would need to do that step. This was both faster and quite reasonable. Especiall for a PoC.

A production-grade version of this for me would probably do this same maneuver but download tailscale at build time and make it part of a library’s priv dir. This script ends up with tailscale binaries in the data partition, not ideal, having it in the read-only rootfs would be preferable and a library would do that.

There is nothing wrong with the buildroot version to my knowledge, it is mostly about ease of integration. Adding to buildroot is one layer deeper and comes with the nuisance of a big build step. Small thing for a production project, kind of a hurdle for hobbyists.

n0gg1n · March 29, 2025, 1:59pm

That are valid points, thanks for the quick and detailed response

AdrianPaulCarrieres · April 3, 2025, 3:53pm

As far as I know Tailscale tries to never break backwards compatibility!

Either way, really super interesting, thank you for that!

kevinschweikert · April 3, 2025, 3:56pm

Maybe https://netbird.io/ could be an alternative to Tailscale

lawik · April 3, 2025, 4:22pm

Seems like it would be trivial to make that variant, yeah

joshknz · April 4, 2025, 1:53am

I worked through a variant of netbird with a NervesCloud customer, although they already had netbird setup on the device.

I’d be happy to share these scripts if its helpful.