feat: Tailscale serve/funnel (new CLI) support; UI bindings; Gitea update.json; docs sudo; bump 0.1.2

This commit is contained in:
Markus F.J. Busche
2025-09-20 15:59:11 +02:00
parent 62ccfc4a00
commit 667ecc5e72
9 changed files with 172 additions and 35 deletions

@@ -35,6 +35,42 @@ The plugin adds a new section to OctoPrint's settings panel with the following o
* **Port**: The port to expose via Funnel (default: 80)
* **Confirm Enable**: Require confirmation before enabling Funnel (default: True)
## Runtime Permissions (sudo)
Some Tailscale operations (serve/funnel) may require elevated privileges depending on your setup. The plugin executes `tailscale` from the OctoPrint process user. If enabling/disabling Funnel fails with permission errors or HTTP 500, configure passwordless sudo for the OctoPrint user to run `tailscale`:
1. Determine the OctoPrint service user (common: `octoprint` or `pi`):
```bash
systemctl show -p User octoprint | sed 's/User=//'
```
2. Allow passwordless sudo for `tailscale` for that user (replace <USER>):
```bash
echo '<USER> ALL=(root) NOPASSWD: /usr/bin/tailscale *' | sudo tee /etc/sudoers.d/octoprint-tailscale
sudo chmod 440 /etc/sudoers.d/octoprint-tailscale
sudo visudo -cf /etc/sudoers.d/octoprint-tailscale
```
3. Test (should not prompt for a password):
```bash
sudo -n tailscale status --json >/dev/null && echo OK || echo FAIL
```
Security note: Restricting the sudo rule to `/usr/bin/tailscale *` limits elevated access to the Tailscale CLI.
## Initial Tailscale Serve/Funnel setup (optional)
If you prefer preconfiguring Tailscale manually (instead of letting the plugin set it up), these commands map OctoPrint on port 80 to the root path and enable Funnel using current Tailscale CLI syntax:
```bash
# Tailnet-only mapping at /
sudo tailscale serve --bg --http 80 http://127.0.0.1:80
# Public internet via Funnel (HTTPS will be available on 443)
sudo tailscale funnel --bg 80
```
Disable/reset if needed:
```bash
sudo tailscale serve --http=80 off
sudo tailscale funnel reset
```
## Security Considerations
Enabling Funnel makes your OctoPrint instance accessible from the public internet. Only enable it when needed and disable it when finished. The plugin will show a confirmation dialog before enabling Funnel if the "Confirm Enable" option is checked.
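Review bot: In step 2 of the sudo section, the rule `<USER> ALL=(root) NOPASSWD: /usr/bin/tailscale *` lets the OctoPrint user run every `tailscale` subcommand with any arguments as root, not only serve and funnel, so the "Security note" line overstates how much the rule restricts. Suggest listing only the invocations the plugin needs (for example separate entries for `/usr/bin/tailscale serve *`, `/usr/bin/tailscale funnel *` and `/usr/bin/tailscale status *`), or documenting `sudo tailscale set --operator=<USER>` as an alternative that avoids sudo for the plugin, where the installed Tailscale version supports it. Two smaller points in the same steps: the file is written into `/etc/sudoers.d` before `visudo -cf` checks it, so a typo is live before it is validated (check a temporary file first, then install it); and the step 3 test runs as the invoking admin rather than as `<USER>`, so it does not exercise the new rule (`sudo -u <USER> sudo -n tailscale status --json` would).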
@@ -47,6 +83,21 @@ The plugin exposes the following API endpoints:
* `POST /api/plugin/tailscale_funnel/enable` - Enable Tailscale Funnel
* `POST /api/plugin/tailscale_funnel/disable` - Disable Tailscale Funnel
## Updates via Gitea (update.json)
This plugin can announce new versions via a JSON file hosted in your Gitea repo. The plugin is configured to read:
`https://gitea.elpatron.me/elpatron/octo-funnel/raw/branch/main/update.json`
Workflow for a new release (example to bump 0.1.1 → 0.1.2):
1. Update the version in `setup.py` (`plugin_version = "0.1.2"`).
2. Build artifacts (sdist/wheel/ZIP).
3. Upload the ZIP to Gitea Releases or ensure the archive URL resolves for the tag.
4. Commit and push `update.json` with the new version:
```json
{ "version": "0.1.2" }
```
5. In OctoPrint: open Software Update and trigger a re-check (or restart).
## License
AGPLv3
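Review bot: The `update.json` shown in step 4 carries only `version`, and the plugin reads it from the `main` branch raw URL, so whoever can push to `main` or move the release tag controls what OctoPrint instances are told to install, with no checksum tying the announced version to a specific artifact. Suggest documenting that `main` and release tags should be protected in Gitea, and stating which tag name and archive URL a given `version` maps to, since step 3 ("ensure the archive URL resolves for the tag") never mentions creating the tag. It is also worth saying that `setup.py` and `update.json` must carry the same version, as nothing in the listed workflow checks that they agree.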