diff --git a/README.md b/README.md
index 34c28ba..483b0c5 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,26 @@ be automatically removed by the coordination server a short time after they
 finish their run. The nodes are also [marked Preapproved](https://tailscale.com/kb/1085/auth-keys/)
 on tailnets which use [Device Approval](https://tailscale.com/kb/1099/device-approval/)
 
+## Tailnet Lock
+
+If you are using this Action in a [Tailnet
+Lock](https://tailscale.com/kb/1226/tailnet-lock) enabled network, you need to:
+
+* Authenticate using an ephemeral reusable [pre-signed auth key](
+ https://tailscale.com/kb/1226/tailnet-lock#add-a-node-using-a-pre-signed-auth-key)
+ rather than an OAuth client.
+* Specify a [state directory](
+ https://tailscale.com/kb/1278/tailscaled#flags-to-tailscaled) for the
+ client to store the Tailnet Key Authority data in.
+
+```yaml
+ - name: Tailscale
+ uses: tailscale/github-action@v2
+ with:
+ authkey: tskey-auth-...
+ statedir: /tmp/tailscale-state/
+```
+
 ## Defining Tailscale version
 
 Which Tailscale version to use can be set like this:
diff --git a/action.yml b/action.yml
index a3bbe04..332cb88 100644
--- a/action.yml
+++ b/action.yml
@@ -40,6 +40,10 @@ inputs:
 description: 'Fixed hostname to use.'
 required: false
 default: ''
+ statedir:
+ description: 'Optional state directory to use (if unset, memory state is used)'
+ required: false
+ default: ''
 runs:
 using: 'composite'
 steps:
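Review bot: The new `statedir` input's description does not tell a workflow author when the option is needed or that the directory is created for them, both of which the rest of this change establishes (the README section says Tailnet Lock requires it; the run step does `mkdir -p "$STATEDIR"`). I would make the description self-contained: `description: 'Optional directory for tailscaled state; created if missing. Required on Tailnet Lock enabled tailnets. If unset, in-memory state is used.'`. The `inputs:` mapping this hunk extends starts before the hunk.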
@@ -95,8 +99,15 @@ runs:
 shell: bash
 env:
 ADDITIONAL_DAEMON_ARGS: ${{ inputs.tailscaled-args }}
+ STATEDIR: ${{ inputs.statedir }}
 run: |
- sudo -E tailscaled --state=mem: ${ADDITIONAL_DAEMON_ARGS} 2>~/tailscaled.log &
+ if [ "$STATEDIR" == "" ]; then
+ STATE_ARGS="--state=mem:"
+ else
+ STATE_ARGS="--statedir=${STATEDIR}"
+ mkdir -p "$STATEDIR"
+ fi
+ sudo -E tailscaled ${STATE_ARGS} ${ADDITIONAL_DAEMON_ARGS} 2>~/tailscaled.log &
 # And check that tailscaled came up. The CLI will block for a bit waiting
 # for it. And --json will make it exit with status 0 even if we're logged
 # out (as we will be). Without --json it returns an error if we're not up.
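Review bot: `${STATE_ARGS}` on the new `sudo -E tailscaled` line is expanded unquoted, so a `statedir` value containing whitespace is word-split and tailscaled receives a truncated `--statedir=` plus stray arguments; holding the flag in a bash array and expanding it as `"${STATE_ARGS[@]}"` avoids that, and the step already declares `shell: bash` (`${ADDITIONAL_DAEMON_ARGS}` is presumably meant to stay unquoted as a space-separated list). The directory is also created by the runner user with the default umask before root writes tailscaled's state into it — state the README hunk in this change describes as Tailnet Key Authority data — so `mkdir -p -m 0700 "$STATEDIR"` would keep it from being readable by other accounts on the runner. `[ -z "$STATEDIR" ]` is the conventional empty-string test and avoids the bash-only `==`. The enclosing step begins before the hunk and its run script continues after it.
```yaml
        run: |
          if [ -z "$STATEDIR" ]; then
            STATE_ARGS=(--state=mem:)
          else
            # Restrict the directory before root writes tailscaled state into it.
            mkdir -p -m 0700 "$STATEDIR"
            STATE_ARGS=(--statedir="$STATEDIR")
          fi
          sudo -E tailscaled "${STATE_ARGS[@]}" ${ADDITIONAL_DAEMON_ARGS} 2>~/tailscaled.log &
          # … unchanged: tailscale status check …
```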