v2.2: bake in tailscale (AUR) + tun device + NET_ADMIN cap

2026-04-27 22:34:44 -04:00 · 2026-04-27 22:34:44 -04:00 · d67ae30a99
commit d67ae30a99
parent 942014eeb8
3 changed files with 45 additions and 1 deletions
--- a/1
+++ b/1
@ -42,6 +42,7 @@ RUN sudo -u aurbuild yay -S --noconfirm --needed \
    eza \
    wl-clipboard \
    trash-cli \
+    tailscale \
    && sudo -u aurbuild yay -Scc --noconfirm

 # ── Dev user ──────────────────────────────────────────────────────────────────
--- a/README.md
+++ b/README.md
@ -24,7 +24,7 @@ Kanagawa Wave · rolling release · AUR-powered · git-snapshotted home
 - Claude Code CLI (snapshot after install + login)
 - Gemini CLI
 - Aider
- nvm + Node.js (for any AI tool that needs it)
+- nvm + Node.js (for AI tools that need it)

 ### v2.1 — Image & ASCII tooling
 - ImageMagick — image manipulation
@ -33,6 +33,26 @@ Kanagawa Wave · rolling release · AUR-powered · git-snapshotted home

 Workflow: AI rough sketch → `chafa --symbols ascii` → hand-tweak

+### v2.2 — Tailscale
+- Tailscale baked in via AUR
+- `/dev/net/tun` device pass-through for kernel-mode networking
+- `NET_ADMIN` + `NET_RAW` capabilities granted
+- First-run auth, then `snap tailscale` for persistence
+
+```bash
+# Inside container, first time:
+sudo tailscaled &
+sudo tailscale up    # follow auth URL
+snap tailscale "authenticated to tailnet"
+```
+
+### v2.3 — Companion plugin (separate repo)
+**`tailscale.nvim`** — original FOSS work, no equivalent exists yet:
+- Lualine status component
+- Telescope peer picker
+- Quick IP copy + status window
+- Repo: github.com/<you>/tailscale.nvim
+
 ---

 ## v1.7 — What's there now
@ -85,6 +105,21 @@ Reset home to factory: `docker volume rm <project>_arch-dev-home`

 ---

+## Container Capabilities
+
+The container drops ALL capabilities then re-adds only what's needed:
+
+| Cap | Why |
+|---|---|
+| `NET_BIND_SERVICE` | Bind to ports < 1024 (mosh) |
+| `SETUID` / `SETGID` | sudo |
+| `AUDIT_WRITE` | sudoers_audit plugin |
+| `NET_ADMIN` / `NET_RAW` | Tailscale |
+
+Plus device pass-through for `/dev/net/tun` (Tailscale kernel mode).
+
+---
+
 ## State Tracking — Two Systems

 | System | What | Where |
@ -105,3 +140,6 @@ Set `MOBILE=1` in Termius host profile env vars to activate:
 - habamax colorscheme (kanagawa needs truecolor)
 - termguicolors disabled in neovim
 - Bufferline disabled
+
+With Tailscale (v2.2+), you can reach arch-dev from any device on your
+tailnet without exposing ports — perfect for mobile dev anywhere.
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -30,6 +30,11 @@ services:
      - SETUID
      - SETGID
      - AUDIT_WRITE
+      - NET_ADMIN
+      - NET_RAW
+
+    devices:
+      - /dev/net/tun:/dev/net/tun

 volumes:
  arch-dev-home: