From d67ae30a991a9ab387d611cf2a40cee8d91328b3 Mon Sep 17 00:00:00 2001 From: wayne Date: Mon, 27 Apr 2026 22:34:44 -0400 Subject: [PATCH] v2.2: bake in tailscale (AUR) + tun device + NET_ADMIN cap --- Dockerfile | 1 + README.md | 40 +++++++++++++++++++++++++++++++++++++++- docker-compose.yml | 5 +++++ 3 files changed, 45 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 15a654c..afb28a7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -42,6 +42,7 @@ RUN sudo -u aurbuild yay -S --noconfirm --needed \ eza \ wl-clipboard \ trash-cli \ + tailscale \ && sudo -u aurbuild yay -Scc --noconfirm # ── Dev user ────────────────────────────────────────────────────────────────── diff --git a/README.md b/README.md index ecf1e42..8f4f151 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ Kanagawa Wave · rolling release · AUR-powered · git-snapshotted home - Claude Code CLI (snapshot after install + login) - Gemini CLI - Aider -- nvm + Node.js (for any AI tool that needs it) +- nvm + Node.js (for AI tools that need it) ### v2.1 — Image & ASCII tooling - ImageMagick — image manipulation @@ -33,6 +33,26 @@ Kanagawa Wave · rolling release · AUR-powered · git-snapshotted home Workflow: AI rough sketch → `chafa --symbols ascii` → hand-tweak +### v2.2 — Tailscale +- Tailscale baked in via AUR +- `/dev/net/tun` device pass-through for kernel-mode networking +- `NET_ADMIN` + `NET_RAW` capabilities granted +- First-run auth, then `snap tailscale` for persistence + +```bash +# Inside container, first time: +sudo tailscaled & +sudo tailscale up # follow auth URL +snap tailscale "authenticated to tailnet" +``` + +### v2.3 — Companion plugin (separate repo) +**`tailscale.nvim`** — original FOSS work, no equivalent exists yet: +- Lualine status component +- Telescope peer picker +- Quick IP copy + status window +- Repo: github.com//tailscale.nvim + --- ## v1.7 — What's there now 
@@ -85,6 +105,21 @@ Reset home to factory: `docker volume rm _arch-dev-home` --- +## Container Capabilities + +The container drops ALL capabilities then re-adds only what's needed: + +| Cap | Why | +|---|---| +| `NET_BIND_SERVICE` | Bind to ports < 1024 (mosh) | +| `SETUID` / `SETGID` | sudo | +| `AUDIT_WRITE` | sudoers_audit plugin | +| `NET_ADMIN` / `NET_RAW` | Tailscale | + +Plus device pass-through for `/dev/net/tun` (Tailscale kernel mode). + +--- + ## State Tracking — Two Systems | System | What | Where | @@ -105,3 +140,6 @@ Set `MOBILE=1` in Termius host profile env vars to activate: - habamax colorscheme (kanagawa needs truecolor) - termguicolors disabled in neovim - Bufferline disabled + +With Tailscale (v2.2+), you can reach arch-dev from any device on your +tailnet without exposing ports — perfect for mobile dev anywhere. diff --git a/docker-compose.yml b/docker-compose.yml index c93901a..4234734 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -30,6 +30,11 @@ services: - SETUID - SETGID - AUDIT_WRITE + - NET_ADMIN + - NET_RAW + + devices: + - /dev/net/tun:/dev/net/tun volumes: arch-dev-home:
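Review bot: in the Dockerfile hunk, `tailscale` is added to the `yay -S --noconfirm --needed` AUR build step alongside the shell tooling, so the PKGBUILD is fetched and built unattended with no pinning or review; since this package is the daemon that will hold the node key for the tailnet, prefer the distribution's signed repository package via pacman where available, or at least record the package source and version in the README's v2.2 section so the provenance of the VPN daemon is visible.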
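Review bot: in the README v2.2/v2.3 hunk, the snippet `sudo tailscaled &` starts the daemon as a background job of the login shell and `snap tailscale "authenticated to tailnet"` snapshots the home directory, but tailscaled keeps its node state under /var/lib/tailscale by default, outside home, so the snapshot does not capture the login and the daemon does not come back after a container restart; suggest documenting a persistent state location (for example `--state` pointing at a path on a volume) plus a startup step, or stating plainly that re-auth is required after recreate. Also `Repo: github.com//tailscale.nvim` has an empty owner segment in the URL.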
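Review bot: in the Container Capabilities hunk, the table justifies both `NET_ADMIN` and `NET_RAW` with the single word "Tailscale"; each capability re-added after dropping ALL widens what a compromised process inside the container can do (NET_ADMIN alone allows rewriting the container's routes, firewall rules and interfaces), so the row should say what each capability is actually needed for, and the README should mention the alternative of running tailscaled with `--tun=userspace-networking`, which needs neither capability nor the `/dev/net/tun` pass-through at the cost of kernel-mode throughput, for users who want the smaller privilege set.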
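Review bot: in the Mobile Mode hunk, "reach arch-dev from any device on your tailnet without exposing ports" is accurate for the public side, but it also means the container's SSH/mosh listener becomes reachable from every node on the tailnet by default; a sentence noting that tailnet ACLs (or a tag on this node) should scope which devices may connect would round out the security picture.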
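Review bot: in the docker-compose.yml hunk, `devices: - /dev/net/tun:/dev/net/tun` assumes the host already has the tun module loaded; on a host where `/dev/net/tun` does not exist the service fails to start, so the README should list `modprobe tun` (or a persistent modules-load entry) as a host prerequisite. The new `NET_ADMIN` and `NET_RAW` entries also join the list the README describes as the minimal set; if `NET_RAW` is not required by tailscaled in the kernel-mode configuration used here, dropping it keeps the set minimal.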