Tailscale Integration#
Sometimes direct remote access to ZFSBootMenu is not possible, like when a computer using ZFSBootMenu is behind a firewall or inside a private network. Adding Tailscale support to ZFSBootMenu can help bridge this gap.
Prerequisites#
Presently, the only known and recommended initramfs module for Tailscale integration is mkinitcpio-tailscale, so this guide requires using mkinitcpio to generate the ZFSBootMenu image.
Remote access should also be set up before following this guide, though the SSH server can be either Dropbear from that guide or Tailscale's built-in SSH server. Note that if using Tailscale's SSH server, remote access will only be possible via Tailscale, not the local network.
Because the Tailscale node key is stored in the initramfs, it should not use the same one as the host system. To ensure this key is useless to anyone trying to access the connected Tailnet, Tailscale ACLs should be used to restrict any ZFSBootMenu Tailscale nodes from connecting to any other node in the Tailnet. For example:
// Example ACLs for mkinitcpio-tailscale and ZFSBootMenu
{
"tagOwners": {
"tag:zfsbootmenu": ["autogroup:admin"],
"tag:local": ["autogroup:admin"],
},
"acls": [
{"action": "accept", "src": ["tag:local"], "dst": ["*:*"]},
],
}
In this example, nodes with tag:local
can connect to any node in the Tailnet, but because there is no rule with
tag:zfsbootmenu
as the source, it cannot initiate any connections, rendering it fairly useless if compromised.
Setup#
First, generate an auth key and save it to /tmp/zbm-ts-authkey
.
The recommended settings for this key are:
not reusable
1 day expiration
not ephemeral
tagged with the relevant ACL tag (
tag:zfsbootmenu
if using ACLs like the example above)
Once used to generate the necessary information, this key is no longer needed and can be revoked or expired safely.
Next, install mkinitcpio-tailscale. This is available as a package on Void Linux. If not available as a package, it can be installed manually:
curl -L https://github.com/classabbyamp/mkinitcpio-tailscale/archive/master.tar.gz | tar -zxvf - -C /tmp
mkdir -p /etc/zfsbootmenu/initcpio/{install,hooks}
cp /tmp/mkinitcpio-tailscale-master/tailscale_hook /etc/zfsbootmenu/initcpio/hooks/tailscale
cp /tmp/mkinitcpio-tailscale-master/tailscale_install /etc/zfsbootmenu/initcpio/install/tailscale
rm -r /tmp/mkinitcpio-tailscale-master
To generate the node key for ZFSBootMenu's Tailscale node:
mkinitcpio-tailscale-setup -k /tmp/zbm-ts-authkey
Once it runs successfully, you should see a machine in the
Tailscale admin console with the name <your hostname>-mkinitcpio
and the ACL tag tag:zfsbootmenu
.
Then, enable the tailscale
module in /etc/zfsbootmenu/mkinitcpio.conf
by manually appending tailscale
to
the HOOKS
array, or by running:
sed -e '/HOOKS.*dropbear/a HOOKS+=(tailscale)' -i /etc/zfsbootmenu/mkinitcpio.conf
If using Tailscale SSH instead of Dropbear, add the necessary flags to /etc/tailscale/tailscaled.conf
:
tailscale_args="--ssh"
With the above configuration complete, running generate-zbm
should produce a ZFSBootMenu image that contains the
necessary components to enable SSH access over Tailscale in your bootloader.
After rebooting, ZFSBootMenu should configure the network interface, launch an SSH server, and connect to Tailscale. Connection to ZFSBootMenu should be possible using either the local IP (if using Dropbear), Tailscale IP, or Tailscale hostname.