cmd/bsky-webhook: add optional tsnet support (#5)

When the (new) --ts-hostname flag is set, run the server as a Tailscale node instead of running locally.
tailscale · Nov 14, 2024 · 0b672a6 · 0b672a6
1 parent 7a2ed17
commit 0b672a6
Show file tree

Hide file tree

Showing 4 changed files with 279 additions and 14 deletions.
diff --git a/README.md b/README.md
@@ -20,16 +20,18 @@ explicitly marked as optional.
 
 Here's the complete table based on the provided Go code:
 
-| Command-line flag    | Environment variable | Default value                           | Description                                                             |
-|----------------------|----------------------|-----------------------------------------|-------------------------------------------------------------------------|
-| `-addr`              | `JETSTREAM_ADDRESS`  | Rotation of all public jetsream servers | The [jetstream][jetstream] hostname to connect to.                      |
-| `-bsky-handle`       | `BSKY_HANDLE`        | none                                    | The Bluesky handle of the account that will make API requests.          |
-| `-bsky-app-password` | `BSKY_APP_PASSWORD`  | none                                    | The Bluesky app password for authentication.                            |
-| `-slack-webhook-url` | `SLACK_WEBHOOK_URL`  | none                                    | The Slack webhook URL for sending notifications.                        |
-| `-bsky-server-url`   | `BSKY_SERVER_URL`    | "https://bsky.social"                   | The Bluesky PDS server to send API requests to URL.                     |
-| `-watch-word`        | `WATCH_WORD`         | "tailscale"                             | The word to watch out for; may support multiple words in the future.    |
-| `-secrets-url`       | `SECRETS_URL`        | none                                    | The address of a [setec][setec] server to fetch secrets from (optional) |
-| `-secrets-prefix`    | `SECRETS_PREFIX`     | ""                                      | A prefix to prepend to secret names fetched from setec (optional)       |
+| Command-line flag    | Environment variable | Default value                           | Description                                                                 |
+|----------------------|----------------------|-----------------------------------------|-----------------------------------------------------------------------------|
+| `-addr`              | `JETSTREAM_ADDRESS`  | Rotation of all public jetsream servers | The [jetstream][jetstream] hostname to connect to.                          |
+| `-bsky-handle`       | `BSKY_HANDLE`        | none                                    | The Bluesky handle of the account that will make API requests.              |
+| `-bsky-app-password` | `BSKY_APP_PASSWORD`  | none                                    | The Bluesky app password for authentication.                                |
+| `-slack-webhook-url` | `SLACK_WEBHOOK_URL`  | none                                    | The Slack webhook URL for sending notifications.                            |
+| `-bsky-server-url`   | `BSKY_SERVER_URL`    | "https://bsky.social"                   | The Bluesky PDS server to send API requests to URL.                         |
+| `-watch-word`        | `WATCH_WORD`         | "tailscale"                             | The word to watch out for; may support multiple words in the future.        |
+| `-secrets-url`       | `SECRETS_URL`        | none                                    | The address of a [setec][setec] server to fetch secrets from (optional)     |
+| `-secrets-prefix`    | `SECRETS_PREFIX`     | ""                                      | A prefix to prepend to secret names fetched from setec (optional)           |
+| `-ts-hotname`        | `TS_HOSTNAME`        | ""                                      | A Tailscale hostname where the server should run (optional)                 |
+| `-ts-state-dir`      | `TS_STATE_DIR`       | none                                    | Where Tailscale state should be stored, if `-ts-hostname` is set (optional) |
 
 [jetstream]: https://github.com/bluesky-social/jetstream
 [setec]: https://github.com/tailscale/setec
diff --git a/cmd/bsky-webhook/main.go b/cmd/bsky-webhook/main.go
@@ -25,6 +25,7 @@ import (
 	bluesky "github.com/karalabe/go-bluesky"
 	"github.com/klauspost/compress/zstd"
 	"github.com/tailscale/setec/client/setec"
+	"tailscale.com/tsnet"
 )
 
 var (
@@ -45,6 +46,10 @@ var (
 		"the URL of a secrets server (if empty, no server is used)")
 	secretsPrefix = flag.String("secrets-prefix", envOr("SECRETS_PREFIX", ""),
 		"the prefix to prepend to secret names fetched from --secrets-url")
+	tsHostname = flag.String("ts-hostname", envOr("TS_HOSTNAME", ""),
+		"the Tailscale hostname the server should advertise (if empty, runs locally)")
+	tsStateDir = flag.String("ts-state-dir", envOr("TS_STATE_DIR", ""),
+		"the Tailscale state directory path (optional)")
 )
 
 // Public addresses of jetstream websocket services.
@@ -93,6 +98,21 @@ func main() {
 	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
 	defer cancel()
 
+	if *tsHostname != "" {
+		ts := &tsnet.Server{
+			Hostname: *tsHostname,
+			Dir:      *tsStateDir,
+		}
+		if _, err := ts.Up(ctx); err != nil {
+			log.Fatalf("starting tsnet for %q: %v", *tsHostname, err)
+		}
+
+		// Ensure HTTP and TCP connections go via Tailscale so ACLs work.
+		httpClient = ts.HTTPClient()
+		websocket.DefaultDialer.NetDialContext = ts.Dial
+		log.Printf("running in tsnet as %q", *tsHostname)
+	}
+
 	if *secretsURL != "" {
 		webhookSecret := path.Join(*secretsPrefix, "slack-webhook-url")
 		appKeySecret := path.Join(*secretsPrefix, "bluesky-app-key")

diff --git a/go.mod b/go.mod
@@ -8,22 +8,58 @@ require (
 	github.com/karalabe/go-bluesky v0.0.0-20230506152134-dd72fcf127a8
 	github.com/klauspost/compress v1.17.9
 	github.com/tailscale/setec v0.0.0-20241107175935-3954dc4aade5
+	tailscale.com v1.73.0-pre.0.20240822193108-696711cc17c4
 )
 
 require (
+	filippo.io/edwards25519 v1.1.0 // indirect
+	github.com/akutz/memconn v0.1.0 // indirect
+	github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa // indirect
+	github.com/aws/aws-sdk-go-v2 v1.26.1 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.11 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.11 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssm v1.44.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.20.5 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.23.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.28.6 // indirect
+	github.com/aws/smithy-go v1.20.2 // indirect
+	github.com/bits-and-blooms/bitset v1.13.0 // indirect
 	github.com/bluesky-social/indigo v0.0.0-20241008040750-06bacb465af7 // indirect
 	github.com/carlmjohnson/versioninfo v0.22.5 // indirect
+	github.com/coder/websocket v1.8.12 // indirect
+	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 // indirect
+	github.com/dblohm7/wingoes v0.0.0-20240119213807-a09d6be7affa // indirect
+	github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
+	github.com/gaissmai/bart v0.11.1 // indirect
 	github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/google/btree v1.1.2 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/nftables v0.2.1-0.20240414091927-5e242ec57806 // indirect
 	github.com/google/uuid v1.6.0 // indirect
+	github.com/gorilla/csrf v1.7.2 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/golang-lru v1.0.2 // indirect
+	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
+	github.com/illarion/gonotify v1.0.1 // indirect
+	github.com/insomniacslk/dhcp v0.0.0-20231206064809-8c70d406f6d2 // indirect
 	github.com/ipfs/bbloom v0.0.4 // indirect
 	github.com/ipfs/go-block-format v0.2.0 // indirect
 	github.com/ipfs/go-cid v0.4.1 // indirect
@@ -37,19 +73,46 @@ require (
 	github.com/ipfs/go-log/v2 v2.5.1 // indirect
 	github.com/ipfs/go-metrics-interface v0.0.1 // indirect
 	github.com/jbenet/goprocess v0.1.4 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/josharian/native v1.1.1-0.20230202152459-5c7d0dd6ab86 // indirect
+	github.com/jsimonetti/rtnetlink v1.4.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.8 // indirect
+	github.com/kortschak/wol v0.0.0-20200729010619-da482cc4850a // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mdlayher/genetlink v1.3.2 // indirect
+	github.com/mdlayher/netlink v1.7.2 // indirect
+	github.com/mdlayher/sdnotify v1.0.0 // indirect
+	github.com/mdlayher/socket v0.5.0 // indirect
+	github.com/miekg/dns v1.1.58 // indirect
 	github.com/minio/sha256-simd v1.0.1 // indirect
+	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mr-tron/base58 v1.2.0 // indirect
 	github.com/multiformats/go-base32 v0.1.0 // indirect
 	github.com/multiformats/go-base36 v0.2.0 // indirect
 	github.com/multiformats/go-multibase v0.2.0 // indirect
 	github.com/multiformats/go-multihash v0.2.3 // indirect
 	github.com/multiformats/go-varint v0.0.7 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/polydawn/refmt v0.89.1-0.20221221234430-40501e09de1f // indirect
+	github.com/prometheus-community/pro-bing v0.4.0 // indirect
+	github.com/safchain/ethtool v0.3.0 // indirect
 	github.com/spaolacci/murmur3 v1.1.0 // indirect
+	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e // indirect
+	github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 // indirect
+	github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4 // indirect
+	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 // indirect
+	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a // indirect
+	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 // indirect
+	github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 // indirect
+	github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 // indirect
+	github.com/tailscale/wireguard-go v0.0.0-20240731203015-71393c576b98 // indirect
+	github.com/tcnksm/go-httpstat v0.2.0 // indirect
+	github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e // indirect
+	github.com/vishvananda/netlink v1.2.1-beta.2 // indirect
+	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/whyrusleeping/cbor-gen v0.2.0 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 // indirect
 	go.opentelemetry.io/otel v1.31.0 // indirect
 	go.opentelemetry.io/otel/metric v1.31.0 // indirect
@@ -58,12 +121,21 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
+	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba // indirect
 	golang.org/x/crypto v0.28.0 // indirect
 	golang.org/x/exp v0.0.0-20240604190554-fc45aab8b7f8 // indirect
-	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/mod v0.19.0 // indirect
+	golang.org/x/net v0.27.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.26.0 // indirect
+	golang.org/x/term v0.25.0 // indirect
+	golang.org/x/text v0.19.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	golang.org/x/tools v0.23.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
+	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
+	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987 // indirect
 	lukechampine.com/blake3 v1.3.0 // indirect
-	tailscale.com v1.73.0-pre.0.20240822193108-696711cc17c4 // indirect
 )