sahensley · December 4, 2022 02:17
diff --git a/tailscale-podman.sh b/tailscale-podman.sh
 # tailscale under podman on fedora
 # tested on Fedora IOT (arm64 and amd64) and Silverblue (amd64).
 # ensure the tun module is loaded by default
 modprobe run
 echo tun > /etc/modules-load.d/tun.conf
 # ensure iptables xt_mark module is enabled and loaded
 modprobe xt_mark
 echo xt_mark > /etc/modules-load.d/xt_mark.conf
 # ensure iptables ip6table_filter module is enabled and loaded
 modprobe ip6tables_filter
 echo ip6table_filter > /etc/modules-load.d/ip6table_filter.conf

 ## The following steps to use iptables-legacy rather than nftables for firewalld are only required for Exit or Subnet Routers.
 # iptables rather than nftables, for compatibility
 # 2022-11-01 - this no longer seems required, we can stick with nftables.
 #rpm-ostree install iptables-legacy
 #sed -i 's/^FirewallBackend=.*/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf

 # create storage for state
 podman volume create tailscaled-state
 # launch the container, $HOSTNAME will be used to identify the default name of the tailscale client (e.g. in magic DNS). feel free to replace the variable with your own name choice.
 # for further --env flags check out https://github.com/tailscale/tailscale/blob/main/docs/k8s/run.sh
 # e.g. `--env TS_ROUTES=10.0.0.0/24` will advertise routing for the specified subnet.
 podman run -d \
  --rm \
  --name tailscaled \
  --hostname $HOSTNAME \
  --env TS_USERSPACE=false \
  --env TS_STATE_DIR=/var/lib/tailscale \
  --label "io.containers.autoupdate=registry" \
  --volume tailscaled-state:/var/lib/tailscale \
  --volume /lib/modules:/lib/modules:ro \
  --device /dev/net/tun \
  --network host \
  --privileged `#Highway To The Danger Zone! You could also try --cap-add net_admin,net_raw` \
  ghcr.io/guest42069/tailscale:latest
 (cd /etc/systemd/system && podman generate systemd --new --name --files tailscaled) && systemctl enable --now container-tailscaled
 # ... authenticate via provided link in the logs ...
 podman logs tailscaled
 # check the status or run other commands, note the custom socket path.
 podman exec tailscaled tailscale --socket=/tmp/tailscaled.sock status
	# tailscale under podman on fedora
	# tested on Fedora IOT (arm64 and amd64) and Silverblue (amd64).
	# ensure the tun module is loaded by default
	modprobe run
	echo tun > /etc/modules-load.d/tun.conf
	# ensure iptables xt_mark module is enabled and loaded
	modprobe xt_mark
	echo xt_mark > /etc/modules-load.d/xt_mark.conf
	# ensure iptables ip6table_filter module is enabled and loaded
	modprobe ip6tables_filter
	echo ip6table_filter > /etc/modules-load.d/ip6table_filter.conf

	## The following steps to use iptables-legacy rather than nftables for firewalld are only required for Exit or Subnet Routers.
	# iptables rather than nftables, for compatibility
	# 2022-11-01 - this no longer seems required, we can stick with nftables.
	#rpm-ostree install iptables-legacy
	#sed -i 's/^FirewallBackend=.*/FirewallBackend=iptables/' /etc/firewalld/firewalld.conf

	# create storage for state
	podman volume create tailscaled-state
	# launch the container, $HOSTNAME will be used to identify the default name of the tailscale client (e.g. in magic DNS). feel free to replace the variable with your own name choice.
	# for further --env flags check out https://github.com/tailscale/tailscale/blob/main/docs/k8s/run.sh
	# e.g. `--env TS_ROUTES=10.0.0.0/24` will advertise routing for the specified subnet.
	podman run -d \
	--rm \
	--name tailscaled \
	--hostname $HOSTNAME \
	--env TS_USERSPACE=false \
	--env TS_STATE_DIR=/var/lib/tailscale \
	--label "io.containers.autoupdate=registry" \
	--volume tailscaled-state:/var/lib/tailscale \
	--volume /lib/modules:/lib/modules:ro \
	--device /dev/net/tun \
	--network host \
	--privileged `#Highway To The Danger Zone! You could also try --cap-add net_admin,net_raw` \
	ghcr.io/guest42069/tailscale:latest
	(cd /etc/systemd/system && podman generate systemd --new --name --files tailscaled) && systemctl enable --now container-tailscaled
	# ... authenticate via provided link in the logs ...
	podman logs tailscaled
	# check the status or run other commands, note the custom socket path.
	podman exec tailscaled tailscale --socket=/tmp/tailscaled.sock status