Enable Tailscale's builtin inbound HTTPS proxy

tailscale/DOCS.md

@@ -62,6 +62,7 @@ tags:
   - tag:example
   - tag:homeassistant
 taildrop: true
+proxy: true
 ```
 
 ### Option: `advertise_exit_node`
@@ -121,6 +122,49 @@ When not set, this option is enabled by default.
 
 Received files are stored in the `/share/taildrop` directory.
 
+### Option: `proxy`
+
+When not set, this option is enabled by default.
+
+Tailscale can provide a TLS certificate for your Home Assistant instance within
+your tailnet domain.
+
+This can prevent browsers from warning that HTTP URLs to your Home Assistant instance
+look unencrypted (browsers are not aware of the connections between Tailscale
+nodes are secured with end-to-end encryption).
+
+More information: [Enabling HTTPS][tailscale_info_https]
+
+1. Configure Home Assistant to be accessible through an HTTP connection (this is
+   the default). See [HTTP integration documentation][http_integration] for more
+   information. If you still want to use another HTTPS connection to access Home
+   Assistant, please use a reverse proxy add-on.
+
+1. Home Assistant, by default, blocks requests from reverse proxies, like the
+   Tailscale Proxy. To enable it, add the following lines to your
+   `configuration.yaml`, without changing anything:
+
+   ```yaml
+   http:
+     use_x_forwarded_for: true
+     trusted_proxies:
+       - 127.0.0.1
+   ```
+
+1. Navigate to the [DNS page][tailscale_dns] of the admin console:
+
+   - Choose a Tailnet name.
+
+   - Enable MagicDNS if not already enabled.
+
+   - Under HTTPS Certificates section, click Enable HTTPS.
+
+1. Restart the add-on.
+
+**Note:** _You should not use any port number in the URL that you used
+previously to access Home Assistant. Tailscale Proxy works on the default HTTPS
+port 443._
+
 ## Changelog & Releases
 
 This repository keeps a change log using [GitHub's releases][releases]
@@ -188,9 +232,12 @@ SOFTWARE.
 [forum]: https://community.home-assistant.io/?u=frenck
 [frenck]: https://github.com/frenck
 [headscale]: https://github.com/juanfont/headscale
+[http_integration]: https://www.home-assistant.io/integrations/http/
 [issue]: https://github.com/hassio-addons/addon-tailscale/issues
 [reddit]: https://reddit.com/r/homeassistant
 [releases]: https://github.com/hassio-addons/addon-tailscale/releases
 [semver]: https://semver.org/spec/v2.0.0.html
 [taildrop]: https://tailscale.com/taildrop/
+[tailscale_dns]: https://login.tailscale.com/admin/dns
+[tailscale_info_https]: https://tailscale.com/kb/1153/enabling-https/
 [tailscale_info_key_expiry]: https://tailscale.com/kb/1028/key-expiry/

tailscale/config.yaml

@@ -33,3 +33,4 @@ schema:
   login_server: url?
   tags: ["match(^tag:[a-zA-Z0-9]-?[a-zA-Z0-9]+$)?"]
   taildrop: bool?
+  proxy: bool?

tailscale/rootfs/etc/s6-overlay/s6-rc.d/proxy/run

@@ -0,0 +1,45 @@
+#!/command/with-contenv bashio
+# shellcheck shell=bash
+# ==============================================================================
+# Home Assistant Community Add-on: Tailscale
+# Enables Tailscale Proxy feature
+# ==============================================================================
+
+declare domain
+
+# Wait for the network to be available and logged in
+while ! bashio::fs.socket_exists "/var/run/tailscale/tailscaled.sock" || \
+  ! /opt/tailscale status --json --peers=false --self=false \
+    | jq --exit-status '.BackendState == "Running"' > /dev/null
+do
+  sleep 2
+done
+
+# Check if Tailscale HTTPS is enabled
+if ! /opt/tailscale status --self=true --peers=false --json \
+  | jq -rce ".CertDomains[0]" > /dev/null;
+then
+  bashio::log.notice "Tailscale's HTTPS support is disabled, therefore add-on's Tailscale Proxy functionality is disabled"
+  bashio::exit.ok
+fi
+
+domain=$(/opt/tailscale status --self=true --peers=false --json | jq -rc ".CertDomains[0]")
+
+# Checking if SSL is used
+if bashio::var.true "$(bashio::core.ssl)"; then
+  bashio::log.error "Tailscale's HTTPS support is enabled, but Home Assistant is not accessible through plain HTTP connection"
+  bashio::exit.nok
+fi
+
+# Set up proxy
+# Note: Configuration is persistent between reboots, though configuring the same value won't cause duplicate entries,
+#       but will overwite previous entry if core.port has been changed
+# Note: If a tailnet node is renamed, there will be deprecated entries in status json under .Web.<different-domain:443>,
+#       those can't be removed, no command for that situation currently
+if ! /opt/tailscale serve https:443 / "http://127.0.0.1:$(bashio::core.port)"; then
+  bashio::log.error "Unable to configure Tailscale Proxy"
+  bashio::exit.nok
+fi
+bashio::log.info "Tailscale Proxy is enabled:"
+bashio::log.info "  Your Home Assistant instance is available within your Tailnet VPN at"
+bashio::log.info "  https://${domain}"

tailscale/rootfs/etc/s6-overlay/s6-rc.d/proxy/type

@@ -0,0 +1 @@
+oneshot

tailscale/rootfs/etc/s6-overlay/s6-rc.d/proxy/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/proxy/run

tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh

@@ -9,3 +9,8 @@
 if bashio::config.false 'taildrop'; then
     rm /etc/s6-overlay/s6-rc.d/user/contents.d/taildrop
 fi
+
+# Disable proxy service when it is has been explicitly disabled
+if bashio::config.false 'proxy'; then
+    rm /etc/s6-overlay/s6-rc.d/user/contents.d/proxy
+fi

tailscale/translations/en.yaml

@@ -35,3 +35,9 @@ configuration:
       This option allows you to enable Taildrop, a file sharing service
       that allows you to share files with other Tailscale nodes.
       When not set, this option is enabled by default.
+  proxy:
+    name: Tailscale Proxy
+    description: >-
+      This option allows you to enable Tailscale's Proxy feature to present your
+      Home Assistant instance on your tailnet with a valid certificate.
+      When not set, this option is enabled by default.