refactor: drop PAM auth and require password for funnel

Peter Steinberger
2025-12-23 13:13:09 +00:00
parent cd6ed79433
commit c8c807adcc
22 changed files with 47 additions and 278 deletions


@@ -13,7 +13,7 @@ Tailscale provides HTTPS, routing, and (for Serve) identity headers.
## Modes
- `serve`: Tailnet-only HTTPS via `tailscale serve`. The gateway stays on `127.0.0.1`.
- `funnel`: Public HTTPS via `tailscale funnel`. Requires auth.
- `funnel`: Public HTTPS via `tailscale funnel`. Requires a shared password.
- `off`: Default (no Tailscale automation).
## Auth
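Review bot: the new `funnel` bullet says "Requires a shared password" but not how that password is configured; since the Auth section below lists `password` as a distinct `gateway.auth.mode`, suggest stating it inline, e.g. "Requires a shared password (`gateway.auth.mode: "password"`, see Auth)", so the mode list and the auth list agree on the vocabulary.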
@@ -22,10 +22,9 @@ Set `gateway.auth.mode` to control the handshake:
- `token` (default when `CLAWDIS_GATEWAY_TOKEN` is set)
- `password` (shared secret via `CLAWDIS_GATEWAY_PASSWORD` or config)
- `system` (PAM, validates your OS password)
When `tailscale.mode = "serve"`, the gateway trusts Tailscale identity headers by
default unless you force `gateway.auth.mode` to `password`/`system` or set
default unless you force `gateway.auth.mode` to `password` or set
`gateway.auth.allowTailscale: false`.
## Config examples
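Review bot: removing the `system` (PAM) bullet leaves no migration guidance for existing configs that still set `gateway.auth.mode: "system"`; the section should say whether the gateway rejects that value at startup or silently falls back to another mode. With only `token` and `password` left, the `token` bullet ("default when `CLAWDIS_GATEWAY_TOKEN` is set") should also state what applies when that variable is unset.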
@@ -43,20 +42,6 @@ default unless you force `gateway.auth.mode` to `password`/`system` or set
Open: `https://<magicdns>/ui/`
### Public internet (Funnel + system password)
```json5
{
gateway: {
bind: "loopback",
tailscale: { mode: "funnel" },
auth: { mode: "system" }
}
}
```
Open: `https://<magicdns>/ui/` (public)
### Public internet (Funnel + shared password)
```json5
@@ -75,13 +60,12 @@ Prefer `CLAWDIS_GATEWAY_PASSWORD` over committing a password to disk.
```bash
clawdis gateway --tailscale serve
clawdis gateway --tailscale funnel --auth system
clawdis gateway --tailscale funnel --auth password
```
## Notes
- Tailscale Serve/Funnel requires the `tailscale` CLI to be installed and logged in.
- System auth uses the optional `authenticate-pam` native module; install if missing.
- `tailscale.mode: "funnel"` refuses to start without auth to avoid public exposure.
- `tailscale.mode: "funnel"` refuses to start unless auth mode is `password` to avoid public exposure.
- Set `gateway.tailscale.resetOnExit` if you want Clawdis to undo `tailscale serve`
or `tailscale funnel` configuration on shutdown.
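Review bot: the reworded note "refuses to start unless auth mode is `password`" should also spell out how this interacts with `gateway.auth.allowTailscale`, since the Auth section describes identity-header trust only for `serve`; stating explicitly that Tailscale identity headers are not honoured under `funnel` (public traffic) removes the ambiguity. Separately, the CLI example `clawdis gateway --tailscale funnel --auth password` shows no password source; given the context line "Prefer `CLAWDIS_GATEWAY_PASSWORD` over committing a password to disk", prefix the example with `CLAWDIS_GATEWAY_PASSWORD=...` or mention it so readers do not reach for the config-file option first.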