| summary | read_when |
|---|---|
| Integrated Tailscale Serve/Funnel for the Gateway dashboard | |
Tailscale (Gateway dashboard)
Clawdis can auto-configure Tailscale Serve (tailnet) or Funnel (public) for the Gateway dashboard and WebSocket port. This keeps the Gateway bound to loopback while Tailscale provides HTTPS, routing, and (for Serve) identity headers.
Modes
- serve: Tailnet-only HTTPS via tailscale serve. The gateway stays on 127.0.0.1.
- funnel: Public HTTPS via tailscale funnel. Requires auth.
- off: Default (no Tailscale automation).
Auth
Set gateway.auth.mode to control the handshake:
- token (default when CLAWDIS_GATEWAY_TOKEN is set)
- password (shared secret via CLAWDIS_GATEWAY_PASSWORD or config)
- system (PAM, validates your OS password)
When tailscale.mode = "serve", the gateway trusts Tailscale identity headers by
default unless you force gateway.auth.mode to password/system or set
gateway.auth.allowTailscale: false.
Config examples
Tailnet-only (Serve)
{
  gateway: {
    bind: "loopback",
    tailscale: { mode: "serve" }
  }
}
Open: https://<magicdns>/ui/
Public internet (Funnel + system password)
{
  gateway: {
    bind: "loopback",
    tailscale: { mode: "funnel" },
    auth: { mode: "system" }
  }
}
Open: https://<magicdns>/ui/ (public)
Public internet (Funnel + shared password)
{
  gateway: {
    bind: "loopback",
    tailscale: { mode: "funnel" },
    auth: { mode: "password", password: "replace-me" }
  }
}
Prefer CLAWDIS_GATEWAY_PASSWORD over committing a password to disk.
CLI examples
clawdis gateway --tailscale serve
clawdis gateway --tailscale funnel --auth system
Notes
- Tailscale Serve/Funnel requires the tailscale CLI to be installed and logged in.
- System auth uses the optional authenticate-pam native module; install if missing.
- tailscale.mode: "funnel" refuses to start without auth to avoid public exposure.
- Set gateway.tailscale.resetOnExit if you want Clawdis to undo tailscale serve or tailscale funnel configuration on shutdown.
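
The rules from the Auth section and the notes above can be checked against a config before deploying it. The following is an added example, not Clawdis code: auditGatewayConfig and its finding levels are hypothetical, and the way it resolves the effective auth mode (explicit gateway.auth.mode first, then the token default) and treats a non-loopback bind are assumptions based on this page.

```javascript
// Added example: hypothetical pre-deploy audit of a Clawdis gateway config.
// The rules encode this page's statements; how Clawdis resolves them
// internally is an assumption.
function auditGatewayConfig(config, env = {}) {
  const gw = config.gateway || {};
  const tsMode = (gw.tailscale && gw.tailscale.mode) || "off";
  const auth = gw.auth || {};
  const findings = [];
  const add = (level, msg) => findings.push({ level, msg });

  // Effective auth mode: an explicit setting wins; token is the default
  // when CLAWDIS_GATEWAY_TOKEN is set (Auth section).
  const mode = auth.mode || (env.CLAWDIS_GATEWAY_TOKEN ? "token" : null);

  // Assumption: an explicit non-loopback bind defeats the "gateway stays
  // on 127.0.0.1" design that Serve/Funnel rely on.
  if (tsMode !== "off" && gw.bind && gw.bind !== "loopback") {
    add("warn", "tailscale mode set but bind is not loopback");
  }
  if (tsMode === "funnel" && !mode) {
    add("error", "funnel is public and no auth is configured");
  }
  if (mode === "password") {
    if (auth.password) {
      add("warn", "password stored in config; prefer CLAWDIS_GATEWAY_PASSWORD");
    } else if (!env.CLAWDIS_GATEWAY_PASSWORD) {
      add("error", "password auth selected but no password supplied");
    }
  }
  // Serve trusts Tailscale identity headers unless auth is forced to
  // password/system or allowTailscale is false.
  const forced = auth.mode === "password" || auth.mode === "system";
  if (tsMode === "serve" && !forced && auth.allowTailscale !== false) {
    add("info", "Tailscale identity headers are accepted as authentication");
  }
  return findings;
}

// Constructed sample configs: the page's three examples plus one bad case.
const samples = {
  serve: { gateway: { bind: "loopback", tailscale: { mode: "serve" } } },
  funnelSystem: { gateway: { bind: "loopback", tailscale: { mode: "funnel" }, auth: { mode: "system" } } },
  funnelPassword: { gateway: { bind: "loopback", tailscale: { mode: "funnel" }, auth: { mode: "password", password: "replace-me" } } },
  funnelNoAuth: { gateway: { bind: "loopback", tailscale: { mode: "funnel" } } },
};
for (const [name, cfg] of Object.entries(samples)) {
  console.log(name, JSON.stringify(auditGatewayConfig(cfg)));
}
```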