{"id":13581881,"url":"https://github.com/function61/tailscale-discovery","last_synced_at":"2025-04-09T17:14:53.260Z","repository":{"id":52149517,"uuid":"432240007","full_name":"function61/tailscale-discovery","owner":"function61","description":"An readonly API that returns only hostnames and IP addresses for the devices.","archived":false,"fork":false,"pushed_at":"2024-09-16T08:30:41.000Z","size":61,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-04-09T17:14:41.305Z","etag":null,"topics":["tailscale","tailscale-control-server"],"latest_commit_sha":null,"homepage":"https://function61.com/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/function61.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-11-26T16:28:39.000Z","updated_at":"2025-03-18T12:50:49.000Z","dependencies_parsed_at":"2024-11-05T21:33:42.032Z","dependency_job_id":null,"html_url":"https://github.com/function61/tailscale-discovery","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/function61%2Ftailscale-discovery","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/function61%2Ftailscale-discovery/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/function61%2Ftailscale-discovery/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/function61%2Ftailscale-discove
ry/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/function61","download_url":"https://codeload.github.com/function61/tailscale-discovery/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248074923,"owners_count":21043490,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["tailscale","tailscale-control-server"],"created_at":"2024-08-01T15:02:17.694Z","updated_at":"2025-04-09T17:14:53.237Z","avatar_url":"https://github.com/function61.png","language":"Go","funding_links":[],"categories":["Go"],"sub_categories":[],"readme":"![Build status](https://github.com/function61/tailscale-discovery/workflows/Build/badge.svg)\n\nTailscale discovery\n\nRuns on AWS Lambda as a read-only API that returns only hostnames and IP addresses for the devices.\n\n\nWhy?\n----\n\nCurrently Tailscale's API token gives ultimate root access to your network. It even allows configuring\nsubnet routers on your devices, so an attacker who gains access to the API key could expose\nany internal networks the Tailscale devices are connected to.\n\nI just want to do device discovery with a read-only auth token that exposes a subset of device data.\nThis way, if the token gets exposed, it is not a big deal.\n\n\nUsage\n-----\n\n- Create an API key in Tailscale and set it as the ENV var `TAILSCALE_API_KEY`\n- Set your [tailnet ID](https://github.com/tailscale/tailscale/blob/main/api.md#tailnet) as `TAILSCALE_TAILNET`\n\nServe this Lambda function from Lambda. 
It is assumed that you have a reverse proxy in front of it\nthat implements your authorization (even though this is not very sensitive data).\n\n\nKeeping the Tailscale API key updated in Lambda\n-----------------------------------------------\n\nThere is a CLI command which updates the API key (stored as a Lambda ENV variable).\n\nThis will soon be hooked up to CloudWatch scheduled events so that it happens automatically. TODO tasks:\n\n- [ ] Automatically request a new API key from the Tailscale control panel (before the old one has expired)\n\nIt is a good idea to use this IAM policy for your CLI session (or Lambda handler) to limit the AWS\naccess keys' power to only update config of this specific function. Here's the inline policy:\n\n```json\n{\n    \"Version\": \"2012-10-17\",\n    \"Statement\": [\n        {\n            \"Effect\": \"Allow\",\n            \"Action\": \"lambda:UpdateFunctionConfiguration\",\n            \"Resource\": \"arn:aws:lambda:*:*:function:WebTailscaleDiscovery\"\n        }\n    ]\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffunction61%2Ftailscale-discovery","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffunction61%2Ftailscale-discovery","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffunction61%2Ftailscale-discovery/lists"}