Merge pull request #24 from buildkite/codex/tailscale-services-listen

feat(server): add Tailscale Services listen mode

Author: lox

README.md

@@ -56,6 +56,19 @@ Then connect with:
 cleanroom exec --host http://cleanroom.tailnet.ts.net:7777 -c /path/to/repo -- "npm test"
 ```
 
+To expose the API as a Tailscale Service using the local `tailscaled` daemon:
+
+```bash
+cleanroom serve --listen tssvc://cleanroom
+```
+
+This configures `svc:cleanroom` with HTTPS on port 443 and advertises the
+service from this host. Connect from another tailnet device with:
+
+```bash
+cleanroom exec --host https://cleanroom.<your-tailnet>.ts.net -- "npm test"
+```
+
 ### 3) Launch -> Run -> Terminate via API
 
 ```bash

internal/cli/cli.go

@@ -80,7 +80,7 @@ type ConsoleCommand struct {
 }
 
 type ServeCommand struct {
-	Listen   string `help:"Listen endpoint for control API (defaults to runtime endpoint; supports tsnet://hostname[:port])"`
+	Listen   string `help:"Listen endpoint for control API (defaults to runtime endpoint; supports tsnet://hostname[:port] and tssvc://service[:local-port])"`
 	LogLevel string `help:"Server log level (debug|info|warn|error)"`
 }
 
@@ -205,6 +205,9 @@ func (e *ExecCommand) Run(ctx *runtimeContext) error {
 	if err != nil {
 		return err
 	}
+	if err := validateClientEndpoint(ep); err != nil {
+		return err
+	}
 	var cwd string
 	if ep.Scheme != "unix" {
 		if e.Chdir == "" {
@@ -410,6 +413,9 @@ func (c *ConsoleCommand) Run(ctx *runtimeContext) error {
 	if err != nil {
 		return err
 	}
+	if err := validateClientEndpoint(ep); err != nil {
+		return err
+	}
 	var cwd string
 	if ep.Scheme != "unix" {
 		if c.Chdir == "" {
@@ -728,6 +734,13 @@ func resolveBackendName(requested, configuredDefault string) string {
 	return "firecracker"
 }
 
+func validateClientEndpoint(ep endpoint.Endpoint) error {
+	if ep.Scheme != "tssvc" {
+		return nil
+	}
+	return errors.New("tssvc:// endpoints are listen-only; use https://<service>.<your-tailnet>.ts.net for --host")
+}
+
 func mergeFirecrackerConfig(cwd string, e *ExecCommand, cfg runtimeconfig.Config) backend.FirecrackerConfig {
 	out := backend.FirecrackerConfig{
 		BinaryPath:      cfg.Backends.Firecracker.BinaryPath,

internal/cli/console_integration_test.go

@@ -203,3 +203,20 @@ func TestConsoleIntegrationInterruptCancelsExecution(t *testing.T) {
 		t.Fatalf("unexpected console exit code: got %d want %d (err=%v)", got, want, outcome.err)
 	}
 }
+
+func TestConsoleRejectsTailscaleServiceListenEndpointAsHost(t *testing.T) {
+	outcome := runConsoleWithCapture(ConsoleCommand{
+		Host: "tssvc://cleanroom",
+	}, "", runtimeContext{
+		CWD: t.TempDir(),
+	})
+	if outcome.cause != nil {
+		t.Fatalf("capture failure: %v", outcome.cause)
+	}
+	if outcome.err == nil {
+		t.Fatal("expected host validation error")
+	}
+	if !strings.Contains(outcome.err.Error(), "listen-only") {
+		t.Fatalf("expected listen-only host error, got %v", outcome.err)
+	}
+}

internal/cli/exec_integration_test.go

@@ -442,3 +442,21 @@ func TestParseSandboxID(t *testing.T) {
 		t.Fatalf("expected empty sandbox id for invalid input, got %q", got)
 	}
 }
+
+func TestExecRejectsTailscaleServiceListenEndpointAsHost(t *testing.T) {
+	outcome := runExecWithCapture(ExecCommand{
+		Host:    "tssvc://cleanroom",
+		Command: []string{"echo", "hi"},
+	}, runtimeContext{
+		CWD: t.TempDir(),
+	})
+	if outcome.cause != nil {
+		t.Fatalf("capture failure: %v", outcome.cause)
+	}
+	if outcome.err == nil {
+		t.Fatal("expected host validation error")
+	}
+	if !strings.Contains(outcome.err.Error(), "listen-only") {
+		t.Fatalf("expected listen-only host error, got %v", outcome.err)
+	}
+}

internal/controlserver/server.go

@@ -40,10 +40,25 @@ type tsnetServer interface {
 	Close() error
 }
 
-var newTSNetServer = func(ep endpoint.Endpoint, stateDir string) tsnetServer {
+var newTSNetServer = func(ep endpoint.Endpoint, stateDir string, tsLogf func(format string, args ...any)) tsnetServer {
 	return &tsnet.Server{
 		Dir:      stateDir,
 		Hostname: ep.TSNetHostname,
+		Logf:     tsLogf,
+	}
+}
+
+func tsnetLogf(logger *log.Logger) func(format string, args ...any) {
+	if logger == nil {
+		return nil
+	}
+	tsLogger := logger.With("subsystem", "tsnet")
+	return func(format string, args ...any) {
+		msg := strings.TrimSpace(fmt.Sprintf(format, args...))
+		if msg == "" {
+			return
+		}
+		tsLogger.Debug(msg)
 	}
 }
 
@@ -606,7 +621,7 @@ func (s *Server) handleTerminateCleanroom(w http.ResponseWriter, r *http.Request
 }
 
 func Serve(ctx context.Context, ep endpoint.Endpoint, handler http.Handler, logger *log.Logger) error {
-	listener, cleanup, err := listen(ep)
+	listener, cleanup, err := listen(ep, logger)
 	if err != nil {
 		return err
 	}
@@ -653,7 +668,7 @@ func Serve(ctx context.Context, ep endpoint.Endpoint, handler http.Handler, logg
 	}
 }
 
-func listen(ep endpoint.Endpoint) (net.Listener, func() error, error) {
+func listen(ep endpoint.Endpoint, logger *log.Logger) (net.Listener, func() error, error) {
 	if ep.Scheme == "unix" {
 		if err := os.MkdirAll(filepath.Dir(ep.Address), 0o755); err != nil {
 			return nil, nil, err
@@ -680,7 +695,7 @@ func listen(ep endpoint.Endpoint) (net.Listener, func() error, error) {
 		if err := os.MkdirAll(stateDir, 0o700); err != nil {
 			return nil, nil, fmt.Errorf("create tsnet state directory: %w", err)
 		}
-		server := newTSNetServer(ep, stateDir)
+		server := newTSNetServer(ep, stateDir, tsnetLogf(logger))
 		listener, err := server.Listen("tcp", ep.Address)
 		if err != nil {
 			_ = server.Close()
@@ -689,6 +704,20 @@ func listen(ep endpoint.Endpoint) (net.Listener, func() error, error) {
 		return listener, server.Close, nil
 	}
 
+	if ep.Scheme == "tssvc" {
+		listener, err := net.Listen("tcp", ep.Address)
+		if err != nil {
+			return nil, nil, fmt.Errorf("start tailscale service listener for %q: %w", ep.Address, err)
+		}
+		setupCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		defer cancel()
+		if err := configureTailscaleService(setupCtx, ep, listener.Addr().String()); err != nil {
+			_ = listener.Close()
+			return nil, nil, err
+		}
+		return listener, nil, nil
+	}
+
 	if ep.Scheme == "https" {
 		return nil, nil, errors.New("https listen endpoints are not supported yet: TLS configuration is not implemented")
 	}