Add Tailscale webui (#9)

This PR serves Tailscale's [web
interface](https://tailscale.com/kb/1325/device-web-interface) as part
of the device-admin app, to provide slightly more info about the
machine's Tailscale connectivity (useful for troubleshooting).

This work is tracked on Notion at
https://www.notion.so/Provide-a-GUI-for-inspecting-Tailscale-status-2884e612c78a80dca83ee33a9fbd39ae?source=copy_link

Author: ethanjli

go.mod

@@ -440,6 +440,7 @@ require (
 	github.com/stretchr/testify v1.11.1 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 // indirect
+	github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 // indirect
 	github.com/tetafro/godot v1.5.4 // indirect
 	github.com/theupdateframework/go-tuf v0.7.0 // indirect
 	github.com/theupdateframework/go-tuf/v2 v2.0.2 // indirect

go.sum

@@ -1191,6 +1191,8 @@ github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
+github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976 h1:UBPHPtv8+nEAy2PD8RyAhOYvau1ek0HDJqLS/Pysi14=
+github.com/tailscale/web-client-prebuilt v0.0.0-20250124233751-d4cd19a26976/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da h1:jVRUZPRs9sqyKlYHHzHjAqKN+6e/Vog6NpHYeNPJqOw=
 github.com/tailscale/wireguard-go v0.0.0-20250716170648-1d0488a3d7da/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
 github.com/tenntenn/modver v1.0.1 h1:2klLppGhDgzJrScMpkj9Ujy3rXPUspSjAcev9tSEBgA=

internal/app/deviceadmin/routes/remote/routes.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/netip"
+	"strings"
 
 	"github.com/labstack/echo/v4"
 	"github.com/pkg/errors"
@@ -26,10 +27,32 @@ func New(r godest.TemplateRenderer, tsc *ts.Client) *Handlers {
 	}
 }
 
-func (h *Handlers) Register(er godest.EchoRouter) {
+func (h *Handlers) Register(er godest.EchoRouter) error {
 	er.GET(h.r.BasePath+"remote", h.HandleRemoteGet())
 	// assistance
 	er.POST(h.r.BasePath+"remote/assistance", h.HandleAssistancePost())
+	// tailscale
+	tsws, err := h.tsc.InitWebServer(h.r.BasePath + "remote/tailscale")
+	if err != nil {
+		return err
+	}
+	er.GET(h.r.BasePath+"remote/tailscale/", echo.WrapHandler(tsws))
+	er.GET(h.r.BasePath+"remote/tailscale/*", echo.WrapHandler(tsws))
+	er.POST(h.r.BasePath+"remote/tailscale/*", echo.WrapHandler(tsws))
+	er.PATCH(h.r.BasePath+"remote/tailscale/*", echo.WrapHandler(tsws))
+	return nil
+}
+
+func (h *Handlers) TrailingSlashSkipper(c echo.Context) bool {
+	// Tailscale's web UI page assumes that the web page has a trailing slash for loading its JS and
+	// CSS assets from relative paths:
+	return c.Request().URL.Path == h.r.BasePath+"remote/tailscale/"
+}
+
+func (h *Handlers) GzipSkipper(c echo.Context) bool {
+	// We skip gzip for the Tailscale web GUI because its HTTP handler already does its own gzip
+	// compression, and HTTP clients assume that responses don't have two or more layers of gzipping:
+	return strings.HasPrefix(c.Request().URL.Path, h.r.BasePath+"remote/tailscale/")
 }
 
 type RemoteViewData struct {

internal/app/deviceadmin/routes/routes.go

@@ -2,6 +2,8 @@
 package routes
 
 import (
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
 	"github.com/sargassum-world/godest"
 
 	"github.com/openUC2/device-admin/internal/app/deviceadmin/client"
@@ -16,6 +18,8 @@ import (
 type Handlers struct {
 	r       godest.TemplateRenderer
 	globals *client.Globals
+
+	remote *remote.Handlers
 }
 
 func New(r godest.TemplateRenderer, globals *client.Globals) *Handlers {
@@ -25,12 +29,24 @@ func New(r godest.TemplateRenderer, globals *client.Globals) *Handlers {
 	}
 }
 
-func (h *Handlers) Register(er godest.EchoRouter, em godest.Embeds) {
+func (h *Handlers) Register(er godest.EchoRouter, em godest.Embeds) error {
 	assets.RegisterStatic(h.r.BasePath, er, em)
 	assets.NewTemplated(h.r).Register(er)
 	home.New(h.r).Register(er)
 	identity.New(h.r).Register(er)
 	internet.New(h.r, h.globals.NetworkManager).Register(er)
-	remote.New(h.r, h.globals.Tailscale).Register(er)
+	h.remote = remote.New(h.r, h.globals.Tailscale)
+	if err := h.remote.Register(er); err != nil {
+		return errors.Wrap(err, "couldn't register handlers for remote routes")
+	}
 	osconfig.New(h.r).Register(er)
+	return nil
+}
+
+func (h *Handlers) TrailingSlashSkipper(c echo.Context) bool {
+	return h.remote.TrailingSlashSkipper(c)
+}
+
+func (h *Handlers) GzipSkipper(c echo.Context) bool {
+	return h.remote.GzipSkipper(c)
 }

internal/app/deviceadmin/server.go

@@ -92,14 +92,20 @@ func (s *Server) configureHeaders(e *echo.Echo) error {
 	cspBuilder := cspbuilder.Builder{
 		Directives: map[string][]string{
 			cspbuilder.DefaultSrc: {"'self'"},
-			cspbuilder.ScriptSrc: append(
-				// Warning: script-src 'self' may not be safe to use if we're hosting user-uploaded content.
-				// Then we'll need to provide hashes for scripts & styles we include by URL, and we'll need
-				// to add the SRI integrity attribute to the tags including those files; however, it's
-				// unclear how well-supported they are by browsers.
-				[]string{"'self'", "'unsafe-inline'"},
-				s.Inlines.ComputeJSHashesForCSP()...,
-			),
+			// Note: the following is needed for the Tailscale web GUI to check device status (but the GUI
+			// still works without this permission, it just doesn't report device status):
+			cspbuilder.ConnectSrc: {"*"},
+			// Note: script-src "unsafe-inline" (which is ignored if we provide one or more hashes for
+			// CSP) is needed by the Tailscale web GUI:
+			cspbuilder.ScriptSrc: {"'self'", "'unsafe-inline'"},
+			// cspbuilder.ScriptSrc: append(
+			// 	// Warning: script-src 'self' may not be safe to use if we're hosting user-uploaded content.
+			// 	// Then we'll need to provide hashes for scripts & styles we include by URL, and we'll need
+			// 	// to add the SRI integrity attribute to the tags including those files; however, it's
+			// 	// unclear how well-supported they are by browsers.
+			// 	[]string{"'self'", "'unsafe-inline'"},
+			// 	s.Inlines.ComputeJSHashesForCSP()...,
+			// ),
 			cspbuilder.StyleSrc: append(
 				[]string{
 					"'self'",
@@ -108,9 +114,10 @@ func (s *Server) configureHeaders(e *echo.Echo) error {
 				},
 				s.Inlines.ComputeCSSHashesForCSP()...,
 			),
-			cspbuilder.ObjectSrc:      {"'none'"},
-			cspbuilder.ChildSrc:       {"'self'"},
-			cspbuilder.ImgSrc:         {"*"},
+			cspbuilder.ObjectSrc: {"'none'"},
+			cspbuilder.ChildSrc:  {"'self'"},
+			// Note: img-src with scheme "data:" is needed by the Tailscale web GUI:
+			cspbuilder.ImgSrc:         {"*", "data:"},
 			cspbuilder.BaseURI:        {"'none'"},
 			cspbuilder.FormAction:     {"'self'"},
 			cspbuilder.FrameAncestors: {"'none'"},
@@ -145,17 +152,23 @@ func (s *Server) Register(e *echo.Echo) error {
 	// Compression Middleware
 	e.Use(middleware.Decompress())
 	e.Use(middleware.GzipWithConfig(middleware.GzipConfig{
-		Level: s.Globals.Config.HTTP.GzipLevel,
+		Level:   s.Globals.Config.HTTP.GzipLevel,
+		Skipper: s.Handlers.GzipSkipper,
 	}))
 
 	// Other Middleware
-	e.Pre(middleware.RemoveTrailingSlash())
-	e.Use(gmw.RequireContentTypes(echo.MIMEApplicationForm))
+	e.Pre(middleware.RemoveTrailingSlashWithConfig(middleware.TrailingSlashConfig{
+		Skipper: s.Handlers.TrailingSlashSkipper,
+	}))
+	// application/JSON is needed by the Tailscale web GUI:
+	e.Use(gmw.RequireContentTypes(echo.MIMEApplicationForm, echo.MIMEApplicationJSON))
 	// TODO: enable Prometheus and rate-limiting
 
 	// Handlers
 	e.HTTPErrorHandler = NewHTTPErrorHandler(s.Renderer, s.Embeds.TemplatesFS)
-	s.Handlers.Register(e, s.Embeds)
+	if err := s.Handlers.Register(e, s.Embeds); err != nil {
+		return errors.Wrap(err, "couldn't register HTTP route handlers")
+	}
 
 	return nil
 }
@@ -185,6 +198,7 @@ func (s *Server) Shutdown(ctx context.Context, e *echo.Echo) (err error) {
 	// FIXME: e.Shutdown calls e.Server.Shutdown, which doesn't wait for WebSocket connections. When
 	// starting Echo, we need to call e.Server.RegisterOnShutdown with a function to gracefully close
 	// WebSocket connections!
+	s.Globals.Tailscale.Shutdown()
 	if errEcho := e.Shutdown(ctx); errEcho != nil {
 		s.Globals.Base.Logger.Error(errors.Wrap(errEcho, "couldn't shut down http server"))
 		err = errEcho

internal/clients/tailscale/client.go

@@ -8,15 +8,17 @@ import (
 	"github.com/pkg/errors"
 	"github.com/sargassum-world/godest"
 	tcl "tailscale.com/client/local"
+	tsw "tailscale.com/client/web"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 )
 
 type Client struct {
 	Config Config
 
-	ts *tcl.Client
-	l  godest.Logger
+	ts   *tcl.Client
+	tsws *tsw.Server
+	l    godest.Logger
 }
 
 func NewClient(c Config, l godest.Logger) *Client {
@@ -28,6 +30,25 @@ func NewClient(c Config, l godest.Logger) *Client {
 	}
 }
 
+func (c *Client) InitWebServer(basePath string) (tsws *tsw.Server, err error) {
+	if c.tsws, err = tsw.NewServer(tsw.ServerOpts{
+		Mode:        tsw.LoginServerMode,
+		CGIMode:     true,
+		PathPrefix:  basePath,
+		LocalClient: c.ts,
+		Logf:        c.l.Printf,
+	}); err != nil {
+		return nil, errors.Wrap(err, "couldn't initialize server for Tailscale web GUI")
+	}
+	return c.tsws, nil
+}
+
+func (c *Client) Shutdown() {
+	if c.tsws != nil {
+		c.tsws.Shutdown()
+	}
+}
+
 func (c *Client) Provision(ctx context.Context, deviceAuthKey string) error {
 	prefs, err := c.ts.GetPrefs(ctx)
 	if err != nil {

web/templates/internet/external-network-form.partial.tmpl

@@ -1,5 +1,4 @@
 {{$connProfile := (get . "ConnProfile")}}
-{{$availableSSIDs := (get . "AvailableSSIDs")}}
 {{$Meta := (get . "Meta")}}
 
 {{$conn := $connProfile.Settings.Conn}}
@@ -27,16 +26,6 @@
         required
         size=30
       >
-      <turbo-frame id="{{$Meta.BasePath}}internet/devices/wlan0/access-points">
-        <datalist id="{{$Meta.BasePath}}internet/devices/wlan0/access-points/list">
-          {{range $ssid := $availableSSIDs}}
-            {{if not $ssid}}
-              {{continue}}
-            {{end}}
-            <option value="{{$ssid}}"></option>
-          {{end}}
-        </datalist>
-      </turbo-frame>
     </div>
   </div>
 

web/templates/internet/index.page.tmpl

@@ -14,7 +14,7 @@
 
     <section class="section content">
       <h1>Internet Access</h1>
-      <p>TODO: display an overview of internet connectivity from NetworkManager</p>
+      <!-- <p>TODO: display an overview of internet connectivity from NetworkManager</p> -->
       <article class="message is-info two-card-width">
         <div class="message-body">
           This is a simplified view of your internet settings. If you're an experienced Linux system
@@ -52,14 +52,16 @@
             "Use external network now" button further down this page.
           </div>
         </article>
-        <p>
-          TODO: we could simplify this behavior by making a system service which checks whether the
-          wlan0-internet profile's autoconnect behavior is enabled and, if so, deactivates
-          wlan0-hotspot and activates wlan0-internet instead whenever the wlan0-internet's network
-          is within range. This would effectively be a "always automatically try to connect"
-          behavior, instead of the "autoconnect only during boot" behavior which we currently have
-          with NetworkManager.
-        </p>
+        <!--
+          <p>
+            TODO: simplify this behavior by making a system service which checks whether the
+            wlan0-internet profile's autoconnect behavior is enabled and, if so, deactivate
+            wlan0-hotspot and activate wlan0-internet instead whenever the wlan0-internet's network
+            is within range. This would effectively be a "always automatically try to connect"
+            behavior, instead of the "autoconnect only during boot" behavior which we currently have
+            with NetworkManager.
+          </p>
+        -->
         <div class="card section-card">
           <div class="card-content">
             <turbo-frame id="{{.Meta.BasePath}}internet/devices/wlan0/access-points">
@@ -72,10 +74,6 @@
                 data-turbo-frame="{{.Meta.BasePath}}internet/devices/wlan0/access-points"
                 class="is-inline-block mb-3"
               >
-                <!--
-                  FIXME: for some reason data-turbo-frame isn't working correctly. Maybe we can
-                  instead use Turbo Streams to update the list of networks instead?
-                -->
                 <input type="hidden" name="state" value="refreshed">
                 <input type="hidden" name="redirect-target" value="{{.Meta.Path}}">
                 <div class="field">
@@ -89,13 +87,20 @@
                   </div>
                 </div>
               </form>
-              {{
-                template "internet/external-network-form.partial.tmpl" dict
-                "ConnProfile" .Data.Wlan0InternetConnProfile
-                "AvailableSSIDs" .Data.AvailableSSIDs
-                "Meta" .Meta
-              }}
+              <datalist id="{{.Meta.BasePath}}internet/devices/wlan0/access-points/list">
+                {{range $ssid := .Data.AvailableSSIDs}}
+                  {{if not $ssid}}
+                    {{continue}}
+                  {{end}}
+                  <option value="{{$ssid}}"></option>
+                {{end}}
+              </datalist>
             </turbo-frame>
+            {{
+              template "internet/external-network-form.partial.tmpl" dict
+              "ConnProfile" .Data.Wlan0InternetConnProfile
+              "Meta" .Meta
+            }}
           </div>
         </div>