how I run Tailscale on an immutable Linux system

GNOME OS, to be specific. There is no package manager here, and I don’t understand how to build sysexts, so this is my solution.

You can install Tailscale without touching any files outside your home directory. This is how I did it, and it’s been serving me well for a few months.

(Instructions for systemd.)

Create systemd unit

We’re going to run tailscaled as a user service, so create a file called tailscaled.service in ~/.config/systemd/user/ with the following contents:

[Unit]
Description=Tailscale node agent -- modified to run as user service
Documentation=https://tailscale.com/kb/
After=network-online.target
Wants=network-online.target

[Service]
Type=notify
Restart=on-failure

# TODO: don't hardcode .local/bin, use $XDG_BIN_HOME
# problem: that's not set on most systems, and systemd env var
# expansion doesn't support default values
# -tun=userspace-networking: no TUN device is created, so no root or
# CAP_NET_ADMIN is needed; state and socket live in the directories
# systemd allocates for this unit below
ExecStart=%h/.local/bin/tailscaled --state=${STATE_DIRECTORY}/tailscaled.state --socket=${RUNTIME_DIRECTORY}/tailscaled.sock -tun=userspace-networking --port=41641
ExecStopPost=%h/.local/bin/tailscaled --cleanup

# allocate directories under xdg paths
RuntimeDirectory=tailscale
RuntimeDirectoryMode=0755
# tailscaled.state holds the node's private keys, so keep it owner-only
StateDirectory=tailscale
StateDirectoryMode=0700
CacheDirectory=tailscale
CacheDirectoryMode=0750

[Install]
WantedBy=default.target

I wrote this based on the unit file Tailscale ships combined with some other unit files I saw online.

Install Tailscale binaries

Go to https://pkgs.tailscale.com/stable/#static to download the latest static binary builds of Tailscale. Extract the archive and place the tailscale and tailscaled binaries in ~/.local/bin/.

I wrote a script I use that does this and starts up the service (the systemd unit file needs to be created first):

#!/usr/bin/env bash
set -Eeuo pipefail

# work in a throwaway directory that is removed on exit, even on failure
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# ask the package index for the name of the current amd64 static tarball
# (the URL is quoted so the shell does not treat '?' as a glob)
tarball=$(curl -fsSL 'https://pkgs.tailscale.com/stable/?mode=json' | jq -r .Tarballs.amd64)

echo "Downloading Tailscale into $tmp"
# -f makes curl fail on HTTP errors instead of piping an error page into tar
curl -fsSL "https://pkgs.tailscale.com/stable/$tarball" | tar -xzC "$tmp"

# stop the running daemon before replacing its binary
systemctl --user stop tailscaled.service

tsdir=$(find "$tmp" -name 'tailscale_*' -type d | head -n1)
cp "$tsdir"/{tailscale,tailscaled} ~/.local/bin/

systemctl --user enable tailscaled.service
systemctl --user start  tailscaled.service
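As an added example (not the post's own script), here is a variant of the same install flow that checks the tarball against a published SHA-256 digest before anything is copied into ~/.local/bin, and then confirms that the service, its control socket and its state directory look the way the unit above intends. Two things in it are assumptions rather than facts taken from the post: that pkgs.tailscale.com serves a `<tarball>.sha256` file next to each tarball (confirm that in the directory listing before relying on it), and that StateDirectory= for a user unit resolves to $XDG_STATE_HOME/tailscale (~/.local/state/tailscale by default). The function names (sidecar_hash, verify_sha256, check_private_dir, fetch_and_verify, install_tailscale, post_install_check) are mine.

```shell
#!/usr/bin/env bash
# Added example, not the post's own script. Same install flow as the script
# above, but the tarball is verified against its published SHA-256 before it
# is unpacked, and the result is sanity-checked afterwards.
# Assumptions (not from the post): pkgs.tailscale.com serves "<tarball>.sha256"
# beside each tarball, and the user unit's StateDirectory= resolves to
# ${XDG_STATE_HOME:-~/.local/state}/tailscale.
set -eu

BASE=https://pkgs.tailscale.com/stable

# sidecar_hash FILE: print the hex digest from a "HEX  name" sha256sum-style file
sidecar_hash() {
    awk 'NR == 1 { print $1 }' "$1"
}

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE hashes to EXPECTED_HEX
verify_sha256() {
    local file=$1 expected=$2 actual
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        printf 'checksum mismatch for %s\n  expected %s\n  got      %s\n' \
            "$file" "$expected" "$actual" >&2
        return 1
    fi
    return 0
}

# check_private_dir DIR: succeed only if DIR exists and is mode 0700
# (tailscaled.state holds the node's private keys, so group/other get nothing)
check_private_dir() {
    [ -d "$1" ] && [ "$(stat -c %a "$1")" = "700" ]
}

# fetch_and_verify TARBALL DESTDIR: download tarball and sidecar, compare, extract
fetch_and_verify() {
    local name=$1 dest=$2
    curl -fsSL -o "$dest/$name" "$BASE/$name"
    curl -fsSL -o "$dest/$name.sha256" "$BASE/$name.sha256"   # assumed sidecar file
    verify_sha256 "$dest/$name" "$(sidecar_hash "$dest/$name.sha256")"
    tar -xzf "$dest/$name" -C "$dest"
}

install_tailscale() {
    local tmp index tarball tsdir
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT

    # fetch the index into a variable first so a curl failure stops the script
    index=$(curl -fsSL "$BASE/?mode=json")
    tarball=$(printf '%s' "$index" | jq -r .Tarballs.amd64)
    fetch_and_verify "$tarball" "$tmp"

    tsdir=$(find "$tmp" -name 'tailscale_*' -type d | head -n1)
    systemctl --user stop tailscaled.service
    install -m 0755 "$tsdir/tailscale" "$tsdir/tailscaled" ~/.local/bin/
    systemctl --user enable --now tailscaled.service
}

post_install_check() {
    local sock state
    sock="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/tailscale/tailscaled.sock"
    state="${XDG_STATE_HOME:-$HOME/.local/state}/tailscale"   # assumed layout

    systemctl --user is-active --quiet tailscaled.service \
        || { echo 'tailscaled.service is not active' >&2; return 1; }
    [ -S "$sock" ] || { echo "no control socket at $sock" >&2; return 1; }
    check_private_dir "$state" || { echo "$state is not mode 0700" >&2; return 1; }
    # the CLI defaults to /var/run/tailscale, so point it at the per-user socket
    tailscale --socket="$sock" status >/dev/null 2>&1 \
        || echo "daemon is up but not logged in; run: tailscale --socket=$sock up"
}

case "${1:-}" in
    install) install_tailscale; post_install_check ;;
    check)   post_install_check ;;
esac
```

Run it as `./tailscale-install.sh install` to download, verify and (re)start, or `./tailscale-install.sh check` on its own to re-run only the post-install checks. The index is read into a variable before being piped to jq so that a failed download stops the script under plain `set -e`, without depending on `pipefail`.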