# Tailscale/Headscale VPN Choice Integration > **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking. **Goal:** Allow users to choose between Tailscale (enterprise, fast) and Headscale (self-hosted, open-source) at Stage 4 of the installer. **Architecture:** - New `create_headscale_server_interactive()` helper function follows existing pattern of account setup helpers - Stage 4 presents user choice with neutral, informative framing of both options - Manifest stores `vpn_backend` choice alongside credentials - Stage 8 firewall rules remain backend-agnostic (UFW allows on Tailscale interface for both) **Tech Stack:** Python 3, subprocess, json (existing in interview.py) --- ### Task 1: Write failing test for Headscale helper function **Files:** - Create: `tests/test_interview_vpn.py` - [ ] **Step 1: Write test file with VPN flow tests** ```python """Tests for Tailscale/Headscale VPN choice in interview.py""" import json import sys from pathlib import Path from unittest.mock import patch, MagicMock # Import from interview.py sys.path.insert(0, str(Path(__file__).parent.parent / "scripts")) from interview import create_headscale_server_interactive def test_headscale_helper_returns_none_if_already_setup(): """Test Headscale helper when user already has server running.""" with patch('builtins.input', side_effect=['yes']): # User indicates they already have a Headscale server result = create_headscale_server_interactive() assert result is None or isinstance(result, dict) def test_headscale_helper_shows_setup_steps_if_no_server(): """Test Headscale helper shows Docker setup when user doesn't have server.""" with patch('builtins.input', side_effect=['no', 'https://headscale.example.com', 'hskey_abc123']): # User indicates no server, then provides server URL and key result = create_headscale_server_interactive() # Should return dict with server_url and key, or HEADSCALE_SETUP_REQUIRED assert result is not None def test_stage4_vpn_choice_defaults_to_tailscale(): """Test Stage 4 defaults to Tailscale when user presses Enter.""" # This will be tested via manual flow testing pass def test_stage4_vpn_choice_selects_headscale(): """Test Stage 4 selects Headscale when user enters 2.""" # This will be tested via manual flow testing pass ``` - [ ] **Step 2: Run test to verify it fails** Run: `pytest tests/test_interview_vpn.py -v` Expected: FAIL with "ModuleNotFoundError: No module named 'interview'" or function not found --- ### Task 2: Create `create_headscale_server_interactive()` helper function **Files:** - Modify: `scripts/interview.py` (add new function after `create_tailscale_account_interactive()`) - [ ] **Step 1: Add Headscale helper function** Locate `create_tailscale_account_interactive()` in interview.py (around line 1594). Insert this new function right after it: ```python def create_headscale_server_interactive(): """ Guide user through optional Headscale server setup. Headscale is a self-hosted, open-source alternative to Tailscale. This helper asks if they have a server running, and if not, provides Docker setup instructions. Returns: None if user already has Headscale server set up dict with 'server_url' and 'auth_key' if user provides them "HEADSCALE_SETUP_REQUIRED" if setup is needed and deferred """ print("╔══ Headscale Self-Hosted Setup ══╗\n") print("Headscale is 100% open-source, auditable, and self-hosted.") print("You control the server — no metadata sent to external services.\n") has_server = input("Do you already have a Headscale server running? (y/n): ").strip().lower() if has_server in ('y', 'yes'): print("\n✓ Great! We'll need the connection details.\n") server_url = input("Headscale server URL (e.g., https://headscale.example.com): ").strip() auth_key = input("Headscale auth key (starts with 'hskey_'): ").strip() if server_url and auth_key: print(f"\n✓ Server configured: {server_url}\n") return {"server_url": server_url, "auth_key": auth_key} else: print("\n⚠️ Missing server URL or auth key. Please provide both.\n") return None # User needs to set up a server print("\n→ Headscale Server Setup Guide\n") print("You'll need to run Headscale on a server you control:") print(" • VPS: DigitalOcean, Linode, AWS (~$5-10/month)") print(" • Local: Raspberry Pi, old laptop, NAS") print(" • Cloud: Home server with public IP\n") print("Quick Docker setup (5 minutes):") print(" 1. SSH into your server") print(" 2. Create directory: mkdir -p ~/headscale/config") print(" 3. Download config: wget https://github.com/juanfont/headscale/raw/main/config-example.yaml") print(" 4. Edit config (change 'server_url' to your domain)") print(" 5. Run Docker:") print(" docker run -d --name headscale \\") print(" -v ~/headscale/config:/etc/headscale \\") print(" -p 8080:8080 \\") print(" -p 50443:50443/udp \\") print(" juanfont/headscale:latest\n") print("Once your server is running:") print(" 6. Create an auth key: docker exec headscale headscale apikeys create") print(" 7. Copy the key (starts with 'hskey_')") print(" 8. Run this wizard again and provide the server URL + key\n") open_guide = input("Open Headscale docs in browser? (y/n): ").strip().lower() if open_guide in ('y', 'yes'): webbrowser.open("https://headscale.dev/getting-started/") print("\nℹ️ Once your Headscale server is running, re-run this wizard") print("and select Headscale at Stage 4 to provide your server details.\n") return "HEADSCALE_SETUP_REQUIRED" ``` - [ ] **Step 2: Verify function syntax is correct** Run: `python3 -m py_compile scripts/interview.py` Expected: No output (success) --- ### Task 3: Add HELP_TEXT entry for Headscale **Files:** - Modify: `scripts/interview.py` (update HELP_TEXT dict, around line 97) - [ ] **Step 1: Add Headscale help text** Locate the HELP_TEXT dict and add this entry after the `"tailscale"` entry: ```python "headscale": """ ╔══ Headscale: Self-Hosted Mesh Network ══╗ Headscale is an open-source alternative to Tailscale's control plane. You run the server yourself — full control, zero metadata leaks. When to use Headscale: ✓ Your IT dept requires open-source infrastructure ✓ You need full audit trail of all connections ✓ You prefer self-hosted over cloud ✓ You want zero metadata sent to external services Setup requirements: • A server you control (VPS, Pi, home server, ~$5-10/month) • Docker (comes pre-installed on most VPS) • ~15 minutes to spin up Same encryption as Tailscale (WireGuard), same reliability, just hosted by you instead of Tailscale Inc. → Quick start: https://headscale.dev/getting-started/ """, ``` - [ ] **Step 2: Verify syntax** Run: `python3 -m py_compile scripts/interview.py` Expected: No output (success) --- ### Task 4: Modify Stage 4 to present VPN choice **Files:** - Modify: `scripts/interview.py` (replace Stage 4 section, around lines 2025-2039) - [ ] **Step 1: Find and replace Stage 4 section** Locate this section in interview.py: ```python # ───────────────────────────────────────────────── # STAGE 4: Tailscale Auth Key # ───────────────────────────────────────────────── print("╔══ Stage 4: Tailscale Mesh Network ══╗\n") print("Tailscale creates a secure network between your devices.\n") print(f"→ Get your auth key here: {SERVICE_URLS['tailscale']}\n") tailscale_key = prompt_with_help( "Paste your Tailscale Auth Key: ", "tailscale" ) print() ``` Replace with: ```python # ───────────────────────────────────────────────── # STAGE 4: Mesh Network Backend (Tailscale vs Headscale) # ───────────────────────────────────────────────── print("╔══ Stage 4: Mesh Network Backend ══╗\n") print("Your Jetson needs a secure mesh network to connect with your devices.") print("Two options:\n") print("┌─ Option 1: Tailscale (Recommended for most) ─┐") print(" ✓ Military-grade encryption (WireGuard)") print(" ✓ Approved & trusted by enterprise IT departments") print(" ✓ Zero-config: QR scan + instant connectivity") print(" ✓ Cloud-hosted, globally distributed, ultra-reliable") print(" ✓ ~2 minutes to set up") print(" ✓ No infrastructure needed\n") print("└──────────────────────────────────────────┘\n") print("┌─ Option 2: Headscale (For maximum control) ─┐") print(" ✓ Same encryption as Tailscale (WireGuard)") print(" ✓ 100% open-source (MIT license) — audit any code") print(" ✓ You control the server (full auditability)") print(" ✓ No metadata sent to external services") print(" ✓ Self-hosted on your VPS, Pi, or local hardware") print(" ✓ ~15-20 minutes (includes Docker setup)\n") print(" Best if: Your IT requires open-source infrastructure,") print(" you want zero metadata leakage, or you") print(" prefer ultimate control over the server.\n") print(" Note: Requires a VPS (~$5-10/mo) or existing server.") print(" We'll help you set it up.") print("└──────────────────────────────────────────┘\n") vpn_choice = input("Which backend? [1] Tailscale (default), [2] Headscale: ").strip().lower() # Default to Tailscale if empty or invalid input if vpn_choice in ('2', 'headscale'): print("\n→ Configuring Headscale self-hosted backend...\n") vpn_backend = "headscale" headscale_result = create_headscale_server_interactive() if headscale_result == "HEADSCALE_SETUP_REQUIRED": print("⚠️ Headscale setup required. Pausing here.") print("Once your server is ready, re-run this wizard.\n") tailscale_key = None headscale_server_url = None headscale_auth_key = None elif isinstance(headscale_result, dict): print() tailscale_key = None headscale_server_url = headscale_result.get("server_url") headscale_auth_key = headscale_result.get("auth_key") else: print("⚠️ Invalid Headscale input. Falling back to Tailscale.\n") vpn_backend = "tailscale" tailscale_key = prompt_with_help( f"Paste your Tailscale Auth Key: ", "tailscale" ) headscale_server_url = None headscale_auth_key = None else: # Tailscale (default) print("→ Configuring Tailscale cloud backend...\n") vpn_backend = "tailscale" tailscale_key = prompt_with_help( f"Paste your Tailscale Auth Key: ", "tailscale" ) headscale_server_url = None headscale_auth_key = None print() ``` - [ ] **Step 2: Verify syntax** Run: `python3 -m py_compile scripts/interview.py` Expected: No output (success) --- ### Task 5: Update manifest to store VPN backend choice **Files:** - Modify: `scripts/interview.py` (update Stage 6 config saving, around lines 2110-2125) - [ ] **Step 1: Locate Stage 6 (Saving Configuration)** Find this section: ```python master_account = { "email": email, "nvidia_api_key": nvidia_key, "tailscale_key": tailscale_key, "matrix_access_token": matrix_token, "status": "provisioned" } ``` - [ ] **Step 2: Update to include VPN backend and Headscale details** Replace with: ```python master_account = { "email": email, "nvidia_api_key": nvidia_key, "vpn_backend": vpn_backend, # "tailscale" or "headscale" "status": "provisioned" } # Add VPN-specific credentials based on backend choice if vpn_backend == "tailscale": master_account["tailscale_key"] = tailscale_key elif vpn_backend == "headscale": master_account["headscale_server_url"] = headscale_server_url master_account["headscale_auth_key"] = headscale_auth_key # Matrix token always included master_account["matrix_access_token"] = matrix_token ``` - [ ] **Step 3: Verify syntax** Run: `python3 -m py_compile scripts/interview.py` Expected: No output (success) --- ### Task 6: Update validation to handle both VPN backends **Files:** - Modify: `scripts/interview.py` (update `validate_manifest()` function, around line 1420) - [ ] **Step 1: Find Tailscale key validation** Locate this section: ```python # Check Tailscale key format ts_key = manifest.get("master_account", {}).get("tailscale_key", "") if ts_key and not ts_key.startswith("tskey-"): issues.append("❌ Tailscale key doesn't start with 'tskey-' (invalid format)") elif ts_key: print(f"✓ Tailscale key format valid (starts with 'tskey-')") ``` - [ ] **Step 2: Replace with backend-aware validation** Replace with: ```python # Check VPN backend configuration vpn_backend = manifest.get("master_account", {}).get("vpn_backend", "tailscale") if vpn_backend == "tailscale": ts_key = manifest.get("master_account", {}).get("tailscale_key", "") if ts_key and not ts_key.startswith("tskey-"): issues.append("❌ Tailscale key doesn't start with 'tskey-' (invalid format)") elif ts_key: print(f"✓ Tailscale key format valid (starts with 'tskey-')") else: issues.append("❌ Tailscale backend selected but no auth key provided") elif vpn_backend == "headscale": hs_url = manifest.get("master_account", {}).get("headscale_server_url", "") hs_key = manifest.get("master_account", {}).get("headscale_auth_key", "") if not hs_url: issues.append("❌ Headscale backend selected but server URL missing") elif hs_key and not hs_key.startswith("hskey_"): issues.append("❌ Headscale auth key doesn't start with 'hskey_' (invalid format)") elif hs_key: print(f"✓ Headscale auth key format valid (starts with 'hskey_')") else: issues.append("❌ Headscale backend selected but no auth key provided") ``` - [ ] **Step 3: Verify syntax** Run: `python3 -m py_compile scripts/interview.py` Expected: No output (success) --- ### Task 7: Manual test - Tailscale flow (default) **Files:** - Test: `scripts/interview.py` (Stage 4 interactive) - [ ] **Step 1: Run wizard and accept Tailscale default** ```bash cd /home/geodesix/engram # Run only through Stage 4 python3 scripts/interview.py # At Stage 4 prompt: Press Enter or type "1" to select Tailscale # Provide a valid test Tailscale key (tskey-abc123... format) ``` Expected output: - Stage 4 displays both options clearly - Default input (Enter or "1") selects Tailscale - Prompts for Tailscale auth key - Manifest saves with `vpn_backend: "tailscale"` and `tailscale_key: "..."` - [ ] **Step 2: Verify manifest created correctly** ```bash cat ~/engram/credentials.json | jq '.master_account | {vpn_backend, tailscale_key}' ``` Expected: `{"vpn_backend": "tailscale", "tailscale_key": "tskey_..."}` --- ### Task 8: Manual test - Headscale flow (with existing server) **Files:** - Test: `scripts/interview.py` (Stage 4 interactive) - [ ] **Step 1: Remove existing credentials to start fresh** ```bash rm -f ~/engram/credentials.json ``` - [ ] **Step 2: Run wizard and select Headscale** ```bash cd /home/geodesix/engram python3 scripts/interview.py # At Stage 4 prompt: type "2" to select Headscale # At Headscale prompt: type "yes" (user has server) # Provide test URL: https://headscale.example.com # Provide test key: hskey_abc123... ``` Expected output: - Stage 4 displays both options clearly - Input "2" selects Headscale - Asks if server exists, guides Docker setup if needed - Manifest saves with `vpn_backend: "headscale"`, `headscale_server_url`, `headscale_auth_key` - [ ] **Step 3: Verify manifest created correctly** ```bash cat ~/engram/credentials.json | jq '.master_account | {vpn_backend, headscale_server_url, headscale_auth_key}' ``` Expected: `{"vpn_backend": "headscale", "headscale_server_url": "https://headscale.example.com", "headscale_auth_key": "hskey_..."}` --- ### Task 9: Verify Stage 8 firewall rules work for both backends **Files:** - Review: `scripts/interview.py` (Stage 8 security hardening, around line 1950) - [ ] **Step 1: Verify firewall logic is backend-agnostic** Check `check_tailscale_active()` and firewall rules in Stage 8. These should work for both: - Tailscale uses `tailscale0` interface (existing) - Headscale uses same `tailscale0` interface (after auto-enrollment) Current code should need NO changes — both backends produce the same interface. ```bash grep -n "tailscale0" scripts/interview.py ``` Expected: firewall rules reference `tailscale0` interface only (works for both backends) --- ### Task 10: Final commit **Files:** - Commit: All changes to `scripts/interview.py` + new test file - [ ] **Step 1: Stage changes** ```bash cd /home/geodesix/engram git add scripts/interview.py tests/test_interview_vpn.py git status ``` - [ ] **Step 2: Create commit** ```bash git commit -m "feat: integrate Tailscale/Headscale VPN choice at Stage 4 - Add Stage 4 choice prompt with neutral framing of both options - Create create_headscale_server_interactive() helper function - Support both backends: Tailscale (cloud-hosted) and Headscale (self-hosted) - Store vpn_backend choice in credentials.json manifest - Update validation to check correct credentials per backend - Both backends use same tailscale0 interface for firewall compatibility - Add comprehensive help text for both options - Test flows: default Tailscale + Headscale with server prompt Headscale option designed for users requiring: - Full open-source infrastructure audit - Zero metadata leakage to external services - Maximum control (self-hosted on VPS/Pi/local hardware) Tailscale recommended for most (enterprise-approved, zero-config, fast setup). Both options presented neutrally to let users choose based on their needs. Co-Authored-By: Claude Haiku 4.5 " ``` - [ ] **Step 3: Verify commit** ```bash git log -1 --stat ``` Expected: Single commit with changes to interview.py and new test file