├── app ├── Dockerfile ├── config.ini ├── requirements.txt ├── headscale.py ├── tailscale.py ├── config.py ├── cloudflare.py └── app.py ├── LICENSE ├── .gitignore ├── .github └── workflows │ └── docker-publish.yml └── README.md /app/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8 2 | WORKDIR /app 3 | ADD . /app 4 | RUN pip install --upgrade pip 5 | RUN pip install -r requirements.txt 6 | CMD ["python", "app.py"] -------------------------------------------------------------------------------- /app/config.ini: -------------------------------------------------------------------------------- 1 | [DEFAULT] 2 | mode= 3 | 4 | cf-key= 5 | cf-domain= 6 | cf-sub= 7 | 8 | ts-tailnet= 9 | ts-key= 10 | ts-client-id= 11 | ts-client-secret= 12 | 13 | hs-baseurl= 14 | hs-apikey= 15 | -------------------------------------------------------------------------------- /app/requirements.txt: -------------------------------------------------------------------------------- 1 | certifi==2025.1.31 2 | charset-normalizer==3.4.1 3 | idna==3.10 4 | ipaddress==1.0.23 5 | oauthlib==3.2.2 6 | packaging==24.2 7 | requests==2.32.3 8 | requests-oauthlib==2.0.0 9 | termcolor==2.5.0 10 | urllib3==2.3.0 11 | -------------------------------------------------------------------------------- /app/headscale.py: -------------------------------------------------------------------------------- 1 | import requests, json 2 | from termcolor import colored 3 | from tailscale import alterHostname 4 | 5 | def getHeadscaleDevice(apikey, baseurl): 6 | url = "{baseurl}/api/v1/node".format(baseurl=baseurl) 7 | payload={} 8 | headers = { 9 | "Authorization": "Bearer {apikey}".format(apikey=apikey) 10 | } 11 | response = requests.request("GET", url, headers=headers, data=payload) 12 | 13 | output=[] 14 | 15 | data = json.loads(response.text) 16 | if (response.status_code == 200): 17 | output = [] 18 | for device in data['nodes']: 19 | for address in device['ipAddresses']: 20 | if not device['givenName'].lower().startswith('localhost'): 21 | output.append({'hostname': alterHostname(device['givenName'].split('.')[0].lower()), 'address': address}) 22 | return output 23 | else: 24 | exit(colored("getTailscaleDevice() - {status}, {error}".format(status=str(response.status_code), error=data['message']), "red")) 25 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2021 marc1307 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | -------------------------------------------------------------------------------- /app/tailscale.py: -------------------------------------------------------------------------------- 1 | import requests, json 2 | import ipaddress 3 | from requests.auth import HTTPBasicAuth 4 | from oauthlib.oauth2 import BackendApplicationClient 5 | from requests_oauthlib import OAuth2Session 6 | from termcolor import colored 7 | 8 | ### Get Data 9 | def getTailscaleDevice(apikey, clientid, clientsecret, tailnet): 10 | if clientid and clientsecret: 11 | token = OAuth2Session(client=BackendApplicationClient(client_id=clientid)).fetch_token(token_url='https://api.tailscale.com/api/v2/oauth/token', client_id=clientid, client_secret=clientsecret) 12 | apikey = token["access_token"] 13 | url = "https://api.tailscale.com/api/v2/tailnet/{tailnet}/devices".format(tailnet=tailnet) 14 | payload={} 15 | headers = { 16 | } 17 | response = requests.request("GET", url, headers=headers, data=payload, auth=HTTPBasicAuth(username=apikey, password="")) 18 | # print(response.text) 19 | # print(json.dumps(json.loads(response.text), indent=2)) 20 | 21 | output=[] 22 | 23 | data = json.loads(response.text) 24 | if (response.status_code == 200): 25 | output = [] 26 | for device in data['devices']: 27 | #print(device['hostname']+": "+json.dumps(device['addresses'])) 28 | for address in device['addresses']: 29 | output.append({'hostname': alterHostname(device['hostname']), 'address': address}) 30 | if device['name'].split('.')[0].lower() != device['hostname'].lower(): 31 | output.append({'hostname': alterHostname(device['name'].split('.')[0].lower()), 'address': address}) 32 | return output 33 | else: 34 | exit(colored("getTailscaleDevice() - {status}, {error}".format(status=str(response.status_code), error=data['message']), "red")) 35 | 36 | def isTailscaleIP(ip): 37 | ip = ipaddress.ip_address(ip) 38 | 39 | if (ip.version == 6): 40 | if (ip in ipaddress.IPv6Network('fd7a:115c:a1e0::/48')): 41 | return True 42 | else: 43 | return False 44 | elif (ip.version == 4): 45 | if (ip in ipaddress.IPv4Network('100.64.0.0/10')): 46 | return True 47 | else: 48 | return False 49 | else: 50 | exit("isTailscaleIP(): - unknown IP version") 51 | 52 | def alterHostname(hostname): 53 | from config import getConfig 54 | config = getConfig() 55 | pre = config.get("prefix", "") 56 | post = config.get("postfix", "") 57 | 58 | newHostname = "{pre}{hostname}{post}".format(pre=pre, post=post, hostname=hostname) 59 | return newHostname 60 | 61 | if __name__ == '__main__': 62 | print(json.dumps(getTailscaleDevice(), indent=2)) -------------------------------------------------------------------------------- /.github/workflows/docker-publish.yml: -------------------------------------------------------------------------------- 1 | name: Docker 2 | 3 | # This workflow uses actions that are not certified by GitHub. 4 | # They are provided by a third-party and are governed by 5 | # separate terms of service, privacy policy, and support 6 | # documentation. 7 | 8 | on: 9 | push: 10 | branches: [ main ] 11 | # Publish semver tags as releases. 12 | tags: [ 'v*.*.*' ] 13 | pull_request: 14 | branches: [ main ] 15 | 16 | env: 17 | # Use docker.io for Docker Hub if empty 18 | REGISTRY: ghcr.io 19 | # github.repository as / 20 | IMAGE_NAME: ${{ github.repository }} 21 | 22 | 23 | jobs: 24 | build: 25 | 26 | runs-on: ubuntu-latest 27 | permissions: 28 | contents: read 29 | packages: write 30 | 31 | steps: 32 | - name: Checkout repository 33 | uses: actions/checkout@v2 34 | 35 | # Login against a Docker registry except on PR 36 | # https://github.com/docker/login-action 37 | - name: Log into registry ${{ env.REGISTRY }} 38 | if: github.event_name != 'pull_request' 39 | uses: docker/login-action@v1 40 | with: 41 | registry: ${{ env.REGISTRY }} 42 | username: ${{ github.actor }} 43 | password: ${{ secrets.GITHUB_TOKEN }} 44 | 45 | - name: Set up QEMU 46 | uses: docker/setup-qemu-action@v2 47 | with: 48 | platforms: all 49 | 50 | - name: Set up Docker Buildx 51 | id: buildx 52 | uses: docker/setup-buildx-action@v2 53 | with: 54 | version: latest 55 | install: true 56 | use: true 57 | 58 | # Extract metadata (tags, labels) for Docker 59 | # https://github.com/docker/metadata-action 60 | - name: Extract Docker metadata 61 | id: meta 62 | uses: docker/metadata-action@v3 63 | with: 64 | images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} 65 | 66 | # Build and push Docker image with Buildx (don't push on PR) 67 | # https://github.com/docker/build-push-action 68 | - name: Build and push Docker image 69 | uses: docker/build-push-action@v2 70 | with: 71 | context: ./app 72 | push: ${{ github.event_name != 'pull_request' }} 73 | tags: ${{ steps.meta.outputs.tags }} 74 | labels: ${{ steps.meta.outputs.labels }} 75 | platforms: |- 76 | linux/386, 77 | linux/amd64, 78 | linux/arm/v5, 79 | linux/arm/v6, 80 | linux/arm/v7, 81 | linux/arm64/v8, 82 | linux/386, 83 | linux/mips64le, 84 | linux/ppc64le, 85 | linux/s390x 86 | -------------------------------------------------------------------------------- /app/config.py: -------------------------------------------------------------------------------- 1 | import configparser, os 2 | import os.path 3 | from sys import path 4 | from termcolor import cprint 5 | 6 | keysToImport = ['cf-key', 'cf-domain', 'ts-tailnet'] 7 | keysOptional = ['cf-sub', 'prefix', 'postfix', 'ts-key', 'ts-client-id', 'ts-client-secret', "mode", "hs-baseurl", "hs-apikey"] 8 | 9 | def importkey(name, optional=False): 10 | key = name 11 | envKey = key.replace("-", "_") 12 | 13 | secretPath = "/run/secrets/"+key 14 | if (os.path.isfile(secretPath)): 15 | secret = open(secretPath, "r") 16 | out = "{}".format(secret.readline().strip()) 17 | return out 18 | elif (key in os.environ): 19 | return os.environ.get(key) 20 | elif (envKey in os.environ): 21 | return os.environ.get(envKey) 22 | else: 23 | try: 24 | cfgPath = os.path.dirname(os.path.realpath(__file__))+'/config.ini' 25 | with open(cfgPath, 'r') as file: 26 | config = configparser.ConfigParser() 27 | config.read(cfgPath) 28 | cfg=config['DEFAULT'] 29 | except Exception as e: 30 | print(e) 31 | if optional: 32 | return "" 33 | exit('could not read config file') 34 | finally: 35 | try: 36 | out = cfg[key] 37 | return out 38 | except: 39 | if optional: 40 | return "" 41 | cprint("ERROR: mandatory configuration not found: {}".format(key), "red") 42 | 43 | def getConfig(): 44 | # static = { 45 | # 'cf-key': '', 46 | # 'cf-domain': "".lower(), 47 | # 'ts-key': 'tskey-', 48 | # 'ts-tailnet': '' 49 | # } 50 | static = {} 51 | 52 | for key in keysToImport: 53 | static[key] = importkey(key) 54 | for key in keysOptional: 55 | static[key] = importkey(key, True) 56 | 57 | # check for tailscale config 58 | if static['mode'] == "" or static['mode'] == "tailscale": 59 | static['mode'] = "tailscale" 60 | if not static['ts-key'] and not (static['ts-client-id'] and static['ts-client-secret']): 61 | cprint("ERROR: mandatory tailscale configuration not found: ts-key or ts-client-id/ts-client-secret missing", "red") 62 | exit(1) 63 | # check for headscale Config 64 | if static['mode'] == "headscale": 65 | if not (static['hs-baseurl'] and static['hs-apikey']): 66 | cprint("ERROR: mandatory headscale configuration not found: hs-baseurl and/or hs-apikey missing", "red") 67 | exit(1) 68 | # unkown mode unfigured 69 | if static['mode'] not in ["", "tailscale", "headscale"]: 70 | cprint("ERROR: unknown mode configured (got: {mode})".format(mode=static['mode']), "red") 71 | exit(1) 72 | 73 | return static 74 | 75 | if __name__ == '__main__': 76 | from pprint import pprint 77 | pprint(getConfig()) 78 | -------------------------------------------------------------------------------- /app/cloudflare.py: -------------------------------------------------------------------------------- 1 | import requests, json, re 2 | 3 | from termcolor import cprint, colored 4 | from requests.models import Response 5 | 6 | def getZoneId(token, domain): 7 | url = "https://api.cloudflare.com/client/v4/zones" 8 | payload={} 9 | headers = { 10 | 'Authorization': "Bearer {}".format(token) 11 | } 12 | response = requests.request("GET", url, headers=headers, data=payload) 13 | data = json.loads(response.text) 14 | 15 | if data['success']: 16 | for zone in data['result']: 17 | if zone['name'] == domain: 18 | return zone['id'] 19 | else: 20 | exit(colored('getZoneId(): '+json.dumps(data['errors'], indent=2), "red")) 21 | 22 | 23 | def getZoneRecords(token, domain, hostname=False, zoneId=False): 24 | if zoneId != False: 25 | url = "https://api.cloudflare.com/client/v4/zones/{zone_identifier}/dns_records?per_page=150".format(zone_identifier=zoneId) 26 | else: 27 | url = "https://api.cloudflare.com/client/v4/zones/{zone_identifier}/dns_records?per_page=150".format(zone_identifier=getZoneId(token, domain)) 28 | payload={} 29 | headers = { 30 | 'Authorization': "Bearer {}".format(token) 31 | } 32 | 33 | response = requests.request("GET", url, headers=headers, data=payload) 34 | data = json.loads(response.text) 35 | 36 | output = [] 37 | 38 | if data['success']: 39 | for record in data['result']: 40 | if record['type'] in ['A', 'AAAA']: 41 | #print("{name} {ttl} in {type} {content}".format(name=record['name'], ttl=record['ttl'], type=record['type'], content=record['content'])) 42 | output.append(record) 43 | return output 44 | else: 45 | exit(colored("getZoneRecords() - error\n{}".format(json.dumps(data['errors'], indent=2)), "red")) 46 | 47 | def createDNSRecord(token, domain, name, type, content, subdomain=None, zoneId=False, priority=False, ttl=120): 48 | if zoneId != False: 49 | url = "https://api.cloudflare.com/client/v4/zones/{zone_identifier}/dns_records".format(zone_identifier=zoneId) 50 | else: 51 | url = "https://api.cloudflare.com/client/v4/zones/{zone_identifier}/dns_records".format(zone_identifier=getZoneId(token, domain)) 52 | if subdomain: 53 | fqdn = name+"."+subdomain+"."+domain 54 | else: 55 | fqdn = name+"."+domain 56 | 57 | payload={ 58 | 'type': type, 59 | 'name': fqdn, 60 | 'content': content, 61 | 'ttl': ttl 62 | } 63 | headers = { 64 | 'Authorization': "Bearer {}".format(token) 65 | } 66 | 67 | response = requests.request("POST", url, headers=headers, data=json.dumps(payload)) 68 | data = json.loads(response.text) 69 | 70 | if data['success'] == True: 71 | print("--> [CLOUDFLARE] [{code}] {msg}".format(code=response.status_code, msg=colored('record created', "green"))) 72 | return True 73 | else: 74 | cprint("[ERROR]", 'red') 75 | exit("createDNSRecord(): "+json.dumps(data['errors'], indent=2)) 76 | 77 | def deleteDNSRecord(token, domain, id, zoneId=False): 78 | if zoneId != False: 79 | url = "https://api.cloudflare.com/client/v4/zones/{zone_identifier}/dns_records/{identifier}".format(zone_identifier=zoneId, identifier=id) 80 | else: 81 | url = "https://api.cloudflare.com/client/v4/zones/{zone_identifier}/dns_records/{identifier}".format(zone_identifier=getZoneId(token, domain), identifier=id) 82 | headers = { 83 | 'Authorization': "Bearer {}".format(token) 84 | } 85 | response = requests.request("DELETE", url, headers=headers) 86 | data = json.loads(response.text) 87 | print("--> [CLOUDFLARE] [{code}] {msg}".format(code=response.status_code, msg=colored('record deleted', "green"))) 88 | 89 | def isValidDNSRecord(name): 90 | regex = "^([a-zA-Z]|\d|-|\.)*$" 91 | return re.match(regex, name) 92 | 93 | 94 | 95 | if __name__ == '__main__': 96 | token = "" 97 | domain = "" 98 | print(getZoneId(token, domain)) 99 | print(json.dumps(getZoneRecords(token, domain), indent=2)) 100 | -------------------------------------------------------------------------------- /app/app.py: -------------------------------------------------------------------------------- 1 | import ipaddress 2 | import json 3 | 4 | from requests.api import delete 5 | from termcolor import colored, cprint 6 | 7 | from cloudflare import createDNSRecord, deleteDNSRecord, getZoneRecords, isValidDNSRecord, getZoneId 8 | from tailscale import getTailscaleDevice, isTailscaleIP 9 | from config import getConfig 10 | 11 | import sys 12 | 13 | def main(): 14 | config = getConfig() 15 | cf_ZoneId = getZoneId(config['cf-key'], config['cf-domain']) 16 | cf_recordes = getZoneRecords(config['cf-key'], config['cf-domain'], zoneId=cf_ZoneId) 17 | 18 | # Get records depeneding on mode 19 | if config['mode'] == "tailscale": 20 | ts_records = getTailscaleDevice(config['ts-key'], config['ts-client-id'], config['ts-client-secret'], config['ts-tailnet']) 21 | if config['mode'] == "headscale": 22 | from headscale import getHeadscaleDevice 23 | ts_records = getHeadscaleDevice(config['hs-apikey'], config['hs-baseurl']) 24 | 25 | records_typemap = { 26 | 4: 'A', 27 | 6: 'AAAA' 28 | } 29 | 30 | print(colored("runnning in ","blue")+colored(config['mode'],"red"),colored("mode", "blue")+"\n") 31 | 32 | cprint("Adding new devices:", "blue") 33 | 34 | # Check if current hosts already have records: 35 | for ts_rec in ts_records: 36 | #if ts_rec['hostname'] in cf_recordes['name']: 37 | if config.get("cf-sub"): 38 | sub = "." + config.get("cf-sub").lower() 39 | else: 40 | sub = "" 41 | tsfqdn = ts_rec['hostname'].lower()+sub+"."+config['cf-domain'] 42 | if any(c['name'] == tsfqdn and c['content'] == ts_rec['address'] for c in cf_recordes): 43 | print("[{state}]: {host} -> {ip}".format(host=tsfqdn, ip=ts_rec['address'], state=colored("FOUND", "green"))) 44 | else: 45 | ip = ipaddress.ip_address(ts_rec['address']) 46 | if isValidDNSRecord(ts_rec['hostname']): 47 | print("[{state}]: {host} -> {ip}".format(host=tsfqdn, ip=ts_rec['address'], state=colored("ADDING", "yellow"))) 48 | createDNSRecord(config['cf-key'], config['cf-domain'], ts_rec['hostname'], records_typemap[ip.version], ts_rec['address'],subdomain=config["cf-sub"], zoneId=cf_ZoneId) 49 | else: 50 | print("[{state}]: {host}.{tld} -> {ip} -> (Hostname: \"{host}.{tld}\" is not valid)".format(host=ts_rec['hostname'], ip=ts_rec['address'], state=colored("SKIPING", "red"), tld=config['cf-domain'])) 51 | 52 | 53 | 54 | cprint("Cleaning up old records:", "blue") 55 | # Check for old records: 56 | cf_recordes = getZoneRecords(config['cf-key'], config['cf-domain']) 57 | 58 | # set tailscale hostnames to lower cause dns is 59 | for i in range(len(ts_records)): 60 | ts_records[i]['hostname'] = ts_records[i]['hostname'].lower() 61 | 62 | 63 | for cf_rec in cf_recordes: 64 | if config.get('cf-sub'): 65 | sub = '.' + config.get('cf-sub').lower() 66 | else: sub = "" 67 | cf_name = cf_rec['name'].rsplit(sub + '.' + config['cf-domain'], 1)[0] 68 | 69 | # Ignore any records not matching our prefix/postfix 70 | if not cf_name.startswith(config.get('prefix', '')): 71 | continue 72 | if not cf_name.endswith(config.get('postfix', '')): 73 | continue 74 | 75 | # Ignore any records not matching our subdomain 76 | if not cf_rec['name'].endswith(sub.lower() + '.' + config['cf-domain']): 77 | continue 78 | 79 | if any(a['hostname'] == cf_name and a['address'] == cf_rec['content'] for a in ts_records): 80 | print("[{state}]: {host} -> {ip}".format(host=cf_rec['name'], ip=cf_rec['content'], state=colored("IN USE", "green"))) 81 | else: 82 | if (not isTailscaleIP(cf_rec['content'])): 83 | print("[{state}]: {host} -> {ip} (IP does not belong to a tailscale host. please remove manualy)".format(host=cf_rec['name'], ip=cf_rec['content'], state=colored('SKIP DELETE', "red"))) 84 | continue 85 | 86 | print("[{state}]: {host} -> {ip}".format(host=cf_rec['name'], ip=cf_rec['content'], state=colored('DELETING', "yellow"))) 87 | deleteDNSRecord(config['cf-key'], config['cf-domain'], cf_rec['id'], zoneId=cf_ZoneId) 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | if __name__ == '__main__': 96 | main() 97 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # tailscale-cloudflare-dnssync 2 | Syncs Tailscale (or Headscale) host IPs to a cloudflare hosted DNS zone. 3 | Basically works like Magic DNS, but with your domain. 4 | The main benefit for me is the ability to use letsencrypt with certbot + dns challenge 5 | 6 | ## Features 7 | - Adds ipv4 and ipv6 records for all devices 8 | - Removes DNS records for deleted devices 9 | - Updates DNS records after the hostname/alias changes 10 | - Add a pre- and/or postfixes to dns records 11 | - Checks if DNS records is part of tailscale network (100.64.0.0/12 or fd7a:115c:a1e0::/48) before deleting records :P 12 | - Support Tailscale and Headscale (tested with v0.22.3) 13 | 14 | 15 | ## Run 16 | ### Run using docker (using env var) 17 | ```shell 18 | docker run --rm -it --env-file ~/git/tailscale-cloudflare-dnssync/env.txt ghcr.io/marc1307/tailscale-cloudflare-dnssync:latest 19 | ``` 20 | Envfile: 21 | ```env 22 | # mode= 23 | cf-key= 24 | cf-domain= 25 | # cf-sub= 26 | 27 | ts-key= 28 | ts-tailnet= 29 | # ts-clientid= 30 | # ts-clientsecret= 31 | 32 | # prefix= 33 | # postfix= 34 | ``` 35 | > **ts-tailnet** can be found in the [Tailscale Settings](https://login.tailscale.com/admin/settings/general) 36 | ```Settings -> General -> Organization``` or at the top left on the admin panel. 37 | 38 | ### Run using docker (using secrets) 39 | ```yaml 40 | secrets: 41 | cf-key: 42 | file: "./cloudflare-key.txt" 43 | # either, use ts-key for an api key or ts-clientid and ts-clientsecret for oauth 44 | ts-key: 45 | file: "./tailscale-key.txt" 46 | ts-clientid: 47 | file: "./tailscale-clientid.txt" 48 | ts-clientsecret: 49 | file: "./tailscale-clientsecret.txt" 50 | 51 | services: 52 | cloudflare-dns-sync: 53 | image: ghcr.io/marc1307/tailscale-cloudflare-dnssync:latest 54 | environment: 55 | - ts_tailnet= 56 | - cf_domain=example.com 57 | - cf_sub=sub # optional, uses sub domain for dns records 58 | - prefix=ts- # optional, adds prefix to dns records 59 | - postfix=-ts # optional, adds postfix to dns records 60 | secrets: 61 | - cf-key 62 | - ts-key 63 | ``` 64 | 65 | ### Run native using python 66 | #### setup environment 67 | ``` 68 | python3 -m venv env 69 | source env/bin/activate 70 | pip install -r app/requirements.txt 71 | cd app 72 | python app.py 73 | ``` 74 | #### config.ini 75 | ```ini 76 | [DEFAULT] 77 | mode= # optional; tailscale or headscale; defaults to tailscale 78 | 79 | cf-key= # mandatory; cloudflare api key 80 | cf-domain= # mandatory; cloudflare domain 81 | cf-sub= # optional; add a subdomain 82 | 83 | ts-tailnet= # mandatory in tailscale mode; tailnet name 84 | ts-key= # mandatory in tailscale mode if apikey is used; tailscale api 85 | ts-client-id= # mandatory in tailscale mode if oauth is used; tailscale oauth client id 86 | ts-client-secret= # mandatory in tailscale mode if oauth is used; tailscale oauth client secret 87 | 88 | hs-baseurl= # mandatory in headscale mode; headscale url 89 | hs-apikey= # mandatory in headscale mode; headscale apikey 90 | ``` 91 | 92 | ## Run with headscale 93 | ### Env Example 94 | ```env 95 | mode=headscale 96 | cf-key= 97 | cf-domain= 98 | 99 | hs-baseurl=https://headscale.example.com 100 | hs-apikey=≤headscale api key> 101 | ``` 102 | 103 | ## How to get API Keys 104 | ### Cloudflare 105 | 1. Login to Cloudflare Dashboard 106 | 2. Create API Key at https://dash.cloudflare.com/profile/api-tokens 107 | 3. Template: Edit Zone 108 | 4. Permissions: 109 | ``` 110 | Permission | Zone - DNS - edit 111 | Resource | include - specific zone - 112 | ``` 113 | 114 | ### Tailscale 115 | #### API Key 116 | 1. Login to Tailscale website 117 | 2. Create API key at: https://login.tailscale.com/admin/settings/authkeys 118 | 119 | #### OAuth 120 | 1. Login to Tailscale website 121 | 2. Create OAuth client at: https://login.tailscale.com/admin/settings/oauth with Devices Read permission 122 | 123 | ### Headscale 124 | #### API Key 125 | 1. Create a API Key using ```headscale apikeys create --expiration 90d``` 126 | 127 | Docs: [Controlling headscale with remote CLI](https://github.com/juanfont/headscale/blob/main/docs/remote-cli.md#create-an-api-key) 128 | --------------------------------------------------------------------------------