Merge pull request #113 from kradalby/apple-mobileconfig

Apple macOS profile support

README.md

@@ -22,20 +22,18 @@ Headscale implements this coordination server.
 - [x] Namespace support (~equivalent to multi-user in Tailscale.com)
 - [x] Routing (advertise & accept, including exit nodes)
 - [x] Node registration via pre-auth keys (including reusable keys, and ephemeral node support)
-- [X] JSON-formatted output
-- [X] ACLs
-- [X] Support for alternative IP ranges in the tailnets (default Tailscale's 100.64.0.0/10)
-- [X] DNS (passing DNS servers to nodes)
-- [X] Share nodes between ~~users~~ namespaces
+- [x] JSON-formatted output
+- [x] ACLs
+- [x] Taildrop (File Sharing)
+- [x] Support for alternative IP ranges in the tailnets (default Tailscale's 100.64.0.0/10)
+- [x] DNS (passing DNS servers to nodes)
+- [x] Share nodes between ~~users~~ namespaces
 - [ ] MagicDNS / Smart DNS
 
-
 ## Roadmap 🤷
 
 Suggestions/PRs welcomed!
 
-
-
 ## Running it
 
 1. Download the Headscale binary https://github.com/juanfont/headscale/releases, and place it somewhere in your PATH or use the docker container
@@ -43,109 +41,125 @@ Suggestions/PRs welcomed!
    ```shell
    docker pull headscale/headscale:x.x.x
    ```
-  <!--
-   or
-   ```shell
-   docker pull ghrc.io/juanfont/headscale:x.x.x
-   ``` -->
+
+   <!--
+    or
+    ```shell
+    docker pull ghrc.io/juanfont/headscale:x.x.x
+    ``` -->
 
 2. (Optional, you can also use SQLite) Get yourself a PostgreSQL DB running
 
-    ```shell
-    docker run --name headscale -e POSTGRES_DB=headscale -e \
-      POSTGRES_USER=foo -e POSTGRES_PASSWORD=bar -p 5432:5432 -d postgres
-    ```
+   ```shell
+   docker run --name headscale -e POSTGRES_DB=headscale -e \
+     POSTGRES_USER=foo -e POSTGRES_PASSWORD=bar -p 5432:5432 -d postgres
+   ```
 
 3. Set some stuff up (headscale Wireguard keys & the config.json file)
-    ```shell
-    wg genkey > private.key
-    wg pubkey < private.key > public.key  # not needed
 
-    # Postgres
-    cp config.json.postgres.example config.json
-    # or
-    # SQLite
-    cp config.json.sqlite.example config.json
-    ```
+   ```shell
+   wg genkey > private.key
+   wg pubkey < private.key > public.key  # not needed
+
+   # Postgres
+   cp config.json.postgres.example config.json
+   # or
+   # SQLite
+   cp config.json.sqlite.example config.json
+   ```
 
 4. Create a namespace (a namespace is a 'tailnet', a group of Tailscale nodes that can talk to each other)
-    ```shell
-    headscale namespaces create myfirstnamespace
-    ```
-    or docker:
 
-    the db.sqlite mount is only needed if you use sqlite
-    ```shell
-    touch db.sqlite
-    docker run -v $(pwd)/private.key:/private.key -v $(pwd)/config.json:/config.json -v $(pwd)/derp.yaml:/derp.yaml -v $(pwd)/db.sqlite:/db.sqlite -p 127.0.0.1:8000:8000 headscale/headscale:x.x.x headscale namespaces create myfirstnamespace
-    ```
-    or if your server is already running in docker:
-    ```shell
-    docker exec <container_name> headscale create myfirstnamespace
-    ```
+   ```shell
+   headscale namespaces create myfirstnamespace
+   ```
+
+   or docker:
+
+   the db.sqlite mount is only needed if you use sqlite
+
+   ```shell
+   touch db.sqlite
+   docker run -v $(pwd)/private.key:/private.key -v $(pwd)/config.json:/config.json -v $(pwd)/derp.yaml:/derp.yaml -v $(pwd)/db.sqlite:/db.sqlite -p 127.0.0.1:8000:8000 headscale/headscale:x.x.x headscale namespaces create myfirstnamespace
+   ```
+
+   or if your server is already running in docker:
+
+   ```shell
+   docker exec <container_name> headscale create myfirstnamespace
+   ```
 
 5. Run the server
-    ```shell
-    headscale serve
-    ```
-    or docker:
 
-    the db.sqlite mount is only needed if you use sqlite
-    ```shell
-    docker run -v $(pwd)/private.key:/private.key -v $(pwd)/config.json:/config.json -v $(pwd)/derp.yaml:/derp.yaml -v $(pwd)/db.sqlite:/db.sqlite -p 127.0.0.1:8000:8000 headscale/headscale:x.x.x headscale serve
-    ```
+   ```shell
+   headscale serve
+   ```
+
+   or docker:
+
+   the db.sqlite mount is only needed if you use sqlite
+
+   ```shell
+   docker run -v $(pwd)/private.key:/private.key -v $(pwd)/config.json:/config.json -v $(pwd)/derp.yaml:/derp.yaml -v $(pwd)/db.sqlite:/db.sqlite -p 127.0.0.1:8000:8000 headscale/headscale:x.x.x headscale serve
+   ```
 
 6. If you used tailscale.com before in your nodes, make sure you clear the tailscald data folder
-    ```shell
-    systemctl stop tailscaled
-    rm -fr /var/lib/tailscale
-    systemctl start tailscaled
-    ```
+
+   ```shell
+   systemctl stop tailscaled
+   rm -fr /var/lib/tailscale
+   systemctl start tailscaled
+   ```
 
 7. Add your first machine
-    ```shell
-    tailscale up -login-server YOUR_HEADSCALE_URL
-    ```
+
+   ```shell
+   tailscale up -login-server YOUR_HEADSCALE_URL
+   ```
 
 8. Navigate to the URL you will get with `tailscale up`, where you'll find your machine key.
 
 9. In the server, register your machine to a namespace with the CLI
-    ```shell
-    headscale -n myfirstnamespace node register YOURMACHINEKEY
-    ```
-    or docker:
-    ```shell
-    docker run -v $(pwd)/private.key:/private.key -v $(pwd)/config.json:/config.json -v $(pwd)/derp.yaml:/derp.yaml headscale/headscale:x.x.x headscale -n myfirstnamespace node register YOURMACHINEKEY
-    ```
-    or if your server is already running in docker:
-    ```shell
-    docker exec <container_name> headscale -n myfistnamespace node register YOURMACHINEKEY
-    ```
+   ```shell
+   headscale -n myfirstnamespace node register YOURMACHINEKEY
+   ```
+   or docker:
+   ```shell
+   docker run -v $(pwd)/private.key:/private.key -v $(pwd)/config.json:/config.json -v $(pwd)/derp.yaml:/derp.yaml headscale/headscale:x.x.x headscale -n myfirstnamespace node register YOURMACHINEKEY
+   ```
+   or if your server is already running in docker:
+   ```shell
+   docker exec <container_name> headscale -n myfistnamespace node register YOURMACHINEKEY
+   ```
 
 Alternatively, you can use Auth Keys to register your machines:
 
 1. Create an authkey
-    ```shell
-    headscale -n myfirstnamespace preauthkeys create --reusable --expiration 24h
-    ```
-    or docker:
-    ```shell
-    docker run -v $(pwd)/private.key:/private.key -v $(pwd)/config.json:/config.json -v$(pwd)/derp.yaml:/derp.yaml -v $(pwd)/db.sqlite:/db.sqlite headscale/headscale:x.x.x headscale -n myfirstnamespace preauthkeys create --reusable --expiration 24h
-    ```
-    or if your server is already running in docker:
-    ```shell
-    docker exec <container_name> headscale -n myfirstnamespace preauthkeys create --reusable --expiration 24h
-    ```
+
+   ```shell
+   headscale -n myfirstnamespace preauthkeys create --reusable --expiration 24h
+   ```
+
+   or docker:
+
+   ```shell
+   docker run -v $(pwd)/private.key:/private.key -v $(pwd)/config.json:/config.json -v$(pwd)/derp.yaml:/derp.yaml -v $(pwd)/db.sqlite:/db.sqlite headscale/headscale:x.x.x headscale -n myfirstnamespace preauthkeys create --reusable --expiration 24h
+   ```
+
+   or if your server is already running in docker:
+
+   ```shell
+   docker exec <container_name> headscale -n myfirstnamespace preauthkeys create --reusable --expiration 24h
+   ```
 
 2. Use the authkey from your machine to register it
-    ```shell
-    tailscale up -login-server YOUR_HEADSCALE_URL --authkey YOURAUTHKEY
-    ```
+   ```shell
+   tailscale up -login-server YOUR_HEADSCALE_URL --authkey YOURAUTHKEY
+   ```
 
 If you create an authkey with the `--ephemeral` flag, that key will create ephemeral nodes. This implies that `--reusable` is true.
 
-Please bear in mind that all the commands from headscale support adding `-o json` or `-o json-line`  to get a nicely JSON-formatted output.
-
+Please bear in mind that all the commands from headscale support adding `-o json` or `-o json-line` to get a nicely JSON-formatted output.
 
 ## Configuration reference
 
@@ -162,6 +176,7 @@ Headscale's configuration file is named `config.json` or `config.yaml`. Headscal
 ```
     "log_level": "debug"
 ```
+
 `log_level` can be used to set the Log level for Headscale, it defaults to `debug`, and the available levels are: `trace`, `debug`, `info`, `warn` and `error`.
 
 ```
@@ -192,7 +207,6 @@ Headscale's configuration file is named `config.json` or `config.yaml`. Headscal
 
 The fields starting with `db_` are used for the PostgreSQL connection information.
 
-
 ### Running the service via TLS (optional)
 
 ```
@@ -226,21 +240,21 @@ Alternatively, `tls_letsencrypt_challenge_type` can be set to `TLS-ALPN-01`. In
 Headscale implements the same policy ACLs as Tailscale.com, adapted to the self-hosted environment.
 
 For instance, instead of referring to users when defining groups you must
- use namespaces (which are the equivalent to user/logins in Tailscale.com).
+use namespaces (which are the equivalent to user/logins in Tailscale.com).
 
 Please check https://tailscale.com/kb/1018/acls/, and `./tests/acls/` in this repo for working examples.
 
+### Apple devices
+
+An endpoint with information on how to connect your Apple devices (currently macOS only) is available at `/apple` on your running instance.
 
 ## Disclaimer
 
 1. We have nothing to do with Tailscale, or Tailscale Inc.
 2. The purpose of writing this was to learn how Tailscale works.
 
-
-
 ## More on Tailscale
 
 - https://tailscale.com/blog/how-tailscale-works/
 - https://tailscale.com/blog/tailscale-key-management/
 - https://tailscale.com/blog/an-unlikely-database-migration/
-

app.go

@@ -168,6 +168,8 @@ func (h *Headscale) Serve() error {
 	r.GET("/register", h.RegisterWebAPI)
 	r.POST("/machine/:id/map", h.PollNetMapHandler)
 	r.POST("/machine/:id", h.RegistrationHandler)
+	r.GET("/apple", h.AppleMobileConfig)
+	r.GET("/apple/:platform", h.ApplePlatformConfig)
 	var err error
 
 	timeout := 30 * time.Second

apple_mobileconfig.go

@@ -0,0 +1,226 @@
+package headscale
+
+import (
+	"bytes"
+	"net/http"
+	"text/template"
+
+	"github.com/rs/zerolog/log"
+
+	"github.com/gin-gonic/gin"
+	"github.com/gofrs/uuid"
+)
+
+// AppleMobileConfig shows a simple message in the browser to point to the CLI
+// Listens in /register
+func (h *Headscale) AppleMobileConfig(c *gin.Context) {
+	t := template.Must(template.New("apple").Parse(`
+<html>
+	<body>
+		<h1>Apple configuration profiles</h1>
+		<p>
+		    This page provides <a href="https://support.apple.com/guide/mdm/mdm-overview-mdmbf9e668/web">configuration profiles</a> for the official Tailscale clients for <a href="https://apps.apple.com/us/app/tailscale/id1470499037?ls=1">iOS</a> and <a href="https://apps.apple.com/ca/app/tailscale/id1475387142?mt=12">macOS</a>.
+		</p>
+		<p>
+		    The profiles will configure Tailscale.app to use {{.Url}} as its control server.
+		</p>
+
+		<h3>Caution</h3>
+		<p>You should always inspect the profile before installing it:</p>
+		<!--
+		<p><code>curl {{.Url}}/apple/ios</code></p>
+		-->
+		<p><code>curl {{.Url}}/apple/macos</code></p>
+		
+		<h2>Profiles</h2>
+
+		<!--
+		<h3>iOS</h3>
+		<p>
+		    <a href="/apple/ios" download="headscale_ios.mobileconfig">iOS profile</a>
+		</p>
+		-->
+		
+		<h3>macOS</h3>
+		<p>Headscale can be set to the default server by installing a Headscale configuration profile:</p>
+		<p>
+		    <a href="/apple/macos" download="headscale_macos.mobileconfig">macOS profile</a>
+		</p>
+
+		<ol>
+		<li>Download the profile, then open it. When it has been opened, there should be a notification that a profile can be installed</li>
+		<li>Open System Preferences and go to "Profiles"</li>
+		<li>Find and install the Headscale profile</li>
+		<li>Restart Tailscale.app and log in</li>
+		</ol>
+
+		<p>Or</p>
+		<p>Use your terminal to configure the default setting for Tailscale by issuing:</p>
+		<code>defaults write io.tailscale.ipn.macos ControlURL {{.Url}}</code>
+
+		<p>Restart Tailscale.app and log in.</p>
+	
+	</body>
+</html>`))
+
+	config := map[string]interface{}{
+		"Url": h.cfg.ServerURL,
+	}
+
+	var payload bytes.Buffer
+	if err := t.Execute(&payload, config); err != nil {
+		log.Error().
+			Str("handler", "AppleMobileConfig").
+			Err(err).
+			Msg("Could not render Apple index template")
+		c.Data(http.StatusInternalServerError, "text/html; charset=utf-8", []byte("Could not render Apple index template"))
+		return
+	}
+
+	c.Data(http.StatusOK, "text/html; charset=utf-8", payload.Bytes())
+}
+
+func (h *Headscale) ApplePlatformConfig(c *gin.Context) {
+	platform := c.Param("platform")
+
+	id, err := uuid.NewV4()
+	if err != nil {
+		log.Error().
+			Str("handler", "ApplePlatformConfig").
+			Err(err).
+			Msg("Failed not create UUID")
+		c.Data(http.StatusInternalServerError, "text/html; charset=utf-8", []byte("Failed to create UUID"))
+		return
+	}
+
+	contentId, err := uuid.NewV4()
+	if err != nil {
+		log.Error().
+			Str("handler", "ApplePlatformConfig").
+			Err(err).
+			Msg("Failed not create UUID")
+		c.Data(http.StatusInternalServerError, "text/html; charset=utf-8", []byte("Failed to create UUID"))
+		return
+	}
+
+	platformConfig := AppleMobilePlatformConfig{
+		UUID: contentId,
+		Url:  h.cfg.ServerURL,
+	}
+
+	var payload bytes.Buffer
+
+	switch platform {
+	case "macos":
+		if err := macosTemplate.Execute(&payload, platformConfig); err != nil {
+			log.Error().
+				Str("handler", "ApplePlatformConfig").
+				Err(err).
+				Msg("Could not render Apple macOS template")
+			c.Data(http.StatusInternalServerError, "text/html; charset=utf-8", []byte("Could not render Apple macOS template"))
+			return
+		}
+	case "ios":
+		if err := iosTemplate.Execute(&payload, platformConfig); err != nil {
+			log.Error().
+				Str("handler", "ApplePlatformConfig").
+				Err(err).
+				Msg("Could not render Apple iOS template")
+			c.Data(http.StatusInternalServerError, "text/html; charset=utf-8", []byte("Could not render Apple iOS template"))
+			return
+		}
+	default:
+		c.Data(http.StatusOK, "text/html; charset=utf-8", []byte("Invalid platform, only ios and macos is supported"))
+		return
+	}
+
+	config := AppleMobileConfig{
+		UUID:    id,
+		Url:     h.cfg.ServerURL,
+		Payload: payload.String(),
+	}
+
+	var content bytes.Buffer
+	if err := commonTemplate.Execute(&content, config); err != nil {
+		log.Error().
+			Str("handler", "ApplePlatformConfig").
+			Err(err).
+			Msg("Could not render Apple platform template")
+		c.Data(http.StatusInternalServerError, "text/html; charset=utf-8", []byte("Could not render Apple platform template"))
+		return
+	}
+
+	c.Data(http.StatusOK, "application/x-apple-aspen-config; charset=utf-8", content.Bytes())
+}
+
+type AppleMobileConfig struct {
+	UUID    uuid.UUID
+	Url     string
+	Payload string
+}
+
+type AppleMobilePlatformConfig struct {
+	UUID uuid.UUID
+	Url  string
+}
+
+var commonTemplate = template.Must(template.New("mobileconfig").Parse(`<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>PayloadUUID</key>
+    <string>{{.UUID}}</string>
+    <key>PayloadDisplayName</key>
+    <string>Headscale</string>
+    <key>PayloadDescription</key>
+    <string>Configure Tailscale login server to: {{.Url}}</string>
+    <key>PayloadIdentifier</key>
+    <string>com.github.juanfont.headscale</string>
+    <key>PayloadRemovalDisallowed</key>
+    <false/>
+    <key>PayloadType</key>
+    <string>Configuration</string>
+    <key>PayloadVersion</key>
+    <integer>1</integer>
+    <key>PayloadContent</key>
+    <array>
+    {{.Payload}}
+    </array>
+  </dict>
+</plist>`))
+
+var iosTemplate = template.Must(template.New("iosTemplate").Parse(`
+    <dict>
+        <key>PayloadType</key>
+        <string>io.tailscale.ipn.ios</string>
+        <key>PayloadUUID</key>
+        <string>{{.UUID}}</string>
+        <key>PayloadIdentifier</key>
+        <string>com.github.juanfont.headscale</string>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+        <key>PayloadEnabled</key>
+        <true/>
+
+        <key>ControlURL</key>
+        <string>{{.Url}}</string>
+    </dict>
+`))
+
+var macosTemplate = template.Must(template.New("macosTemplate").Parse(`
+    <dict>
+        <key>PayloadType</key>
+        <string>io.tailscale.ipn.macos</string>
+        <key>PayloadUUID</key>
+        <string>{{.UUID}}</string>
+        <key>PayloadIdentifier</key>
+        <string>com.github.juanfont.headscale</string>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+        <key>PayloadEnabled</key>
+        <true/>
+
+        <key>ControlURL</key>
+        <string>{{.Url}}</string>
+    </dict>
+`))

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/docker/cli v20.10.8+incompatible // indirect
 	github.com/docker/docker v20.10.8+incompatible // indirect
 	github.com/efekarakus/termcolor v1.0.1
+	github.com/gofrs/uuid v4.0.0+incompatible // indirect
 	github.com/gin-gonic/gin v1.7.4
 	github.com/hako/durafmt v0.0.0-20210608085754-5c1018a4e16b
 	github.com/klauspost/compress v1.13.5

integration_test.go

@@ -21,6 +21,7 @@ import (
 	"github.com/ory/dockertest/v3/docker"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
+	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/ipn/ipnstate"
 
 	"inet.af/netaddr"
@@ -93,13 +94,14 @@ func TestIntegrationTestSuite(t *testing.T) {
 	}
 }
 
-func executeCommand(resource *dockertest.Resource, cmd []string) (string, error) {
+func executeCommand(resource *dockertest.Resource, cmd []string, env []string) (string, error) {
 	var stdout bytes.Buffer
 	var stderr bytes.Buffer
 
 	exitCode, err := resource.Exec(
 		cmd,
 		dockertest.ExecOptions{
+			Env:    env,
 			StdOut: &stdout,
 			StdErr: &stderr,
 		},
@@ -277,6 +279,7 @@ func (s *IntegrationTestSuite) SetupSuite() {
 		result, err := executeCommand(
 			&headscale,
 			[]string{"headscale", "namespaces", "create", namespace},
+			[]string{},
 		)
 		assert.Nil(s.T(), err)
 		fmt.Println("headscale create namespace result: ", result)
@@ -285,6 +288,7 @@ func (s *IntegrationTestSuite) SetupSuite() {
 		authKey, err := executeCommand(
 			&headscale,
 			[]string{"headscale", "--namespace", namespace, "preauthkeys", "create", "--reusable", "--expiration", "24h"},
+			[]string{},
 		)
 		assert.Nil(s.T(), err)
 
@@ -299,6 +303,7 @@ func (s *IntegrationTestSuite) SetupSuite() {
 			result, err := executeCommand(
 				&tailscale,
 				command,
+				[]string{},
 			)
 			fmt.Println("tailscale result: ", result)
 			assert.Nil(s.T(), err)
@@ -324,6 +329,7 @@ func (s *IntegrationTestSuite) TestListNodes() {
 		result, err := executeCommand(
 			&headscale,
 			[]string{"headscale", "--namespace", namespace, "nodes", "list"},
+			[]string{},
 		)
 		assert.Nil(s.T(), err)
 
@@ -374,6 +380,7 @@ func (s *IntegrationTestSuite) TestStatus() {
 				result, err := executeCommand(
 					&tailscale,
 					command,
+					[]string{},
 				)
 				assert.Nil(t, err)
 
@@ -435,6 +442,7 @@ func (s *IntegrationTestSuite) TestPingAllPeers() {
 						result, err := executeCommand(
 							&tailscale,
 							command,
+							[]string{},
 						)
 						assert.Nil(t, err)
 						fmt.Printf("Result for %s: %s\n", hostname, result)
@@ -453,6 +461,7 @@ func (s *IntegrationTestSuite) TestSharedNodes() {
 	result, err := executeCommand(
 		&headscale,
 		[]string{"headscale", "nodes", "list", "-o", "json", "--namespace", "shared"},
+		[]string{},
 	)
 	assert.Nil(s.T(), err)
 
@@ -465,6 +474,7 @@ func (s *IntegrationTestSuite) TestSharedNodes() {
 		result, err := executeCommand(
 			&headscale,
 			[]string{"headscale", "nodes", "share", "--namespace", "shared", fmt.Sprint(machine.ID), "main"},
+			[]string{},
 		)
 		assert.Nil(s.T(), err)
 
@@ -474,6 +484,7 @@ func (s *IntegrationTestSuite) TestSharedNodes() {
 	result, err = executeCommand(
 		&headscale,
 		[]string{"headscale", "nodes", "list", "--namespace", "main"},
+		[]string{},
 	)
 	assert.Nil(s.T(), err)
 	fmt.Println("Nodelist after sharing", result)
@@ -529,6 +540,108 @@ func (s *IntegrationTestSuite) TestSharedNodes() {
 	// }
 }
 
+func (s *IntegrationTestSuite) TestTailDrop() {
+	for _, scales := range s.namespaces {
+		ips, err := getIPs(scales.tailscales)
+		assert.Nil(s.T(), err)
+		apiURLs, err := getAPIURLs(scales.tailscales)
+		assert.Nil(s.T(), err)
+
+		for hostname, tailscale := range scales.tailscales {
+			command := []string{"touch", fmt.Sprintf("/tmp/file_from_%s", hostname)}
+			_, err := executeCommand(
+				&tailscale,
+				command,
+				[]string{},
+			)
+			assert.Nil(s.T(), err)
+			for peername, ip := range ips {
+				s.T().Run(fmt.Sprintf("%s-%s", hostname, peername), func(t *testing.T) {
+					if peername != hostname {
+
+						// Under normal circumstances, we should be able to send a file
+						// using `tailscale file cp` - but not in userspace networking mode
+						// So curl!
+						peerAPI, ok := apiURLs[ip]
+						assert.True(t, ok)
+
+						// TODO(juanfont): We still have some issues with the test infrastructure, so
+						// lets run curl multiple times until it works.
+						attempts := 0
+						var err error
+						for {
+							command := []string{
+								"curl",
+								"--retry-connrefused",
+								"--retry-delay",
+								"30",
+								"--retry",
+								"10",
+								"--connect-timeout",
+								"60",
+								"-X",
+								"PUT",
+								"--upload-file",
+								fmt.Sprintf("/tmp/file_from_%s", hostname),
+								fmt.Sprintf("%s/v0/put/file_from_%s", peerAPI, hostname),
+							}
+							fmt.Printf("Sending file from %s (%s) to %s (%s)\n", hostname, ips[hostname], peername, ip)
+							_, err = executeCommand(
+								&tailscale,
+								command,
+								[]string{"ALL_PROXY=socks5://localhost:1055/"},
+							)
+							if err == nil {
+								break
+							} else {
+								time.Sleep(10 * time.Second)
+								attempts++
+								if attempts > 10 {
+									break
+								}
+							}
+						}
+						assert.Nil(t, err)
+					}
+				})
+			}
+		}
+
+		for hostname, tailscale := range scales.tailscales {
+			command := []string{
+				"tailscale", "file",
+				"get",
+				"/tmp/",
+			}
+			_, err := executeCommand(
+				&tailscale,
+				command,
+				[]string{},
+			)
+			assert.Nil(s.T(), err)
+			for peername, ip := range ips {
+				s.T().Run(fmt.Sprintf("%s-%s", hostname, peername), func(t *testing.T) {
+					if peername != hostname {
+						command := []string{
+							"ls",
+							fmt.Sprintf("/tmp/file_from_%s", peername),
+						}
+						fmt.Printf("Checking file in %s (%s) from %s (%s)\n", hostname, ips[hostname], peername, ip)
+						result, err := executeCommand(
+							&tailscale,
+							command,
+							[]string{},
+						)
+						assert.Nil(t, err)
+						fmt.Printf("Result for %s: %s\n", peername, result)
+						assert.Equal(t, result, fmt.Sprintf("/tmp/file_from_%s\n", peername))
+					}
+				})
+			}
+		}
+	}
+}
+
 func getIPs(tailscales map[string]dockertest.Resource) (map[string]netaddr.IP, error) {
 	ips := make(map[string]netaddr.IP)
 	for hostname, tailscale := range tailscales {
@@ -537,6 +650,7 @@ func getIPs(tailscales map[string]dockertest.Resource) (map[string]netaddr.IP, e
 		result, err := executeCommand(
 			&tailscale,
 			command,
+			[]string{},
 		)
 		if err != nil {
 			return nil, err
@@ -551,3 +665,37 @@ func getIPs(tailscales map[string]dockertest.Resource) (map[string]netaddr.IP, e
 	}
 	return ips, nil
 }
+
+func getAPIURLs(tailscales map[string]dockertest.Resource) (map[netaddr.IP]string, error) {
+	fts := make(map[netaddr.IP]string)
+	for _, tailscale := range tailscales {
+		command := []string{
+			"curl",
+			"--unix-socket",
+			"/run/tailscale/tailscaled.sock",
+			"http://localhost/localapi/v0/file-targets",
+		}
+		result, err := executeCommand(
+			&tailscale,
+			command,
+			[]string{},
+		)
+		if err != nil {
+			return nil, err
+		}
+
+		var pft []apitype.FileTarget
+		if err := json.Unmarshal([]byte(result), &pft); err != nil {
+			return nil, fmt.Errorf("invalid JSON: %w", err)
+		}
+		for _, ft := range pft {
+			n := ft.Node
+			for _, a := range n.Addresses { // just add all the addresses
+				if _, ok := fts[a.IP()]; !ok {
+					fts[a.IP()] = ft.PeerAPIURL
+				}
+			}
+		}
+	}
+	return fts, nil
+}

machine.go

@@ -167,6 +167,7 @@ func (m Machine) toNode(includeRoutes bool) (*tailcfg.Node, error) {
 
 		KeepAlive:         true,
 		MachineAuthorized: m.Registered,
+		Capabilities:      []string{tailcfg.CapabilityFileSharing},
 	}
 	return &n, nil
 }