I like these sorts of "small scale data problems". There is a lot of design space in this area when you don't have to be "web scale".
My approach for this particular problem is to check some TeX files into Git. I can render the cocktail recipes in two forms: one for my guests and one for myself that includes precise proportions.
Another approach for small scale data is "JSON files checked into git". (substitute JSON with whatever other text format you may like). This gives you a nice way to replicate data and to track changes to data.
(newbie checking) tsnet is a really interesting idea -- that an application can act like a device with networking baked in, and that application access can be controlled at the network level via the Tailscale ACLs.
The project that has a feature which allows admins to SSH to any computer in the VPN? [1]
They have a feature called remote SSH access where the agent running on the node allows other VPN users to SSH to another machine on the network without having SSH enabled / public keys set up. I've tested the project at the beginning of the year and it was a big NO for me. They seemed to fix this issue but it appeared again.
I wanted to check it out but they apparently can't even manage to do IPv6 correctly for their own service; advertising an AAAA record but not answering on it even for ICMPv6 let alone TCP 443/80 - apparently on AWS.
Yet to try it, but both seem to be comparable if you are self-hosting your own network. Otherwise, the two extra users [1][2] that netbird seems to provide in the free tier are the sole key differentiator.
I'm also curious how it differs from self-hosting headscale; does netbird have the same kinds of features? Something like MagicDNS that is equally seamless?
Check out OpenZiti - https://openziti.io/. I work on it. It's OSS, can be self-hosted, and has its own CA/PKI with the ability to work with any external provider, either to replace the primary or to augment it as a secondary.
As the endpoint consumes the identity to do authN/authZ to the overlay, no login is required (but it can be added if you want that additional protection).
How does adding Tailscale to this example add anything? What does he get by not just adding this site to the regular Internet? Or am I just a Tailscale skeptic?
As with most software, you could do without Tailscale, it's just easier to use their software which glues a bunch of pieces together, rather than glue it together yourself, unless you have good reason to, which is entirely possible.
Specifically:
> As a result, the application is now available at https://libations, with a valid LetsEncrypt certificate, on all of my machines!
So you'd have to set up a VPN on all of your devices, set up a DNS server, set all your machines to use that DNS server, set up a reverse proxy, buy a domain, set up Let's Encrypt for it... or just use Tailscale. No one's forcing you to use Tailscale, it's your time and you get to choose to use it however you like, but unless you want to make that your project, instead of the libations app, why spend time configuring all that you don't have to? (Because you want to is an entirely valid reason, mind you.)
Tailscale handles the DNS; you just need to install Tailscale on all the boxes you want on your tailnet.
EDIT: I'd suggest trying it out, they have a very generous free tier. I didn't really understand how much more seamless and feature-rich it was than any standard VPN setup I've ever set up for my home network.
Tailscale adds nothing to the example application, but the example is simple enough to demonstrate adding Tailscale to a project in a single blog post. Many demonstrations like this don't benefit, themselves, from the tools demonstrated, that's why they're called demonstrations.
I'm by no means a Tailscale expert (having only recently started playing with it myself), but I see the benefit of having a little bubble of protection or at least obscurity for more private web apps. One's own sort of LAN-ternet of possible apps that can be more safely enjoyed with family, friends, or just one's self.
For example, I've self-hosted Nextcloud for many years... and as much as I love Nextcloud, managing it is not easy (well, it's much easier now)... And separate from the functional annoyances of the platform, there's the constant fear and battle of fending off internet attacks... constantly! So, things like Tailscale as well as other open source solutions allow for a sort of internet-within-an-internet... so, one could self-host a Nextcloud instance that is only available to, say, your family or friends via Tailscale, chopping off a big portion of potential baddies. To add to this, your local ISP likely won't be aware of your self-hosting and hopefully won't unexpectedly block your access to your home servers, etc. Again, I'm not an expert, but I see the potential! And non-techies need not worry about jumping through too many hoops... all they need is to ensure the Tailscale client is on/activated in the background, and they engage some web app in a sort of regular fashion - like they do with other web apps... I guess. I'm gonna stop here cuz I sound like a shill, when really I'm just starting to like this sort of VPN thingy.
zrok would work, but OpenZiti (which zrok is built on) is probably a better comparison to Tailscale IMHO. zrok is a 'ziti-native' app which includes functions to replace Ngrok/Cloudflare Tunnels/Tailscale Funnels (i.e., publicly share resources) while also being able to do other use cases, e.g., private shares, VPN replacement, Caddy, fileshares.
OpenZiti is the lower-level overlay network which can be configured for any use case. It implements zero trust/deny-by-default principles more rigorously than Tailscale, it's open source as you say, and it includes SDKs for many languages to enable app-embedded use. Unlike 'tsnet', the SDKs do not have a userspace TCP/IP networking stack, as it's not needed.
zrok, being built on OpenZiti, benefits from the Ziti SDKs too. We already put wrappers around the Golang, Python, and NodeJS SDKs. Could do many more.
Evangelising and telling others how awesome zrok and OpenZiti are, that's where you can help the most, my friend. Secondary to that, if there are any improvements or developments that would help you get more value, we love to hear that. Feel free to join the support community too - https://openziti.discourse.group/
https://github.com/AustinWise/DrinkMenu
FYI this has been posted here recently.
https://news.ycombinator.com/item?id=41314522
https://news.ycombinator.com/item?id=41309860
are there any equivalents in other languages?
[1] https://github.com/netbirdio/netbird/issues/1868
[1] https://netbird.io/pricing
[2] https://www.tailscale.com/pricing
I have been burned by OAuth a few times, so I can't have Tailscale, at least hosted.
Any idea if Nebula and other alternatives are good enough?
Bizarre tech stack and choices!
But, always cool when anyone makes anything work. Enjoy the (nonalcoholic) drinks!
- No bots (it's only accessible within his private Tailscale network)
- No payments for a private domain name
- Selective control over who has access to his site