Using GitHub Actions to Access a Tailnet

I want to access a private network behind Tailscale so that I can make an API call to update my personal indexing service whenever a GitHub repo changes.

I could use webhooks, but I’ve set up Dokku on AWS to be completely private with no ports opened. Supporting webhooks would mean punching a hole in the network for the public internet (which could be done with Tailscale Funnel, but that’s for later).

To get notified of changes, I made a workflow in the repo that uses the Tailscale GitHub action.

  1. Create an OAuth client with only write permission on the Devices scope, restricted to the tag the workflow step will use (tag:ci in my case)
  2. Add the OAuth client ID and secret to the GitHub repo’s Actions secrets so they are available to the runner
  3. Create a GitHub Actions workflow and add a step that sets up Tailscale
  4. Add a step that curls the API inside the private tailnet

Example workflow:

name: Notify

on:
  push:
    branches:
      - main

jobs:
  notify-index:
    runs-on: ubuntu-latest
    steps:
    - name: Tailscale
      uses: tailscale/github-action@v2
      with:
        oauth-client-id: ${{ secrets.TAILSCALE_OAUTH_CLIENT_ID }}
        oauth-secret: ${{ secrets.TAILSCALE_OAUTH_SECRET }}
        tags: tag:ci
    - name: Call the private API
      id: call_api
      run: |
        # --fail makes a non-2xx response fail the step instead of passing silently
        curl --fail -X POST http://my-private-api.com/do-something
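A hardened version of the "Call the private API" step, added here as an example and not part of the original post or the Tailscale action: it refuses to POST to any host that is not a tailnet address, times out instead of hanging the runner, and fails the job on HTTP errors. It assumes the API is reachable via a MagicDNS name under *.ts.net or a Tailscale IPv4 address in the CGNAT range 100.64.0.0/10; the function names and hostnames are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a hardened "Call the private API"
# step. Assumed: the API lives at a *.ts.net MagicDNS name or a Tailscale IPv4
# address in 100.64.0.0/10; all hostnames here are made up.

# Extract the host from a URL (strip scheme, userinfo, port and path).
url_host() {
  h="${1#*://}"     # drop scheme
  h="${h%%/*}"      # drop path
  h="${h##*@}"      # drop userinfo (before the port, so user:pw@ is not mistaken for a port)
  case "$h" in
    \[*) h="${h#\[}"; h="${h%%\]*}" ;;   # bracketed IPv6 literal
    *)   h="${h%%:*}" ;;                 # drop port
  esac
  printf '%s' "$h"
}

# Return 0 when the host is a tailnet address: a *.ts.net MagicDNS name or an
# IPv4 address in 100.64.0.0/10 (100.64.0.0 - 100.127.255.255).
is_tailnet_host() {
  case "$1" in *.ts.net) return 0 ;; esac
  # otherwise it must be exactly four numeric octets
  case "$1" in *[!0-9.]*|.*|*.|*..*|'') return 1 ;; esac
  ip="$1"; oldifs="$IFS"; IFS=.; set -- $ip; IFS="$oldifs"
  [ $# -eq 4 ] || return 1
  if [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ] \
     && [ "$3" -le 255 ] && [ "$4" -le 255 ]; then
    return 0
  fi
  return 1
}

# The workflow's curl call with a target check, a timeout, retries and --fail,
# so a non-2xx response marks the GitHub step as failed. Returns 2 if the URL
# does not point into the tailnet.
call_private_api() {
  host=$(url_host "$1")
  if ! is_tailnet_host "$host"; then
    echo "refusing to call '$host': not a tailnet address" >&2
    return 2
  fi
  curl --silent --show-error --fail --max-time 30 --retry 3 -X POST "$1"
}
```

In the workflow, the `run:` step would call `call_private_api "$PRIVATE_API_URL"` with the URL kept in a repository variable rather than hard-coded.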