44 comments

[ 4.1 ms ] story [ 87.9 ms ] thread
Do I understand correctly that NixOS is a layer on top of a standard Linux distribution? I’m a bit familiar with nix the command line tool (just a bit). Given the name NixOS I expected it to be its own distribution. Is it instead a set of tools (nix package manager) and abstractions?
It isn't built on top of a Debian or a rpm based distro. It is a separate distribution itself: https://nixos.org/

But you can try it's package manager nix and it's package set nixpkgs in any other Linux distribution.

It is its own distribution - but like Nix itself, it installs just about everything into /nix. That means you can bootstrap it on another distribution as described here: https://nixos.org/manual/nixos/stable/#sec-installing-from-o...

> Because Nix (the package manager) & Nixpkgs (the Nix packages collection) can both be installed on any (most?) Linux distributions, they can be used to install NixOS in various creative ways. You can, for instance:

> 2. Install NixOS on the same partition (in place!), from your existing non-NixOS Linux distribution using NIXOS_LUSTRATE.

> /etc/NIXOS_LUSTRATE tells the NixOS bootup scripts to move everything that's in the root partition to /old-root. This will move your existing distribution out of the way in the very early stages of the NixOS bootup.

which is what the nixos-infect script does, because DO doesn't have native NixOS images.

Can someone explain why it's useful? Normally I start a new MC server in a minute on a bare metal machine with Java installed. This includes starting a new Tmux session, copying the template directory and editing server.properties.
I think this is more of a hello world demonstration rather than an example of where these tools are useful.
Which is odd, lots of 'Hello world' demonstrations coming out of Tailscale but in this case we have a personal user wanting to connect to a server with a public IP - this is easily setup using Wireguard as it is. What benefit do I get creating a gmail account and going through Tailscale?

I still prefer Wireguard or Zerotier depending on my own use cases - I don't see how tailscale adds value (for me)

Tailscale IS wireguard underneath. And it's painless. I mean really painless. My network is small (Arch Linux, MBP and an android phone) right now but will be adding my wifes machines soon. I am Planning to run dnsmasq (my next project). Tailscale has 'MagicDNS' but doesn't (yet?) support aliases, which is nice for hosted services (eg photos.domain.vpn)

I will be running self hosted services that we use and available anywhere in the world (with a connection) that I don't need a VPS for.

I am waiting for broader availability of their sharing feature: my extended family can each have their own networks and then I can expose self hosted services to them (ie photos, recipes, updates/posts, etc).

tailscale is more or less zerotier, just based on wireguard.

So it would give you most of the same benifits.

In this case I think the advantage is that minecraft server dont have to listen to a public ip adress.

ZeroTier is L2 while WireGuard is L3. That's a HUGE difference between the two. Unless TailScale is doing VXLAN over WireGuard or something fishy to move L2 around.
So everybody who wants to join the Minecraft server has to be in my Tailscale network? Why would I want that?
Disclaimer: I know next to nothing about admin-ing minecraft.

You can set an allowlist of mojang account identifiers in your server.properties.

I don't know how airtight that is, though, and I guess if you're running a public server on the default port 25565, you can expect to receive a bunch of connection attempts from people you don't know that will ultimately be unsuccessful but will take some CPU to reject (just like SSH on port 22).

It's probably less likely to receive UDP traffic on tailscale's default port these days than TCP on 25565. Even then, I would bet that it's cheaper to discard the tailscale/wireguard packets that you don't trust / aren't authenticated than it is for minecraft.jar to either fail to authn a client with mojang's servers or authenticate a client and then see that it's not in the allow list.

That is mentioned in the article

> You can also use node sharing to invite people you trust to your server. Generate an invite link in the admin panel and they can use that to join your adventure.

Though I did try to find the node sharing link generator in my control panel and failed - maybe it isn't available for non paying customers or maybe I'm just not very good at looking for stuff!

https://tailscale.com/kb/1084/sharing

It seems to be in an invite only beta. Maybe the article was scheduled and mistimed?

(Tailscale employee here)

I wouldn't say mistimed so much as "we were excited to get the post up". Node sharing is indeed in invite-only beta, though we're planning on opening that up very soon. Apologies for any frustration/confusion.

I was expecting the domain name to be christine.website, and I am not disappointed.
Tailscale is incredibly simple to set up, and just worked when I connected a Google Cloud VPC+subnets. One problem though: There's no way for a server to maintain an auth token for more than three months. You have to manually renew it.
Nope, you can just go to the machine admin page[1], tap the three dots at the end of the line and select "Disable key expiry".

[1] https://login.tailscale.com/admin/machines

It doesn't work for automatically deployed virtual machines that one would like to be connected to the vpn without interaction. You'll need to do a manual login before you can disable key expiry.
I get instantly turned off with these solutions where I need an account somewhere just to set up a secure connections between two things.

Am I too grumpy?

SaaS really is easier to use and easier to monetize. There are various self-hosted alternatives if that's what you want.
Whenever somebody writes a "do X in Y minutes" thing, I wonder how long it took them to get it to work and how many false starts there were along the way.
Author of the post here. It took me about 30 minutes to get it working (thanks to yaml), and I had two false starts thanks to yaml grammar being terrible.
Maybe you should try Guix?
The YAML is due to Digital Ocean, not Nix.
Not really related to this solution specifically but:

   # wait for tailscaled to settle
   sleep 2
This is going to break one day. They're already using systemd units - why not make tailscale notify when it's done with the startup? We have better tools than old initd - let's use them.
My thought also.

As well, maybe a little over-picky, but I’m not a fan of “22” in the firewall config. I assume there’s something like config.ssh.port

There is a `services.openssh.openFirewall = true` option that will open ports for all listener directives for you
Author of the post here. Yes, I'm aware. I've added systemd-notify support to git main, however it's not been released yet. As soon as it is released (and it percolates down to nixpkgs) that hack will be irrelevant and can be purged.
Why behind a vpn? It sounds painful to manage. What is the reason to not deploy this setup directly on internet with let's say a firewall or other security mechanisms?

- edit: Is it because it's not possible to have a good Minecraft gaming experience without it? I am really curious to understand why would people need that extra layer zero config vpn?

Also interested in this question.
NAT punching. Probably. Especially now that CGNAT is becoming endemic.

God I wish ipv6 had taken off. P2P has taken a huge hit because of NAT.

I don't think it's easy for most people to make device behind their IPv4 nat available.

Also the firewall won't provide the same security, here afaik it also handle auth for you (only approved clients can connect), so you don't have to worry about how secure the auth is on the server you're exposing.

(for most people doing all those things securily would likely take much longer than 10min, and unless they're very technically savy I'm not sure how much secure it would be)

So the main reason is mostly NAT is difficult to configure for home user and it also sometimes break gaming experience in some weird CGNAT setup? I like the anser and thanks for the info.

Anyone else have other reasons in minds why it's useful?

My ISP rotates my public IP frequently, for some reason. I have had it switch several times in a day. Dynamic DNS helps a bit, but a VPN would simplify that a lot.
Because Tailscale's product is a VPN, that's why. No other reason really.
Just a little note Tailscale isn't painful to manage - that's their base product: easy to use Wireguard.

As for whether you need it for a Minecraft server.. well I wouldn't personally have questioned it, we're on a site called hacker news after all. If anything I'd love more posts like this from people who are tinkering with things.

If you remove the DigitalOcean part though and add in a home PC you do then get the benefits of being able to just connect. No port forwards, no faff.

If we're really really unironically asking why.. because Tailscale wants more customers, it's what companies do.

> easy to use Wireguard

It gets easier?!

I love how easy Wireguard is, stock, so perhaps I'll try Tailscale.

Also, a good reason to do this would be to play with friends easily, sometimes NAT and other things make it hard to connect to a gaming server, and also servers like Minecraft run a lot of code from inexperienced devs, so probably lots of security concerns there. Setting up a firewall to do that is a bit harder, you need to know your friends IPs and such.

please forgive my ignorance, what is the point of tailscale in this? i read it but couldnt understand? is it like one of those "this assumes everyone is in the same local network witout firewall hassles? why not use something like zerotier?

does this do something else?

You're pretty much there.

Lots of kids and people without public IPs they can write NAT rules for setup Minecraft servers at home etc. This is the classic example that can be solved with ZeroTier, TailScale etc.

Tailscale and Zerotier are in roughly the same business: mesh VPN. And you might use this because you don't already have Zerotier setup, and are trying to determine how to use this.

And you might decide to use this instead of Zerotier because you don't trust the protocol behind Zerotier, being some weird custom thing, but Tailscale is just a fancy management layer over Wireguard.

Why 10 minutes? Why not 10 seconds? .... Why not 1 second for that matter.
It would be faster if DigitalOcean had a NixOS image.