[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-82716":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":15,"stars7d":16,"stars30d":17,"stars90d":15,"forks30d":15,"starsTrendScore":13,"compositeScore":18,"rankGlobal":10,"rankLanguage":10,"license":10,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":19,"hasPages":19,"topics":21,"createdAt":10,"pushedAt":10,"updatedAt":22,"readmeContent":23,"aiSummary":24,"trendingCount":15,"starSnapshotCount":15,"syncStatus":25,"lastSyncTime":26,"discoverSource":27},82716,"tailscale-macos-vm","highpost\u002Ftailscale-macos-vm","highpost","Using Tailscale with an OrbStack VM on macOS","",null,"Shell",131,3,110,0,6,12,43.01,false,"main",[],"2026-06-12 04:01:38","# Using Tailscale with an OrbStack VM on macOS\n\nThis repository demonstrates how to use **OrbStack** on macOS to provision an Ubuntu virtual machine (VM), and then add it to your tailnet.\n\nUnlike minimal container runtimes that lack native kernel modules, OrbStack provides a fully capable Linux kernel environment. This allows Tailscale to leverage standard kernel networking (`\u002Fdev\u002Fnet\u002Ftun`) rather than relying on userspace-networking workarounds.\n\nOrbStack first spins up a temporary VM instance which allows `cloud-init` to pull its configuration from `dev-server.yml` and then stops the VM. Then OrbStack wakes up the pre-configured VM, adds it to your tailnet using an auth key and enables Tailscale SSH. You can then SSH to your VM from anywhere, without exposing host ports.\n\nThis example also demonstrates a macOS-specific method for securely storing your Tailscale auth key in Apple Keychain. 
Due to macOS security sandbox restrictions, the guest VM cannot directly execute `security find-generic-password` to pull secrets from the host. Instead, the credential must be injected from the host macOS environment during provisioning, as shown in `run.sh`.\n\n## macOS notes\n\n### Keychain limitations\n\nApple's Security Framework is designed around an interactive desktop login session. Remote SSH sessions are not the same as local GUI login sessions, so they don't usually have access to the user's unlocked login keychain. In practice, this means you can't remotely run the `run.sh` script to create an OrbStack VM.\n\n### DNS limitations\n\nIn a scenario where you're trying to use a Mac mini as a server hosting OrbStack VMs, and you want to be able to reach these with Tailscale SSH, you will need to run the open source Tailscale package on both the Mac mini and the VM. This works elegantly for connecting with SSH from a remote MacBook to your OrbStack VM.\n\nBut this can also lead to confusion about what macOS DNS can resolve. 
The easiest workaround is to use Tailscale DNS for name resolution and add a specific entry to your SSH config file for your VM.\n\n```\nHost dev-server\n    HostName w.x.y.z\n    User player1\n```\n\n## Modify access controls\n\nBefore launching the VM, configure your Tailscale Access Control Lists (ACLs) to handle the automated registration and permissions.\n\n### Create a tag\n\nGo to [Access controls > Tags](https:\u002F\u002Flogin.tailscale.com\u002Fadmin\u002Facls\u002Fvisual\u002Ftags) and define a server tag:\n\n* **Tag name:** `myservers`\n* **Tag owners:** `your-email@example.com`\n\n### Modify the Tailscale SSH access controls\n\nGo to [**Access controls > Tailscale SSH**](https:\u002F\u002Flogin.tailscale.com\u002Fadmin\u002Facls\u002Fvisual\u002Ftailscale-ssh\u002F) and ensure your policy permits access to the tagged servers and specified users:\n\n```json\n\"ssh\": [\n\t\u002F\u002F Any tailnet member (autogroup:member) can SSH as a non-root user\n\t\u002F\u002F to their own devices (autogroup:self).\n\t{\n\t\t\"src\":    [\"autogroup:member\"],\n\t\t\"dst\":    [\"autogroup:self\"],\n\t\t\"users\":  [\"autogroup:nonroot\", \"player1\", \"player2\"],\n\t\t\"action\": \"accept\",\n\t},\n\t\u002F\u002F Any tailnet member (autogroup:member) can SSH as a non-root user\n\t\u002F\u002F to any device tagged with myservers.\n\t{\n\t\t\"src\":    [\"autogroup:member\"],\n\t\t\"dst\":    [\"tag:myservers\"],\n\t\t\"users\":  [\"autogroup:nonroot\", \"player1\", \"player2\"],\n\t\t\"action\": \"accept\",\n\t},\n\t\u002F\u002F Allow tagged servers to SSH into other tagged servers.\n\t{\n\t\t\"src\":    [\"tag:myservers\"],\n\t\t\"dst\":    [\"tag:myservers\"],\n\t\t\"users\":  [\"autogroup:nonroot\", \"player1\", \"player2\"],\n\t\t\"action\": \"accept\",\n\t},\n],\n```\n\n* Add your new tag (`\"myservers\"`) to the **Destination** (`dst`) array.\n* Add the Linux usernames defined in your `cloud-config` (`\"player1\", \"player2\"`) to the **Destination users** 
(`users`) array.\n* Change `\"action\"` from `\"check\"` to `\"accept\"` for seamless SSH access.\n\n## Create a Tailscale auth key\n\n1. Generate an auth key via the [Tailscale Admin Keys panel](https:\u002F\u002Flogin.tailscale.com\u002Fadmin\u002Fsettings\u002Fkeys) with these configurations:\n* **Reusable:** Enabled\n* **Pre-authorized:** Enabled\n* **Tags:** Choose the newly created tag: `tag:myservers`\n\n2. Store the newly created auth key in Keychain:\n\n```\n.\u002Fstore-ts-key-keychain.sh\n```\n\n*(Note: This creates an entry named `tailscale-auth-key-dev-server` in your Keychain).*\n\n## Build and provision the VM\n\n```\n.\u002Fbuild.sh\n```\n\n## Start the VM and add it to your tailnet\n\n```\n.\u002Frun.sh\n```\n\n## Connect to the VM\n\nOnce `run.sh` finishes authenticating the machine, you can connect directly over your tailnet using Tailscale SSH or jump straight into the machine locally via OrbStack:\n\n* **MagicDNS name:** `ssh player1@dev-server`\n* **built-in local SSH proxy:** `ssh player1@dev-server@orb`\n* **CLI:** `orb -m dev-server`\n\n## Example: git\n\nOnce Tailscale SSH is set up correctly, it's simple to use `git` remotely. Let's\nassume that we have a `git` repo on `dev-server`. We can simply clone it directly without any extra authentication:\n\n```\ngit clone https:\u002F\u002Fgithub.com\u002Fplayer1\u002Fmy_proj\n```\n\n---\n\n## Files\n\n* `dev-server.yml`: A `cloud-init` recipe that specifies environment configurations, system locales, default development packages, user access profiles and installation tasks for the Tailscale engine.\n* `build.sh`: Builds and provisions an Ubuntu 25.10 environment using the `cloud-init` configuration in `dev-server.yml`.\n* `run.sh`: Pulls the auth key from Keychain and brings up the Tailscale interface (`tailscale up`) inside the VM with SSH enabled.\n* `cleanup.sh`: Fully tears down the setup. 
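It logs out the VM from your tailnet, destroys the OrbStack instance, and wipes the auth key from Keychain.\n* `store-ts-key-keychain.sh`: Copies the auth key from the system clipboard and stores it in Keychain.\n","This project shows how to use OrbStack on macOS to create an Ubuntu virtual machine and join it to a Tailscale network. Its core feature is that OrbStack provides a complete Linux kernel environment, so Tailscale can use the standard kernel networking interface rather than a userspace-networking workaround. The project also presents a method for securely storing the Tailscale auth key in Apple Keychain and provides a workflow for macOS-specific limitations. It suits scenarios that need to quickly set up a development or test environment on macOS and want remote access and management through Tailscale.",2,"2026-06-11 04:09:00","CREATED_QUERY"]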