Using Tailscale inside your builds on sr.ht are a little trickier then you might expect, since it’s done in a way thats counter to how Tailscale outlines the process of using it in CI inside their own docs. I had to learn this the hard way trying to get my own .builds.yml configured for this very blog, as the server it’s hosted on can only be accessed outside of HTTPS via the tailnet, and am now able to pass this knowledge onto you.

Initial Setup

You’ll need a tailscale authkey that is ephemeral, reusable, and pre-approved.

This authkey must be stored as a build secret as a file with the path ~/.tailkey, with the mode of 644.

Build.yml

Normally in a build environment like Google Cloud Run, you are restricted in running daemonized commands. Not so in sr.ht builds.

In my buildfile, I use alpine/edge, and have a task setup as follows:

tasks:
- tailscale: |
    sudo rc-update add tailscale
    sudo rc-service tailscale start
    sleep 5
    set +x
    source ~/.tailscale
    sudo tailscale up --authkey=$TKEY --hostname=builds.sr.ht
    set -x

The critical part of this is the “sleep 5”; set it any lower or remove it and the build will fail. I leave it as an exercise to the reader to figure out why.