Support tunnel mode for connections #20
kerthcet wants to merge 4 commits into
Signed-off-by: kerthcet <kerthcet@gmail.com>
Signed-off-by: kerthcet <kerthcet@gmail.com>
Pull request overview
This PR adds “tunnel mode” connectivity (via Tailscale/Headscale) for SandD controller and daemon workflows, along with supporting packaging, Docker, and documentation updates.
Changes:
- Added tunnel-mode support to the Rust controller (PyO3 bindings) and Rust daemon CLI.
- Introduced `TunnelConfig` in the Python API and expanded docs/examples for Headscale-based setups.
- Reorganized E2E Docker assets under `hack/docker/` and updated test/build wiring accordingly.
Reviewed changes
Copilot reviewed 19 out of 23 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| server/src/server.rs | Tweaks daemon registration log formatting. |
| server/src/lib.rs | Adds TunnelConfig + tunnel-mode setup logic in Rust/PyO3 server constructor. |
| sandd/src/main.rs | Adds daemon CLI tunnel flags and a Tailscale join routine. |
| README.md | Updates install + quickstart docs and introduces tunnel mode section. |
| python/tests/test_e2e.py | Points E2E tests at the relocated compose file. |
| python/sandd/server.py | Exposes connect/tunnel_config options in the Python Server wrapper. |
| python/sandd/init.py | Exports TunnelConfig from the extension module. |
| pyproject.toml | Updates maturin manifest path and packaging excludes. |
| Makefile | Updates E2E docker-compose path usages. |
| hack/scripts/install.sh | Adds a daemon installation script (currently incomplete/broken). |
| hack/docker/README.md | Documents Docker assets and tunnel-capable images. |
| hack/docker/Dockerfile.tunnel-release | Adds release-mode tunnel server image (PyPI-based). |
| hack/docker/Dockerfile.tunnel | Adds source-build tunnel server image (maturin build). |
| hack/docker/Dockerfile.rocky | Adds Rocky-based daemon image for E2E coverage. |
| hack/docker/Dockerfile.debian | Adds Debian-based daemon image for E2E coverage. |
| hack/docker/Dockerfile.daemon-tunnel-release | Adds release-mode tunnel daemon image (GitHub release binary). |
| hack/docker/Dockerfile.daemon-tunnel | Adds source-build tunnel daemon image. |
| hack/docker/Dockerfile.alpine | Adds Alpine-based daemon image for E2E coverage. |
| hack/docker/docker-compose.e2e.yml | Adds new E2E compose definition for multiple daemon images. |
| examples/tunnel-simple/README.md | Adds a step-by-step tunnel example walkthrough. |
| examples/tunnel-simple/headscale-config.yaml | Adds a minimal Headscale config for the example. |
| examples/tunnel-simple/docker-compose.yml | Adds a complete tunnel-mode example compose stack. |
| docs/TUNNEL.md | Adds extensive tunnel-mode documentation and security guidance. |
Comment on lines +67 to +70
| verbose: bool, | ||
| connect: String, | ||
| tunnel_config: Option<TunnelConfig>, | ||
| ) -> PyResult<Self> { |
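Review bot: `connect: String` in this constructor signature accepts any string, so the Rust side relies on every caller having validated the mode first. Parse it into a two-variant enum (direct, tunnel) at the top of the constructor, or match on it and return a `PyValueError` for anything else, so the extension module is safe to call without going through the Python wrapper.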
Comment on lines +101 to +102
| let config = tunnel_config.unwrap(); | ||
|
|
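Review bot: `tunnel_config.unwrap()` panics when tunnel mode is selected without a config, and a panic inside a PyO3 function reaches Python as a `PanicException` rather than an ordinary error. Since the parameter is `Option<TunnelConfig>`, convert the `None` case into a `PyValueError` with `ok_or_else(...)?` and a message that names the missing argument.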
Comment on lines +482 to +485
| let tailscale_check = Command::new("which") | ||
| .arg("tailscale") | ||
| .output(); | ||
|
|
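Review bot: probing with `Command::new("which")` makes the install check depend on a second external binary that minimal container images do not always ship, so a missing `which` would be reported as a missing `tailscale`. Run `tailscale` itself (for example `tailscale version`) and treat `std::io::ErrorKind::NotFound` from the spawn as the not-installed case.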
Comment on lines +495 to +500
| // Start tailscaled in background (if not already running) | ||
| let _tailscaled = Command::new("tailscaled") | ||
| .arg("--tun=userspace-networking") | ||
| .arg("--state=/var/lib/tailscale/tailscaled.state") | ||
| .spawn(); | ||
|
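Review bot: the `Result` from `.spawn()` is bound to `_tailscaled` and never inspected, so a failure to start `tailscaled` is silent and surfaces only when a later step needs it. The comment says "if not already running" but nothing in these lines checks for a running instance; either check first or reword the comment, and on `Err` log the cause and return. Keeping the `Child` handle would also let the daemon stop or wait on the process at shutdown.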
|
Comment on lines +470 to +472
| // Check if tailscale is installed | ||
| let tailscale_check = Command::new("which").arg("tailscale").output(); | ||
|
|
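Review bot: `.output()` on the `which` call returns `Ok` whenever `which` itself ran, including when it exits non-zero because `tailscale` was not found, so the code that consumes `tailscale_check` needs to test `output.status.success()` and not only `is_ok()`. The result also says only that some executable named `tailscale` is on `PATH`; logging the resolved path from stdout would make it clear which binary the daemon is about to use.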
Comment on lines +482 to +487
| // Start tailscaled in background (if not already running) | ||
| let _tailscaled = Command::new("tailscaled") | ||
| .arg("--tun=userspace-networking") | ||
| .arg("--state=/var/lib/tailscale/tailscaled.state") | ||
| .spawn(); | ||
|
|
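Review bot: `--state=/var/lib/tailscale/tailscaled.state` is hard-coded, which requires the daemon to run with write access to `/var/lib/tailscale` and gives operators no way to relocate it. That file holds the node's key material, so expose the path as a CLI flag with this value as the default and document the directory permissions it expects; the same applies to the fixed `--tun=userspace-networking`.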
Comment on lines +138 to +140
| from sandd import Server | ||
|
|
||
| server = Server(connect="tunnel") # Secure tunnel mode |
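Review bot: `Server(connect="tunnel")` is called here without a `tunnel_config`, but the wrapper validation in this PR raises `ValueError` when `connect == "tunnel" and tunnel_config is None`, so the example fails as written. Show the `TunnelConfig` being constructed and passed to `Server` so the snippet can be copied and run.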
Comment on lines 41 to 44
| exclude = [ | ||
| "Cargo.toml", | ||
| "sandd/**/*", | ||
| "/sandd", # Only exclude root sandd/ directory (Rust daemon source) | ||
| "target/**/*", |
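Review bot: `"sandd/**/*"` and `"/sandd"` appear together in this exclude list, yet only the second carries the comment saying it is meant to match the root directory alone. If the unanchored pattern is kept it may also match `python/sandd`, which is the package this build must ship; keep one pattern and confirm the result by listing the contents of the built wheel and sdist.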
Comment on lines +59 to +65
| if connect not in ["direct", "tunnel"]: | ||
| raise ValueError( | ||
| f"connect must be 'direct' or 'tunnel', got '{connect}'" | ||
| ) | ||
|
|
||
| if connect == "tunnel" and tunnel_config is None: | ||
| raise ValueError( |
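Review bot: `connect="direct"` combined with a non-None `tunnel_config` is not rejected in the lines shown, so a caller who builds a `TunnelConfig` and forgets to set `connect` would get a direct connection with no warning. Raise `ValueError` for that combination as well, next to the existing `connect == "tunnel" and tunnel_config is None` check. A tuple or set literal would also read better than a list in the `connect not in [...]` membership test.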
Signed-off-by: kerthcet <kerthcet@gmail.com>
What this PR does / why we need it
Which issue(s) this PR fixes
Fixes #
Special notes for your reviewer
Does this PR introduce a user-facing change?