feat(tailscale): add login/authentication support with custom login server

Author: cgossiaux

tailscale/BarWidget.qml

@@ -89,13 +89,20 @@ Item {
     id: contextMenu
 
     model: [
+      {
+        "label": pluginApi?.tr("context.login"),
+        "action": "login",
+        "icon": "login",
+        "visible": mainInstance?.needsLogin ?? false
+      },
       {
         "label": (mainInstance?.tailscaleRunning ?? false)
           ? pluginApi?.tr("context.disconnect")
           : pluginApi?.tr("context.connect"),
         "action": "toggle-tailscale",
         "icon": (mainInstance?.tailscaleRunning ?? false) ? "plug-x" : "plug",
-        "enabled": mainInstance?.tailscaleInstalled ?? false
+        "enabled": mainInstance?.tailscaleInstalled ?? false,
+        "visible": !(mainInstance?.needsLogin ?? false)
       },
       {
         "label": pluginApi?.tr("actions.widget-settings"),
@@ -114,6 +121,10 @@ Item {
         if (mainInstance) {
           mainInstance.toggleTailscale()
         }
+      } else if (action === "login") {
+        if (mainInstance) {
+          mainInstance.loginTailscale()
+        }
       }
     }
   }

tailscale/Main.qml

@@ -55,6 +55,7 @@ Item {
   property bool tailscaleRunning: false
   property string tailscaleIp: ""
   property string tailscaleStatus: ""
+  property bool needsLogin: false
   property int peerCount: 0
   property bool isRefreshing: false
   property string lastToggleAction: ""
@@ -153,8 +154,15 @@ Item {
         try {
           var data = JSON.parse(stdout);
           root.tailscaleRunning = data.BackendState === "Running";
+          root.needsLogin = data.BackendState === "NeedsLogin";
 
-          if (root.tailscaleRunning && data.Self && data.Self.TailscaleIPs && data.Self.TailscaleIPs.length > 0) {
+          if (root.needsLogin) {
+            root.tailscaleIp = "";
+            root.tailscaleStatus = "NeedsLogin";
+            root.peerCount = 0;
+            root._realPeerList = [];
+            root.exitNodeStatus = null;
+          } else if (root.tailscaleRunning && data.Self && data.Self.TailscaleIPs && data.Self.TailscaleIPs.length > 0) {
             root.tailscaleIp = filterIPv4(data.Self.TailscaleIPs)[0] || data.Self.TailscaleIPs[0];
             root.tailscaleStatus = "Connected";
 
@@ -198,11 +206,13 @@ Item {
         } catch (e) {
           Logger.e("Tailscale", "Failed to parse status: " + e);
           root.tailscaleRunning = false;
+          root.needsLogin = false;
           root.tailscaleStatus = "Error";
           root._realPeerList = [];
         }
       } else {
         root.tailscaleRunning = false;
+        root.needsLogin = false;
         root.tailscaleStatus = "Disconnected";
         root.tailscaleIp = "";
         root.peerCount = 0;
@@ -236,6 +246,50 @@ Item {
 
   property string lastExitNodeAction: ""
 
+  property bool _loginUrlOpened: false
+
+  Process {
+    id: loginProcess
+
+    function _handleLine(data) {
+      if (root._loginUrlOpened) return;
+      var line = data.trim();
+      Logger.d("Tailscale", "Login output: " + line);
+      var urlMatch = line.match(/https?:\/\/\S+/);
+      if (urlMatch) {
+        root._loginUrlOpened = true;
+        Qt.openUrlExternally(urlMatch[0]);
+        ToastService.showNotice(
+          pluginApi?.tr("toast.title"),
+          pluginApi?.tr("toast.login-browser-opened"),
+          "external-link"
+        );
+      }
+    }
+
+    stdout: SplitParser {
+      onRead: data => loginProcess._handleLine(data)
+    }
+
+    stderr: SplitParser {
+      onRead: data => loginProcess._handleLine(data)
+    }
+
+    onExited: function (exitCode, exitStatus) {
+      Logger.d("Tailscale", "Login exited (code " + exitCode + "), urlOpened=" + root._loginUrlOpened);
+      if (exitCode !== 0 && !root._loginUrlOpened) {
+        ToastService.showError(
+          pluginApi?.tr("toast.title"),
+          pluginApi?.tr("toast.login-failed"),
+          "alert-circle"
+        );
+        Logger.e("Tailscale", "Login failed (exit " + exitCode + ")");
+      }
+      root._loginUrlOpened = false;
+      statusDelayTimer.start();
+    }
+  }
+
   // ─── Taildrop state ──────────────────────────────────────────────────────
 
   // Possible values: "idle", "receiving", "sending", "error"
@@ -455,6 +509,7 @@ Item {
   function updateTailscaleStatus() {
     if (!root.tailscaleInstalled) {
       root.tailscaleRunning = false;
+      root.needsLogin = false;
       root.tailscaleIp = "";
       root.tailscaleStatus = "Not installed";
       root.peerCount = 0;
@@ -480,6 +535,18 @@ Item {
     toggleProcess.running = true;
   }
 
+  function loginTailscale() {
+    if (!root.tailscaleInstalled)
+      return;
+    var loginServer = pluginApi?.pluginSettings?.loginServer || "";
+    var cmd = ["tailscale", "up", "--accept-routes"];
+    if (loginServer.trim() !== "") {
+      cmd.push("--login-server=" + loginServer.trim());
+    }
+    loginProcess.command = cmd;
+    loginProcess.running = true;
+  }
+
   Timer {
     id: updateTimer
     interval: refreshInterval
@@ -519,14 +586,19 @@ Item {
         "running": root.tailscaleRunning,
         "ip": root.tailscaleIp,
         "status": root.tailscaleStatus,
-        "peers": root.peerCount
+        "peers": root.peerCount,
+        "needsLogin": root.needsLogin
       };
     }
 
     function refresh() {
       updateTailscaleStatus();
     }
 
+    function login() {
+      loginTailscale();
+    }
+
     // Taildrop IPC: qs ipc call plugin:tailscale receive
     function receive() {
       startTaildropReceive();

tailscale/Panel.qml

@@ -353,7 +353,7 @@ Item {
             NText {
               text: mainInstance?.tailscaleRunning
                 ? (mainInstance?.peerList?.length || 0) + " " + (pluginApi?.tr("panel.peers"))
-                : pluginApi?.tr("panel.not-connected")
+                : (mainInstance?.needsLogin ? pluginApi?.tr("panel.not-authenticated") : pluginApi?.tr("panel.not-connected"))
               pointSize: Style.fontSizeS
               color: Color.mOnSurfaceVariant
             }
@@ -625,7 +625,23 @@ Item {
 
       NButton {
         Layout.fillWidth: true
-        text: mainInstance?.tailscaleRunning 
+        visible: mainInstance?.needsLogin ?? false
+        text: pluginApi?.tr("context.login")
+        icon: "login"
+        backgroundColor: Color.mPrimary
+        textColor: Color.mOnPrimary
+        enabled: mainInstance?.tailscaleInstalled ?? false
+        onClicked: {
+          if (mainInstance) {
+            mainInstance.loginTailscale()
+          }
+        }
+      }
+
+      NButton {
+        Layout.fillWidth: true
+        visible: !(mainInstance?.needsLogin ?? false)
+        text: mainInstance?.tailscaleRunning
           ? pluginApi?.tr("context.disconnect")
           : pluginApi?.tr("context.connect")
         icon: mainInstance?.tailscaleRunning ? "plug-x" : "plug"

tailscale/README.md

@@ -72,6 +72,7 @@ Right-click any online peer in the panel and choose **Send File**. A file picker
 | `taildropEnabled` | `true` | Enable Taildrop send/receive. When false, hides the Receive button and Send File option. |
 | `taildropDownloadDir` | `"~/Downloads"` | Directory where received files are saved |
 | `taildropReceiveMode` | `"operator"` | Taildrop receive mode: `operator` or `pkexec` |
+| `loginServer` | `""` | Custom login server URL (e.g. Headscale). Leave empty for default Tailscale. |
 
 ## IPC Commands
 
@@ -90,6 +91,7 @@ qs -c noctalia-shell ipc call plugin:tailscale <command>
 | `togglePanel` | Toggle Tailscale panel | `qs -c noctalia-shell ipc call plugin:tailscale togglePanel` |
 | `status` | Get current Tailscale status | `qs -c noctalia-shell ipc call plugin:tailscale status` |
 | `refresh` | Force refresh Tailscale status | `qs -c noctalia-shell ipc call plugin:tailscale refresh` |
+| `login` | Trigger Tailscale login (opens browser) | `qs -c noctalia-shell ipc call plugin:tailscale login` |
 | `receive` | Fetch any pending Taildrop files | `qs -c noctalia-shell ipc call plugin:tailscale receive` |
 
 ## Usage

tailscale/Settings.qml

@@ -75,6 +75,11 @@ ColumnLayout {
     pluginApi?.manifest?.metadata?.defaultSettings?.taildropReceiveMode ||
     "operator"
 
+  property string editLoginServer:
+    pluginApi?.pluginSettings?.loginServer ||
+    pluginApi?.manifest?.metadata?.defaultSettings?.loginServer ||
+    ""
+
   spacing: Style.marginM
 
   // Title section
@@ -185,6 +190,26 @@ ColumnLayout {
     onToggled: checked => root.editHideMullvadExitNodes = checked
   }
 
+  // Authentication section
+  NDivider {
+    Layout.fillWidth: true
+    Layout.topMargin: Style.marginM
+    Layout.bottomMargin: Style.marginM
+  }
+
+  NLabel {
+    label: pluginApi?.tr("settings.authentication")
+  }
+
+  NTextInput {
+    Layout.fillWidth: true
+    label: pluginApi?.tr("settings.login-server")
+    description: pluginApi?.tr("settings.login-server-desc")
+    placeholderText: "https://login.tailscale.com"
+    text: root.editLoginServer
+    onTextChanged: root.editLoginServer = text
+  }
+
   // Terminal section
   NDivider {
     Layout.fillWidth: true
@@ -316,6 +341,7 @@ ColumnLayout {
     pluginApi.pluginSettings.taildropEnabled = root.editTaildropEnabled
     pluginApi.pluginSettings.taildropDownloadDir = root.editTaildropDownloadDir
     pluginApi.pluginSettings.taildropReceiveMode = root.editTaildropReceiveMode
+    pluginApi.pluginSettings.loginServer = root.editLoginServer
 
     pluginApi.saveSettings()
 

tailscale/i18n/de.json

@@ -34,7 +34,10 @@
     "taildrop-receive-mode": "Empfangsmodus",
     "taildrop-receive-mode-desc": "Wie 'tailscale file get' ausgeführt wird. Der Operator-Modus erfordert keine Eingabeaufforderung, wenn 'sudo tailscale set --operator $USER' ausgeführt wurde.",
     "taildrop-receive-mode-operator": "Operator (keine Eingabeaufforderung)",
-    "taildrop-receive-mode-pkexec": "pkexec (jedes Mal Eingabeaufforderung)"
+    "taildrop-receive-mode-pkexec": "pkexec (jedes Mal Eingabeaufforderung)",
+    "authentication": "Authentifizierung",
+    "login-server": "Anmeldeserver",
+    "login-server-desc": "Benutzerdefinierte Anmeldeserver-URL (z. B. Headscale). Leer lassen für den Standard-Tailscale-Server."
   },
   "actions": {
     "widget-settings": "Widget Einstellungen"
@@ -49,7 +52,8 @@
     "ssh": "SSH zum Host",
     "ping": "Host anpingen",
     "use-exit-node": "Als Ausgangsknoten verwenden",
-    "send-file": "Datei senden"
+    "send-file": "Datei senden",
+    "login": "Anmelden"
   },
   "toast": {
     "title": "Tailscale",
@@ -66,12 +70,15 @@
     "terminal-not-configured": {
       "title": "Terminal nicht konfiguriert",
       "message": "Bitte leg einen Terminalbefehl in den Plugin Einstellungen fest"
-    }
+    },
+    "login-browser-opened": "Authentifizierungsseite im Browser geöffnet",
+    "login-failed": "Anmeldung fehlgeschlagen"
   },
   "panel": {
     "title": "Tailscale Netzwerk",
     "peers": "Peers",
     "not-connected": "Nicht verbunden",
+    "not-authenticated": "Nicht authentifiziert",
     "no-peers": "Keine verbundenen Peers",
     "admin-console": "Admin Konsole",
     "terminal-warning": {

tailscale/i18n/en.json

@@ -34,7 +34,10 @@
     "taildrop-receive-mode": "Receive Mode",
     "taildrop-receive-mode-desc": "How to run 'tailscale file get'. Operator mode requires no prompts if you have run 'sudo tailscale set --operator $USER'.",
     "taildrop-receive-mode-operator": "Operator (no prompt)",
-    "taildrop-receive-mode-pkexec": "pkexec (prompt each time)"
+    "taildrop-receive-mode-pkexec": "pkexec (prompt each time)",
+    "authentication": "Authentication",
+    "login-server": "Login Server",
+    "login-server-desc": "Custom login server URL (e.g. Headscale). Leave empty for default Tailscale server."
   },
   "actions": {
     "widget-settings": "Widget Settings"
@@ -49,7 +52,8 @@
     "ssh": "SSH to host",
     "ping": "Ping host",
     "use-exit-node": "Use as Exit Node",
-    "send-file": "Send File"
+    "send-file": "Send File",
+    "login": "Login"
   },
   "toast": {
     "title": "Tailscale",
@@ -66,12 +70,15 @@
     "terminal-not-configured": {
       "title": "Terminal Not Configured",
       "message": "Please set a terminal command in plugin settings"
-    }
+    },
+    "login-browser-opened": "Authentication page opened in browser",
+    "login-failed": "Login failed"
   },
   "panel": {
     "title": "Tailscale Network",
     "peers": "peers",
     "not-connected": "Not connected",
+    "not-authenticated": "Not authenticated",
     "no-peers": "No connected peers",
     "admin-console": "Admin Console",
     "terminal-warning": {

tailscale/i18n/fr.json

@@ -34,7 +34,10 @@
     "taildrop-receive-mode": "Mode de réception",
     "taildrop-receive-mode-desc": "Comment exécuter 'tailscale file get'. Le mode opérateur ne nécessite pas de confirmation si vous avez exécuté 'sudo tailscale set --operator $USER'.",
     "taildrop-receive-mode-operator": "Opérateur (sans confirmation)",
-    "taildrop-receive-mode-pkexec": "pkexec (confirmation à chaque fois)"
+    "taildrop-receive-mode-pkexec": "pkexec (confirmation à chaque fois)",
+    "authentication": "Authentification",
+    "login-server": "Serveur de connexion",
+    "login-server-desc": "URL du serveur de connexion personnalisé (ex. Headscale). Laisser vide pour le serveur Tailscale par défaut."
   },
   "actions": {
     "widget-settings": "Paramètres du widget"
@@ -49,7 +52,8 @@
     "ssh": "SSH vers l'hôte",
     "ping": "Ping l'hôte",
     "use-exit-node": "Utiliser comme nœud de sortie",
-    "send-file": "Envoyer un fichier"
+    "send-file": "Envoyer un fichier",
+    "login": "Se connecter"
   },
   "toast": {
     "title": "Tailscale",
@@ -66,12 +70,15 @@
     "terminal-not-configured": {
       "title": "Terminal non configuré",
       "message": "Veuillez définir une commande de terminal dans les paramètres du plugin"
-    }
+    },
+    "login-browser-opened": "Page d'authentification ouverte dans le navigateur",
+    "login-failed": "Échec de la connexion"
   },
   "panel": {
     "title": "Réseau Tailscale",
     "peers": "pairs",
     "not-connected": "Non connecté",
+    "not-authenticated": "Non authentifié",
     "no-peers": "Aucun pair connecté",
     "admin-console": "Console d'administration",
     "terminal-warning": {