Why not use systemd user units [0]? You can drop service files under `~/.config/systemd/user/` and enable them to be launched at login with `systemctl --user enable foo`. This is how the Crankshaft plugin loader autostarts itself on the Steam Deck [1]. It's published as a Flatpak [2] which you can install and update from SteamOS's built-in Discover software manager - on first run, the Flatpak drops the service file and enables it.
Also great for running an SSH Agent, since they aren't coupled to some magic invocation in some bashrc but will always be started when the user session starts and cleanly terminated when you log out (or linger if you set that up).
His method already does that. Creating a target for a single service is very much overkill. Though creating a target like setup or pre-default and putting in there might be a fine idea if you have other services you want to run that way.
But, since the unit is already setting a fixed path for the agent, I would just put that path in my .profile and call it a day. Having systems do environment variable injection seems too fragile to me, especially for static variables.
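As an added example (not from any commenter here), this is the systemd user unit pattern the first comment points at, applied to the SSH agent case: the unit pins the agent socket to `%t/ssh-agent.socket` (inside `$XDG_RUNTIME_DIR`, a per-user directory with mode 0700), and the shell just exports that fixed path from `.profile` rather than relying on any environment injection. `UNIT_DIR` is an assumed knob so the unit can be written to a scratch directory for a dry run; the `enable_ssh_agent_unit` step only runs when called explicitly.

```shell
# Added example: a systemd user unit that runs ssh-agent at login, plus the
# static SSH_AUTH_SOCK export that goes with it. UNIT_DIR is an assumption of
# this example; it defaults to the real user-unit directory.
UNIT_DIR=${UNIT_DIR:-"$HOME/.config/systemd/user"}

# Write ssh-agent.service and print its path.
write_ssh_agent_unit() {
  mkdir -p "$UNIT_DIR"
  cat > "$UNIT_DIR/ssh-agent.service" <<'EOF'
[Unit]
Description=SSH key agent

[Service]
Type=simple
# %t expands to $XDG_RUNTIME_DIR, so the socket sits in a private 0700 directory
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
# -D keeps the agent in the foreground; -a fixes the socket path
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target
EOF
  echo "$UNIT_DIR/ssh-agent.service"
}

# Because the socket path is fixed by the unit, a static export in ~/.profile
# is enough; no environment needs to be injected into the session.
profile_line() {
  echo 'export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"'
}

# Enable the unit for every future login and start it now.
enable_ssh_agent_unit() {
  command -v systemctl >/dev/null 2>&1 || { echo "systemctl not found" >&2; return 1; }
  systemctl --user daemon-reload
  systemctl --user enable --now ssh-agent.service
}

# To apply on a real session:
#   write_ssh_agent_unit && enable_ssh_agent_unit && profile_line >> ~/.profile
```

Check the result with `systemctl --user status ssh-agent.service`; the agent is tied to the user session rather than to a shell, so it goes away at logout unless lingering is enabled with `loginctl enable-linger`.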
Xe here! Fun fact: the original draft of that article went on a slight diatribe on what "spicy" means in that context. I think it was something like this:
> When I add something to my daily notes, if it's most directly related to another thing then I will try to describe it as a "spicy" or "diet" version of that other thing. "Spicy" means that there were things added and "diet" means things were removed. A systemd timer is a spicy cronjob because you can do a lot more with it than cron can on its own. An OpenRC service is a diet systemd service because you can do a lot more with systemd than with OpenRC. Think about how to describe things you don't really understand like this in your notes. It will help you a lot.
For some reason "spicy" also makes me think more opinionated? I like it. (There's also probably a place for "boneless skinless" in the arsenal somewhere)
It's pretty crazy how frequently her personal blogs and company articles come up when I'm looking for answers the past several months. Sure, most of what I'm looking for is Nix related, but she's written (and recorded) a ton of useful material. It's saved me so much time / frustration. Thanks Xe!
You're welcome! I wish I could do more of this as my dayjob, but that's just not in the cards for now. Most of what I do now as devrel is things focused on Tailscale and doing the production work (writing, making slides, filming, compositing, editing and publishing) for whatever conference talks I get accepted to.
This article jumps through so many weird hoops to avoid reinstalling Tailscale on (relatively rare) system OS updates and while I appreciate the author's creativity and dedication to user experience - just write a script. Your actual _settings_ / config / user data doesn't get overwritten, it's just the stuff in /usr so reinstalling means everything is exactly back to where it was before.
Every system update (which again, is rare, Steam Client updates are much more common and don't change the OS), I SSH in and run `sudo ./reinstall-software.sh`.
I think the last point gives away the reason. He wants to make it a packaged thing that users can install with very little knowledge. The blog post is more as an insight into a dev process than it is a 'howto' for others - although obviously it's that as well!
Bingo! This post was originally intended as an "engineering log" to work you through my thought process as I attacked putting Tailscale on the thing. It was also an exercise in trying to document how to think laterally and abuse second and third order properties of immutable operating systems to get them to do what you want.
Also as an aside, please use they or she to refer to me. I try to not be intrusive about it, but you are making a factual error by referring to me as "he".
You're welcome. I've unfortunately gotten used to it. With this kind of thing you either are polite and accept things with grace or you become a bitter sad person. It is really hard to stop myself from becoming bitter about all of this. I wish reality was better and that I didn't have to be literally an expert in so many things to be taken seriously.
I can look into that, but it may be a good idea to just stop assuming that tech is full of dudes. I'd need to think about how to do it without being an asshole about it, which is kind of hard. I may just make it show up only when hacker news is the referer.
I've had my deck since launch and have gone through several OS updates, it's not super common but I wouldn't call it relatively rare.
The only reason I noticed every update is because it kept wiping the screen keyboard I installed, because I couldn't get the built-in one working at first. It wasn't until later that I found out the actual Steam client has to be running in the desktop environment for the built-in keyboard to work.
I didn't know about the Steam Deck. A sleek handheld gaming console with PC hardware running Arch Linux under the hood. Looks like it even supports multiple operating systems. Didn't think I'd ever see something like this. As expected, it's held back by the massive power consumption of PC hardware. Imagine an Apple M1 Steam Deck...
I'd really like a handheld programming device. I wonder how easy it is to write software with it.
>As expected, it's held back by the massive power consumption of PC hardware.
Massive power consumption...?
I've never seen it report more than 20W being discharged from the battery (this is easily found in the menu) even during gaming.
>I wonder how easy it is to write software with it.
I'd call it borderline unusable for that unless you use a physical keyboard with it.
> Massive power consumption.. ? I've never seen it report more than 20W being discharged from the battery
For comparison, this is the same peak power consumption of the M1 base SoC. A debate could be had if the M1 would be faster overall (I don't think it would be in games if Rosetta is involved), but it's not going to lower power consumption.
Yes. All reviews I looked up complained about battery life. Some cited figures of 1-2 hours when playing demanding games. Is that wrong?
I assumed it had higher power consumption than the Apple M1 computers since they have a reputation for insane battery life. Not sure exactly how many watts they draw.
> I'd call it borderline unusable for that unless you use a physical keyboard with it
Well, I've written code using my phone... Can't be worse than that, can it?
Yeah, battery life varies greatly. More demanding games are in that ballpark. Sometimes you can squeeze more out by reducing the graphics settings and ensuring you have a set framerate cap. Older and less demanding titles get a lot better battery life. It can get 6 hours in something less demanding IME.
You can also easily use a physical keyboard and mouse with the Steam Deck either through Bluetooth or any old USB C hub. Video out works too and it supports MST so it's possible to do multiple external monitors even though it has a single USB C port (can't be done with M1!). It has a full fledged desktop mode that's basically just a normal distro with KDE. By default you can't use pacman to install Arch packages but you can easily enable it if you want. Flatpaks are easily installable by default though.
I'm not sure M1 would be much more efficient playing AAA games either. Some of the battery life advantage is just the fact that they have more room for more battery.
I also suggest being wary of early reviews of battery life. Later software updates introduced useful features that can improve battery life, such as 40 Hz refresh mode and FidelityFX Super Resolution (FSR).
Most early reviews wouldn't have taken that into account.
M1 machines do have better battery life (I think the M1 chip itself is 10W?) and a bigger battery by virtue of being in an iPad or a full laptop, as opposed to being crammed in a handheld. There's also the advantage of being an arm64 machine over a bloated x86_64, notorious for the complexity and power draw.
But also you have to consider that M1 Macs don't offer you 8 Zen 3 cores and 8 RDNA 2 GPU units. Apple devices are notorious for being less powerful than the competition, but making it up in software, which you can't really do when the task is gaming, since that is basically as close to a full synthetic benchmark as you can get.
Disregarding the arm/x86 compat layer that would be needed to play most games and its overhead, getting anywhere as close to steam deck framerate would probably take about 25 W worth of m1 chips. For 20 W, this thing is actually a beast. Like seriously, it runs Elden Ring (almost) well.
The Steam Deck is x86 despite being a handheld for compatibility with PC games.
There is already a compatibility layer software-wise (Proton to run Windows games on Linux), adding one more compatibility layer for hardware this time will add more problems to run games.
So unfortunately until PC game developers massively start to support ARM architectures, we're stuck with x86.
> So unfortunately until PC game developers massively start to support ARM architectures, we're stuck with x86.
No. All it needs is someone other than Apple to do what Apple did with the M1 - people have shown that you can run games perfectly fine in Rosetta [1].
Running games under Rosetta comes with a performance hit. A small hit, sure, but it definitely appears to be a large enough hit to kill the M1's power efficiency advantage. It's not far fetched that the AMD SoC in the deck is more power-efficient than M1 with Rosetta, even, especially since M1's GPU performance in games is notably below par.
Oddly enough I was just talking to some friends about my plan for the Steam Deck and my confusion on its update process - since the source code showed both partition image updates and pacman updates.
My day 1 goal is to get the system working with tailscale and games over NFS. Second is getting that managed by home-manager as an OK workaround for the A/B update system.
The long term project is to get the stock OS recreated in NixOS. Testing the system using a newer kernel for better Btrfs and Zen performance and faster gamescope (Wayland micro-compositor) updates seems like a really interesting project.
Every systemd-sysext image needs the OS and version hard coded in. In order to provide canned downloads, I'd need to make at least 4 images per release (one for every publicly available version of SteamOS) and it's honestly easier and arguably better to have the target device take what we already ship and make an image out of that on the heckin device.
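The comment above rests on how systemd-sysext decides whether to merge an extension: the image must carry `usr/lib/extension-release.d/extension-release.<name>` whose `ID` and `VERSION_ID` (or `SYSEXT_LEVEL`) match the host's `/etc/os-release`, and it may only populate `/usr` and `/opt`. The following shell functions are an added example (not from the article, Tailscale, or any commenter) that stage such a tree on the device itself, stamp it from the running OS, and check the stamp the way sysext will; `OS_RELEASE` is an assumed variable so the check can be run against a constructed os-release file, and the `ID=steamos` / `VERSION_ID="3.3"` values in the test are constructed samples.

```shell
# Added example: stage a systemd-sysext tree on the device and stamp it with
# the host's ID/VERSION_ID, which is what makes a canned image release-specific.
# OS_RELEASE is an assumption of this example; it defaults to the real file.
OS_RELEASE=${OS_RELEASE:-/etc/os-release}

# os_release_field KEY FILE -> value of KEY with surrounding quotes stripped
os_release_field() {
  sed -n "s/^$1=//p" "$2" | sed 's/^"\(.*\)"$/\1/' | head -n 1
}

# stage_sysext NAME ROOT PAYLOAD_DIR: copy PAYLOAD_DIR/usr into ROOT/usr and
# write the extension-release stamp from the host os-release; prints its path.
stage_sysext() {
  name=$1; root=$2; payload=$3
  id=$(os_release_field ID "$OS_RELEASE")
  version_id=$(os_release_field VERSION_ID "$OS_RELEASE")
  if [ -z "$id" ] || [ -z "$version_id" ]; then
    echo "cannot read ID/VERSION_ID from $OS_RELEASE" >&2
    return 1
  fi
  mkdir -p "$root/usr/lib/extension-release.d"
  if [ -d "$payload/usr" ]; then
    cp -R "$payload/usr/." "$root/usr/"
  fi
  stamp="$root/usr/lib/extension-release.d/extension-release.$name"
  printf 'ID=%s\nVERSION_ID=%s\n' "$id" "$version_id" > "$stamp"
  echo "$stamp"
}

# sysext_matches_host STAMP: succeed only when the stamp's ID and VERSION_ID
# equal the host's, i.e. when systemd-sysext would accept the extension.
sysext_matches_host() {
  [ "$(os_release_field ID "$1")" = "$(os_release_field ID "$OS_RELEASE")" ] &&
  [ "$(os_release_field VERSION_ID "$1")" = "$(os_release_field VERSION_ID "$OS_RELEASE")" ]
}

# sysext_tree_valid ROOT: the tree contains nothing but usr/ and opt/ at the top
# level and carries an extension-release stamp.
sysext_tree_valid() {
  [ -z "$(find "$1" -mindepth 1 -maxdepth 1 ! -name usr ! -name opt)" ] || return 1
  for f in "$1"/usr/lib/extension-release.d/extension-release.*; do
    [ -f "$f" ] && return 0
  done
  return 1
}
```

After staging, the tree can be turned into an image with `mksquashfs` (or simply symlinked into `/run/extensions/<name>`) and merged with `systemd-sysext merge`; after the next SteamOS update the stamp no longer matches and `sysext_matches_host` fails, which is exactly the point at which the extension has to be rebuilt on the device.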
I don't quite understand what this project is. How does it work with Moonlight or is it a replacement for Moonlight? (The docs don't seem to explain why I'd want to use it.)
Moonlight is a client for Nvidia GameStream, a local streaming server solution. A computer running GeForce Experience hosts the GameStream server - a client device running Moonlight receives the stream.
Typically GameStream is only hosted from a computer running GeForce Experience, which I believe is Windows-only and only compatible with Nvidia graphics cards. This Sunshine project is an alternative GameStream server, so that it can be hosted on macOS and Linux as well.
It's because they've achieved darling status on HN, which is what happens when a startup has founder/product/community/technical/intellectual fit and knows how to write.
I wrote a longer description of this phenomenon at https://news.ycombinator.com/item?id=30070287 (in the bottom third of the comment, starting with "Stripe succeeded on HN" - skip the tedious stuff before that).
There was also an entire thread about this a few weeks ago:
I actually learned how to write well as a result of my posts getting on Hacker News so much! I have you people to thank in the comments for my writing style getting so much better over the years. Thanks!
The links are very relevant. It seems a well-known phenomenon.
I think a core set of high-karma people heavily promoted Tailscale on HN in early days (and until recently). Like, not just commenting on Tailscale’s posts, but actively advertising it on various social media. I think that was crucial.
I don’t think it works well if you are not connected to or supported by these people.
If you mean "actively advertising Tailscale on social media", that's true. Tailscale is amazing. One of the most impressive things I've seen in my whole career. Of course people are talking it up.
If you mean "actively advertising Tailscale HN submissions on social media", no, no way. It wouldn't even work. The watchword of people with long experience on HN and who care about submissions is "don't talk about submissions on social media"; it trips the voting ring detector, which nobody knows how it works, and it is incredibly embarrassing talking to Dan to ask "did the voting ring detector flag this post (or are we just not as cool as we think we are)".
On top of that: Tailscalers were notable for their technical blogging before Tailscale existed. Avery's posts have been doing well on HN for years.
Finally, there is, if not a formula, then a sort of base recipe, like of a French mother sauce, for a strong HN post. Tailscale reliably hits all the notes. Dan has posted some of them in his Launch HN advice, if you're interested. There's a good chance Tailscale would rank well even if the product wasn't universally beloved by everyone, just because they've got their writing tuned the right way.
Add all that up and it's surprising to me that Tailscale isn't on HN more than it is.
I really don't think that's true. I'd be happy to look at past data to check that, if you have any links that you recall giving you this impression, but in my memory, the Tailscale people did basically nothing to promote themselves on HN and the user reaction (including from whatever high-karma users) was completely organic.
I do think the pedigree of the founders helps them a lot, but that's a different issue and also counts as completely organic. It's just harder to pull off if you haven't put in 20 years of hard work beforehand.
It's so soul- and bone-crushingly difficult for most startups to get attention on HN that I understand why it seems like these 'darling' successes must be pulling strings or knobs or levers, but it's really not like that. It's actually the other way around: if anyone does try to pull strings or knobs or levers, but without doing work and writing content that the community is genuinely excited by, the result would be a community backlash.
The other side is that the 'darling status' phenomenon is interesting and contains lessons for people who do hope to get attention for their work on HN.
Absolutely false. Tailscale is a darling exactly due to merit. They’ve earned every ounce of my love just by their product being so damn solid, easy to use, and elegant.
It. Just. Works. And it uses WireGuard. It solved every issue I had with WireGuard, which was mainly access control, user provisioning/auth, and device clients.
I’ve said it before, I’d happily pay them more than I pay now for 10 users.
Have you used their product? It’s a gd joy to use. In casual use, I haven’t run into any bugs at all. It took me all of about ten minutes to get set up, it just works, and I didn’t have to think too hard about it.
What’s their secret? A great product that people want to talk about.
Tailscale employee here. Imagine wireguard being even less effort to set up. Imagine no more firewall rules required. Imagine it being so easy it takes 5 minutes to put 2 devices on your network. That's what tailscale brings at its core. Then we can talk about things like ACLs, SSH, Tailauth, and more built on top of it.
There is also the automatic NAT traversal. Sure for devices on a home network, one can often set up port forwarding (or be lucky enough to have working ipv6). Corporate networks though often have NAT that regular employees cannot reconfigure, and probably don’t want to set up port forwarding to your machine.
Now imagine your workstation is on corp 1 network behind a NAT, and you are out at a corporate client with your laptop, behind another NAT, and need to access your workstation. With traditional wireguard, this situation would require negotiating port forwarding with one of the corps, or require using some form of publicly available bastion host.
With tailscale these things are not even a consideration. You will be able to access your workstation by name, without having to do anything extra.
Even where the corporate client has a crazy restrictive outbound firewall allowing only port 80 and port 443 to the public internet, you will be able to access your machine without having to do anything special. (In this case you would definitely be using tailscale’s Relay servers, so would have limited bandwidth, but it will still work seamlessly from your perspective.)
And assuming the tailnet you are using is your company's (rather than you adding your workstation to a personal tailnet), you could access not just your workstation, but any other machine that has tailscale installed connected to the same tailnet that the tailscale ACLs allow access to. So for example, the corporate documentation file share server, perhaps the reporting database server, etc.
I know that Xe previously had a rather nice manual Wireguard configuration that is either completely ripped out, or is at least seldom used, because tailscale is just simpler.
You don’t need any port forwarding, even in infinitely complex corporate networks: All users in the private network connect to a Wireguard access VPN that runs on a VPS, and talk to each other.
That VPN needs to listen to a port. But with mesh VPN, that’s exchanged with a coordination and/or relay server that listen to a port and facilitate the connection, at a minimum in the initial phase. There are open ports in mesh VPNs too.
The advantage of the old school access VPN is that, 1) fewer third parties are to be trusted, 2) your VPS is likely going to be in your geographical area, so if you are in a restrictive corporate network (considering that you emphasized this example), you get fast connection speeds vs potentially slow relays.
You may say, the access VPN may be far from the users. If you have a global business, sure, you need several VPS, which you may replace with several DERP nodes around the world in Tailscale, but for home users and some businesses, users are often in the same region.
Don’t get me wrong. I like mesh VPNs. They are convenient and useful, especially for small businesses. I tried Tailscale, it was simple and clean. But sometimes people make incorrect statements; just pointing this out.
Sure you don't need it, but you may _want_ it. Consider that some people really don't want to set up a reflector server in the cloud (not to mention how that means your reflector server's bandwidth limit becomes your whole VPN's bandwidth limit). Having the nitty-gritty of the data plane be peer to peer as much as possible means that your network has practically unlimited data. If I am trying to SSH into one of the machines under my desk I shouldn't need to poke a server in a datacenter downtown to do it.
There's also a bunch of people that want the convenience of being able to access things like their Synology NAS remotely. I'm almost certain that none of them want to set up a server in the cloud, or even understand what that means. Not everyone is super technically apt, and as a matter of policy we shouldn't try and make things with the assumption that everyone using them is a computing god already. People have to start from somewhere and it's perfectly okay for some people to not want to deep dive into the unrestrained horror of managing linux servers.
Things you don't have to do are easier than things you have to do.
Using a wireguard vpn concentrator “works”, but it has limitations like having a higher chance of interfering with access to the local network while connected. (Because the private addresses the remote network is using have a reasonable chance of clashing with the addresses on the local network.)
Also, you absolutely need either port forwarding (or other forms of static NAT mapping) for the concentrator, or to run the concentrator outside of the NAT. (Which might be by running the software on the router that does NAT, or a separate device with a routable address).
Setting up vpn concentration solutions that limit your network access to only specific devices depending on who you sign in as is often quite complicated, to the point where I rarely see it done well. Often if you are connected, you get full access to several corporate subnets, and you are mostly limited by things like router acls not allowing VPN connections direct access to some production subnets.
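The address-clash limitation described in that comment is easy to check for before connecting: compare the prefixes a concentrator pushes through `AllowedIPs` with the LAN you are sitting on. The functions below are an added example (not from any commenter) that do that comparison in plain shell arithmetic for IPv4 prefixes; the subnets in the usage line and test are constructed samples, and `vpn_clashes` is a name assumed for this example.

```shell
# Added example: detect IPv4 prefix overlap between the local LAN and the
# subnets a VPN concentrator would route, the clash the comment warns about.

# ip4_to_int A.B.C.D -> 32-bit integer
ip4_to_int() {
  IFS=. 
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range A.B.C.D/N -> "FIRST LAST" as integers
cidr_range() (
  ip=${1%/*}; bits=${1#*/}
  addr=$(ip4_to_int "$ip")
  if [ "$bits" -eq 0 ]; then
    mask=0
  else
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  fi
  first=$(( addr & mask ))
  last=$(( first | (4294967295 - mask) ))
  echo "$first $last"
)

# cidr_overlap A B -> succeeds when the two prefixes share at least one address
cidr_overlap() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# vpn_clashes LOCAL_CIDR REMOTE_CIDR... -> prints each remote prefix that
# overlaps the local one; succeeds only when none do.
vpn_clashes() {
  local_net=$1; rc=0; shift
  for remote in "$@"; do
    if cidr_overlap "$local_net" "$remote"; then
      echo "clash: local $local_net overlaps VPN route $remote"
      rc=1
    fi
  done
  return $rc
}

# Usage with constructed sample subnets; a hub that pushes 192.168.0.0/16
# will shadow a home LAN on 192.168.1.0/24:
#   vpn_clashes 192.168.1.0/24 10.8.0.0/24 192.168.0.0/16
```

Because `ip4_to_int` changes `IFS`, `cidr_range` runs in a subshell (note the parentheses) so the caller's word splitting is untouched. Mesh overlays sidestep this class of clash by giving each node its own address in a dedicated range rather than routing whole remote LANs, which is part of what the previous commenter meant by convenience.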
I ripped it out completely. My wireguard network was a "plan b" to get back into my servers, but I have another contingency plan now that I've removed manually managed WireGuard from the equation. Tailscale is just so damn convenient, it hurts lol.
If it was _only_ for my use, I might consider that option. However, my wife would laugh at me if I asked her to set up wireguard on any of her devices. Yes, it's documented. Yes, she could probably figure it out. But why should she have to when there's an even easier option? And why should I have to administer a Wireguard server somewhere when I could just not do that?
Not everybody needs/wants to do things manually. It's literally the reason for the existence of paid services.
I get your point - most people just don't like using computers and networking is scary (but are non-technical people part of the customer base here?). I'm just not convinced that the amount of work to set up wireguard is more than the amount of work to install and set up tailscale. Copy-paste IP and public key vs. download and login.
I don't see much value-add when I'm already going to be running servers anyway - wireguard is basically free as it's in-kernel everywhere. What's the argument for increasing my attack surface and introducing a centralized failure point and new recurring payment?
> most people just don't like using computers and networking is scary
Yes and also I don't want another thing to maintain.
> but are non-technical people part of the customer base here?
Yes. I'm 100% sure that there are companies that use Tailscale that employ nontechnical people who need access to resources only available on the VPN.
> I'm just not convinced that the amount of work to set up wireguard is more than the amount of work to install and set up tailscale. Copy-paste IP and public key vs. download and login.
For you, maybe it's so simple it's not worth thinking about different options. For me, it doesn't make much sense. I've made a concerted effort to remove publicly accessible, self-managed infrastructure from my network. I just don't want to deal with it. I do not have a VPS to install a Wireguard server on, I'm not interested in setting one up, and I really don't need it in the first place (especially if Tailscale gets me into my home network).
> wireguard is basically free as it's in-kernel everywhere
Not everyone runs Linux. There is a time cost for user set up as well - even if I wanted to run my own wireguard server, I'm probably not going to hand out access to people to SSH in and do a self-service type signup. Therefore, it falls on me. With Tailscale, I (or somebody else) can just add a Github user to an org and the rest can be done by an end user. The majority of the people who I'd want on my Tailscale network are already in a Github org that I control, so I usually don't even need to do that.
> What's the argument for increasing my attack surface and introducing a centralized failure point and new recurring payment?
The same as it is for any other paid service: running this myself requires more time and effort than it's worth (not just setup -- end user support, maintenance, upgrades, etc factor in too) + I'm willing to let somebody else take care of it for me. For my uses, Tailscale is actually free but I'm thinking about switching away from the Github Community Plan to a paid plan specifically because the product is good enough that I want to pay for it.
> In casual use, I haven’t run into any bugs at all. It took me all of about ten minutes to get set up, it just works, and I didn’t have to think too hard about it.
The one issue I have with Tailscale is that the on-demand/automatically activating VPN functions on iOS don't work correctly [0] [1]. Everything else about it, including the business model, makes me overjoyed. It's a great product.
Last time I posted on an HN thread about Tailscale someone else mentioned Tailscale mobile battery use issues on android.
I’m currently travelling and am staying in an area with terrible internet. Can now confirm that, in that situation, Tailscale battery use gets totally out of hand. In my case I only really had it on out of habit, so it’s easy to just not run it on my phone for the time being.
Caveat to say; I still love everything about Tailscale. I’ve switched to using Tailscale ssh for work and it’s an absolute joy.
I haven’t run into that one. I mostly use Tailscale for my home network, so I connect when I need access to something at home. I imagine they’ll figure that out though. Seems relatively straightforward to reproduce/debug.
The post from earlier today got me thinking about their blog post about the Steam Deck from last month. I was kinda surprised that someone hadn't already submitted it.
For what it's worth, a lot of the stuff in this post can be applied to a lot of things that aren't Tailscale. You can just consider Tailscale an arbitrary example of something really cool that you can do with your Steam Deck.
That said, Tailscale is also just an awesome company with an awesome product.
Some fun background information: in the process of writing this article I actually got a Steam Deck scalped off of eBay and was able to expense it. To this day it is the weirdest/most surreal expense I have ever filed and I am shocked I got away with it. I literally filed it under "development hardware" and it became a meme among my friends.
[0] https://wiki.archlinux.org/title/systemd/User
[1] https://crankshaft.space/docs/usage/autostart
[2] https://flathub.org/apps/details/space.crankshaft.Crankshaft