this post was submitted on 14 Jan 2025
9 points (90.9% liked)

Selfhosted

41084 readers
448 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
9
Add Tailscale sidecar to a custom nextcloud:fpm stack? (discuss.tchncs.de)
submitted 19 hours ago by [email protected] to c/[email protected]
5 comments fedilink hide all child comments
 

I am currently planning to set up nextcloud as it is described in https://help.nextcloud.com/t/nextcloud-docker-compose-setup-with-caddy-2024/204846 and make it available via tailscale.

I found a tailscale reverse proxy example for the AIO Version: https://github.com/nextcloud/all-in-one/discussions/5439 which also uses caddy as reverse proxy.

It might be possible to adjust it to the nextcloud:fpm stack.

But it might also be possible to use the built in reverse proxy of the tailscale sidecar by using a TS_SERVE_CONFIG . In this json file the multiple paths (/push/* and the / root) can be configured and can redirect to the right internal dns name and port (notify_push:7867 and web:80) https://tailscale.com/blog/docker-tailscale-guide

Has anyone done that? Can someone share a complete example?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 18 hours ago* (last edited 13 hours ago)

Partially yes, the tricky thing is that when using network_mode: "service:tailscale" (presumably on the caddy container since that's what needs to receive traffic from the tailscale network), you won't be able to attach the caddy container to any networks since it's using the tailscale network stack. This means that in order for caddy to reach your containers, you will need to add the tailscale container itself to the relevant networks. Any attached containers will be connected as well.

(Not sure if I misread the first time or if you edited but the way you say it is right, add the tailscale container to the proxy network so that caddy will also be added and can reach the containers)

Here's the super condensed version of what matters for connecting traefik/caddy to a VPN like wireguard/tailscale.

  • I left out all WG config since presumably you know how to configure tailscale
  • Left out acme / letsencrypt stuff since that would be different on caddy anyway
  • You may need to configure caddy to trust the tailscale tunnel IP of the machine on the other end that will be reverse proxying over the tunnel.
  • Traefik I guess requires you to specify the docker network to use to reach stuff, I just put anything that should be accessible into "ingress" as you can see. I'm not sure if my setup supports using a different proxy network per app but maybe caddy allows that.

My traefik compose:

services:
  wireguard:
    container_name: wireguard
    networks:
      - ingress

  traefik:
    network_mode: "service:wireguard"
    depends_on:
      - wireguard
    command:
      - "--entryPoints.web.proxyProtocol.trustedIPs=10.13.13.1" # Trust remote tunnel IP, the WG container is 10.13.13.2
      - "--entrypoints.websecure.address=:443"
      - "--entryPoints.websecure.proxyProtocol.trustedIPs=10.13.13.1"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.priority=100"
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=ingress"

networks:
  ingress:
    external: true

And then in a service's docker-compose:

services:
  ui:
    image: myapp
    read_only: true
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.myapp.rule=Host(`xxxx.xxxx.xxxx`)"
      - "traefik.http.services.myapp.loadbalancer.server.port=80"
      - "traefik.http.routers.myapp.entrypoints=websecure"
      - "traefik.http.routers.myapp.tls.certresolver=mytlschallenge"
    networks:
      - ingress

networks:
  ingress:
    external: true

(edited to fix formatting on mobile)