docs(setup): add Podman SELinux note and enhance Tailscale access instructions in README
Some checks failed
/ validate-docker-compose (push) Has been cancelled
Some checks failed
/ validate-docker-compose (push) Has been cancelled
This commit is contained in:
parent
44cdc60ab3
commit
3f05975393
38
README.md
38
README.md
@ -95,8 +95,18 @@ For the first time, run `./update-config.sh` to update the applications base URL
|
||||
|
||||
If you want to show Jellyfin information in the homepage, create it in Jellyfin settings and fill `JELLYFIN_API_KEY`.
|
||||
|
||||
### Podman / SELinux Note (Rootful Mode)
|
||||
|
||||
If you are running `podman compose` with `sudo` (rootful mode) on an SELinux-enabled system (like Fedora, CentOS, RHEL) and encounter 'permission denied' errors when containers (like Watchtower, Autoheal, Traefik) try to access `/var/run/docker.sock`, you likely need to allow containers to manage the host system's container resources. Run the following command on your host system to enable this persistently:
|
||||
|
||||
```bash
|
||||
sudo setsebool -P container_manage_cgroup on
|
||||
```
|
||||
|
||||
## Environment Variables
|
||||
|
||||
Before starting, copy `.env.example` to `.env` and ensure all necessary variables are set according to your environment. This includes user/group IDs (`USER_ID`/`GROUP_ID`), paths (`CONFIG_ROOT`, `DATA_ROOT`, `DOWNLOAD_ROOT`), credentials (like `TAILSCALE_AUTHKEY`, `PIA_USER`/`PASS` if using VPN), your desired `HOSTNAME`, and any API keys required for Homepage widgets (`SONARR_API_KEY`, `RADARR_API_KEY`, etc.).
|
||||
|
||||
| Variable | Description | Default |
|
||||
|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------|
|
||||
| `COMPOSE_FILE` | Docker compose files to load | |
|
||||
@ -303,23 +313,27 @@ Certificate generation can be disabled by setting `DNS_CHALLENGE` to `false`.
|
||||
|
||||
### Accessing from the outside with Tailscale
|
||||
|
||||
If we want to make it reachable from outside the network without opening ports or exposing it to the internet, I found
|
||||
[Tailscale](https://tailscale.com) to be a great solution: create a network, run the client on both the NAS and the device
|
||||
you are connecting from, and they will see each other.
|
||||
This setup includes a `tailscale` sidecar container to manage external access via your Tailnet, handling HTTPS termination. If we want to make the services reachable from outside the local network without opening router ports or exposing them directly to the internet, [Tailscale](https://tailscale.com) is a great solution.
|
||||
|
||||
In this case, the A record should point to the IP Tailscale assigned to the NAS, eg `100.xxx.xxx.xxx`:
|
||||
**How it works:**
|
||||
1. The `tailscale` container authenticates to your Tailnet using the `TAILSCALE_AUTHKEY` provided in your `.env` file.
|
||||
2. Based on the `ENABLE_FUNNEL_HTTPS` variable in `.env`:
|
||||
* If `true`, Tailscale Funnel is enabled, making your services accessible publicly via your Tailscale domain (`<TAILSCALE_HOSTNAME>.<your-tailnet-name>.ts.net`).
|
||||
* If `false` (default), Tailscale Serve is used, making your services accessible only to devices logged into your Tailnet via the Tailscale domain or the container's Tailscale IP.
|
||||
3. Tailscale handles the incoming HTTPS connection and terminates the TLS encryption.
|
||||
4. It then forwards the decrypted HTTP request internally to Traefik (`http://traefik:80`), which routes it to the correct application based on the hostname/path.
|
||||
|
||||
**DNS Setup:**
|
||||
For this to work seamlessly with your `HOSTNAME` (e.g., `nas.domain.com`), you need a DNS record pointing to the Tailscale IP of the `tailscale` container.
|
||||
```
|
||||
nas.domain.com. 1 IN A 100.xxx.xxx.xxx
|
||||
nas.domain.com. 1 IN A <TAILSCALE_NAS_IP>
|
||||
```
|
||||
You can find the Tailscale IP in the Tailscale admin console or by running `tailscale ip -4` inside the container (or on the host if Tailscale is also installed there).
|
||||
|
||||
See [here](https://tailscale.com/kb/installation) for installation instructions.
|
||||
**Local Access:**
|
||||
Using the Tailscale IP means you will always need to be connected to Tailscale to access your NAS via its hostname, even locally. This can be remedied by overriding the DNS entry for the NAS domain in your local DNS resolver (like Pi-hole or AdGuard Home) to point to the NAS's *local* IP address (`192.168.x.x`).
|
||||
|
||||
However, this means you will always need to be connected to Tailscale to access your NAS, even locally.
|
||||
This can be remedied by overriding the DNS entry for the NAS domain like `192.168.0.10 nas.domain.com`
|
||||
in your local DNS resolver such as Pi-Hole.
|
||||
|
||||
This way, when connected to the local network, the NAS is accessible directly from the private IP,
|
||||
and from the outside you need to connect to Tailscale first, then the NAS domain will be accessible.
|
||||
This way, when connected to the local network, the NAS is accessible directly via its local IP, and from the outside, you connect via Tailscale, and the Tailscale DNS resolves the hostname correctly.
|
||||
|
||||
## Optional Services
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user