From 6c1e6b57006a8d1b1213dabeaadf81045a34adc5 Mon Sep 17 00:00:00 2001
From: aki
Date: Fri, 25 Apr 2025 03:04:23 +0800
Subject: [PATCH] feat(tailscale): update Tailscale configuration to enable Funnel and remove Traefik targets
---
.env.example | 5 +--
docker-compose.yml | 96 ++++++++++++++++++++++++----------------------
2 files changed, 52 insertions(+), 49 deletions(-)
diff --git a/.env.example b/.env.example
index f1c169d..7ac73f7 100644
--- a/.env.example
+++ b/.env.example
@@ -48,6 +48,5 @@ DECLUTTARR_REMOVE_ORPHANS=True
 TAILSCALE_AUTHKEY=
 TAILSCALE_HOSTNAME=tailscale-nas
 TAILSCALE_TAGS=tag:nas
-# Define Traefik targets for Tailscale serve
-TAILSCALE_SERVE_TARGET_HTTP=http://traefik:80
-TAILSCALE_SERVE_TARGET_HTTPS=https://traefik:443
+# Enable Tailscale Funnel (public access) for HTTPS? Set to 'true' or 'false'.
+ENABLE_FUNNEL_HTTPS=false
diff --git a/docker-compose.yml b/docker-compose.yml
index e26b5e6..ebd5a52 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,9 +9,6 @@ services: - --providers.docker.exposedbydefault=false - --entrypoints.web.address=:80 - --entrypoints.web-secure.address=:443 - - --entrypoints.web.http.redirections.entryPoint.to=web-secure - - --entrypoints.web.http.redirections.entryPoint.scheme=https - - --entrypoints.web.http.redirections.entrypoint.permanent=true - --experimental.plugins.rewrite-body.modulename=github.com/packruler/rewrite-body - --experimental.plugins.rewrite-body.version=v1.2.0 - --experimental.plugins.rewriteHeaders.modulename=github.com/XciD/traefik-plugin-rewrite-headers
@@ -35,8 +32,8 @@ services: - PGID=${GROUP_ID} - TZ=${TIMEZONE} volumes: - - ${CONFIG_ROOT:-.}/sonarr:/config - - ${DATA_ROOT}:/data + - ${CONFIG_ROOT:-.}/sonarr:/config:Z + - ${DATA_ROOT}:/data:Z restart: always healthcheck: test: ["CMD", "curl", "--fail", "http://127.0.0.1:8989/sonarr/ping"]
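Review bot: Traefik keeps answering plain HTTP on `:80` with no upgrade to `:443` once the three `entrypoints.web.http.redirections.*` flags are gone, and after the router hunks below move every service to `entrypoints=web` the `web-secure` entrypoint stays defined with nothing routed to it. That is only safe if `:80` is reachable solely from the Tailscale container over the compose network; Traefik's `ports:` block is outside this hunk, so if it still publishes `80` on the host, LAN clients now reach every service in cleartext with no redirect. Either stop publishing `80` or keep the redirect and point Serve/Funnel at the TLS entrypoint, and record the intent with a comment above `--entrypoints.web.address=:80` such as `# TLS is terminated by Tailscale; do not publish :80 on the host`. The unused `web-secure` entrypoint can be dropped in the same pass if nothing else references it.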
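Review bot: `${DATA_ROOT}:/data:Z` requests a private SELinux label for a directory that the later hunks (@@ -64, -93, -124, -335, -363, -471, and `${DATA_ROOT}/books` in -397) also mount with `:Z` into radarr, lidarr, bazarr, sabnzbd, jellyfin, homepage and calibre-web, and `${DOWNLOAD_ROOT}` is likewise shared by qbittorrent and unpackerr (@@ -279, -316). On an SELinux-enforcing host each container start relabels the tree with its own category, so the last container up keeps access and the others get permission denied; `:z` is the shared-label option for a volume mounted by more than one container, e.g. `- ${DATA_ROOT}:/data:z`. The per-service `/config` mounts are genuinely private and `:Z` is right for them. Either way the relabel walks the whole media tree on every start, which is slow on a large library and rewrites host file contexts, so a one-line comment above `volumes:` noting that the suffix is a no-op without SELinux and what it does with it would help the next reader.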
@@ -45,7 +42,7 @@ services: labels: - traefik.enable=true - traefik.http.routers.sonarr.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/sonarr`)) - - traefik.http.routers.sonarr.tls=true + - traefik.http.routers.sonarr.entrypoints=web - traefik.http.services.sonarr.loadbalancer.server.port=8989 - homepage.group=Media - homepage.name=Sonarr
@@ -64,8 +61,8 @@ services: - PGID=${GROUP_ID} - TZ=${TIMEZONE} volumes: - - ${CONFIG_ROOT:-.}/radarr:/config - - ${DATA_ROOT}:/data + - ${CONFIG_ROOT:-.}/radarr:/config:Z + - ${DATA_ROOT}:/data:Z restart: always healthcheck: test: ["CMD", "curl", "--fail", "http://127.0.0.1:7878/radarr/ping"]
@@ -74,7 +71,7 @@ services: labels: - traefik.enable=true - traefik.http.routers.radarr.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/radarr`)) - - traefik.http.routers.radarr.tls=true + - traefik.http.routers.radarr.entrypoints=web - traefik.http.services.radarr.loadbalancer.server.port=7878 - homepage.group=Media - homepage.name=Radarr
@@ -93,8 +90,8 @@ services: - PGID=${GROUP_ID} - TZ=${TIMEZONE} volumes: - - ${CONFIG_ROOT:-.}/lidarr:/config - - ${DATA_ROOT}:/data + - ${CONFIG_ROOT:-.}/lidarr:/config:Z + - ${DATA_ROOT}:/data:Z restart: always healthcheck: test: ["CMD", "curl", "--fail", "http://127.0.0.1:8686/lidarr/ping"]
@@ -103,7 +100,7 @@ services: labels: - traefik.enable=true - traefik.http.routers.lidarr.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/lidarr`)) - - traefik.http.routers.lidarr.tls=true + - traefik.http.routers.lidarr.entrypoints=web - traefik.http.services.lidarr.loadbalancer.server.port=8686 - homepage.group=Media - homepage.name=Lidarr
@@ -124,8 +121,8 @@ services: - PGID=${GROUP_ID} - TZ=${TIMEZONE} volumes: - - ${CONFIG_ROOT:-.}/bazarr/config:/config - - ${DATA_ROOT}:/data + - ${CONFIG_ROOT:-.}/bazarr/config:/config:Z + - ${DATA_ROOT}:/data:Z restart: always healthcheck: test: ["CMD", "curl", "--fail", "http://127.0.0.1:6767/bazarr/ping"]
@@ -134,7 +131,7 @@ services: labels: - traefik.enable=true - traefik.http.routers.bazarr.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/bazarr`)) - - traefik.http.routers.bazarr.tls=true + - traefik.http.routers.bazarr.entrypoints=web - traefik.http.services.bazarr.loadbalancer.server.port=6767 - homepage.group=Download - homepage.name=Bazarr
@@ -152,7 +149,7 @@ services: - LOG_LEVEL=debug - TZ=${TIMEZONE} volumes: - - ${CONFIG_ROOT:-.}/jellyseerr:/app/config + - ${CONFIG_ROOT:-.}/jellyseerr:/app/config:Z restart: always healthcheck: test:
@@ -168,7 +165,7 @@ services: labels: - traefik.enable=true - traefik.http.routers.jellyseerr.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/jellyseerr`)) - - traefik.http.routers.jellyseerr.tls=true + - traefik.http.routers.jellyseerr.entrypoints=web - traefik.http.services.jellyseerr.loadbalancer.server.port=5055 - traefik.http.routers.jellyseerr.middlewares=jellyseerr-stripprefix,jellyseerr-rewrite,jellyseerr-rewriteHeaders - traefik.http.middlewares.jellyseerr-stripprefix.stripPrefix.prefixes=/jellyseerr
@@ -233,7 +230,7 @@ services: - PGID=${GROUP_ID} - TZ=${TIMEZONE} volumes: - - ${CONFIG_ROOT:-.}/prowlarr:/config + - ${CONFIG_ROOT:-.}/prowlarr:/config:Z restart: always healthcheck: test: ["CMD", "curl", "--fail", "http://127.0.0.1:9696/prowlarr/ping"]
@@ -242,7 +239,7 @@ services: labels: - traefik.enable=true - traefik.http.routers.prowlarr.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/prowlarr`)) - - traefik.http.routers.prowlarr.tls=true + - traefik.http.routers.prowlarr.entrypoints=web - traefik.http.services.prowlarr.loadbalancer.server.port=9696 - homepage.group=Download - homepage.name=Prowlarr
@@ -265,7 +262,7 @@ services: labels: - traefik.enable=true - traefik.http.routers.flaresolverr.rule=PathPrefix(`/flaresolverr`) - - traefik.http.routers.flaresolverr.tls=true + - traefik.http.routers.flaresolverr.entrypoints=web - traefik.http.services.flaresolverr.loadbalancer.server.port=8191 profiles: - flaresolverr
@@ -279,8 +276,8 @@ services: - WEBUI_PORT=8080 - DOCKER_MODS=ghcr.io/gabe565/linuxserver-mod-vuetorrent volumes: - - ${CONFIG_ROOT:-.}/qbittorrent:/config - - ${DOWNLOAD_ROOT}:/data/torrents + - ${CONFIG_ROOT:-.}/qbittorrent:/config:Z + - ${DOWNLOAD_ROOT}:/data/torrents:Z restart: always healthcheck: # Container may fail if the PIA's token expired, so mark as unhealthy when there is no internet connection
@@ -292,7 +289,7 @@ services: labels: - traefik.enable=true - traefik.http.routers.qbittorrent.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/qbittorrent`)) - - traefik.http.routers.qbittorrent.tls=true + - traefik.http.routers.qbittorrent.entrypoints=web - traefik.http.services.qbittorrent.loadbalancer.server.port=8080 - traefik.http.routers.qbittorrent.middlewares=qbittorrent-strip-slash,qbittorrent-stripprefix # https://github.com/qbittorrent/qBittorrent/issues/5693#issuecomment-552146296
@@ -316,7 +313,7 @@ services: image: ghcr.io/unpackerr/unpackerr:latest container_name: unpackerr volumes: - - ${DOWNLOAD_ROOT}:/data/torrents + - ${DOWNLOAD_ROOT}:/data/torrents:Z restart: always user: ${USER_ID}:${GROUP_ID} environment:
@@ -335,13 +332,13 @@ services: - PGID=${GROUP_ID} - TZ=${TIMEZONE} volumes: - - ${CONFIG_ROOT:-.}/sabnzbd:/config - - ${DATA_ROOT}:/data + - ${CONFIG_ROOT:-.}/sabnzbd:/config:Z + - ${DATA_ROOT}:/data:Z restart: always labels: - traefik.enable=true - traefik.http.routers.sabnzbd.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/sabnzbd`) || PathPrefix(`/sabnzbd`)) - - traefik.http.routers.sabnzbd.tls=true + - traefik.http.routers.sabnzbd.entrypoints=web - traefik.http.services.sabnzbd.loadbalancer.server.port=8080 - homepage.group=Download - homepage.name=Sabnzbd
@@ -363,8 +360,8 @@ services: - TZ=${TIMEZONE} - JELLYFIN_PublishedServerUrl=${HOSTNAME}/jellyfin volumes: - - ${CONFIG_ROOT:-.}/jellyfin:/config - - ${DATA_ROOT}:/data + - ${CONFIG_ROOT:-.}/jellyfin:/config:Z + - ${DATA_ROOT}:/data:Z ports: - "7359:7359/udp" - "1900:1900/udp"
@@ -376,7 +373,7 @@ services: labels: - traefik.enable=true - traefik.http.routers.jellyfin.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/jellyfin`)) - - traefik.http.routers.jellyfin.tls=true + - traefik.http.routers.jellyfin.entrypoints=web - traefik.http.services.jellyfin.loadbalancer.server.port=8096 - homepage.group=Media - homepage.name=Jellyfin
@@ -397,8 +394,8 @@ services: - DOCKER_MODS=linuxserver/mods:universal-calibre - OAUTHLIB_RELAX_TOKEN_SCOPE=1 volumes: - - ${CONFIG_ROOT:-.}/calibre-web:/config - - ${DATA_ROOT}/books:/books + - ${CONFIG_ROOT:-.}/calibre-web:/config:Z + - ${DATA_ROOT}/books:/books:Z restart: unless-stopped labels: - traefik.enable=true
@@ -407,7 +404,7 @@ services: - traefik.http.middlewares.calibre-stripprefixregex.stripPrefixRegex.regex=/calibre - traefik.http.routers.calibre.middlewares=calibre-headers,calibre-stripprefixregex - traefik.http.routers.calibre.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/calibre`)) - - traefik.http.routers.calibre.tls=true + - traefik.http.routers.calibre.entrypoints=web - traefik.http.services.calibre.loadbalancer.server.port=8083 - homepage.group=Media - homepage.name=Calibre-Web
@@ -471,16 +468,16 @@ services: - HOMEPAGE_VAR_WEATHER_UNIT=${HOMEPAGE_VAR_WEATHER_UNIT} - HOMEPAGE_ALLOWED_HOSTS=${HOSTNAME} volumes: - - ${CONFIG_ROOT:-.}/homepage:/app/config + - ${CONFIG_ROOT:-.}/homepage:/app/config:Z - /var/run/docker.sock:/var/run/docker.sock:ro - - ${DATA_ROOT}:/data + - ${DATA_ROOT}:/data:Z restart: always command: [sh, -c, "cp -n /app/config/tpl/*.yaml /app/config && node server.js"] labels: - traefik.enable=true - traefik.http.routers.homepage.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/`)) - - traefik.http.routers.homepage.tls=true + - traefik.http.routers.homepage.entrypoints=web - traefik.http.services.homepage.loadbalancer.server.port=3000 watchtower: image: ghcr.io/containrrr/watchtower:latest
@@ -507,11 +504,10 @@ services: TS_EXTRA_ARGS: "--advertise-tags=${TAILSCALE_TAGS:-tag:nas}" # Keep tags if desired TS_STATE_DIR: "/var/lib/tailscale" TS_USERSPACE: "false" - # Define where Tailscale should forward traffic (to Traefik) - TAILSCALE_SERVE_TARGET_HTTP: "http://traefik:80" - TAILSCALE_SERVE_TARGET_HTTPS: "https://traefik:443" # Assumes Traefik handles TLS + # Switch to enable Funnel (public access) or Serve (Tailnet only) + ENABLE_FUNNEL_HTTPS: ${ENABLE_FUNNEL_HTTPS:-false} volumes: - - ${CONFIG_ROOT:-.}/tailscale/state:/var/lib/tailscale # Persist state + - ${CONFIG_ROOT:-.}/tailscale/state:/var/lib/tailscale:Z # Persist state - /var/run/docker.sock:/var/run/docker.sock # Optional, keep if needed devices: - /dev/net/tun:/dev/net/tun
@@ -541,13 +537,21 @@ services: done echo " Tailscaled is running." - # Use tailscale serve to proxy HTTP/HTTPS to Traefik - echo "Setting up Tailscale serve: HTTPS -> $${TAILSCALE_SERVE_TARGET_HTTPS}, HTTP -> $${TAILSCALE_SERVE_TARGET_HTTP}" - tailscale serve --bg https / $${TAILSCALE_SERVE_TARGET_HTTPS} - tailscale serve --bg http / $${TAILSCALE_SERVE_TARGET_HTTP} + # --- Start Tailscale Funnel/Serve --- + # Check the ENABLE_FUNNEL_HTTPS variable + if [ "${ENABLE_FUNNEL_HTTPS}" = "true" ]; then + echo "ENABLE_FUNNEL_HTTPS is true. Setting up Funnel: HTTPS -> http://traefik:80..." + tailscale funnel --bg https / http://traefik:80 + echo "Tailscale Funnel configured." + else + echo "ENABLE_FUNNEL_HTTPS is false. Setting up Serve: HTTPS -> http://traefik:80..." + tailscale serve --bg https / http://traefik:80 + echo "Tailscale Serve configured." + fi + # --- End Tailscale Funnel/Serve --- - echo "Tailscale serve configured to proxy to Traefik. Container will remain running." - wait + echo "Tailscale forwarding configured. Container will remain running." + wait # Wait indefinitely for background processes networks: default:
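Review bot: `ENABLE_FUNNEL_HTTPS: ${ENABLE_FUNNEL_HTTPS:-false}` is the one unquoted value in this `environment:` block while its neighbour `TS_USERSPACE: "false"` is quoted; the interpolated result is the string `false`, but `ENABLE_FUNNEL_HTTPS: "${ENABLE_FUNNEL_HTTPS:-false}"` matches the siblings and the Compose spec's advice to quote boolean-looking values. The entrypoint script in the next hunk does not read this container variable: it uses `${ENABLE_FUNNEL_HTTPS}` with a single `$`, which Compose interpolates from the host environment at parse time, whereas the removed lines used `$${...}` to defer expansion to the container shell. If this entry is meant to be the switch, the script should read `$${ENABLE_FUNNEL_HTTPS}`; otherwise the entry is unused and should go, so the `:-false` default lives in one place.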
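Review bot: `[ "${ENABLE_FUNNEL_HTTPS}" = "true" ]` is resolved by Compose (single `$`), so an unset host variable becomes `[ "" = "true" ]` and falls back to Serve, which is fail-safe but means the `:-false` default in the `environment:` entry above never applies here, and a value such as `True` (the spelling used by `DECLUTTARR_REMOVE_ORPHANS=True` in the same .env) silently selects Serve as well; `if [ "$${ENABLE_FUNNEL_HTTPS:-false}" = "true" ]; then` reads the container variable with its default and matches the escaping the removed lines used. `tailscale funnel --bg https / http://traefik:80` publishes path `/` of Traefik's `web` entrypoint to the public internet, and the router hunks put every service on that entrypoint, including the homepage router on path `/` with its Docker socket mount, so the flag exposes all of them behind whatever authentication each app provides. That consequence deserves a comment above the `if`, e.g. `# Funnel exposes every Traefik router on :80 to the internet; Serve keeps them tailnet-only`, and the .env.example comment in the first hunk should say the same. The block scalar holding this script starts before the hunk.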