aki/docker-compose-nas
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat: Refactor Tailscale & Traefik Integration
Some checks failed
/ validate-docker-compose (push) Has been cancelled
Details

Browse Source 
- Integrate Traefik directly with Tailscale network using `network_mode: service:tailscale`.
- Remove direct port mappings for Traefik (80, 443).
- Configure Tailscale container to use `tailscale serve` (Tailnet only) or `tailscale funnel` (public HTTPS) based on `ENABLE_FUNNEL_HTTPS` env var.
- Update Traefik routing rules (`Host()`) to use `${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}` for all services.
- Update Homepage path to `/home` and adjust its Traefik rule.
- Remove Homepage basic authentication variables (`HOMEPAGE_AUTH_USER`, `HOMEPAGE_AUTH_HASH`) from `.env.example` and `README.md`.
- Update `README.md` to reflect new access methods, hostname configuration, and removal of basic auth.
- Add `extra_hosts` to Tailscale service for `host.docker.internal`.
This commit is contained in:
Jose Daniel G. Percy 2025-04-25 14:15:44 +08:00
parent 8c5cdb111d
commit cf78372b71
3 changed files with 42 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
.env.example
View File

@ -59,10 +59,21 @@ HOMEPAGE_VAR_WEATHER_CITY=
HOMEPAGE_VAR_WEATHER_LAT= HOMEPAGE_VAR_WEATHER_LAT=
HOMEPAGE_VAR_WEATHER_LONG= HOMEPAGE_VAR_WEATHER_LONG=
HOMEPAGE_VAR_WEATHER_UNIT=metric HOMEPAGE_VAR_WEATHER_UNIT=metric
# Homepage Basic Authentication (Optional) - Generate hash with htpasswd (e.g., `htpasswd -nb user password`)
# See README for details. Leave blank to disable auth. # --- Authelia Settings ---
HOMEPAGE_AUTH_USER= # Generate strong random secrets for these using tools like `openssl rand -hex 32`
HOMEPAGE_AUTH_HASH= AUTHELIA_JWT_SECRET= # Example: your_strong_jwt_secret
AUTHELIA_SESSION_SECRET= # Example: your_strong_session_secret
AUTHELIA_STORAGE_ENCRYPTION_KEY= # Example: your_strong_storage_encryption_key
AUTHELIA_REDIS_PASSWORD= # Example: your_strong_redis_password
# Google OIDC Provider Settings (Get from Google Cloud Console - https://console.cloud.google.com/apis/credentials)
AUTHELIA_GOOGLE_OIDC_CLIENT_ID= # Example: your-google-client-id.apps.googleusercontent.com
AUTHELIA_GOOGLE_OIDC_CLIENT_SECRET= # Example: GOCSPX-your-google-client-secret
# Authelia Session Configuration
AUTHELIA_SESSION_DOMAIN=${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}
AUTHELIA_DEFAULT_REDIRECT_URL=https://${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}/home
# --- API Keys & Integration Tokens (Optional - Mainly for Homepage Widgets) --- # --- API Keys & Integration Tokens (Optional - Mainly for Homepage Widgets) ---
# Find API keys within each application's settings (usually Settings > General or Security) # Find API keys within each application's settings (usually Settings > General or Security)

25
README.md
View File

@ -86,7 +86,7 @@ These are fundamental for basic operation and permissions.
* **Note:** Using the correct IDs is crucial for file permissions, especially for accessing media files on the host. * **Note:** Using the correct IDs is crucial for file permissions, especially for accessing media files on the host.
* `TIMEZONE`: Your local timezone (e.g., `America/New_York`, `Europe/London`, `Asia/Manila`). Find yours from [this list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones). * `TIMEZONE`: Your local timezone (e.g., `America/New_York`, `Europe/London`, `Asia/Manila`). Find yours from [this list](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones).
* *Default:* `America/New_York` * *Default:* `America/New_York`
* `HOSTNAME`: The primary hostname or IP address you intend to use to access your services. Traefik uses this for routing. Can be a local IP or a fully qualified domain name (e.g., `tailscale-nas.your-tailnet.ts.net`). * `HOSTNAME`: **(Deprecated - Now derived)** The primary hostname used by Traefik for routing. This is now automatically constructed from `TAILSCALE_HOSTNAME` and `TAILSCALE_TAILNET_DOMAIN`. You generally don't need to set this directly unless overriding the default behavior.
* *Default:* `${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}` * *Default:* `${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`
--- ---
@ -203,18 +203,29 @@ These settings are for enabling automatic HTTPS certificate generation via Let's
## Service Access ## Service Access
With the default Tailscale setup, services are securely accessible via HTTPS using your Tailscale node's name or IP, followed by the service path: With the default Tailscale setup, services are securely accessible via HTTPS using your Tailscale node's name or IP, followed by the service path. Replace `<TAILSCALE_NODE>` with your Tailscale device name (e.g., `tailscale-nas.your-tailnet.ts.net`) or its Tailscale IP address.
* **Homepage:** `https://<TAILSCALE_NODE>/` * **Homepage:** `https://<TAILSCALE_NODE>/home`
* **Sonarr:** `https://<TAILSCALE_NODE>/sonarr` * **Sonarr:** `https://<TAILSCALE_NODE>/sonarr`
* **Radarr:** `https://<TAILSCALE_NODE>/radarr` * **Radarr:** `https://<TAILSCALE_NODE>/radarr`
* **Lidarr:** `https://<TAILSCALE_NODE>/lidarr` (If profile enabled)
* **Bazarr:** `https://<TAILSCALE_NODE>/bazarr`
* **Jellyseerr:** `https://<TAILSCALE_NODE>/jellyseerr`
* **Prowlarr:** `https://<TAILSCALE_NODE>/prowlarr`
* **qBittorrent:** `https://<TAILSCALE_NODE>/qbittorrent` * **qBittorrent:** `https://<TAILSCALE_NODE>/qbittorrent`
* **SABnzbd:** `https://<TAILSCALE_NODE>/sabnzbd` (If profile enabled)
* **Jellyfin:** `https://<TAILSCALE_NODE>/jellyfin` * **Jellyfin:** `https://<TAILSCALE_NODE>/jellyfin`
* ...and so on. * **Calibre-Web:** `https://<TAILSCALE_NODE>/calibre` (If profile enabled)
* **AdGuard Home:** `http://<TAILSCALE_NODE_IP>:3000` (If profile enabled, access via IP/port initially)
* **Tandoor Recipes:** `https://<TAILSCALE_NODE>/recipes` (If profile enabled)
* **Joplin Server:** `https://<TAILSCALE_NODE>/joplin` (If profile enabled)
* **Home Assistant:** `http://<TAILSCALE_NODE_IP>:8123` (If profile enabled, access via IP/port initially)
* **Immich:** `http://<TAILSCALE_NODE_IP>:2283` (If profile enabled, access via IP/port initially)
Replace `<TAILSCALE_NODE>` with your Tailscale device name (e.g., `tailscale-nas.your-tailnet.ts.net`) or its Tailscale IP address. **Note:**
* `<TAILSCALE_NODE>` refers to the full Tailscale name (e.g., `tailscale-nas.your-tailnet.ts.net`).
If you configure DNS for your `HOSTNAME` variable to point to the Tailscale IP, you can use `https://<HOSTNAME>/<service_path>`. * `<TAILSCALE_NODE_IP>` refers to the Tailscale IP address of the NAS.
* Some services (AdGuard, HA, Immich) might require initial setup via their direct IP and port before Tailscale/Traefik routing is fully effective or configured within the application. Authentication for most services will be handled by Authelia (configured later).
## Optional Services ## Optional Services

23
docker-compose.yml
View File

@ -131,7 +131,7 @@ services:
retries: 10 retries: 10
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.bazarr.rule=PathPrefix(`/bazarr`) - traefik.http.routers.bazarr.rule=Host(`${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`) && PathPrefix(`/bazarr`)
- traefik.http.routers.bazarr.entrypoints=web - traefik.http.routers.bazarr.entrypoints=web
- traefik.http.services.bazarr.loadbalancer.server.port=6767 - traefik.http.services.bazarr.loadbalancer.server.port=6767
- homepage.group=Download - homepage.group=Download
@ -289,7 +289,7 @@ services:
retries: 10 retries: 10
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.qbittorrent.rule=PathPrefix(`/qbittorrent`) - traefik.http.routers.qbittorrent.rule=Host(`${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`) && PathPrefix(`/qbittorrent`)
- traefik.http.routers.qbittorrent.entrypoints=web - traefik.http.routers.qbittorrent.entrypoints=web
- traefik.http.services.qbittorrent.loadbalancer.server.port=8080 - traefik.http.services.qbittorrent.loadbalancer.server.port=8080
- traefik.http.routers.qbittorrent.middlewares=qbittorrent-strip-slash,qbittorrent-stripprefix - traefik.http.routers.qbittorrent.middlewares=qbittorrent-strip-slash,qbittorrent-stripprefix
@ -359,7 +359,7 @@ services:
- PUID=${USER_ID} - PUID=${USER_ID}
- PGID=${GROUP_ID} - PGID=${GROUP_ID}
- TZ=${TIMEZONE} - TZ=${TIMEZONE}
- JELLYFIN_PublishedServerUrl=${HOSTNAME}/jellyfin - JELLYFIN_PublishedServerUrl=${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}/jellyfin
volumes: volumes:
- ${CONFIG_ROOT:-.}/jellyfin:/config:Z - ${CONFIG_ROOT:-.}/jellyfin:/config:Z
- ${DATA_ROOT}:/data:Z - ${DATA_ROOT}:/data:Z
@ -404,7 +404,7 @@ services:
- traefik.http.middlewares.calibre-headers.headers.customRequestHeaders.X-Script-Name=/calibre - traefik.http.middlewares.calibre-headers.headers.customRequestHeaders.X-Script-Name=/calibre
- traefik.http.middlewares.calibre-stripprefixregex.stripPrefixRegex.regex=/calibre - traefik.http.middlewares.calibre-stripprefixregex.stripPrefixRegex.regex=/calibre
- traefik.http.routers.calibre.middlewares=calibre-headers,calibre-stripprefixregex - traefik.http.routers.calibre.middlewares=calibre-headers,calibre-stripprefixregex
- traefik.http.routers.calibre.rule=PathPrefix(`/calibre`) - traefik.http.routers.calibre.rule=Host(`${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`) && PathPrefix(`/calibre`)
- traefik.http.routers.calibre.entrypoints=web - traefik.http.routers.calibre.entrypoints=web
- traefik.http.services.calibre.loadbalancer.server.port=8083 - traefik.http.services.calibre.loadbalancer.server.port=8083
- homepage.group=Media - homepage.group=Media
@ -467,11 +467,8 @@ services:
- HOMEPAGE_VAR_WEATHER_LONG=${HOMEPAGE_VAR_WEATHER_LONG} - HOMEPAGE_VAR_WEATHER_LONG=${HOMEPAGE_VAR_WEATHER_LONG}
- HOMEPAGE_VAR_WEATHER_TIME=${TIMEZONE} - HOMEPAGE_VAR_WEATHER_TIME=${TIMEZONE}
- HOMEPAGE_VAR_WEATHER_UNIT=${HOMEPAGE_VAR_WEATHER_UNIT} - HOMEPAGE_VAR_WEATHER_UNIT=${HOMEPAGE_VAR_WEATHER_UNIT}
# Allow access from localhost, the service name, and the primary HOSTNAME # Explicitly allow the hostname constructed from Tailscale variables
- HOMEPAGE_ALLOWED_HOSTS=localhost,homepage,${HOSTNAME} - HOMEPAGE_ALLOWED_HOSTS=${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}
# Pass auth user/hash if set (optional, for potential future use by homepage itself, though Traefik handles it)
- HOMEPAGE_AUTH_USER=${HOMEPAGE_AUTH_USER}
- HOMEPAGE_AUTH_HASH=${HOMEPAGE_AUTH_HASH}
volumes: volumes:
- ${CONFIG_ROOT:-.}/homepage:/app/config:Z - ${CONFIG_ROOT:-.}/homepage:/app/config:Z
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
@ -481,12 +478,10 @@ services:
[sh, -c, "cp -n /app/config/tpl/*.yaml /app/config && node server.js"] [sh, -c, "cp -n /app/config/tpl/*.yaml /app/config && node server.js"]
labels: labels:
- traefik.enable=true - traefik.enable=true
- traefik.http.routers.homepage.rule=PathPrefix(`/`) # Change path to /home and use specific Tailscale host
- traefik.http.routers.homepage.rule=Host(`${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}`) && PathPrefix(`/home`)
- traefik.http.routers.homepage.entrypoints=web - traefik.http.routers.homepage.entrypoints=web
# Define Basic Auth Middleware (only active if HOMEPAGE_AUTH_HASH is set in .env) # Authelia middleware will be added in a later commit
- traefik.http.middlewares.homepage-auth.basicAuth.users=${HOMEPAGE_AUTH_HASH}
# Apply Middleware to Router
- traefik.http.routers.homepage.middlewares=homepage-auth@docker
- traefik.http.services.homepage.loadbalancer.server.port=3000 - traefik.http.services.homepage.loadbalancer.server.port=3000
watchtower: watchtower:
image: ghcr.io/containrrr/watchtower:latest image: ghcr.io/containrrr/watchtower:latest