From ddfd19b285db1b07ef6231f2f14483c3959ffb55 Mon Sep 17 00:00:00 2001
From: aki
Date: Fri, 25 Apr 2025 02:17:30 +0800
Subject: [PATCH] Remove PIA VPN configuration and add Tailscale service with proxy settings for Traefik
---
 .env.example | 12 ++++---
 docker-compose.yml | 87 +++++++++++++++++++++++++++-------------------
 2 files changed, 59 insertions(+), 40 deletions(-)
diff --git a/.env.example b/.env.example
index cfbfea7..2aaa518 100644
--- a/.env.example
+++ b/.env.example
@@ -8,10 +8,6 @@ CONFIG_ROOT="."
 DATA_ROOT="/mnt/data"
 DOWNLOAD_ROOT="/mnt/data/torrents"
 IMMICH_UPLOAD_LOCATION="/mnt/data/photos"
-PIA_LOCATION=ca
-PIA_USER=
-PIA_PASS=
-PIA_LOCAL_NETWORK="192.168.0.0/16"
 HOSTNAME=localhost
 HOMEASSISTANT_HOSTNAME=
 IMMICH_HOSTNAME=
@@ -54,3 +50,11 @@ DECLUTTARR_REMOVE_FAILED_IMPORTS=True
 DECLUTTARR_REMOVE_METADATA_MISSING=True
 DECLUTTARR_REMOVE_MISSING_FILES=True
 DECLUTTARR_REMOVE_ORPHANS=True
+
+# --- Tailscale Settings ---
+TAILSCALE_AUTHKEY=
+TAILSCALE_HOSTNAME=tailscale-nas
+TAILSCALE_TAGS=tag:nas
+# Define Traefik targets for Tailscale serve
+TAILSCALE_SERVE_TARGET_HTTP=http://traefik:80
+TAILSCALE_SERVE_TARGET_HTTPS=https://traefik:443
diff --git a/docker-compose.yml b/docker-compose.yml
index 6e36b6f..13f1635 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -307,10 +307,6 @@ services:
 ["CMD", "curl", "--fail", "http://127.0.0.1:8080", "https://google.com"]
 interval: 30s
 retries: 10
- network_mode: "service:vpn"
- depends_on:
- vpn:
- condition: service_healthy
 labels:
 - traefik.enable=true
 - traefik.http.routers.qbittorrent.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/qbittorrent`))
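Review bot: `TAILSCALE_SERVE_TARGET_HTTP` and `TAILSCALE_SERVE_TARGET_HTTPS` are introduced in this hunk but nothing reads them: the tailscale service added in the docker-compose.yml hunk at `@@ -556,6 +521,56 @@` hard-codes `TAILSCALE_SERVE_TARGET_HTTP: "http://traefik:80"` and `TAILSCALE_SERVE_TARGET_HTTPS: "https://traefik:443"` under `environment:` instead of interpolating these variables, so editing them in .env has no effect. Either reference them there, e.g. `TAILSCALE_SERVE_TARGET_HTTP: "${TAILSCALE_SERVE_TARGET_HTTP:-http://traefik:80}"`, or drop the two lines from this file so the two files do not disagree. `TAILSCALE_AUTHKEY=` is the one secret in the new section and, because the compose service passes `--advertise-tags`, the key generally has to be one permitted to carry `tag:nas`; a comment in the style already used two lines below, `# Tailscale auth key (secret, never commit a real value); must be allowed to advertise TAILSCALE_TAGS`, would save the next reader a failed first join.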
@@ -332,40 +328,9 @@ services:
 - homepage.description=Bittorrent client
 - homepage.weight=2
 - homepage.widget.type=qbittorrent
- - homepage.widget.url=http://vpn:8080
+ - homepage.widget.url=http://qbittorrent:8080
 - homepage.widget.username=${QBITTORRENT_USERNAME}
 - homepage.widget.password=${QBITTORRENT_PASSWORD}
- vpn:
- image: ghcr.io/thrnz/docker-wireguard-pia:latest
- container_name: vpn
- volumes:
- - ${CONFIG_ROOT:-.}/pia:/pia
- - ${CONFIG_ROOT:-.}/pia-shared:/pia-shared
- cap_add:
- - NET_ADMIN
- - SYS_MODULE
- environment:
- - LOC=${PIA_LOCATION}
- - USER=${PIA_USER}
- - PASS=${PIA_PASS}
- - QBT_USER=${QBITTORRENT_USERNAME}
- - QBT_PASS=${QBITTORRENT_PASSWORD}
- - LOCAL_NETWORK=${PIA_LOCAL_NETWORK}
- - PORT_FORWARDING=1
- - PORT_PERSIST=1
- - PORT_SCRIPT=/pia-shared/portupdate-qbittorrent.sh
- - FIREWALL=0
- sysctls:
- - net.ipv4.conf.all.src_valid_mark=1
- - net.ipv6.conf.default.disable_ipv6=1
- - net.ipv6.conf.all.disable_ipv6=1
- - net.ipv6.conf.lo.disable_ipv6=1
- healthcheck:
- test: ping -c 1 www.google.com || exit 1
- interval: 30s
- timeout: 10s
- retries: 3
- restart: always
 unpackerr:
 image: ghcr.io/unpackerr/unpackerr:latest
 container_name: unpackerr
@@ -556,6 +521,56 @@ services:
 - AUTOHEAL_CONTAINER_LABEL=all
 volumes:
 - /var/run/docker.sock:/var/run/docker.sock
+ tailscale:
+ image: tailscale/tailscale:latest
+ container_name: tailscale
+ hostname: ${TAILSCALE_HOSTNAME:-tailscale-nas} # Hostname for Tailscale access
+ environment:
+ TS_AUTHKEY: ${TAILSCALE_AUTHKEY} # Needs to be set in .env
+ TS_EXTRA_ARGS: "--advertise-tags=${TAILSCALE_TAGS:-tag:nas}" # Keep tags if desired
+ TS_STATE_DIR: "/var/lib/tailscale"
+ TS_USERSPACE: "false"
+ # Define where Tailscale should forward traffic (to Traefik)
+ TAILSCALE_SERVE_TARGET_HTTP: "http://traefik:80"
+ TAILSCALE_SERVE_TARGET_HTTPS: "https://traefik:443" # Assumes Traefik handles TLS
+ volumes:
+ - ${CONFIG_ROOT:-.}/tailscale/state:/var/lib/tailscale # Persist state
+ - /var/run/docker.sock:/var/run/docker.sock # Optional, keep if needed
+ devices:
+ - /dev/net/tun:/dev/net/tun
+ cap_add:
+ - NET_ADMIN
+ - NET_RAW
+ privileged: true # As requested
+ restart: always
+ command:
+ - /bin/sh
+ - -c
+ - |
+ set -e
+ echo "Starting containerboot (tailscaled)..."
+ /usr/local/bin/containerboot &
+ echo "Waiting for tailscaled to achieve running state..."
+ retries=60
+ count=0
+ until tailscale status --json | grep -q '"BackendState": "Running"'; do
+ count=$$(($$count+1))
+ if [ $$count -gt $$retries ]; then
+ echo "Error: tailscaled did not reach running state after $$retries seconds."
+ exit 1
+ fi
+ echo -n "."
+ sleep 1
+ done
+ echo " Tailscaled is running."
+ # Use tailscale serve to proxy HTTP/HTTPS to Traefik
+ echo "Setting up Tailscale serve: HTTPS -> $${TAILSCALE_SERVE_TARGET_HTTPS}, HTTP -> $${TAILSCALE_SERVE_TARGET_HTTP}"
+ tailscale serve --bg https / $${TAILSCALE_SERVE_TARGET_HTTPS}
+ tailscale serve --bg http / $${TAILSCALE_SERVE_TARGET_HTTP}
+ echo "Tailscale serve configured to proxy to Traefik. Container will remain running."
+ wait
 networks:
 default:
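Review bot: `privileged: true # As requested` gives the new tailscale container every capability and unrestricted access to host devices, which makes the `cap_add:` NET_ADMIN/NET_RAW entries and the `/dev/net/tun` device mapping next to it redundant and removes the least-privilege benefit of listing them; Tailscale's own container guidance runs with just NET_ADMIN plus `/dev/net/tun`, so the `privileged: true` line should be dropped and the service re-tested. The `- /var/run/docker.sock:/var/run/docker.sock # Optional, keep if needed` mount is not used by anything in the `command:` script and hands a tailnet-exposed container root-equivalent control of the host, so that line should go as well. `tailscale serve --bg https / $${TAILSCALE_SERVE_TARGET_HTTPS}` proxies to an HTTPS backend whose certificate is presumably issued for `${HOSTNAME}` rather than `traefik`, so the proxy may refuse the backend certificate; `tailscale serve` accepts an `https+insecure://` target for this case, or the HTTPS listener can point at the plain `http://traefik:80` target since Tailscale terminates TLS itself — worth confirming in a test run. `TS_AUTHKEY: ${TAILSCALE_AUTHKEY}` should be quoted like the neighbouring values, `TS_AUTHKEY: "${TAILSCALE_AUTHKEY}"`, so an unset variable yields an empty string rather than a YAML null that Compose resolves from the host environment.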