feat(vpn,sidecar)!: Remove VPN configuration and add Tailscale service with proxy settings in Docker Compose
parent
b8079666bd
commit
fba2c07e2c
12
.env.example
12
.env.example
@ -8,10 +8,6 @@ CONFIG_ROOT="."
|
||||
DATA_ROOT="/mnt/data"
|
||||
DOWNLOAD_ROOT="/mnt/data/torrents"
|
||||
IMMICH_UPLOAD_LOCATION="/mnt/data/photos"
|
||||
PIA_LOCATION=ca
|
||||
PIA_USER=
|
||||
PIA_PASS=
|
||||
PIA_LOCAL_NETWORK="192.168.0.0/16"
|
||||
HOSTNAME=localhost
|
||||
HOMEASSISTANT_HOSTNAME=
|
||||
IMMICH_HOSTNAME=
|
||||
@ -54,3 +50,11 @@ DECLUTTARR_REMOVE_FAILED_IMPORTS=True
|
||||
DECLUTTARR_REMOVE_METADATA_MISSING=True
|
||||
DECLUTTARR_REMOVE_MISSING_FILES=True
|
||||
DECLUTTARR_REMOVE_ORPHANS=True
|
||||
|
||||
# --- Tailscale Settings ---
|
||||
TAILSCALE_AUTHKEY=
|
||||
TAILSCALE_HOSTNAME=tailscale-nas
|
||||
TAILSCALE_TAGS=tag:nas
|
||||
# Define Traefik targets for Tailscale serve
|
||||
TAILSCALE_SERVE_TARGET_HTTP=http://traefik:80
|
||||
TAILSCALE_SERVE_TARGET_HTTPS=https://traefik:443
|
||||
|
||||
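Review bot: `TAILSCALE_SERVE_TARGET_HTTP` and `TAILSCALE_SERVE_TARGET_HTTPS` added here are never read, because the Tailscale service in the compose hunk `@ -556,6 +521,56 @@` hard-codes the same two values directly under `environment:`, so editing this file has no effect and the comment "Define Traefik targets for Tailscale serve" is misleading. Either drop the two variables and that comment, or have the compose service interpolate them with a default, e.g. `TAILSCALE_SERVE_TARGET_HTTP: "${TAILSCALE_SERVE_TARGET_HTTP:-http://traefik:80}"` and the HTTPS counterpart. `TAILSCALE_HOSTNAME` and `TAILSCALE_TAGS` are consistent, since the compose service reads them with the same defaults.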
@ -307,10 +307,6 @@ services:
|
||||
["CMD", "curl", "--fail", "http://127.0.0.1:8080", "https://google.com"]
|
||||
interval: 30s
|
||||
retries: 10
|
||||
network_mode: "service:vpn"
|
||||
depends_on:
|
||||
vpn:
|
||||
condition: service_healthy
|
||||
labels:
|
||||
- traefik.enable=true
|
||||
- traefik.http.routers.qbittorrent.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/qbittorrent`))
|
||||
@ -332,40 +328,9 @@ services:
|
||||
- homepage.description=Bittorrent client
|
||||
- homepage.weight=2
|
||||
- homepage.widget.type=qbittorrent
|
||||
- homepage.widget.url=http://vpn:8080
|
||||
- homepage.widget.url=http://qbittorrent:8080
|
||||
- homepage.widget.username=${QBITTORRENT_USERNAME}
|
||||
- homepage.widget.password=${QBITTORRENT_PASSWORD}
|
||||
vpn:
|
||||
image: ghcr.io/thrnz/docker-wireguard-pia:latest
|
||||
container_name: vpn
|
||||
volumes:
|
||||
- ${CONFIG_ROOT:-.}/pia:/pia
|
||||
- ${CONFIG_ROOT:-.}/pia-shared:/pia-shared
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
- SYS_MODULE
|
||||
environment:
|
||||
- LOC=${PIA_LOCATION}
|
||||
- USER=${PIA_USER}
|
||||
- PASS=${PIA_PASS}
|
||||
- QBT_USER=${QBITTORRENT_USERNAME}
|
||||
- QBT_PASS=${QBITTORRENT_PASSWORD}
|
||||
- LOCAL_NETWORK=${PIA_LOCAL_NETWORK}
|
||||
- PORT_FORWARDING=1
|
||||
- PORT_PERSIST=1
|
||||
- PORT_SCRIPT=/pia-shared/portupdate-qbittorrent.sh
|
||||
- FIREWALL=0
|
||||
sysctls:
|
||||
- net.ipv4.conf.all.src_valid_mark=1
|
||||
- net.ipv6.conf.default.disable_ipv6=1
|
||||
- net.ipv6.conf.all.disable_ipv6=1
|
||||
- net.ipv6.conf.lo.disable_ipv6=1
|
||||
healthcheck:
|
||||
test: ping -c 1 www.google.com || exit 1
|
||||
interval: 30s
|
||||
timeout: 10s
|
||||
retries: 3
|
||||
restart: always
|
||||
unpackerr:
|
||||
image: ghcr.io/unpackerr/unpackerr:latest
|
||||
container_name: unpackerr
|
||||
@ -556,6 +521,56 @@ services:
|
||||
- AUTOHEAL_CONTAINER_LABEL=all
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
tailscale:
|
||||
image: tailscale/tailscale:latest
|
||||
container_name: tailscale
|
||||
hostname: ${TAILSCALE_HOSTNAME:-tailscale-nas} # Hostname for Tailscale access
|
||||
environment:
|
||||
TS_AUTHKEY: ${TAILSCALE_AUTHKEY} # Needs to be set in .env
|
||||
TS_EXTRA_ARGS: "--advertise-tags=${TAILSCALE_TAGS:-tag:nas}" # Keep tags if desired
|
||||
TS_STATE_DIR: "/var/lib/tailscale"
|
||||
TS_USERSPACE: "false"
|
||||
# Define where Tailscale should forward traffic (to Traefik)
|
||||
TAILSCALE_SERVE_TARGET_HTTP: "http://traefik:80"
|
||||
TAILSCALE_SERVE_TARGET_HTTPS: "https://traefik:443" # Assumes Traefik handles TLS
|
||||
volumes:
|
||||
- ${CONFIG_ROOT:-.}/tailscale/state:/var/lib/tailscale # Persist state
|
||||
- /var/run/docker.sock:/var/run/docker.sock # Optional, keep if needed
|
||||
devices:
|
||||
- /dev/net/tun:/dev/net/tun
|
||||
cap_add:
|
||||
- NET_ADMIN
|
||||
- NET_RAW
|
||||
privileged: true # As requested
|
||||
restart: always
|
||||
command:
|
||||
- /bin/sh
|
||||
- -c
|
||||
- |
|
||||
set -e
|
||||
echo "Starting containerboot (tailscaled)..."
|
||||
/usr/local/bin/containerboot &
|
||||
echo "Waiting for tailscaled to achieve running state..."
|
||||
retries=60
|
||||
count=0
|
||||
until tailscale status --json | grep -q '"BackendState": "Running"'; do
|
||||
count=$$(($$count+1))
|
||||
if [ $$count -gt $$retries ]; then
|
||||
echo "Error: tailscaled did not reach running state after $$retries seconds."
|
||||
exit 1
|
||||
fi
|
||||
echo -n "."
|
||||
sleep 1
|
||||
done
|
||||
echo " Tailscaled is running."
|
||||
|
||||
# Use tailscale serve to proxy HTTP/HTTPS to Traefik
|
||||
echo "Setting up Tailscale serve: HTTPS -> $${TAILSCALE_SERVE_TARGET_HTTPS}, HTTP -> $${TAILSCALE_SERVE_TARGET_HTTP}"
|
||||
tailscale serve --bg https / $${TAILSCALE_SERVE_TARGET_HTTPS}
|
||||
tailscale serve --bg http / $${TAILSCALE_SERVE_TARGET_HTTP}
|
||||
|
||||
echo "Tailscale serve configured to proxy to Traefik. Container will remain running."
|
||||
wait
|
||||
|
||||
networks:
|
||||
default:
|
||||
|
||||
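Review bot: `privileged: true # As requested` together with the `- /var/run/docker.sock:/var/run/docker.sock` bind mount gives a container that is reachable from the whole tailnet root-equivalent control of the host, while the explicit `cap_add` NET_ADMIN/NET_RAW and the `/dev/net/tun` device already cover what tailscaled needs with `TS_USERSPACE: "false"`, and nothing in the `command:` script touches the Docker socket. Drop the `privileged: true` line and the docker.sock volume entry, and re-add the socket only once a concrete consumer is identified (and then read-only). The HTTPS serve target `https://traefik:443` appears to go through backend certificate verification (the `https+insecure://` scheme exists for self-signed backends), so unless Traefik presents a certificate valid for the name `traefik` the HTTPS listener will likely fail handshakes; pointing it at `http://traefik:80` (Tailscale already terminates TLS with the tailnet certificate) avoids that and leaves one path to verify. Finally, `image: tailscale/tailscale:latest` lets the `tailscale serve` CLI syntax drift under the startup script; pin a tag that has been tested with the `serve --bg https / …` form used here.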