feat(vpn,sidecar)!: Remove VPN configuration and add Tailscale service with proxy settings in Docker Compose

2025-04-25 02:19:59 +08:00 · 2025-04-25 02:19:59 +08:00 · fba2c07e2c
commit fba2c07e2c
parent b8079666bd
2 changed files with 59 additions and 40 deletions
--- a/.env.example
+++ b/.env.example
@ -8,10 +8,6 @@ CONFIG_ROOT="."
 DATA_ROOT="/mnt/data"
 DOWNLOAD_ROOT="/mnt/data/torrents"
 IMMICH_UPLOAD_LOCATION="/mnt/data/photos"
 PIA_LOCATION=ca
 PIA_USER=
 PIA_PASS=
 PIA_LOCAL_NETWORK="192.168.0.0/16"
 HOSTNAME=localhost
 HOMEASSISTANT_HOSTNAME=
 IMMICH_HOSTNAME=
@ -54,3 +50,11 @@ DECLUTTARR_REMOVE_FAILED_IMPORTS=True
 DECLUTTARR_REMOVE_METADATA_MISSING=True
 DECLUTTARR_REMOVE_MISSING_FILES=True
 DECLUTTARR_REMOVE_ORPHANS=True
 # --- Tailscale Settings ---
 TAILSCALE_AUTHKEY=
 TAILSCALE_HOSTNAME=tailscale-nas
 TAILSCALE_TAGS=tag:nas
 # Define Traefik targets for Tailscale serve
 TAILSCALE_SERVE_TARGET_HTTP=http://traefik:80
 TAILSCALE_SERVE_TARGET_HTTPS=https://traefik:443
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -307,10 +307,6 @@ services:
        ["CMD", "curl", "--fail", "http://127.0.0.1:8080", "https://google.com"]
      interval: 30s
      retries: 10
    network_mode: "service:vpn"
    depends_on:
      vpn:
        condition: service_healthy
    labels:
      - traefik.enable=true
      - traefik.http.routers.qbittorrent.rule=(Host(`${HOSTNAME}`) && PathPrefix(`/qbittorrent`))
@ -332,40 +328,9 @@ services:
      - homepage.description=Bittorrent client
      - homepage.weight=2
      - homepage.widget.type=qbittorrent
-      - homepage.widget.url=http://vpn:8080
+      - homepage.widget.url=http://qbittorrent:8080
      - homepage.widget.username=${QBITTORRENT_USERNAME}
      - homepage.widget.password=${QBITTORRENT_PASSWORD}
  vpn:
    image: ghcr.io/thrnz/docker-wireguard-pia:latest
    container_name: vpn
    volumes:
      - ${CONFIG_ROOT:-.}/pia:/pia
      - ${CONFIG_ROOT:-.}/pia-shared:/pia-shared
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - LOC=${PIA_LOCATION}
      - USER=${PIA_USER}
      - PASS=${PIA_PASS}
      - QBT_USER=${QBITTORRENT_USERNAME}
      - QBT_PASS=${QBITTORRENT_PASSWORD}
      - LOCAL_NETWORK=${PIA_LOCAL_NETWORK}
      - PORT_FORWARDING=1
      - PORT_PERSIST=1
      - PORT_SCRIPT=/pia-shared/portupdate-qbittorrent.sh
      - FIREWALL=0
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
      - net.ipv6.conf.default.disable_ipv6=1
      - net.ipv6.conf.all.disable_ipv6=1
      - net.ipv6.conf.lo.disable_ipv6=1
    healthcheck:
      test: ping -c 1 www.google.com || exit 1
      interval: 30s
      timeout: 10s
      retries: 3
    restart: always
  unpackerr:
    image: ghcr.io/unpackerr/unpackerr:latest
    container_name: unpackerr
@ -556,6 +521,56 @@ services:
      - AUTOHEAL_CONTAINER_LABEL=all
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale
    hostname: ${TAILSCALE_HOSTNAME:-tailscale-nas} # Hostname for Tailscale access
    environment:
      TS_AUTHKEY: ${TAILSCALE_AUTHKEY} # Needs to be set in .env
      TS_EXTRA_ARGS: "--advertise-tags=${TAILSCALE_TAGS:-tag:nas}" # Keep tags if desired
      TS_STATE_DIR: "/var/lib/tailscale"
      TS_USERSPACE: "false"
      # Define where Tailscale should forward traffic (to Traefik)
      TAILSCALE_SERVE_TARGET_HTTP: "http://traefik:80"
      TAILSCALE_SERVE_TARGET_HTTPS: "https://traefik:443" # Assumes Traefik handles TLS
    volumes:
      - ${CONFIG_ROOT:-.}/tailscale/state:/var/lib/tailscale # Persist state
      - /var/run/docker.sock:/var/run/docker.sock # Optional, keep if needed
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - NET_RAW
    privileged: true # As requested
    restart: always
    command:
      - /bin/sh
      - -c
      - |
        set -e
        echo "Starting containerboot (tailscaled)..."
        /usr/local/bin/containerboot &
        echo "Waiting for tailscaled to achieve running state..."
        retries=60
        count=0
        until tailscale status --json | grep -q '"BackendState": "Running"'; do
          count=$$(($$count+1))
          if [ $$count -gt $$retries ]; then
            echo "Error: tailscaled did not reach running state after $$retries seconds."
            exit 1
          fi
          echo -n "."
          sleep 1
        done
        echo " Tailscaled is running."
        # Use tailscale serve to proxy HTTP/HTTPS to Traefik
        echo "Setting up Tailscale serve: HTTPS -> $${TAILSCALE_SERVE_TARGET_HTTPS}, HTTP -> $${TAILSCALE_SERVE_TARGET_HTTP}"
        tailscale serve --bg https / $${TAILSCALE_SERVE_TARGET_HTTPS}
        tailscale serve --bg http / $${TAILSCALE_SERVE_TARGET_HTTP}
        echo "Tailscale serve configured to proxy to Traefik. Container will remain running."
        wait
 networks:
  default: