From 0c7fe219f703042e57d243c2fd306913a61ae227 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?=
Date: Fri, 28 Nov 2025 08:32:26 +0100
Subject: [PATCH] feat: tailscale sidecar

---
 ai/compose.yaml | 15 ++--
 net/compose.yaml | 195 ++++++++++++++++++++++++++---------------------
 2 files changed, 111 insertions(+), 99 deletions(-)

diff --git a/ai/compose.yaml b/ai/compose.yaml
index 4810ed7..188f72e 100644
--- a/ai/compose.yaml
+++ b/ai/compose.yaml
@@ -96,8 +96,7 @@ services:
 image: ghcr.io/berriai/litellm:main-latest
 container_name: ${AI_COMPOSE_PROJECT_NAME}_litellm
 restart: unless-stopped
- dns:
- - 100.100.100.100 # Tailscale's MagicDNS resolver
+ network_mode: "service:tailscale"
 environment:
 TZ: ${TIMEZONE:-Europe/Berlin}
 ANTHROPIC_API_KEY: ${ANTHROPIC_API_KEY}
@@ -188,8 +187,7 @@ services:
 image: nginx:alpine
 container_name: ${AI_COMPOSE_PROJECT_NAME}_comfyui
 restart: unless-stopped
- dns:
- - 100.100.100.100 # Tailscale's MagicDNS resolver
+ network_mode: "service:tailscale"
 environment:
 TZ: ${TIMEZONE:-Europe/Berlin}
 GPU_SERVICE_HOST: ${GPU_TAILSCALE_HOST}
@@ -222,8 +220,7 @@ services:
 image: nginx:alpine
 container_name: ${AI_COMPOSE_PROJECT_NAME}_audiocraft
 restart: unless-stopped
- dns:
- - 100.100.100.100 # Tailscale's MagicDNS resolver
+ network_mode: "service:tailscale"
 environment:
 TZ: ${TIMEZONE:-Europe/Berlin}
 GPU_SERVICE_HOST: ${GPU_TAILSCALE_HOST}
@@ -256,8 +253,7 @@ services:
 image: nginx:alpine
 container_name: ${AI_COMPOSE_PROJECT_NAME}_upscale
 restart: unless-stopped
- dns:
- - 100.100.100.100 # Tailscale's MagicDNS resolver
+ network_mode: "service:tailscale"
 environment:
 TZ: ${TIMEZONE:-Europe/Berlin}
 GPU_SERVICE_HOST: ${GPU_TAILSCALE_HOST}
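Review bot: `network_mode: "service:tailscale"` can only name a service in the same Compose project, and the `tailscale` service this commit introduces lives in net/compose.yaml, so unless ai/compose.yaml defines its own `tailscale` service outside these hunks (or both files are loaded as one project), Compose will reject the reference; the same applies to the other four hunks of this file at -188, -222, -256 and -291. A service in `service:` mode also cannot carry `networks:`, `ports:` or `dns:` of its own, which is why the `dns:` entry had to go, but it means name resolution for `GPU_SERVICE_HOST` now depends entirely on the sidecar's resolver settings (containerboot's `TS_ACCEPT_DNS`, which I believe defaults to false, would have to be enabled for MagicDNS names to keep resolving), and any `networks:` left on these services further down will fail validation. Sharing the namespace also means each joined service's listening ports are reachable from every other joined service on localhost and, through the tailnet interface, from every peer the tailnet ACL admits, so a `depends_on: [tailscale]` on each of these services and an ACL that only admits the intended peers belong with this change. All five service definitions continue outside their hunks.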
@@ -291,8 +287,7 @@ services:
 image: dev.pivoine.art/valknar/supervisor-ui:latest
 container_name: ${AI_COMPOSE_PROJECT_NAME}_supervisor_ui
 restart: unless-stopped
- dns:
- - 100.100.100.100 # Tailscale's MagicDNS resolver
+ network_mode: "service:tailscale"
 environment:
 TZ: ${TIMEZONE:-Europe/Berlin}
 NODE_ENV: production
diff --git a/net/compose.yaml b/net/compose.yaml
index 67536ef..5f9bdd3 100644
--- a/net/compose.yaml
+++ b/net/compose.yaml
@@ -6,49 +6,49 @@ services:
 restart: unless-stopped
 command:
 # API & Dashboard
- - '--api.dashboard=true'
- - '--api.insecure=false'
+ - "--api.dashboard=true"
+ - "--api.insecure=false"
 # Ping endpoint for healthcheck
- - '--ping=true'
+ - "--ping=true"
 # Experimental plugins
- - '--experimental.plugins.sablier.modulename=github.com/acouvreur/sablier'
- - '--experimental.plugins.sablier.version=v1.8.0'
+ - "--experimental.plugins.sablier.modulename=github.com/acouvreur/sablier"
+ - "--experimental.plugins.sablier.version=v1.8.0"
 # Logging
- - '--log.level=${NET_PROXY_LOG_LEVEL:-INFO}'
- - '--accesslog=true'
+ - "--log.level=${NET_PROXY_LOG_LEVEL:-INFO}"
+ - "--accesslog=true"
 # Global
- - '--global.sendAnonymousUsage=false'
- - '--global.checkNewVersion=true'
+ - "--global.sendAnonymousUsage=false"
+ - "--global.checkNewVersion=true"
 # Docker Provider
- - '--providers.docker=true'
- - '--providers.docker.exposedbydefault=false'
- - '--providers.docker.network=${NETWORK_NAME}'
+ - "--providers.docker=true"
+ - "--providers.docker.exposedbydefault=false"
+ - "--providers.docker.network=${NETWORK_NAME}"
 # File Provider for dynamic configuration
- - '--providers.file.directory=/etc/traefik/dynamic'
- - '--providers.file.watch=true'
+ - "--providers.file.directory=/etc/traefik/dynamic"
+ - "--providers.file.watch=true"
 # Entrypoints
- - '--entrypoints.web.address=:${NET_PROXY_PORT_HTTP:-80}'
- - '--entrypoints.web-secure.address=:${NET_PROXY_PORT_HTTPS:-443}'
+ - "--entrypoints.web.address=:${NET_PROXY_PORT_HTTP:-80}"
+ - "--entrypoints.web-secure.address=:${NET_PROXY_PORT_HTTPS:-443}"
 # Global HTTP to HTTPS redirect
- - '--entrypoints.web.http.redirections.entryPoint.to=web-secure'
- - '--entrypoints.web.http.redirections.entryPoint.scheme=https'
- - '--entrypoints.web.http.redirections.entryPoint.permanent=true'
+ - "--entrypoints.web.http.redirections.entryPoint.to=web-secure"
+ - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
+ - "--entrypoints.web.http.redirections.entryPoint.permanent=true"
 # Security Headers (applied globally)
- - '--entrypoints.web-secure.http.middlewares=security-headers@file'
+ - "--entrypoints.web-secure.http.middlewares=security-headers@file"
 # Let's Encrypt
- - '--certificatesresolvers.resolver.acme.tlschallenge=true'
- - '--certificatesresolvers.resolver.acme.email=${ADMIN_EMAIL}'
- - '--certificatesresolvers.resolver.acme.storage=/letsencrypt/acme.json'
+ - "--certificatesresolvers.resolver.acme.tlschallenge=true"
+ - "--certificatesresolvers.resolver.acme.email=${ADMIN_EMAIL}"
+ - "--certificatesresolvers.resolver.acme.storage=/letsencrypt/acme.json"
 healthcheck:
 test: ["CMD", "traefik", "healthcheck", "--ping"]
@@ -74,20 +74,20 @@ services:
 - ./dynamic:/etc/traefik/dynamic:ro
 labels:
- - 'traefik.enable=true'
+ - "traefik.enable=true"
 # HTTP to HTTPS redirect
- - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-traefik-redirect-web-secure.redirectscheme.scheme=https'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-traefik-redirect-web-secure'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web.rule=Host(`${NET_PROXY_TRAEFIK_HOST}`)'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web.entrypoints=web'
+ - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-traefik-redirect-web-secure.redirectscheme.scheme=https"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-traefik-redirect-web-secure"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web.rule=Host(`${NET_PROXY_TRAEFIK_HOST}`)"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web.entrypoints=web"
 # HTTPS router with auth
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.rule=Host(`${NET_PROXY_TRAEFIK_HOST}`)'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.tls.certresolver=resolver'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.entrypoints=web-secure'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.service=api@internal'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.middlewares=${NET_COMPOSE_PROJECT_NAME}-authelia,security-headers@file'
- - 'traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.loadbalancer.server.port=8080'
- - 'traefik.docker.network=${NETWORK_NAME}'
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.rule=Host(`${NET_PROXY_TRAEFIK_HOST}`)"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.tls.certresolver=resolver"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.entrypoints=web-secure"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.service=api@internal"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.middlewares=${NET_COMPOSE_PROJECT_NAME}-authelia,security-headers@file"
+ - "traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-traefik-web-secure.loadbalancer.server.port=8080"
+ - "traefik.docker.network=${NETWORK_NAME}"
 # Netdata - Real-time monitoring
 netdata:
@@ -128,23 +128,23 @@ services:
 networks:
 - compose_network
 labels:
- - 'traefik.enable=${NET_TRAEFIK_ENABLED}'
+ - "traefik.enable=${NET_TRAEFIK_ENABLED}"
 # HTTP to HTTPS redirect
- - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-netdata-redirect-web-secure.redirectscheme.scheme=https'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-netdata-redirect-web-secure'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web.rule=Host(`${NET_NETDATA_TRAEFIK_HOST}`)'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web.entrypoints=web'
+ - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-netdata-redirect-web-secure.redirectscheme.scheme=https"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-netdata-redirect-web-secure"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web.rule=Host(`${NET_NETDATA_TRAEFIK_HOST}`)"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web.entrypoints=web"
 # HTTPS router
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.rule=Host(`${NET_NETDATA_TRAEFIK_HOST}`)'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.tls.certresolver=resolver'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.entrypoints=web-secure'
- - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-netdata-compress.compress=true'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.middlewares=${NET_COMPOSE_PROJECT_NAME}-netdata-compress,${NET_COMPOSE_PROJECT_NAME}-authelia,security-headers@file'
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.rule=Host(`${NET_NETDATA_TRAEFIK_HOST}`)"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.tls.certresolver=resolver"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.entrypoints=web-secure"
+ - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-netdata-compress.compress=true"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-netdata-web-secure.middlewares=${NET_COMPOSE_PROJECT_NAME}-netdata-compress,${NET_COMPOSE_PROJECT_NAME}-authelia,security-headers@file"
 # Service
- - 'traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-netdata.loadbalancer.server.port=19999'
- - 'traefik.docker.network=${NETWORK_NAME}'
+ - "traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-netdata.loadbalancer.server.port=19999"
+ - "traefik.docker.network=${NETWORK_NAME}"
 # Watchtower
- - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+ - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
 # Watchtower - Automatic container updates
 watchtower:
@@ -202,7 +202,8 @@ services:
 - compose_network
 healthcheck:
- test: ["CMD-SHELL", "curl -f http://localhost:3000/api/heartbeat || exit 1"]
+ test:
+ ["CMD-SHELL", "curl -f http://localhost:3000/api/heartbeat || exit 1"]
 interval: 30s
 timeout: 10s
 retries: 5
@@ -210,21 +211,21 @@ services:
 labels:
 # Traefik Configuration
- - 'traefik.enable=${NET_TRAEFIK_ENABLED}'
+ - "traefik.enable=${NET_TRAEFIK_ENABLED}"
 # HTTP to HTTPS redirect
- - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-umami-redirect-web-secure.redirectscheme.scheme=https'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-umami-redirect-web-secure'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web.rule=Host(`${NET_TRACK_TRAEFIK_HOST}`)'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web.entrypoints=web'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.rule=Host(`${NET_TRACK_TRAEFIK_HOST}`)'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.tls.certresolver=resolver'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.entrypoints=web-secure'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.middlewares=security-headers@file'
- - 'traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.loadbalancer.server.port=3000'
- - 'traefik.docker.network=${NETWORK_NAME}'
+ - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-umami-redirect-web-secure.redirectscheme.scheme=https"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-umami-redirect-web-secure"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web.rule=Host(`${NET_TRACK_TRAEFIK_HOST}`)"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web.entrypoints=web"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.rule=Host(`${NET_TRACK_TRAEFIK_HOST}`)"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.tls.certresolver=resolver"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.entrypoints=web-secure"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.middlewares=security-headers@file"
+ - "traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.loadbalancer.server.port=3000"
+ - "traefik.docker.network=${NETWORK_NAME}"
 # Watchtower
- - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+ - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
 # Mailpit - SMTP server with web UI
 mailpit:
@@ -250,22 +251,22 @@ services:
 networks:
 - compose_network
 labels:
- - 'traefik.enable=${NET_TRAEFIK_ENABLED}'
+ - "traefik.enable=${NET_TRAEFIK_ENABLED}"
 # HTTP to HTTPS redirect
- - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-mailpit-redirect-web-secure.redirectscheme.scheme=https'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-mailpit-redirect-web-secure'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web.rule=Host(`${NET_MAILPIT_TRAEFIK_HOST}`)'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web.entrypoints=web'
+ - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-mailpit-redirect-web-secure.redirectscheme.scheme=https"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-mailpit-redirect-web-secure"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web.rule=Host(`${NET_MAILPIT_TRAEFIK_HOST}`)"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web.entrypoints=web"
 # HTTPS router with auth
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.rule=Host(`${NET_MAILPIT_TRAEFIK_HOST}`)'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.tls.certresolver=resolver'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.entrypoints=web-secure'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.middlewares=${NET_COMPOSE_PROJECT_NAME}-authelia,security-headers@file'
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.rule=Host(`${NET_MAILPIT_TRAEFIK_HOST}`)"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.tls.certresolver=resolver"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.entrypoints=web-secure"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.middlewares=${NET_COMPOSE_PROJECT_NAME}-authelia,security-headers@file"
 # Service
- - 'traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.loadbalancer.server.port=8025'
- - 'traefik.docker.network=${NETWORK_NAME}'
+ - "traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-mailpit-web-secure.loadbalancer.server.port=8025"
+ - "traefik.docker.network=${NETWORK_NAME}"
 # Watchtower
- - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+ - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
 # Authelia - SSO and authentication portal
 authelia:
@@ -285,27 +286,41 @@ services:
 networks:
 - compose_network
 labels:
- - 'traefik.enable=${NET_TRAEFIK_ENABLED}'
+ - "traefik.enable=${NET_TRAEFIK_ENABLED}"
 # HTTP to HTTPS redirect
- - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia-redirect-web-secure.redirectscheme.scheme=https'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-authelia-redirect-web-secure'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web.rule=Host(`${NET_AUTHELIA_TRAEFIK_HOST}`)'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web.entrypoints=web'
+ - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia-redirect-web-secure.redirectscheme.scheme=https"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-authelia-redirect-web-secure"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web.rule=Host(`${NET_AUTHELIA_TRAEFIK_HOST}`)"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web.entrypoints=web"
 # HTTPS router
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.rule=Host(`${NET_AUTHELIA_TRAEFIK_HOST}`)'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.tls.certresolver=resolver'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.entrypoints=web-secure'
- - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.middlewares=security-headers@file'
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.rule=Host(`${NET_AUTHELIA_TRAEFIK_HOST}`)"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.tls.certresolver=resolver"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.entrypoints=web-secure"
+ - "traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.middlewares=security-headers@file"
 # Service
- - 'traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.loadbalancer.server.port=9091'
- - 'traefik.docker.network=${NETWORK_NAME}'
+ - "traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.loadbalancer.server.port=9091"
+ - "traefik.docker.network=${NETWORK_NAME}"
 # ForwardAuth middleware for other services
- - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.address=http://net_authelia:9091/api/authz/forward-auth'
- - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.trustForwardHeader=true'
- - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
- - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.authResponseHeadersRegex=^Remote-'
+ - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.address=http://net_authelia:9091/api/authz/forward-auth"
+ - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.trustForwardHeader=true"
+ - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
+ - "traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.authResponseHeadersRegex=^Remote-"
 # Watchtower
- - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+ - "com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}"
+
+ tailscale:
+ image: tailscale/tailscale:latest
+ hostname: vps
+ cap_add:
+ - NET_ADMIN
+ - SYS_MODULE
+ volumes:
+ - tailscale-state:/var/lib/tailscale
+ - /dev/net/tun:/dev/net/tun
+ environment:
+ - TS_AUTHKEY=${TAILSCALE_AUTHKEY}
+ - TS_STATE_DIR=/var/lib/tailscale
+ restart: unless-stopped
 volumes:
 letsencrypt_data:
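Review bot: The new `tailscale` service adds `SYS_MODULE` to `cap_add`, which allows loading arbitrary kernel modules and is in practice host root for the container; since `/dev/net/tun` is already bind-mounted from the host, the tun driver is present there and `NET_ADMIN` alone should be enough, so I would drop `SYS_MODULE`. `image: tailscale/tailscale:latest` is unpinned for a container that holds the tailnet node key and acts as the network gateway for other containers, and with watchtower running from this same file it can be replaced by whatever the registry serves next, so pin a release tag or digest. `TS_AUTHKEY=${TAILSCALE_AUTHKEY}` stays visible in `docker inspect` for the container's whole life although, with state persisted in `tailscale-state`, it is consumed only at first registration: use a one-off, pre-authorized and tagged key rather than a reusable one, and if containerboot's `file:` prefix for `TS_AUTHKEY` is available in the pinned version, read it from a mounted secret instead of the environment. If I remember containerboot's defaults correctly, `TS_USERSPACE` defaults to true, in which case the tun device and `NET_ADMIN` go unused and containers that join this namespace via `network_mode: "service:tailscale"` get no tailnet routing, so `TS_USERSPACE=false` should be set explicitly. The service also carries no `networks:` entry while every other service in this file joins `compose_network`, so it will land on the project's default network instead.
```yaml
  tailscale:
    image: tailscale/tailscale:<PINNED_TAG_OR_DIGEST>  # placeholder: pin a release, not :latest
    cap_add:
      - NET_ADMIN  # SYS_MODULE dropped: the host tun device is bind-mounted below
    # … unchanged: hostname, volumes …
    environment:
      - TS_AUTHKEY=${TAILSCALE_AUTHKEY}
      - TS_STATE_DIR=/var/lib/tailscale
      - TS_USERSPACE=false  # kernel tun mode, so namespace-sharing containers get tailnet routing
    networks:
      - compose_network
    # … unchanged: restart …
```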
@@ -320,6 +335,8 @@ volumes:
 name: ${NET_COMPOSE_PROJECT_NAME}_mailpit_data
 authelia_config:
 name: ${NET_COMPOSE_PROJECT_NAME}_authelia_config
+ tailscale-state:
+ name: ${NET_COMPOSE_PROJECT_NAME}_tailscale_state
 networks:
 compose_network: