I currently have my home services set up in a way I like, and think I understand. I have an S12 pro w/ *arr, Overseerr, Immich, paperless, etc running. The only things exposed are immich, paperless, and overseerr. This is via swag/dockerproxy over a cloudflare tunnel. This makes it so I don’t have to do anything on the cloudflare end or my router to add a new service. DockerProxy picks up a new container, swag configures a reverse proxy automatically (assuming it recognizes the container, but it also supports custom configs) using the container_id as the subdomain.

I’m looking at setting up a VPS to host authentik and Uptime Kuma (to start - maybe ntfy in the future). What I’d like to do is have the public interface on these containers use the same cloudflare tunnel I’m currently using… or a second one, if necessary. For the interface back to my home server, I’d like to use Tailscale. I already have it running on my home server, and I expect I’ll install it on my VPS. The goal here is the “public” connection uses the cloudflare tunnel, and the backend connection is over tailscale.

I’ve tested that I can spin up swag/dockerproxy on a second box in my lab and it will connect to cloudflare. I have not yet tested standing up a container on that box to see if the proxy works as expected.

So, questions:

  • Tailscale on VPS: container or no? Obviously, if I can’t install it locally, I’ll put it in a container
  • How do I configure a container to use these 2 networks? I’m fairly good on getting the cloudflare part working. The TS part is new to me, and all the documentation I’ve seen doesn’t really cover other containers using the tailnet.
  • Am I overthinking this? If I put these services on tailnet alone, will the cloudflare tunnel… tunnel back and forth to/from clients not on tailnet?
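One way to lay out the VPS side so a service has both a “public” path (swag behind the tunnel) and a tailnet path back to the home server, as an added example and not configuration from the post or from any of the projects named in it. It puts Tailscale in a sidecar container and has Uptime Kuma share that sidecar’s network namespace, so Kuma can reach home-server targets by their tailnet address while swag reaches Kuma over a private bridge network. Image names, the `proxy` network name, the `TS_AUTHKEY` variable and the `vps-kuma` hostname are assumptions; the swag auto-proxy mod settings the post relies on are left out, and nothing is published to the host.

```yaml
# Added example (not from the post). Assumes: docker compose, a tailnet
# auth key in TS_AUTHKEY, and the swag/dockerproxy pair already working.
services:
  dockerproxy:
    image: lscr.io/linuxserver/socket-proxy   # assumed image
    environment:
      CONTAINERS: "1"                          # read-only container listing only
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [proxy]

  swag:
    image: lscr.io/linuxserver/swag            # assumed image
    environment:
      DOCKER_HOST: dockerproxy                 # swag never touches the raw socket
    networks: [proxy]
    # no "ports:" entry: the only way in is the cloudflare tunnel

  tailscale:
    image: tailscale/tailscale
    hostname: vps-kuma                         # assumed tailnet node name
    environment:
      TS_AUTHKEY: ${TS_AUTHKEY}                # assumed env var, supplied at deploy time
      TS_STATE_DIR: /var/lib/tailscale         # persist node identity across restarts
    volumes:
      - ts-state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add: [net_admin, sys_module]
    networks: [proxy]                          # swag reaches Kuma via this container

  uptime-kuma:
    image: louislam/uptime-kuma
    network_mode: service:tailscale            # share the sidecar's namespace: tailnet + proxy
    depends_on: [tailscale]
    volumes:
      - kuma-data:/app/data
    # monitors configured inside Kuma point at 100.x tailnet addresses,
    # never at the home LAN range

networks:
  proxy:                                        # private bridge, swag <-> app only

volumes:
  ts-state:
  kuma-data:
```

Because the app shares the sidecar’s namespace, swag sees it at the `tailscale` service name (port 3001 for Kuma), so the auto-proxy needs a custom conf for it rather than the container-name default. The trade-off versus installing Tailscale on the VPS host is isolation: the sidecar keeps the tailnet interface out of the host and out of every other container, and a Tailscale ACL on the home side can then limit that one node to just the ports it monitors.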
  • d00phy@lemmy.world (OP) · 1 month ago

    Just reread your comment and I guess it’s the network that will cause issues. To be clear, I think I can make the cloudflare portion work one way or another (I have a second domain I can use if necessary). If my thinking is correct the tailnet communication would be over that IP space - not trying to route to my LAN net. Unless I’m missing something.