diff --git a/clink/docker-compose.yml b/clink/docker-compose.yml
index 1c5fbea..55c6580 100644
--- a/clink/docker-compose.yml
+++ b/clink/docker-compose.yml
@@ -16,7 +16,7 @@ services:
 - net_admin - sys_module configs: - - source: serve-config + - source: ts-config target: /ts/serve.json clink: build: .
@@ -34,7 +34,7 @@ volumes:
 clink-data: tailscale: configs: - serve-config: + ts-config: content: | { "TCP": {
diff --git a/immich/docker-compose.yml b/immich/docker-compose.yml
index fda26f5..248e76d 100644
--- a/immich/docker-compose.yml
+++ b/immich/docker-compose.yml
@@ -27,7 +27,7 @@ services:
 - net_admin - sys_module configs: - - source: serve-config + - source: ts-config target: /ts/serve.json immich-server: container_name: immich_server
@@ -94,7 +94,7 @@ volumes:
 model-cache: tailscale: configs: - serve-config: + ts-config: content: | { "TCP": {
diff --git a/mealie/docker-compose.yml b/mealie/docker-compose.yml
index 87f1b98..a8f49cc 100644
--- a/mealie/docker-compose.yml
+++ b/mealie/docker-compose.yml
@@ -16,7 +16,7 @@ services:
 - net_admin - sys_module configs: - - source: serve-config + - source: ts-config target: /ts/serve.json mealie: image: ghcr.io/mealie-recipes/mealie:v1.0.0
@@ -33,7 +33,7 @@ volumes:
 mealie-data: tailscale: configs: - serve-config: + ts-config: content: | { "TCP": {
@@ -51,6 +51,6 @@ configs:
 } }, "AllowFunnel": { - "$${TS_CERT_DOMAIN}:443": false + "$${TS_CERT_DOMAIN}:443": ${TS_ALLOW_FUNNEL:-false} } }
diff --git a/nextcloud/Caddy.Dockerfile b/nextcloud/Caddy.Dockerfile
new file mode 100644
index 0000000..52b53b4
--- /dev/null
+++ b/nextcloud/Caddy.Dockerfile
@@ -0,0 +1,5 @@
+FROM caddy:2.9.1-builder-alpine AS builder
+RUN xcaddy build --with github.com/mholt/caddy-l4@87e3e5e2c7f986b34c0df373a5799670d7b8ca03
+
+FROM caddy:2.9.1-alpine
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
diff --git a/nextcloud/docker-compose.yml b/nextcloud/docker-compose.yml
new file mode 100644
index 0000000..8bc02e8
--- /dev/null
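Review bot: The mealie `AllowFunnel` value is now spliced into the serve.json block scalar unquoted as `${TS_ALLOW_FUNNEL:-false}`, so any value other than the literal JSON tokens `true`/`false` (e.g. `1`, `yes`, `True`) produces invalid JSON and tailscale will not apply the serve config, and setting it to `true` publishes Mealie to the public internet via Tailscale Funnel with only Mealie's own login in front of it. Neither constraint is documented, and a `#` line inside the block scalar would become part of the JSON, so the comment belongs on the `ts-config:` key line (which sits in the previous hunk): `# TS_ALLOW_FUNNEL must be the literal JSON token true or false; true exposes this service to the public internet via Tailscale Funnel.`. Whether the clink and immich stacks honour the same variable is not visible in this diff; if they do not, say so in the README so the env var is not assumed to be global.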
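Review bot: The caddy-l4 module is pinned to a full commit SHA, but nothing in the Dockerfile says why a custom Caddy build is needed or how the pin is meant to be bumped, and the two `caddy:2.9.1-*` base images are pinned by tag only, so an upstream re-tag changes the build silently. A header comment would help, e.g. `# caddy-l4 adds the layer4 TCP proxy used for the Talk TURN ports; pinned by commit — bump deliberately and review the module diff.` (the layer4 use is what the sibling checkpoint Caddyfile shows; confirm that is the intended reason). If the image is meant to be reproducible, add `@sha256:…` digest pins to both `FROM` lines as well.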
+++ b/nextcloud/docker-compose.yml
@@ -0,0 +1,59 @@
+services:
+ ts-nextcloud:
+ image: tailscale/tailscale:latest
+ container_name: ts-nextcloud
+ restart: unless-stopped
+ hostname: ${TS_HOSTNAME}
+ environment:
+ - TS_AUTHKEY
+ - TS_EXTRA_ARGS
+ - TS_SERVE_CONFIG=/ts/serve.json
+ volumes:
+ - tailscale:/var/lib/tailscale
+ devices:
+ - /dev/net/tun:/dev/net/tun
+ cap_add:
+ - net_admin
+ - sys_module
+ configs:
+ - source: ts-config
+ target: /ts/serve.json
+
+ nextcloud-aio-mastercontainer:
+ image: ghcr.io/nextcloud-releases/all-in-one:latest
+ container_name: nextcloud-aio-mastercontainer
+ restart: always
+ init: true
+ environment:
+ APACHE_PORT: 11000
+ APACHE_IP_BINDING: 0.0.0.0
+ APACHE_ADDITIONAL_NETWORK: ""
+ SKIP_DOMAIN_VALIDATION: "false"
+ volumes:
+ - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ ports:
+ - "8080:8080"
+
+volumes:
+ nextcloud_aio_mastercontainer:
+ name: nextcloud_aio_mastercontainer
+ tailscale:
+
+configs:
+ ts-config:
+ content: |
+ {
+ "TCP": {
+ "80": {
+ "TCPForward": "127.0.0.1:11000"
+ },
+ "443": {
+ "TCPForward": "127.0.0.1:11000"
+ }
+ },
+ "AllowFunnel": {
+ "${TS_CERT_DOMAIN}:80": false,
+ "${TS_CERT_DOMAIN}:443": false
+ }
+ }
diff --git a/nextcloud/docker-compose.yml.checkpoint b/nextcloud/docker-compose.yml.checkpoint
new file mode 100644
index 0000000..d07006c
--- /dev/null
+++ b/nextcloud/docker-compose.yml.checkpoint
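Review bot: `ports: - "8080:8080"` publishes the AIO master container's admin interface on every host interface, which is at odds with the tailnet-only exposure the rest of this stack is built around (the checkpoint variant uses `expose:` instead); bind it to loopback with `- "127.0.0.1:8080:8080"` or reach it through tailscale serve. The `AllowFunnel` keys use a single `$` (`"${TS_CERT_DOMAIN}:80"`), so compose interpolates them at `up` time from a variable that is not in the env and tailscale receives `":80"`/`":443"`; the sibling stacks escape this as `$$` — `"$${TS_CERT_DOMAIN}:80": false, "$${TS_CERT_DOMAIN}:443": false`. The `TCPForward` targets `127.0.0.1:11000` from inside ts-nextcloud's own network namespace, while `APACHE_IP_BINDING: 0.0.0.0` has AIO publish Apache on the host rather than in that namespace, so I would expect the forward to reach nothing unless something not shown here bridges the two — a comment on how the two are meant to connect would help.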
@@ -0,0 +1,116 @@
+services:
+ ts-nextcloud:
+ image: tailscale/tailscale:latest
+ container_name: ts-nextcloud
+ restart: unless-stopped
+ hostname: ${TS_HOSTNAME}
+ environment:
+ - TS_AUTHKEY
+ - TS_EXTRA_ARGS
+ - TS_SERVE_CONFIG=/ts/serve.json
+ volumes:
+ - tailscale:/var/lib/tailscale
+ devices:
+ - /dev/net/tun:/dev/net/tun
+ cap_add:
+ - net_admin
+ - sys_module
+ configs:
+ - source: ts-config
+ target: /ts/serve.json
+ caddy:
+ build:
+ context: .
+ dockerfile: Caddy.Dockerfile
+ restart: always
+ #ports:
+ # - "80:80"
+ # - "443:443"
+ volumes:
+ - caddy_certs:/certs
+ - caddy_data:/data
+ - caddy_config:/config
+ #- tailscale_sock:/var/run/tailscale:ro
+ configs:
+ - source: caddy-config
+ target: /etc/caddy/Caddyfile
+ network_mode: service:ts-nextcloud
+
+ nextcloud-aio-mastercontainer:
+ image: ghcr.io/nextcloud-releases/all-in-one:latest
+ container_name: nextcloud-aio-mastercontainer
+ restart: always
+ init: true
+ environment:
+ APACHE_PORT: 11000
+ APACHE_IP_BINDING: 0.0.0.0
+ APACHE_ADDITIONAL_NETWORK: ""
+ SKIP_DOMAIN_VALIDATION: "false"
+ volumes:
+ - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ expose:
+ - "8080"
+
+volumes:
+ nextcloud_aio_mastercontainer:
+ name: nextcloud_aio_mastercontainer
+ caddy_certs:
+ caddy_data:
+ caddy_config:
+ tailscale:
+
+configs:
+ caddy-config:
+ content: |
+ {
+ layer4 {
+ 127.0.0.1:3478 {
+ route {
+ proxy {
+ upstream nextcloud-aio-talk:3478
+ }
+ }
+ }
+ 127.0.0.1:3479 {
+ route {
+ proxy {
+ upstream nextcloud-aio-talk:3479
+ }
+ }
+ }
+ }
+ }
+ https://${NC_DOMAIN} {
+ reverse_proxy nextcloud-aio-apache:11000 {
+ header_up X-Forwarded-Proto "https"
+ header_up Host {host}
+ }
+ }
+ http://{$NC_DOMAIN} {
+ reverse_proxy nextcloud-aio-apache:11000 {
+ header_up X-Forwarded-Proto "http"
+ header_up Host {host}
+ }
+ }
+ ts-config:
+ content: |
+ {
+ "TCP": {
+ "443": {
+ "HTTPS": true
+ }
+ },
+ "Web": {
+ "$${TS_CERT_DOMAIN}:443": {
+
"Handlers": {
+ "/": {
+ "Proxy": "http://127.0.0.1:11000"
+ }
+ }
+ }
+ },
+ "AllowFunnel": {
+ "$${TS_CERT_DOMAIN}:443": ${TS_ALLOW_FUNNEL:-false}
+ }
+ }
diff --git a/nextcloud/example.env b/nextcloud/example.env
new file mode 100644
index 0000000..cfdcfd7
--- /dev/null
+++ b/nextcloud/example.env
@@ -0,0 +1,5 @@
+TS_HOSTNAME=nextcloud
+TS_AUTHKEY=tskey-client-nnn
+TS_EXTRA_ARGS=--advertise-tags=tag:container
+TS_ALLOW_FUNNEL=false
+NC_DOMAIN=nextcloud.your-tailnet.ts.net
diff --git a/pacebin/docker-compose.yml b/pacebin/docker-compose.yml
index b51d10c..c214e86 100644
--- a/pacebin/docker-compose.yml
+++ b/pacebin/docker-compose.yml
@@ -16,7 +16,7 @@ services:
 - net_admin - sys_module configs: - - source: serve-config + - source: ts-config target: /ts/serve.json pacebin: build: .
@@ -34,7 +34,7 @@ volumes:
 pacebin-data: tailscale: configs: - serve-config: + ts-config: content: | { "TCP": {
diff --git a/radicale/docker-compose.yml b/radicale/docker-compose.yml
new file mode 100644
index 0000000..47b1328
--- /dev/null
+++ b/radicale/docker-compose.yml
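Review bot: The checkpoint Caddyfile addresses the domain two different ways — `https://${NC_DOMAIN}` is expanded by compose from the `.env`, whereas `http://{$NC_DOMAIN}` is a Caddy runtime environment placeholder, and the `caddy` service in this hunk passes no `NC_DOMAIN` into its environment, so the plain-HTTP site block would presumably bind an empty host; use `http://${NC_DOMAIN} {` for both. The ts-config Web handler proxies `/` to `http://127.0.0.1:11000`, yet Caddy shares ts-nextcloud's network namespace and listens on its own 80/443 while proxying to `nextcloud-aio-apache:11000`, so nothing in that namespace appears to listen on 11000 — either point the handler at Caddy's port or drop the Web block and let Caddy own 443 (it is a checkpoint, so this may be in flux). The master container still mounts `/var/run/docker.sock`, and `:ro` does not restrict the Docker API, so that container remains root-equivalent on the host; a comment stating that AIO requires the socket would stop a later reviewer from treating `:ro` as a mitigation.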
@@ -0,0 +1,77 @@
+# Can be enhanced with an additional compose file
+# See also https://docs.docker.com/compose/production/#modify-your-compose-file-for-production
+
+services:
+ ts-radicale:
+ image: tailscale/tailscale:latest
+ container_name: ts-radicale
+ restart: unless-stopped
+ hostname: ${TS_HOSTNAME}
+ environment:
+ - TS_AUTHKEY
+ - TS_EXTRA_ARGS
+ - TS_SERVE_CONFIG=/ts/serve.json
+ volumes:
+ - tailscale:/var/lib/tailscale
+ devices:
+ - /dev/net/tun:/dev/net/tun
+ cap_add:
+ - net_admin
+ - sys_module
+ configs:
+ - source: ts-config
+ target: /ts/serve.json
+ radicale:
+ image: tomsquest/docker-radicale
+ container_name: radicale
+ network_mode: service:ts-radicale
+ #ports:
+ # - 127.0.0.1:5232:5232
+ init: true
+ read_only: true
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - SETUID
+ - SETGID
+ - CHOWN
+ - KILL
+ deploy:
+ resources:
+ limits:
+ memory: 256M
+ pids: 50
+ healthcheck:
+ test: curl -f http://127.0.0.1:5232 || exit 1
+ interval: 30s
+ retries: 3
+ restart: unless-stopped
+ volumes:
+ - ${RADICALE_DATA_DIR}:/data
+
+volumes:
+ tailscale:
+configs:
+ ts-config:
+ content: |
+ {
+ "TCP": {
+ "443": {
+ "HTTPS": true
+ }
+ },
+ "Web": {
+ "$${TS_CERT_DOMAIN}:443": {
+ "Handlers": {
+ "/": {
+ "Proxy": "http://127.0.0.1:5232"
+ }
+ }
+ }
+ },
+ "AllowFunnel": {
+ "$${TS_CERT_DOMAIN}:443": ${TS_ALLOW_FUNNEL:-false}
+ }
+ }
diff --git a/radicale/example.env b/radicale/example.env
new file mode 100644
index 0000000..cc2a167
--- /dev/null
+++ b/radicale/example.env
@@ -0,0 +1,6 @@
+TS_HOSTNAME=radicale
+TS_AUTHKEY=tskey-client-nnn-nnn
+TS_EXTRA_ARGS=--advertise-tags=tag:container
+TS_ALLOW_FUNNEL=false
+BASE_DATA_DIR=.
+RADICALE_DATA_DIR=${BASE_DATA_DIR}/radicale-data
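Review bot: `image: tomsquest/docker-radicale` carries no tag or digest, so every pull may silently pick up a new upstream build, while the mealie stack in this same diff pins `mealie:v1.0.0`; pin a tag here too, e.g. `image: tomsquest/docker-radicale:<version>@sha256:<digest>`. The hardening (`read_only`, `cap_drop: ALL`, `no-new-privileges`, pid and memory limits) is good and deserves a one-line comment above `radicale:` such as `# Hardened per upstream image docs: read-only rootfs, minimal caps, no privilege escalation — keep when editing.` so it is not simplified away later. Nothing in the compose mounts a Radicale config, so authentication comes from whatever lives in `${RADICALE_DATA_DIR}` or the image default — confirm it is enabled, because the serve config makes port 5232 reachable by every tailnet peer and, with `TS_ALLOW_FUNNEL=true`, by the public internet.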