james/blog
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

.

Browse source
This commit is contained in:
ryfrd 2025-03-06 17:27:32 +00:00
parent 478c5823e3
commit 0e6cfb0d23
150 changed files with 40696 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

77
content/posts/tailscale-caddy-nixos-containers.md Normal file
View file

@ -0,0 +1,77 @@
---
title: tailscale, caddy, and nixos containers - a match made in heaven
date: 2023-05-16
tags:
- nixos
- caddy
- tailscale
- self-hosting
draft: false
---
For a little while now I've been running some services (jellyfin etc.) on an old laptop in my house. I'm not trying to sound like a podcast ad but as a networking novice, the simplicity [tailscale](https://tailscale.com/) brings to accessing these services remotely is very nice. Until recently though, I had been accessing my services like a heathen with http and port numbers (eg http://tailscale-ip:service-port). This works and is perfectly secure thanks to tailscale though it lacks a certain finesse. In an ideal world you'd have a reverse proxy and set up SSL certs so your browser doesn't get stressed and you dont have to rememeber ip addresses and port numbers.
When I initially looked at how to do this it seemed like it was above my paygrade and not worth the stress; that was until I came across [this](https://caddy.community/t/https-in-your-vpn-caddy-now-uses-tls-certificates-from-tailscale/15380). This works great and is as simple as advertised though there is one drawback: you can only reverse proxy one service per host. So for my usecase of the laptop with multiple services running on it I could only use the magic caddy tailscale auto-https thing for one of them.
### what to do?
Seeing as I was already using nixos on my latop server I turned to a slightly cumbersome nixos solution. One [nixos-container](https://nixos.wiki/wiki/NixOS_Containers) for each service I wanted over https. I'd be lying If I said I completely understand all of this NAT business but this was the config I cobbled together (copied from the nixos docs).
```nix
networking.nat = {
enable = true;
internalInterfaces = ["ve-+"];
externalInterface = "ens3";
};
containers.jellyfin = {
autoStart = true;
enableTun = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
bindMounts = {
"/films" = {
hostPath = "/mnt/films";
};
};
config = { pkgs, ... }: {
services.tailscale = {
enable = true;
# permit caddy to get certs from tailscale
permitCertUid = "caddy";
};
services.jellyfin = {
enable = true;
openFirewall = true;
};
services.caddy = {
enable = true;
extraConfig = ''
jellyfin.tailnet-name.ts.net {
reverse_proxy localhost:8096
}
'';
};
# open https port
networking.firewall.allowedTCPPorts = [ 443 ];
system.stateVersion = "23.05";
};
};
}
```
This example enables the jellyfin, tailscale, and caddy services, mounts a film folder from the host, and lets the container talk to the internet.
Once you've logged into the container `sudo nixos-container root-login jellyfin` and authenticated with tailscale `sudo tailscale up`, you should be able to access your jellyfin in your browser at `https://jellyfin.tailnet-name.ts.net`.
As well as solving the multiple services problem, separating services onto their own hosts is nice if you want to [share](https://tailscale.com/kb/1084/sharing/) a particular service with someone else. I personaly feel happier just sharing one container running jellyfin rather than the whole host with multiple things on it. Anyway thanks for listening to my TED talk.