--- title: Tailscale, caddy, and nixos containers date: 2023-05-16 tags: - nixos - caddy - tailscale - self-hosting draft: false --- For a little while now I've been running some services (jellyfin etc.) on an old laptop in my house. I'm not trying to sound like a podcast ad but as a networking novice, the simplicity [tailscale](https://tailscale.com/) brings to accessing these services remotely is very nice. Until recently though, I had been accessing my services like a heathen with http and port numbers (eg http://tailscale-ip:service-port). This works and is perfectly secure thanks to tailscale though it lacks a certain finesse. In an ideal world you'd have a reverse proxy and set up SSL certs so your browser doesn't get stressed and you dont have to rememeber ip addresses and port numbers. When I initially looked at how to do this it seemed like it was above my paygrade and not worth the stress; that was until I came across [this](https://caddy.community/t/https-in-your-vpn-caddy-now-uses-tls-certificates-from-tailscale/15380). This works great and is as simple as advertised though there is one drawback: you can only reverse proxy one service per host. So for my usecase of the laptop with multiple services running on it I could only use the magic caddy tailscale auto-https thing for one of them. ### what to do? Seeing as I was already using nixos on my latop server I turned to a slightly cumbersome nixos solution. One [nixos-container](https://nixos.wiki/wiki/NixOS_Containers) for each service I wanted over https. I'd be lying If I said I completely understand all of this NAT business but this was the config I cobbled together (copied from the nixos docs). ```nix networking.nat = { enable = true; internalInterfaces = ["ve-+"]; externalInterface = "ens3"; }; containers.jellyfin = { autoStart = true; enableTun = true; privateNetwork = true; hostAddress = "192.168.100.10"; localAddress = "192.168.100.11"; bindMounts = { "/films" = { hostPath = "/mnt/films"; }; }; config = { pkgs, ... }: { services.tailscale = { enable = true; # permit caddy to get certs from tailscale permitCertUid = "caddy"; }; services.jellyfin = { enable = true; openFirewall = true; }; services.caddy = { enable = true; extraConfig = '' jellyfin.tailnet-name.ts.net { reverse_proxy localhost:8096 } ''; }; # open https port networking.firewall.allowedTCPPorts = [ 443 ]; system.stateVersion = "23.05"; }; }; } ``` This example enables the jellyfin, tailscale, and caddy services, mounts a film folder from the host, and lets the container talk to the internet. Once you've logged into the container `sudo nixos-container root-login jellyfin` and authenticated with tailscale `sudo tailscale up`, you should be able to access your jellyfin in your browser at `https://jellyfin.tailnet-name.ts.net`. As well as solving the multiple services problem, separating services onto their own hosts is nice if you want to [share](https://tailscale.com/kb/1084/sharing/) a particular service with someone else. I personaly feel happier just sharing one container running jellyfin rather than the whole host with multiple things on it. Anyway thanks for listening to my TED talk.