77 lines
3.4 KiB
Markdown
77 lines
3.4 KiB
Markdown
---
|
|
title: Tailscale, caddy, and nixos containers
|
|
date: 2023-05-16
|
|
tags:
|
|
- nixos
|
|
- caddy
|
|
- tailscale
|
|
- self-hosting
|
|
draft: false
|
|
---
|
|
For a little while now I've been running some services (jellyfin etc.) on an old laptop in my house. I'm not trying to sound like a podcast ad but as a networking novice, the simplicity [tailscale](https://tailscale.com/) brings to accessing these services remotely is very nice. Until recently though, I had been accessing my services like a heathen with http and port numbers (eg http://tailscale-ip:service-port). This works and is perfectly secure thanks to tailscale though it lacks a certain finesse. In an ideal world you'd have a reverse proxy and set up SSL certs so your browser doesn't get stressed and you dont have to rememeber ip addresses and port numbers.
|
|
|
|
When I initially looked at how to do this it seemed like it was above my paygrade and not worth the stress; that was until I came across [this](https://caddy.community/t/https-in-your-vpn-caddy-now-uses-tls-certificates-from-tailscale/15380). This works great and is as simple as advertised though there is one drawback: you can only reverse proxy one service per host. So for my usecase of the laptop with multiple services running on it I could only use the magic caddy tailscale auto-https thing for one of them.
|
|
|
|
### what to do?
|
|
|
|
Seeing as I was already using nixos on my latop server I turned to a slightly cumbersome nixos solution. One [nixos-container](https://nixos.wiki/wiki/NixOS_Containers) for each service I wanted over https. I'd be lying If I said I completely understand all of this NAT business but this was the config I cobbled together (copied from the nixos docs).
|
|
|
|
```nix
|
|
networking.nat = {
|
|
enable = true;
|
|
internalInterfaces = ["ve-+"];
|
|
externalInterface = "ens3";
|
|
};
|
|
|
|
containers.jellyfin = {
|
|
autoStart = true;
|
|
enableTun = true;
|
|
privateNetwork = true;
|
|
hostAddress = "192.168.100.10";
|
|
localAddress = "192.168.100.11";
|
|
bindMounts = {
|
|
"/films" = {
|
|
hostPath = "/mnt/films";
|
|
};
|
|
};
|
|
|
|
config = { pkgs, ... }: {
|
|
|
|
services.tailscale = {
|
|
enable = true;
|
|
# permit caddy to get certs from tailscale
|
|
permitCertUid = "caddy";
|
|
};
|
|
|
|
services.jellyfin = {
|
|
enable = true;
|
|
openFirewall = true;
|
|
};
|
|
|
|
services.caddy = {
|
|
enable = true;
|
|
extraConfig = ''
|
|
|
|
jellyfin.tailnet-name.ts.net {
|
|
reverse_proxy localhost:8096
|
|
}
|
|
|
|
'';
|
|
};
|
|
|
|
|
|
# open https port
|
|
networking.firewall.allowedTCPPorts = [ 443 ];
|
|
|
|
system.stateVersion = "23.05";
|
|
|
|
};
|
|
};
|
|
}
|
|
```
|
|
|
|
This example enables the jellyfin, tailscale, and caddy services, mounts a film folder from the host, and lets the container talk to the internet.
|
|
|
|
Once you've logged into the container `sudo nixos-container root-login jellyfin` and authenticated with tailscale `sudo tailscale up`, you should be able to access your jellyfin in your browser at `https://jellyfin.tailnet-name.ts.net`.
|
|
|
|
As well as solving the multiple services problem, separating services onto their own hosts is nice if you want to [share](https://tailscale.com/kb/1084/sharing/) a particular service with someone else. I personaly feel happier just sharing one container running jellyfin rather than the whole host with multiple things on it. Anyway thanks for listening to my TED talk.
|