I am currently planning to set up nextcloud as it is described in https://help.nextcloud.com/t/nextcloud-docker-compose-setup-with-caddy-2024/204846 and make it available via tailscale.
I found a tailscale reverse proxy example for the AIO Version: https://github.com/nextcloud/all-in-one/discussions/5439 which also uses caddy as reverse proxy.
It might be possible to adjust it to the nextcloud:fpm stack.
But it might also be possible to use the built in reverse proxy of the tailscale sidecar by using a TS_SERVE_CONFIG . In this json file the multiple paths (/push/* and the / root) can be configured and can redirect to the right internal dns name and port (notify_push:7867 and web:80) https://tailscale.com/blog/docker-tailscale-guide
Has anyone done that? Can someone share a complete example?
The manual istall now seems too cluttered for me, aswell as the caddy webserver configuration. The AIO probably has an more up to date configuration which is vetted by the community.
I will try to configure the AIO version how i like it, but still apply what i have learned connecting tailscale (https://github.com/nextcloud/all-in-one/discussions/5439)
@BakedCatboy@lemmy.ml your example helped clarify the network and service linking, thank you.
I’ve done something similar but I’m not sure how helpful my example would be because I use wireguard instead of tailscale and traefik instead of caddy.
The principle is the same though, iirc I have my traefik container set to network_mode: “service:wireguard” so that the traefik container uses the wireguard container’s network stack. That way the traefik container also sees the wireguard interface and can receive traffic going to the wireguard IP. Then at the other end of the wireguard tunnel I can use haproxy to pass traffic to the wireguard IP through the tunnel and it automatically hits traefik.
So that means i need to link the webserver to the tailscale service
network_mode: service:tailscaleAnd also add the tailscale to the “proxy” network that is created (like also done in the aio example with
networks: - nextcloud-aio)
Partially yes, the tricky thing is that when using
network_mode: "service:tailscale"(presumably on the caddy container since that’s what needs to receive traffic from the tailscale network), you won’t be able to attach the caddy container to any networks since it’s using the tailscale network stack. This means that in order for caddy to reach your containers, you will need to add the tailscale container itself to the relevant networks. Any attached containers will be connected as well.(Not sure if I misread the first time or if you edited but the way you say it is right, add the tailscale container to the proxy network so that caddy will also be added and can reach the containers)
Here’s the super condensed version of what matters for connecting traefik/caddy to a VPN like wireguard/tailscale.
- I left out all WG config since presumably you know how to configure tailscale
- Left out acme / letsencrypt stuff since that would be different on caddy anyway
- You may need to configure caddy to trust the tailscale tunnel IP of the machine on the other end that will be reverse proxying over the tunnel.
- Traefik I guess requires you to specify the docker network to use to reach stuff, I just put anything that should be accessible into “ingress” as you can see. I’m not sure if my setup supports using a different proxy network per app but maybe caddy allows that.
My traefik compose:
services: wireguard: container_name: wireguard networks: - ingress traefik: network_mode: "service:wireguard" depends_on: - wireguard command: - "--entryPoints.web.proxyProtocol.trustedIPs=10.13.13.1" # Trust remote tunnel IP, the WG container is 10.13.13.2 - "--entrypoints.websecure.address=:443" - "--entryPoints.websecure.proxyProtocol.trustedIPs=10.13.13.1" - "--entrypoints.web.http.redirections.entrypoint.to=websecure" - "--entrypoints.web.http.redirections.entrypoint.scheme=https" - "--entrypoints.web.http.redirections.entrypoint.priority=100" - "--providers.docker.exposedByDefault=false" - "--providers.docker.network=ingress" networks: ingress: external: trueAnd then in a service’s docker-compose:
services: ui: image: myapp read_only: true restart: always labels: - "traefik.enable=true" - "traefik.http.routers.myapp.rule=Host(`xxxx.xxxx.xxxx`)" - "traefik.http.services.myapp.loadbalancer.server.port=80" - "traefik.http.routers.myapp.entrypoints=websecure" - "traefik.http.routers.myapp.tls.certresolver=mytlschallenge" networks: - ingress networks: ingress: external: true(edited to fix formatting on mobile)
I had the hardest time with this. What I ended up doing instead was provisioning a dedicated vm to run as a tailscale subnet router, then just advertise my gateway and the applicable container IPs via /32 CIDRs. Tailscale will let you do multiple comma separated IPs when advertising routes, so it’s easy to append a new service via IP.