I currently have my home services set up in a way I like, and think I understand. I have an S12 pro w/ *arr, Overseerr, Immich, paperless, etc running. The only things exposed are immich, paperless, and overseerr. This is via swag/dockerproxy over a cloudflare tunnel. This makes it so I don’t have to do anything on the cloudflare end or my router to add a new service. DockerProxy picks up a new container, swag configures a reverse proxy automatically (assuming it recognizes the container, but it also supports custom configs) using the container_id as the subdomain.

I’m looking at setting up a VPS to host authentik and uptima kuma (to start - maybe ntfy in the future). What I’d like to do is have the public interface on these containers use the same cloudflare tunnel I’m currently using… or a second one, if necessary. For the interface back to my home server, I’d like to use Tailscale. I already have it running on my home server, and I expect I’ll install it on my VPS. The goal here is the “public” connection uses the cloudflare tunnel, and the backend connection is over tailscale.

I’ve tested that I can spin up swag/dockerproxy on a second box in my lab and it will connect to cloudflare. I have not yet tested standing up a container on that box to see if the proxy works as expected.

So, questions:

  • Tailscale on VPS: container or no? Obviously, if I can’t install it locally, I’ll put it in a container
  • How to I configure a container to use these 2 networks? I’m fairily good on getting the cloudflare part working. The TS part is new to me, and all the documentation I’ve seen doesn’t really cover other containers using the tailnet.
  • Am I overthinking this? If I put these services on tailnet alone, will the cloudflare tunnel… tunnel back and forth to/from clients not on tailnet?
  • just_another_person@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    ·
    2 months ago

    Can you make it work? Yes

    Should you make it work? No

    It’s going to flakey beyond belief for a number of reasons, and you’ll need some pretty complex routing to make it work how I think you’re describing. I would look at using a clustered setup for your auth instead so you never get locked out due to network issues.

    • d00phy@lemmy.worldOP
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      2 months ago

      So I learned today that I need to play with the conflate tunnel if I want two systems using one domain. I’m hoping a second api key will help. Honestly, until I tested the second server on the tunnel, that’s been rock solid. Or are you saying using both networks will inject flakiness?

      Also, I appreciate the suggestion of clustered with, but none of this is mission critical. If it’s down until I can login/fix, I’m ok with that. Only a 2-3 people using it.

      • d00phy@lemmy.worldOP
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        2
        ·
        2 months ago

        Just reread you comment and I guess it’s the network that will cause issues. To be clear, I think I can make the cloudflare portion work one way or another (I have a second domain i can use if necessary). If my thinking is correct the tailnet communication would be over that IP space - not trying to route to my LAN net. Unless I’m missing something.