This file, as well as the .gitignore file, should end up next to every stack. Some stacks only need certain environment variables (remove parts accordingly). I recommend putting each docker-compose.yml into a folder named after the part before the underscore (_) in the gist's .yml filename.
You should not commit secrets to git.
Traefik should really be updated to the latest version; I'm still using version 1.7.
Before running, create a .env file in this folder with:
TS_AUTHKEY=SOME_HEX_STRING # generate this key inside your headscale server container
HOSTNAME=docker-home # prefix used to generate the hostname visible in tailscale
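A pre-flight check for a stack folder, added here as an example and not part of the gist: it confirms that the .env next to docker-compose.yml defines TS_AUTHKEY and HOSTNAME, that the SOME_HEX_STRING placeholder was replaced, and that .env is listed in the folder's .gitignore so the key cannot be committed. The function names (env_value, check_stack, make_demo), the demo directory under /tmp and the demo key value are my own assumptions and constructed sample data.

```shell
#!/bin/sh
# Added pre-flight check (not part of the gist): before starting the stack,
# confirm that .env defines the variables this stack needs, that the
# SOME_HEX_STRING placeholder was replaced, and that .env is ignored by git.
REQUIRED_KEYS="TS_AUTHKEY HOSTNAME"   # keys from the gist's tailscale .env

# env_value FILE KEY -> prints KEY's value with any trailing "# comment" removed
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | head -n 1 |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//'
}

# check_stack DIR -> returns 0 when the folder is safe to start, 1 otherwise
check_stack() {
    dir=$1 status=0
    if [ ! -f "$dir/.env" ]; then
        echo "$dir: .env is missing"; return 1
    fi
    for key in $REQUIRED_KEYS; do
        value=$(env_value "$dir/.env" "$key")
        if [ -z "$value" ]; then
            echo "$dir: $key is not set"; status=1
        elif [ "$key" = TS_AUTHKEY ] && [ "$value" = SOME_HEX_STRING ]; then
            echo "$dir: TS_AUTHKEY still holds the placeholder"; status=1
        fi
    done
    # .env must be ignored; accept ".env", "/.env" or "*.env" entries
    if ! grep -Eqx '(/|\*)?\.env' "$dir/.gitignore" 2>/dev/null; then
        echo "$dir: .env is not listed in .gitignore"; status=1
    fi
    return $status
}

# make_demo DIR good|bad -> writes a constructed stack folder to try it on
make_demo() {
    mkdir -p "$1"
    if [ "$2" = good ]; then
        printf 'TS_AUTHKEY=0123456789abcdef # constructed, not a real key\n' > "$1/.env"
        printf 'HOSTNAME=docker-home\n' >> "$1/.env"
        printf '.env\n' > "$1/.gitignore"
    else
        printf 'TS_AUTHKEY=SOME_HEX_STRING\nHOSTNAME=docker-home\n' > "$1/.env"
        : > "$1/.gitignore"   # nothing ignored: the key would be committed
    fi
}

demo=${TMPDIR:-/tmp}/tailscale-stack-demo
make_demo "$demo/good" good; check_stack "$demo/good" && echo "$demo/good: ready"
make_demo "$demo/bad" bad; check_stack "$demo/bad" || echo "$demo/bad: not ready"
```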
The tailscale docs on docker talk about some neat support for tailscale serve.
It seemed to me as if this is no longer working; I think the docs may simply be outdated here.
Ticket I've created: tailscale-dev/docker-guide-code-examples#9
The whole tailscale https feature currently doesn't work with headscale. Source: juanfont/headscale#1921
There's no support for tailscale's funnel feature in headscale either.
Personally I decided I don't like most of the headscale DNS features. I'm handling DNS myself and don't use magic DNS. I just set the headscale DNS to my pihole. I handle all custom A records in pihole. For all devices that are permanently at home I've disabled the DNS feature of tailscale (at least on GUI clients; servers may be different). The reason for this is that tailscale has no working support for split DNS from my testing, and I still want to reach devices within my home network that aren't on the tailnet via hostname (e.g. fritz.box etc.). To accomplish that I've configured my pihole as upstream DNS in my fritz-box.
Thus this basically limits the use of headscale to just the bare basics of setting up the tunnels, with a separate IP range and "static" or at least sticky IPs for each client.