@pirogoeth
Created July 14, 2023 15:59
coder w/ tailscale tunneling

assumptions:

  • no Docker network on the host already uses 172.20.0.0/16 (check the IPAM subnet of each network with `docker network inspect`)
    • if one does, change the subnet at networks.tailnet.ipam.config.0 to an unused range
    • and set TS_ROUTES=your-network/24 so the tailscale container advertises that range instead of the default 172.20.0.0/24; like any Tailscale subnet route, it has to be approved in the admin console (or by an autoApprovers ACL rule) before other nodes can use it
    • the advertised route only covers containers attached to the tailnet network; attach any service you want reachable from the tailnet to that network
  • you're not running rootless Docker/Podman (the tailscale service needs NET_ADMIN, /dev/net/tun and kernel sysctls, and coder needs write access to the host's Docker socket)
  • traefik is configured in your stack. specifically:
    • it is attached to a Docker network called "servicenet", which is the network all publicly exposed services listen on
    • it consumes Docker container labels to build the service catalog
    • it has a TLS cert resolver called "default-le" (set TRAEFIK_TLS_RESOLVER=<your resolver name> otherwise)

required environment variables (a .env file next to the compose file works):

FRONTEND_HOST=<HTTP host traefik routes to coder (ex., code.example.org)>
CODER_ACCESS_URL=<full HTTPS URL that workspaces can reach (ex., https://code.example.org/)>
TS_AUTHKEY=<Tailscale auth key generated in the admin console; treat it as a secret>
POSTGRES_PASSWORD=<database password; the compose file falls back to the literal "password" if this is unset>
CODER_VERSION=v0.23.7 (pin a release; the compose file falls back to "latest" if this is unset)
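The assumptions and variables above are easy to get wrong silently (a subnet clash only shows up as broken routing, an unset POSTGRES_PASSWORD becomes the literal "password"). The script below is an added example, not part of the gist: it checks them before `docker compose up`. The CIDR overlap and variable checks are pure shell and run offline; the live checks (`sh preflight.sh run`) assume the docker CLI and getent are on the host, and TAILNET_SUBNET is an assumed variable for whatever you put at networks.tailnet.ipam.config.0.

```shell
#!/bin/sh
# preflight.sh: verify the gist's assumptions before bringing the stack up.
# Added example, not part of the gist. Run it before the stack's own
# networks exist, otherwise the tailnet network reports a clash with itself.
set -eu

# Dotted-quad IPv4 address -> 32-bit integer. The subshell body keeps the
# IFS change local to this function.
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_overlaps A/len B/len: exit 0 if the two IPv4 ranges share any address.
# Two prefixes overlap iff they agree on the shorter of the two prefix lengths.
cidr_overlaps() {
  a_ip=${1%/*}; a_len=${1#*/}
  b_ip=${2%/*}; b_len=${2#*/}
  if [ "$a_len" -lt "$b_len" ]; then len=$a_len; else len=$b_len; fi
  mask=$(( 4294967295 - ((1 << (32 - len)) - 1) ))
  [ $(( $(ip2int "$a_ip") & mask )) -eq $(( $(ip2int "$b_ip") & mask )) ]
}

# Print the required variables that are unset or empty, one per line.
missing_env() {
  for v in FRONTEND_HOST CODER_ACCESS_URL TS_AUTHKEY; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || echo "$v"
  done
}

# Print one line per weak or inconsistent setting; prints nothing when clean.
config_warnings() {
  [ -n "${POSTGRES_PASSWORD:-}" ] || echo "POSTGRES_PASSWORD unset: compose falls back to the literal 'password'"
  [ -n "${CODER_VERSION:-}" ] || echo "CODER_VERSION unset: image tag falls back to 'latest'"
  case "${CODER_ACCESS_URL:-}" in
    https://*) ;;
    *) echo "CODER_ACCESS_URL must be a full https:// URL (traefik terminates TLS)" ;;
  esac
  if [ -n "${FRONTEND_HOST:-}" ] && [ -n "${CODER_ACCESS_URL:-}" ]; then
    case "$CODER_ACCESS_URL" in
      *"$FRONTEND_HOST"*) ;;
      *) echo "CODER_ACCESS_URL does not contain FRONTEND_HOST, but traefik only routes Host(FRONTEND_HOST)" ;;
    esac
  fi
}

# Live checks against the Docker daemon (docker CLI and getent assumed present).
preflight() {
  want=${TAILNET_SUBNET:-172.20.0.0/16}   # subnet at networks.tailnet.ipam.config.0
  for net in $(docker network ls -q); do
    for subnet in $(docker network inspect -f '{{range .IPAM.Config}}{{.Subnet}} {{end}}' "$net"); do
      case "$subnet" in *:*) continue ;; esac   # skip IPv6 ranges
      if cidr_overlaps "$subnet" "$want"; then
        echo "CONFLICT: network $(docker network inspect -f '{{.Name}}' "$net") already uses $subnet; change the tailnet subnet and TS_ROUTES"
      fi
    done
  done
  docker network inspect servicenet >/dev/null 2>&1 || echo "MISSING: external network servicenet (traefik's network)"
  docker volume inspect coder-data >/dev/null 2>&1 || echo "MISSING: external volume coder-data"
  echo "docker group GID on this host (must match group_add in the coder service): $(getent group docker | cut -d: -f3)"
  missing_env | sed 's/^/MISSING: env var /'
  config_warnings | sed 's/^/WARN: /'
}

case "${1:-}" in run) preflight ;; esac
```

Source the .env file first (`set -a; . ./.env; set +a`) so the variable checks see the same values compose will, then fix every CONFLICT and MISSING line before starting the stack.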
compose file:

version: "3.9"
networks:
  backend: {}
  outbound: {}
  tailnet:
    ipam:
      driver: default
      config:
        - subnet: 172.20.0.0/16
          ip_range: 172.20.0.0/24
          gateway: 172.20.0.1
  servicenet:
    external: true
volumes:
  coder-data:
    external: true
  tailscale-data: {}
services:
  coder:
    image: ghcr.io/coder/coder:${CODER_VERSION:-latest}
    environment:
      # Plain-text credentials over the internal "backend" network only;
      # set POSTGRES_PASSWORD so the "password" fallback is never used.
      CODER_PG_CONNECTION_URL: "postgresql://${POSTGRES_USER:-username}:${POSTGRES_PASSWORD:-password}@database/${POSTGRES_DB:-coder}?sslmode=disable"
      CODER_ADDRESS: "0.0.0.0:7080"
      # You'll need to set CODER_ACCESS_URL to an IP or domain
      # that workspaces can reach. This cannot be localhost
      # or 127.0.0.1 for non-Docker templates!
      CODER_ACCESS_URL: "${CODER_ACCESS_URL}"
    # Coder drives the host's Docker socket to run Docker-template
    # workspaces; anything that can write to that socket is effectively
    # root on the host. group_add puts the coder user in the host's docker
    # group so it can write to the socket. Set the GID to the one shown by
    # `getent group docker` on your host (997 here).
    group_add:
      - "997" # docker group on host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    depends_on:
      database:
        condition: service_healthy
    networks:
      - servicenet
      - backend
    labels:
      - "appname=coder"
      - "traefik.enable=true"
      - "traefik.http.routers.coder.rule=Host(`${FRONTEND_HOST}`)"
      - "traefik.http.routers.coder.entrypoints=web-secure"
      - "traefik.http.routers.coder.service=coder"
      - "traefik.http.routers.coder.tls=true"
      - "traefik.http.routers.coder.tls.certResolver=${TRAEFIK_TLS_RESOLVER:-default-le}"
      - "traefik.http.services.coder.loadbalancer.server.port=7080"
      - "traefik.http.services.coder.loadbalancer.passhostheader=true"
  database:
    image: "postgres:14.2"
    environment:
      POSTGRES_USER: ${POSTGRES_USER:-username} # The PostgreSQL user (useful to connect to the database)
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-password} # The PostgreSQL password (useful to connect to the database)
      POSTGRES_DB: ${POSTGRES_DB:-coder} # The PostgreSQL default database (automatically created at first launch)
    volumes:
      - coder-data:/var/lib/postgresql/data # Use "docker volume rm coder-data" to reset Coder
    networks:
      - backend # no published ports; only coder reaches the database
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-username} -d ${POSTGRES_DB:-coder}"]
      interval: 5s
      timeout: 5s
      retries: 5
  tailscale:
    image: "tailscale/tailscale:stable"
    # Kernel-mode networking: needs NET_ADMIN/NET_RAW, the tun device and
    # forwarding sysctls, hence the "no rootless Docker" assumption above.
    cap_add:
      - NET_ADMIN
      - NET_RAW
    environment:
      TS_AUTHKEY: "${TS_AUTHKEY}"
      TS_ACCEPT_DNS: "${TS_ACCEPT_DNS:-true}"
      TS_EXTRA_ARGS: "${TS_EXTRA_ARGS}"
      # Subnet route advertised to the tailnet; must match the tailnet
      # network's ip_range and be approved in the Tailscale admin console.
      TS_ROUTES: "${TS_ROUTES:-172.20.0.0/24}"
      TS_USERSPACE: "${TS_USERSPACE:-false}"
    volumes:
      - tailscale-data:/var/lib
    devices:
      - /dev/net/tun:/dev/net/tun
    sysctls:
      net.ipv4.ip_forward: 1
      net.ipv6.conf.all.forwarding: 1
    networks:
      - outbound
      - tailnet