I currently have my home services set up in a way I like, and think I understand. I have an S12 pro w/ *arr, Overseerr, Immich, paperless, etc running. The only things exposed are immich, paperless, and overseerr. This is via swag/dockerproxy over a cloudflare tunnel. This makes it so I don’t have to do anything on the cloudflare end or my router to add a new service. DockerProxy picks up a new container, swag configures a reverse proxy automatically (assuming it recognizes the container, but it also supports custom configs) using the container_id as the subdomain.
I’m looking at setting up a VPS to host authentik and uptima kuma (to start - maybe ntfy in the future). What I’d like to do is have the public interface on these containers use the same cloudflare tunnel I’m currently using… or a second one, if necessary. For the interface back to my home server, I’d like to use Tailscale. I already have it running on my home server, and I expect I’ll install it on my VPS. The goal here is the “public” connection uses the cloudflare tunnel, and the backend connection is over tailscale.
I’ve tested that I can spin up swag/dockerproxy on a second box in my lab and it will connect to cloudflare. I have not yet tested standing up a container on that box to see if the proxy works as expected.
So, questions:
- Tailscale on VPS: container or no? Obviously, if I can’t install it locally, I’ll put it in a container
- How to I configure a container to use these 2 networks? I’m fairily good on getting the cloudflare part working. The TS part is new to me, and all the documentation I’ve seen doesn’t really cover other containers using the tailnet.
- Am I overthinking this? If I put these services on tailnet alone, will the cloudflare tunnel… tunnel back and forth to/from clients not on tailnet?