Comment by domh

24 days ago

I use Tailscale for a bunch of self-hosted services on a Raspberry Pi in my house. Port numbers and TLS certs are my current main problems with this setup, but it's not annoyed me quite enough yet to do anything about it.

BTW why bother with TLS over already-encrypted and authenticated Wireguard tunnels? Is this just so that browsers won't complain, or do you have a more complex threat model?

  • Sorry for the late reply, exactly that yeah - so the browser doesn't complain. I'm not worried about the security of HTTP over WireGuard or anything like that. And domain names are easier to remember than ports so... http://raspberrypi:8123/ vs homeassistant.raspberrypi.local (or something)

> I use Tailscale...Port numbers and TLS certs are my current main problems with this setup

I've been running a Tailscale container, using the `tailscale serve` feature[0], as a sidecar for each containerized service I want to access. External access, TLS (to make my browser happy), and domain names all come for almost free. This allows me to set up `https://my-cool-service.lemur-pangolin.ts.net` with relative ease.

There's a ton of boilerplate, which drives me a bit nuts. But at least copy/paste is easy to do. Looking just now I have 31 Tailscale containers running that are almost duplicates of each other. You could probably do config generation but for a homelab I'm not motivated to really do that.

The command line interface for this tool is a little bit limited and forces you to share the network stack between your service and the sidecar. I would recommend injecting a config file into each container to give you full flexibility. I put up an example config on pastebin[1].

---

[0] https://tailscale.com/kb/1242/tailscale-serve

[1] https://pastebin.com/raw/PSgLqS0T
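One way to wire up such a sidecar, as an added example that is not the commenter's pastebin config: a single compose file per service, with the serve config injected as a file so the proxy target can be another container instead of sharing the network stack. It assumes the official `tailscale/tailscale` image's `TS_AUTHKEY`, `TS_STATE_DIR` and `TS_SERVE_CONFIG` variables, Docker Compose's inline `configs: content:` support, and constructed names (`homeassistant`, port 8123, the `lemur-pangolin.ts.net` tailnet from the comment above).

```yaml
# docker-compose.yml: one Tailscale sidecar per service (constructed example).
# The service publishes no ports on the host; it is reachable only over the
# tailnet, via the sidecar, as https://homeassistant.lemur-pangolin.ts.net
services:
  homeassistant:
    image: homeassistant/home-assistant:stable   # assumed image name
    # no "ports:" here on purpose: nothing is exposed on the LAN

  ts-homeassistant:
    image: tailscale/tailscale:latest
    hostname: homeassistant            # node name -> homeassistant.<tailnet>.ts.net
    environment:
      TS_AUTHKEY: ${TS_AUTHKEY}        # pre-authorised, tagged key from the admin console
      TS_STATE_DIR: /var/lib/tailscale # persist node identity across restarts
      TS_SERVE_CONFIG: /config/serve.json
    volumes:
      - ts-homeassistant-state:/var/lib/tailscale
    configs:
      - source: serve-homeassistant
        target: /config/serve.json
    depends_on:
      - homeassistant

configs:
  serve-homeassistant:
    # Equivalent of `tailscale serve`, but the proxy target is the service
    # container's name on the compose network, not localhost, so the two
    # containers keep separate network namespaces. The "Web" key must match
    # the node's MagicDNS name; tailscaled issues the TLS cert for it.
    content: |
      {
        "TCP": { "443": { "HTTPS": true } },
        "Web": {
          "homeassistant.lemur-pangolin.ts.net:443": {
            "Handlers": { "/": { "Proxy": "http://homeassistant:8123" } }
          }
        }
      }

volumes:
  ts-homeassistant-state:
```

Each additional service is a copy of the `ts-*` block and its config with the names and port changed, which is the boilerplate the comment above refers to.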

Lots of options to proxy and provide automation for certs. I'm personally a huge fan of Traefik, but I know a lot of folks use NPM since it's so simple and Nginx has great performance overall.