Home
Jeff Clement edited this page 2024-04-09 17:00:10 +00:00
Some notes on my collection of Docker files.

Typically my approach is:

- Self-contained. Each compose file contains everything it needs, including a database server. To heck with memory!
- Store all data in a `./data` folder under each container. This makes it easy to move a container between hosts.
- Network connectivity is either:
  - Tailnet-only (exposed on Tailscale)
  - Public-facing via Cloudflare Tunnel
  - A mix: Tailnet-only, with some part of the URL space exposed publicly (see the n8n example)
## Notes on Tailnet-only services

```env
# Tailscale authorization key
TS_AUTHKEY=tskey-auth-
# Tailscale tailnet node name
TS_NAME=git
# Tailnet DNS suffix (see the MagicDNS settings of your tailnet)
TS_SUFFIX=???.ts.net
```
The setup is fairly obvious. I'm using Caddy to set up TLS for my tailnet-only service. Tailnet communication is already protected, but it's nice having a TLS certificate for services rather than having to fight the browser to connect to an HTTP-only service. Caddy requests the certificate for the `*.ts.net` name from tailscaled over its local socket, which is why `./data/tailscaled.run` is mounted into both containers.

```yaml
services:
  tailscale:
    hostname: ${TS_NAME}
    image: tailscale/tailscale
    volumes:
      - ./data/tailscale:/tailscale
      - /dev/net/tun:/dev/net/tun
      - ./data/tailscaled.run:/tmp          # tailscaled.sock lives in /tmp inside the image
    cap_add:
      - net_admin
      - sys_module
    environment:
      TS_AUTHKEY: ${TS_AUTHKEY}
      TS_AUTH_ONCE: "true"                  # quoted: compose rejects a bare boolean in an environment map
      TS_STATE_DIR: /tailscale
    restart: unless-stopped
  caddy:
    image: caddy:alpine
    network_mode: service:tailscale         # share the tailscale container's network namespace
    volumes:
      - ./data/caddy_data:/data
      - ./data/tailscaled.run:/var/run/tailscale   # tailscaled socket, used by Caddy to fetch the certificate
    depends_on:
      - tailscale
      - server
    command: ["caddy", "reverse-proxy", "--from", "${TS_NAME}.${TS_SUFFIX}", "--to", "server:3000"]
    restart: unless-stopped
  server:
    # server exposes HTTP service on port 3000 (or change above). Requires mapping on the Cloudflare side.
```
## Notes on public-facing services

```env
TUNNEL_TOKEN= # token from the Cloudflare Tunnel
```

```yaml
services:
  tunnel:
    image: cloudflare/cloudflared
    command: tunnel --no-autoupdate run
    restart: unless-stopped
    environment:
      TUNNEL_TOKEN: $TUNNEL_TOKEN
    networks:
      - backend
    depends_on:
      - server
  server:
    # server exposes HTTP service; cloudflared reaches it over the backend network, so no host ports are published
    networks:
      - backend

networks:
  backend: {}
```
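The variable names in the `.env` file and the compose file drift apart easily (a `${TAILNET_NAME}` in the compose file that the `.env` never defines silently becomes an empty string), and a stray `ports:` key would publish a tailnet-only service on the host. The following stdlib-only checker catches both; it is an added example, not part of this page, and the `.env` and compose text inside it are constructed samples.

```python
import re
# Constructed sample .env and compose text (not the page's files). The compose
# references TAILNET_NAME, which the .env never defines, and publishes a port.
SAMPLE_ENV = """\
# Tailscale authorization key
TS_AUTHKEY=tskey-auth-EXAMPLE
TS_NAME=git
TS_SUFFIX=???.ts.net
"""

SAMPLE_COMPOSE = """\
services:
  tailscale:
    hostname: ${TAILNET_NAME}
    environment:
      TS_AUTHKEY: ${TS_AUTHKEY}
  caddy:
    command: ["caddy", "reverse-proxy", "--from", "${TS_NAME}.${TS_SUFFIX}", "--to", "server:3000"]
  server:
    ports:
      - "3000:3000"
"""

# Matches ${VAR}, ${VAR:-default} and bare $VAR; a doubled $$ is compose's escape, not a reference.
VAR_REF = re.compile(r"(?<!\$)\$(?:\{([A-Za-z_]\w*)[^}]*\}|([A-Za-z_]\w*))")

def parse_env(env_text):
    """Return KEY -> value for an .env file, skipping blank and comment lines."""
    env = {}
    for line in env_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def undefined_vars(compose_text, env_text):
    """Variables the compose file substitutes but the .env never defines."""
    referenced = {m.group(1) or m.group(2) for m in VAR_REF.finditer(compose_text)}
    return sorted(referenced - set(parse_env(env_text)))

def placeholder_vars(env_text):
    """Variables left blank or still carrying a ??? placeholder."""
    return sorted(k for k, v in parse_env(env_text).items() if not v or "???" in v)

def published_ports(compose_text):
    """Line numbers of ports: keys; a tailnet-only stack should have none."""
    lines = compose_text.splitlines()
    return [n for n, line in enumerate(lines, 1) if line.strip() == "ports:"]
```

`docker compose config` also warns about unset variables, but it needs Docker on the machine; this runs anywhere Python does and additionally flags leftover placeholders and published ports.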