TSDProxy: proxy for Tailscale containers

Currently trying to get this working. Seems like a good thing to help people keep their services behind Tailscale with certs. You don’t need a Tailscale sidecar container for each service.

So, if you get this set up right you can have URLs like:

https://jellyfin.TAILSCALENAME.ts.net
https://immich.TAILSCALENAME.ts.net

You won’t get those scary self-signed certificate warnings, either. After you get some family members on your Tailnet, there will be much less friction when they use your services.

Has anybody tried this yet?

I’ve got it working with Jellyfin but not Immich. If someone figures out how to get it working with Immich, please lmk.

Hello!
Would you mind posting your config here? I’d like to compare with mine.

I have tried getting it working with Jellyfin and some other dummy services with Yunohost but I haven’t had any luck yet.

I was able to get it working for Immich too.
A couple of pointers:

  • Jellyfin has an option to enable remote connections, which you must do on the LAN version first in order for the tsdproxy/Tailscale URL to work.
  • Before running Immich with tsdproxy, make sure you are running Immich completely from scratch, i.e. delete your upload and db folders so that it needs to recreate them.

Here is my config:

---
services:

  ## tsdproxy
  tsdproxy:
    image: almeidapaulopt/tsdproxy:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - datadir:/data
      - /home/gleb/tsdproxy:/config
    restart: unless-stopped
  
  ## Jellyfin
  jellyfin:
    image: jellyfin/jellyfin
    container_name: jellyfin
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/gleb/jellyfin/config:/config
      - /home/gleb/jellyfin/cache:/cache
      - /mnt/media1:/media
    labels:
      tsdproxy.enable: true
      tsdproxy.name: jellyfin
      tsdproxy.container_port: 8096 
    restart: unless-stopped

  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    # extends:
    #   file: hwaccel.transcoding.yml
    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      # Do not edit the next line. If you want to change the media storage location on your system, edit the value of UPLOAD_LOCATION in the .env file
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    labels:
      tsdproxy.enable: true
      tsdproxy.name: immich-server
    env_file:
      - .env
    ports:
      - '2283:2283'
    depends_on:
      - redis
      - database
    restart: always
    healthcheck:
      disable: false

  immich-machine-learning:
    container_name: immich_machine_learning
    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
    # Example tag: ${IMMICH_VERSION:-release}-cuda
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
    #   file: hwaccel.ml.yml
    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
    volumes:
      - model-cache:/cache
    env_file:
      - .env
    restart: always
    healthcheck:
      disable: false

  redis:
    container_name: immich_redis
    image: docker.io/redis:6.2-alpine@sha256:eaba718fecd1196d88533de7ba49bf903ad33664a92debb24660a922ecd9cac8
    healthcheck:
      test: redis-cli ping || exit 1
    restart: always

  database:
    container_name: immich_postgres
    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_INITDB_ARGS: '--data-checksums'
    volumes:
      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    healthcheck:
      test: pg_isready --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' || exit 1; Chksum="$$(psql --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
      interval: 5m
      start_interval: 30s
      start_period: 5m
    command:
      [
        'postgres',
        '-c',
        'shared_preload_libraries=vectors.so',
        '-c',
        'search_path="$$user", public, vectors',
        '-c',
        'logging_collector=on',
        '-c',
        'max_wal_size=2GB',
        '-c',
        'shared_buffers=512MB',
        '-c',
        'wal_compression=on',
      ]
    restart: always

volumes:
  datadir:
  model-cache:
1 Like
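An added example, not part of any post in this thread: a small audit of the Compose file above for three exposure points it contains (the Docker socket mounted into app containers, a host port published on a service that is already proxied, and images without a pinned tag or digest). It assumes TSDProxy only needs the socket in its own container to read labels; `audit`, `SAMPLE` and the finding names are hypothetical, and the sample is a constructed, trimmed copy of the posted services.

```python
DOCKER_SOCK = "/var/run/docker.sock"

# Constructed sample mirroring the posted config (digest replaced by a placeholder).
SAMPLE = {"services": {
    "tsdproxy": {"image": "almeidapaulopt/tsdproxy:latest",
                 "volumes": [f"{DOCKER_SOCK}:{DOCKER_SOCK}", "datadir:/data"]},
    "jellyfin": {"image": "jellyfin/jellyfin",
                 "volumes": [f"{DOCKER_SOCK}:{DOCKER_SOCK}", "/mnt/media1:/media"],
                 "labels": {"tsdproxy.enable": True, "tsdproxy.name": "jellyfin",
                            "tsdproxy.container_port": 8096}},
    "immich-server": {"image": "ghcr.io/immich-app/immich-server:release",
                      "volumes": [f"{DOCKER_SOCK}:{DOCKER_SOCK}"],
                      "labels": ["tsdproxy.enable=true", "tsdproxy.name=immich-server"],
                      "ports": ["2283:2283"]},
    "redis": {"image": "docker.io/redis:6.2-alpine@sha256:<digest>"},
}}

def _source(vol):
    # Short form "src:dst[:mode]" or long form {"source": ..., "target": ...}.
    return vol.get("source", "") if isinstance(vol, dict) else str(vol).split(":")[0]

def _labels(svc):
    labels = svc.get("labels") or {}
    if isinstance(labels, list):  # list form: ["key=value", ...]
        labels = dict(item.partition("=")[::2] for item in labels)
    return {k: str(v).lower() for k, v in labels.items()}

def _floating(image):
    # True when the image has neither a digest nor a tag other than "latest".
    if not image or "@sha256:" in image:
        return False
    name = image.rsplit("/", 1)[-1]
    return ":" not in name or name.endswith(":latest")

def audit(compose, proxy="tsdproxy"):
    findings = []
    for name, svc in compose.get("services", {}).items():
        proxied = _labels(svc).get("tsdproxy.enable") == "true"
        # Docker API access from an app container is root-equivalent on the host.
        if name != proxy and DOCKER_SOCK in map(_source, svc.get("volumes", [])):
            findings.append((name, "docker-socket"))
        # A published port is bound on the host's interfaces, not only the tailnet.
        if proxied and svc.get("ports"):
            findings.append((name, "published-host-port"))
        if _floating(svc.get("image", "")):
            findings.append((name, "floating-image-tag"))
    return findings

if __name__ == "__main__":
    for service, issue in audit(SAMPLE):
        print(f"{service}: {issue}")
```

To run it on a real project, load the output of `docker compose config --format json` with `json.load` and pass the resulting dict to `audit`.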

I got a good setup going now too but I’m having difficulty making multiple servers work together.

VPS server:
tsdproxy working there with local containers

YunoHost server on local LAN:
can’t get VPS TSDProxy to find my Docker containers there.

Have you tried out that feature?