From 745624b87bf083903710e9c139aca4a88f7c8415 Mon Sep 17 00:00:00 2001
From: Michael H
Date: Sun, 5 Apr 2026 17:27:21 +0100
Subject: [PATCH 01/24] compose.yml and .env added to paperless service.
---
services/paperless/.env | 25 ++++++++
services/paperless/compose.yml | 103 +++++++++++++++++++++++++++++++++
2 files changed, 128 insertions(+)
create mode 100644 services/paperless/.env
create mode 100644 services/paperless/compose.yml
diff --git a/services/paperless/.env b/services/paperless/.env
new file mode 100644
index 00000000..924a89b4
--- /dev/null
+++ b/services/paperless/.env
@@ -0,0 +1,25 @@
+#version=1.1
+#URL=https://github.com/tailscale-dev/ScaleTail
+#COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure.
+
+# Service Configuration
+SERVICE=paperless
+IMAGE_URL=ghcr.io/paperless-ngx/paperless-ngx:latest
+
+# Network Configuration
+SERVICEPORT=80
+DNS_SERVER=9.9.9.9
+
+# Tailscale Configuration
+TS_AUTHKEY=
+
+# Optional Service variables
+# PUID=1000
+
+PAPERLESS_TIME_ZONE=Europe/London
+PAPERLESS_OCR_LANGUAGE=eng
+PAPERLESS_SECRET_KEY='change this to any random sting' #https://docs.paperless-ngx.com/configuration/#PAPERLESS_SECRET_KEY
+PAPERLESS_ADMIN_USER=admin
+PAPERLESS_ADMIN_PASSWORD=changeme
+POSTGRES_USER=paperless
+POSTGRES_PASSWORD=paperless
diff --git a/services/paperless/compose.yml b/services/paperless/compose.yml
new file mode 100644
index 00000000..9ccfe422
--- /dev/null
+++ b/services/paperless/compose.yml
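Review bot: `PAPERLESS_ADMIN_PASSWORD=changeme` and `POSTGRES_PASSWORD=paperless` at the end of the new `.env` are working defaults, so a stack started without editing the file comes up with a publicly known admin login reachable from every device on the tailnet. Leaving both values empty, as the file already does for `TS_AUTHKEY=`, forces the operator to choose them, and a line such as `# Required: set unique random values before first start` above them would say so. `PAPERLESS_SECRET_KEY` has the same problem, because its placeholder sentence is itself a usable key (and reads "sting" for "string"). `IMAGE_URL` also tracks `:latest`, so the deployed version cannot be reproduced from this file.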
@@ -0,0 +1,103 @@ +configs: + ts-serve: + content: | + {"TCP":{"443":{"HTTPS":true}}, + "Web":{"$${TS_CERT_DOMAIN}:443": + {"Handlers":{"/": + {"Proxy":"http://127.0.0.1:80"}}}}, + "AllowFunnel":{"$${TS_CERT_DOMAIN}:443":false}} + +services: +# Make sure you have updated/checked the .env file with the correct variables. +# All the ${ xx } need to be defined there. + # Tailscale Sidecar Configuration + tailscale: + image: tailscale/tailscale:latest # Image to be used + container_name: tailscale-${SERVICE} # Name for local container management + hostname: ${SERVICE} # Name used within your Tailscale environment + environment: + - TS_AUTHKEY=${TS_AUTHKEY} + - TS_STATE_DIR=/var/lib/tailscale + - TS_SERVE_CONFIG=/config/serve.json # Tailscale Serve configuration to expose the web interface on your local Tailnet - remove this line if not required + - TS_USERSPACE=false + - TS_ENABLE_HEALTH_CHECK=true # Enable healthcheck endpoint: "/healthz" + - TS_LOCAL_ADDR_PORT=127.0.0.1:41234 # The : for the healthz endpoint + #- TS_ACCEPT_DNS=true # Uncomment when using MagicDNS + - TS_AUTH_ONCE=true + configs: + - source: ts-serve + target: /config/serve.json + volumes: + - ./config:/config # Config folder used to store Tailscale files - you may need to change the path + - ./ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path + devices: + - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work + cap_add: + - net_admin # Tailscale requirement + #ports: + # - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your Tailnet is required + # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below + # dns: + # - ${DNS_SERVER} + healthcheck: + test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational + interval: 1m # How often to perform the check + timeout: 10s 
# Time to wait for the check to succeed + retries: 3 # Number of retries before marking as unhealthy + start_period: 10s # Time to wait before starting health checks + restart: always + + application: + image: ${IMAGE_URL} + network_mode: service:tailscale + container_name: app-${SERVICE} + depends_on: + tailscale: + condition: service_healthy + db: + condition: service_started + broker: + condition: service_started + healthcheck: + test: ["CMD", "pgrep", "-f", "${SERVICE}"] # Check if ${SERVICE} process is running + interval: 1m # How often to perform the check + timeout: 10s # Time to wait for the check to succeed + retries: 3 # Number of retries before marking as unhealthy + start_period: 30s # Time to wait before starting health checks + restart: always + volumes: + - data:/usr/src/paperless/data + - media:/usr/src/paperless/media + - ./${SERVICE}-export/export:/usr/src/paperless/export + - ./${SERVICE}-consume/consume:/usr/src/paperless/consume + environment: + PAPERLESS_TIME_ZONE: ${PAPERLESS_TIME_ZONE} + PAPERLESS_OCR_LANGUAGE: ${PAPERLESS_OCR_LANGUAGE} + PAPERLESS_SECRET_KEY: ${PAPERLESS_SECRET_KEY} + PAPERLESS_PORT: 80 + PAPERLESS_PROXY_SSL_HEADER: '["HTTP_X_FORWARDED_PROTO", "https"]' + PAPERLESS_ADMIN_USER: ${PAPERLESS_ADMIN_USER} + PAPERLESS_ADMIN_PASSWORD: ${PAPERLESS_ADMIN_PASSWORD} + PAPERLESS_REDIS: redis://broker:6379 + PAPERLESS_DBHOST: db + db: + image: docker.io/library/postgres:18 + container_name: app-${SERVICE}-db # Name for local container management + restart: always + volumes: + - pgdata:/var/lib/postgresql + environment: + POSTGRES_DB: paperless + POSTGRES_USER: ${POSTGRES_USER} + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} + broker: + image: docker.io/library/redis:8 + container_name: app-${SERVICE}-broker # Name for local container management + restart: always + volumes: + - redisdata:/data +volumes: + data: + media: + pgdata: + redisdata: From ed87cd33c264ef2e9d6b1f22f59324e0741b4610 Mon Sep 17 00:00:00 2001 
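Review bot: `PAPERLESS_PROXY_SSL_HEADER` in the `application` environment makes Paperless trust `X-Forwarded-Proto` from whatever connects to port 80, which is only sound while Tailscale Serve on 127.0.0.1 is the sole client. The commented `ports:` entry in the `tailscale` service binds `0.0.0.0:${SERVICEPORT}` and `.env` sets `SERVICEPORT=80`, so uncommenting it puts that same plain-HTTP listener on the LAN, where any client can send the header itself. I would say so next to the `ports:` lines, e.g. `# Exposes plain HTTP to the LAN and bypasses Tailscale Serve; X-Forwarded-Proto is then client-controlled`. Separately, `tailscale/tailscale:latest` is unpinned while `postgres:18` and `redis:8` carry a major-version tag; a fixed tag there would be consistent.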
From: Michael H Date: Sun, 5 Apr 2026 17:36:32 +0100 Subject: [PATCH 02/24] Include paperless service README --- services/paperless/README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 services/paperless/README.md diff --git a/services/paperless/README.md b/services/paperless/README.md new file mode 100644 index 00000000..c41e6105 --- /dev/null +++ b/services/paperless/README.md @@ -0,0 +1,12 @@ +# Paperless-ngx with Tailscale Sidecar Configuration + +This Docker Compose configuration sets up [Paperless-ngx](https://docs.paperless-ngx.com/) with Tailscale as a sidecar container to securely deliver push notifications over a private Tailscale network. By integrating Tailscale in a sidecar configuration, you enhance the privacy and security of your ntfy instance, ensuring it is only accessible within your Tailscale network. + +## ntfy + +[Paperless-ngx](https://docs.paperless-ngx.com) is a community-supported open-source document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper. +## Configuration Overview + +In this setup, the `tailscale-paperless` service runs the Tailscale daemon to provide secure, private networking. The `paperless` service is configured to use Tailscale’s network stack via Docker’s `network_mode: service:` syntax. This binds Paperless network interface to the Tailscale container, making the service available only through your Tailscale network (or locally, if needed). + +This architecture is ideal for self-hosters who want to send and receive notifications from anywhere without exposing Paperless-ngx to the internet, maintaining both ease of access and strict privacy controls. From 8ae55d89ef43dda0b14d622a3fadbca04e811690 Mon Sep 17 00:00:00 2001 From: Michael H Date: Sun, 5 Apr 2026 17:45:26 +0100 Subject: [PATCH 03/24] Error paperless service README --- services/paperless/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/services/paperless/README.md b/services/paperless/README.md index c41e6105..a25f63ff 100644 --- a/services/paperless/README.md +++ b/services/paperless/README.md @@ -2,7 +2,7 @@ This Docker Compose configuration sets up [Paperless-ngx](https://docs.paperless-ngx.com/) with Tailscale as a sidecar container to securely deliver push notifications over a private Tailscale network. By integrating Tailscale in a sidecar configuration, you enhance the privacy and security of your ntfy instance, ensuring it is only accessible within your Tailscale network. -## ntfy +## Paperless-ngx [Paperless-ngx](https://docs.paperless-ngx.com) is a community-supported open-source document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper. ## Configuration Overview From 822a8dfa07fea4d7fdd501cf6b58dc80ff18fab7 Mon Sep 17 00:00:00 2001 From: Michael H Date: Mon, 6 Apr 2026 16:34:03 +0100 Subject: [PATCH 04/24] Add PUID, GUID to environment. Align environment variables with template format --- services/paperless/compose.yml | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/services/paperless/compose.yml b/services/paperless/compose.yml index 9ccfe422..2972e016 100644 --- a/services/paperless/compose.yml +++ b/services/paperless/compose.yml 
@@ -71,15 +71,18 @@ services: - ./${SERVICE}-export/export:/usr/src/paperless/export - ./${SERVICE}-consume/consume:/usr/src/paperless/consume environment: - PAPERLESS_TIME_ZONE: ${PAPERLESS_TIME_ZONE} - PAPERLESS_OCR_LANGUAGE: ${PAPERLESS_OCR_LANGUAGE} - PAPERLESS_SECRET_KEY: ${PAPERLESS_SECRET_KEY} - PAPERLESS_PORT: 80 - PAPERLESS_PROXY_SSL_HEADER: '["HTTP_X_FORWARDED_PROTO", "https"]' - PAPERLESS_ADMIN_USER: ${PAPERLESS_ADMIN_USER} - PAPERLESS_ADMIN_PASSWORD: ${PAPERLESS_ADMIN_PASSWORD} - PAPERLESS_REDIS: redis://broker:6379 - PAPERLESS_DBHOST: db + - PUID=1000 + - PGID=1000 + - TZ=Europe/Amsterdam + - PAPERLESS_TIME_ZONE=${PAPERLESS_TIME_ZONE} + - PAPERLESS_OCR_LANGUAGE=${PAPERLESS_OCR_LANGUAGE} + - PAPERLESS_SECRET_KEY=${PAPERLESS_SECRET_KEY} + - PAPERLESS_PORT=80 + - PAPERLESS_PROXY_SSL_HEADER=["HTTP_X_FORWARDED_PROTO", "https"] + - PAPERLESS_ADMIN_USER=${PAPERLESS_ADMIN_USER} + - PAPERLESS_ADMIN_PASSWORD=${PAPERLESS_ADMIN_PASSWORD} + - PAPERLESS_REDIS=redis://broker:6379 + - PAPERLESS_DBHOST=db db: image: docker.io/library/postgres:18 container_name: app-${SERVICE}-db # Name for local container management @@ -87,15 +90,22 @@ services: volumes: - pgdata:/var/lib/postgresql environment: - POSTGRES_DB: paperless - POSTGRES_USER: ${POSTGRES_USER} - POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} + - PUID=1000 + - PGID=1000 + - TZ=Europe/Amsterdam + - POSTGRES_DB=paperless + - POSTGRES_USER=${POSTGRES_USER} + - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} broker: image: docker.io/library/redis:8 container_name: app-${SERVICE}-broker # Name for local container management restart: always volumes: - redisdata:/data + environment: + - PUID=1000 + - PGID=1000 + - TZ=Europe/Amsterdam volumes: data: media: From 24686d6c2c1dc1728c6146f5414c9acace125dc8 Mon Sep 17 00:00:00 2001 
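Review bot: The `PUID=1000` / `PGID=1000` entries added to `application`, and in the second hunk to `db` and `broker`, are probably not read by any of these images: Paperless-ngx documents `USERMAP_UID` / `USERMAP_GID`, and as far as I know the official postgres and redis images have no such variables. The lines therefore suggest the containers run as UID 1000 when they keep their image defaults. I would use `- USERMAP_UID=1000` and `- USERMAP_GID=1000` on `application` and drop the pair from `db` and `broker`. `- TZ=Europe/Amsterdam` is also hard-coded in all three services although `.env` sets `PAPERLESS_TIME_ZONE=Europe/London`. Both hunks begin and end inside service definitions that continue outside them.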
From: Michael H Date: Mon, 6 Apr 2026 21:35:14 +0100 Subject: [PATCH 05/24] Remove volumes and incorporate the local storage principle as outlined in templates. --- services/paperless/compose.yml | 17 ++++++----------- 1 file changed, 6 insertions(+), 11 deletions(-) diff --git a/services/paperless/compose.yml b/services/paperless/compose.yml index 2972e016..9b5b125b 100644 --- a/services/paperless/compose.yml +++ b/services/paperless/compose.yml @@ -66,10 +66,10 @@ services: start_period: 30s # Time to wait before starting health checks restart: always volumes: - - data:/usr/src/paperless/data - - media:/usr/src/paperless/media - - ./${SERVICE}-export/export:/usr/src/paperless/export - - ./${SERVICE}-consume/consume:/usr/src/paperless/consume + - ./${SERVICE}-data/data:/usr/src/paperless/data + - ./${SERVICE}-data/media:/usr/src/paperless/media + - ./${SERVICE}-data/export:/usr/src/paperless/export + - ./${SERVICE}-data/consume:/usr/src/paperless/consume environment: - PUID=1000 - PGID=1000 @@ -88,7 +88,7 @@ services: container_name: app-${SERVICE}-db # Name for local container management restart: always volumes: - - pgdata:/var/lib/postgresql + - ./${SERVICE}-data/pgdata:/var/lib/postgresql environment: - PUID=1000 - PGID=1000 @@ -101,13 +101,8 @@ services: container_name: app-${SERVICE}-broker # Name for local container management restart: always volumes: - - redisdata:/data + - ./${SERVICE}-data/redisdata:/data environment: - PUID=1000 - PGID=1000 - TZ=Europe/Amsterdam -volumes: - data: - media: - pgdata: - redisdata: From 216de0891639677a9666589f57ce4ee20cc2915d Mon Sep 17 00:00:00 2001 From: Michael H Date: Mon, 6 Apr 2026 21:41:18 +0100 Subject: [PATCH 06/24] Restored comments. --- services/paperless/.env | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/services/paperless/.env b/services/paperless/.env index 924a89b4..d980b989 100644 --- a/services/paperless/.env +++ b/services/paperless/.env 
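Review bot: Replacing the named volumes with `./${SERVICE}-data/...` bind mounts puts the Postgres files and every stored document in the checkout directory, next to `.env`. Docker creates missing bind-mount sources itself, typically root-owned with default permissions, so whether other local users can read the archive now depends on the host's umask and directory layout. A comment above the `application` `volumes:` list would cover it, e.g. `# Host paths: create beforehand with restrictive permissions and keep *-data/ out of version control`. The same applies to the `db` and `broker` hunks that follow; all three sit inside service definitions that continue outside the hunks.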
@@ -3,15 +3,15 @@ #COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure. # Service Configuration -SERVICE=paperless -IMAGE_URL=ghcr.io/paperless-ngx/paperless-ngx:latest +SERVICE=paperless # Service name (e.g., adguard). Used as hostname in Tailscale and for container naming (app-${SERVICE}). +IMAGE_URL=ghcr.io/paperless-ngx/paperless-ngx:latest # Docker image URL from container registry (e.g., adguard/adguard-home). # Network Configuration -SERVICEPORT=80 -DNS_SERVER=9.9.9.9 +SERVICEPORT= # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable. +DNS_SERVER=9.9.9.9 # Preferred DNS server for Tailscale. Uncomment the "dns:" section in compose.yaml to enable. # Tailscale Configuration -TS_AUTHKEY= +TS_AUTHKEY= # Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions. # Optional Service variables # PUID=1000 From 534c6dc27791835123ad47e04ee31634de994230 Mon Sep 17 00:00:00 2001 From: Michael H Date: Mon, 6 Apr 2026 22:10:15 +0100 Subject: [PATCH 07/24] Place TZ in .env --- templates/service-template/.env | 3 +++ 1 file changed, 3 insertions(+) diff --git a/templates/service-template/.env b/templates/service-template/.env index 5673aa7c..6d18cc53 100644 --- a/templates/service-template/.env +++ b/templates/service-template/.env @@ -15,3 +15,6 @@ TS_AUTHKEY= # Auth key from https://tailscale.com/admin/authkeys. See: https://t # Optional Service variables # PUID=1000 + +# Time Zone for container +TZ=Europe/Amsterdam # See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones From 242a5e2a1f381c12d93ee9f62ccc4cb077f3b691 Mon Sep 17 00:00:00 2001 From: Michael H Date: Mon, 6 Apr 2026 22:11:14 +0100 Subject: [PATCH 08/24] Add TZ variable to environment. --- templates/service-template/compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/templates/service-template/compose.yaml b/templates/service-template/compose.yaml index f669ba2f..28ec95fb 100644 --- a/templates/service-template/compose.yaml +++ b/templates/service-template/compose.yaml @@ -55,7 +55,7 @@ services: environment: - PUID=1000 - PGID=1000 - - TZ=Europe/Amsterdam + - TZ=${TZ} volumes: - ./${SERVICE}-data/app/config:/config depends_on: From e853e86ed71c3f3db5d0ef417d4c45e4e7757f54 Mon Sep 17 00:00:00 2001 From: Michael H Date: Mon, 6 Apr 2026 22:47:36 +0100 Subject: [PATCH 09/24] Revert "Restored comments." This reverts commit 216de0891639677a9666589f57ce4ee20cc2915d. --- services/paperless/.env | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/services/paperless/.env b/services/paperless/.env index d980b989..924a89b4 100644 --- a/services/paperless/.env +++ b/services/paperless/.env @@ -3,15 +3,15 @@ #COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure. # Service Configuration -SERVICE=paperless # Service name (e.g., adguard). Used as hostname in Tailscale and for container naming (app-${SERVICE}). -IMAGE_URL=ghcr.io/paperless-ngx/paperless-ngx:latest # Docker image URL from container registry (e.g., adguard/adguard-home). +SERVICE=paperless +IMAGE_URL=ghcr.io/paperless-ngx/paperless-ngx:latest # Network Configuration -SERVICEPORT= # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable. -DNS_SERVER=9.9.9.9 # Preferred DNS server for Tailscale. Uncomment the "dns:" section in compose.yaml to enable. +SERVICEPORT=80 +DNS_SERVER=9.9.9.9 # Tailscale Configuration -TS_AUTHKEY= # Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions. +TS_AUTHKEY= # Optional Service variables # PUID=1000 From 5fb8e45c645b9a7c66be33e90bd9ed054662d8b5 Mon Sep 17 00:00:00 2001 
From: Michael H Date: Mon, 6 Apr 2026 22:59:28 +0100 Subject: [PATCH 10/24] Restore Comments --- services/paperless/.env | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/services/paperless/.env b/services/paperless/.env index 924a89b4..d980b989 100644 --- a/services/paperless/.env +++ b/services/paperless/.env @@ -3,15 +3,15 @@ #COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure. # Service Configuration -SERVICE=paperless -IMAGE_URL=ghcr.io/paperless-ngx/paperless-ngx:latest +SERVICE=paperless # Service name (e.g., adguard). Used as hostname in Tailscale and for container naming (app-${SERVICE}). +IMAGE_URL=ghcr.io/paperless-ngx/paperless-ngx:latest # Docker image URL from container registry (e.g., adguard/adguard-home). # Network Configuration -SERVICEPORT=80 -DNS_SERVER=9.9.9.9 +SERVICEPORT= # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable. +DNS_SERVER=9.9.9.9 # Preferred DNS server for Tailscale. Uncomment the "dns:" section in compose.yaml to enable. # Tailscale Configuration -TS_AUTHKEY= +TS_AUTHKEY= # Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions. # Optional Service variables # PUID=1000 From d424bcae8fc9ef512713af51f9f5f13343d1981b Mon Sep 17 00:00:00 2001 From: Michael H Date: Tue, 7 Apr 2026 10:03:38 +0100 Subject: [PATCH 11/24] Revert --- README.md | 7 +++++++ services/paperless/.env | 10 +++++----- services/paperless/compose.yml | 17 ++++++----------- 3 files changed, 18 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 7644830d..973d066f 100644 --- a/README.md +++ b/README.md 
@@ -40,11 +40,18 @@ ScaleTail provides ready-to-run [Docker Compose](https://docs.docker.com/compose docker compose up -d ``` +## Contributors + +A huge thank you to all our contributors! ScaleTail wouldn’t be what it is today without your time, effort, and ideas! + +[![Contributors](https://contrib.rocks/image?repo=tailscale-dev/scaletail)](https://github.com/tailscale-dev/scaletail/graphs/contributors) + ## Table of Contents - [ScaleTail - Secure Self-Hosting Made Simple](#scaletail---secure-self-hosting-made-simple) - [Featured by Tailscale](#featured-by-tailscale) - [Quick Start](#quick-start) + - [Contributors](#contributors) - [Table of Contents](#table-of-contents) - [Available Configurations](#available-configurations) - [🌐 Networking and Security](#-networking-and-security) diff --git a/services/paperless/.env b/services/paperless/.env index 924a89b4..d980b989 100644 --- a/services/paperless/.env +++ b/services/paperless/.env @@ -3,15 +3,15 @@ #COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure. # Service Configuration -SERVICE=paperless -IMAGE_URL=ghcr.io/paperless-ngx/paperless-ngx:latest +SERVICE=paperless # Service name (e.g., adguard). Used as hostname in Tailscale and for container naming (app-${SERVICE}). +IMAGE_URL=ghcr.io/paperless-ngx/paperless-ngx:latest # Docker image URL from container registry (e.g., adguard/adguard-home). # Network Configuration -SERVICEPORT=80 -DNS_SERVER=9.9.9.9 +SERVICEPORT= # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable. +DNS_SERVER=9.9.9.9 # Preferred DNS server for Tailscale. Uncomment the "dns:" section in compose.yaml to enable. # Tailscale Configuration -TS_AUTHKEY= +TS_AUTHKEY= # Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions. # Optional Service variables # PUID=1000 
diff --git a/services/paperless/compose.yml b/services/paperless/compose.yml index 2972e016..9b5b125b 100644 --- a/services/paperless/compose.yml +++ b/services/paperless/compose.yml @@ -66,10 +66,10 @@ services: start_period: 30s # Time to wait before starting health checks restart: always volumes: - - data:/usr/src/paperless/data - - media:/usr/src/paperless/media - - ./${SERVICE}-export/export:/usr/src/paperless/export - - ./${SERVICE}-consume/consume:/usr/src/paperless/consume + - ./${SERVICE}-data/data:/usr/src/paperless/data + - ./${SERVICE}-data/media:/usr/src/paperless/media + - ./${SERVICE}-data/export:/usr/src/paperless/export + - ./${SERVICE}-data/consume:/usr/src/paperless/consume environment: - PUID=1000 - PGID=1000 @@ -88,7 +88,7 @@ services: container_name: app-${SERVICE}-db # Name for local container management restart: always volumes: - - pgdata:/var/lib/postgresql + - ./${SERVICE}-data/pgdata:/var/lib/postgresql environment: - PUID=1000 - PGID=1000 @@ -101,13 +101,8 @@ services: container_name: app-${SERVICE}-broker # Name for local container management restart: always volumes: - - redisdata:/data + - ./${SERVICE}-data/redisdata:/data environment: - PUID=1000 - PGID=1000 - TZ=Europe/Amsterdam -volumes: - data: - media: - pgdata: - redisdata: From 14d6ab4d5363ad0ea685ecfc4de83e3e84bc6a33 Mon Sep 17 00:00:00 2001 From: Michael H Date: Tue, 7 Apr 2026 19:36:04 +0100 Subject: [PATCH 12/24] Revert changes made to template files. --- templates/service-template/.env | 3 --- templates/service-template/compose.yaml | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/templates/service-template/.env b/templates/service-template/.env index 6d18cc53..5673aa7c 100644 --- a/templates/service-template/.env +++ b/templates/service-template/.env 
@@ -15,6 +15,3 @@ TS_AUTHKEY= # Auth key from https://tailscale.com/admin/authkeys. See: https://t # Optional Service variables # PUID=1000 - -# Time Zone for container -TZ=Europe/Amsterdam # See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones diff --git a/templates/service-template/compose.yaml b/templates/service-template/compose.yaml index 28ec95fb..f669ba2f 100644 --- a/templates/service-template/compose.yaml +++ b/templates/service-template/compose.yaml @@ -55,7 +55,7 @@ services: environment: - PUID=1000 - PGID=1000 - - TZ=${TZ} + - TZ=Europe/Amsterdam volumes: - ./${SERVICE}-data/app/config:/config depends_on: From 3338b809acefe868936b36d12c96d60fd656307f Mon Sep 17 00:00:00 2001 From: Bart <57799908+crypt0rr@users.noreply.github.com> Date: Tue, 7 Apr 2026 21:10:38 +0200 Subject: [PATCH 13/24] Set SERVICEPORT to 80 in .env configuration --- services/paperless/.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/paperless/.env b/services/paperless/.env index d980b989..a9035b4d 100644 --- a/services/paperless/.env +++ b/services/paperless/.env @@ -7,7 +7,7 @@ SERVICE=paperless # Service name (e.g., adguard). Used as hostname in Tailscale IMAGE_URL=ghcr.io/paperless-ngx/paperless-ngx:latest # Docker image URL from container registry (e.g., adguard/adguard-home). # Network Configuration -SERVICEPORT= # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable. +SERVICEPORT=80 # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable. DNS_SERVER=9.9.9.9 # Preferred DNS server for Tailscale. Uncomment the "dns:" section in compose.yaml to enable. # Tailscale Configuration From 082675a863914e68e59bec84dfb1f0febac95199 Mon Sep 17 00:00:00 2001 From: Michael H Date: Tue, 7 Apr 2026 22:14:02 +0100 Subject: [PATCH 14/24] Update to include paperless-ngx --- README.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/README.md b/README.md index 973d066f..d7b78502 100644 --- a/README.md +++ b/README.md @@ -106,6 +106,7 @@ A huge thank you to all our contributors! ScaleTail wouldn’t be what it is tod | 🎶 **Navidrome** | Your Personal Streaming Service self-hosted. | [Details](services/navidrome) | | 🎶 **Swing Music** | A fast, beautiful, self-hosted music streaming server for your local audio library. | [Details](services/swingmx) | | 🎬 **Seerr** | A request management and media discovery tool for Plex, Jellyfin and Emby. | [Details](services/seerr) | +| 📚 **Paperless-ngx** | An open-source document management system that transforms physical documents into a searchable archive. | [Details](services/paperless) | | 🎵 **Picard** | MusicBrainz Picard is a cross-platform music tagger for organizing and tagging music files. | [Details](services/picard) | | 🎬 **Plex** | A media server that organizes video, music, and photos from personal media libraries. | [Details](services/plex) | | 📥 **qBittorrent** | An open-source BitTorrent client. | [Details](services/qbittorrent) | From 6ecf74150326524ccd53644f7190c1560aac56bd Mon Sep 17 00:00:00 2001 From: Bart <57799908+crypt0rr@users.noreply.github.com> Date: Wed, 8 Apr 2026 06:18:36 +0200 Subject: [PATCH 15/24] Update README with Tailscale service configuration Added information about Tailscale integration for secure networking. --- services/paperless/README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/services/paperless/README.md b/services/paperless/README.md index a25f63ff..afd80ebb 100644 --- a/services/paperless/README.md +++ b/services/paperless/README.md 
@@ -5,6 +5,7 @@ This Docker Compose configuration sets up [Paperless-ngx](https://docs.paperless ## Paperless-ngx [Paperless-ngx](https://docs.paperless-ngx.com) is a community-supported open-source document management system that transforms your physical documents into a searchable online archive so you can keep, well, less paper. + ## Configuration Overview In this setup, the `tailscale-paperless` service runs the Tailscale daemon to provide secure, private networking. The `paperless` service is configured to use Tailscale’s network stack via Docker’s `network_mode: service:` syntax. This binds Paperless network interface to the Tailscale container, making the service available only through your Tailscale network (or locally, if needed). From 18f1816fac618250c4fa76c87c27e3d90af1220a Mon Sep 17 00:00:00 2001 From: Michael H Date: Wed, 8 Apr 2026 10:56:27 +0100 Subject: [PATCH 16/24] Add audiobooks, podcasts and metadata volumes. --- services/audiobookshelf/compose.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/services/audiobookshelf/compose.yaml b/services/audiobookshelf/compose.yaml index 94b375af..debb2cb7 100644 --- a/services/audiobookshelf/compose.yaml +++ b/services/audiobookshelf/compose.yaml @@ -58,7 +58,10 @@ services: - TZ=Europe/Amsterdam volumes: - ./${SERVICE}-data/app/config:/config - depends_on: + - ./${SERVICE}-data/app/audiobooks:/audiobooks + - ./${SERVICE}-data/app/podcasts:/podcasts + - ./${SERVICE}-data/app/metadata:/metadata + depends_on: tailscale: condition: service_healthy healthcheck: From d6d5822971547c15f2da547151edd23f140eae00 Mon Sep 17 00:00:00 2001 From: Michael H Date: Wed, 8 Apr 2026 10:57:32 +0100 Subject: [PATCH 17/24] Move TZ environment variable to .env file --- templates/service-template/.env | 3 +++ templates/service-template/compose.yaml | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) 
diff --git a/templates/service-template/.env b/templates/service-template/.env index 5673aa7c..db8ee529 100644 --- a/templates/service-template/.env +++ b/templates/service-template/.env @@ -15,3 +15,6 @@ TS_AUTHKEY= # Auth key from https://tailscale.com/admin/authkeys. See: https://t # Optional Service variables # PUID=1000 + +#Time Zone +TZ=Europe/Amsterdam # See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones diff --git a/templates/service-template/compose.yaml b/templates/service-template/compose.yaml index f669ba2f..28ec95fb 100644 --- a/templates/service-template/compose.yaml +++ b/templates/service-template/compose.yaml @@ -55,7 +55,7 @@ services: environment: - PUID=1000 - PGID=1000 - - TZ=Europe/Amsterdam + - TZ=${TZ} volumes: - ./${SERVICE}-data/app/config:/config depends_on: From 038034817ab593c372853c6102048f72f4c1ac2c Mon Sep 17 00:00:00 2001 From: Michael H Date: Wed, 8 Apr 2026 13:28:30 +0100 Subject: [PATCH 18/24] Fix indentation. --- services/audiobookshelf/compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/audiobookshelf/compose.yaml b/services/audiobookshelf/compose.yaml index debb2cb7..23ea681d 100644 --- a/services/audiobookshelf/compose.yaml +++ b/services/audiobookshelf/compose.yaml @@ -61,7 +61,7 @@ services: - ./${SERVICE}-data/app/audiobooks:/audiobooks - ./${SERVICE}-data/app/podcasts:/podcasts - ./${SERVICE}-data/app/metadata:/metadata - depends_on: + depends_on: tailscale: condition: service_healthy healthcheck: From d15e26002b2f60dd84d6124b065ba0e6c7c668ab Mon Sep 17 00:00:00 2001 From: michaelhodges Date: Thu, 9 Apr 2026 16:50:55 +0100 Subject: [PATCH 19/24] Delete templates/service-template/.env --- templates/service-template/.env | 20 -------------------- 1 file changed, 20 deletions(-) delete mode 100644 templates/service-template/.env diff --git a/templates/service-template/.env b/templates/service-template/.env deleted file mode 100644 index db8ee529..00000000 
--- a/templates/service-template/.env +++ /dev/null @@ -1,20 +0,0 @@ -#version=1.1 -#URL=https://github.com/tailscale-dev/ScaleTail -#COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure. - -# Service Configuration -SERVICE= # Service name (e.g., adguard). Used as hostname in Tailscale and for container naming (app-${SERVICE}). -IMAGE_URL= # Docker image URL from container registry (e.g., adguard/adguard-home). - -# Network Configuration -SERVICEPORT= # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable. -DNS_SERVER=9.9.9.9 # Preferred DNS server for Tailscale. Uncomment the "dns:" section in compose.yaml to enable. - -# Tailscale Configuration -TS_AUTHKEY= # Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions. - -# Optional Service variables -# PUID=1000 - -#Time Zone -TZ=Europe/Amsterdam # See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones From 5b793930d501ff8f06b7203b6de6b6fc54851737 Mon Sep 17 00:00:00 2001 From: michaelhodges Date: Thu, 9 Apr 2026 16:52:31 +0100 Subject: [PATCH 20/24] Create .env --- templates/service-template/.env | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 templates/service-template/.env diff --git a/templates/service-template/.env b/templates/service-template/.env new file mode 100644 index 00000000..5673aa7c --- /dev/null +++ b/templates/service-template/.env 
@@ -0,0 +1,17 @@ +#version=1.1 +#URL=https://github.com/tailscale-dev/ScaleTail +#COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure. + +# Service Configuration +SERVICE= # Service name (e.g., adguard). Used as hostname in Tailscale and for container naming (app-${SERVICE}). +IMAGE_URL= # Docker image URL from container registry (e.g., adguard/adguard-home). + +# Network Configuration +SERVICEPORT= # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable. +DNS_SERVER=9.9.9.9 # Preferred DNS server for Tailscale. Uncomment the "dns:" section in compose.yaml to enable. + +# Tailscale Configuration +TS_AUTHKEY= # Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions. + +# Optional Service variables +# PUID=1000 From 40e1b282c566e21ee77c98dae081d79f0931ddc7 Mon Sep 17 00:00:00 2001 From: michaelhodges Date: Thu, 9 Apr 2026 16:53:18 +0100 Subject: [PATCH 21/24] Update compose.yaml --- templates/service-template/compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/service-template/compose.yaml b/templates/service-template/compose.yaml index 28ec95fb..f669ba2f 100644 --- a/templates/service-template/compose.yaml +++ b/templates/service-template/compose.yaml @@ -55,7 +55,7 @@ services: environment: - PUID=1000 - PGID=1000 - - TZ=${TZ} + - TZ=Europe/Amsterdam volumes: - ./${SERVICE}-data/app/config:/config depends_on: From 460f923be08a26b7a674dae562a782d382eaf30c Mon Sep 17 00:00:00 2001 From: Michael H Date: Sun, 12 Apr 2026 13:45:55 +0100 Subject: [PATCH 22/24] Change service name --- services/tailscale-exit-node/.env | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/services/tailscale-exit-node/.env b/services/tailscale-exit-node/.env index 54e2589c..f5132d48 100644 --- a/services/tailscale-exit-node/.env +++ b/services/tailscale-exit-node/.env 
@@ -3,7 +3,7 @@ #COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure. # Service Configuration -SERVICE=tailscale-exit-node +SERVICE=exit-node IMAGE_URL=tailscale/tailscale # Network Configuration From e075e987e1385e5a6a37d898b239fb75f6b444f4 Mon Sep 17 00:00:00 2001 From: Michael H Date: Sun, 12 Apr 2026 14:01:08 +0100 Subject: [PATCH 23/24] New service Tailscale App Connector --- README.md | 1 + services/tailscale-app-connector-node/.env | 22 ++++++++++++ .../tailscale-app-connector-node/README.md | 16 +++++++++ .../tailscale-app-connector-node/compose.yaml | 36 +++++++++++++++++++ 4 files changed, 75 insertions(+) create mode 100644 services/tailscale-app-connector-node/.env create mode 100644 services/tailscale-app-connector-node/README.md create mode 100644 services/tailscale-app-connector-node/compose.yaml diff --git a/README.md b/README.md index 41a78e10..08ac4362 100644 --- a/README.md +++ b/README.md @@ -90,6 +90,7 @@ A huge thank you to all our contributors! ScaleTail wouldn’t be what it is tod | 🌐 **Rustdesk Server** | RustDesk is an open source remote control alternative for self-hosting and security. | [Details](services/rustdesk-server)| | 🔒 **Technitium DNS** | An open-source DNS server that can be used for self-hosted DNS services. | [Details](services/technitium) | | 🌐 **Traefik** | A modern reverse proxy and load balancer for microservices. | [Details](services/traefik) | +| 🌐 **Tailscale App Connector Node** | Configure a device to act as a App connector node for your Tailscale network. | [Details](services/tailscale-app-connector-node) | | 🚀 **Tailscale Exit Node** | Configure a device to act as an exit node for your Tailscale network. | [Details](services/tailscale-exit-node) | | 🌐 **Tailscale Subnet Router Node** | Configure a device to act as a subnet router node for your Tailscale network. | [Details](services/tailscale-subnet-router-node) | 
diff --git a/services/tailscale-app-connector-node/.env b/services/tailscale-app-connector-node/.env
new file mode 100644
index 00000000..5af49d0d
--- /dev/null
+++ b/services/tailscale-app-connector-node/.env
@@ -0,0 +1,22 @@
+#version=1.1
+#URL=https://github.com/tailscale-dev/ScaleTail
+#COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure.
+
+# Service Configuration
+SERVICE=subnet-router
+IMAGE_URL=tailscale/tailscale
+
+# Network Configuration
+SERVICEPORT= # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable.
+DNS_SERVER=9.9.9.9
+
+# Tailscale Configuration
+TS_AUTHKEY=tskey-auth-kDq2WKjSD411CNTRL-cL4SYEvo1dZfZfED2Mc5dZXm1vUqN1jp9
+
+# Optional Service variables
+# PUID=1000
+
+#Time Zone setting for containers
+TZ=Europe/Amsterdam # See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+
+# Any Container environment variables are declared below. See https://docs.docker.com/compose/how-tos/environment-variables/
diff --git a/services/tailscale-app-connector-node/README.md b/services/tailscale-app-connector-node/README.md
new file mode 100644
index 00000000..e53d8e55
--- /dev/null
+++ b/services/tailscale-app-connector-node/README.md
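Review bot: The `TS_AUTHKEY=` line of this new `.env` carries what looks like a real `tskey-auth-…` credential instead of the empty placeholder the service template uses. PATCH 24/24 blanks the line, but the value stays in this commit and in every copy of the patch series, so blanking it does not contain the exposure. The key should be revoked in the Tailscale admin console and the series squashed or rewritten so the commit that introduces it never lands. The file should ship with `TS_AUTHKEY=` from its first commit. `SERVICE=subnet-router` in the same hunk looks like a copy-paste leftover and would register the node under the wrong hostname until PATCH 24/24.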
@@ -0,0 +1,16 @@
+# Tailscale App Connector Node Configuration
+
+This Docker Compose configuration sets up a Tailscale an App Connector Node, allowing devices in your Tailscale network to route their traffic securely through this node to internet services.
+
+## Tailscale App Connector Node
+
+App connectors let you route Tailscale network (known as a tailnet) traffic to your software as a service (SaaS), cloud, and self-hosted applications, letting users and devices on the tailnet access applications by domain names instead of IP addresses. You can also incorporate monitoring, optimization, security, and reliability into your app connector setup. [See the App Connector documents for more information:](https://tailscale.com/docs/features/app-connectors/how-to/setup)
+
+## Configuration Overview
+
+In this setup, the `tailscale` service runs a Tailscale container configures it as an App Connector Node.
+
+- **TS_AUTHKEY**: This environment variable in the .env file is where you insert your Tailscale authentication key.
+- **TS_EXTRA_ARGS**: The `--advertise-connector` flag is used to designate this container as a App Connector Node within your Tailscale network.
+- **Sysctls**: The system controls `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` are enabled to allow IP forwarding, which is necessary for routing traffic through the Exit Node.
+- **Network Mode**: The `bridge` network mode is used to create a virtual network interface for the container, enabling it to handle traffic routing.
diff --git a/services/tailscale-app-connector-node/compose.yaml b/services/tailscale-app-connector-node/compose.yaml
new file mode 100644
index 00000000..767b71d8
--- /dev/null
+++ b/services/tailscale-app-connector-node/compose.yaml
@@ -0,0 +1,36 @@
+services:
+# Make sure you have updated/checked the .env file with the correct variables.
+# All the ${ xx } need to be defined there.
+ # Tailscale Sidecar Configuration
+ tailscale:
+ image: tailscale/tailscale:latest # Image to be used
+ container_name: tailscale-${SERVICE} # Name for local container management
+ hostname: ${SERVICE} # Name used within your Tailscale environment
+ environment:
+ - TS_AUTHKEY=${TS_AUTHKEY}
+ - TS_STATE_DIR=/var/lib/tailscale
+ - TS_EXTRA_ARGS=--advertise-connector
+ - TS_USERSPACE=false
+ - TS_ENABLE_HEALTH_CHECK=true # Enable healthcheck endpoint: "/healthz"
+ - TS_LOCAL_ADDR_PORT=127.0.0.1:41234 # The : for the healthz endpoint
+ #- TS_ACCEPT_DNS=true # Uncomment when using MagicDNS
+ - TS_AUTH_ONCE=true
+ volumes:
+ - ./ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path
+ devices:
+ - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work
+ dns:
+ - ${DNS_SERVER}
+ sysctls:
+ net.ipv4.ip_forward: 1
+ net.ipv6.conf.all.forwarding: 1
+ cap_add:
+ - net_admin # Tailscale requirement
+ network_mode: bridge
+ healthcheck:
+ test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational
+ interval: 1m # How often to perform the check
+ timeout: 10s # Time to wait for the check to succeed
+ retries: 3 # Number of retries before marking as unhealthy
+ start_period: 10s # Time to wait before starting health checks
+ restart: always
From fc4509606e8145e43b1b5251abdaa20fcd90584f Mon Sep 17 00:00:00 2001
From: michaelhodges
Date: Sun, 12 Apr 2026 14:05:22 +0100
Subject: [PATCH 24/24] Update .env
---
 services/tailscale-app-connector-node/.env | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/services/tailscale-app-connector-node/.env b/services/tailscale-app-connector-node/.env
index 5af49d0d..cc1b9d25 100644
--- a/services/tailscale-app-connector-node/.env
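Review bot: `image: tailscale/tailscale:latest` leaves the image unpinned on a container that is granted `net_admin`, `/dev/net/tun` and the IP-forwarding sysctls, so with `restart: always` the node runs whatever the mutable tag resolves to after the next pull. Pinning a release tag or digest, for example `image: tailscale/tailscale:<pinned-version>` (placeholder, not a real tag), makes upgrades an explicit, reviewable change. The `.env` added alongside defines `IMAGE_URL`, but nothing in this file reads it; either reference it here or drop it from the `.env` so the two files do not disagree about which image is deployed.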
+++ b/services/tailscale-app-connector-node/.env @@ -3,7 +3,7 @@ #COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure. # Service Configuration -SERVICE=subnet-router +SERVICE=app-connector IMAGE_URL=tailscale/tailscale # Network Configuration @@ -11,7 +11,7 @@ SERVICEPORT= # Port to expose to local network. Uncomment the "ports:" section i DNS_SERVER=9.9.9.9 # Tailscale Configuration -TS_AUTHKEY=tskey-auth-kDq2WKjSD411CNTRL-cL4SYEvo1dZfZfED2Mc5dZXm1vUqN1jp9 +TS_AUTHKEY= # Optional Service variables # PUID=1000