From 5244ac3e403b08857ddab31b55f5a0806614f885 Mon Sep 17 00:00:00 2001
From: kommandantredundant <kommandantredundant@gmail.com>
Date: Wed, 10 Jun 2026 15:17:12 +0200
Subject: [PATCH 1/5] Added service kitchenowl

---
 README.md                               |  1 +
 services/kitchenowl/.env                | 29 +++++++++++
 services/kitchenowl/README.md           | 12 +++++
 services/kitchenowl/docker-compose.yaml | 68 +++++++++++++++++++++++++
 4 files changed, 110 insertions(+)
 create mode 100755 services/kitchenowl/.env
 create mode 100644 services/kitchenowl/README.md
 create mode 100755 services/kitchenowl/docker-compose.yaml

diff --git a/README.md b/README.md
index 1e2ba83..09d07dd 100644
--- a/README.md
+++ b/README.md
@@ -221,6 +221,7 @@ ScaleTail provides ready-to-run [Docker Compose](https://docs.docker.com/compose
 
 | 🥘 Service             | 📝 Description                                                                                                                                  | 🔗 Link                      |
 | --------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------- |
+| 🥘 **Kitchenowl** | A self-hosted smart grocery list and recipe manager with features like expense tracking, weekly meal planner, rich recipe import options and OIDC support.  | [Details](services/kitchenowl) |
 | 🥘 **Mealie**          | A self-hosted recipe manager and meal planner with features like shopping lists, scaling, and importing.                                       | [Details](services/mealie)  |
 | 🥘 **Tandoor Recipes** | A self-hosted recipe manager that also serves as a meal planner that has features such as nutrient tracking, shopping lists, importing and AI. | [Details](services/tandoor) |
 
diff --git a/services/kitchenowl/.env b/services/kitchenowl/.env
new file mode 100755
index 0000000..5b50e61
--- /dev/null
+++ b/services/kitchenowl/.env
@@ -0,0 +1,29 @@
+#version=1.1
+#URL=https://github.com/tailscale-dev/ScaleTail
+#COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure.
+
+# Service Configuration
+SERVICE=kitchenowl
+IMAGE_URL=tombursch/kitchenowl:latest
+
+# Network Configuration
+SERVICEPORT=8080
+DNS_SERVER=9.9.9.9
+
+# Tailscale Configuration
+TS_AUTHKEY= # Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions.
+
+# Time Zone setting for containers 
+TZ=Europe/Amsterdam # See: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
+
+# Optional Service variables
+# PUID=1000
+
+#EXAMPLE_VAR="Environment varibale"
+
+JWT_SECRET_KEY= # Generate a random string for JWT secret key, e.g., using: openssl rand -base64 32
+
+FRONT_URL= # the exact URL of your kitchenowl instance, requred when using OIDC authentication, e.g https://kitchenowl.example.com
+OIDC_ISSUER=# your OIDC issuer, e.g https://accounts.google.com
+OIDC_CLIENT_ID= # to be generated by your OIDC provider
+OIDC_CLIENT_SECRET= # to be generated by your OIDC provider
\ No newline at end of file
diff --git a/services/kitchenowl/README.md b/services/kitchenowl/README.md
new file mode 100644
index 0000000..05aefa7
--- /dev/null
+++ b/services/kitchenowl/README.md
@@ -0,0 +1,12 @@
+# Kitchenowl with Tailscale Sidecar Configuration
+
+This Docker Compose configuration sets up [Kitchenowl](https://github.com/TomBursch/kitchenowl) with Tailscale as a sidecar container to securely access your meal planner over a private Tailscale network. By using Tailscale in a sidecar configuration, you can enhance the security and privacy of your Kitchenowl instance, ensuring that it is only accessible within your Tailscale network.
+
+## Kitchenowl
+
+[Kitchenowl](https://kitchenowl.org/) is a smart grocery list and recipe manager with features like expense tracking, weekly meal planner and rich recipe import options. This configuration leverages Tailscale to securely connect to your Kitchenowl dashboard, ensuring that your self-hosted interface is protected from unauthorized access and only reachable via your private Tailscale network. You can find options to set up Open ID Connect [here](https://docs.kitchenowl.org/latest/self-hosting/oidc/).
+
+## Configuration Overview
+
+In this setup, the `tailscale-kitchenowl` service runs Tailscale, which manages secure networking for the Kitchenowl service. The `app-kitchenowl` service uses the Tailscale network stack via Docker's `network_mode: service:` configuration. This setup ensures that Kitchenowl's web interface is only accessible through the Tailscale network (or locally, if preferred), providing an extra layer of security and privacy for your self-hosted meal planner. 
+You can find information on how to set up Open ID Connect [here](https://docs.kitchenowl.org/latest/self-hosting/oidc/). Just uncomment the section in both the .env-file and the docker-compose.yaml and set up your parameters in the .env-file to use them!
diff --git a/services/kitchenowl/docker-compose.yaml b/services/kitchenowl/docker-compose.yaml
new file mode 100755
index 0000000..c89635e
--- /dev/null
+++ b/services/kitchenowl/docker-compose.yaml
@@ -0,0 +1,68 @@
+configs:
+  ts-serve:
+    content: |
+      {"TCP":{"443":{"HTTPS":true}},
+      "Web":{"$${TS_CERT_DOMAIN}:443":
+          {"Handlers":{"/":
+          {"Proxy":"http://127.0.0.1:8080"}}}},
+      "AllowFunnel":{"$${TS_CERT_DOMAIN}:443":false}}
+
+services:
+# Make sure you have updated/checked the .env file with the correct variables. 
+# All the ${ xx } need to be defined there.
+  # Tailscale Sidecar Configuration
+  tailscale:
+    image: tailscale/tailscale:latest # Image to be used
+    container_name: tailscale-${SERVICE} # Name for local container management
+    hostname: ${SERVICE} # Name used within your Tailscale environment
+    environment:
+      - TS_AUTHKEY=${TS_AUTHKEY}
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_SERVE_CONFIG=/config/serve.json # Tailscale Serve configuration to expose the web interface on your local Tailnet - remove this line if not required
+      - TS_USERSPACE=false
+      - TS_ENABLE_HEALTH_CHECK=true              # Enable healthcheck endpoint: "/healthz"
+      - TS_LOCAL_ADDR_PORT=127.0.0.1:41234       # The <addr>:<port> for the healthz endpoint
+      #- TS_ACCEPT_DNS=true # Uncomment when using MagicDNS
+      - TS_AUTH_ONCE=true
+    configs:
+      - source: ts-serve
+        target: /config/serve.json
+    volumes:
+      - ./config:/config # Config folder used to store Tailscale files - you may need to change the path
+      - ./ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path
+    devices:
+      - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work
+    cap_add:
+      - net_admin # Tailscale requirement
+    ports:
+      - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your Tailnet is required
+    # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below
+    # dns: 
+    #   - ${DNS_SERVER}
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational
+      interval: 1m # How often to perform the check
+      timeout: 10s # Time to wait for the check to succeed
+      retries: 3 # Number of retries before marking as unhealthy
+      start_period: 10s # Time to wait before starting health checks
+    restart: always
+
+  # ${SERVICE}
+  kitchenowl:
+    image: ${IMAGE_URL} # Image to be used
+    network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale
+    container_name: app-${SERVICE} # Name for local container management
+    env_file: .env
+    environment:
+      - JWT_SECRET_KEY=${JWT_SECRET_KEY}  # JWT secret key for authentication - make sure to set this in the .env file
+      ## Optional for OIDC support - make sure to set these in the .env file if required!
+      #- FRONT_URL=${FRONT_URL}
+      #- OIDC_ISSUER=${OIDC_ISSUER}
+      #- OIDC_CLIENT_ID=${OIDC_CLIENT_ID}
+      #- OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
+    restart: unless-stopped
+    depends_on:
+      tailscale:
+        condition: service_healthy
+    volumes:
+      - ./data:/data
\ No newline at end of file

From 565ab5778e0f19c524b7d274afcec3eb7d07f184 Mon Sep 17 00:00:00 2001
From: crypt0rr <57799908+crypt0rr@users.noreply.github.com>
Date: Fri, 12 Jun 2026 16:44:54 +0200
Subject: [PATCH 2/5] Update .env file with FRONT_URL and comment out OIDC
 variables

---
 services/kitchenowl/.env | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/services/kitchenowl/.env b/services/kitchenowl/.env
index 5b50e61..43895e9 100755
--- a/services/kitchenowl/.env
+++ b/services/kitchenowl/.env
@@ -23,7 +23,7 @@ TZ=Europe/Amsterdam # See: https://en.wikipedia.org/wiki/List_of_tz_database_tim
 
 JWT_SECRET_KEY= # Generate a random string for JWT secret key, e.g., using: openssl rand -base64 32
 
-FRONT_URL= # the exact URL of your kitchenowl instance, requred when using OIDC authentication, e.g https://kitchenowl.example.com
-OIDC_ISSUER=# your OIDC issuer, e.g https://accounts.google.com
-OIDC_CLIENT_ID= # to be generated by your OIDC provider
-OIDC_CLIENT_SECRET= # to be generated by your OIDC provider
\ No newline at end of file
+FRONT_URL=https://kitchenowl.<YOUR_TAILSCALE_DOMAIN>.ts.net # the exact URL of your kitchenowl instance, required when using OIDC authentication, e.g https://kitchenowl.example.com
+#OIDC_ISSUER= # your OIDC issuer, e.g https://accounts.google.com
+#OIDC_CLIENT_ID= # to be generated by your OIDC provider
+#OIDC_CLIENT_SECRET= # to be generated by your OIDC provider
\ No newline at end of file

From 2f9521a8e82bc734d09c18f325e0e1fb72d11fdf Mon Sep 17 00:00:00 2001
From: crypt0rr <57799908+crypt0rr@users.noreply.github.com>
Date: Fri, 12 Jun 2026 16:45:04 +0200
Subject: [PATCH 3/5] Add Tailscale configuration and health check for
 kitchenowl service

---
 services/kitchenowl/{docker-compose.yaml => compose.yaml} | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 rename services/kitchenowl/{docker-compose.yaml => compose.yaml} (98%)

diff --git a/services/kitchenowl/docker-compose.yaml b/services/kitchenowl/compose.yaml
similarity index 98%
rename from services/kitchenowl/docker-compose.yaml
rename to services/kitchenowl/compose.yaml
index c89635e..48921be 100755
--- a/services/kitchenowl/docker-compose.yaml
+++ b/services/kitchenowl/compose.yaml
@@ -53,6 +53,8 @@ services:
     network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale
     container_name: app-${SERVICE} # Name for local container management
     env_file: .env
+    volumes:
+      - ./${SERVICE}-data/:/data
     environment:
       - JWT_SECRET_KEY=${JWT_SECRET_KEY}  # JWT secret key for authentication - make sure to set this in the .env file
       ## Optional for OIDC support - make sure to set these in the .env file if required!
@@ -60,9 +62,7 @@ services:
       #- OIDC_ISSUER=${OIDC_ISSUER}
       #- OIDC_CLIENT_ID=${OIDC_CLIENT_ID}
       #- OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET}
-    restart: unless-stopped
     depends_on:
       tailscale:
         condition: service_healthy
-    volumes:
-      - ./data:/data
\ No newline at end of file
+    restart: unless-stopped
\ No newline at end of file

From 548267a4cf76dd458861c920556ce7faf63d4bd9 Mon Sep 17 00:00:00 2001
From: crypt0rr <57799908+crypt0rr@users.noreply.github.com>
Date: Fri, 12 Jun 2026 16:48:29 +0200
Subject: [PATCH 4/5] Enhance README for Kitchenowl with detailed Tailscale
 integration and key features

---
 services/kitchenowl/README.md | 54 ++++++++++++++++++++++++++++++++---
 1 file changed, 50 insertions(+), 4 deletions(-)

diff --git a/services/kitchenowl/README.md b/services/kitchenowl/README.md
index 05aefa7..6dc8c93 100644
--- a/services/kitchenowl/README.md
+++ b/services/kitchenowl/README.md
@@ -1,12 +1,58 @@
 # Kitchenowl with Tailscale Sidecar Configuration
 
-This Docker Compose configuration sets up [Kitchenowl](https://github.com/TomBursch/kitchenowl) with Tailscale as a sidecar container to securely access your meal planner over a private Tailscale network. By using Tailscale in a sidecar configuration, you can enhance the security and privacy of your Kitchenowl instance, ensuring that it is only accessible within your Tailscale network.
+This Docker Compose configuration sets up **Kitchenowl** with a Tailscale sidecar container, enabling secure, private access to your self-hosted grocery list, recipe manager, and meal planner over your Tailnet. With this setup, your Kitchenowl instance is **not exposed to the public internet** and is only accessible from authorized devices connected via Tailscale.
 
 ## Kitchenowl
 
-[Kitchenowl](https://kitchenowl.org/) is a smart grocery list and recipe manager with features like expense tracking, weekly meal planner and rich recipe import options. This configuration leverages Tailscale to securely connect to your Kitchenowl dashboard, ensuring that your self-hosted interface is protected from unauthorized access and only reachable via your private Tailscale network. You can find options to set up Open ID Connect [here](https://docs.kitchenowl.org/latest/self-hosting/oidc/).
+[**Kitchenowl**](https://github.com/TomBursch/kitchenowl) is a self-hosted grocery list, recipe manager, and meal planning application designed for households and shared kitchens. It helps you organize shopping lists, recipes, weekly meal plans, pantry items, and household food planning from a central web interface.
+
+Kitchenowl is useful for families, housemates, and home labs that want a private alternative to cloud-hosted grocery and recipe apps. It supports collaborative lists, recipe import workflows, meal planning, and optional account integration features, making it a practical tool for day-to-day kitchen organization.
+
+## Key Features
+
+- 🛒 Shared grocery lists for households and teams
+- 🍽️ Recipe management with rich recipe import options
+- 📅 Weekly meal planning for organizing upcoming meals
+- 💸 Expense tracking for grocery and household food costs
+- 🧺 Pantry and household item organization
+- 👥 Multi-user collaboration for shared kitchens
+- 🔐 Optional OpenID Connect support for external authentication
+- 🛡️ Tailnet-only access when paired with the included Tailscale sidecar
+
+## Tailscale Integration
+
+This setup uses a **Tailscale sidecar container** to provide secure private networking for Kitchenowl. The Kitchenowl container shares the Tailscale container's network stack using Docker's `network_mode: service:<tailscale-service-name>` pattern.
+
+Because of this, Kitchenowl does not need to publish ports directly to the host. Instead, you access the web interface through the Tailscale hostname or Tailnet IP assigned to the sidecar. This keeps the service private, reduces exposure, and avoids the need for public DNS, inbound firewall rules, or a public reverse proxy.
 
 ## Configuration Overview
 
-In this setup, the `tailscale-kitchenowl` service runs Tailscale, which manages secure networking for the Kitchenowl service. The `app-kitchenowl` service uses the Tailscale network stack via Docker's `network_mode: service:` configuration. This setup ensures that Kitchenowl's web interface is only accessible through the Tailscale network (or locally, if preferred), providing an extra layer of security and privacy for your self-hosted meal planner. 
-You can find information on how to set up Open ID Connect [here](https://docs.kitchenowl.org/latest/self-hosting/oidc/). Just uncomment the section in both the .env-file and the docker-compose.yaml and set up your parameters in the .env-file to use them!
+The Compose stack is built around two services:
+
+1. **Tailscale sidecar**  
+   Handles authentication to your Tailnet and provides the private network endpoint for the application.
+
+2. **Kitchenowl application**  
+   Runs the Kitchenowl web interface and uses the Tailscale sidecar's network namespace for secure Tailnet-only access.
+
+Kitchenowl should be configured with persistent storage so recipes, shopping lists, users, pantry data, meal plans, and application settings are retained across container restarts and updates. Review the provided `compose.yaml` and `.env` file before deployment, especially if you want to enable authentication integrations.
+
+## OpenID Connect
+
+Kitchenowl supports OpenID Connect for external authentication providers. This can be useful when integrating Kitchenowl with an existing identity provider such as Authentik, Authelia, Keycloak, or another OIDC-compatible service.
+
+To enable OIDC in this ScaleTail service, review the commented OIDC sections in both the `.env` file and the `compose.yaml` file. Uncomment the relevant values and fill in the required provider details before starting the stack.
+
+You can find the upstream Kitchenowl OIDC documentation here: [Kitchenowl OpenID Connect Documentation](https://docs.kitchenowl.org/latest/self-hosting/oidc/).
+
+## Usage Notes
+
+Once logged in, create your household, configure users, and begin adding grocery lists, recipes, pantry items, and meal plans. Since Kitchenowl is designed for shared household use, review user permissions and authentication settings before inviting other people to the instance.
+
+## References
+
+- [Kitchenowl Website](https://kitchenowl.org/)
+- [Kitchenowl GitHub Repository](https://github.com/TomBursch/kitchenowl)
+- [Kitchenowl Documentation](https://docs.kitchenowl.org/)
+- [Kitchenowl OpenID Connect Documentation](https://docs.kitchenowl.org/latest/self-hosting/oidc/)
+- [Tailscale Docker Documentation](https://tailscale.com/kb/1282/docker)
\ No newline at end of file

From aa64ac45b28a20d0f67dc16d2bfeffc61a424dd2 Mon Sep 17 00:00:00 2001
From: crypt0rr <57799908+crypt0rr@users.noreply.github.com>
Date: Fri, 12 Jun 2026 16:50:53 +0200
Subject: [PATCH 5/5] Fix formatting in README files by ensuring proper newline
 at end of file

---
 README.md                     | 2 +-
 services/kitchenowl/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 3fa15fb..2a8cb0c 100644
--- a/README.md
+++ b/README.md
@@ -274,4 +274,4 @@ See [CONTRIBUTING.md](/CONTRIBUTING.md) for guidance on adding services with the
 
 ## License
 
-[MIT](https://choosealicense.com/licenses/mit/)
\ No newline at end of file
+[MIT](https://choosealicense.com/licenses/mit/)
diff --git a/services/kitchenowl/README.md b/services/kitchenowl/README.md
index 6dc8c93..ac5f3d7 100644
--- a/services/kitchenowl/README.md
+++ b/services/kitchenowl/README.md
@@ -55,4 +55,4 @@ Once logged in, create your household, configure users, and begin adding grocery
 - [Kitchenowl GitHub Repository](https://github.com/TomBursch/kitchenowl)
 - [Kitchenowl Documentation](https://docs.kitchenowl.org/)
 - [Kitchenowl OpenID Connect Documentation](https://docs.kitchenowl.org/latest/self-hosting/oidc/)
-- [Tailscale Docker Documentation](https://tailscale.com/kb/1282/docker)
\ No newline at end of file
+- [Tailscale Docker Documentation](https://tailscale.com/kb/1282/docker)