Have you looked at using the Funnel feature in Tailscale, instead of port mapping? This gets external traffic onto your Tailscale network (for anyone who doesn’t have Tailscale) for specific resources, courtesy of Tailscale servers.
If you’re just going to open ports to the world, Tailscale isn’t really necessary (it’s useful for you and anyone on TS, since you can use the Serve feature to permit other Tailscale networks to have access to specific resources).
This sounds like exactly what I need. If I wanted to share my Linux Distros share with my dad, he wouldn’t need to install tailscale and feck with all that?
The problem is that Tailscale gives your server a “magic” IP, which isn’t the same one as on your local network. On your local network, do you access them by port? Or reverse proxy?
I think this is what you should look into. Are the services in Heimdall listed with the local IP or host names? Or are they referenced with the tailscale IP?
Three things I want to add here:
On tailscale I can only access my home lab’s root page with the services being accessible with something like domain.tld/service.
service.domain.tld is not supported by tailscale. (See GitHub issue)
The local domain is different to the tailscale domain. If you want to use them with a reverse proxy (nginx, caddy) you need to have rules configured for your tailscale magic DNS domain too.
What I have is a VPS with wireguard and nginx proxy manager. Traffic comes in through the VPS and is routed internally. I have firewalls and isolation for everything that is in the danger zone if something gets compromised.
Free, private (can be self-hosted), and open source. You don’t need to create an account to use it. If I remember correctly, this was created in response to the recent changes to Splitwise.
Hey, I’m the author of Spliit.app, thanks for the mention :)
Indeed I created Spliit as open source because I believe that some tools should be open source, especially those used over the long term (I have a Splitwise account from many years ago).
PiVPN is elegant. Easy install, and I am impressed with the ascii QR code it generates.
But I could not make it work. I am guessing that my Android setup is faulty, orrrr maybe something with the Pi? This is incredibly difficult to troubleshoot.
You would want to set up a VPN server on your Linux server and VPN clients on android and laptop. I’m not knowledgeable enough to help, but you can look into wireguard.
That was my impression as well. But since I’m on a low-RAM VPS any overhead in RAM adds up, and I wanted to know how process deduplication works before I get into it.
I would suggest having an nginx as a reverse proxy (I prefer avoiding a container as it’s easier to manage) and then have your services in whatever medium you prefer.
Are all services running on the same machine? You mentioned same network… you also said you added your “docker instance” to tailscale. I think some clarifications on what those two things mean could help narrow down the problem.
E.g. do you have multiple physical machines running docker containers? Each one you want to access needs to be added to tailscale, OR, set up a tailscale gateway?
So from what I get reading your question, I would recommend reading more about containers, compose files and how they work.
To your question, I assume when you are talking about adding to container you are actually referring to compose files (often called ‘stacks’)? Containers have basically almost no computational overhead.
I keep my services in extra compose files. Every service that needs a db gets an extra one. This helps to keep things simple and modular.
I need to upgrade a db from a service? -> I do just that and can leave everything else untouched.
Also, typically compose automatically creates a network where all the containing services of that stack communicate. Separating the compose files helps to isolate them a little bit with the default settings.
Aren’t containers the product of compose files? i.e. the compose files spin up containers. I understand the architecture, I’m just not sure about how docker streamlines separate containers running the same process (eg, mysql).
I’m getting some answers saying that it deduplicates, and others saying that it doesn’t. It looks more likely that it’s the former though.
A compose file is just the configuration of one or many containers. The container is downloaded from the chosen registry and pretty much does not get touched.
A compose file ‘composes’ multiple containers together. That’s where the name comes from.
When you run multiple databases then those run in parallel. So every database has its own processes. You can even see them on the host system by running something like top or htop. The container images themselves can get deduplicated; that means that container images that contain the same layer just use the already downloaded files from that layer. A layer is nothing other than multiple files bundled. For example you can choose an ‘ubuntu layer’ for the base of your container image and every container that you want to download using that same layer will just simply use those files on creation time. But that basically does not matter. We are talking about a few tens or hundreds of MB in extreme cases.
But importantly, those files are just shared statically and changing a file in one container does not affect the other. Every container has its own isolated filesystem.
I understand the architecture, I’m just not sure about how docker streamlines separate containers running the same process (eg, mysql).
Quite simple actually. It gives every container its own environment thanks to namespacing. Every process thinks (more or less) it is running on its own machine.
There are quite simple docker implementations with just a couple of hundred lines of code.
Not expert, but basically you should port forward wireguard port 51820 to your server, install wireguard server, create client(s) and load QR code (or config) on android/laptop and you are set. Pi hole DNS and everything else should work just like when you are on home wifi.
You can leave your CF for public access, but do you really need PF 80 and 443 if you are using CF tunnels? (I thought you don’t, but I never used CF. Feels like it’s more safe to have CF tunnels if you don’t need to PF, but you have a middle man you have to trust)
Yes this is what I want to do. My question is how docker manages shared processes between these apps (for example, if app1 uses mysql and app2 also uses mysql).
Does it take up the RAM of 2 mysql processes? It seems wasteful if that’s the case, especially since I’m on a low-RAM VPS. I’m getting conflicting answers, so it looks like I’ll have to try it out and see.
Nah, that’s not how it works! I have over 10 applications and half of them have databases, and that’s the prime objective of containers! Less resource intensive and easier to deploy on low end machines. If I had to deploy 10 VMs for my 10 applications, my computer would not be able to handle it!
I have no idea how it works underneath, that’s a more technical question on how container engines work. But if you searx it or ask chatGPT (if you use this kind of tool) I’m sure you will find out how it works :).