|
|
|
|
@@ -29,18 +29,17 @@ Actions (gitea's implementation) has me excited because it makes spinning up a n
|
|
|
|
|
|
|
|
|
|
## Integration with Tailscale
|
|
|
|
|
|
|
|
|
|
> **2024-02-10**: I had originally written this post to include [Tailscale-Traefik Proxy Integration](https://traefik.io/blog/exploring-the-tailscale-traefik-proxy-integration/), but I have since decided to remove it in favour of Tailscale Serve and Funnel after learning from this [example](https://github.com/tailscale-dev/docker-guide-code-examples). This simplifies the setup and reduces the number of moving parts.
|
|
|
|
|
|
|
|
|
|
So how does Tailscale help here? Well, more recently I've been exposing my self-hosted services using Tailscale [Serve](https://tailscale.com/kb/1312/serve) and [Funnel](https://tailscale.com/kb/1223/funnel). This allows for a nice looking dns name (i.e. gitea.my-tailnet-name.ts.net), automatic tls certificate management, and optionally allowing the address to be publically accessible (using Funnel).
|
|
|
|
|
So how does Tailscale help here? Well, more recently I've been exposing my self-hosted services through a combination of traefik and the tailscale (through the tailscale-traefik proxy integration described [here](https://traefik.io/blog/exploring-the-tailscale-traefik-proxy-integration/)). This allows for a nice looking dns name (i.e. gitea.my-tailnet-name.ts.net) and automatic tls certificate management. I can also share this tailscale node securely with other tailscale users without configuring any firewall rules on my router.
|
|
|
|
|
|
|
|
|
|
## Deploying Gitea, Traefik, and Tailscale
|
|
|
|
|
|
|
|
|
|
In my case, the following is already set up:
|
|
|
|
|
|
|
|
|
|
- [docker-compose is installed](https://docs.docker.com/compose/install/linux/)
|
|
|
|
|
- [tailscale is installed on the gitea host](https://tailscale.com/kb/1017/install/)
|
|
|
|
|
- [tailscale magic dns is enabled](https://tailscale.com/kb/1081/magicdns/)
|
|
|
|
|
|
|
|
|
|
My preferred approach to deploying code in a homelab environment is with docker compose. I have deployed this in a lxc container on Proxmox. You could run this on a virtual machine or a physical host as well.
|
|
|
|
|
My preferred approach to deploying code in a homelab environment is with docker compose. I have deployed this in a [proxmox lxc container](https://pve.proxmox.com/wiki/Linux_Container) based on debian with a hostname `gitea`. This could be deployed in any environment and with any hostname (as long you updated the tailscale machine name to your preferred subdomain for magic dns).
|
|
|
|
|
|
|
|
|
|
The `docker-compose.yaml` file looks like:
|
|
|
|
|
|
|
|
|
|
@@ -50,7 +49,6 @@ services:
|
|
|
|
|
gitea:
|
|
|
|
|
image: gitea/gitea:1.21.1
|
|
|
|
|
container_name: gitea
|
|
|
|
|
network_mode: service:ts-gitea
|
|
|
|
|
environment:
|
|
|
|
|
- USER_UID=1000
|
|
|
|
|
- USER_GID=1000
|
|
|
|
|
@@ -64,38 +62,54 @@ services:
|
|
|
|
|
- ./data:/data
|
|
|
|
|
- /etc/timezone:/etc/timezone:ro
|
|
|
|
|
- /etc/localtime:/etc/localtime:ro
|
|
|
|
|
ts-gitea:
|
|
|
|
|
image: tailscale/tailscale:v1.58
|
|
|
|
|
container_name: ts-gitea
|
|
|
|
|
hostname: gitea
|
|
|
|
|
environment:
|
|
|
|
|
- TS_AUTHKEY=<FILL THIS IN>
|
|
|
|
|
- TS_SERVE_CONFIG=/config/gitea.json
|
|
|
|
|
- TS_STATE_DIR=/var/lib/tailscale
|
|
|
|
|
volumes:
|
|
|
|
|
- ${PWD}/state:/var/lib/tailscale
|
|
|
|
|
- ${PWD}/config:/config
|
|
|
|
|
- /dev/net/tun:/dev/net/tun
|
|
|
|
|
cap_add:
|
|
|
|
|
- net_admin
|
|
|
|
|
- sys_module
|
|
|
|
|
traefik:
|
|
|
|
|
image: traefik:v3.0.0-beta4
|
|
|
|
|
container_name: traefik
|
|
|
|
|
security_opt:
|
|
|
|
|
- no-new-privileges:true
|
|
|
|
|
restart: unless-stopped
|
|
|
|
|
ports:
|
|
|
|
|
- 80:80
|
|
|
|
|
- 443:443
|
|
|
|
|
volumes:
|
|
|
|
|
- ./traefik/data/traefik.yaml:/traefik.yaml:ro
|
|
|
|
|
- ./traefik/data/dynamic.yaml:/dynamic.yaml:ro
|
|
|
|
|
- /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Note that you must specify a `TS_AUTHKEY` in the `ts-gitea` service. You can generate an auth key [here](https://login.tailscale.com/admin/settings/keys).
|
|
|
|
|
|
|
|
|
|
`config/gitea.json`:
|
|
|
|
|
`traefik/data/traefik.yaml`:
|
|
|
|
|
|
|
|
|
|
```yaml
|
|
|
|
|
{
|
|
|
|
|
"TCP": { "443": { "HTTPS": true } },
|
|
|
|
|
"Web":
|
|
|
|
|
{
|
|
|
|
|
"${TS_CERT_DOMAIN}:443":
|
|
|
|
|
{ "Handlers": { "/": { "Proxy": "http://127.0.0.1:3000" } } },
|
|
|
|
|
},
|
|
|
|
|
"AllowFunnel": { "${TS_CERT_DOMAIN}:443": true },
|
|
|
|
|
}
|
|
|
|
|
entryPoints:
|
|
|
|
|
https:
|
|
|
|
|
address: ":443"
|
|
|
|
|
providers:
|
|
|
|
|
file:
|
|
|
|
|
filename: dynamic.yaml
|
|
|
|
|
certificatesResolvers:
|
|
|
|
|
myresolver:
|
|
|
|
|
tailscale: {}
|
|
|
|
|
log:
|
|
|
|
|
level: INFO
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
and finally `traefik/data/dynamic/dynamic.yaml`:
|
|
|
|
|
|
|
|
|
|
```yaml
|
|
|
|
|
http:
|
|
|
|
|
routers:
|
|
|
|
|
gitea:
|
|
|
|
|
rule: Host(`gitea.my-tailnet-name.ts.net`)
|
|
|
|
|
entrypoints:
|
|
|
|
|
- "https"
|
|
|
|
|
service: gitea
|
|
|
|
|
tls:
|
|
|
|
|
certResolver: myresolver
|
|
|
|
|
services:
|
|
|
|
|
gitea:
|
|
|
|
|
loadBalancer:
|
|
|
|
|
servers:
|
|
|
|
|
- url: "http://gitea:3000"
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Something to consider is whether or not you want to use ssh with git. One method to get this to work with containers is to use [ssh container passthrough](https://docs.gitea.com/installation/install-with-docker#ssh-container-passthrough). I decided to keep it simple and not use ssh, since communicating over https is perfectly fine for my use case.
|
|
|
|
|
|
