Alrighty, for a while I’ve been using Tailscale to get remote access to things on the homelab when I am out and about. I have a few services running on a ridiculously overpowered Unraid server. The Unraid server is some parts from my first gaming machine in Ireland, and some stuff I bought off eBay. And it doesn’t exactly sip power.
I also bought a Synology NAS back in 2016 or so, and have been doing various things on and off of it over the years. Lately I’m wanting to put all my homelab stuff that isn’t really a lab on the Synology. So Immich, Mealie, Calibre, etc - the things I want to always be working, not the things that I am willing to have blow up because I want to experiment with something else on the same server. None of those things are massively compute intensive, so my DS1621+ with 32G of RAM (yes, I hoard RAM - I’m expecting to sell it and pay off a mortgage or something the way current prices are going) should be able to keep up with most of these services. If I do this right (spoilers, he did it right - eventually) I should even be able to host my Unifi control software on there, and bootstrap the network overhaul from that.
Getting Traefik installed on the Synology was pretty easy. I am using Container Manager (yeah, I’m sure I’ll regret that eventually and will need to switch to whatever the Portainer alternative ends up being) and docker-compose files to launch the container. It’s running and if I go to the admin port I even get a pretty dashboard. But… I can’t configure anything through the UI, so I need to ssh into the Synology.
Oh, wait. I distracted myself because I remembered I have the Tailscale plugin installed on the Synology already and surely that will be sufficient to connect Traefik to my tailnet (spoilers: it wasn’t - and the real solution was actually easier). I’ll still need a way to hook my real domain name to my tailnet.
Ok, sorry for the tonal shift, but it’s two days later and I’ve scrapped a big portion of this plan (Traefik) and replaced it with TSDProxy. TSDProxy is from a member of the Tailscale user community, not an official app - but it should be. Basically, you install the TSDProxy container, give it an AuthKey for your Tailnet and you’re done (this is why I didn’t need the Tailscale plugin on Synology). After that if you stick a label on any container you want on the tailnet, TSDProxy sees the label and does the magic. The first time you try to connect to the container over your tailnet there will be some delay as the SSL cert is created on first demand, not on deploy. Under a minute and you are up and remotely accessing.
So now I don’t need to hook a wildcard to lab.cacophonyoffailure.ie or whatever and point it at Traefik so I can route to internal containers, and I don’t need to install Tailscale on every container. I can just get on my tailnet from anywhere and connect to any labelled container.
I am on the 1.x branch of TSDProxy (v2 is out in Beta, and I’m not confident enough that I’d be able to isolate a beta issue vs a PEBKAC issue), and the big snag for me getting this deployed was I used a tab in the config file. (SEE! That PEBKAC took an hour - so I shouldn’t hop on the betas yet.) In my defence I was ssh’d into the Synology and don’t have my normal Vim config (or Vim) automatically replacing tabs with spaces. This is one of those situations that comes up in discussions about putting so many guardrails up that we forget what to do if they aren’t there.
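A quick check for the tab problem described above, as an added example that is not from the post's author or the TSDProxy project. It assumes the config file is YAML, where tabs are not valid indentation; the function names and sample keys are constructed for illustration.

```shell
#!/bin/sh
# Added example: report tab characters used as indentation in a YAML file.
# Exit status: 0 = clean, 1 = tab indentation found, 2 = file unreadable.
check_yaml_tabs() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "check_yaml_tabs: cannot read $file" >&2
        return 2
    fi
    # Only leading whitespace is checked: a tab inside a quoted value is
    # legal YAML, a tab used to indent a line is not.
    awk '
        /^[ \t]*$/ { next }                   # skip blank lines
        {
            indent = $0
            sub(/[^ \t].*$/, "", indent)      # keep only the leading whitespace
            if (index(indent, "\t") > 0) {
                shown = $0
                gsub(/\t/, "<TAB>", shown)    # make the invisible character visible
                printf "%d: %s\n", NR, shown
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$file"
}

# Constructed sample: line 3 is indented with a tab, line 4 only has a tab
# inside a quoted value and must not be reported.
write_sample() {
    printf 'services:\n  app:\n\tlabels:\n      note: "a\tb"\n' > "$1"
}
```

Running `check_yaml_tabs` on the config before restarting the container prints each offending line number with the tab shown as `<TAB>`, which works over a bare ssh session with no editor configuration.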
Oh. The other big snag for me is that I installed FreshRSS. I figured that since I am making this blog available over RSS (still tweaking that part, but it’s there) I should start using more RSS. Well I had that container up, I set up some feeds that I was interested in, and then started down this TSDProxy path, and once it was working the first thing I tagged was the FreshRSS container. That triggered a rebuild. That’s when I found out that I f’d up the settings on the container and my personalizations (all the feeds I had already added) were not persistent. Once I figure all that out, I’ll be sure to complain blog about it so you can chuckle and hopefully not make the same mistakes I made. The good news is that I didn’t make that mistake with Immich, and so I didn’t lose all the photos I have going back to 2011.
Yes, there will be BlueTeam content on here eventually, but right now I’m doing network housekeeping and dragging you along for the ride.
