From 7b54261cb4a7edf469bda1c1ff1726fc0f109049 Mon Sep 17 00:00:00 2001
From: Digital Asset Management
Date: Mon, 21 Apr 2025 23:47:36 -0500
Subject: [PATCH] Initial commit

---
 README.md | 108 ++++++++++++++++++++++++++++++++++++
 docker-compose.yml | 21 +++++++
 tailscale/config/serve.json | 19 +++++++
 3 files changed, 148 insertions(+)
 create mode 100644 README.md
 create mode 100644 docker-compose.yml
 create mode 100644 tailscale/config/serve.json

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..421f25e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,108 @@ +# {{Service}} with Tailscale Integration + +![{{Service}} with Tailscale](https://damconsulting.llc/images/logo_yellow.svg "{{Service}}") + +This project sets up a {{Service}} instance with Tailscale VPN integration using Docker Compose. It creates a secure, private network connection for your {{Service}} instance using Tailscale. + +## Prerequisites + +- Docker and Docker Compose installed on your system +- A Tailscale account and auth key (get one from https://login.tailscale.com/admin/authkeys) +- Basic understanding of Docker and networking concepts + +## Project Structure +``` +ts-{{service}}/ +├── docker-compose.yml +├── tailscale/ +│ ├── tailscale-data/ # Persistent Tailscale state +│ └── config/ # Tailscale configuration files +└── {{service}}/ + └── config/ # {{Service}} configuration files +``` + +## Setup Instructions + +1. **Clone the Repository** + ```bash + git clone https://gitea.damconsulting.llc/DAM/ts-{{service}} + cd ts-{{service}} + ``` +2. Create Required Directories + ```bash + mkdir -p tailscale/tailscale-data + ``` +3. Configure Tailscale + - Replace `{{YOUR_TAILSCALE_AUTHKEY}}` in the docker-compose.yml with your actual Tailscale auth key + - Optionally, update the file in `tailscale/config/serve.json` if you need specific Tailscale serve configurations + - CAUTION: Changing `"${TS_CERT_DOMAIN}:443": false` to `true` will expose the service to the internet + +4. Configure {{Service}} + - See the [documentation]({{service_docs}}) for configuration options + +5. Start the Services + ```bash + docker compose up -d + ``` + +6. Wait for Certificate to propagate [~2m] + +7. 
Login + - After starting the services your service should be available via tailnet at https://{{service}}.{{YOUR_TAILNET_DOMAIN}}.ts.net ie https://{{service}}.tail12345.ts.net/ + +## Services + +### {{service}}-ts (Tailscale) + +- Runs Tailscale VPN client +- Image: tailscale/tailscale:latest +- Container name: {{service}}-ts +- Hostname: {{service}} +- Requires NET_ADMIN and SYS_MODULE capabilities +- Persists state in ./tailscale/tailscale-data +- Uses configuration from ./tailscale/config + +### {{service}} + +- Depends on {{service}}-ts service + +## Usage + +- After starting the services your service should be available via tailnet at `https://{{service}}.{{YOUR_TAILNET_DOMAIN}}.ts.net` ie `https://{{service}}.tail12345.ts.net/` +- To manually get the Tailscale IP/hostname of your container: + ```bash + docker logs {{service}}-ts + ``` + Look for the Tailscale IP address in the logs. + +## Optional Features + +- Uncomment and adjust the ports mapping if you need direct access (without Tailscale): + ```yaml + ports: + - 3000:3000 + ``` +- Stopping the Services + ```bash + docker compose down + ``` + +## Troubleshooting +- Check container logs: + ```bash + docker logs {{service}}-ts + docker logs {{service}} + ``` +- Ensure your Tailscale auth key is valid and not expired +- Verify the configuration files have proper permissions +- Make sure required directories exist before starting + +## Notes +- The {{Service}} service uses the Tailscale service's network stack via `network_mode: service:{{service}}-ts` +- Direct port mapping is disabled by default as Tailscale handles the networking +- Services restart automatically unless explicitly stopped +- For more information: + - Tailscale documentation: https://tailscale.com/kb/ + - {{Service}} [documentation]({{service_docs}}) + - {{Service}} [repository]({{service_repo}}) + - {{Service}} [linuxserve.io]({{service_lcsr}}) \ No newline at end of file 
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..72aa767
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,21 @@
+services:
+ {{service}}-ts:
+ image: tailscale/tailscale:latest
+ hostname: {{service}}
+ container_name: {{service}}-ts
+ environment:
+ - TS_AUTHKEY={{YOUR_TAILSCALE_AUTHKEY}}
+ - TS_STATE_DIR=/var/lib/tailscale
+ - TS_SERVE_CONFIG=/config/serve.json
+ volumes:
+ - ./tailscale/tailscale-data:/var/lib/tailscale
+ - ./tailscale/config:/config
+ - /dev/net/tun:/dev/net/tun
+ cap_add:
+ - net_admin
+ - sys_module
+ restart: unless-stopped
+ {{service-compose}}
+ network_mode: service:{{service}}-ts
+ depends_on:
+ - {{service}}-ts
\ No newline at end of file
diff --git a/tailscale/config/serve.json b/tailscale/config/serve.json
new file mode 100644
index 0000000..121ffb8
--- /dev/null
+++ b/tailscale/config/serve.json
@@ -0,0 +1,19 @@
+{
+ "TCP": {
+ "443": {
+ "HTTPS": true
+ }
+ },
+ "Web": {
+ "${TS_CERT_DOMAIN}:443": {
+ "Handlers": {
+ "/": {
+ "Proxy": "http://127.0.0.1:3000"
+ }
+ }
+ }
+ },
+ "AllowFunnel": {
+ "${TS_CERT_DOMAIN}:443": false
+ }
+ }
\ No newline at end of file
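Review bot: The `TS_AUTHKEY={{YOUR_TAILSCALE_AUTHKEY}}` line in the `environment:` block, together with the README step that tells the user to paste the real key into this file, puts a tailnet-joining credential into a git-tracked file where it will be committed and pushed by the next `git add .`. Read it from the environment instead, `- TS_AUTHKEY=${TS_AUTHKEY:?set TS_AUTHKEY in .env}`, keep it in a `.env` that is listed in `.gitignore`, and prefer a single-use or tagged key in the Tailscale admin console so a leak has bounded blast radius. `image: tailscale/tailscale:latest` is unpinned, so the node's VPN client changes silently on every pull; pin a tag or digest and update deliberately. `sys_module` lets the container load kernel modules on the host, which is effectively host root; it appears to be needed only when the `tun` module is not already loaded, so consider dropping it where `/dev/net/tun` already exists, and mount the serve config read-only since nothing in the container should write it: `- ./tailscale/config:/config:ro`.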
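Review bot: `"AllowFunnel": { "${TS_CERT_DOMAIN}:443": false }` is the only thing keeping this listener tailnet-only, and because strict JSON cannot carry a comment the README caution is the sole in-repo warning that flipping it to `true` publishes the backend to the public internet. Tailscale serve adds no authentication of its own, so with Funnel on, whatever is listening on `http://127.0.0.1:3000` is reachable with only its own login in front of it; the README's optional `ports: 3000:3000` mapping has the same effect without TLS. After `docker compose up -d`, confirm the effective state from inside the container with `docker exec {{service}}-ts tailscale serve status`, which should show the proxy and no Funnel entry; this is a better post-deploy check than waiting on the certificate.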