Tailscale in docker with nobody user

I’m following the instructions from Tailscale on Fly.io · Tailscale in our Docker container by adding Tailscale as a side process next to our application.

However, I gather that running your Docker application as nobody:nobody is the recommended way. But when doing so Tailscale fails with permission errors:

2023-01-19T11:10:37.084 app[61a8c71f] ams [info] 2023/01/19 11:10:37 LogID: XXX
2023-01-19T11:10:37.084 app[61a8c71f] ams [info] 2023/01/19 11:10:37 logpolicy: using system state directory "/var/lib/tailscale"
2023-01-19T11:10:37.084 app[61a8c71f] ams [info] logpolicy.ConfigFromFile /var/lib/tailscale/tailscaled.log.conf: open /var/lib/tailscale/tailscaled.log.conf: no such file or directory
2023-01-19T11:10:37.084 app[61a8c71f] ams [info] logpolicy.Config.Validate for /var/lib/tailscale/tailscaled.log.conf: config is nil
2023-01-19T11:10:37.089 app[61a8c71f] ams [info] 2023/01/19 11:10:37 wgengine.NewUserspaceEngine(tun "tailscale0") ...
2023-01-19T11:10:37.090 app[61a8c71f] ams [info] 2023/01/19 11:10:37 Linux kernel version: 5.12.2
2023-01-19T11:10:37.094 app[61a8c71f] ams [info] 2023/01/19 11:10:37 is CONFIG_TUN enabled in your kernel? `modprobe tun` failed with: modprobe: can't change directory to '/lib/modules': No such file or directory
2023-01-19T11:10:37.094 app[61a8c71f] ams [info] 2023/01/19 11:10:37 wgengine.NewUserspaceEngine(tun "tailscale0") error: tstun.New("tailscale0"): permission denied
2023-01-19T11:10:37.094 app[61a8c71f] ams [info] 2023/01/19 11:10:37 flushing log.
2023-01-19T11:10:37.094 app[61a8c71f] ams [info] 2023/01/19 11:10:37 logger closing down
2023-01-19T11:10:38.095 app[61a8c71f] ams [info] 2023/01/19 11:10:38 logtail: dial "log.tailscale.io:443" failed: dial tcp: lookup log.tailscale.io: operation was canceled (in 1.007s), trying bootstrap...
2023-01-19T11:10:38.096 app[61a8c71f] ams [info] 2023/01/19 11:10:38 logtail: upload: log upload of 431 bytes compressed failed: Post "https://log.tailscale.io/c/tailnode.log.tailscale.io/XXX": context canceled
2023-01-19T11:10:38.096 app[61a8c71f] ams [info] 2023/01/19 11:10:38 getLocalBackend error: createEngine: tstun.New("tailscale0"): permission denied
2023-01-19T11:10:39.065 app[61a8c71f] ams [info] failed to connect to local tailscaled; it doesn't appear to be running (sudo systemctl start tailscaled ?) 

Our container is Alpine:

FROM XXX AS builder

# Building ...

##################################################

FROM alpine:latest as tailscale

WORKDIR /app

ENV TSFILE=tailscale_1.34.2_amd64.tgz

RUN wget https://pkgs.tailscale.com/stable/${TSFILE} && \
    tar xzf ${TSFILE} --strip-components=1

##################################################

FROM XXX
RUN apk update && apk add ca-certificates iptables ip6tables && rm -rf /var/cache/apk/*

ARG TAILSCALE_AUTH_KEY
ENV HOME /opt/app
ENV TAILSCALE_AUTH_KEY $TAILSCALE_AUTH_KEY

# Create and set home directory
WORKDIR $HOME
EXPOSE $PORT

# Tailscale directories
RUN mkdir -p /var/run/tailscale /var/cache/tailscale /var/lib/tailscale
RUN chown nobody:nobody /var/run/tailscale /var/cache/tailscale /var/lib/tailscale

# RUN modprobe tun
RUN mkdir -p /dev/net && \
    mknod /dev/net/tun c 10 200 && \
    chmod 600 /dev/net/tun

# Copy App
COPY --from=builder --chown=nobody:nobody XXX

# Copy Tailscale
COPY --from=tailscale --chown=nobody:nobody /app/tailscaled /app/tailscaled
COPY --from=tailscale --chown=nobody:nobody /app/tailscale /app/tailscale

# Copy start script
COPY rel/start.sh .
RUN chmod +x $HOME/start.sh

# User change
RUN chown nobody:nobody $HOME
USER nobody:nobody

ENTRYPOINT ["/opt/app/start.sh"]

Our start.sh:

#!/bin/bash

/app/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/var/run/tailscale/tailscaled.sock &
/app/tailscale up --authkey=${TAILSCALE_AUTH_KEY}

# ./bin/production start

What are we doing wrong here? Can I combine running everything inside docker as nobody and runngin Tailscale?