UnRaid / Tailscale / Docker

I need some help here. I’m currently using a community tailscale app for unraid, however I can’t figure out how to use the cert command.

I was thinking I would just launch my own docker / tailscale, but for the life of me I cannot figure out what the flags should be to get it working. Every time it shows up as “ephemeral” which I don’t want - I need the IP to remain the same over reboots.

Can anyone point me to the “official” flags that should be used to run tailscale in a container? Also, where is the list of flags that could be used?

Hi Jeryd,

If you want the tailscale identity to persist, you need to map /var/lib/tailscale inside the container to stable storage somewhere on the host. This folder will contain the node key, which Tailscale uses to identify the node and assign the IP address.

If you run `tailscale --help` or `tailscale up --help` you will get a list of the flags available.


Hey @jeryd ,

I went with the following in docker-compose:

    tailscale-myservice:
        image: tailscale/tailscale:v1.30
        network_mode: 'service:myservice'
        volumes:
            - ./data/tailscale-gitea:/var/lib/tailscale
            - gitea_keys:/ssl_certificate
        env_file:
            - tailscale-myservice.env
        environment:
            - TS_USERSPACE=true
            - TS_STATE_DIR=/var/lib/tailscale/ # sets state directory env var so that state is persisted
        cpus: 2
        mem_limit: 4096m
        restart: on-failure
        init: true

And then in tailscale-myservice.env you put a key that you generate in the admin panel where you can disable the ‘ephemeral’ flag:

TS_AUTH_KEY=tskey-XXXXXX-YYYYY

That should do the trick.

Note: this method of using a container in parallel with the actual service you want to expose still has some quirks. If you restart the service container you also need to restart the tailscale container in order to re-enable the connectivity to the service from your tailnet. As far as I understand this is due to a limitation on how docker works when you use the ‘service:myservice’ network mode.

Hope this helps,
Lieven.
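Added example (not from the thread): a small POSIX shell lint that checks a compose fragment for the pitfalls discussed above, i.e. no host mount for /var/lib/tailscale, TS_STATE_DIR not pointing into that mount, and an auth key inlined in the compose file instead of an env_file. The two compose fragments, the service name, the host path and the tskey placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Lints a docker-compose fragment for the
# Tailscale sidecar persistence pitfalls. Names and paths below are constructed.

# Constructed fragment that loses its node key when the container is recreated:
# no host mount for /var/lib/tailscale and the auth key pasted inline.
EPHEMERAL_COMPOSE='services:
  tailscale-myservice:
    image: tailscale/tailscale:v1.30
    network_mode: "service:myservice"
    environment:
      - TS_USERSPACE=true
      - TS_AUTH_KEY=tskey-EXAMPLE-PLACEHOLDER
'
# Constructed fragment that keeps the node key across recreates and reboots.
PERSISTENT_COMPOSE='services:
  tailscale-myservice:
    image: tailscale/tailscale:v1.30
    network_mode: "service:myservice"
    volumes:
      - ./data/tailscale-myservice:/var/lib/tailscale
    env_file:
      - tailscale-myservice.env
    environment:
      - TS_USERSPACE=true
      - TS_STATE_DIR=/var/lib/tailscale/
'

# lint_tailscale_compose TEXT: prints one line per finding, returns the count.
lint_tailscale_compose() {
  compose="$1"
  findings=0
  # 1. The node key lives in /var/lib/tailscale; without a host mount it is lost.
  if ! printf '%s\n' "$compose" | grep -Eq '^[[:space:]]*-[[:space:]]*[^[:space:]]+:/var/lib/tailscale/?[[:space:]]*$'; then
    echo "MISSING: /var/lib/tailscale is not mapped to host storage (node key not persisted)"
    findings=$((findings + 1))
  fi
  # 2. TS_STATE_DIR must point into that mount so tailscaled writes state there.
  if ! printf '%s\n' "$compose" | grep -Eq 'TS_STATE_DIR=/var/lib/tailscale/?'; then
    echo "MISSING: TS_STATE_DIR is not set to the persisted directory"
    findings=$((findings + 1))
  fi
  # 3. Auth keys belong in an env_file (or a secret), not inline in the compose file.
  if printf '%s\n' "$compose" | grep -Eq 'TS_AUTH_KEY=tskey-'; then
    echo "WARN: TS_AUTH_KEY is inlined in the compose file; move it to env_file"
    findings=$((findings + 1))
  fi
  return "$findings"
}

echo "== constructed ephemeral fragment =="; lint_tailscale_compose "$EPHEMERAL_COMPOSE" || true
echo "== constructed persistent fragment =="; lint_tailscale_compose "$PERSISTENT_COMPOSE" || true
```

Run it against your own compose file with `lint_tailscale_compose "$(cat docker-compose.yml)"`; an exit status of 0 means none of the three pitfalls were found.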


Additionally: when you use the TS_USERSPACE setting and you try to execute a command in the tailscale container, e.g. to check the status, then you need to pass the `--socket=/tmp/tailscaled.sock` parameter to the command so that tailscale knows where to find tailscaled. It took some time for me to figure that out so I thought I’d share this info too…

Best regards,
Lieven


Thank you all! I will set this up this weekend.

@Lieven why did you limit the CPUs to 2?

Hey @jeryd

No specific reason, other than to restrict the possible amount of system resources used by this specific container.

Best regards,
Lieven.