Hey all, I started my self-hosting by using the script here and modifying it to suit my needs:

https://github.com/geekau/mediastack

My only question is how I get the authentik/headscale/tailscale/cloudflare pieces working as a reverse proxy.

I think I’ve configured cloudflare correctly since I can hit my external url and it will try to redirect to authentik, but that’s really where I’m stuck.

Has anyone else used a similar stack and got it to work? Is there a guide (other than the ones used for this exact stack because they aren’t good) I can use somewhere?

Edit: to be clear, I’d like to be able to access my jellyseerr and jellyfin instances from an external url at minimum, but the more I can access, the better. I have cloudflare DNS entries for the whole stack, pretty much.

  • mustard57@lemmy.world · score 3 · 18 hours ago

    You don’t need a reverse proxy if you’re using tailscale. Make the server your exit node and you can access jellyfin and everything else from outside the network.

    • kn0wmad1c@programming.dev (OP) · score 1 · 16 hours ago

      Alright, I’ve configured tailscale as an exit node, but I’m getting an error that might be related to cloudflare? I’m not sure.

      Tailscale logs show Received error: fetch control key: 403 Forbidden

      Is there a guide for configuring cloudflare for this?

      • ragingHungryPanda@piefed.keyboardvagabond.com · score 1 · 12 hours ago

        tailscale is a vpn. you don’t need cloudflare for it. you do need to set up the tailscale container with your credentials from tailscale, which they have guides for. after that, log in on your machine and click the connect toggle and you’re in.

        the exit node is if you want to look like you’re at your host computer.

        • kn0wmad1c@programming.dev (OP) · score +2/−1 · edited · 7 hours ago

          If you look at the docker compose for the stack I’m using, cloudflare is definitely a part of it:

          https://github.com/geekau/mediastack/blob/master/full-download-vpn/docker-compose.yaml

          Headscale requires cloudflare, and tailscale requires Headscale. The documentation for how all of this ties together is really sparse, but I think I’m getting the 403 Forbidden from this part of the tailscale yml:

          --login-server=https://headscale.${CLOUDFLARE_DNS_ZONE:?err}
          

          Edit: Lemmy won’t let me remove the / in front of the . in the url above, and it keeps url-encoding the open curly bracket for some reason. The code block markdown should be displayed as a literal, so this feels like a bug.

          • ragingHungryPanda@piefed.keyboardvagabond.com · score 2 · 6 hours ago

            that’s quite a long compose file.

            the way that I use cloudflare is with tunnels since my ISP blocks my ports. I have cloudflared running that connects to the cloudflare tunnel, which has a map of domain name to a service name, which is how services are accessed externally.

            tailscale connects to tailscale’s main service and that’s how I access internal systems. at least that’s how I’m running it.
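The "map of domain name to a service name" described in the last reply is the ingress section of a cloudflared config file. The following is an added example, not taken from the thread or from the mediastack repository: the tunnel UUID, credentials path, domain and container names are assumed placeholders, and the jellyfin (8096) and jellyseerr (5055) ports are those services' defaults, which are assumed here rather than stated in the thread.

```yaml
# Added example (not from the thread or the mediastack repo): a cloudflared
# config.yml whose ingress section maps public hostnames to internal services.
# The tunnel UUID, credentials path, example.com domain and container names
# are placeholders; 8096 and 5055 are jellyfin's and jellyseerr's default ports.
tunnel: 00000000-0000-0000-0000-000000000000   # placeholder tunnel UUID
credentials-file: /etc/cloudflared/tunnel-credentials.json

ingress:
  # Rules are evaluated top to bottom; the first hostname match wins.
  - hostname: jellyfin.example.com
    service: http://jellyfin:8096
  - hostname: jellyseerr.example.com
    service: http://jellyseerr:5055
  # Required catch-all: any hostname not listed above answers 404 instead of
  # being forwarded to something on the internal network.
  - service: http_status:404
```

`cloudflared tunnel ingress validate` checks the file before the tunnel is started, and `cloudflared tunnel route dns <tunnel> <hostname>` creates the DNS record that points each hostname at the tunnel. If authentik is meant to front these services, as the original post wants, the `service:` targets would point at the authentik-protected proxy rather than directly at the jellyfin and jellyseerr containers; otherwise the tunnel exposes them without authentication.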