Add Tailscale sidecar for internal Outline API access

- ts-outline-sync sidecar joins Tailscale and shares network namespace with the app container (network_mode: service:ts-*) - Traefik labels on sidecar; app container has no direct network exposure - OUTLINE_URL now uses internal Docker IP 172.29.0.7:3000 via Tailscale subnet route (domverse.de advertises 172.29.0.0/16) - Add TAILSCALE_PRD.md documenting the full setup and admin checklist Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-07 21:27:04 +01:00
parent fe5bfd9e1c
commit 319a96adac
2 changed files with 223 additions and 6 deletions
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,13 +1,21 @@
 name: outline-sync

 services:
-  outline-sync-ui:
-    build: .
-    container_name: outline-sync-ui
-    restart: unless-stopped
+  ts-outline-sync:
+    image: tailscale/tailscale
+    container_name: ts-outline-sync
+    hostname: outline-sync
    environment:
-      - OUTLINE_URL=${OUTLINE_URL:-https://outline.domverse.de}
-      - OUTLINE_TOKEN=${OUTLINE_TOKEN}
+      - TS_AUTHKEY=${TS_AUTHKEY}
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_USERSPACE=false
+    volumes:
+      - tailscale-state:/var/lib/tailscale
+      - /dev/net/tun:/dev/net/tun
+    cap_add:
+      - NET_ADMIN
+      - NET_RAW
+    restart: unless-stopped
    networks:
      - default
      - domverse
@@ -20,6 +28,21 @@ services:
      - "traefik.http.routers.outline-sync.middlewares=authentik@docker"
      - "traefik.http.services.outline-sync.loadbalancer.server.port=8080"

+  outline-sync-ui:
+    build: .
+    container_name: outline-sync-ui
+    restart: unless-stopped
+    depends_on:
+      - ts-outline-sync
+    network_mode: "service:ts-outline-sync"
+    environment:
+      - OUTLINE_URL=${OUTLINE_URL:-http://172.29.0.7:3000}
+      - OUTLINE_TOKEN=${OUTLINE_TOKEN}
+
+volumes:
+  tailscale-state:
+    driver: local
+
 networks:
  default: {}
  domverse: