what I learned from running my home server
- Tailscale SSH lets you SSH to a machine on your tailnet without opening port 22 on its public interface; the session rides over the existing WireGuard tunnel, so the only thing listening on the internet is Tailscale itself
- Uncomplicated firewall (UFW) is an easy way to control what ports are exposed
- nmap is an easy way to scan an IP for exposed ports, which I used to check my firewall settings were good
- Docker writes its own iptables rules (in the DOCKER chain of the FORWARD table) for every published port, and traffic to those ports never hits the INPUT chain that UFW manages, so UFW rules don't apply to them. I discovered this with nmap: a container started with -p 8080:80 was reachable from outside even though UFW only allowed 22 and 443. If you need Docker, publish ports only on loopback (-p 127.0.0.1:8080:80) and put a reverse proxy in front, or set "iptables": false in /etc/docker/daemon.json and manage the container NAT rules yourself
- Podman is a drop-in replacement for Docker (the CLI is compatible enough that "alias docker=podman" mostly works) and brands itself as a daemonless, more secure alternative. Run rootless, it doesn't touch iptables at all: published ports are opened by a user-space forwarder on the host, so they are ordinary listening sockets and UFW sees them. Note that rootful Podman does add firewall rules for its containers, much like Docker
- You can have a subdomain point to another domain using a CNAME record. For example, I have an app on fly at the domain canary.fly.dev. I can expose it at canary.ikottman.com by creating a CNAME record for canary.ikottman.com whose value is "canary.fly.dev." (note the trailing period: it marks the name as fully qualified, so the DNS provider doesn't append my own zone to it)
- A CNAME record can only point to another domain name. It cannot point to an IP address
- I could use an A record to point a subdomain at a tailnet IP address (100.x.y.z), but I would still need a valid TLS certificate for that name, or get all my friends to accept a self-signed certificate. The A record also only helps people who are on my tailnet, since the 100.x.y.z address isn't routable from the public internet
- Tailscale Funnel publicly exposes an app, but I can't have that app at a subdomain of my website, because "Unfortunately, custom domains are not supported at this time by Funnel, but it may be considered in the future"
- Traefik was pretty easy to run with podman-compose, but in the end I didn't use it. I tried path-based routing so tailscale-host.com/foo would go to my foo pod, but then the foo pod has to handle traffic at /foo instead of just /. I wanted to deploy the same app publicly at a subdomain, and didn't want to bother with making its base path configurable
- Traefik also made it easy to use subdomains locally, so foo.tailscale-host.com goes to the foo pod, but that didn't work with tailscale serve because it doesn't support subdomains either (just like Funnel): the only name it will serve is the node's own MagicDNS name
- When running pods as a regular (non-root) user with
podman-compose up -d
I have to "enable linger" so processes I start aren't killed by systemd when my SSH session ends. This command enables linger for my own account:
sudo loginctl enable-linger "$USER"
The user name matters: run under sudo with no argument, loginctl enables linger for root rather than for you, and the pods still die when you log out
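The check that caught the Docker problem, as an added example that is not part of the original notes: scan the host from a machine outside the tailnet with nmap, then compare the open ports against the list you meant to expose. The nmap output below is a constructed sample of nmap's grepable (-oG) format, the host 203.0.113.10 is a documentation address, and the allowlist of 22 and 443 is an assumption; the 8080 entry stands in for a port published by Docker that UFW never saw.

```shell
#!/bin/sh
# Added example (not from the original post): compare what nmap reports as
# open against the ports you intended to expose. Anything extra is a sign
# that something (Docker's iptables rules, a forgotten service) is bypassing
# the UFW allowlist.
set -eu

# Assumed allowlist: the only ports meant to be reachable from the internet.
ALLOWED_PORTS="22 443"

# Constructed sample of grepable output, as produced by a real scan such as
#   sudo nmap -sS -p- -oG - 203.0.113.10
# run from OUTSIDE the tailnet (scanning over Tailscale tells you nothing
# about the public firewall).
SAMPLE_NMAP_OG='# Nmap 7.94 scan initiated
Host: 203.0.113.10 ()   Status: Up
Host: 203.0.113.10 ()   Ports: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///   Ignored State: closed (65532)
# Nmap done'

# open_ports: read nmap -oG on stdin, print each port whose state starts
# with "open" (this also flags "open|filtered"), one per line, sorted.
open_ports() {
    awk '
        /Ports:/ {
            sub(/.*Ports: /, "")          # drop the "Host: ..." prefix
            sub(/[ \t]*Ignored.*/, "")    # drop the trailing ignored-state note
            n = split($0, entries, ",")
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")  # port/state/proto/owner/service/...
                gsub(/^ +/, "", f[1])
                if (f[2] ~ /^open/) print f[1]
            }
        }' | sort -n
}

# unexpected_ports <allowlist>: read nmap -oG on stdin, print the open ports
# that are not in the space-separated allowlist.
unexpected_ports() {
    allow=" $1 "
    open_ports | while read -r port; do
        case "$allow" in
            *" $port "*) ;;                 # expected, say nothing
            *) printf '%s\n' "$port" ;;     # not on the list: report it
        esac
    done
}

# check_sample: run the comparison over the constructed scan. With the
# sample above this returns "8080".
check_sample() {
    printf '%s\n' "$SAMPLE_NMAP_OG" | unexpected_ports "$ALLOWED_PORTS"
}

# When run directly, print a verdict for the sample scan.
out=$(check_sample)
if [ -n "$out" ]; then
    echo "Open ports not in the allowlist (is something bypassing UFW?):"
    echo "$out"
else
    echo "Only allowlisted ports are open."
fi
```

To use it on a real host, replace the sample string with the output of the nmap command in the comment (or pipe it in and call unexpected_ports directly), and keep the allowlist in step with your UFW rules so the two can be diffed after every change.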
last updated 2024-02-25