diff --git a/README.md b/README.md
index 7cf4a6b..bf88dfd 100644
--- a/README.md
+++ b/README.md
@@ -87,6 +87,7 @@ A huge thank you to all our contributors! ScaleTail wouldn’t be what it is tod
 | 🗃️ **Netbox** | NetBox is the leading solution for modeling and documenting modern networks. | [Details](services/netbox) |
 | 🧩 **Pi-hole** | A network-level ad blocker that acts as a DNS sinkhole. | [Details](services/pihole) |
 | 🆔 **Pocket ID** | A self-hosted decentralized identity (OIDC) solution for secure authentication. | [Details](services/pocket-id) |
+| 🌐 **Rustdesk Server** | RustDesk is an open source remote control alternative for self-hosting and security. | [Details](services/rustdesk-server)|
 | 🔒 **Technitium DNS** | An open-source DNS server that can be used for self-hosted DNS services. | [Details](services/technitium) |
 | 🌐 **Traefik** | A modern reverse proxy and load balancer for microservices. | [Details](services/traefik) |
 | 🚀 **Tailscale Exit Node** | Configure a device to act as an exit node for your Tailscale network. | [Details](services/tailscale-exit-node) |
diff --git a/services/rustdesk-server/.env b/services/rustdesk-server/.env
new file mode 100644
index 0000000..446d11a
--- /dev/null
+++ b/services/rustdesk-server/.env
@@ -0,0 +1,23 @@
+#version=1.1
+#URL=https://github.com/tailscale-dev/ScaleTail
+#COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure.
+
+# Service Configuration
+SERVICE=rustdesk-server # Service name (e.g., adguard). Used as hostname in Tailscale and for container naming (app-${SERVICE}).
+IMAGE_URL=rustdesk/rustdesk-server:latest # Docker image URL from container registry (e.g., adguard/adguard-home).
+
+# Network Configuration
+SERVICEPORT=80 # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable.
+DNS_SERVER=9.9.9.9 # Preferred DNS server for Tailscale. Uncomment the "dns:" section in compose.yaml to enable.
+
+# Tailscale Configuration
+TS_AUTHKEY= # Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions.
+
+# Optional Service variables
+# PUID=1000
+
+# Time zone
+TZ=Europe/Amsterdam
+
+# Always use the relay. As this is run in tailnet and relays aren't needed, this setting in most cases should remain off.
+ALWAYS_USE_RELAY=N
diff --git a/services/rustdesk-server/README.md b/services/rustdesk-server/README.md
new file mode 100644
index 0000000..bd8ed48
--- /dev/null
+++ b/services/rustdesk-server/README.md
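Review bot: `IMAGE_URL=rustdesk/rustdesk-server:latest` puts the component that brokers remote-control sessions on a floating tag, so every `docker compose pull` can silently swap in different code; pin it to a specific release tag or an `@sha256:` digest and bump it deliberately. The same hunk tells the user to fill in `TS_AUTHKEY=` in a file this commit checks into git, so unless the repository's `.gitignore` already excludes `services/*/.env` a populated key is one `git add` away from being published — shipping this as `.env.example`, or noting the override path in the comment, would close that. Minor: `ALWAYS_USE_RELAY=N` is presumably a `Y`/`N` switch read by the image; the comment above it says "off", which a reader may translate to `false` — spell out the accepted values, e.g. `# Set to Y to force every session through the relay (hbbr); N lets peers connect directly.`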
@@ -0,0 +1,27 @@
+# Rustdesk Server with Tailscale Sidecar Configuration
+
+This Docker Compose configuration sets up [Rustdesk Server](https://rustdesk.com/docs/en/) with Tailscale as a sidecar container to keep the app reachable over your Tailnet.
+
+## Rustdesk Server
+
+[Rustdesk Server](https://rustdesk.com/docs/en/) information about the service. Explain what the app does in 2-3 sentences and why someone would pair it with Tailscale.
+
+## Configuration Overview
+
+In this setup, the `tailscale-rustdesk-server` service runs Tailscale, which manages secure networking for Rustdesk Server. The `Rustdesk Server` service utilizes the Tailscale network stack via Docker's `network_mode: service:` configuration. This keeps the app Tailnet-only unless you intentionally expose ports.
+
+## Client setup
+
+- Service Configuration: The Rustdesk client public Key credentials are generated at first run and stored in the **id_ed25519.pub** file. This is found in the compose directory **./rustdesk-server-data/hbbs/** Clients can be setup using the --config switch. e.g. **rustdesk.exe --config "host=rustdesk.your-tailnet.ts,key=thetextfromkey"** or in the client Setting -> Network -> ID/Relay Server. There is no need to configure the relay or API server.
+
+Links:
+
+- [Client setup](https://github.com/rustdesk/rustdesk/discussions/7118)
+- [Rustdesk](https://rustdesk.com/)
+- [Client Configuration](https://rustdesk.com/docs/en/self-host/client-configuration/)
+
+## Files to check
+
+Please check the following contents for validity as some variables need to be defined upfront.
+
+- `.env` // Main variable `TS_AUTHKEY`
diff --git a/services/rustdesk-server/compose.yml b/services/rustdesk-server/compose.yml
new file mode 100644
index 0000000..9ca8b0b
--- /dev/null
+++ b/services/rustdesk-server/compose.yml
@@ -0,0 +1,81 @@
+configs:
+ ts-serve:
+ content: |
+ {"TCP":{"443":{"HTTPS":true}},
+ "Web":{"$${TS_CERT_DOMAIN}:443":
+ {"Handlers":{"/":
+ {"Proxy":"http://127.0.0.1:80"}}}},
+ "AllowFunnel":{"$${TS_CERT_DOMAIN}:443":false}}
+
+services:
+# Make sure you have updated/checked the .env file with the correct variables.
+# All the ${ xx } need to be defined there.
+ # Tailscale Sidecar Configuration
+ tailscale:
+ image: tailscale/tailscale:latest # Image to be used
+ container_name: tailscale-${SERVICE} # Name for local container management
+ hostname: ${SERVICE} # Name used within your Tailscale environment
+ environment:
+ - TS_AUTHKEY=${TS_AUTHKEY}
+ - TS_STATE_DIR=/var/lib/tailscale
+ - TS_SERVE_CONFIG=/config/serve.json # Tailscale Serve configuration to expose the web interface on your local Tailnet - remove this line if not required
+ - TS_USERSPACE=false
+ - TS_ENABLE_HEALTH_CHECK=true # Enable healthcheck endpoint: "/healthz"
+ - TS_LOCAL_ADDR_PORT=127.0.0.1:41234 # The : for the healthz endpoint
+ #- TS_ACCEPT_DNS=true # Uncomment when using MagicDNS
+ - TS_AUTH_ONCE=true
+ configs:
+ - source: ts-serve
+ target: /config/serve.json
+ volumes:
+ - ./config:/config # Config folder used to store Tailscale files - you may need to change the path
+ - ./ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path
+ devices:
+ - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work
+ cap_add:
+ - net_admin # Tailscale requirement
+ #ports:
+ # - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your Tailnet is required
+ # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below
+ #dns:
+ # - ${DNS_SERVER}
+ healthcheck:
+ test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational
+ interval: 1m # How often to perform the check
+ timeout: 10s # 
Time to wait for the check to succeed
+ retries: 3 # Number of retries before marking as unhealthy
+ start_period: 10s # Time to wait before starting health checks
+ restart: always
+
+ # ${SERVICE}
+ application:
+ image: ${IMAGE_URL}
+ container_name: app-${SERVICE}-hbbs # Name for local container management
+ network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale
+ command: hbbs
+ volumes:
+ - ./${SERVICE}-data/hbbs:/root
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=${TZ}
+ - ALWAYS_USE_RELAY=${ALWAYS_USE_RELAY}
+ depends_on:
+ tailscale:
+ condition: service_healthy
+ hbbr:
+ condition: service_started
+ restart: always
+
+ hbbr:
+ image: ${IMAGE_URL}
+ container_name: app-${SERVICE}-hbbr # Name for local container management
+ command: hbbr
+ volumes:
+ - ./${SERVICE}-data/hbbr:/root
+ environment:
+ - PUID=1000
+ - PGID=1000
+ - TZ=${TZ}
+ network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale
+ restart: always
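Review bot: `command: hbbs` and `command: hbbr` start both daemons without key enforcement; per the upstream self-host docs, hbbs/hbbr accept clients that present no public key unless started with `-k _` (use the key in `id_ed25519`), so any tailnet member who can reach this node can use it as a rendezvous/relay even though the README tells legitimate clients to carry `key=`. Change the two lines to `command: hbbs -k _` and `command: hbbr -k _`, which makes the key the README already distributes mandatory. Separately, the `ts-serve` config proxies `:443` to `http://127.0.0.1:80` and the commented `ports:` block maps `${SERVICEPORT}` (80 per `.env`), but nothing in this file listens on 80 — RustDesk's documented defaults are 21115–21119 — so the `TS_SERVE_CONFIG` entry looks like a template leftover and should either be removed or replaced by the actual RustDesk ports, with the README's "no relay/API server needed" claim checked against that. Finally, `./${SERVICE}-data/hbbs:/root` places the server's private key (`id_ed25519`) on the host; a comment such as `# holds id_ed25519 (server private key) — keep out of git and restrict permissions` on that volume line would warn the next operator.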