| 26 Jul 2025 |
ElvishJerricco | hm yea I haven't been brave enough to do headscale | 07:16:51 |
K900 | So I just have "jellyfin.ts.0upti.me A 100.64.0.5" or whatever | 07:17:15 |
K900 | I assume the normal control plane also has a setting for that? | 07:17:32 |
ElvishJerricco | if it does that's news to me | 07:17:45 |
K900 | Would be weird if it's in the API but not in the UI | 07:18:13 |
K900 | I haven't actually used the normal control plane in a bit | 07:18:14 |
ElvishJerricco | yea I don't see a way to add another dns record for a node | 07:20:24 |
ElvishJerricco | plus I don't see how tailscale would be meant to do its cert stuff that way anyway. You can't get a wildcard cert | 07:22:49 |
ElvishJerricco | * plus I don't see how tailscale would be meant to do its cert stuff that way anyway. You can't get a wildcard cert (I think) | 07:23:04 |
Zhaofeng Li | you do need to get your own certs and do your own DNS | 07:29:19 |
ElvishJerricco | right well the convenient thing about tailscale is not having to do that :P | 07:29:43 |
Zhaofeng Li | yeah, but it's actually not bad with automation (dnscontrol/octodns) | 07:30:38 |
ElvishJerricco | yea I mean I know how to do stuff like that | 07:31:21 |
ElvishJerricco | but it's also nice to use the private dns records of your tailnet rather than public dns records | 07:33:03 |
ElvishJerricco | and I don't think there's a way to distribute custom dns over tailscale | 07:34:01 |
ElvishJerricco | (I'm also bad at networking and might have this all wrong) | 07:34:43 |
Zhaofeng Li | there is, you can force a resolver across all your devices | 07:34:49 |
Zhaofeng Li | (I force it to controld because I'm lazy, but you can point it at your unbound for example) | 07:35:23 |
ElvishJerricco | oh I see. You can add a nameserver in the control plane ui, and I could just point that at one of my tailscale machines and have that distribute custom records for a domain I own, then get certs manually for that domain with LetsEncrypt | 07:37:35 |
ElvishJerricco | Zhaofeng Li: does that sound like what you're thinking? | 07:37:49 |
Zhaofeng Li | yeah exactly, and you can add some ad-blocking hosts files while you are at it too | 07:39:00 |
ElvishJerricco | that is still frustratingly manual, but at least the dns is private | 07:39:38 |
Zhaofeng Li | yeah it does take some setup but should be manageable | 07:41:39 |
K900 | In reply to @elvishjerricco:matrix.org "oh I see. You can add a nameserver in the control plane ui, and I could just point that at one of my tailscale machines and have that distribute custom records for a domain I own, then get certs manually for that domain with LetsEncrypt": I just do normal ACME with DNS challenge | 07:41:42 |
Zhaofeng Li | (well I feel like a hypocrite saying this because I don't do it myself :p) | 07:41:53 |
Zhaofeng Li | I personally don't care about the private DNS part, like my miniflux is at news.naive.network which is publicly resolvable but it points at a tailscale address | 07:43:09 |
ElvishJerricco | yea sure I said "manual" but I just meant "tailscale's not going to provision it for me" | 07:44:54 |
K900 | Wait Tailscale can do that? | 07:46:53 |
ElvishJerricco | tailscale serve? | 07:47:04 |
ElvishJerricco | it basically just does an https proxy and handles getting the cert for $machine.$net.ts.net automatically | 07:47:58 |