| 26 Jul 2025 |
 ElvishJerricco | right well the convenient thing about tailscale is not having to do that :P | 07:29:43 |
 Zhaofeng Li | yeah, but it's actually not bad with automation (dnscontrol/octodns) | 07:30:38 |
| ElvishJerricco | yea I mean I know how to do stuff like that | 07:31:21 |
| ElvishJerricco | but it's also nice to use the private dns records of your tailnet rather than public dns records | 07:33:03 |
| ElvishJerricco | and I don't think there's a way to distribute custom dns over tailscale | 07:34:01 |
| ElvishJerricco | (I'm also bad at networking and might have this all wrong) | 07:34:43 |
| Zhaofeng Li | there is, you can force a resolver across all your devices | 07:34:49 |
| Zhaofeng Li | (I force it to controld because I'm lazy, but you can point it at your unbound for example) | 07:35:23 |
| ElvishJerricco | oh I see. You can add a nameserver in the control plane ui, and I could just point that at one of my tailscale machines and have that distribute custom records for a domain I own, then get certs manually for that domain with LetsEncrypt | 07:37:35 |
| ElvishJerricco | Zhaofeng Li: does that sound like what you're thinking? | 07:37:49 |
| Zhaofeng Li | yeah exactly, and you can add some ad-blocking hosts files while you are at it too | 07:39:00 |
| ElvishJerricco | that is still frustratingly manual, but at least the dns is private | 07:39:38 |
| Zhaofeng Li | yeah it does take some setup but should be manageable | 07:41:39 |
 K900 | In reply to @elvishjerricco:matrix.org
oh I see. You can add a nameserver in the control plane ui, and I could just point that at one of my tailscale machines and have that distribute custom records for a domain I own, then get certs manually for that domain with LetsEncrypt I just do normal ACME with DNS challenge | 07:41:42 |
| Zhaofeng Li | (well I feel like a hypocrite saying this because I don't do it myself :p) | 07:41:53 |
| Zhaofeng Li | I personally don't care about the private DNS part, like my miniflux is at news.naive.network which is publicly resolvable but it points at a tailscale address | 07:43:09 |
| ElvishJerricco | yea sure I said "manual" but I just meant "tailscale's not going to provision it for me" | 07:44:54 |
| K900 | Wait Tailscale can do that? | 07:46:53 |
| ElvishJerricco | tailscale serve? | 07:47:04 |
| ElvishJerricco | it basically just does an https proxy and handles getting the cert for $machine.$net.ts.net automatically | 07:47:58 |
| Zhaofeng Li | yeah, it's pretty convenient but one cert per device and you can't really control the $net part | 07:48:22 |
| ElvishJerricco | that's what makes sidecars attractive; you just hit the button and it does all the stuff | 07:48:23 |
 magic_rb | my bpi is officially running openwrt 🥲 | 13:58:12 |
| 27 Jul 2025 |
 antifuchs | In reply to @elvishjerricco:matrix.org
the point being that one machine can have a variety of services each with its own e.g. https://jellyfin.my-net.ts.net I wrote tsnsrv for that purpose: https://github.com/boinkor-net/tsnsrv | 00:57:52 |
| antifuchs | Best thing about it is that you can define acls for specific services that way too | 00:58:27 |
| antifuchs | * Best thing about it is that you can define acls for specific services that way too (as opposed to ports alone) | 00:58:50 |
| ElvishJerricco | ooh this is interesting | 00:59:37 |
| ElvishJerricco | I mean the caveats in the readme make me feel like I need to read every line of code for myself :P But I'm interested enough | 00:59:58 |
 Sandro 🐧 | If you trust the traffic in your tailscale net then the caveats are not that big | 01:01:36 |
| Sandro 🐧 | the listener is not even exposed to the normal os | 01:01:45 |
