| 26 Jul 2025 |
 ElvishJerricco | Has anyone ever done tailscale "sidecars" with nixos? Wondering what's the best way to set stuff like that up with just nixos and not the docker stuff the rest of the world uses. | 07:11:01 |
| ElvishJerricco | the point being that one machine can have a variety of services each with its own e.g. https://jellyfin.my-net.ts.net | 07:11:36 |
 K900 | I don't do it with sidecars | 07:16:10 |
| K900 | I just added a bunch of extra records to Headscale config | 07:16:21 |
| K900 | And then route by host at nginx level | 07:16:31 |
| ElvishJerricco | hm yea I haven't been brave enough to do headscale | 07:16:51 |
| K900 | So I just have "jellyfin.ts.0upti.me A 100.64.0.5" or whatever | 07:17:15 |
| K900 | I assume the normal control plane also has a setting for that? | 07:17:32 |
| ElvishJerricco | if it does that's news to me | 07:17:45 |
| K900 | Would be weird if it's in the API but not in the UI | 07:18:13 |
| K900 | I haven't actually used the normal control plane in a bit | 07:18:14 |
| ElvishJerricco | yea I don't see a way to add another dns record for a node | 07:20:24 |
| ElvishJerricco | plus I don't see how tailscale would be meant to do its cert stuff that way anyway. You can't get a wildcard cert | 07:22:49 |
| ElvishJerricco | * plus I don't see how tailscale would be meant to do its cert stuff that way anyway. You can't get a wildcard cert (I think) | 07:23:04 |
 Zhaofeng Li | you do need to get your own certs and do your own DNS | 07:29:19 |
| ElvishJerricco | right well the convenient thing about tailscale is not having to do that :P | 07:29:43 |
| Zhaofeng Li | yeah, but it's actually not bad with automation (dnscontrol/octodns) | 07:30:38 |
| ElvishJerricco | yea I mean I know how to do stuff like that | 07:31:21 |
| ElvishJerricco | but it's also nice to use the private dns records of your tailnet rather than public dns records | 07:33:03 |
| ElvishJerricco | and I don't think there's a way to distribute custom dns over tailscale | 07:34:01 |
| ElvishJerricco | (I'm also bad at networking and might have this all wrong) | 07:34:43 |
| Zhaofeng Li | there is, you can force a resolver across all your devices | 07:34:49 |
| Zhaofeng Li | (I force it to controld because I'm lazy, but you can point it at your unbound for example) | 07:35:23 |
| ElvishJerricco | oh I see. You can add a nameserver in the control plane ui, and I could just point that at one of my tailscale machines and have that distribute custom records for a domain I own, then get certs manually for that domain with LetsEncrypt | 07:37:35 |
| ElvishJerricco | Zhaofeng Li: does that sound like what you're thinking? | 07:37:49 |
| Zhaofeng Li | yeah exactly, and you can add some ad-blocking hosts files while you are at it too | 07:39:00 |
| ElvishJerricco | that is still frustratingly manual, but at least the dns is private | 07:39:38 |
| Zhaofeng Li | yeah it does take some setup but should be manageable | 07:41:39 |
| K900 | In reply to @elvishjerricco:matrix.org
oh I see. You can add a nameserver in the control plane ui, and I could just point that at one of my tailscale machines and have that distribute custom records for a domain I own, then get certs manually for that domain with LetsEncrypt I just do normal ACME with DNS challenge | 07:41:42 |
| Zhaofeng Li | (well I feel like a hypocrite saying this because I don't do it myself :p) | 07:41:53 |
