Compare commits


21 Commits

Author SHA1 Message Date
6a81048432 fix(patrizio): remove dns override causing chicken-and-egg on startup 2026-04-06 22:50:44 +02:00
a37a359df0 fix(patrizio): remove unsupported --netfilter-mode flag from tailscaled 2026-04-06 22:49:07 +02:00
5f69d3b389 fix(patrizio): move extra_hosts to tailscale service
Containers using network_mode: service:X share the target container's
network namespace including /etc/hosts. Move the ollama hosts entry
to the tailscale service so it applies to the shared namespace.
2026-04-06 22:47:21 +02:00
c2ff70f79d fix(patrizio): add extra_hosts to resolve ollama to tailscale IP
MagicDNS is broken in the container (DNS proxy returns SERVFAIL with
'no upstream resolvers set'). Use extra_hosts as a reliable workaround
to ensure ollama.lan.poldebra.me resolves to its Tailscale IP 100.64.0.7
instead of the server's public IP which has an expired cert.
2026-04-06 22:46:03 +02:00
ddc7e5a1b6 fix(patrizio): fix MagicDNS resolution for ollama.lan.poldebra.me
- Run tailscaled with --netfilter-mode=off to avoid iptables failures
  in the container, which were breaking the MagicDNS proxy at 100.100.100.100
- Set dns: 100.100.100.100 so Docker forwards DNS queries to Tailscale's
  MagicDNS proxy instead of Contabo's public DNS, which was resolving
  ollama.lan.poldebra.me to the server's public IP instead of the tailnet IP
2026-04-06 22:40:21 +02:00
Davide Polonio
8bedfa2cff fix(docker-compose): correct indentation in tailscale command
Normalize whitespace and indentation in the tailscale service command
block for better readability and consistency with yaml formatting
standards.
2026-04-06 19:32:27 +02:00
Davide Polonio
e37fa81f7c feat(docker-compose): add environment file for tailscale service
Load tailscale configuration from external env_file for better
secrets management and configuration portability
2026-04-06 19:31:13 +02:00
Davide Polonio
a949387058 Remove extra DNS records from Patrizio Tailscale service
Remove hardcoded DNS A records for pi.hole, pihole.lan.poldebra.me, and
ollama.lan.poldebra.me from the Tailscale container configuration. These DNS
entries are no longer needed in the docker-compose configuration.
2026-04-06 19:28:45 +02:00
Davide Polonio
ec155abe4a feat(patrizio): configure Tailscale DNS and automatic connection
Add custom DNS records for internal services (pihole and ollama) and configure
Tailscale to start automatically with accept-dns flag and custom login server.
Remove static DNS configuration in favor of extra_records approach.

Signed-off-by: Davide Polonio <davide.polonio@infinitaslearning.com>
2026-04-06 19:25:50 +02:00
Davide Polonio
d8eac547e8 feat(patrizio): add Cloudflare DNS as fallback for Tailscale
Add 1.1.1.1 as secondary DNS server to ensure DNS resolution continues
working if Tailscale DNS (100.64.0.4) becomes unavailable.
2026-04-06 19:21:45 +02:00
Davide Polonio
5d96b58fa0 fix(patrizio): simplify tailscale container configuration
Remove unnecessary shell wrapper and startup delay from tailscale
service. Configure DNS directly in docker-compose instead of relying
on --accept-dns flag. This streamlines the container startup process
and removes the 5-second artificial delay.
2026-04-06 19:19:52 +02:00
Davide Polonio
af8630bcf7 feat(docker-compose): configure custom Tailscale login server
Add --login-server flag to tailscale up command to use custom VPN server at
vpn.poldebra.me instead of default Tailscale coordination server.
2026-04-06 19:18:44 +02:00
Davide Polonio
454bac9155 feat: configure Tailscale to run as daemon with DNS acceptance
Update docker-compose.yml to run tailscaled as a background daemon and execute
tailscale up with DNS acceptance flag. This replaces the previous env_file
configuration approach.
2026-04-06 19:17:01 +02:00
Davide Polonio
52313faac2 refactor(patrizio): move tailscale environment to dedicated env file
Replace inline environment variable with env_file reference for better
configuration management. Remove redundant tailscaled command as it's
the default entrypoint.
2026-04-06 19:11:42 +02:00
Davide Polonio
03d882907d feat(patrizio): enable DNS configuration in tailscale service
Add TS_ACCEPT_DNS environment variable to allow tailscale to manage DNS settings
for the patrizio container.
2026-04-06 19:07:04 +02:00
Davide Polonio
8cf346db12 feat(headscale): add ACL rule for Patrizio to access web services
Add new ACL entry allowing Patrizio tagged devices to access web
services on port 443. Also reformat the entire acl.json file with
consistent 2-space indentation for better readability.
2026-04-06 18:57:38 +02:00
Davide Polonio
dc740ece40 feat(docker): configure patrizio service to use tailscale network
Add network_mode configuration to patrizio service to connect it through the
tailscale service network, enabling secure private network access.
2026-04-06 18:33:21 +02:00
Davide Polonio
c3cd273219 feat(docker-compose): mount patrizio config file into container
Add read-only volume mount for patrizio.toml configuration file to make it
accessible within the container at /etc/patrizio/patrizio.toml
2026-04-06 18:17:48 +02:00
Davide Polonio
44d7a89fc8 fix: remove internal network assignment from tailscale service
The tailscale service no longer needs to be explicitly connected to the internal
network in the docker-compose configuration.
2026-04-06 18:06:04 +02:00
Davide Polonio
ba23e35f7e feat(docker): add Tailscale sidecar container and configure networking
- Add Tailscale container with hostname 'patrizio' for network connectivity
- Configure health check for Tailscale service availability
- Make patrizio service depend on healthy Tailscale container
- Mount required volumes for Tailscale state and kernel modules
- Grant necessary capabilities (net_admin, sys_module, net_raw) for VPN operation
- Add internal network configuration for service isolation
- Switch patrizio to use published image (ghcr.io/polpetta/patrizio-bot:v0.2.0)
- Standardize logging configuration across both services
2026-04-06 18:03:36 +02:00
b9ee458c11 feat: port old dockerfile definition 2026-04-06 17:49:59 +02:00
3 changed files with 101 additions and 39 deletions

.gitignore vendored

@ -9,3 +9,4 @@ nextcloud/nextcloud.env
kodokanjudoeste/import/
mezzotre/
patrizio-bot/
patrizio/data/
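Review bot: the only new ignore entry here is `patrizio/data/`, yet the compose file in this same compare loads secrets from `env_file: tailscale.env` and mounts `patrizio.toml` from the same directory; neither path appears in this hunk, so confirm they are already matched by an existing rule (the `nextcloud/nextcloud.env` context line shows env files being ignored per service) or add `patrizio/tailscale.env` alongside `patrizio/data/` before an auth key lands in history.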


@ -36,6 +36,16 @@
"dst": [
"tag:dns:53"
]
},
// Patrizio needs access to web services
{
"action": "accept",
"src": [
"tag:patrizio"
],
"dst": [
"tag:web:443"
]
}
]
}
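Review bot: the new rule grants every `tag:patrizio` node access to every `tag:web` node on 443, while the compose change in this compare only needs the bot to reach the ollama host at 100.64.0.7; if that is the sole target, narrow `dst` to that host or a dedicated tag so the policy stays least-privilege and a compromised bot cannot reach the rest of the web-tagged hosts. The `// Patrizio needs access to web services` line is valid only because headscale parses the policy as HuJSON; any tooling that lints `acl.json` as strict JSON will reject it, so keep that in mind if CI validation is added.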


@ -0,0 +1,51 @@
services:
patrizio:
image: ghcr.io/polpetta/patrizio-bot:v0.2.0
network_mode: service:tailscale
restart: unless-stopped
command: -f /data/ serve
volumes:
- ./data:/data:rw
- ./patrizio.toml:/etc/patrizio/patrizio.toml:ro
depends_on:
tailscale:
condition: service_healthy
logging:
driver: "json-file"
options:
mode: "non-blocking"
max-size: "10m"
max-file: "3"
tailscale:
hostname: patrizio
image: tailscale/tailscale:latest
restart: unless-stopped
extra_hosts:
- "ollama.lan.poldebra.me:100.64.0.7"
env_file:
- tailscale.env
command: >
sh -c "tailscaled &
sleep 5 &&
tailscale up --accept-dns=true --login-server=https://vpn.poldebra.me &&
wait"
healthcheck:
test: ["CMD-SHELL", "tailscale status"]
interval: 1s
timeout: 5s
retries: 60
volumes:
- /srv/docker/patrizio/tailscale:/var/lib
- /lib/modules:/lib/modules:ro
devices:
- /dev/net/tun:/dev/net/tun
cap_add:
- net_admin
- sys_module
- net_raw
logging:
driver: "json-file"
options:
mode: "non-blocking"
max-size: "10m"
max-file: "3"
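Review bot: `cap_add` on the tailscale service grants `sys_module`, which lets the container load arbitrary kernel modules on the host; since `/dev/net/tun` is already passed through under `devices` (which presupposes tun is available on the host), `sys_module` and the `/lib/modules:/lib/modules:ro` mount can be dropped, leaving `net_admin` and `net_raw`, which is what tailscaled actually needs. Three smaller points in the same service: `sleep 5 &&` in the `command` reintroduces the fixed startup delay that commit 5d96b58fa0 says it removed, so poll `tailscale status` in a loop instead of sleeping; `tailscale/tailscale:latest` is unpinned while `patrizio-bot` is pinned to `v0.2.0`, and because patrizio runs with `network_mode: service:tailscale` an unreviewed tailscale upgrade changes the bot's network path, so pin the tag; and `/srv/docker/patrizio/tailscale:/var/lib` mounts over all of `/var/lib` rather than `/var/lib/tailscale`, which is the only state directory that needs to persist.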