fix(patrizio): remove dns override causing chicken-and-egg on startup

fix(patrizio): remove unsupported --netfilter-mode flag from tailscaled
fix(patrizio): move extra_hosts to tailscale service
2026-04-06 22:50:44 +02:00 · 2026-04-06 22:49:07 +02:00 · 2026-04-06 22:47:21 +02:00 · 2026-04-06 22:46:03 +02:00 · 2026-04-06 22:40:21 +02:00 · 2026-04-06 19:32:27 +02:00
3 changed files with 101 additions and 39 deletions
--- a/.gitignore
+++ b/.gitignore
@ -9,3 +9,4 @@ nextcloud/nextcloud.env
 kodokanjudoeste/import/
 mezzotre/
 patrizio-bot/
+patrizio/data/
--- a/headscale/acl.json
+++ b/headscale/acl.json
@ -1,41 +1,51 @@
 {
-	"groups": {
-		"group:admin": ["davide"],
-		"group:family": ["davide", "dario"],
-		"group:services": ["services"],
-		"group:external": []
-	},
-	"tagOwners": {
-		"tag:web": ["group:admin"],
-		"tag:dns": ["group:admin"],
-		"tag:exitnode": ["group:admin"],
-		"tag:game": ["group:admin", "group:family"]
-	},
-	"acls": [
-		// Family and admin should be able to access everything
-		{
-			"action": "accept",
-			"src": ["group:admin", "group:family"],
-			"dst": [
-				"*:*"
-			]
-		},
-		// External can access only hosted games
-		{
-			"action": "accept",
-			"src": ["group:external"],
-			"dst": [
-				"tag:game:*"
-			]
-		},
-		// Everyone should access DNS server (or we break their internet connection)
-		{
-			"action": "accept",
-			"src": ["*"],
-			"proto": "udp",
-			"dst": [
-				"tag:dns:53"
-			]
-		}
-	]
+  "groups": {
+    "group:admin": ["davide"],
+    "group:family": ["davide", "dario"],
+    "group:services": ["services"],
+    "group:external": []
+  },
+  "tagOwners": {
+    "tag:web": ["group:admin"],
+    "tag:dns": ["group:admin"],
+    "tag:exitnode": ["group:admin"],
+    "tag:game": ["group:admin", "group:family"]
+  },
+  "acls": [
+    // Family and admin should be able to access everything
+    {
+      "action": "accept",
+      "src": ["group:admin", "group:family"],
+      "dst": [
+        "*:*"
+      ]
+    },
+    // External can access only hosted games
+    {
+      "action": "accept",
+      "src": ["group:external"],
+      "dst": [
+        "tag:game:*"
+      ]
+    },
+    // Everyone should access DNS server (or we break their internet connection)
+    {
+      "action": "accept",
+      "src": ["*"],
+      "proto": "udp",
+      "dst": [
+        "tag:dns:53"
+      ]
+    },
+    // Patrizio needs access to web services
+    {
+        "action": "accept",
+        "src": [
+            "tag:patrizio"
+        ],
+        "dst": [
+            "tag:web:443"
+        ]
+    }
+  ]
 }
--- a/patrizio/docker-compose.yml
+++ b/patrizio/docker-compose.yml
@ -0,0 +1,51 @@
+services:
+  patrizio:
+    image: ghcr.io/polpetta/patrizio-bot:v0.2.0
+    network_mode: service:tailscale
+    restart: unless-stopped
+    command: -f /data/ serve
+    volumes:
+      - ./data:/data:rw
+      - ./patrizio.toml:/etc/patrizio/patrizio.toml:ro
+    depends_on:
+      tailscale:
+        condition: service_healthy
+    logging:
+      driver: "json-file"
+      options:
+        mode: "non-blocking"
+        max-size: "10m"
+        max-file: "3"
+  tailscale:
+    hostname: patrizio
+    image: tailscale/tailscale:latest
+    restart: unless-stopped
+    extra_hosts:
+      - "ollama.lan.poldebra.me:100.64.0.7"
+    env_file:
+      - tailscale.env
+    command: >
+      sh -c "tailscaled &
+             sleep 5 &&
+             tailscale up --accept-dns=true --login-server=https://vpn.poldebra.me &&
+             wait"
+    healthcheck:
+      test: ["CMD-SHELL", "tailscale status"]
+      interval: 1s
+      timeout: 5s
+      retries: 60
+    volumes:
+      - /srv/docker/patrizio/tailscale:/var/lib
+      - /lib/modules:/lib/modules:ro
+    devices:
+      - /dev/net/tun:/dev/net/tun
+    cap_add:
+      - net_admin
+      - sys_module
+      - net_raw
+    logging:
+      driver: "json-file"
+      options:
+        mode: "non-blocking"
+        max-size: "10m"
+        max-file: "3"
Author	SHA1	Message	Date
Davide Polonio	6a81048432	fix(patrizio): remove dns override causing chicken-and-egg on startup	2026-04-06 22:50:44 +02:00
Davide Polonio	a37a359df0	fix(patrizio): remove unsupported --netfilter-mode flag from tailscaled	2026-04-06 22:49:07 +02:00
Davide Polonio	5f69d3b389	fix(patrizio): move extra_hosts to tailscale service Containers using network_mode: service:X share the target container's network namespace including /etc/hosts. Move the ollama hosts entry to the tailscale service so it applies to the shared namespace.	2026-04-06 22:47:21 +02:00
Davide Polonio	c2ff70f79d	fix(patrizio): add extra_hosts to resolve ollama to tailscale IP MagicDNS is broken in the container (DNS proxy returns SERVFAIL with 'no upstream resolvers set'). Use extra_hosts as a reliable workaround to ensure ollama.lan.poldebra.me resolves to its Tailscale IP 100.64.0.7 instead of the server's public IP which has an expired cert.	2026-04-06 22:46:03 +02:00
Davide Polonio	ddc7e5a1b6	fix(patrizio): fix MagicDNS resolution for ollama.lan.poldebra.me - Run tailscaled with --netfilter-mode=off to avoid iptables failures in the container, which were breaking the MagicDNS proxy at 100.100.100.100 - Set dns: 100.100.100.100 so Docker forwards DNS queries to Tailscale's MagicDNS proxy instead of Contabo's public DNS, which was resolving ollama.lan.poldebra.me to the server's public IP instead of the tailnet IP	2026-04-06 22:40:21 +02:00
Davide Polonio	8bedfa2cff	fix(docker-compose): correct indentation in tailscale command Normalize whitespace and indentation in the tailscale service command block for better readability and consistency with yaml formatting standards.	2026-04-06 19:32:27 +02:00
Davide Polonio	e37fa81f7c	feat(docker-compose): add environment file for tailscale service Load tailscale configuration from external env_file for better secrets management and configuration portability	2026-04-06 19:31:13 +02:00
Davide Polonio	a949387058	Remove extra DNS records from Patrizio Tailscale service Remove hardcoded DNS A records for pi.hole, pihole.lan.poldebra.me, and ollama.lan.poldebra.me from the Tailscale container configuration. These DNS entries are no longer needed in the docker-compose configuration.	2026-04-06 19:28:45 +02:00
Davide Polonio	ec155abe4a	feat(patrizio): configure Tailscale DNS and automatic connection Add custom DNS records for internal services (pihole and ollama) and configure Tailscale to start automatically with accept-dns flag and custom login server. Remove static DNS configuration in favor of extra_records approach. Signed-off-by: Davide Polonio <davide.polonio@infinitaslearning.com>	2026-04-06 19:25:50 +02:00
Davide Polonio	d8eac547e8	feat(patrizio): add Cloudflare DNS as fallback for Tailscale Add 1.1.1.1 as secondary DNS server to ensure DNS resolution continues working if Tailscale DNS (100.64.0.4) becomes unavailable.	2026-04-06 19:21:45 +02:00
Davide Polonio	5d96b58fa0	fix(patrizio): simplify tailscale container configuration Remove unnecessary shell wrapper and startup delay from tailscale service. Configure DNS directly in docker-compose instead of relying on --accept-dns flag. This streamlines the container startup process and removes the 5-second artificial delay.	2026-04-06 19:19:52 +02:00
Davide Polonio	af8630bcf7	feat(docker-compose): configure custom Tailscale login server Add --login-server flag to tailscale up command to use custom VPN server at vpn.poldebra.me instead of default Tailscale coordination server.	2026-04-06 19:18:44 +02:00
Davide Polonio	454bac9155	feat: configure Tailscale to run as daemon with DNS acceptance Update docker-compose.yml to run tailscaled as a background daemon and execute tailscale up with DNS acceptance flag. This replaces the previous env_file configuration approach.	2026-04-06 19:17:01 +02:00
Davide Polonio	52313faac2	refactor(patrizio): move tailscale environment to dedicated env file Replace inline environment variable with env_file reference for better configuration management. Remove redundant tailscaled command as it's the default entrypoint.	2026-04-06 19:11:42 +02:00
Davide Polonio	03d882907d	feat(patrizio): enable DNS configuration in tailscale service Add TS_ACCEPT_DNS environment variable to allow tailscale to manage DNS settings for the patrizio container.	2026-04-06 19:07:04 +02:00
Davide Polonio	8cf346db12	feat(headscale): add ACL rule for Patrizio to access web services Add new ACL entry allowing Patrizio tagged devices to access web services on port 443. Also reformat the entire acl.json file with consistent 2-space indentation for better readability.	2026-04-06 18:57:38 +02:00
Davide Polonio	dc740ece40	feat(docker): configure patrizio service to use tailscale network Add network_mode configuration to patrizio service to connect it through the tailscale service network, enabling secure private network access.	2026-04-06 18:33:21 +02:00
Davide Polonio	c3cd273219	feat(docker-compose): mount patrizio config file into container Add read-only volume mount for patrizio.toml configuration file to make it accessible within the container at /etc/patrizio/patrizio.toml	2026-04-06 18:17:48 +02:00
Davide Polonio	44d7a89fc8	fix: remove internal network assignment from tailscale service The tailscale service no longer needs to be explicitly connected to the internal network in the docker-compose configuration.	2026-04-06 18:06:04 +02:00
Davide Polonio	ba23e35f7e	feat(docker): add Tailscale sidecar container and configure networking - Add Tailscale container with hostname 'patrizio' for network connectivity - Configure health check for Tailscale service availability - Make patrizio service depend on healthy Tailscale container - Mount required volumes for Tailscale state and kernel modules - Grant necessary capabilities (net_admin, sys_module, net_raw) for VPN operation - Add internal network configuration for service isolation - Switch patrizio to use published image (ghcr.io/polpetta/patrizio-bot:v0.2.0) - Standardize logging configuration across both services	2026-04-06 18:03:36 +02:00
Davide Polonio	b9ee458c11	feat: port old dockerfile definition	2026-04-06 17:49:59 +02:00