feat: put Patrizio inside VPN #43

Merged
polpetta merged 22 commits from feat/patrizio-vpn into master 2026-04-17 11:33:00 +02:00
No description provided.
polpetta added the enhancement label 2026-04-17 11:32:05 +02:00
polpetta added 22 commits 2026-04-17 11:32:05 +02:00
- Add Tailscale container with hostname 'patrizio' for network connectivity
- Configure health check for Tailscale service availability
- Make patrizio service depend on healthy Tailscale container
- Mount required volumes for Tailscale state and kernel modules
- Grant necessary capabilities (net_admin, sys_module, net_raw) for VPN operation
- Add internal network configuration for service isolation
- Switch patrizio to use published image (ghcr.io/polpetta/patrizio-bot:v0.2.0)
- Standardize logging configuration across both services

The tailscale service no longer needs to be explicitly connected to the internal
network in the docker-compose configuration.

Add read-only volume mount for patrizio.toml configuration file to make it
accessible within the container at /etc/patrizio/patrizio.toml

Add network_mode configuration to patrizio service to connect it through the
tailscale service network, enabling secure private network access.

Add new ACL entry allowing Patrizio tagged devices to access web
services on port 443. Also reformat the entire acl.json file with
consistent 2-space indentation for better readability.

Add TS_ACCEPT_DNS environment variable to allow tailscale to manage DNS settings
for the patrizio container.

Replace inline environment variable with env_file reference for better
configuration management. Remove redundant tailscaled command as it's
the default entrypoint.

Update docker-compose.yml to run tailscaled as a background daemon and execute
tailscale up with DNS acceptance flag. This replaces the previous env_file
configuration approach.

Add --login-server flag to tailscale up command to use custom VPN server at
vpn.poldebra.me instead of default Tailscale coordination server.

Remove unnecessary shell wrapper and startup delay from tailscale
service. Configure DNS directly in docker-compose instead of relying
on --accept-dns flag. This streamlines the container startup process
and removes the 5-second artificial delay.

Add 1.1.1.1 as secondary DNS server to ensure DNS resolution continues
working if Tailscale DNS (100.64.0.4) becomes unavailable.

Add custom DNS records for internal services (pihole and ollama) and configure
Tailscale to start automatically with accept-dns flag and custom login server.
Remove static DNS configuration in favor of extra_records approach.

Signed-off-by: Davide Polonio <davide.polonio@infinitaslearning.com>

Remove hardcoded DNS A records for pi.hole, pihole.lan.poldebra.me, and
ollama.lan.poldebra.me from the Tailscale container configuration. These DNS
entries are no longer needed in the docker-compose configuration.

Load tailscale configuration from external env_file for better
secrets management and configuration portability

Normalize whitespace and indentation in the tailscale service command
block for better readability and consistency with yaml formatting
standards.

- Run tailscaled with --netfilter-mode=off to avoid iptables failures
  in the container, which were breaking the MagicDNS proxy at 100.100.100.100
- Set dns: 100.100.100.100 so Docker forwards DNS queries to Tailscale's
  MagicDNS proxy instead of Contabo's public DNS, which was resolving
  ollama.lan.poldebra.me to the server's public IP instead of the tailnet IP

MagicDNS is broken in the container (DNS proxy returns SERVFAIL with
'no upstream resolvers set'). Use extra_hosts as a reliable workaround
to ensure ollama.lan.poldebra.me resolves to its Tailscale IP 100.64.0.7
instead of the server's public IP which has an expired cert.

Containers using network_mode: service:X share the target container's
network namespace including /etc/hosts. Move the ollama hosts entry
to the tailscale service so it applies to the shared namespace.
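The following is an added example, not the docker-compose.yml merged in this PR: a compose file assembled from the commit messages above, showing the end state they describe (tailscale owning the network namespace, patrizio attached to it with network_mode, minimal capabilities, the MagicDNS proxy as resolver and the extra_hosts pin). The tailscale image, the host paths (./tailscale-state, ./tailscale.env, ./patrizio.toml), the /dev/net/tun device, the health check command, the logging options and the use of the official image's TS_* variables in place of the PR's command block are assumptions.

```yaml
# Added example reconstructed from the commit messages; not the project's file.
services:
  tailscale:
    image: tailscale/tailscale:latest          # assumed image
    hostname: patrizio                         # node name on the tailnet
    env_file:
      - ./tailscale.env                        # assumed path; holds TS_AUTHKEY, kept out of compose
    environment:
      TS_STATE_DIR: /var/lib/tailscale
      TS_ACCEPT_DNS: "true"                    # let tailscale manage DNS for the shared namespace
      # tailscale up flags: custom coordination server instead of Tailscale's
      TS_EXTRA_ARGS: --login-server=https://vpn.poldebra.me
      # tailscaled flags: skip iptables, which failed in the container and
      # broke the MagicDNS proxy at 100.100.100.100
      TS_TAILSCALED_EXTRA_ARGS: --netfilter-mode=off
    volumes:
      - ./tailscale-state:/var/lib/tailscale   # assumed path; node key survives restarts
      - /lib/modules:/lib/modules:ro           # kernel modules, read-only
    devices:
      - /dev/net/tun:/dev/net/tun              # assumed; kernel-mode tun interface
    cap_add:                                   # only the three capabilities the commits grant
      - NET_ADMIN
      - SYS_MODULE
      - NET_RAW
    # DNS and hosts settings belong on this service, not on patrizio:
    # patrizio shares this network namespace, /etc/hosts included.
    dns:
      - 100.100.100.100                        # MagicDNS proxy
    extra_hosts:
      # MagicDNS returned SERVFAIL in the container; pin the tailnet IP so the
      # name never falls back to the public IP that serves an expired cert
      - "ollama.lan.poldebra.me:100.64.0.7"
    healthcheck:
      test: ["CMD", "tailscale", "status"]     # assumed check; fails until the node is up
      interval: 30s
      timeout: 10s
      retries: 5
    logging: &logging                          # shared logging block for both services
      driver: json-file
      options:
        max-size: "10m"
        max-file: "3"

  patrizio:
    image: ghcr.io/polpetta/patrizio-bot:v0.2.0
    # Reuse the tailscale container's network namespace: every connection the bot
    # opens leaves over the tailnet, and nothing it listens on is reachable except
    # through tailscale. A service in this mode declares no ports:, networks:,
    # dns: or extra_hosts: of its own.
    network_mode: service:tailscale
    depends_on:
      tailscale:
        condition: service_healthy           # wait for the VPN before starting the bot
    volumes:
      - ./patrizio.toml:/etc/patrizio/patrizio.toml:ro   # assumed host path; read-only config
    logging: *logging
```

Two points worth checking after bringing this up: `docker compose exec patrizio cat /etc/hosts` should show the ollama pin even though it is declared on the tailscale service, which confirms the shared namespace the last commit relies on; and `docker compose exec tailscale tailscale status` should report the node as connected before patrizio is started, which is what the service_healthy dependency guarantees.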
polpetta merged commit a8aee24639 into master 2026-04-17 11:33:00 +02:00
polpetta deleted branch feat/patrizio-vpn 2026-04-17 11:33:00 +02:00