tailscale-dev · lcs-crr · Apr 11, 2026 · Apr 11, 2026 · Apr 11, 2026 · Apr 13, 2026
diff --git a/services/dockge/.env b/services/dockge/.env
@@ -0,0 +1,18 @@
+#version=1.1
+#URL=https://github.com/tailscale-dev/ScaleTail
+#COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure.
+
+# Service Configuration
+SERVICE=dockge
+IMAGE_URL=louislam/dockge:1
+STACKS_DIR=... # Directory on host to store stack files. Must be bind mounted to the same path in compose.yaml.
+
+# Network Configuration
+SERVICEPORT= # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable.
+DNS_SERVER=9.9.9.9 # Preferred DNS server for Tailscale. Uncomment the "dns:" section in compose.yaml to enable.
+
+# Tailscale Configuration
+TS_AUTHKEY=... # Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions.
+
+# Optional Service variables
+# PUID=1000
diff --git a/services/dockge/README.md b/services/dockge/README.md
@@ -0,0 +1,24 @@
+# Dockge with Tailscale Sidecar Configuration
+
+This Docker Compose configuration sets up [Dockge](https://github.com/louislam/dockge) with Tailscale as a sidecar container to keep the app reachable over your Tailnet.
+
+## Dockge
+
+[Dockge](https://github.com/louislam/dockge) is fancy, easy-to-use and reactive self-hosted docker compose.yaml stack-oriented manager.
+
+## Key Features
+
+- Manage your compose.yaml files
+- Create/Edit/Start/Stop/Restart/Delete
+- Update Docker Images
+- Interactive Editor for compose.yaml
+- Interactive Web Terminal
+- Convert docker run ... commands into compose.yaml
+- File based structure - Dockge won't kidnap your compose files, they are stored on your drive as usual. You can interact with them using normal docker compose commands
+- Reactive - Everything is just responsive. Progress (Pull/Up/Down) and terminal output are in real-time
+- Easy-to-use & fancy UI - If you love Uptime Kuma's UI/UX, you will love this one too
+
+## Configuration Overview
+
+In this setup, the `tailscale-dockge` service runs Tailscale, which manages secure networking for Dockge. The `dockge` service utilizes the Tailscale network stack via Docker's `network_mode: service:` configuration. This keeps the app Tailnet-only unless you intentionally expose ports.
+
diff --git a/services/dockge/compose.yaml b/services/dockge/compose.yaml
@@ -0,0 +1,82 @@
+name: dockge
+services:
+  application:
+    container_name: app-dockge
+    depends_on:
+      tailscale:
+        condition: service_healthy
+        required: true
+    environment:
+      DOCKGE_STACKS_DIR: '...'
+    image: louislam/dockge:1
+    network_mode: service:tailscale
+    restart: always
+    volumes:
+      - type: bind
+        source: /var/run/docker.sock
+        target: /var/run/docker.sock
+        bind: {}
+      - type: bind
+        source: /home/lcs_crr/Projects/ScaleTail/services/dockge/data
+        target: /app/data
+        bind: {}
+      - type: bind
+        source: /home/lcs_crr/Projects/ScaleTail/services/dockge/...
+        target: '...'
+        bind: {}
+  tailscale:
+    cap_add:
+      - net_admin
+    configs:
+      - source: ts-serve
+        target: /config/serve.json
+    container_name: tailscale-dockge
+    devices:
+      - source: /dev/net/tun
+        target: /dev/net/tun
+        permissions: rwm
+    environment:
+      TS_AUTH_ONCE: "true"
+      TS_AUTHKEY: '# Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions.'
+      TS_ENABLE_HEALTH_CHECK: "true"
+      TS_LOCAL_ADDR_PORT: 127.0.0.1:41234
+      TS_SERVE_CONFIG: /config/serve.json
+      TS_STATE_DIR: /var/lib/tailscale
+      TS_USERSPACE: "false"
+    hostname: dockge
+    healthcheck:
+      test:
+        - CMD
+        - wget
+        - --spider
+        - -q
+        - http://127.0.0.1:41234/healthz
+      timeout: 10s
+      interval: 1m0s
+      retries: 3
+      start_period: 10s
+    image: tailscale/tailscale:latest
+    networks:
+      default: null
+    restart: always
+    volumes:
+      - type: bind
+        source: /home/lcs_crr/Projects/ScaleTail/services/dockge/config
+        target: /config
+        bind: {}
+      - type: bind
+        source: /home/lcs_crr/Projects/ScaleTail/services/dockge/ts/state
+        target: /var/lib/tailscale
+        bind: {}
+networks:
+  default:
+    name: dockge_default
+configs:
+  ts-serve:
+    name: dockge_ts-serve
+    content: |
+      {"TCP":{"443":{"HTTPS":true}},
+      "Web":{"$${TS_CERT_DOMAIN}:443":
+          {"Handlers":{"/":
+          {"Proxy":"http://127.0.0.1:5001"}}}},
+      "AllowFunnel":{"$${TS_CERT_DOMAIN}:443":false}}
diff --git a/services/paperless/.env b/services/paperless/.env
diff --git a/services/paperless/README.md b/services/paperless/README.md
diff --git a/services/paperless/compose.yml b/services/paperless/compose.yml
diff --git a/services/radicale/.env b/services/radicale/.env
@@ -0,0 +1,17 @@
+#version=1.1
+#URL=https://github.com/tailscale-dev/ScaleTail
+#COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure.
+
+# Service Configuration
+SERVICE=radicale # Service name (e.g., adguard). Used as hostname in Tailscale and for container naming (app-${SERVICE}).
+IMAGE_URL=tomsquest/docker-radicale # Docker image URL from container registry (e.g., adguard/adguard-home).
+
+# Network Configuration
+SERVICEPORT= # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable.
+DNS_SERVER=9.9.9.9 # Preferred DNS server for Tailscale. Uncomment the "dns:" section in compose.yaml to enable.
+
+# Tailscale Configuration
+TS_AUTHKEY=... # Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions.
+
+# Optional Service variables
+# PUID=1000
diff --git a/services/radicale/README.md b/services/radicale/README.md
@@ -0,0 +1,33 @@
+# Radicale with Tailscale Sidecar Configuration
+
+This Docker Compose configuration sets up [Radicale](https://radicale.org/) with Tailscale as a sidecar container to keep the app reachable over your Tailnet.
+
+## Radicale
+
+[Radicale](https://radicale.org/) is a small but powerful CalDAV (calendars, to-do lists) and CardDAV (contacts) server. It is lightweight, easy to configure, and requires minimal resources, making it a great self-hosted alternative to cloud-based calendar and contact sync services.
+
+## Key Features
+
+- CalDAV and CardDAV support for syncing calendars, to-do lists, and contacts
+- Works with any compliant client (Thunderbird, GNOME Calendar, DAVx5, Apple Calendar, etc.)
+- Lightweight with minimal resource usage
+- Simple file-based storage
+- Web interface for managing collections
+- Built-in access control and authentication
+
+## Configuration Overview
+
+In this setup, the `tailscale-radicale` service runs Tailscale, which manages secure networking for Radicale. The `radicale` service utilizes the Tailscale network stack via Docker's `network_mode: service:` configuration. This keeps the app Tailnet-only unless you intentionally expose ports.
+
+The container runs with hardened security settings: read-only filesystem, no new privileges, dropped capabilities, and resource limits (256M memory, 50 pids).
+
+## Prerequisites
+
+- This image uses [tomsquest/docker-radicale](https://github.com/tomsquest/docker-radicale). Refer to their documentation for advanced configuration options.
+- To configure users and authentication, mount a custom config file or refer to the [Radicale documentation](https://radicale.org/v3.html#configuration).
+
+## Files to check
+
+Please check the following contents for validity as some variables need to be defined upfront.
+
+- `.env` // Main variable: `TS_AUTHKEY`