Multiple Tailscale instances as services "sidecars"?

I was reading about routing Docker traffic through a Tailscale sidecar container and wondered whether it would be feasible to have multiple instances of Tailscale in NixOS serve as “sidecars” for other services (e.g. Nextcloud or similar). That would replace reverse proxies like Caddy and nginx, which are currently in use to terminate TLS and expose HTTP services securely. The benefit of Tailscale is that services are shared on a private P2P network and don’t require public DNS records or public IPs, while still being accessible to tailnet users from anywhere.

Does anyone have any suggestions?


Maybe it could be done with network namespaces? I know recent systemd has gained more support for them, but if all else fails it can probably be done with shell scripts. (I have something similar set up on Ubuntu with raw WireGuard.)

Would you mind sharing more details about how you did it?

I have solved this with nspawn containers. My containers aren’t really sidecars as they contain an instance of tailscale as well as the service that they serve. This brings a bunch of complexity and issues (secrets, state, etc) so I am in the process of turning them into real sidecars by transferring the services back to the main host and only forwarding the port of the service into the container where then tailscale serves it.

This is my current setup. But as I said I am in the process of improving it. When I am done I will hopefully have a really neat little module that can be reused for a bunch of services. I will post it here when I’m done.
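A sketch of the sidecar shape described in the post above, written as a plain `nixos-container` declaration. This is an added example, not the poster's module and not code from the Tailscale or NixOS projects: the service stays on the host, the container gets its own network namespace with a tun device, and the host service's port is made reachable inside the container so that `tailscale serve` can publish it. The addresses, the `eth0` uplink, the `nc-ts` name, the service port `8080`, the auth-key path and the state version are all assumptions to adjust for your setup.

```nix
# Host-side configuration.nix fragment (added example, not the poster's module).
{ config, pkgs, ... }:

let
  # Assumed addresses and port; adjust to your setup.
  hostAddr = "192.168.100.10";   # host side of the container veth
  ctAddr   = "192.168.100.11";   # container side
  svcPort  = 8080;               # the HTTP service on the host, e.g. Nextcloud behind nginx
in
{
  # The service itself stays on the host. It must listen on hostAddr (or 0.0.0.0),
  # not only on 127.0.0.1, or the container cannot reach it.
  networking.firewall.interfaces."ve-nc-ts".allowedTCPPorts = [ svcPort ];

  # Give the container an uplink so tailscaled can reach the coordination server and DERP.
  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-+" ];
    externalInterface = "eth0";   # assumption: your real uplink interface
  };

  containers.nc-ts = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = hostAddr;
    localAddress = ctAddr;
    enableTun = true;             # tailscaled needs /dev/net/tun for kernel-mode networking

    # Keep the node identity and the auth key outside the container root, so a
    # rebuilt container does not show up as a new device on the tailnet.
    bindMounts = {
      "/var/lib/tailscale" = {
        hostPath = "/var/lib/tailscale-sidecars/nc-ts";
        isReadOnly = false;
      };
      "/run/secrets/ts-authkey" = {
        hostPath = "/run/secrets/ts-authkey";   # assumption: provisioned by your secrets tool
        isReadOnly = true;
      };
    };

    config = { config, pkgs, ... }: {
      system.stateVersion = "24.05";   # assumption

      services.tailscale = {
        enable = true;
        authKeyFile = "/run/secrets/ts-authkey";
        extraUpFlags = [ "--hostname=nextcloud" ];
      };

      # `tailscale serve` only proxies to loopback targets, so mirror the host
      # service onto the container's 127.0.0.1 with systemd-socket-proxyd.
      systemd.sockets.nc-proxy = {
        wantedBy = [ "sockets.target" ];
        socketConfig.ListenStream = "127.0.0.1:${toString svcPort}";
      };
      systemd.services.nc-proxy = {
        after = [ "network.target" ];
        serviceConfig.ExecStart =
          "${pkgs.systemd}/lib/systemd/systemd-socket-proxyd ${hostAddr}:${toString svcPort}";
      };

      # Publish the service on the tailnet over HTTPS. This needs MagicDNS and HTTPS
      # certificates enabled for the tailnet in the admin console.
      systemd.services.tailscale-serve = {
        after = [ "tailscaled.service" ];
        wants = [ "tailscaled.service" ];
        wantedBy = [ "multi-user.target" ];
        serviceConfig = { Type = "oneshot"; RemainAfterExit = true; };
        script = ''
          # wait until tailscaled is running and logged in
          until ${pkgs.tailscale}/bin/tailscale status >/dev/null 2>&1; do sleep 1; done
          ${pkgs.tailscale}/bin/tailscale serve --bg ${toString svcPort}
        '';
      };
    };
  };
}
```

Two things worth checking after `nixos-rebuild switch`: from inside the container (`nixos-container root-login nc-ts`), `curl -I http://127.0.0.1:8080` should answer from the host service, and `tailscale serve status` should list the proxy. Since the node state directory is bind-mounted from the host, a second container for another service needs its own `hostPath` for `/var/lib/tailscale` and its own auth key, otherwise the two instances would fight over one node identity.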

I have found that using tailscale with userspace networking doesn’t work for me as it prevents reaching other tailscale devices from that instance (at least the last time I tried it).