This configuration will,

• Start and authenticate Tailscale with Userspace Networking
• Start nginx listening on port 80 and 443 sharing the local directory on /
• Create a Docker volume called varlib to store Tailscale state and Let's Encrypt Certificates

This guide assumes the following,

• A Tailscale account is setup
• MagicDNS is enabled
• HTTPS in Tailscale is enabled

Update the hostname and Tailnet in the following files to match your own,

• server_name in default.conf
• ssl_certificate and ssl_certificate_key file locations in shared.conf
• hostname in docker-compose.yml

Generate a Auth Key to use for the container. This will

• Automatically authenticate node on start
• Replace/reuse the existing IP after registration

Generate the key with,

• Reusable: No
• Expiration: 90 Days
• Ephemeral: No
• Pre-approved: Yes

Tailscale state is stored in the varlib volume mounted on /var/lib, this keeps the hostname and IP if the container is restarted.

On first run, start up the containers with the Auth Key from above. This is only needed the first time docker compose is run.

TS_AUTHKEY=tskey-auth-XXXXXXXX docker compose up

Nginx will fail to start due to missing the Let's Encrypt certificates.

While the containers are still running, generate the Let's Encrypt certs for the hostname and domain in the tailscale container. This will store them in the shared varlib volume so the Nginx container will have access.

docker exec -it tailscale sh -c 'cd /var/lib ; tailscale cert HOSTNAME.tailnet-XXXX.ts.net'

Bring the containers down and back up and nginx will successfully start using the certificatres.

Open up the host in a web browser and it will show the current directoyr listing over https.