In part one I wrote about the start of my journey, which was driven by playing with my smart home playground around the topic of energy saving. My home servers have been in place since 2018, yet one thing I could never fully solve was how to make them available outside my home network. For people into DevOps there will be little new here, but I'm no DevOps guy, so I had new things to discover that I'd like to share.
So my challenge was to make my home server reachable over the internet without exposing it to the public internet.
I was toying with a DynDNS setup at one point, but I never felt comfortable exposing the whole device to the internet. I know my way around Linux, but hardening an internet-facing server can become a much bigger beast. I also didn't want to invest in a virtual private server setup for this.
This is where Tailscale was a small revelation to me.
Tailscale is a service provider for virtual private networks. It builds a mesh VPN on top of WireGuard: you install client apps on your devices, they form a private virtual network (a "tailnet"), and the machines can reach each other even when they are physically far apart.
For example, while I'm traveling I can flip a switch on my phone and see my PCs, my home server and my second phone, and access them as if they were in the same room with me. Each device gets a fixed IP address in the network and a hostname (MagicDNS), which is far easier than remembering IPs and ports. I could add the Tailscale client to my Home Assistant OS running on a Raspberry Pi and access it from everywhere, as long as the Tailscale client is running on the device I'm using.
This was straightforward.
What took me some time to learn was integrating not only physical devices, but also containers. What is a container? Systems like Docker or Podman run a process in an isolated, very slim environment that shares the host's kernel but has its own filesystem, network namespace and dependencies, specifically set up for one particular software stack. For example, I can set up a web blog with the client frontend, backend server and database, each running isolated in its own Docker container, and scale them independently. Here you can find more about the basics of Docker and how to get into it step by step.
I had my first contact with Docker in 2018 but never got around to fully embracing it until now; I did, however, quickly grow to love docker-compose. It lets you write and find recipes that set up complete tool stacks with a single file, so you can self-host your own software infrastructure.
So I was playing and eventually fell into the rabbit hole of self-hostable apps, extending my personal toolchain, especially with services for which I had never found a good replacement. Now I run my Commafeed RSS reader, Gitea for my most private git projects, Jellyfin as a small media server and Netflix alternative, Invidious as an alternative frontend to YouTube and, finally, Immich.
What is Immich? I wanted to get rid of Google Photos. I used the service for a long time with much appreciation, but eventually I wanted more control over my data. With Google on the eve of using its photo library for AI training, I wanted to withdraw my pictures and also have better organized backups.
The easiest alternative I can recommend is ente.io, which also comes with more tools around data security and multi-factor authentication (MFA). This option is simple to switch to, but your data is still not in your own infrastructure.
Immich has very similar functionality to Google Photos and is quick to set up with Docker.
You can import your existing photos either as an external library (very straightforward and simple, but with some limitations around cleanup options) or by uploading everything via the API: through the web interface, the mobile app, command-line scripts or additional tools like Immich-Go. My photo library has been growing in my filesystem since 2002, and while it is generally well maintained, it slowly became messy and incomplete, metadata was lacking and it suffered from duplicates. These were all topics Immich and its extended toolchain helped to address.
That is, if the photographs are imported the "right way". For me it took three attempts, as duplicated images on upload, wrong metadata and a lack of testing of my own cleanup scripts (xD) caused several broken runs with Immich. The software is stable and good, but my ambition in cleaning my library was just too big. Thanks to my backups, these setbacks did not cause any data loss, only wasted time. On the third attempt it worked well.
Immich runs on my NUC 11 in a docker-compose setup and was thus available in my home network, but again I wanted it accessible when I'm away from home. This is where we come back to Tailscale.
Above we only added physical machines to Tailscale, but it is also possible to add containers to the private network. Each container joins as its own node with its own address and hostname, and it is then reachable by everyone in your tailnet (subject to the access rules you define in the tailnet's ACL policy).
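The usual way to do this is a Tailscale "sidecar" container that the application container shares its network namespace with, so the app never publishes a port on the host and is only reachable over the tailnet. The following docker-compose file is an added example written for this post, not the author's own configuration or an Immich-provided file: the app is a placeholder nginx image standing in for the real service, the node name `photos` and the tag `tag:container` are assumptions, and `TS_AUTHKEY` is assumed to be supplied from the shell environment (an auth key generated in the Tailscale admin console).

```yaml
# Added example (not from the post): Tailscale sidecar pattern for docker-compose.
# Assumptions: TS_AUTHKEY comes from the environment of the shell running
# `docker compose up`; the node name "photos" and the tag "tag:container" are
# placeholders; nginx stands in for the real application (e.g. immich-server).
services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: ts-photos
    hostname: photos                    # node name in the tailnet; MagicDNS resolves "photos"
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY}        # e.g. TS_AUTHKEY=tskey-auth-... docker compose up -d
                                        # never hard-code the key in this file or commit it
      - TS_STATE_DIR=/var/lib/tailscale # persist the node identity so the key is used only once
      - TS_EXTRA_ARGS=--advertise-tags=tag:container  # needs a tagOwners entry in the ACL
      - TS_USERSPACE=false              # use the kernel TUN device instead of userspace networking
    volumes:
      - ts-state:/var/lib/tailscale
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
    # Deliberately no "ports:" section here: publishing e.g. "2283:2283" on the
    # sidecar would expose the app on the host and LAN, bypassing the tailnet.
    restart: unless-stopped

  app:
    image: nginx:alpine                 # placeholder: replace with your service image
    network_mode: service:tailscale     # share the sidecar's network namespace
    depends_on:
      - tailscale
    restart: unless-stopped

volumes:
  ts-state:
```

With the stack up, the app answers at the sidecar's tailnet address (`http://photos` via MagicDNS, or its 100.x IP) from any device in the tailnet and nowhere else; `docker compose exec tailscale tailscale status` shows the node and its address. The state volume matters: without it, every restart registers a fresh node and burns a new auth key. Because `network_mode: service:tailscale` puts the app in the sidecar's namespace, a `ports:` entry on the `app` service is not allowed, so the only way to accidentally expose it is on the sidecar, which is why that section is intentionally left out above.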
Everyone? Oh, yes, I forgot. You can share your private applications in two ways.
You can invite up to 3 people (in the personal free account) to your network, and they can have access to all machines if you allow it. Alternatively, you can share individual machines with people who already run their own Tailscale network. This way you and your peers build your own private little part of the internet, hosted on your own infrastructure. You can also designate machines as exit nodes and thus create your own small distributed VPN. Invite trusted friends around the world and you can route traffic through each other's exit nodes: now I can watch German Netflix and my friends in Germany can watch Austrian ORF.
Tailscale provides a good bundle to start your DevOps networking journey. Everything it offers can be done in other ways with less reliance on a central service orchestrating the network, as Tailscale's coordination server does (it distributes keys and peer information; the traffic itself flows directly between your devices over WireGuard). However, doing all of this manually is difficult and complex, with a high risk of mistakes that compromise data security, and those are factors I'd rather entrust to experts. Tailscale also has a learning curve, but one that is much quicker to climb to get the basics working.
Through Tailscale and Docker I have a new toolchain that runs at home, over which I have a lot of control, including the full ability and responsibility to back it up. I picked Immich as one example, but there are plenty more tools available to self-host that play especially nicely with Tailscale.
In my next article, I will look at another example that grew out of Docker and Tailscale at work: a self-hosted alternative approach to a data intelligence pipeline in the context of a non-technical company.