Add Tailscale sidecar configuration for Configarr, Posterizarr, and Recyclarr services

README.md

@@ -66,6 +66,10 @@ If you would like to add your own config, you can use the [service-template](tem
 | 📡 **Sonarr**         | A PVR for Usenet and BitTorrent users to manage TV series.                                 | [Details](services/sonarr)         |
 | 🔗 **Slink**          | A fast, self-hosted alternative to ShareDrop for secure local file sharing.                | [Details](services/slink)          |
 | 📊 **Tautulli**       | A monitoring and tracking tool for Plex Media Server.                                      | [Details](services/tautulli)       |
+| ⚙️ **Configarr**      | Manage and sync configuration for Radarr, Sonarr, and related services.                    | [Details](services/configarr)      |
+| 🖼️ **Posterizarr**    | Automatically generates and updates posters/artwork for media libraries.                   | [Details](services/posterizarr)    |
+| ♻️ **Recyclarr**      | Tools for managing, migrating, and maintaining indexers and quality profiles.              | [Details](services/recyclarr)      |
+
 
 ### 💼 Productivity and Collaboration
 
@@ -161,7 +165,7 @@ If you would like to add your own config, you can use the [service-template](tem
 
 ### Tailscale Funnel vs. Tailscale Serve
 
-Tailscale Funnel securely exposes services to the public internet. Tailscale Serve is for sharing content within a private Tailscale network (Tailnet). You'll need to decide how you want to expose the service, the configurations in this repository exposes the local Tailnet.
+Tailscale Funnel securely exposes services to the public internet. Tailscale Serve is for sharing content within a private Tailscale network (Tailnet). You'll need to decide how you want to expose the service, the configurations in this repository exposes the local Tailnet.
 
 ### Tailscale Funnel
 

services/configarr/.env

@@ -0,0 +1,8 @@
+#version=1.0
+#url=https://github.com/2Tiny2Scale/tailscale-docker-sidecar-configs
+#COMPOSE_PROJECT_NAME= // only use in multiple deployments on the same infra
+SERVICE=configarr
+IMAGE_URL=ghcr.io/raydak-labs/configarr:latest
+SERVICEPORT=
+TS_AUTHKEY=
+DNS_SERVER=9.9.9.9

services/configarr/README.md

@@ -0,0 +1,39 @@
+# Configarr with Tailscale Sidecar Configuration
+
+This Docker Compose configuration sets up **Configarr** with a Tailscale sidecar container, enabling secure and private management of configuration files for your *Radarr*, *Sonarr*, and broader media automation stack. With this setup, Configarr is **only accessible from within your Tailscale network**, keeping your configuration workflows fully private and under your control.
+
+## Configarr
+
+[**Configarr**](https://github.com/raydak-labs/configarr) is a configuration management tool designed to **declaratively manage and synchronize settings** for Radarr, Sonarr, and related media services. By defining your desired state in version-controlled YAML files, Configarr ensures your media applications remain consistent, reproducible, and easy to maintain.
+
+## Key Features
+
+* ⚙️ **Declarative Configuration Management** – Define Radarr and Sonarr settings in YAML.
+* 🔁 **Idempotent Syncing** – Apply configurations safely and repeatedly without drift.
+* 📦 **Multi-Instance Support** – Manage multiple Radarr/Sonarr instances from a single config.
+* 🧩 **Profile & Root Folder Management** – Keep paths, profiles, and settings aligned.
+* 🛠 **Automation-Friendly** – Ideal for cron jobs, CI pipelines, or GitOps-style workflows.
+* 🧪 **Dry-Run Mode** – Preview configuration changes before applying them.
+* 🐳 **Docker-Native** – Lightweight and easy to deploy in containerized environments.
+
+## Why Self-Host?
+
+Configarr requires **API access to Radarr and Sonarr**, exposing configuration and library metadata that should not be publicly reachable. By self-hosting Configarr behind Tailscale, you gain:
+
+* Private, encrypted access to all Radarr/Sonarr APIs
+* No need to expose management endpoints to the public Internet
+* Secure remote configuration management across locations
+
+This is especially useful for homelabs, shared servers, and environments where consistent configuration and security are critical.
+
+## Configuration Overview
+
+In this deployment, a **Tailscale sidecar container** (for example, `tailscale-configarr`) runs the Tailscale client and joins your private Tailscale network. The Configarr service uses:
+
+```plain
+network_mode: service:tailscale-configarr
+```
+
+This setup ensures that **all Configarr network traffic flows exclusively through the Tailscale interface**, allowing it to securely communicate with Radarr and Sonarr instances that are also connected via Tailscale. No ports need to be exposed, and the service remains completely inaccessible from the public Internet.
+
+With this configuration, Configarr can safely enforce and maintain your desired media configuration state — privately, securely, and reproducibly.

services/configarr/docker-compose.yml

@@ -0,0 +1,56 @@
+services:
+# Make sure you have updated/checked the .env file with the correct variables. 
+# All the ${ xx } need to be defined there.
+  # Tailscale Sidecar Configuration
+  tailscale:
+    image: tailscale/tailscale:latest # Image to be used
+    container_name: tailscale-${SERVICE} # Name for local container management
+    hostname: ${SERVICE} # Name used within your Tailscale environment
+    environment:
+      - TS_AUTHKEY=${TS_AUTHKEY}
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_USERSPACE=false
+      - TS_ENABLE_HEALTH_CHECK=true              # Enable healthcheck endpoint: "/healthz"
+      - TS_LOCAL_ADDR_PORT=127.0.0.1:41234       # The <addr>:<port> for the healthz endpoint
+      #- TS_ACCEPT_DNS=true # Uncomment when using MagicDNS
+    volumes:
+      - ./ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path
+    devices:
+      - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work
+    cap_add:
+      - net_admin # Tailscale requirement
+    #ports:
+    #  - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your Tailnet is required
+    # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below
+    #dns: 
+    #  - ${DNS_SERVER}
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational
+      interval: 1m # How often to perform the check
+      timeout: 10s # Time to wait for the check to succeed
+      retries: 3 # Number of retries before marking as unhealthy
+      start_period: 10s # Time to wait before starting health checks
+    restart: always
+
+  # ${SERVICE}
+  application:
+    image: ${IMAGE_URL} # Image to be used
+    network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale
+    container_name: app-${SERVICE} # Name for local container management
+    environment:
+      - TZ=Europe/Amsterdam
+    volumes:
+      - ./${SERVICE}-data/config:/app/config
+      - ${PWD}/${SERVICE}-data/dockerrepos:/app/repos
+    depends_on:
+      tailscale:
+        condition: service_healthy
+    # healthcheck:
+    #   test: ["CMD", "pgrep", "-f", "${SERVICE}"] # Check if ${SERVICE} process is running
+    #   interval: 1m # How often to perform the check
+    #   timeout: 10s # Time to wait for the check to succeed
+    #   retries: 3 # Number of retries before marking as unhealthy
+    #   start_period: 30s # Time to wait before starting health checks
+    restart: never
+
+

services/posterizarr/.env

@@ -0,0 +1,8 @@
+#version=1.0
+#url=https://github.com/2Tiny2Scale/tailscale-docker-sidecar-configs
+#COMPOSE_PROJECT_NAME= // only use in multiple deployments on the same infra
+SERVICE=posterizarr
+IMAGE_URL=ghcr.io/fscorrupt/posterizarr:latest
+SERVICEPORT=8000
+TS_AUTHKEY=
+DNS_SERVER=9.9.9.9

services/posterizarr/README.md

@@ -0,0 +1,39 @@
+# Posterizarr with Tailscale Sidecar Configuration
+
+This Docker Compose configuration sets up **Posterizarr** with a Tailscale sidecar container, enabling secure and private access to your automated poster and artwork management service for *Radarr* and *Sonarr*. With this setup, Posterizarr is **only accessible from within your Tailscale network**, keeping your media automation environment clean, private, and secure.
+
+## Posterizarr
+
+[**Posterizarr**](https://github.com/fscorrupt/Posterizarr) is a companion tool for Radarr and Sonarr that **automatically manages posters, backgrounds, and other artwork** based on predefined rules. It ensures a consistent visual style across your media library by automatically applying selected poster sources, resolutions, languages, and artwork types.
+
+## Key Features
+
+* 🖼 **Automated Poster Management** – Automatically updates posters and artwork for movies and series.
+* 🎨 **Consistent Library Aesthetics** – Enforce a uniform look across Radarr and Sonarr.
+* 🔧 **Rule-Based Configuration** – Define poster sources, languages, resolutions, and priorities.
+* 🔄 **Scheduled Syncing** – Periodically checks and updates artwork automatically.
+* 📡 **Radarr & Sonarr Integration** – Uses official APIs to manage media artwork.
+* 🐳 **Docker-Native** – Lightweight container designed for easy self-hosting.
+* 🧩 **Multi-Instance Support** – Manage artwork across multiple Radarr/Sonarr instances.
+
+## Why Self-Host?
+
+Posterizarr requires **API access to Radarr and Sonarr**, which exposes metadata and library structure details. Self-hosting Posterizarr behind Tailscale ensures:
+
+* Radarr and Sonarr APIs are not publicly exposed
+* Poster and artwork management stays inside your private network
+* Secure remote management without opening firewall ports
+
+This approach is ideal for homelabs, media servers, and multi-location setups where privacy and security matter.
+
+## Configuration Overview
+
+In this deployment, a **Tailscale sidecar container** (for example, `tailscale-posterizarr`) runs the Tailscale client and connects to your private Tailscale network. The Posterizarr service uses:
+
+```plain
+network_mode: service:tailscale-posterizarr
+```
+
+This configuration ensures that **all Posterizarr traffic is routed exclusively through the Tailscale interface**, allowing it to securely communicate with Radarr and Sonarr instances over your private network. No ports are exposed to the public Internet, and the service remains fully isolated.
+
+With this setup, Posterizarr can reliably enforce consistent artwork standards across your media library — securely, privately, and automatically.

services/posterizarr/config/serve.json

@@ -0,0 +1,16 @@
+{
+  "TCP": {
+    "443": {
+      "HTTPS": true
+    }
+  },
+  "Web": {
+    "${TS_CERT_DOMAIN}:443": {
+      "Handlers": {
+        "/": {
+          "Proxy": "http://127.0.0.1:8000"
+        }
+      }
+    }
+  }
+}

services/posterizarr/docker-compose.yml

@@ -0,0 +1,61 @@
+services:
+# Make sure you have updated/checked the .env file with the correct variables. 
+# All the ${ xx } need to be defined there.
+  # Tailscale Sidecar Configuration
+  tailscale:
+    image: tailscale/tailscale:latest # Image to be used
+    container_name: tailscale-${SERVICE} # Name for local container management
+    hostname: ${SERVICE} # Name used within your Tailscale environment
+    environment:
+      - TS_AUTHKEY=${TS_AUTHKEY}
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_SERVE_CONFIG=/config/serve.json # Tailscale Serve configuration to expose the web interface on your local Tailnet - remove this line if not required
+      - TS_USERSPACE=false
+      - TS_ENABLE_HEALTH_CHECK=true              # Enable healthcheck endpoint: "/healthz"
+      - TS_LOCAL_ADDR_PORT=127.0.0.1:41234       # The <addr>:<port> for the healthz endpoint
+      #- TS_ACCEPT_DNS=true # Uncomment when using MagicDNS
+    volumes:
+      - ./config:/config # Config folder used to store Tailscale files - you may need to change the path
+      - ./ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path
+    devices:
+      - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work
+    cap_add:
+      - net_admin # Tailscale requirement
+    #ports:
+    #  - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your Tailnet is required
+    # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below
+    #dns: 
+    #  - ${DNS_SERVER}
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational
+      interval: 1m # How often to perform the check
+      timeout: 10s # Time to wait for the check to succeed
+      retries: 3 # Number of retries before marking as unhealthy
+      start_period: 10s # Time to wait before starting health checks
+    restart: always
+
+  # ${SERVICE}
+  application:
+    image: ${IMAGE_URL} # Image to be used
+    network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale
+    container_name: app-${SERVICE} # Name for local container management
+    environment:
+      - TZ=Europe/Amsterdam 
+      - TERM=xterm 
+      - RUN_TIME=disabled 
+    user: "1000:1000" 
+    volumes:
+      - ./${SERVICE}-data/config:/config:rw
+      - ./${SERVICE}-data/assets:/assets:rw
+      - ./${SERVICE}-data/assetsbackup:/assetsbackup:rw
+      - ./${SERVICE}-data/manualassets:/manualassets:rw
+    depends_on:
+      tailscale:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "pgrep", "-f", "${SERVICE}"] # Check if ${SERVICE} process is running
+      interval: 1m # How often to perform the check
+      timeout: 10s # Time to wait for the check to succeed
+      retries: 3 # Number of retries before marking as unhealthy
+      start_period: 30s # Time to wait before starting health checks
+    restart: always

services/recyclarr/.env

@@ -0,0 +1,8 @@
+#version=1.0
+#url=https://github.com/2Tiny2Scale/tailscale-docker-sidecar-configs
+#COMPOSE_PROJECT_NAME= // only use in multiple deployments on the same infra
+SERVICE=recyclarr
+IMAGE_URL=ghcr.io/recyclarr/recyclarr
+SERVICEPORT=
+TS_AUTHKEY=
+DNS_SERVER=9.9.9.9

services/recyclarr/README.md

@@ -0,0 +1,39 @@
+# Recyclarr with Tailscale Sidecar Configuration
+
+This Docker Compose configuration sets up **Recyclarr** with a Tailscale sidecar container, allowing secure and private synchronization of quality profiles, custom formats, and media settings across your *Radarr* and *Sonarr* instances. With this setup, Recyclarr is **only reachable from within your Tailscale network**, keeping your media automation infrastructure fully private and protected.
+
+## Recyclarr
+
+[**Recyclarr**](https://github.com/recyclarr/recyclarr) is an automation tool designed to **synchronize TRaSH-Guides–based quality profiles and custom formats** to Radarr and Sonarr. Instead of manually configuring and maintaining complex quality rules, Recyclarr allows you to define everything declaratively in YAML and keep your media stack consistent and reproducible.
+
+## Key Features
+
+* ♻️ **TRaSH-Guides Integration** – Automatically syncs recommended quality profiles and custom formats.
+* 📐 **Declarative Configuration** – Manage Radarr and Sonarr settings using simple YAML files.
+* 🔄 **Consistent Media Rules** – Keep multiple Radarr/Sonarr instances aligned.
+* 🧩 **Custom Format Management** – Automatically create, update, and score custom formats.
+* 🧪 **Dry-Run Support** – Preview changes before applying them.
+* 🐳 **Docker-Friendly** – Lightweight container designed for scheduled or on-demand runs.
+* 🛠 **Automation-First** – Ideal for cron jobs, CI pipelines, or homelab orchestration.
+
+## Why Self-Host?
+
+Recyclarr requires **API access to Radarr and Sonarr**, which often exposes sensitive configuration details about your media infrastructure. By self-hosting Recyclarr and restricting access via Tailscale, you ensure:
+
+* Your Radarr/Sonarr APIs are never exposed publicly
+* All synchronization traffic stays inside your private network
+* Remote management remains secure, even when traveling or managing multiple sites
+
+This is especially valuable in homelabs, seedbox setups, or multi-location media deployments.
+
+## Configuration Overview
+
+In this deployment, a **Tailscale sidecar container** (for example, `tailscale-recyclarr`) runs the Tailscale client and joins your private Tailscale network. The Recyclarr service uses:
+
+```plain
+network_mode: service:tailscale-recyclarr
+```
+
+This setup ensures that **all Recyclarr traffic flows exclusively through the Tailscale interface**, allowing it to securely reach Radarr and Sonarr instances that are also on your Tailscale network. No ports need to be exposed, and the container remains completely inaccessible from the public Internet.
+
+With this configuration, Recyclarr can safely automate and enforce your media quality standards across your entire media stack — privately, securely, and reproducibly.

services/recyclarr/docker-compose.yml

@@ -0,0 +1,55 @@
+services:
+  # Make sure you have updated/checked the .env file with the correct variables. 
+  # All the ${ xx } need to be defined there.
+  # Tailscale Sidecar Configuration
+  tailscale:
+    image: tailscale/tailscale:latest # Image to be used
+    container_name: tailscale-${SERVICE} # Name for local container management
+    hostname: ${SERVICE} # Name used within your Tailscale environment
+    environment:
+      - TS_AUTHKEY=${TS_AUTHKEY}
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_USERSPACE=false
+      - TS_ENABLE_HEALTH_CHECK=true              # Enable healthcheck endpoint: "/healthz"
+      - TS_LOCAL_ADDR_PORT=127.0.0.1:41234       # The <addr>:<port> for the healthz endpoint
+      #- TS_ACCEPT_DNS=true # Uncomment when using MagicDNS
+    volumes:
+      - ./ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path
+    devices:
+      - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work
+    cap_add:
+      - net_admin # Tailscale requirement
+    #ports:
+    #  - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your Tailnet is required
+    # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below
+    #dns: 
+    #  - ${DNS_SERVER}
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational
+      interval: 1m # How often to perform the check
+      timeout: 10s # Time to wait for the check to succeed
+      retries: 3 # Number of retries before marking as unhealthy
+      start_period: 10s # Time to wait before starting health checks
+    restart: always
+
+  # ${SERVICE}
+  application:
+    image: ${IMAGE_URL} # Image to be used
+    network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale
+    container_name: app-${SERVICE} # Name for local container management
+    volumes:
+      - ./${SERVICE}-data/config:/config
+    environment:
+      - TZ=Europe/Amsterdam
+      - RECYCLARR_CREATE_CONFIG=true
+    user: 1000:1000
+    depends_on:
+      tailscale:
+        condition: service_healthy
+    # healthcheck:
+    #   test: ["CMD", "pgrep", "-f", "yarn"] # Check if ${SERVICE} process is running
+    #   interval: 1m # How often to perform the check
+    #   timeout: 10s # Time to wait for the check to succeed
+    #   retries: 3 # Number of retries before marking as unhealthy
+    #   start_period: 30s # Time to wait before starting health checks
+    # restart: unless-stopped