-
Notifications
You must be signed in to change notification settings - Fork 40
Add Tailscale sidecar configuration for Configarr, Posterizarr, and Recyclarr services #175
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
7e86cdb
Add Tailscale sidecar configuration for Configarr, Posterizarr, and R…
jackspiering 73f3889
Update README.md to include Configarr, Posterizarr, and Recyclarr in …
jackspiering f7554d6
Update
crypt0rr 4cedef4
Update service configurations in README.md and adjust volume paths in…
jackspiering 2970c8f
Merge branch 'main' into 20251219-arr
crypt0rr File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| #version=1.0 | ||
| #url=https://github.com/2Tiny2Scale/tailscale-docker-sidecar-configs | ||
| #COMPOSE_PROJECT_NAME= // only use in multiple deployments on the same infra | ||
| SERVICE=configarr | ||
| IMAGE_URL=ghcr.io/raydak-labs/configarr:latest | ||
| SERVICEPORT= | ||
| TS_AUTHKEY= | ||
| DNS_SERVER=9.9.9.9 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| # Configarr with Tailscale Sidecar Configuration | ||
|
|
||
| This Docker Compose configuration sets up **Configarr** with a Tailscale sidecar container, enabling secure and private management of configuration files for your *Radarr*, *Sonarr*, and broader media automation stack. With this setup, Configarr is **only accessible from within your Tailscale network**, keeping your configuration workflows fully private and under your control. | ||
|
|
||
| ## Configarr | ||
|
|
||
| [**Configarr**](https://github.com/raydak-labs/configarr) is a configuration management tool designed to **declaratively manage and synchronize settings** for Radarr, Sonarr, and related media services. By defining your desired state in version-controlled YAML files, Configarr ensures your media applications remain consistent, reproducible, and easy to maintain. | ||
|
|
||
| ## Key Features | ||
|
|
||
| * ⚙️ **Declarative Configuration Management** – Define Radarr and Sonarr settings in YAML. | ||
| * 🔁 **Idempotent Syncing** – Apply configurations safely and repeatedly without drift. | ||
| * 📦 **Multi-Instance Support** – Manage multiple Radarr/Sonarr instances from a single config. | ||
| * 🧩 **Profile & Root Folder Management** – Keep paths, profiles, and settings aligned. | ||
| * 🛠 **Automation-Friendly** – Ideal for cron jobs, CI pipelines, or GitOps-style workflows. | ||
| * 🧪 **Dry-Run Mode** – Preview configuration changes before applying them. | ||
| * 🐳 **Docker-Native** – Lightweight and easy to deploy in containerized environments. | ||
|
|
||
| ## Why Self-Host? | ||
|
|
||
| Configarr requires **API access to Radarr and Sonarr**, exposing configuration and library metadata that should not be publicly reachable. By self-hosting Configarr behind Tailscale, you gain: | ||
|
|
||
| * Private, encrypted access to all Radarr/Sonarr APIs | ||
| * No need to expose management endpoints to the public Internet | ||
| * Secure remote configuration management across locations | ||
|
|
||
| This is especially useful for homelabs, shared servers, and environments where consistent configuration and security are critical. | ||
|
|
||
| ## Configuration Overview | ||
|
|
||
| In this deployment, a **Tailscale sidecar container** (for example, `tailscale-configarr`) runs the Tailscale client and joins your private Tailscale network. The Configarr service uses: | ||
|
|
||
| ```plain | ||
| network_mode: service:tailscale-configarr | ||
| ``` | ||
|
|
||
| This setup ensures that **all Configarr network traffic flows exclusively through the Tailscale interface**, allowing it to securely communicate with Radarr and Sonarr instances that are also connected via Tailscale. No ports need to be exposed, and the service remains completely inaccessible from the public Internet. | ||
|
|
||
| With this configuration, Configarr can safely enforce and maintain your desired media configuration state — privately, securely, and reproducibly. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| services: | ||
| # Make sure you have updated/checked the .env file with the correct variables. | ||
| # All the ${ xx } need to be defined there. | ||
| # Tailscale Sidecar Configuration | ||
| tailscale: | ||
| image: tailscale/tailscale:latest # Image to be used | ||
| container_name: tailscale-${SERVICE} # Name for local container management | ||
| hostname: ${SERVICE} # Name used within your Tailscale environment | ||
| environment: | ||
| - TS_AUTHKEY=${TS_AUTHKEY} | ||
| - TS_STATE_DIR=/var/lib/tailscale | ||
| - TS_USERSPACE=false | ||
| - TS_ENABLE_HEALTH_CHECK=true # Enable healthcheck endpoint: "/healthz" | ||
| - TS_LOCAL_ADDR_PORT=127.0.0.1:41234 # The <addr>:<port> for the healthz endpoint | ||
| #- TS_ACCEPT_DNS=true # Uncomment when using MagicDNS | ||
| volumes: | ||
| - ./ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path | ||
| devices: | ||
| - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work | ||
| cap_add: | ||
| - net_admin # Tailscale requirement | ||
| #ports: | ||
| # - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your Tailnet is required | ||
| # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below | ||
| #dns: | ||
| # - ${DNS_SERVER} | ||
| healthcheck: | ||
| test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational | ||
| interval: 1m # How often to perform the check | ||
| timeout: 10s # Time to wait for the check to succeed | ||
| retries: 3 # Number of retries before marking as unhealthy | ||
| start_period: 10s # Time to wait before starting health checks | ||
| restart: always | ||
|
|
||
| # ${SERVICE} | ||
| application: | ||
| image: ${IMAGE_URL} # Image to be used | ||
| network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale | ||
| container_name: app-${SERVICE} # Name for local container management | ||
| environment: | ||
| - TZ=Europe/Amsterdam | ||
| volumes: | ||
| - ${PWD}/${SERVICE}-data/config:/app/config | ||
jackspiering marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| - ${PWD}/${SERVICE}-data/dockerrepos:/app/repos | ||
| depends_on: | ||
| tailscale: | ||
| condition: service_healthy | ||
| # healthcheck: | ||
jackspiering marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| # test: ["CMD", "pgrep", "-f", "${SERVICE}"] # Check if ${SERVICE} process is running | ||
| # interval: 1m # How often to perform the check | ||
| # timeout: 10s # Time to wait for the check to succeed | ||
| # retries: 3 # Number of retries before marking as unhealthy | ||
| # start_period: 30s # Time to wait before starting health checks | ||
| restart: never | ||
|
|
||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| #version=1.0 | ||
| #url=https://github.com/2Tiny2Scale/tailscale-docker-sidecar-configs | ||
| #COMPOSE_PROJECT_NAME= // only use in multiple deployments on the same infra | ||
| SERVICE=posterizarr | ||
| IMAGE_URL=ghcr.io/fscorrupt/posterizarr:latest | ||
| SERVICEPORT=8000 | ||
| TS_AUTHKEY= | ||
| DNS_SERVER=9.9.9.9 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| # Posterizarr with Tailscale Sidecar Configuration | ||
|
|
||
| This Docker Compose configuration sets up **Posterizarr** with a Tailscale sidecar container, enabling secure and private access to your automated poster and artwork management service for *Radarr* and *Sonarr*. With this setup, Posterizarr is **only accessible from within your Tailscale network**, keeping your media automation environment clean, private, and secure. | ||
|
|
||
| ## Posterizarr | ||
|
|
||
| [**Posterizarr**](https://github.com/fscorrupt/Posterizarr) is a companion tool for Radarr and Sonarr that **automatically manages posters, backgrounds, and other artwork** based on predefined rules. It ensures a consistent visual style across your media library by automatically applying selected poster sources, resolutions, languages, and artwork types. | ||
|
|
||
| ## Key Features | ||
|
|
||
| * 🖼 **Automated Poster Management** – Automatically updates posters and artwork for movies and series. | ||
| * 🎨 **Consistent Library Aesthetics** – Enforce a uniform look across Radarr and Sonarr. | ||
| * 🔧 **Rule-Based Configuration** – Define poster sources, languages, resolutions, and priorities. | ||
| * 🔄 **Scheduled Syncing** – Periodically checks and updates artwork automatically. | ||
| * 📡 **Radarr & Sonarr Integration** – Uses official APIs to manage media artwork. | ||
| * 🐳 **Docker-Native** – Lightweight container designed for easy self-hosting. | ||
| * 🧩 **Multi-Instance Support** – Manage artwork across multiple Radarr/Sonarr instances. | ||
|
|
||
| ## Why Self-Host? | ||
|
|
||
| Posterizarr requires **API access to Radarr and Sonarr**, which exposes metadata and library structure details. Self-hosting Posterizarr behind Tailscale ensures: | ||
|
|
||
| * Radarr and Sonarr APIs are not publicly exposed | ||
| * Poster and artwork management stays inside your private network | ||
| * Secure remote management without opening firewall ports | ||
|
|
||
| This approach is ideal for homelabs, media servers, and multi-location setups where privacy and security matter. | ||
|
|
||
| ## Configuration Overview | ||
|
|
||
| In this deployment, a **Tailscale sidecar container** (for example, `tailscale-posterizarr`) runs the Tailscale client and connects to your private Tailscale network. The Posterizarr service uses: | ||
|
|
||
| ```plain | ||
| network_mode: service:tailscale-posterizarr | ||
| ``` | ||
|
|
||
| This configuration ensures that **all Posterizarr traffic is routed exclusively through the Tailscale interface**, allowing it to securely communicate with Radarr and Sonarr instances over your private network. No ports are exposed to the public Internet, and the service remains fully isolated. | ||
|
|
||
| With this setup, Posterizarr can reliably enforce consistent artwork standards across your media library — securely, privately, and automatically. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "TCP": { | ||
| "443": { | ||
| "HTTPS": true | ||
| } | ||
| }, | ||
| "Web": { | ||
| "${TS_CERT_DOMAIN}:443": { | ||
| "Handlers": { | ||
| "/": { | ||
| "Proxy": "http://127.0.0.1:8000" | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.