If you like pass, you might want to look into passage
The main downside of docker images is app developers don’t tend to pay a lot of attention to the images that they produce beyond shipping their app. While software installed via your distribution benefits from meticulous scrutiny of security teams making sure security issues are fixed in a timely fashion, those fixes rarely trickle down the chain of images that your container ultimately depends on. While your distribution’s package manager sets up a cron job to install fixes from the security channel automatically, with Docker you are back to keeping track of this by yourself, hoping that the app developer takes this seriously enough to supply new images in a timely fashion. This multiplies by the number of images, so you are always only as secure as the least well maintained image.
Most images, including latest, are piss poor quality from a security standpoint. Because of that, professionals do not tend to grab “off the shelf” images from random sources on the internet. If they do, they pay extra attention to ensure that these containers run in a sufficiently isolated environment.
Self hosting communities do not often pay attention to this. You’ll have to decide for yourself how relevant this is for you.
Syncthing uses inotify to watch for changes, so it’s pretty much instant
Yeah, and for that reason, I opted for syncthing instead of Git for this use case.
Never had merge conflicts I take it 😄
Does not have great UX on phones though.
I ran a funnel test and yes it works, but still have to use the ts.net
Out of curiosity, why is that a deal breaker for you?
Cloudflare can decrypt the data before it hits my site before it encrypts it
Give Tailscale funnel a try, it provides similar functionality but does not need to terminate your TLS to do it.
Precisely. Except there is no “Tailscale manage them for you”.
So you could summarize your answer as “Tailscale certificates work like Let’s Encrypt”.
That’s just not true. When you run an nginx proxy on a tailscale node, that nginx will terminate the TLS. There is no “gap” between your browser and that server.
Both CF and Tailscale play MITM with your HTTPS connection
That’s not correct, tailscale does not intercept the traffic, TLS is terminated on the node. Tailscale mandates HTTPS / TLS with ts.net certificates so it can route traffic to the correct node in your tailnet.
Except you can condense that whole thread into
Is there any other way?
For all intents and purposes, let’s assume there isn’t. Running a DNS server on the ‘open internet’ is notoriously difficult if you are not familiar with the intricacies, especially with regards to security. Running it through a VPN is really the best option you have here.
I absolutely agree with this. If you cannot easily reproduce your configuration, all you are doing is pushing the problems down the line. Eventually, even simple things will get uncomfortable because it becomes uncomfortable to make. Better address the problem now while it’s still small
I disagree. With licenses that are “straight proprietary”, it’s obviously what’s going on. The FSL is proprietary but tries to gaslight you into thinking that maybe it’s kinda not. That’s clearly worse because it relies on manipulation and can only ever be useful to someone acting in bad faith.
Sure, you can do all of that, fine by me. What you should not do is take that proprietary construct, slap the term “freedom” on it and try to muddy the waters of the FOSS licensing landscape even further for your own gain.
Except it’s not like Linux at all. Linux uses the GPL which imposes no usage restrictions. This is why the GPL is a free software license and the FSL is a proprietary software license.
I would actually entertain the argument of protecting themselves against free-riding if and only if they would publish a transparency report detailing how they reimburse open source projects for the “common infrastructure” like, say, Linux, that they use to build and run their commercial offering and how they arrive at the amount they consider fair for their use. So far, I have not been able to find anything remotely like that, so their whole argument is marketing and gaslighting.
The GPL is a fair play license as it offers everyone the same opportunities to use the software either for commercial purposes or otherwise. This license grants one party substantial rights over others, thus missing the main point of free software: free as in freedom, not free as in beer. That is also why free software organizations like the OSI won’t accept licenses like this as “open”.
The main point about Tailscale that I see people on here often get wrong is that they compare it to a “classic” hub-and-spoke VPN, when in fact it is an end-to-end zero trust encrypted mesh network. End-to-end does not mean machine-to-machine, it means user to service. So in your case, you should place one tailscale node in each pod (collection of containers that make up one service) as a sidekick. That way, a user needs to authenticate in order to even open a network connection for a specific service, which is a very secure solution.
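A docker-compose sketch of the per-service sidecar layout described in the comment above. This is an added illustration, not code from the original thread or from Tailscale: the image name, the `TS_*` environment variables, the capabilities and the `/dev/net/tun` mount follow the public `tailscale/tailscale` container documentation as I remember it and should be checked against the current docs; the hostname, volume name, app image and auth key are placeholders.

```yaml
# Added example (not from the original comments): one Tailscale sidecar per
# service. The app container joins the sidecar's network namespace, so the
# service has no published host ports and is reachable only via the tailnet,
# where the tailnet ACL decides which authenticated users may connect.
services:
  ts-paperless:                       # placeholder sidecar name
    image: tailscale/tailscale:latest # assumption: official container image
    hostname: paperless               # becomes the node name in the tailnet
    environment:
      - TS_AUTHKEY=tskey-auth-REPLACE-ME   # placeholder; prefer a tagged, ephemeral key
      - TS_STATE_DIR=/var/lib/tailscale    # persist node identity across restarts
      - TS_USERSPACE=false                 # kernel networking; needs tun + net_admin
    volumes:
      - ts-paperless-state:/var/lib/tailscale
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin
      - sys_module
    restart: unless-stopped

  paperless:                          # placeholder app service
    image: example/paperless:latest   # placeholder app image
    network_mode: service:ts-paperless   # share the sidecar's network namespace
    depends_on:
      - ts-paperless
    restart: unless-stopped
    # Deliberately no "ports:" section: nothing is bound on the host, so the
    # only path to the app is through the sidecar's tailnet address.

volumes:
  ts-paperless-state:
```

Each additional service gets its own sidecar/volume pair rather than sharing one node, which is what keeps the "user to service" granularity: the tailnet ACL can then grant a user access to `paperless` without also granting access to every other container on the same host.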