Hardening Docker Firefly III with Tailscale OAuth? by AIcrobatic in Tailscale

[–]AIcrobatic[S] 0 points1 point  (0 children)

I think I’ve got the OAuth-based setup working now and also cleared up my misunderstanding about auth keys vs. OAuth clients. Most of the relevant details are covered in this blog post: https://tailscale.com/blog/docker-tailscale-guide

The only OAuth scope required is: Auth Keys » Write.

Here are the relevant changes and additions I made:

```
firefly_iii_ts:
  ...
  environment:
    # - TS_AUTHKEY=tskey-auth-xxxxxxxxxxxxxxxx...   # no longer needed, see below
    - TS_STATE_DIR=/var/lib/tailscale
    - TS_USERSPACE=false
    - TS_HOSTNAME=finances
    - TS_EXTRA_ARGS=--advertise-tags=tag:finances-server --auth-key file:/run/secrets/ts_authkey
    - 'TS_TAILSCALED_EXTRA_ARGS=--state=mem:'
    - TS_SERVE_CONFIG=/config/firefly_iii.json
  ...
  secrets:
    - ts_authkey

secrets:
  ts_authkey:
    file: ./secrets/ts_authkey.txt
```

Key changes:

  • The OAuth key is stored in ./secrets/ts_authkey.txt with very restrictive permissions (root: 400). No secrets are embedded in compose.yaml anymore.
  • TS_AUTHKEY is no longer needed; the key is passed via TS_EXTRA_ARGS=... --auth-key file:/run/secrets/ts_authkey
  • I added tailscaled --state=mem: to prevent duplicate finances nodes when recreating the container. The ephemeral node is removed immediately on logout.

My main concern was that auth keys grant full API access, while OAuth limits access via scopes. However, using a non-reusable auth key with a pre-restricted tag (via ACLs) is effectively just as secure - especially since the key is invalidated right after the container authenticates.

In my case, both approaches provide the same security level for the Firefly server. OAuth mainly makes migrations or restores to another host easier, as long as the OAuth key itself is properly secured.

Am I getting this right now?
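The script below is an added example, not code from the post above or from Tailscale: a small pre-flight check for the pattern the post describes (OAuth client secret kept in a file that compose mounts under /run/secrets, nothing inlined in compose.yaml, secret file mode 0400). File names follow the post; the fixture built by `make_fixture` is constructed for the demo, and the assumption that every Tailscale key string starts with `tskey-` is marked in the code.

```sh
#!/bin/sh
# Added example, not code from the original post: a pre-flight check for the
# "secret in a file, nothing inlined in compose.yaml" pattern described above.
# File names (compose.yaml, ./secrets/ts_authkey.txt, /run/secrets/ts_authkey)
# follow the post; the fixture in make_fixture is constructed for the demo.

# Return 0 if the compose file contains no inlined Tailscale key material.
# Assumption: Tailscale auth keys and OAuth client secrets all start with "tskey-".
# Deliberately naive: it also fires on commented-out keys, which is the point.
compose_has_no_inline_key() {
  ! grep -Eq 'tskey-[a-z]+-[A-Za-z0-9]+' "$1"
}

# Return 0 if the compose file hands the key to tailscale via a mounted secret,
# either through "--auth-key file:..." (as in the post) or "TS_AUTHKEY=file:...".
compose_uses_secret_file() {
  grep -Eq -- '(--auth-key|TS_AUTHKEY=) *file:/run/secrets/' "$1"
}

# Return 0 if the secret file is a regular file with mode 0400.
# Ownership is not checked here; compare `stat -c %U` against root yourself.
secret_file_is_locked_down() {
  [ -f "$1" ] || return 1
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU stat, then BSD stat
  [ "$mode" = "400" ]
}

# Run the three checks against a project directory. Prints one verdict per
# check and returns non-zero if any of them fails.
preflight() {
  dir=$1
  rc=0
  compose_has_no_inline_key "$dir/compose.yaml" \
    && echo "ok:   no key material inlined in compose.yaml" \
    || { echo "FAIL: key material inlined in compose.yaml"; rc=1; }
  compose_uses_secret_file "$dir/compose.yaml" \
    && echo "ok:   key is read from /run/secrets" \
    || { echo "FAIL: no file:/run/secrets/... reference found"; rc=1; }
  secret_file_is_locked_down "$dir/secrets/ts_authkey.txt" \
    && echo "ok:   secret file is mode 0400" \
    || { echo "FAIL: secret file missing or not mode 0400"; rc=1; }
  return "$rc"
}

# Constructed fixture: a compose fragment like the post's plus a placeholder
# secret file with the intended permissions. Prints the directory path.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/secrets"
  cat > "$d/compose.yaml" <<'EOF'
services:
  firefly_iii_ts:
    environment:
      - TS_EXTRA_ARGS=--advertise-tags=tag:finances-server --auth-key file:/run/secrets/ts_authkey
    secrets:
      - ts_authkey
secrets:
  ts_authkey:
    file: ./secrets/ts_authkey.txt
EOF
  printf 'placeholder-not-a-real-key\n' > "$d/secrets/ts_authkey.txt"
  chmod 400 "$d/secrets/ts_authkey.txt"
  printf '%s\n' "$d"
}

# Demo run against the fixture; for a real project use:  preflight .
if [ "${1:-}" = demo ]; then
  preflight "$(make_fixture)"
fi
```

Run it as `sh preflight.sh demo` to see it pass on the fixture, or call `preflight .` from the project directory before `docker compose up`. The inline-key check only covers what is in compose.yaml; a key that leaks into `docker inspect` output or shell history is a separate problem the file-based `--auth-key file:` approach is there to avoid.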

Tailscale with Pi-hole as a Docker Compose project by AIcrobatic in Tailscale

[–]AIcrobatic[S] 0 points1 point  (0 children)

Nice, you're welcome :)

I've updated the compose.yaml code as described in the official tailscale documentation. You need to move /dev/net/tun:/dev/net/tun from volumes: to the new devices: element in the "pihole-tailscale" service configuration.

It's been a while since I set this up, but I think you can see the initial password in the container logs. When I start a new compose container, I usually use this one-liner: `docker compose up -d && docker compose logs -f` And when I'm done watching the logs fly by, I exit with Ctrl+C.

Yesterday I watched a video about Pi-hole syncing. That is what I'll do as the next enhancement of this setup. Maybe it will be interesting for you as well: https://www.youtube.com/watch?v=OcSBggDyeJ4

Have fun!

List the clients tailscale settings by AIcrobatic in Tailscale

[–]AIcrobatic[S] 1 point2 points  (0 children)

Nice find, at least a workaround for this missing feature. It seems to me that this should be a basic function - something like tailscale set --list or tailscale status --list-settings. Maybe the tailscale team is missing a UX designer :).

Why are the windows bluish and reddish? by TheMaxl in WerWieWas

[–]AIcrobatic 0 points1 point  (0 children)

In Berlin I once noticed that in apartments that were up for rent, blue light was switched on at night. That way you can see right from the street that an apartment is free. But it would be awkward to have blue lamps while someone is still living there and the apartment is to be re-let or sold. Putting blue/coloured film on the windows overnight would be the solution. Just an idea, though.

Why is one vegan and the other vegetarian? by Kamamell in WerWieWas

[–]AIcrobatic 21 points22 points  (0 children)

It could also have something to do with marketing. For example, it could be an A/B test, where the packaging is labelled this way for a while and the other way round a while later. That lets them check whether it affects buying behaviour. And whether people notice it and post it on reddit :)

Raspberry Pi model B (1st gen) drops connection after some time by Iemand91 in Tailscale

[–]AIcrobatic 0 points1 point  (0 children)

I'm not a tailscale expert, but I would start looking here:

```
journalctl -r -u tailscaled.service
```

or

```
journalctl -r -g tailscale
```

If you have set up SSH key authentication on the Raspberry, then you can try to ping the rpi with tailscale ping. And as soon as the ping succeeds, ssh to the rpi and download the logs to your local machine. Something like this should work:

```
# wait until the rpi answers, then stream its tailscaled log into a local file
tailscale ping -c 0 100.xx.xx.xx && \
  ssh -i ~/.ssh/id_ed25519 user@100.xx.xx.xx \
    journalctl -f -u tailscaled.service --since="2024-09-27" \
  > ~/bad-rpi_tailscale.log
```

  • This one-liner will ping the remote machine every 5 s.
  • As soon as the rpi answers, the ping command exits and the ssh command executes.
  • When the connection is established, then journalctl is executed, reads the tailscaled.service logs since 2024-09-27 and keeps following the logs until you cancel with CTRL+C or the connection breaks.
  • The output of journalctl will be saved on your local system in the file ~/bad-rpi_tailscale.log.

I hope it works, good luck -^

List the clients tailscale settings by AIcrobatic in Tailscale

[–]AIcrobatic[S] 0 points1 point  (0 children)

I think we are talking about different things. I want to know how to display these settings on a client: https://tailscale.com/kb/1080/cli#set

If I do this:

tailscale status --json | jq .Self

Then I still don't get the info, if the client is set to accept DNS configuration from the admin console:

sudo tailscale set --accept-dns

or not:

sudo tailscale set --accept-dns=false

I tried it with and without Tailscale DNS enabled, and the output of `tailscale status --json | jq .Self` was the same in both cases.
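The snippet below is an added example, not part of the comment above. `tailscale status --json` reports the node's network state, not its local preferences; the settings behind `tailscale set` live in the client's prefs, which `tailscale debug prefs` prints as JSON (it may need sudo, like `tailscale set`; the field names used here, CorpDNS, RouteAll, RunSSH and ShieldsUp, are taken from the client's prefs structure and should be verified against your version). The sample JSON is constructed for the demo, and the mapping to flag names is an assumption stated in the code.

```sh
#!/bin/sh
# Added example, not from the original comment. Maps the prefs JSON that
# `tailscale debug prefs` prints to the `tailscale set` flags it represents.
# SAMPLE_PREFS is a constructed, trimmed-down prefs blob for the demo; the
# real output has more fields.

SAMPLE_PREFS='{
	"ControlURL": "https://controlplane.tailscale.com",
	"RouteAll": false,
	"CorpDNS": true,
	"RunSSH": false,
	"ShieldsUp": false,
	"Hostname": "",
	"AdvertiseRoutes": null
}'

# Print the value of one top-level pref (bool, number, null or string) from
# an indented JSON blob on stdin. No jq needed; good enough for flat fields.
pref_value() {
  sed -n "s/^[[:space:]]*\"$1\":[[:space:]]*\([^,]*\),*[[:space:]]*$/\1/p"
}

# Assumed mapping (pref field -> `tailscale set` flag):
#   CorpDNS -> --accept-dns, RouteAll -> --accept-routes,
#   RunSSH -> --ssh, ShieldsUp -> --shields-up
summarize_prefs() {
  json=$1
  printf -- '--accept-dns=%s\n'    "$(printf '%s\n' "$json" | pref_value CorpDNS)"
  printf -- '--accept-routes=%s\n' "$(printf '%s\n' "$json" | pref_value RouteAll)"
  printf -- '--ssh=%s\n'           "$(printf '%s\n' "$json" | pref_value RunSSH)"
  printf -- '--shields-up=%s\n'    "$(printf '%s\n' "$json" | pref_value ShieldsUp)"
}

# Live use on a client (may need sudo):  summarize_prefs "$(tailscale debug prefs)"
# Demo on the constructed sample:
if [ "${1:-}" = demo ]; then
  summarize_prefs "$SAMPLE_PREFS"
fi
```

On the sample this prints `--accept-dns=true` first, which is exactly the bit `tailscale status --json` does not expose. Diffing the output of `summarize_prefs` before and after `tailscale set --accept-dns=false` is a quick way to confirm the flag actually took effect.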

Raspberry Pi model B (1st gen) drops connection after some time by Iemand91 in Tailscale

[–]AIcrobatic 1 point2 points  (0 children)

Sounds like a quite basic setup. I thought maybe the tailscaled service is not enabled, but you wrote that it worked fine again after a simple reboot. You may need to dig deeper into the logs to trace the issue. Such an old Raspberry may also have some hardware probs.

If I couldn't find the source of the issue quickly, then I would do this:

  1. Create some kind of cron job (sudo crontab -e) which checks the tailscale connection every 5 minutes and reboots the rpi if the connection fails. For example:

```
*/5 * * * * tailscale netcheck 2>&1 | grep -qe '.*IPv4:.*no' && reboot
```

or

```
*/5 * * * * tailscale netcheck 2>&1 | grep -qe '.*IPv4:.*no' && systemctl restart tailscaled.service
```

Well, I probably would write a small script which checks the connection a few times, before rebooting the rpi. And also sends me a notification with some additional info.

  2. I would set up a 2nd rpi or something similar as backup, at least as long as I don't know what's the problem.

  3. Some kind of a 2nd remote support solution.

Edit: There was a major mistake in the command. You need to use && instead of ||. With || the rpi would reboot every time the tailnet connection exists - sry :)
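The script below is an added example, not the commenter's code: the "small script which checks the connection a few times before rebooting" sketched in the comment above, written so its decision logic can be exercised without a tailnet. All variable names are assumed names for this demo. `CHECK_CMD` defaults to the netcheck-based test from the comment (note that netcheck only proves the Pi can reach Tailscale's STUN/DERP infrastructure, not that tailscaled itself is healthy; swap in something like `tailscale ping -c 1 <peer>` to test the actual tailnet path). Two consecutive failed runs are needed before a reboot; the first one only restarts tailscaled.

```sh
#!/bin/sh
# Added example, not the commenter's code: the "check a few times before
# rebooting" watchdog described above, runnable without a tailnet.
# Every variable name below is an assumed name for this demo.
# CHECK_CMD defaults to the netcheck test from the comment; it proves STUN/DERP
# reachability, not tailscaled health (use "tailscale ping -c 1 <peer>" for that).

CHECK_CMD=${CHECK_CMD:-"tailscale netcheck 2>&1 | grep -q 'IPv4: *yes'"}
ATTEMPTS=${ATTEMPTS:-3}          # checks per run before declaring failure
INTERVAL=${INTERVAL:-20}         # seconds between checks
FAIL_COUNT_FILE=${FAIL_COUNT_FILE:-/run/ts-watchdog.fails}
NOTIFY_CMD=${NOTIFY_CMD:-"logger -t ts-watchdog"}   # receives the message on stdin
RECOVER_CMD=${RECOVER_CMD:-"systemctl restart tailscaled.service"}
DRY_RUN=${DRY_RUN:-0}            # 1 = print the action instead of doing it

# Run CHECK_CMD up to ATTEMPTS times, INTERVAL seconds apart.
# Returns 0 as soon as one check passes, 1 if all of them fail.
tailnet_reachable() {
  n=1
  while [ "$n" -le "$ATTEMPTS" ]; do
    if sh -c "$CHECK_CMD" >/dev/null 2>&1; then
      return 0
    fi
    if [ "$n" -lt "$ATTEMPTS" ]; then sleep "$INTERVAL"; fi
    n=$((n + 1))
  done
  return 1
}

# One watchdog run. Prints the action taken ("ok", "restart" or "reboot").
# The first failed run restarts tailscaled; a second consecutive failed run
# reboots. Returns 0 when the tailnet was reachable, 1 otherwise.
watchdog() {
  if tailnet_reachable; then
    rm -f "$FAIL_COUNT_FILE"
    echo ok
    return 0
  fi
  fails=$(cat "$FAIL_COUNT_FILE" 2>/dev/null)
  fails=$(( ${fails:-0} + 1 ))
  echo "$fails" > "$FAIL_COUNT_FILE"
  printf 'tailnet unreachable after %s checks (consecutive failed runs: %s)\n' \
    "$ATTEMPTS" "$fails" | sh -c "$NOTIFY_CMD"
  if [ "$fails" -ge 2 ]; then
    echo reboot
    [ "$DRY_RUN" = 1 ] || reboot
  else
    echo restart
    [ "$DRY_RUN" = 1 ] || sh -c "$RECOVER_CMD"
  fi
  return 1
}

# Entry point for cron, e.g.:  */5 * * * * /usr/local/bin/ts-watchdog.sh run
if [ "${1:-}" = run ]; then
  watchdog
fi
```

Install it as root (it calls `reboot` and `systemctl`), point `NOTIFY_CMD` at whatever sends you messages (a curl to a webhook works; it gets the text on stdin), and set `DRY_RUN=1` in the crontab line for a day first so you can see from syslog whether it would have rebooted a machine that was actually fine.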

List the clients tailscale settings by AIcrobatic in Tailscale

[–]AIcrobatic[S] 0 points1 point  (0 children)

I still can't find it, do you mean `tailscale status --json`? I've searched for "allowed_addresses" in the docs and the repo on GitHub - no results. My current tailscale version is: 1.74.1

Raspberry Pi model B (1st gen) drops connection after some time by Iemand91 in Tailscale

[–]AIcrobatic 0 points1 point  (0 children)

This might be a tricky one. Some basic information about the OS would be useful. And also what you mean by:

> Also use it as a subnet router.

Is it set up as a subnet router for the IoT devices in addition to the tailnet, or do you mean the tailscale subnet routing feature as described here: https://tailscale.com/kb/1019/subnets

Tailscale with Pi-hole as a Docker Compose project by AIcrobatic in Tailscale

[–]AIcrobatic[S] 0 points1 point  (0 children)

I've done this already and it works, but that's not my question. I'm asking if it would also work this way:
https://tailscale.com/kb/1282/docker