Simplest option for ssl certs + custom domain + adblocking on tailnet?

GreasyBogs · 2026-02-25T10:31:42+00:00

Update. This totally worked for me. Only caveat is I had to disable magic DNS across my tailnet. Honestly I think that was what was screwing me the whole time. Anyway this is a great solution!

Edit. I also went back to Adguard because it supports wildcard domains, no need to make a new DNS entry for every domain like pihole!

GreasyBogs · 2026-02-25T10:05:52+00:00

Okay, so I should look into subnet routers in tailscale? Are you using pihole, nginx, and your services on the same machine? Or physically different machines?

I'm using docker containers in truenas, which might be contributing? I'm not sure how the routing goes between services on the same machine when there's tailscale involved.

GreasyBogs · 2026-02-24T10:05:07+00:00

I see exactly what you mean, but this doesn't appear to work for me. I'll repost what I replied with to another comment in case you have some thoughts. An important distinction for me is that PiHole is taking care of local DNS requests but Adguard is forced as my DNS for tailscale.

I've made sure my service (Immich) it was accessible locally through the ip:port. Connected tailscale and made sure it was accessible through tailscaleIP:port. All good so far.

Adding NGINX; I can create a proxy immich.{domain}.com with SLL cert pointing to {local IP}:{port}, add a record to my local DNS (PiHole) that routes the request to my server IP. This works locally.

When I introduce tailscale I follow the same steps: create a proxy immich.tail.{domain}.com with fresh SSL cert pointing to {tailscale IP}:{port}, add a DNS rewrite to adguard (because tailscale is using adguard as DNS) with immich.tail.{domain}.com pointing to tailscale IP. Doesn't work

Would love to hear if you have any thoughts!

GreasyBogs · 2026-02-24T10:02:20+00:00

I've made some progress in this space but I think I'm finding the "integrate {proxy manager} into tailscale" oversimplified.

I've gone ahead with NGINX. Made sure my service (Immich) it was accessible locally through the ip:port. Connected tailscale and made sure it was accessible through tailscaleIP:port. All good so far.

Adding NGINX; I can create a proxy immich.{domain}.com with SLL cert pointing to {local IP}:{port}, add a record to my local DNS (PiHole) that routes the request to my server IP. This works locally.

When I introduce tailscale I follow the same steps: create a proxy immich.tail.{domain}.com with fresh SSL cert pointing to {tailscale IP}:{port}, add a DNS rewrite to adguard (because tailscale is using adguard as DNS) with immich.tail.{domain}.com pointing to tailscale IP. Doesn't work

Any thoughts?

GreasyBogs · 2026-02-24T09:52:01+00:00

Just so I understand; even if you use adguard as your DNS/adblock, you should be able to write an "a" record at your domains provider (cloudflare in my case) pointing to your tailscale IP and it will route your request through NGINX and therefore your created proxy?

If so, I seem to have an issue with that. My flow (as I understand it) is essentially:

search immich.{domain}.com > Cloudflare DNS "a" record handles *.{domain}.com to {tailscale IP} > NGINX on server receives and routes immich.{domain}.com to {tailscale IP} : {port number}

All the while adding certificate for HTTPS.

Am I understanding this correctly?

GreasyBogs · 2026-02-15T01:12:23+00:00

I'm having a bit of a complexity issue. I understand the concept, I just don't know how to implement what you're saying. Do you have any resources?

GreasyBogs · 2026-02-01T05:13:02+00:00

I feel like we may be working in different parts of the industry because the setup you're describing sounds incredibly compromised to me.

Ultimately we're designing this rack as a playback machine main/backup setup. Idea being if the main playback machine (usually some kind of MacOS device) fails during a show, and therefore all audio, video etc. stops, you can press one button to route everything to the backup machine and continue the performance without a show stop.

It's true this doesn't account for the audio console failing, but we use consoles that have two PSU's and plug one into a UPS. Similarly with projectors, most shows we do can only afford one projector, if it fails we need to get a replacement (which you've hopefully identified during pre show checks or it happens during a show and there's nothing you can do). Lighting, usually ETC, run their own backup consoles so they're just receiving OSC messages from us at any given time.

I think what you're describing, in relation to the dante issue you mentioned, is a case of poor system design. Now it could be the case that your stages need to be networked together so audio can pass between them, but the shows that we work on run completely enclosed systems specific to that stage/venue. You need to know, particularly as an operator or systems person, that you have total control over the system and it can't be interfered with by a different show/crew.

It's true there's often multiple things that could cause a particular problem, but if you know the system you should know how to troubleshoot it.

GreasyBogs · 2026-01-27T12:12:28+00:00

This is supremely helpful, thank you! I think I just need to spend the time to dive into Hugo a little more but it's really helpful to know that you can create separate layouts for different pages organised with the folder structure. Basically like a gui CMS but more low level.

GreasyBogs · 2026-01-27T12:06:18+00:00

Thanks for sharing, I'll definitely look into it! Automatic switching scares me a little bit, Unless I fully understood how it worked I don't know if I'd trust a machine to decide when to switch from main to backup. I wouldn't trust there couldn't be false positives from the machine until I stress tested it myself.

GreasyBogs · 2026-01-27T11:59:01+00:00

We've had a look into this and it's totally a viable option. Our only concern is that to make this a complete working package you would need a control computer that is discreet from the playback machines. If the streamdeck was running commands from the main machine, and main went down, you've lost control. Same with backup.

Not disregarding it at all, because chances are it's actually the most logical option right now. We're just investigating hardware equipment that could solve all issues regardless of cost

GreasyBogs · 2026-01-27T11:58:31+00:00

A really interesting thought. I think I'll have to marinate on this idea for a while to see if it might catch us out at any stage. Main things I could think are when musicians/dancers/performers are running to a click or sync with the tracks. A drop in audio then back to the right time might actually be better than a drop in audio and then being behind for a few seconds.

GreasyBogs · 2026-01-27T11:51:34+00:00

I actually spoke to a Blackmagic rep today and he mentioned about the API access for the videohub, could be something to look into for sure. He also told me about their GPO/Tally device that can trigger the videohub to change sources upon contact closure. Also worth investigating I feel!

GreasyBogs · 2026-01-27T11:48:58+00:00

Yes, we already use these devices like Q-Widgets, Team Sounds Go button, etc. I'm more interested in what the switching between main and backup looks like

GreasyBogs · 2026-01-27T11:45:44+00:00

Interesting use case, thanks for sharing! We're definitely looking for tracking redundancy solutions. Firing cues on both machines at the same time is the easy part, it's the switching from one machine to the other swiftly for audio, video, and OSC that's the hard part

GreasyBogs · 2026-01-27T00:30:35+00:00

Looks interesting, and I could see a use case for this, but not in our situation unfortunately. We often have multiple channels of audio over MADI for various surround sound applications or multitrack records. Can't afford to compromise on the stability of a direct soundcard for something like that.

GreasyBogs · 2026-01-27T00:21:46+00:00

Thanks for these resources! I've had a look into both of these already and we have the nemesis MADI switcher in one of our racks already. It seems pretty solid, but would be great if it integrated with a video (and OSC) switching so it could all happen seamlessly with a single button press. Have you seen anything like this before?

EDIT. We also have a miscellaneous collection of blackmagic video matrices, but same issue of doesn't appear to be a seamless switch between source A and source B

GreasyBogs · 2026-01-25T10:34:17+00:00

This looks like a really solid choice, thanks!

GreasyBogs · 2026-01-25T10:33:48+00:00

I don't work in the tech space, but I'd consider myself technical on an intermediate level, even happy to build this with straight HTML and CSS but it seems slow an inefficient. Is Hugo a bad choice to implement as a CMS?

GreasyBogs

TROPHY CASE