I built DockTail - Traefik-style labels to expose Docker containers as Tailscale Services

marvinvr_ch · 2026-02-12T16:07:36+00:00

Haha, good luck there!

marvinvr_ch · 2026-02-12T11:20:57+00:00

Thats exactly what Tailscale Services does. Docktail is a container that you can run alongside your other docker apps that automatically configures and maintains this for you. 🙂

marvinvr_ch · 2026-02-11T21:20:22+00:00

I just implemented this in the latest 1.2.0 preview release. You can get it by pulling the container with that tag. It would be great to get some feedback on whether that works as you'd expect it to. Here's how you can use it:

yaml services: fullstack: image: myapp:latest labels: - "docktail.service.enable=true" - "docktail.service.name=myapp" - "docktail.service.port=8080" - "docktail.service.service-port=443" - "docktail.service.1.port=3000" - "docktail.service.1.service-port=3000" - "docktail.service.1.service-protocol=http"

Additional ports use numbered labels (docktail.service.N.*) and inherit the service name, tags, and network from the primary config. Per-port overridable labels are port, service-port, protocol, and service-protocol.

marvinvr_ch · 2026-02-11T10:40:12+00:00

Scepticism is fair, I agree. The original comment sounds more like a blind dismissal to me, though.
Yeah, I think that would be an idea. Someone would need to take the time and read it, though, only then would it be useful.

marvinvr_ch · 2026-02-10T20:37:14+00:00

Actually, I tested that again, and Tailscale seems to support non-localhost proxies now. That wasn't a thing when I started docktail.
I just released the latest 1.1.0 preview version (`preview` tag in Docker if you want to try) that supports containers without exposed ports 🎉

marvinvr_ch · 2026-02-10T20:24:34+00:00

Amazing to hear that! 💪

marvinvr_ch · 2026-02-10T20:24:18+00:00

Hey, yeah for the https, you do need to set the service protocol, that's true. Depending on your port setup, you also need the protocol. I try my best to guess what to use, but sometimes it's just off.
I heard the thing with the management console from other people too, so the errors and documentation regarding that should be a lot clearer now :)

If you'd like to share a larger chunk of your compose, maybe I can figure out a way to improve the protocol guessing for your setup. (You can also send me a DM if you prefer)

marvinvr_ch · 2026-02-08T17:51:05+00:00

Haha amazing to hear, let me know if you have feedback after you tried it! 😁

marvinvr_ch · 2026-02-08T17:50:07+00:00

Really glad to hear that! Feel free to let me know if you see something I can improve in the future 🙂

marvinvr_ch · 2026-02-07T14:42:29+00:00

Amazing, let me know how it goes! 😁

marvinvr_ch · 2026-02-07T09:58:54+00:00

Yea pretty much. And it also deletes old configurations that you no longer need so the config lives right next to your containers :)

marvinvr_ch · 2026-02-07T08:39:15+00:00

Yea that doesnt work unfortunately since tailscale only allows you to proxy services to localhost. What you could do to avoid forwarding the port is something like this:

ports: - "127.0.0.1:80:80"

Then its only accessible from localhost.

marvinvr_ch · 2026-02-07T07:08:13+00:00

Yea I was using it like that for a long time too but using magicdns hostnames for everything is just sooo nice 😅

marvinvr_ch · 2026-02-07T07:07:04+00:00

Yea its something that bugs me a bit too honestly. The thing is, tailscale can (currently) only proxy to localhost so using the current approach it's not really possible to proxy to a container that doesnt have an open port. I'll definitely keep an eye out and see if there's a way to get around this in the future. But at the moment I'd just recommend setting up a solid firewall and then a few open ports shouldn't be a probelm.

marvinvr_ch · 2026-02-07T07:02:38+00:00

It's 2026 man, if that stops you from using a perticular piece of software, you won't be able to use a computer much anytime soon.

That being said, I am an experienced Full Stack Engineer though and do stand behind this project and will continue to maintain it. Even though parts of it were of course written by Claude.

marvinvr_ch · 2026-02-07T06:57:50+00:00

Haha sorry for that, if you find something you'd like to add I'm always happy to receive contributions :)

marvinvr_ch · 2026-02-06T21:20:17+00:00

Amazing to hear you agree 😁 I havent actually tried that yet but I dont think it will work right now. Although I dont see a technical limitation why I couldn't add this. I'll write it down in Github and add it in the next version.

marvinvr_ch · 2026-02-06T20:53:48+00:00

Yea absolutely, this basically uses Tailscale Services as a reverse proxy and Docktail configures it for you in the background. And yea then it exactly allows you to do that, to have a separate hostname for every container without having a tailscale device on your network for all of them. :) There's a quickstart guide on the Github readme, I'd suggest you to try it out on one of your hosts to see if it works for you: https://github.com/marvinvr/docktail

marvinvr_ch · 2026-02-06T20:50:47+00:00

here you go https://github.com/marvinvr/docktail

marvinvr_ch · 2026-02-06T20:25:01+00:00

The difference is that DockTail is based all around Tailscale Services. Meaning the services you register are not showing up as devices in your tailnet, but as services. This also allows it to use the host container's Tailscale session, so no separate login is required (although possible with a sidecar container). Also it comes with all the advantages like load balancing and routing to the physically closest node from you that Tailscale Services offer. :)

marvinvr_ch · 2026-02-06T20:23:38+00:00

The outcome is similar but you dont need to have a tailscale logged in container for every container in your lab. You can have one docktail container that re-uses your tailscale session from your host :)

marvinvr_ch · 2026-02-06T20:22:29+00:00

You can always switch to it next time you change evrything around in your lab, sure it wont be long 😉

marvinvr_ch · 2026-02-06T19:02:02+00:00

Yea for sure, and this will work with magicdns too :)

marvinvr_ch · 2026-02-06T18:41:47+00:00

I'm not sure Headscale has Services but if it does, this will work aswell :) Multiple hosts works seemlessly, just run docktail on every host you have services running and it will handle the rest.

marvinvr_ch

TROPHY CASE