docker compose + traefik + tailscale
Alternatives To Selfhosted
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
Docker Pi Hole6,523
16 days ago29Shell
Pi-hole in a docker container
2 days ago117agpl-3.0Python
The SimpleLogin back-end
19 hours ago51April 25, 2021138mitGo
VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
Netflix Proxy3,523
25 days ago6mitPython
Smart DNS proxy to watch Netflix
3 months ago67gpl-3.0Python
4 months ago41
WireHole is a combination of WireGuard, Pi-hole, and Unbound in a docker-compose project with the intent of enabling users to quickly and easily create a personally managed full or split-tunnel WireGuard VPN with ad blocking capabilities thanks to Pi-hole, and DNS caching, additional privacy options, and upstream providers via Unbound.
Play With Docker2,488
3 months ago10September 07, 202178mitJavaScript
You know it, you use it, now it's time to improve it. PWD!.
4 years ago1August 08, 201826mitRuby
faster, friendlier Docker on OS X
17 hours ago126Shell
📦 Build code for NextcloudPi: Raspberry Pi, Odroid, Rock64, Docker, curl installer...
Cloudflare Ddns1,763
3 days ago12gpl-3.0Python
🎉🌩️ Dynamic DNS (DDNS) service based on Cloudflare! Access your home network remotely via a custom domain name without a static IP!
Alternatives To Selfhosted
Select To Compare

Alternative Project Comparisons

docker selfhosted services

with docker-compose and traefik

Uptime Robot ratio (30 days) Build Status

This repo contains my production docker services accessible from anywhere over HTTPS using traefik. These services (and others) run on a single server. It used to be rootless-mode but slirp4net was too slow and too much of the docker advanced configuration (permissions flags, mostly) were missing.

  • Jellyfin
  • Sonarr, Radarr, Prowlarr
  • Calibre Web
  • Kobo book downloader (kobodl)
  • Transmission torrent server
  • AdGuard Home DNS
  • Drone CI and runner
  • Duplicati
  • Watchtower
  • Cloudflare DNS Automation
  • Portainer


I've also written some intermediate to advanced generic usage docs for traefik, docker, pihole, and home networking. These articles are generally applicable, but some may be more useful than others.

More great documentation.


  • A recent version of ubuntu server with Docker CE installed (see below)
  • A router or firewall capable of dnsmasq. I use a Ubiquiti EdgeRouter X.
  • A domain name.
  • A cloudflare account.

Home network prep

  • You need to make sure that ports 80 and 443 are port-forwarded through your router to whatever host this will be on.
  • Your server should be assigned a static private IP by DNS. ifconfig will list your interfaces.
  • Refer to the docker-pi-hole docs and my docs for further network setup related to that service. Even though I use AdGuard Home, those docs are relevant.

DNS Configuration

UPDATE: This is now done automatically with Docker Traefik Cloudflare Companion. Instructions below are left as an explanation of how this works.

In this setup, each container's service will serve from a different subdomain of your Cloudflare hosted zone dyndns subdomain.

  • Create an A record for to point to your public IP.
  • For each service, you'll need to create CNAME records for each to point to because all of your services are running on the same host but the host needs to be able to do virtual host routing based on domain name.
  • Your services will be publically available on

Dynamic DNS (recommended)

Resolving the IP address of your home network is annoying because most DNS providers change your IP every now and again. Services like No-IP combat this, but they aren't the most reliable. However, setting DNS programatically is pretty easy with Cloudflare API.


  1. start with ubuntu lts
  2. Enable Unattended Upgrades
  3. clone this repo
  4. Sign into any private docker registries
  5. install docker a Understanding UID remapping a. ignore the env exports it says to set, see below
  6. make sure UsePAM yes is set in /etc/ssh/sshd_config read more
cd selfhosted
cp .env.example .env # edit this

# make mount points
mkdir /media/local /media/primary /media/secondary

# install mounts
systemctl link media-primary.mount
systemctl link media-secondary.mount

# install logrotate
systenctl --user link $HOME/selfhosted/logrotate.timer
systenctl --user link $HOME/selfhosted/logrotate.service
systemctl --user enable logrotate.timer --now

# enable traefik logrotate
cp etc/traefik-logrotate.conf /etc/logrotate.d/traefik

# Add to .profile
# export DOCKER_HOST=unix://$XDG_RUNTIME_DIR/docker.sock
nano .profile

Set up docker daemon.json. Otherwise, you may end up with subnet ranges inside your containers that overlap with the real LAN and make hosts unreachable.

    "default-address-pools": [

Edit /lib/systemd/system/[email protected] to include dependencies on mounts

[email protected]%i.service media-primary.mount media-secondary.mount

Automatic deployments and drone

  • Create a github api app. Follow drone setup instructions.
  • Make sure the user filtering config is set correctly so other users can't log in
  • Add secrets ssh_key, ssh_host, ssh_user for your deploy user.
  • Open and finish configuring your repo.

Adguard DNS

You may need to disable ubuntu's default dns service and remove resolf.conf read more.

After disabling systemd-resolved.service, I ususally set a different DNS server in /etc/resolv.conf so that DNS doesn't break when I screw up the stack.

systemd-resolve --help is your friend.

WireGurad and subnet overlap

  • use wg-quick for simplicity

  • May need to install or symlink resolvconf

  • Need to avoid overlapping subnets.

  • Set MTU down to 1280 for issues with cellular networks, on BOTH sides of the connection.

    • Update: As of September 19, had to drop to 1250 for TMobile LTE to work....
  • My subnet is

  • The mask is

  • The default LAN will be

  • The gateway is

Gateway: 11000000.10101000.0011 | 0100.00000001
Mask:    11111111.11111111.1111 | 0000.00000000
  • The upper 4 bits will be used for VLANs (16).
  • The lower 8 shoud belong to a single VLAN.

Using wireguard:

sudo systemctl enable [email protected] --now

I have aliases wgup and wgdown for this in my .bashrc.


Some references I encountered while rolling out ipv6.

My full edgerouter config

Other useful nonsense

# set own IP, delete set
ifconfig eth0 netmask up
ifconfig en1 delete
Popular Docker Projects
Popular Dns Projects
Popular Virtualization Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.