Rustdesk Server (New Service) (#256)

michaelhodges · Michael H · crypt0rr · web-flow · commit a0eeb755e2cc · 2026-04-11T21:50:50.000+02:00
* compose.yml and .env added to paperless service. * Include paperless service README * Error paperless service README * Add PUID, GUID to environment. Align environment variables with template format * Remove volumes and incorporate the local storage principle as outlined in templates. * Restored comments. * Place TZ in .env * Add TZ variable to environment. * Revert "Restored comments." This reverts commit 216de08. * Restore Comments * Revert * Revert changes made to template files. * Set SERVICEPORT to 80 in .env configuration * Update to include paperless-ngx * Update README with Tailscale service configuration Added information about Tailscale integration for secure networking. * Add audiobooks, podcasts and metadata volumes. * Fix indentation. * New service Rustdesk server * Update README to include Rustdesk Server * Cleanup markdown * Cleanup markdown * Cleanup list markdown * Delete services/audiobookshelf/compose.yaml * Update compose.yml * Add files via upload * Update .env * Change time zone from Dublin to Amsterdam --------- Co-authored-by: Michael H <michael@hplaptop.local> Co-authored-by: Bart <57799908+crypt0rr@users.noreply.github.com>
diff --git a/README.md b/README.md
@@ -87,6 +87,7 @@ A huge thank you to all our contributors! ScaleTail wouldn’t be what it is tod
 | 🗃️ **Netbox**              | NetBox is the leading solution for modeling and documenting modern networks.    | [Details](services/netbox)              |
 | 🧩 **Pi-hole**             | A network-level ad blocker that acts as a DNS sinkhole.                         | [Details](services/pihole)              |
 | 🆔 **Pocket ID**           | A self-hosted decentralized identity (OIDC) solution for secure authentication. | [Details](services/pocket-id)           |
+| 🌐 **Rustdesk Server**     | RustDesk is an open source remote control alternative for self-hosting and security. | [Details](services/rustdesk-server)|
 | 🔒 **Technitium DNS**      | An open-source DNS server that can be used for self-hosted DNS services.        | [Details](services/technitium)          |
 | 🌐 **Traefik**             | A modern reverse proxy and load balancer for microservices.                     | [Details](services/traefik)             |
 | 🚀 **Tailscale Exit Node** | Configure a device to act as an exit node for your Tailscale network.           | [Details](services/tailscale-exit-node) |
diff --git a/services/rustdesk-server/.env b/services/rustdesk-server/.env
@@ -0,0 +1,23 @@
+#version=1.1
+#URL=https://github.com/tailscale-dev/ScaleTail
+#COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure.
+
+# Service Configuration
+SERVICE=rustdesk-server # Service name (e.g., adguard). Used as hostname in Tailscale and for container naming (app-${SERVICE}).
+IMAGE_URL=rustdesk/rustdesk-server:latest # Docker image URL from container registry (e.g., adguard/adguard-home).
+
+# Network Configuration
+SERVICEPORT=80 # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable.
+DNS_SERVER=9.9.9.9 # Preferred DNS server for Tailscale. Uncomment the "dns:" section in compose.yaml to enable.
+
+# Tailscale Configuration
+TS_AUTHKEY= # Auth key from https://tailscale.com/admin/authkeys. See: https://tailscale.com/kb/1085/auth-keys#generate-an-auth-key for instructions.
+
+# Optional Service variables
+# PUID=1000
+
+# Time zone
+TZ=Europe/Amsterdam
+
+# Always use the relay. As this is run in tailnet and relays aren't needed, this setting in most cases should remain off. 
+ALWAYS_USE_RELAY=N
diff --git a/services/rustdesk-server/README.md b/services/rustdesk-server/README.md
@@ -0,0 +1,27 @@
+# Rustdesk Server with Tailscale Sidecar Configuration
+
+This Docker Compose configuration sets up [Rustdesk Server](https://rustdesk.com/docs/en/) with Tailscale as a sidecar container to keep the app reachable over your Tailnet.
+
+## Rustdesk Server
+
+[Rustdesk Server](https://rustdesk.com/docs/en/) information about the service. Explain what the app does in 2-3 sentences and why someone would pair it with Tailscale.
+
+## Configuration Overview
+
+In this setup, the `tailscale-rustdesk-server` service runs Tailscale, which manages secure networking for Rustdesk Server. The `Rustdesk Server` service utilizes the Tailscale network stack via Docker's `network_mode: service:` configuration. This keeps the app Tailnet-only unless you intentionally expose ports.
+
+## Client setup
+
+- Service Configuration: The Rustdesk client public Key credentials are generated at first run and stored in the **id_ed25519.pub** file. This is found in the compose directory **./rustdesk-server-data/hbbs/**  Clients can be setup using the --config switch. e.g. **rustdesk.exe --config "host=rustdesk.your-tailnet.ts,key=thetextfromkey"** or in the client Setting -> Network -> ID/Relay Server.  There is no need to configure the relay or API server.
+
+Links:
+
+- [Client setup](https://github.com/rustdesk/rustdesk/discussions/7118)
+- [Rustdesk](https://rustdesk.com/)
+- [Client Configuration](https://rustdesk.com/docs/en/self-host/client-configuration/)
+
+## Files to check
+
+Please check the following contents for validity as some variables need to be defined upfront.
+
+- `.env` // Main variable `TS_AUTHKEY`
diff --git a/services/rustdesk-server/compose.yml b/services/rustdesk-server/compose.yml
@@ -0,0 +1,81 @@
+configs:
+  ts-serve:
+    content: |
+      {"TCP":{"443":{"HTTPS":true}},
+      "Web":{"$${TS_CERT_DOMAIN}:443":
+          {"Handlers":{"/":
+          {"Proxy":"http://127.0.0.1:80"}}}},
+      "AllowFunnel":{"$${TS_CERT_DOMAIN}:443":false}}
+
+services:
+# Make sure you have updated/checked the .env file with the correct variables. 
+# All the ${ xx } need to be defined there.
+  # Tailscale Sidecar Configuration
+  tailscale:
+    image: tailscale/tailscale:latest # Image to be used
+    container_name: tailscale-${SERVICE} # Name for local container management
+    hostname: ${SERVICE} # Name used within your Tailscale environment
+    environment:
+      - TS_AUTHKEY=${TS_AUTHKEY}
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_SERVE_CONFIG=/config/serve.json # Tailscale Serve configuration to expose the web interface on your local Tailnet - remove this line if not required
+      - TS_USERSPACE=false
+      - TS_ENABLE_HEALTH_CHECK=true              # Enable healthcheck endpoint: "/healthz"
+      - TS_LOCAL_ADDR_PORT=127.0.0.1:41234       # The <addr>:<port> for the healthz endpoint
+      #- TS_ACCEPT_DNS=true # Uncomment when using MagicDNS
+      - TS_AUTH_ONCE=true
+    configs:
+      - source: ts-serve
+        target: /config/serve.json
+    volumes:
+      - ./config:/config # Config folder used to store Tailscale files - you may need to change the path
+      - ./ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path
+    devices:
+      - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work
+    cap_add:
+      - net_admin # Tailscale requirement
+    #ports:
+    #  - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your Tailnet is required
+    # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below
+    #dns: 
+    #  - ${DNS_SERVER}
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational
+      interval: 1m # How often to perform the check
+      timeout: 10s # Time to wait for the check to succeed
+      retries: 3 # Number of retries before marking as unhealthy
+      start_period: 10s # Time to wait before starting health checks
+    restart: always
+
+  # ${SERVICE}
+  application:
+    image: ${IMAGE_URL}
+    container_name: app-${SERVICE}-hbbs # Name for local container management
+    network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale
+    command: hbbs
+    volumes:
+      -  ./${SERVICE}-data/hbbs:/root
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=${TZ}
+      - ALWAYS_USE_RELAY=${ALWAYS_USE_RELAY}
+    depends_on:
+      tailscale:
+        condition: service_healthy
+      hbbr: 
+        condition: service_started
+    restart: always
+
+  hbbr:
+    image: ${IMAGE_URL}
+    container_name: app-${SERVICE}-hbbr # Name for local container management
+    command: hbbr
+    volumes:
+      -  ./${SERVICE}-data/hbbr:/root
+    environment:
+      - PUID=1000
+      - PGID=1000
+      - TZ=${TZ}
+    network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale
+    restart: always
