[Pulse] New Service

ChillBill77 · ChillBill77 · commit a5b46c4382b7 · 2026-05-10T17:36:07.000Z
diff --git a/services/pulse/.env b/services/pulse/.env
@@ -0,0 +1,18 @@
+#version=1.1
+#URL=https://github.com/tailscale-dev/ScaleTail
+#COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure.
+
+# Service Configuration
+SERVICE=pulse
+IMAGE_URL=rcourtman/pulse:latest
+
+# Network Configuration
+SERVICEPORT=7655
+DNS_SERVER=9.9.9.9
+
+# Tailscale Configuration
+# Auth key from https://tailscale.com/admin/authkeys
+TS_AUTHKEY=
+
+# Time Zone setting for containers
+TZ=Europe/Amsterdam
diff --git a/services/pulse/README.md b/services/pulse/README.md
@@ -0,0 +1,48 @@
+# Pulse with Tailscale Sidecar Configuration
+
+This Docker Compose configuration sets up [Pulse](https://hub.docker.com/r/rcourtman/pulse) with Tailscale as a sidecar so the dashboard is reachable only over your Tailnet at `https://pulse.<tailnet-name>.ts.net`.
+
+## Pulse
+
+Pulse is a modern, unified dashboard for monitoring your infrastructure across Proxmox, Docker, and Kubernetes. It consolidates metrics, alerts, and AI-powered insights from all your systems into a single interface, aimed at homelabs, sysadmins, and MSPs who want a "single pane of glass" without the complexity of an enterprise monitoring stack.
+
+## Configuration Overview
+
+The `tailscale-pulse` service runs the Tailscale client to join your Tailnet. The application service uses `network_mode: service:tailscale`, so Pulse listens on TCP `7655` inside the Tailscale container's network namespace and Tailscale Serve proxies HTTPS `443` → `127.0.0.1:7655`. `AllowFunnel` is `false`; the dashboard is **never** exposed to the public internet from this configuration.
+
+## Setup
+
+1. Clone the repository and navigate to the service directory:
+
+   ```bash
+   git clone https://github.com/tailscale-dev/ScaleTail.git
+   cd ScaleTail/services/pulse
+   ```
+
+2. Edit `.env` and paste your Tailscale auth key into `TS_AUTHKEY=`.
+
+3. Pre-create the data directories so Docker does not create them as `root`:
+
+   ```bash
+   mkdir -p pulse-data ts/state
+   ```
+
+4. Start the stack:
+
+   ```bash
+   docker compose up -d
+   ```
+
+5. Open `https://pulse.<tailnet-name>.ts.net` from any Tailnet peer.
+
+## Notes
+
+- Pulse stores its state (Proxmox/Docker/Kubernetes credentials, alert rules, cached metrics) in `./pulse-data` mounted at `/data`. Treat this directory like a secrets vault — it contains tokens used to query your infrastructure.
+- The original upstream `docker run` uses `-p 7655:7655` to bind the port to all host interfaces. In this configuration that direct port mapping is intentionally **not** used — access is via Tailnet only. Uncomment the `ports:` block in `compose.yaml` only if you also want LAN access from non-Tailnet devices.
+- The upstream image's restart policy is `unless-stopped`; this configuration uses `restart: always` to match the rest of the ScaleTail catalog.
+
+## Useful Links
+
+- [rcourtman/pulse on Docker Hub](https://hub.docker.com/r/rcourtman/pulse)
+- [Tailscale Serve docs](https://tailscale.com/kb/1242/tailscale-serve)
+- [Tailscale Docker guide](https://tailscale.com/blog/docker-tailscale-guide)
diff --git a/services/pulse/compose.yaml b/services/pulse/compose.yaml
@@ -0,0 +1,62 @@
+configs:
+  ts-serve:
+    content: |
+      {"TCP":{"443":{"HTTPS":true}},
+      "Web":{"$${TS_CERT_DOMAIN}:443":
+          {"Handlers":{"/":
+          {"Proxy":"http://127.0.0.1:7655"}}}},
+      "AllowFunnel":{"$${TS_CERT_DOMAIN}:443":false}}
+
+services:
+# Make sure you have updated/checked the .env file with the correct variables.
+# All the ${ xx } need to be defined there.
+  # Tailscale Sidecar Configuration
+  tailscale:
+    image: tailscale/tailscale:latest # Image to be used
+    container_name: tailscale-${SERVICE} # Name for local container management
+    hostname: ${SERVICE} # Name used within your Tailscale environment
+    environment:
+      - TS_AUTHKEY=${TS_AUTHKEY}
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_SERVE_CONFIG=/config/serve.json # Tailscale Serve configuration to expose the web interface on your local Tailnet
+      - TS_USERSPACE=false
+      - TS_ENABLE_HEALTH_CHECK=true              # Enable healthcheck endpoint: "/healthz"
+      - TS_LOCAL_ADDR_PORT=127.0.0.1:41234       # The <addr>:<port> for the healthz endpoint
+      #- TS_ACCEPT_DNS=true # Uncomment when using MagicDNS
+      - TS_AUTH_ONCE=true
+    configs:
+      - source: ts-serve
+        target: /config/serve.json
+    volumes:
+      - ./config:/config # Config folder used to store Tailscale files
+      - ./ts/state:/var/lib/tailscale # Tailscale state
+    devices:
+      - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work
+    cap_add:
+      - net_admin # Tailscale requirement
+    #ports:
+    #  - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Uncomment ONLY if LAN exposure is wanted
+    # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below
+    #dns:
+    #  - ${DNS_SERVER}
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational
+      interval: 1m
+      timeout: 10s
+      retries: 3
+      start_period: 10s
+    restart: always
+
+  # ${SERVICE}
+  application:
+    image: ${IMAGE_URL} # Image to be used
+    network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale
+    container_name: app-${SERVICE} # Name for local container management
+    environment:
+      - TZ=${TZ}
+    volumes:
+      - ./${SERVICE}-data:/data # Pulse persistent data (configs, alerts, cached metrics)
+    depends_on:
+      tailscale:
+        condition: service_healthy
+    restart: always
