Add service Tailscale Subnet Router Node

Author: michaelhodges

services/tailscale-subnet-router-node/.env

@@ -0,0 +1,21 @@
+#version=1.1
+#URL=https://github.com/tailscale-dev/ScaleTail
+#COMPOSE_PROJECT_NAME= # Optional: only use when running multiple deployments on the same infrastructure.
+
+# Service Configuration
+SERVICE=tailscale-subnet-router-node
+IMAGE_URL=tailscale/tailscale
+
+# Network Configuration
+SERVICEPORT= # Port to expose to local network. Uncomment the "ports:" section in compose.yaml to enable.
+DNS_SERVER=9.9.9.9
+
+# Tailscale Configuration
+TS_AUTHKEY=
+
+# Optional Service variables
+# PUID=1000
+
+# Tailscale environment
+# Add comma separated list of subnet routes 
+SUBNET_ROUTES=10.1.234.0/24 # See: https://tailscale.com/docs/features/subnet-routers

services/tailscale-subnet-router-node/README.md

@@ -0,0 +1,16 @@
+# Tailscale Subnet Router Node Configuration
+
+This Docker Compose configuration sets up a Tailscale Subnet Router Node, allowing devices in your Tailscale network to route their traffic securely through this node to a local subnet. By configuring a Tailscale Router Node, you can extend your local network of device to tailscale connected clients, such as your home or office.
+
+## Tailscale Subnet Router Node
+Subnet routers let you extend your Tailscale network (known as a tailnet) to include devices that don't or can't run the Tailscale client. They act as gateways between your tailnet and physical subnets, enabling secure access to legacy devices, entire networks, or services without installing Tailscale everywhere. This capability maintains Tailscale's security model while providing flexibility for complex network environments.
+
+## Configuration Overview
+
+In this setup, the `tailscale` service runs a Tailscale container configures it as a Subnet Router Node.
+
+- **TS_AUTHKEY**: This environment variable in the .env file is where you insert your Tailscale authentication key.
+- **SUBNET_ROUTES**: This setting defined in .env file allows the user to set the desired route. More information can be found on the [Tailscale subnet router documents page.](https://tailscale.com/docs/features/subnet-routers)
+- **TS_EXTRA_ARGS**: The `--advertise-routes` flag is used to designate this container as a Subnet Router Node within your Tailscale network.
+- **Sysctls**: The system controls `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` are enabled to allow IP forwarding, which is necessary for routing traffic through the Exit Node.
+- **Network Mode**: The `bridge` network mode is used to create a virtual network interface for the container, enabling it to handle traffic routing.

services/tailscale-subnet-router-node/compose.yaml

@@ -0,0 +1,36 @@
+services:
+# Make sure you have updated/checked the .env file with the correct variables. 
+# All the ${ xx } need to be defined there.
+  # Tailscale Sidecar Configuration
+  tailscale:
+    image: tailscale/tailscale:latest # Image to be used
+    container_name: tailscale-${SERVICE} # Name for local container management
+    hostname: ${SERVICE} # Name used within your Tailscale environment
+    environment:
+      - TS_AUTHKEY=${TS_AUTHKEY}
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_EXTRA_ARGS=--advertise-routes=${SUBNET_ROUTES}
+      - TS_USERSPACE=false
+      - TS_ENABLE_HEALTH_CHECK=true              # Enable healthcheck endpoint: "/healthz"
+      - TS_LOCAL_ADDR_PORT=127.0.0.1:41234       # The <addr>:<port> for the healthz endpoint
+      #- TS_ACCEPT_DNS=true # Uncomment when using MagicDNS
+      - TS_AUTH_ONCE=true
+    volumes:
+      - ./ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path
+    devices:
+      - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work
+    dns:
+      - ${DNS_SERVER}
+    sysctls:
+      net.ipv4.ip_forward: 1
+      net.ipv6.conf.all.forwarding: 1
+    cap_add:
+      - net_admin # Tailscale requirement
+    network_mode: bridge
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational
+      interval: 1m # How often to perform the check
+      timeout: 10s # Time to wait for the check to succeed
+      retries: 3 # Number of retries before marking as unhealthy
+      start_period: 10s # Time to wait before starting health checks
+    restart: always