{"id":19866276,"url":"https://github.com/ecliptik/tailscale-privacy-frontends","last_synced_at":"2026-03-07T21:15:54.548Z","repository":{"id":187951621,"uuid":"677654422","full_name":"ecliptik/tailscale-privacy-frontends","owner":"ecliptik","description":"Privacy Friendly Frontends With Tailscale","archived":false,"fork":false,"pushed_at":"2023-09-18T17:31:39.000Z","size":45,"stargazers_count":11,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-11-12T15:33:05.973Z","etag":null,"topics":["docker","docker-compose","frontends","imgin","imgur","invidious","medium","nitter","privacy","reddit","scribe","searxng","tailscale","teddit","twitter","youtube"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ecliptik.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-08-12T07:22:07.000Z","updated_at":"2024-11-05T15:13:31.000Z","dependencies_parsed_at":"2024-11-12T15:32:23.125Z","dependency_job_id":null,"html_url":"https://github.com/ecliptik/tailscale-privacy-frontends","commit_stats":null,"previous_names":["ecliptik/privacy-stack","ecliptik/tailscale-privacy-stack"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecliptik%2Ftailscale-privacy-frontends","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecliptik%2Ftailscale-privacy-frontends/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecliptik%2Ftailscale-privacy-frontends/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ecliptik%2Ftailscale-privacy-frontends/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ecliptik","download_url":"https://codeload.github.com/ecliptik/tailscale-privacy-frontends/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251993002,"owners_count":21677022,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","docker-compose","frontends","imgin","imgur","invidious","medium","nitter","privacy","reddit","scribe","searxng","tailscale","teddit","twitter","youtube"],"created_at":"2024-11-12T15:25:22.302Z","updated_at":"2026-03-07T21:15:54.500Z","avatar_url":"https://github.com/ecliptik.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"# tailscale-privacy-frontends\nPrivacy Friendly Frontends With Tailscale\n\n## Purpose\n\n[Privacy Friendly Frontends](https://github.com/digitalblossom/alternative-frontends) with Tailscale in Docker Compose.\n\nList of frontends\n- [Nitter](https://github.com/zedeus/nitter) - Twitter\n- [Teddit](https://github.com/teddit-net/teddit) - Reddit\n- [Imgin](https://git.voidnet.tech/kev/imgin.git) - Imgur\n- [Scribe](https://git.sr.ht/~edwardloveall/scribe) - Medium\n- [SearXNG](https://github.com/searxng/searxng) - Google\n- [Invidiuos](https://github.com/iv-org/invidious) - YouTube\n\nFrontends are exposed via [Tailscale](https://tailscale.com/) and only available to devices authorized on a [Tailnet](https://tailscale.com/kb/1136/tailnet/?q=tailnet).\n\nAll frontends are secured over `https` with [Caddy](https://caddyserver.com/).\n\n## Requirements\n\n- [Tailscale Account](Account)\n- [Docker](https://www.docker.com/) (or any OCI container runtime)\n- [Docker Compose](https://docs.docker.com/compose/) (or any `docker-compose` compatible tool)\n\n## Quickstart\n\n1. Update `TS_AUTHKEY`, `TAILNET`, and `HMAC_KEY` variables in `.env`\n2. Run `start.sh`\n\n## Configuration\n\nTailscale Configuration\n1. [Enable HTTPS](https://tailscale.com/kb/1153/enabling-https/)\n2. [Reusable Auth Key](https://tailscale.com/kb/1085/auth-keys/?q=authkey)\n3. [Tailnet Name](https://tailscale.com/kb/1217/tailnet-name/)\n\nPrivacy Stack Configuration\n1. Copy `.env.example` to `.env`\n2. Update `TS_AUTHKEY`, `TAILNET` variables in `.env`\n3. [Generate random key](https://www.random.org/passwords/) for `HMAC_KEY` in `.env`\n\n## Running the Stack\n\nRun with the `start.sh` script.\n\nThis script will update `TS_CHANGEME` and `HMACKEY_CHANGEME` in various configurations from the variables in `.env`.\n\nExample output of `start.sh`,\n\n```\n~/privacy-stack$ ./start.sh\nUpdating caddy configuration\nUpdating nitter configuration\nUpdating redirector configuration\nStarting privacy-stack\n```\n\n## Verifying the Stack\n\nVerify the frontends come up by checking your Tailnet machines and six new names will appear (nitter, imgin, scribe, teddit, searxng, invidious).\n\nIf they do not appear, check the `docker compose logs` for errors.\n\n## Accessing Privacy Frontendsh From Tailscale\n\nWith the stack running, access the services at the `name.tailnet`.\n\nFor example, with a Tailnet name of `tailfe8c.ts.net`, the frontends are at these addresses,\n\n- https://nitter.tailfe8c.ts.net\n- https://teddit.tailfe8c.ts.net\n- https://imgin.tailfe8c.ts.net\n- https://scribe.tailfe8c.ts.net\n- https://teddit.tailfe8c.ts.net\n- https://searxng.tailfe8c.ts.net\n- https://invidious.tailfe8c.ts.net\n\n## Exit Node\n\n`tailscale-router` is configured as an [Exit Node](https://tailscale.com/kb/1103/exit-nodes/) that a Tailscale client can send all traffic through. This can also act as a [subnet router](https://tailscale.com/kb/1019/subnets/) if `--advertise-routes=` is passed in `TS_EXTRA_ARGS` environment variable.\n\n## Redirector Plugin\n\nThe [Redirector Plugin](https://github.com/einaregilsson/Redirector) can modify a link to the upstream site to the appropriate privacy frontend, including all relevant URL information. This makes using a privacy frontend seamless and the default.\n\nFor example any links that go to twitter.com will automatically redirect to https://nitter.tailfe8c.ts.net, passing along the rest of the URL so any links transparency show up in the target privacy frontend.\n\nThe `redirector` directory contains an example Redirector configuration file to use.\n\n## FAQ\n\n**Q: Why?**\n\n**A:** See [Privacy Guide to Frontends](https://www.privacyguides.org/en/frontends/) and [Privacy Frontends](https://www.privacytools.io/privacy-frontends)\n\n**Q: Why not use publicly available frontends?**\n\n**A:** Self-hosting your own frontends can improve performance and gives more control over frontend setup and configuration.\n\n**Q: Doesn't running these yourself make you more visible?**\n\n**A:** This stack can run on a small VPS (tested on a t3.medium) instance to provide an added layer of anonymonity. Layering in a VPN can also help mix traffic.\n\n**Q: Why are there so many containers?**\n\n**A:** Tailscale [Magic DNS](https://tailscale.com/kb/1081/magicdns/) does not currently support wildcard domains, and therefore each frontend needs it's own Tailscale machine so it's hbstname resolves the Tailnet. An alternative is a single hostname to proxy all frontends, but this becomes complicated as almost all frontends assume they are running in their own domain and do not handle relative URL changes easily.\n\n**Q: Why are there so many volumes?**\n\n**A:** The `varlib` volumes allow re-using of an existing Tailscale machine record between container start/stops. Without persisting outside of the container a new Tailscale machine is created every time with an number appended to it, eg `nitter-1`. The `varrun` volume shares the Tailscale socket with Caddy so [Caddy can manage Tailscale HTTPS certificates](https://tailscale.com/blog/caddy/). Instead of volumes, bind mounts could also be used.\n\n**Q: Configuration X makes this insecure, and X should be done instead.**\n\n**A:** Probably. This stack is focused on privacy and not security.\n\n## Additional Details\n\nWIP\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fecliptik%2Ftailscale-privacy-frontends","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fecliptik%2Ftailscale-privacy-frontends","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fecliptik%2Ftailscale-privacy-frontends/lists"}