The goal is to share an http service privately on my tailnet but with an HTTPs connection. It seems others have spent lots of time figuring out and never sharing their solutions. I just got a setup to work satisfactorily so I'll share it. Criticism is welcome. First a few notes:

• I'm using headscale on a VPS behind Caddy.
• Official tailscale allegedly can do this out of the box with tailscale serve or tailscale cert.
• Headscale supports tailscale serve but not with https. Maybe if I removed caddy and let headscale to https directly it would. I haven't tested that yet.
• Yes I know https over wireguard is redundant. This effort is not only to make Firefox shut up but to make some clients that demand https work.

I also have deliberately avoided the "Private CA" because installing the cert of every client on my tailnet sounds like a nightmare. If someone can prove me wrong there, please share.

The context

1. I have a VPS and a public domain with DNS A and AAAA records that point all sub domains *.mydomain.net to that VPS.
2. The VPS runs caddy and headscale and is on the tailnet itself.
3. Caddy route the hs subdomain to headscale.
4. I have numerous devices on my tailnet, many running different http services but only some of them I want public.
5. I can publicly expose a service with https by simply adding an entry to caddy like so,

publicservice.mydomain.net {
    reverse_proxy privatehost:8080
}

Restart caddy and that's it.

The solution

First, I used sub domains of the public domain instead of headscales base domain. eg Use *.ts.mydomain.net instead of ts.net. I made a *.ts.mydomain.net A record pointing to my servers public IP. Caddy will automatically fetch https certificates for any *.mydomain.net domains automatically. It cannot for a domain not routed to it. (DNS01 authentication might circumvent this but I haven't tested that yet).

Second, I restrict caddy to only accept tailscale connections by using the bind directive. Otherwise it will accept and route public traffic. A caddy entry for a private service would look like this,

privateservice.ts.mydomain.net {
    bind 100.64.0.1 [fd7a:115c:a1e0::1]
    reverse_proxy privatehost:8081
}

The IP addresses come from the output of tailscale ip on the caddy/headscale machine.

Now privateservice.ts.mydomain.net routes to the caddy server with https but it gets a default blank 200 response from caddy because its coming from the machine's public IP instead of the tailnet.

The last step is to configure headscale's DNS to route private services to the headscale server on its its tailscale IP instead of the public IP.

# /etc/headscale/config.yaml
# ...
dns:
  magic_dns: true
  # base_domain is irrelevant
  nameservers:
    global: [ whatever ]
    split:
        # required to override the public dns records
        ts.mydomain.net: 100.100.100.100
  extra_records:
     - type: "A"
       name: "privateservice.mydomain.net"
       value: "100.64.0.1"
     - type: "AAAA"
       name: "privateservice.mydomain.net"
       value: "fd7a:115c:a1e0::1"
     # repeat for each service, always the same IPs

You can have base_domain be whatever or make it ts.mydomain.net if you want to be consistent and aren't worried about collisions with your extra records.

I tried using wildcard DNS records in headscale and it didn't work. It felt like it completely broke DNS without any clear warnings or errors. Idk if that's a bug or what. DNS just timed out internally

Limitations

All internal HTTPS traffic is routed through my VPS instead of directly peer to peer, which is a real bummer for internal latency. I think the only way around that is to give each internal host their own caddy server, have the DNS records point directly to them, but then use a private CA and all the hassle that's worth. Maybe DNS01 challenges will work...

Also while I have no public records indicating what private subdomains I have beyond *.ts.mydomain.net for DNS, I do have them for my TLS certificates... somewhere. I'm not super concerned about that though. I think only a private CA will hide those.

I recently swapped motherboards between two builds. One went well but the other is being very finicky with detecting the CPU. Right now its laying on its side like a beached whale with the left side panel open. The heatsink is simply sitting on the CPU, no mounts, no fans. Sometimes I can strap the heatsink down, stand up the box, and close the case, but never with the fans on. Its like that's too much weight and some connection is broken. Is anyone familiar with this problem?

I had this issue previously with a different motherboard and fixed it by using a stock heatsink. But this is a fairly simple CoolerMaster 212. Its not massive. I feel like its a problem with the board or the socket.

More details: when uninstalled the old motherboard in this build, it had the same CM212 heatsink in it. When I removed that heatsink the CPU (Ryzen 5700) came out with it to my horror. Neither that CPU or that motherboard are in this build though. But that CPU was supposed it be. It did have bent pins and I did try to install it before discovering the bent pins. After straightening them the CPU still didn't work so i switched to an old Ryzen 1600, which is currently being finicky. Maybe I damaged the motherboard socket?

I start my coding workspaces in tmux sessions which persist when I log out. If I switch from a wayland session to an x11 session, then my copy and paste functionality in those neovim sessions are broken because it's still trying to use wl-copy. To be more precise:

1. Start a wayland session.
2. Open a terminal and start a tmux session.
3. Open neovim and do some work.
4. Log out of wayland, log into an X11 environment
5. Open a terminal and reconnect to the tmux session
6. "+y broken. clipboard: error invoking wl-copy: Failed to connect to a Wayland server...

Restarting neovim isn't sufficient. I have to restart the entire tmux session or switch back to wayland. Is there some short cut I can take here?

Everything I read says it's a feature enabled in what ever compositor you choose, if your compositor supports it. Why isn't there a general purpose keybinding program like setxkbmap? Does it just not exist yet or must it be built into the compositor?

I've read [this stackexchange thread] on something related but it all seems to be using XKB which should imply I'm using XWayland?