
ScaleTail: Private Docker Services over Tailscale

A practical self-hosting resource for exposing Docker apps inside a private Tailnet instead of opening router ports, reverse proxies, and public subdomains by default.

Jun 1, 2026

Status & Access
Current access and latest update details.
Access: Free
Updated: Jun 1, 2026, 01:08 AM

LinkLoot AI review

Start code only in isolation

Score: 68/100
Repository checked statically and in isolation

Reviewed loot: ScaleTail: Private Docker Services over Tailscale

My take: as an audit-harness guide, this loot is useful because it turns a large-codebase review into a followable workflow.

Keeps promise: 84/100
Safe to try: 45/100
Easy to try: 56/100
Trust signals: 66/100
Worth following: 61/100
LLQI audit
Verdict: RISKY
security & trust: 68/100
functionality & value: 76/100
quality & structure: 72/100
sources checked
code signals checked
snapshot optional
No package dependencies

Automated AI review. Decision aid, not a safety guarantee. · 2026-05-31 23:38:15 UTC

What this is

ScaleTail is a collection of ready-to-run Docker Compose stacks that attach common self-hosted apps to a Tailscale tailnet through a sidecar container. The useful idea is simple: make private tools reachable from your own devices without turning every dashboard, password vault, document archive, or admin panel into a public web service.

Best use case

Use this when you run services such as Vaultwarden, Paperless-ngx, Jellyfin, Immich, Pi-hole, AdGuard Home, Home Assistant, Open WebUI, Portainer, or Uptime Kuma and want remote access without a new router port, reverse-proxy rule, or public DNS entry for every app.

Workflow

  1. Create a reusable Tailscale auth key in the Tailscale admin console.
  2. Pick the ScaleTail template matching your service.
  3. Review the Docker Compose file before running it, especially volumes, environment variables, and exposed ports.
  4. Bind the app container to the Tailscale sidecar network stack with the template's network_mode: service: pattern.
  5. Start the stack with Docker Compose and confirm the service appears in your Tailnet.
  6. Use Tailscale Serve for private Tailnet access. Only use Funnel when the service is intentionally public.

Security notes

  • ScaleTail reduces accidental public exposure, but it does not replace Docker hardening, backups, patching, or least-privilege access controls.
  • Treat every template as code: inspect the image source, tags, volume mounts, environment variables, and update policy before production use.
  • Keep admin panels, password managers, document stores, and local AI interfaces private unless you have a strong reason to expose them publicly.
  • Do not confuse Tailscale Serve with Funnel: Serve is private to the Tailnet, while Funnel publishes a service to the public internet.
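
A static pre-flight check for workflow step 3 and the "treat every template as code" note, added here as an example (it is not ScaleTail's or Tailscale's own code). It assumes the Compose file has already been resolved to JSON, for example with `docker compose config --format json`; the sample model, service names, image names and rule names are constructed for illustration.

```python
import re

# Constructed sample in the shape of the resolved Compose model (assumed to
# match `docker compose config --format json`); names and values are made up.
SAMPLE = {"services": {
    "tailscale": {
        "image": "tailscale/tailscale:latest",
        "environment": {"TS_AUTHKEY": "tskey-auth-PLACEHOLDER", "TS_HOSTNAME": "notes"},
        "ports": [{"target": 8080, "published": "8080", "protocol": "tcp"}],
    },
    "app": {
        "image": "example/notes-app:1.4.2",
        "network_mode": "service:tailscale",
        "volumes": [{"type": "bind", "source": "/var/run/docker.sock",
                     "target": "/var/run/docker.sock"}],
    },
}}

SECRET_NAME = re.compile(r"KEY|TOKEN|SECRET|PASSWORD", re.I)

def unpinned(image):
    """True when the image has no digest and no tag other than 'latest'."""
    if "@sha256:" in image:
        return False
    last = image.rsplit("/", 1)[-1]          # ignore a registry host:port
    tag = last.split(":", 1)[1] if ":" in last else ""
    return tag in ("", "latest")

def review(model):
    """Return sorted (service, rule) findings for the review points above."""
    findings = []
    for name, svc in model.get("services", {}).items():
        if "image" in svc and unpinned(svc["image"]):
            findings.append((name, "unpinned-image"))
        for port in svc.get("ports", []):
            # A port published on anything but loopback is reachable from the
            # LAN (or further), which bypasses the tailnet-only intent.
            if port.get("host_ip") not in ("127.0.0.1", "::1"):
                findings.append((name, "published-port"))
        for vol in svc.get("volumes", []):
            # Mounting the Docker socket hands the container control of the daemon.
            if vol.get("type") == "bind" and vol.get("source", "").endswith("docker.sock"):
                findings.append((name, "docker-socket"))
        for key, value in (svc.get("environment") or {}).items():
            if SECRET_NAME.search(key) and value:
                findings.append((name, "inline-secret"))  # value is never printed
    return sorted(set(findings))

if __name__ == "__main__":
    for service, rule in review(SAMPLE):
        print(f"{service}: {rule}")
```

A finding is a prompt to read that part of the template, not proof of a problem: a published port on the sidecar, for instance, may be intentional for LAN access.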

Quick decision table

| Need | Use ScaleTail? | Caveat |
|---|---|---|
| Private remote access to homelab apps | Yes | Requires Tailscale and Docker Compose |
| Public webhook endpoint | Maybe | Funnel can be public; harden it carefully |
| Full site publishing | No | Use a normal deployment and security model |
| Multi-service homelab on one host | Yes | Still plan backups, updates, and separation |

Source check

The Tarnkappe article explains the privacy angle, the Serve/Funnel distinction, and why ScaleTail fits self-hosted Docker services that should not be exposed publicly by default. The ScaleTail GitHub repository confirms that the project provides Docker Compose sidecar configurations for connecting self-hosted apps to a Tailnet. Tailscale's own Docker documentation provides the official baseline for running Tailscale with containers.
