How are things connected to eachother?

[prescientmoon]

Hi! I am new to the self hosting stuff, and your config is extremly inspiring! I've spent a lot of time trying to understand your setup, but a lot of it is still very confusing.

I am trying to understand the basics of how you handle networking between devices. I'll simplify my question to only involve 3 kind of devices: 1) A server running actual services 2) A cheap vps server running headscale and whatnot 3) A personal device (laptop/phone/etc)

I cannot open ports on the router for my kind (1) device, so if I understand things correctly, I need to point the dns records to (2), and connect (1) and (3) to the headscale network created by (2). I could then use nginx running on (2) to point requests going to a public url to a magicdns url pointing to a server running on (1), effectively managing to expose the service running on (1) to the outside world.

I know very little about the topic, so idk if what I'm saying makes any sense.

A few questions:

• What if I wanted to host a game server (factorio/terraria/satisfactory/etc) on (1). From what I read, those kind of servers don't use http, so something like nginx is useless here, right?
• Assume I own example.com . Can I make it so I can type out service.example.com in my browser to access a service running on (1) which is not accessible from people outside the headspace network? I know I could simply use magicdns, but that would require typing out the port number each time, right?
• Can I host a mailserver on (1) which also gets tunneled through (2)?

I hope asking this here is ok, and thanks in advance!

[Misterio77]

Hello, thanks a lot for your kind words!

About your intended networking setup: yup! That's completely right, and is the way I would do it too.

As for your questions:

• Yeah, they're not http. It's pretty simple to proxy arbitrary TCP/UDP traffic, though! There's a lot of ways to do it, for example: iptables, ncat, or even ssh. I personally use SSH to tunnel traffic from one of my (2) hosts as a reverse proxy for temporary (e.g. development) stuff on my (3) hosts. For your usecase, take a look at the iptables solution, I think it will be the best. Try googling "iptables tcp reverse proxy", you can put these rules into NixOS using networking.firewall.extraCommands.
• English is not my first language so it's possible I misunderstood (let me know if I did). You want to access a (web) service running on (1), through a nginx (to avoid non-standard ports) but make it restricted to people inside your network, is that right? In that case, it's pretty simple! You can simply run nginx on (1) and proxy the service with it. As (1) is not port forwarded, you will only be able to access it from your LAN or tailnet. If you want to be really really sure it's not globally acessible, you can configure nginx to only listen on the tailnet IP using services.nginx.virtualHosts.<name>.listenAddresses. About the domain, here's the cool thing about DNS: it doesn't care if the IP is publicly routable or not. You can totally go to your domain's DNS and make a service.example.com record pointing to your magicdns or tailnet IP.
• Sure! Just proxy the traffic and you're good to go. I'd recommend against it, however. There's a lot of little details that hurt deliverability (e.g. reverse DNS) that are harder to set up right on a consumer ISP. I'd host your mail server on (2) instead. I have a (2)-like server (alcyone) with only 1gb of ram and it can easily host a lot of stuff (my website, headscale, prometheus, radicale, a git remote, a mail server...), mail is pretty lightweight.

Let me know if you have any more questions! Hope I helped you a little bit :)

[prescientmoon]

Hey, thanks a lot for the detailed answers!