
/root

  • Avoiding Port Conflicts Between Watchtower and Tailscale Serve on TrueNAS

    December 21st, 2025

    I use Watchtower to automatically update my Docker applications on TrueNAS SCALE. At the same time, I use Tailscale Serve as a reverse proxy to provide secure HTTPS access to my home lab services.

    This setup works well most of the time — except during updates.

    The problem

    When Watchtower updates a container, it stops and recreates it.
    If the container exposes ports such as 80 or 443, the restart can fail because Tailscale Serve is already bound to those ports.

    The result is:

    • failed container restarts,
    • services going offline,
    • and manual intervention required.
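    To see in advance which containers are affected, the overlap between Serve listener ports and published Docker ports can be computed. The script below is an added example, not part of the original post or its repository. The sample data is constructed, and the JSON shape (a top-level "TCP" map keyed by listener port) is an assumption about the output of tailscale serve status --json.

```shell
#!/usr/bin/env bash
# Added example: list host ports that are both published by a Docker
# container and used by a Tailscale Serve listener.

# Constructed sample of `tailscale serve status --json` (assumed shape).
SAMPLE_SERVE_JSON='{"TCP":{"443":{"HTTPS":true},"8443":{"HTTPS":true}},"Web":{"nas.example.ts.net:443":{"Handlers":{"/":{"Proxy":"http://127.0.0.1:2283"}}},"nas.example.ts.net:8443":{"Handlers":{"/":{"Proxy":"http://127.0.0.1:8085"}}}}}'

# Constructed sample of: docker ps --format '{{.Names}}\t{{.Ports}}'
SAMPLE_DOCKER_PS="$(printf '%s\t%s\n' \
  nginx-proxy   '0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp' \
  diskover      '0.0.0.0:8085->80/tcp' \
  elasticsearch '9200/tcp')"

# serve_ports: read Serve JSON on stdin, print one listener port per line.
# Only the TCP map has purely numeric keys whose values are objects.
serve_ports() {
  grep -oE '"[0-9]+"[[:space:]]*:[[:space:]]*\{' | grep -oE '[0-9]+' | sort -un
}

# published_ports: read "name<TAB>ports" lines, print "hostport name" pairs.
published_ports() {
  awk -F'\t' '{
    n = split($2, maps, /, */)
    for (i = 1; i <= n; i++) {
      if (maps[i] !~ /->/) continue        # exposed only, nothing bound on the host
      split(maps[i], side, "->")
      hp = side[1]; sub(/^.*:/, "", hp)    # drop the bind address, keep the host port
      if (hp ~ /^[0-9]+$/) print hp, $1    # port ranges are skipped
    }
  }' | sort -u                             # IPv4 and IPv6 binds collapse to one row
}

# find_conflicts SERVE_JSON DOCKER_PS_OUTPUT -> "port container" lines
find_conflicts() {
  fc_ports="$(printf '%s\n' "$1" | serve_ports)"
  printf '%s\n' "$2" | published_ports | while read -r fc_port fc_name; do
    if printf '%s\n' "$fc_ports" | grep -qxF "$fc_port"; then
      echo "$fc_port $fc_name"
    fi
  done
}

find_conflicts "$SAMPLE_SERVE_JSON" "$SAMPLE_DOCKER_PS"
```

    On a live system the two arguments would come from the commands named in the comments, run through docker exec for the Tailscale container.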

    The solution

    The solution is to temporarily disable Tailscale Serve, run Watchtower once, and then restore Tailscale Serve afterward.

    On TrueNAS SCALE, Tailscale runs inside its own Docker container (for example: ix-tailscale-tailscale-1). This makes it possible to control Serve using docker exec.

    The script below does exactly that:

    1. Backs up the current Tailscale Serve configuration
    2. Stops all Tailscale Serve listeners (freeing ports)
    3. Runs Watchtower in --run-once mode
    4. Restores Tailscale Serve safely

    Public Script: Pause Tailscale Serve During Watchtower Updates

    Save as

    /mnt/zfs_tank/scripts/watchtower-with-tailscale-serve.sh

    (Adjust the pool name if yours is not zfs_tank.)

    
    
    
    
    #!/usr/bin/env bash
    set -euo pipefail
    
    # ------------------------------------------------------------------------------
    # watchtower-with-tailscale-serve.sh
    #
    # Purpose:
    #   Prevent port conflicts between Watchtower and Tailscale Serve by:
    #     1. Backing up the current Tailscale Serve configuration
    #     2. Temporarily disabling Tailscale Serve
    #     3. Running Watchtower once
    #     4. Restoring Tailscale Serve
    #
    # Designed for:
    #   - TrueNAS SCALE
    #   - Tailscale running in a Docker container (TrueNAS app)
    # ------------------------------------------------------------------------------
    
    # =========================
    # CONFIGURATION
    # =========================
    
    # Name of the Tailscale container (TrueNAS default shown here)
    TS_CONTAINER_NAME="ix-tailscale-tailscale-1"
    
    # Persistent directory for backups (must survive reboots/updates)
    STATE_DIR="/mnt/zfs_tank/scripts/state"
    
    # Watchtower image
    WATCHTOWER_IMAGE="nickfedor/watchtower"
    
    # Watchtower environment variables
    WATCHTOWER_ENV=(
      "-e" "TZ=Europe/Berlin"
      "-e" "WATCHTOWER_CLEANUP=true"
      "-e" "WATCHTOWER_INCLUDE_STOPPED=true"
    )
    
    mkdir -p "$STATE_DIR"
    
    SERVE_JSON="${STATE_DIR}/tailscale-serve.json"
    
    # =========================
    # FUNCTIONS
    # =========================
    
    ts() {
      docker exec "$TS_CONTAINER_NAME" tailscale "$@"
    }
    
    # =========================
    # MAIN
    # =========================
    
    echo "==> Using Tailscale container: $TS_CONTAINER_NAME"
    
    # Ensure Tailscale container exists
    docker inspect "$TS_CONTAINER_NAME" >/dev/null
    
    # 1) Backup current Serve configuration (CLI-managed Serve)
    echo "==> Backing up Tailscale Serve configuration"
    if ts serve status --json > "${SERVE_JSON}.tmp" 2>/dev/null; then
      mv "${SERVE_JSON}.tmp" "$SERVE_JSON"
    else
      rm -f "${SERVE_JSON}.tmp" || true
      echo "WARN: No Serve configuration exported (may be file-managed or empty)."
    fi
    
    # 2) Stop all Serve listeners
    echo "==> Stopping Tailscale Serve"
    ts serve reset || true
    
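    # 3) Run Watchtower once
    #    The Docker socket mount gives this container full control of the Docker daemon.
    #    A failed run must not abort the script (set -e), or step 4 would never restore Serve.
    echo "==> Running Watchtower"
    docker run --rm \
      -v /var/run/docker.sock:/var/run/docker.sock \
      "${WATCHTOWER_ENV[@]}" \
      "$WATCHTOWER_IMAGE" --run-once \
      || echo "WARN: Watchtower exited with status $?; restoring Serve anyway." >&2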
    
    # 4) Restore Serve configuration (if present and non-empty)
    echo "==> Restoring Tailscale Serve"
    if [[ -s "$SERVE_JSON" ]] && [[ "$(cat "$SERVE_JSON")" != "{}" ]]; then
      docker exec -i "$TS_CONTAINER_NAME" tailscale serve set-raw < "$SERVE_JSON" \
        || echo "ERROR: Serve restore failed; re-apply $SERVE_JSON manually." >&2
    else
      echo "INFO: No Serve configuration to restore."
    fi
    
    echo "==> Done"
    
    

    Make the script executable

    
    
    
    
    chmod +x /mnt/zfs_tank/scripts/watchtower-with-tailscale-serve.sh
    
    

    How to run it manually

    
    
    
    
    sudo /mnt/zfs_tank/scripts/watchtower-with-tailscale-serve.sh
    
    

    Scheduling (recommended)

    In the TrueNAS UI:

    • Go to System Settings → Advanced → Cron Jobs
    • Command: /mnt/zfs_tank/scripts/watchtower-with-tailscale-serve.sh
    • User: root
    • Schedule: daily (for example, 03:00)

    Disable Watchtower’s internal schedule (WATCHTOWER_SCHEDULE) to avoid conflicts.

    The repository containing the code:

    https://github.com/chrislongros/watchtower-with-tailscale-serve

  • TrueNAS 26.04 with WebSharing and Indexing!!

    December 20th, 2025
  • immich v2.4.0

    December 19th, 2025

    https://github.com/immich-app/immich/releases/tag/v2.4.0

  • FreeBSD 15.0 goes official!

    December 16th, 2025

    After months and months of work that went to this version of FreeBSD, the time has now come! FreeBSD 15.0 is now globally available for the general public! This version of FreeBSD aims to be more welcoming to new users and to maintain the reproducible builds, alongside many improvements to come. The ISO images can […]

  • FreeBSD 15 installation on VirtualBox

    December 15th, 2025
  • FreeBSD HEAD branch brings finally support for the Realtek RTL8125 ethernet driver !!

    December 12th, 2025

    The driver will be ported from OpenBSD. Didn’t know that OpenBSD was far ahead when it comes to this issue …

  • Rust is no more experimental in Linux kernel

    December 10th, 2025
  • SSL certificates for my home server – no more https warnings for God’s sake!!

    December 9th, 2025

    It is quite annoying getting notifications for unencrypted http connections on my home servers. One solution for Synology is to set a scheduled task with the following command:

    tailscale configure synology-cert

    This command issues a Let’s Encrypt certificate with a 90-day expiration that gets automatically renewed depending on the task frequency.

    For my TrueNAS I use tailscale serve to securely expose my services and apps (immich etc.) through an HTTPS website in my tailnet. Enabling HTTPS via the Tailscale admin panel is required.

    The next step is to execute: tailscale serve --https=port_number localhost:port_number

    You can execute the command in the background with --bg, or in the foreground and interrupt it with Ctrl+C.

  • December 7th, 2025
  • Micron is killing Crucial SSDs and memory in AI pivot — company refocuses on HBM and enterprise customers

    December 6th, 2025

    https://www.tomshardware.com/pc-components/dram/micron-is-killing-crucial-ssds-and-memory-in-ai-pivot-company-refocuses-on-hbm-and-enterprise-customers

  • How To Setup Immich on TrueNAS

    December 5th, 2025

  • TrueNAS file indexing with Diskover

    December 4th, 2025

    It is important to note that diskover indexes file metadata and does not access file contents! sist2 is another solution that provides elasticsearch while also accessing file contents.

    The docker compose configuration I use on my TrueNAS server in Portainer:

    version: '2'
    services:
      diskover:
        image: lscr.io/linuxserver/diskover
        container_name: diskover
        environment:
          - PUID=1000
          - PGID=1000
          - TZ=Europe/Berlin
          - ES_HOST=elasticsearch
          - ES_PORT=9200
        volumes:
          - /mnt/zfs_tank/Applications/diskover/config/:/config
          - /mnt/zfs_tank/:/data
        ports:
          - 8085:80
        mem_limit: 4096m
        restart: unless-stopped
        depends_on:
          - elasticsearch
      elasticsearch:
        container_name: elasticsearch
        image: docker.elastic.co/elasticsearch/elasticsearch:7.17.22
        environment:
          - discovery.type=single-node
          # Authentication and TLS are off, and 9200 is published on the host below:
          # keep that port reachable from trusted networks only.
          - xpack.security.enabled=false
          - bootstrap.memory_lock=true
          - "ES_JAVA_OPTS=-Xms1g -Xmx1g"
        ulimits:
          memlock:
            soft: -1
            hard: -1
        volumes:
          - /mnt/zfs_tank/Applications/diskover/data/:/usr/share/elasticsearch/data
        ports:
          - 9200:9200
        depends_on:
          - elasticsearch-helper
        restart: unless-stopped
      elasticsearch-helper:
        image: alpine
        # Runs privileged once to raise vm.max_map_count on the host for Elasticsearch.
        command: sh -c "sysctl -w vm.max_map_count=262144"
        privileged: true

    https://hub.docker.com/r/linuxserver/diskover

  • FreeBSD 15 RELEASE Announcement

    December 3rd, 2025

    FreeBSD 15 has officially become a production release.

    https://www.freebsd.org/releases/15.0R/announce/

  • FreeBSD 15.0

    November 30th, 2025

    General

    New PKGBASE way of organizing/updating the FreeBSD Base System using pkg(8) tool.

    More about PKGBASE is available in separate Brave New PKGBASE World article.

    Since 15.0-RC3 the OpenZFS 2.4.0 (RC4) has been added which brings gems such as rewrite.

    Many operations in C library now use simd(7) extensions for improved performance.

    The pf(4) now supports the OpenBSD style NAT syntax.

    New precious_machine safety switch in /etc/rc.conf file – for instance /var/run/noshutdown file is created to prevent shutdown(8) on wrong machine.

    FreeBSD bsdinstall(8) installer now supports downloading/installing firmware packages.

    The FreeBSD pkg(8) repo is renamed to FreeBSD-ports.

    The FreeBSD-kmods pkg(8) repo is renamed to FreeBSD-ports-kmods

    The FreeBSD-ports-kmods is now included in /etc/pkg/FreeBSD.conf pkg(8) config.

    Now sysctl(8) runs inside Jails. Examples: sysctl -j JAILNAME -Ja or sysctl -j JAILNAME net.fibs=2.

    Fixed gradual slowdowns in drm-kmod with AMD and Intel GPUs.

    Multiple flaws fixed in NUMA code by omitting re-examine same domain multiple times.

    VNC server in bhyve(8) will now show correct colors when using www/novnc client.

    Under Hyper-V TLB flushes are now performed using hypercalls rather than IPIs providing up to 40% improvement.

    New networking(7) man page provides guide to connecting system to networks including WiFi.

    New pkgbase(7) man page provides overview of PKGBASE reality.

    The adduser(8) utility now creates ZFS dataset for new user home dir.

    The date(1) now supports nanoseconds.

    The dtrace(1) tool can now generate machine readable output in JSON/XML/HTML using libxo(3).

    The usbconfig(8) now reads descriptions of USB vendor/products from /usr/share/misc/usb_vendors file.

    The ps(1) is now POSIX compatible – matches current user processes using effective user ID.

    FreeBSD now natively implements Linux inotify(2) interface.

    The mac_do(4) is now production ready and supports changing rules within Jails with security.mac.do.rules knob.

    The nvme(4) and nvmecontrol(8) are now enabled on all architectures.

    The mountd(8) now uses strunvis(3) to decode dir names in exports(5) file which allows spaces use in dir name.

    New sysctl(8) knobs kern.rpc.unenc and kern.rpc.tls allows to show how much NFS-over-TLS is used.

    A lot of needed loader(8) improvements regarding reading additional configs and UEFI/SMBIOS.

    The arp(4) support for 802 standard networks has been restored.

    It is possible to build FreeBSD kernel with IPv6 support (INET6) without IPv4 (INET).

    Major regression in UDP performance introduced in FreeBSD 12.0 – including NFS over UDP – is fixed.

    Sound

    The sound(4) can allocate vchans on demand.

    New sound(4) new dsp_chn_alloc() function for using free HW channel or allocating new vchan.

    New sound(4) hw.snd.vchans_enable (previously hw.snd.maxautovchans).

    Now sound(4) dev.pcm.X.{play|rec}.vchans enables/disables vchans.

    Audio now supports asynchronous device detach which greatly simplifies hot (un)plugging USB headsets.

    Cloud

    Support for cloud-init(1) including nuageinit(7) script and config-drive partition. OpenStack compatible.

    FreeBSD is now publishing OCI compatible containers and Oracle Cloud Infrastructure images.

    WiFi

    The net/wifi-firmware-kmod@release package added to DVD in order to provide necessary firmware for WiFi drivers.

    New rtw88(4) Realtek driver based on Linux 6.17 added.

    New rtw89(4) Realtek driver based on Linux 6.17 added.

    The rtwn(4) driver supports 802.11ac (VHT) for RTL8812A and RTL8821A chips.

    New iwlwifi(4) Intel MVM/MLD driver based on Linux 6.17.

    Numerous stability improvements for iwlwifi(4) driver for Intel WiFi cards.

    The iwlwifi(4) driver now supports 802.11ac (VHT) for some Intel WiFi 5 and all WiFi 6/7 cards

    The iwlwififw(4) firmware was removed from Base System in favor of FreeBSD Ports based fwget(8) tool.

    More about fwget(8) is available in separate New fwget(8) FreeBSD Firmware Tool article.

    The iwx(4) driver added supporting Intel WiFi 6 series of M.2 cards.

    The iwx(4) driver supports 802.11ac (VHT) for Intel WiFi 6 cards

    Removed

    The fdisk(8) has been deprecated in favor of gpart(8) tool.

    The gvinum(8) is removed in 15.0.

    The agp(4) has been planned for removal in FreeBSD 15.0

    The firewire(4) have deprecation notice that it will be removed in 16.0.

    Soft Updates now enabled by default when creating new UFS file system with newfs(8) command.

    The ifconfig(8) utility will no longer accept assigning IP addresses to underlying member interfaces of a bridge(4).

    Add net.link.bridge.member_ifaddrs to allow ifconfig(8) to assigning IP to member interfaces of bridge(4).

    Source: https://vermaden.wordpress.com/2025/11/30/valuable-freebsd-15-0-release-updates/

  • r-docker – running RStudio Server remotely on my main home server

    November 30th, 2025

    https://towardsdatascience.com/running-rstudio-inside-a-container-e9db5e809ff8/
