initial

.env.couchdb.sample

@@ -0,0 +1,2 @@
+COUCHDB_USER=[your-favourite-user-name]
+COUCHDB_PASSWORD=[and-your-favourite-password]

.env.tailscale-app.sample

@@ -0,0 +1,7 @@
+TS_AUTHKEY=[HERE_FOR_YOUR_TAILSCALE_AUTHKEY]
+TS_EXTRA_ARGS=--advertise-tags=tag:container
+TS_SERVE_CONFIG=/config/ts-serve.json
+TS_STATE_DIR=/var/lib/tailscale
+TS_SOCKET=/var/run/tailscale/tailscaled.sock
+TS_USERSPACE=false
+TS_PRIVACY=public

.gitignore

@@ -0,0 +1,2 @@
+.env*
+!.env.*.sample

conf/local.ini

@@ -0,0 +1,22 @@
+[couchdb]
+single_node=true
+max_document_size = 50000000
+
+[chttpd]
+require_valid_user = true
+max_http_request_size = 4294967296
+
+[chttpd_auth]
+require_valid_user = true
+authentication_redirect = /_utils/session.html
+
+[httpd]
+WWW-Authenticate = Basic realm="couchdb"
+enable_cors = true
+
+[cors]
+origins = app://obsidian.md,capacitor://localhost,http://localhost
+credentials = true
+headers = accept, authorization, content-type, origin, referer
+methods = GET, PUT, POST, HEAD, DELETE
+max_age = 3600

docker-compose.yml

@@ -0,0 +1,31 @@
+services:
+  tailscale-app:
+    image: tailscale/tailscale:latest
+    hostname: couch-tailscale
+    env_file: .env.tailscale-app
+    volumes:
+      - tailscale-data:/var/lib/tailscale
+      - ${PWD}/ts-conf/ts-serve.json:/config/ts-serve.json:ro
+      - /dev/net/tun:/dev/net/tun
+    cap_add:
+      - net_admin
+      - sys_module
+    restart: unless-stopped
+  app:
+    image: couchdb:3.4.2
+    network_mode: service:tailscale-app
+    depends_on:
+      - tailscale-app
+    env_file: .env.couchdb
+    volumes:
+        # The files' owner will be id:5984 when you launch the image.
+        # Because CouchDB writes on-the-fly configurations into local.ini.
+        # So when you want to perform git pull or change something, you have to change owners back.
+        - couchdb-data:/opt/couchdb/data
+        - ${PWD}/conf/local.ini:/opt/couchdb/etc/local.ini
+    restart: unless-stopped
+volumes:
+  tailscale-data:
+    driver: local
+  couchdb-data:
+    driver: local

readme.md

@@ -0,0 +1,42 @@
+## CouchDB image for Self-hosted LiveSync with Tailscale funnel 
+
+### What is this
+- CouchDB Server which configured about CORS for Obsidian and Self-hosted LiveSync.
+- Instead of using your SSL Certificate or Domains, Using [tailScale](https://tailscale.com/) funnel.
+
+### Prerequisites
+- You should have an account of tailscale.
+- Your tailscale account should enabled funnel once.
+
+(To more instructions, read the [official document](https://tailscale.com/blog/docker-tailscale-guide)).
+
+### How to use
+- Rename `.env.couchdb.sample` to `.env.couchdb`.
+- Fill [your-favourite-user-name] and [and-your-favourite-password] in `.env.couchdb`.
+- Rename `.env.tailscale-app.sample` to `.env.tailscale-app`.
+- Fill [HERE_FOR_YOUR_TAILSCALE_AUTHKEY] in `.env.tailscale-app`.
+  - Note: This should be `OAuth` key.
+- run `docker compose up`
+
+
+Note: If you are first to this, some interaction will be shown. Please follow messages. And if you have been simply failed, please run `docker exec -it  tailscale_couchdb-tailscale-app tailscale funnel 5984` from the other terminal. The message like following will be shown.
+
+```
+docker exec -it  tailscale_couchdb-tailscale-app  tailscale funnel 5984
+
+Funnel is enabled, but the list of allowed nodes in the tailnet policy file does not include the one you are using.
+To give access to this node you can edit the tailnet policy file, or visit:
+
+         https://login.tailscale.com/f/funnel?node=something random
+
+```
+
+And, if you have completed the configuration, following will also be shown.
+
+```
+Success.
+Available on the internet:
+
+https://xxxxxxxxxx.xxxxxxx.ts.net/
+|-- proxy http://127.0.0.1:5984
+```

ts-conf/ts-serve.json

@@ -0,0 +1,19 @@
+{
+    "TCP": {
+        "443": {
+            "HTTPS": true
+        }
+    },
+    "Web": {
+        "${TS_CERT_DOMAIN}:443": {
+            "Handlers": {
+                "/": {
+                    "Proxy": "http://127.0.0.1:5984"
+                }
+            }
+        }
+    },
+    "AllowFunnel": {
+        "${TS_CERT_DOMAIN}:443": true
+    }
+}