update: i have since moved this setup to be run off a raspberry pi in my basement, still using tailscale so that i can connect to it while away from home
this is the topic that originally motivated me to set up this site: i really wanted to talk about it but whenever i did it would cause people visible discomfort with how boring it was.
the gist of this setup is putting vaultwarden, a web server for the bitwarden password manager, on fly.io but not exposing this sucker to the public internet. keeping it off the public internet is a lot less risky when it comes to security.
that's where tailscale comes in: i sign into tailscale with my github account, and then i can magically visit this machine by putting its name into my browser's url bar. pretty cool! no dns entries needed. no one else can do that since the machine doesn't have any ports exposed in its fly configuration.
this all seemed to be adequate until i learned that vaultwarden doesn't really work without https. and the web server they ship with doesn't do https that well, so after reading that caddy will automatically get me the https certs i need from letsencrypt
sold! the way caddy fits in is that my computer and phone connect to the caddy server via wireguard by way of tailscale and their https support. caddy proxies the request to the vaultwarden server through fly.io's internal wireguard network.
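the "no ports exposed in its fly configuration" property mentioned above is easy to lose in a later edit, so here is an added example (not the author's code or dockerfiles) of a check that flags any fly.toml table that would publish the app through fly's public proxy. it assumes `[[services]]` and `[http_service]` are the tables that do this; both sample configs, the app name and the function name are constructed for illustration.

```python
import re

# fly.toml tables that ask fly's edge proxy to route public traffic to the app
PUBLIC_TABLES = ("services", "http_service")

# matches [table] and [[table]] headers, with an optional trailing comment
HEADER = re.compile(r"^\s*\[{1,2}\s*([A-Za-z0-9_.\-]+)\s*\]{1,2}\s*(?:#.*)?$")
PORT = re.compile(r"^\s*(port|internal_port)\s*=\s*(\d+)")

def public_exposure(fly_toml):
    """Return one finding per fly.toml table that exposes the app publicly."""
    findings, current = [], None
    for lineno, line in enumerate(fly_toml.splitlines(), 1):
        header = HEADER.match(line)
        if header:
            name = header.group(1)
            current = None
            if name.split(".")[0] in PUBLIC_TABLES:
                current = {"table": name, "line": lineno, "ports": []}
                findings.append(current)
            continue
        port = PORT.match(line)
        if port and current is not None:
            current["ports"].append((port.group(1), int(port.group(2))))
    return findings

# constructed sample: private app, reachable only over the internal network
PRIVATE = """\
app = "vault-example"

[env]
  ROCKET_PORT = "80"

[mounts]
  source = "vw_data"
  destination = "/data"
"""

# constructed sample: the same app after someone adds a public service
EXPOSED = """\
app = "vault-example"

[[services]]
  internal_port = 80
  protocol = "tcp"

  [[services.ports]]
    port = 443
    handlers = ["tls", "http"]
"""

if __name__ == "__main__":
    for label, cfg in (("private", PRIVATE), ("exposed", EXPOSED)):
        print(label, public_exposure(cfg) or "no public services")
```

an empty result means the config declares no public services; it says nothing about what else on the machine listens on the tailscale or internal interfaces.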
for a variety of reasons this was a huge pain in the ass to get working so i wanted to save some poor schmuck like me a bit of time by publishing my dockerfiles. this should be obvious but please note that i don't know what i'm doing.
scale-to-zero would be particularly nice for stuff like this so i hope fly adds that like they say they will
i had a problem where every time i deployed caddy i'd need to make a new tailscale key, and haven't bothered figuring it out given i haven't deployed this since i initially got it working a few months ago
i was totally happy using 1password for years until they decided the only way i could sync my passwords from my computer to my phone was through their website