Skip to main content
This guide walks you through deploying Jellyfin, a self-hosted media server, with Tailscale sidecar configuration. You’ll have a secure, Tailnet-accessible service running in under 10 minutes.

Prerequisites

Before you begin, ensure you have:
1

Tailscale account

Create a free account at tailscale.com if you don’t have one already.
2

Generate an auth key

Navigate to Tailscale Admin Console and generate an auth key:
  • Mark it as Reusable if you plan to deploy multiple services
  • Set an appropriate expiration time (or never expire)
  • Save the key securely - you’ll need it in the next step
3

Docker installed

Verify Docker and Docker Compose are installed:
docker --version
docker compose version
If not installed, follow the official Docker installation guide.

Deploy Jellyfin with Tailscale

1

Clone the repository

Get the ScaleTail repository with all service configurations:
git clone https://github.com/tailscale-dev/ScaleTail.git
cd ScaleTail/services/jellyfin
2

Configure environment variables

Create a .env file with your configuration:
.env
# Tailscale Configuration
TS_AUTHKEY=tskey-auth-xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
TS_CERT_DOMAIN=jellyfin.tail1234.ts.net

# Service Configuration
SERVICE=jellyfin
IMAGE_URL=lscr.io/linuxserver/jellyfin:latest

# Optional: DNS Server
# DNS_SERVER=1.1.1.1
Replace TS_AUTHKEY with your actual Tailscale auth key. The TS_CERT_DOMAIN will be your Tailscale hostname once the service is running.
3

Create required directories

Create directories for Jellyfin media and configuration:
mkdir -p jellyfin-data/config
mkdir -p media/movies media/tvseries
Add your media files to media/movies and media/tvseries directories. You can do this before or after starting the service.
4

Start the services

Launch both Tailscale and Jellyfin containers:
docker compose up -d
Check that both containers are running:
docker compose ps
You should see both tailscale-jellyfin and app-jellyfin with status “Up” and “healthy”.
5

Verify the deployment

Check the Tailscale container logs to confirm connection:
docker compose logs tailscale
Look for a message indicating successful connection to your Tailnet and the assigned hostname.

Access Your Service

1

Find your Tailscale hostname

Your service is accessible at https://jellyfin.tail-scale.ts.net:443 (replace with your actual Tailnet name).You can also check the Tailscale Admin Console to see your new device and its hostname.
2

Complete Jellyfin setup

Open your browser and navigate to your Jellyfin Tailscale URL. You’ll see the Jellyfin setup wizard:
  • Select your preferred language
  • Create an admin account
  • Add your media libraries (pointing to /data/movies and /data/tvshows)
  • Configure any additional settings
3

Access from any device

Install Tailscale on your phone, tablet, or other computers. Once connected to your Tailnet, you can access Jellyfin from anywhere using the same Tailscale URL.
By default, your service is only accessible within your Tailnet (private network). To expose it publicly, you would need to enable Tailscale Funnel by setting "AllowFunnel" to true in the serve configuration.

Understanding the Configuration

Here’s what the Jellyfin Docker Compose file does: 
services:
  tailscale:
    image: tailscale/tailscale:latest
    container_name: tailscale-jellyfin
    hostname: jellyfin
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY}
      - TS_SERVE_CONFIG=/config/serve.json
      - TS_ENABLE_HEALTH_CHECK=true
    volumes:
      - ./config:/config
      - ./ts/state:/var/lib/tailscale
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - net_admin

  application:
    image: lscr.io/linuxserver/jellyfin:latest
    network_mode: service:tailscale  # Routes through Tailscale
    container_name: app-jellyfin
    volumes:
      - ./jellyfin-data/config:/config
      - ./media/movies:/data/movies
      - ./media/tvseries:/data/tvshows
    depends_on:
      tailscale:
        condition: service_healthy
Key points:
  • Tailscale container: Manages the secure network connection
  • Application container: Runs Jellyfin using Tailscale’s network via network_mode: service:tailscale
  • Health checks: Ensures Tailscale is ready before starting Jellyfin
  • Serve configuration: Exposes Jellyfin on port 8096 through Tailscale HTTPS

Next Steps

Explore Core Concepts

Learn about Tailscale sidecars, Serve vs Funnel, and how the network stack works

Browse More Services

Discover 95+ pre-configured services you can deploy with Tailscale

Configuration Guide

Modify environment variables, health checks, and serve configurations

Deployment Guide

Run multiple services on the same host with Docker Compose

Troubleshooting

Check the health check logs:
docker inspect --format='{{json .State.Health}}' tailscale-jellyfin
Common issues:
  • Invalid TS_AUTHKEY - generate a new key
  • TUN device not available - ensure /dev/net/tun exists
  • Network connectivity issues - check your internet connection
Verify:
  • Other devices are connected to the same Tailnet
  • The Tailscale container shows as “healthy”
  • You’re using the correct Tailscale hostname
  • Tailscale Serve is configured correctly (check compose.yaml configs section)
Check volume mappings:
docker compose exec application ls -la /data/movies
docker compose exec application ls -la /data/tvshows
Ensure:
  • Media files exist in ./media/movies and ./media/tvseries on your host
  • File permissions allow the container to read them (PUID=1000, PGID=1000)

Build docs developers (and LLMs) love

Get started for freeTalk to us