DEV Community: Aryan Iyappan The latest articles on DEV Community by Aryan Iyappan (@aryaniyaps). https://dev.to/aryaniyaps https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F664689%2Ffe45d2e0-7876-4c54-8e03-3b77a771fb58.png DEV Community: Aryan Iyappan https://dev.to/aryaniyaps en How I Self-Hosted Postiz with Tailscale (and the Env Vars the Docs Don't Tell You About) Aryan Iyappan Wed, 03 Jun 2026 08:22:47 +0000 https://dev.to/aryaniyaps/how-i-self-hosted-postiz-with-tailscale-and-the-env-vars-the-docs-dont-tell-you-about-4i8g https://dev.to/aryaniyaps/how-i-self-hosted-postiz-with-tailscale-and-the-env-vars-the-docs-dont-tell-you-about-4i8g <h1> How I Self-Hosted Postiz with Tailscale (and the Env Vars the Docs Don't Tell You About) </h1> <p><strong>A step-by-step guide to running your own social media scheduler behind Tailscale — with the gotchas that cost me an afternoon.</strong></p> <p>I wanted a social media scheduler that I control. Not another SaaS subscription. Not another dashboard I log into that owns my data. Postiz is the best open-source option out there — 28+ platform integrations, a CLI, and a clean UI — but self-hosting it has a learning curve.</p> <p>The docs will get you 80% of the way there. The other 20% — the env vars nobody mentions, the Tailscale networking trick, the Temporal stack — is what this post covers.</p> <p>By the end, you'll have Postiz running on your server, accessible from anywhere via Tailscale's MagicDNS, with automatic HTTPS. No port forwarding. No Cloudflare Tunnels. No domain registrar.</p> <h2> What We're Building </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>┌──────────────────────────────────────────────┐ │ Your Server │ │ │ │ ┌──────────┐ ┌─────────────────────────┐ │ │ │ Tailscale │◄───│ network_mode: service │ │ │ │ Container │ │ (Postiz rides Tailscale's │ │ │ │ │ │ network stack) │ │ │ │ :443→5000 │ └─────────────────────────┘ │ │ └──────────┘ │ │ │ │ ▼ │ │ │ ┌─────────────────┐ │ │ │ │ Postiz App │ │ │ │ │ (port 5000) │ │ │ │ └────────┬────────┘ │ │ │ │ │ │ ▼ ▼ │ │ MagicDNS HTTPS ┌──────────────┐ │ │ postiz.tailXXXX │ PostgreSQL │ │ │ .ts.net │ Redis │ │ │ │ Temporal │ │ │ └──────────────┘ │ └──────────────────────────────────────────────┘ </code></pre> </div> <p>The key insight: Postiz doesn't expose any ports to the host. Instead, it uses <code>network_mode: service:tailscale</code> to piggyback on Tailscale's network stack. Tailscale handles DNS, HTTPS certificates, and the encrypted tunnel. Postiz just thinks it's serving HTTP on localhost.</p> <h2> Prerequisites </h2> <ul> <li>A Linux server (Ubuntu 24.04 recommended) with at least <strong>2GB RAM</strong> and <strong>2 vCPUs</strong> </li> <li>Docker and Docker Compose installed</li> <li>A [Tailscale](undefined account (free tier is fine)</li> <li>Basic comfort with editing YAML files</li> </ul> <h2> Step 1: Get Your Tailscale Auth Key </h2> <p>This is the key that lets your container join your Tailnet without manual authentication.</p> <ol> <li>Go to [Tailscale Admin Console → Settings → Keys](undefined</li> <li>Click <strong>Generate auth key</strong> </li> <li>Set it to <strong>Reusable</strong> and <strong>Ephemeral: Off</strong> </li> <li>Add a tag like <code>tag:containers</code> (you'll need this in your ACL later)</li> <li>Copy the key — it starts with <code>tskey-auth-</code> </li> </ol> <p><strong>Note:</strong> The free tier gives you 3 users and 100 devices. One container = one device, so you've got plenty of room.</p> <h2> Step 2: Clone the Postiz Docker Compose Repo </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone undefined <span class="nb">cd </span>postiz-docker-compose </code></pre> </div> <p>This gives you the base <code>docker-compose.yaml</code> plus the Temporal dynamic config files. Don't run it yet — we're going to modify it significantly.</p> <h2> Step 3: The Tailscale Service (This Is the Secret Sauce) </h2> <p>Add this service to your <code>docker-compose.yaml</code>. It sits <strong>above</strong> Postiz in the network stack:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">services</span><span class="pi">:</span> <span class="na">tailscale</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">tailscale/tailscale:latest</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">postiz-tailscale</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">unless-stopped</span> <span class="na">hostname</span><span class="pi">:</span> <span class="s">postiz</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">TS_AUTHKEY=tskey-auth-xxxxxxxxxxxxxxxxxxxx</span> <span class="pi">-</span> <span class="s">TS_EXTRA_ARGS=--advertise-tags=tag:containers</span> <span class="pi">-</span> <span class="s">TS_SERVE_CONFIG=/config/ts.json</span> <span class="pi">-</span> <span class="s">TS_STATE_DIR=/var/lib/tailscale</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./tailscale-state:/var/lib/tailscale</span> <span class="pi">-</span> <span class="s">./tailscale-config:/config</span> <span class="pi">-</span> <span class="s">/dev/net/tun:/dev/net/tun</span> <span class="na">cap_add</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">NET_ADMIN</span> <span class="pi">-</span> <span class="s">NET_RAW</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">CMD-SHELL"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">tailscale</span><span class="nv"> </span><span class="s">status</span><span class="nv"> </span><span class="s">--peers=false</span><span class="nv"> </span><span class="s">--json</span><span class="nv"> </span><span class="s">|</span><span class="nv"> </span><span class="s">grep</span><span class="nv"> </span><span class="s">-q</span><span class="nv"> </span><span class="s">'Online.*true'"</span><span class="pi">]</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">15s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">5s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">10</span> <span class="na">start_period</span><span class="pi">:</span> <span class="s">30s</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postiz-network</span> <span class="pi">-</span> <span class="s">temporal-network</span> </code></pre> </div> <p>What's happening here:</p> <ul> <li> <strong><code>TS_AUTHKEY</code></strong> authenticates the container to your Tailnet</li> <li> <strong><code>TS_EXTRA_ARGS</code></strong> advertises the <code>tag:containers</code> ACL tag</li> <li> <strong><code>TS_SERVE_CONFIG</code></strong> points to a JSON file that tells Tailscale how to route traffic</li> <li> <strong><code>/dev/net/tun</code></strong> is the kernel tunnel device — required for Tailscale to create its virtual network interface</li> <li> <strong><code>NET_ADMIN</code></strong> and <code>NET_RAW</code>** capabilities let Tailscale manipulate the network stack</li> <li>The <strong>healthcheck</strong> waits for Tailscale to report <code>Online: true</code> before Postiz starts</li> </ul> <h3> The Tailscale Serve Config </h3> <p>Create <code>tailscale-config/ts.json</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"TCP"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"443"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"HTTPS"</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Web"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"postiz.taila7d0df.ts.net:443"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Handlers"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"/"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Proxy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"undefined"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This tells Tailscale:</p> <ol> <li>Listen on port 443 (HTTPS)</li> <li>When a request comes in for <code>postiz.tailXXXX.ts.net</code>, proxy it to <code>undefined</code> (where Postiz listens)</li> </ol> <p><strong>Tailscale automatically provisions a Let's Encrypt certificate</strong> for <code>*.ts.net</code> domains. You get HTTPS with zero configuration.</p> <blockquote> <p>⚠️ Replace <code>postiz.taila7d0df.ts.net</code> with your actual Tailscale MagicDNS name. You can find it in the Tailscale admin console under the machine's details, or run <code>tailscale status</code> once the container is up.</p> </blockquote> <h2> Step 4: The Postiz Service — Env Vars That Actually Matter </h2> <p>Here's the Postiz service, modified to work with Tailscale. This is where the docs fall short.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">postiz</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">ghcr.io/gitroomhq/postiz-app:v2.21.8</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">postiz</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">network_mode</span><span class="pi">:</span> <span class="s">service:tailscale</span> <span class="c1"># ← THIS IS THE KEY LINE</span> <span class="na">environment</span><span class="pi">:</span> <span class="c1"># === URLs — MUST match your Tailscale MagicDNS name</span> <span class="na">MAIN_URL</span><span class="pi">:</span> <span class="s1">'</span><span class="s">undefined'</span> <span class="na">FRONTEND_URL</span><span class="pi">:</span> <span class="s1">'</span><span class="s">undefined'</span> <span class="na">NEXT_PUBLIC_BACKEND_URL</span><span class="pi">:</span> <span class="s1">'</span><span class="s">undefined'</span> <span class="c1"># === Database &amp; Redis</span> <span class="na">JWT_SECRET</span><span class="pi">:</span> <span class="s1">'</span><span class="s">your-random-secret-string-here'</span> <span class="na">DATABASE_URL</span><span class="pi">:</span> <span class="s1">'</span><span class="s">postgresql://postiz-user:postiz-password@postiz-postgres:5432/postiz-db-local'</span> <span class="na">REDIS_URL</span><span class="pi">:</span> <span class="s1">'</span><span class="s">redis://postiz-redis:6379'</span> <span class="c1"># === Internal Communication (CRITICAL!)</span> <span class="na">BACKEND_INTERNAL_URL</span><span class="pi">:</span> <span class="s1">'</span><span class="s">http://localhost:3000'</span> <span class="na">TEMPORAL_ADDRESS</span><span class="pi">:</span> <span class="s1">'</span><span class="s">temporal:7233'</span> <span class="c1"># === Feature Flags</span> <span class="na">IS_GENERAL</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="na">DISABLE_REGISTRATION</span><span class="pi">:</span> <span class="s1">'</span><span class="s">false'</span> <span class="na">RUN_CRON</span><span class="pi">:</span> <span class="s1">'</span><span class="s">true'</span> <span class="na">NOT_SECURED</span><span class="pi">:</span> <span class="s1">'</span><span class="s">false'</span> <span class="c1"># === Storage (Cloudflare R2)</span> <span class="na">STORAGE_PROVIDER</span><span class="pi">:</span> <span class="s1">'</span><span class="s">cloudflare'</span> <span class="na">CLOUDFLARE_ACCOUNT_ID</span><span class="pi">:</span> <span class="s1">'</span><span class="s">your-account-id'</span> <span class="na">CLOUDFLARE_ACCESS_KEY</span><span class="pi">:</span> <span class="s1">'</span><span class="s">your-access-key'</span> <span class="na">CLOUDFLARE_SECRET_ACCESS_KEY</span><span class="pi">:</span> <span class="s1">'</span><span class="s">your-secret-key'</span> <span class="na">CLOUDFLARE_BUCKETNAME</span><span class="pi">:</span> <span class="s1">'</span><span class="s">your-bucket-name'</span> <span class="na">CLOUDFLARE_BUCKET_URL</span><span class="pi">:</span> <span class="s1">'</span><span class="s">undefined'</span> <span class="na">CLOUDFLARE_REGION</span><span class="pi">:</span> <span class="s1">'</span><span class="s">auto'</span> <span class="c1"># === Platform API Keys (fill in the platforms you use)</span> <span class="na">X_API_KEY</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">X_API_SECRET</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">LINKEDIN_CLIENT_ID</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">LINKEDIN_CLIENT_SECRET</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="c1"># ... (add keys for platforms you want to use)</span> <span class="c1"># === Misc</span> <span class="na">OPENAI_API_KEY</span><span class="pi">:</span> <span class="s1">'</span><span class="s">'</span> <span class="na">API_LIMIT</span><span class="pi">:</span> <span class="m">30</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postiz-config:/config/</span> <span class="pi">-</span> <span class="s">postiz-uploads:/uploads/</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="na">tailscale</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">postiz-postgres</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> <span class="na">postiz-redis</span><span class="pi">:</span> <span class="na">condition</span><span class="pi">:</span> <span class="s">service_healthy</span> </code></pre> </div> <h3> The Env Vars That Cost Me an Afternoon </h3> <p>Here's what the official docs don't emphasize enough:</p> <h4> 1. <code>BACKEND_INTERNAL_URL: 'http://localhost:3000'</code> </h4> <p><strong>This is the most important env var you've never heard of.</strong> Postiz's server-side code makes API calls to itself. If this is wrong, OAuth callbacks fail silently, image uploads break, and you get mysterious 500 errors with no useful logs.</p> <p>Always set this to <code>http://localhost:3000</code> — <strong>not</strong> your public URL. The app listens on port 3000 internally. The <code>network_mode: service:tailscale</code> trick means Tailscale's port 5000 (or 443) proxies to this internal port. But the <em>app itself</em> needs to reach itself at <code>localhost:3000</code>.</p> <h4> 2. <code>NEXT_PUBLIC_BACKEND_URL</code> <strong>MUST</strong> end with <code>/api</code> </h4> <p>This is the URL your browser uses to talk to the backend. If you forget the <code>/api</code> suffix, the frontend loads but every API call returns a 404. You'll stare at a blank dashboard wondering why nothing works.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>✅ NEXT_PUBLIC_BACKEND_URL: 'undefined' ❌ NEXT_PUBLIC_BACKEND_URL: 'undefined' </code></pre> </div> <p>The <code>/api</code> suffix is how the Next.js frontend routes API requests. Without it, the frontend sends requests to <code>/graphql</code> instead of <code>/api/graphql</code>, and nothing resolves.</p> <h4> 3. <code>MAIN_URL</code> and <code>FRONTEND_URL</code> must be identical </h4> <p>In most web apps, these can be different. In Postiz, they interact with OAuth redirects, cookie domains, and CORS in ways that are not fully documented. Set them both to your full HTTPS URL and save yourself the debugging.</p> <h4> 4. <code>RUN_CRON: 'true'</code> </h4> <p>Without this, your scheduled posts will never publish. Postiz uses an internal cron system (backed by Temporal) to fire posts at their scheduled time. If this is <code>false</code> or missing, posts sit in the queue forever.</p> <h4> 5. <code>NOT_SECURED: 'false'</code> </h4> <p>When running behind a reverse proxy (Tailscale, in our case), this tells Postiz "trust the upstream HTTPS, don't enforce your own." If you set it to <code>true</code>, you'll get redirect loops and mixed content warnings.</p> <h2> Step 5: The Supporting Cast (PostgreSQL, Redis, Temporal) </h2> <p>Postiz needs Temporal for scheduling. The minimum stack looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code> <span class="na">postiz-postgres</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:17-alpine</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">postiz-postgres</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">POSTGRES_PASSWORD</span><span class="pi">:</span> <span class="s">postiz-password</span> <span class="na">POSTGRES_USER</span><span class="pi">:</span> <span class="s">postiz-user</span> <span class="na">POSTGRES_DB</span><span class="pi">:</span> <span class="s">postiz-db-local</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postgres-volume:/var/lib/postgresql/data</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postiz-network</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="s">pg_isready -U postiz-user -d postiz-db-local</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">3s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">3</span> <span class="na">postiz-redis</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">redis:7.2</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">postiz-redis</span> <span class="na">restart</span><span class="pi">:</span> <span class="s">always</span> <span class="na">healthcheck</span><span class="pi">:</span> <span class="na">test</span><span class="pi">:</span> <span class="s">redis-cli ping</span> <span class="na">interval</span><span class="pi">:</span> <span class="s">10s</span> <span class="na">timeout</span><span class="pi">:</span> <span class="s">3s</span> <span class="na">retries</span><span class="pi">:</span> <span class="m">3</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postiz-redis-data:/data</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">postiz-network</span> <span class="c1"># Temporal stack (required for scheduled publishing)</span> <span class="na">temporal-postgresql</span><span class="pi">:</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">temporal-postgresql</span> <span class="na">image</span><span class="pi">:</span> <span class="s">postgres:16</span> <span class="na">environment</span><span class="pi">:</span> <span class="na">POSTGRES_PASSWORD</span><span class="pi">:</span> <span class="s">temporal</span> <span class="na">POSTGRES_USER</span><span class="pi">:</span> <span class="s">temporal</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">temporal-network</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">/var/lib/postgresql/data</span> <span class="na">temporal</span><span class="pi">:</span> <span class="na">container_name</span><span class="pi">:</span> <span class="s">temporal</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s1">'</span><span class="s">7233:7233'</span> <span class="na">image</span><span class="pi">:</span> <span class="s">temporalio/auto-setup:1.28.1</span> <span class="na">depends_on</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">temporal-postgresql</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">DB=postgres12</span> <span class="pi">-</span> <span class="s">DB_PORT=5432</span> <span class="pi">-</span> <span class="s">POSTGRES_USER=temporal</span> <span class="pi">-</span> <span class="s">POSTGRES_PWD=temporal</span> <span class="pi">-</span> <span class="s">POSTGRES_SEEDS=temporal-postgresql</span> <span class="pi">-</span> <span class="s">DYNAMIC_CONFIG_FILE_PATH=config/dynamicconfig/development-sql.yaml</span> <span class="na">networks</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">temporal-network</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./dynamicconfig:/etc/temporal/config/dynamicconfig</span> </code></pre> </div> <p><strong>Why Temporal?</strong> Postiz uses Temporal for its background job engine. When you schedule a post for "tomorrow at 2 PM," a Temporal workflow sleeps until the right time, then fires the publishing pipeline. Without Temporal running, cron jobs work but scheduled publishing silently fails.</p> <blockquote> <p>💡 <strong>Resource tip:</strong> Temporal + its PostgreSQL can consume 500MB-1GB RAM. If you're on a tight VPS, consider running Temporal on a separate machine or scaling down to 1GB RAM (set <code>ES_JAVA_OPTS=-Xms100m -Xmx100m</code> if using Elasticsearch).</p> </blockquote> <h2> Step 6: Networks and Volumes </h2> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">volumes</span><span class="pi">:</span> <span class="na">postgres-volume</span><span class="pi">:</span> <span class="na">external</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">postiz-redis-data</span><span class="pi">:</span> <span class="na">external</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">postiz-config</span><span class="pi">:</span> <span class="na">external</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">postiz-uploads</span><span class="pi">:</span> <span class="na">external</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">networks</span><span class="pi">:</span> <span class="na">postiz-network</span><span class="pi">:</span> <span class="na">external</span><span class="pi">:</span> <span class="kc">false</span> <span class="na">temporal-network</span><span class="pi">:</span> <span class="na">driver</span><span class="pi">:</span> <span class="s">bridge</span> <span class="na">name</span><span class="pi">:</span> <span class="s">temporal-network</span> </code></pre> </div> <p>Two separate networks keep Postiz app data and Temporal data isolated. The Tailscale container bridges both networks so Postiz (which rides on Tailscale) can reach Temporal at <code>temporal:7233</code>.</p> <h2> Step 7: Bring It Up </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Make the directories Tailscale needs</span> <span class="nb">mkdir</span> <span class="nt">-p</span> tailscale-state tailscale-config <span class="c"># Create the Tailscale serve config (edit the hostname!)</span> <span class="nb">cat</span> <span class="o">&gt;</span> tailscale-config/ts.json <span class="o">&lt;&lt;</span> <span class="sh">'</span><span class="no">EOF</span><span class="sh">' { "TCP": { "443": { "HTTPS": true } }, "Web": { "postiz.YOUR-TAILNET.ts.net:443": { "Handlers": { "/": { "Proxy": "undefined" } } } } } </span><span class="no">EOF </span><span class="c"># Start everything</span> docker compose up <span class="nt">-d</span> </code></pre> </div> <p>Wait about 60-90 seconds for everything to initialize. Tailscale needs to authenticate, provision certificates, and report healthy. Postgres and Redis need to accept connections. Temporal needs to set up its schemas.</p> <p>Watch the logs to see what's happening:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Watch all services</span> docker compose logs <span class="nt">-f</span> <span class="c"># Just Postiz</span> docker compose logs <span class="nt">-f</span> postiz <span class="c"># Just Tailscale (see if it authenticated)</span> docker compose logs <span class="nt">-f</span> tailscale </code></pre> </div> <h2> Verifying Everything Works </h2> <h3> 1. Check Tailscale connectivity </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>docker <span class="nb">exec </span>postiz-tailscale tailscale status </code></pre> </div> <p>You should see the container listed as <code>online</code> with your MagicDNS name.</p> <h3> 2. Check Postiz health </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-I</span> undefined </code></pre> </div> <p>Should return <code>HTTP/2 200</code>. If it hangs, Tailscale isn't online yet — check the logs.</p> <h3> 3. Open it in your browser </h3> <p>Navigate to <code>undefined</code>. You should see the Postiz login page. Register your admin account.</p> <p><strong>Important:</strong> After registering, immediately add your social platform integrations from the dashboard. The platform API keys you put in <code>docker-compose.yaml</code> enable backend communication, but you still need to connect each platform through the UI.</p> <h2> The Complete Gotcha List </h2> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Gotcha</th> <th>Symptom</th> <th>Fix</th> </tr> </thead> <tbody> <tr> <td>Missing <code>/api</code> in <code>NEXT_PUBLIC_BACKEND_URL</code> </td> <td>Dashboard loads but no data, 404s in console</td> <td>Add <code>/api</code> suffix</td> </tr> <tr> <td>Wrong <code>BACKEND_INTERNAL_URL</code> </td> <td>OAuth callbacks fail, uploads silently break</td> <td>Set to <code>http://localhost:3000</code> </td> </tr> <tr> <td> <code>RUN_CRON</code> not set</td> <td>Scheduled posts never publish</td> <td>Add <code>RUN_CRON: 'true'</code> </td> </tr> <tr> <td> <code>MAIN_URL</code> ≠ <code>FRONTEND_URL</code> </td> <td>CORS errors, cookie issues</td> <td>Make them identical</td> </tr> <tr> <td>Tailscale healthcheck too aggressive</td> <td>Postiz starts before Tailscale is ready</td> <td>Increase <code>start_period</code> to 60s</td> </tr> <tr> <td>Port 5000 exposed directly</td> <td>Bypasses Tailscale entirely</td> <td>Comment out/remove <code>ports</code> from Postiz</td> </tr> <tr> <td>Temporal not running</td> <td>Scheduling silently fails</td> <td>Ensure <code>TEMPORAL_ADDRESS</code> points to the right container</td> </tr> </tbody> </table></div> <h2> Why Go Through All This? </h2> <p>You could use Postiz Cloud. It's great. But here's why I self-host:</p> <ol> <li><p><strong>Data ownership.</strong> Every API token, every scheduled post, every analytics data point lives on <em>my</em> server. Not someone else's.</p></li> <li><p><strong>No monthly SaaS fee.</strong> The only costs are my VPS and API usage. Postiz itself is free.</p></li> <li><p><strong>Tailscale means zero firewall configuration.</strong> I don't expose port 443 to the internet. I don't configure nginx. Tailscale's WireGuard tunnel handles all of it. My server could sit behind a NAT with no public IP and this would still work.</p></li> <li><p><strong>Platform API key security.</strong> All API keys live in environment variables on my server. They never touch Postiz's cloud. Given that these keys have write access to my social accounts, this matters.</p></li> <li><p><strong>Learning.</strong> Setting this up taught me more about Docker networking, Tailscale Serve, and Next.js deployment patterns than any tutorial could.</p></li> </ol> <h2> What's Next? </h2> <p>Now that Postiz is running, here's what I'm building on top of it:</p> <ul> <li> <strong>Hermes Agent integration:</strong> An AI agent that drafts posts using my voice, uploads them via the Postiz CLI, and schedules them. Zero manual posting.</li> <li> <strong>Analytics pipeline:</strong> Postiz's built-in analytics fed into a dashboard that tracks what's working across platforms.</li> <li> <strong>Multi-user setup:</strong> Adding collaborators through Postiz's team features, all behind the same Tailscale barrier.</li> </ul> <p><strong>What about you?</strong> Are you self-hosting your social media tooling, or do you trust the cloud providers? I'm genuinely curious — every self-hoster I've met has a story about the one time their config broke at 2 AM. Drop yours in the comments.</p> devops opensource tutorial beginners