Add initial configuration files for Kavita with Tailscale sidecar

services/kavita/.env

@@ -0,0 +1,8 @@
+#version=1.0
+#url=https://github.com/2Tiny2Scale/tailscale-docker-sidecar-configs
+#COMPOSE_PROJECT_NAME= // only use in multiple deployments on the same infra
+SERVICE=kavita
+IMAGE_URL=jvmilazz0/kavita:latest
+SERVICEPORT=5000
+TS_AUTHKEY=
+DNS_SERVER=9.9.9.9

services/kavita/README.md

@@ -0,0 +1,28 @@
+# Kavita with Tailscale Sidecar Configuration
+
+This Docker Compose configuration sets up [Kavita](https://github.com/Kareadita/Kavita) with Tailscale as a sidecar container to securely serve your comics, manga, and ebooks over a private Tailscale network. By running Tailscale as a sidecar, you restrict access to your Kavita instance to devices authenticated on your Tailnet, avoiding public exposure.
+
+## Kavita
+
+[Kavita](https://github.com/Kareadita/Kavita) is an open-source, self-hosted digital library manager optimized for comics, manga, and ebooks. It provides a modern web UI for browsing collections, reading in-browser, managing metadata, and syncing reading progress across devices. Kavita supports multiple users, libraries, and common archive formats.
+
+## Key Features
+
+* **Library Management** – Organize comics, manga, and ebooks with metadata, tags, and collections.
+* **In-Browser Reader** – Read content directly in the browser with smooth navigation and zoom controls.
+* **Multi-User Support** – Create accounts with individualized reading progress and permissions.
+* **Archive Support** – Handles CBZ, CBR, EPUB, and other common formats.
+* **Self-Hosted & Private** – Keep your media on your infrastructure.
+* **Private by Default with Tailscale** – Access Kavita only from devices on your Tailnet.
+
+## Configuration Overview
+
+In this setup, the `tailscale-kavita` service runs the Tailscale client to join your private mesh network. The `kavita` service is configured with `network_mode: service:tailscale-kavita`, so all network traffic for Kavita is routed through the Tailscale container. This ensures the web UI and API are reachable only via your Tailscale network (or locally), adding an extra layer of privacy and security to your self-hosted library.
+
+## Files to check
+
+Please verify the following files and variables before deploying:
+
+* `.env` — define SERVICE, IMAGE_URL, SERVICEPORT, TS_AUTHKEY, etc.
+* `./config/serve.json` — optional Tailscale Serve configuration if you want to expose specific ports within the Tailnet.
+* `./kavita-data` — ensure persistent volumes for libraries and config are correctly mapped.

services/kavita/config/serve.json

@@ -0,0 +1,16 @@
+{
+  "TCP": {
+    "443": {
+      "HTTPS": true
+    }
+  },
+  "Web": {
+    "${TS_CERT_DOMAIN}:443": {
+      "Handlers": {
+        "/": {
+          "Proxy": "http://127.0.0.1:5000"
+        }
+      }
+    }
+  }
+}

services/kavita/docker-compose.yml

@@ -0,0 +1,58 @@
+services:
+# Make sure you have updated/checked the .env file with the correct variables. 
+# All the ${ xx } need to be defined there.
+  # Tailscale Sidecar Configuration
+  tailscale:
+    image: tailscale/tailscale:latest # Image to be used
+    container_name: tailscale-${SERVICE} # Name for local container management
+    hostname: ${SERVICE} # Name used within your Tailscale environment
+    environment:
+      - TS_AUTHKEY=${TS_AUTHKEY}
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_SERVE_CONFIG=/config/serve.json # Tailscale Serve configuration to expose the web interface on your local Tailnet - remove this line if not required
+      - TS_USERSPACE=false
+      - TS_ENABLE_HEALTH_CHECK=true              # Enable healthcheck endpoint: "/healthz"
+      - TS_LOCAL_ADDR_PORT=127.0.0.1:41234       # The <addr>:<port> for the healthz endpoint
+      #- TS_ACCEPT_DNS=true # Uncomment when using MagicDNS
+    volumes:
+      - ./config:/config # Config folder used to store Tailscale files - you may need to change the path
+      - ./ts/state:/var/lib/tailscale # Tailscale requirement - you may need to change the path
+    devices:
+      - /dev/net/tun:/dev/net/tun # Network configuration for Tailscale to work
+    cap_add:
+      - net_admin # Tailscale requirement
+    #ports:
+    #  - 0.0.0.0:${SERVICEPORT}:${SERVICEPORT} # Binding port ${SERVICE}PORT to the local network - may be removed if only exposure to your Tailnet is required
+    # If any DNS issues arise, use your preferred DNS provider by uncommenting the config below
+    #dns: 
+    #  - ${DNS_SERVER}
+    healthcheck:
+      test: ["CMD", "wget", "--spider", "-q", "http://127.0.0.1:41234/healthz"] # Check Tailscale has a Tailnet IP and is operational
+      interval: 1m # How often to perform the check
+      timeout: 10s # Time to wait for the check to succeed
+      retries: 3 # Number of retries before marking as unhealthy
+      start_period: 10s # Time to wait before starting health checks
+    restart: always
+
+  # ${SERVICE}
+  application:
+    image: ${IMAGE_URL} # Image to be used
+    network_mode: service:tailscale # Sidecar configuration to route ${SERVICE} through Tailscale
+    container_name: app-${SERVICE} # Name for local container management
+    environment:
+      - TZ=Europe/Amsterdam
+    volumes:
+      - ./${SERVICE}-data/manga:/manga
+      - ./${SERVICE}-data/comics:/comics
+      - ./${SERVICE}-data/books:/books
+      - ./${SERVICE}-data/config:/kavita/config
+    depends_on:
+      tailscale:
+        condition: service_healthy
+    healthcheck:
+      test: ["CMD", "pgrep", "-f", "${SERVICE}"] # Check if ${SERVICE} process is running
+      interval: 1m # How often to perform the check
+      timeout: 10s # Time to wait for the check to succeed
+      retries: 3 # Number of retries before marking as unhealthy
+      start_period: 30s # Time to wait before starting health checks
+    restart: always