Using tailscale with nginx - managing SSL certs

So I wanted a free way to access my Home Assistant Green from outside my home network. I ended up using tailscale, but only after I’d already set up duckdns for my GPS trackers. So my setup is a little weird, and probably unnecessary, but I didn’t want to break anything already existing (the duckdns access to traccar). As recommended in the setup for duckdns, I set up the nginx reverse proxy. So, when I went to configure the funnel for tailscale, it took a little finagling with Nginx to get it working. Basically, tailscale would not start until nginx allowed it through. So I had to turn off nginx, start tailscale, and then go into the tailscale docker container to run tailscale cert and get ssl certs, put those in /ssl/ and then set up nginx to use custom servers for tailscale, which pointed to these certs in order to start it up. Then everything worked! Great! Except… tailscale states that if you manually run tailscale cert, you’re responsible for manually renewing these certs. But I know that if you let tailscale handle the certs on its own, then it will handle the renewal.
I managed to locate the auto-created certs in the tailscale docker container under /data/state/certs/, but here’s my question:
Is there a way to copy/link/etc. these certs inside the docker container to somewhere outside the container where nginx would be able to reference them? Ideally it would be a solution that can be scripted or otherwise automated so that I don’t have to remember to do it manually.
The side question to this is: is there a better way to do this?

Thanks, everyone, for creating this community! It’s exactly what I was looking for for years without knowing it.

So in the grand tradition of rubber duck debugging, I asked the question, and then I figured something out myself.

It turns out it’s trivial to copy something from within a docker container to a bind mount. On HAOS, it turns out that /share/ is one of those bind mounts, so it can be used to ferry files in and out of a running container.

So my solution was to write a bash script that copies the cert files out of /data/state/certs/ within the tailscale docker container to /share/. Then the script moves them to the /ssl/ directory, and then it fixes permissions (to 600). This script I stored in the /config/ directory to make sure it’s persistent (its permissions need to be set to 755 (or at least 700)).

Great, the script runs fine when called from the CLI, but how to automate it? You can’t run it from an HA automation, because those run from within the homeassistant container, which doesn’t have the docker command installed. So the solution I found was to use crond from inside the Advanced SSH & Web Terminal add-on. This will need protection mode turned off for this to work. The add-on actually has crond installed already, and everything set up to be used, but it just doesn’t start the daemon. So, just launch the crond daemon from the add-on’s init commands with:

sudo crond -b

Then set another init command to copy the script to somewhere that crond can find it:

cp /config/NAME_OF_YOUR_SCRIPT.sh /etc/periodic/daily/

Restart the SSH add-on for these changes to take effect. Then the script is automatically run every day by crond, which will copy the certs from outside the tailscale container to the /ssl/ directory, where any other component of HAOS will expect to find it. You don’t have to worry about renewing the certs, because tailscale will handle that since it is using its default setup and knows where the certs are located. tailscale will handle this process at whatever frequency it’s set up to do; we don’t have to worry about it at all. We have just made sure that we re-copy the certs to our communally accessible location every day, so they will always match the certs that are stored within the tailscale container.

I can provide more details if anyone’s interested, but i’ll leave this as-is unless there’s some interest.

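Here is one way to write the daily script described above, as an added example rather than the poster's own script. It copies the Tailscale-managed certs out through the /share bind mount, installs only the files that actually changed into /ssl with mode 600, and restarts nginx only when something changed; the container name (`addon_tailscale`), the nginx add-on slug (`core_nginx_proxy`) and the script name `sync-ts-certs.sh` are assumptions to adjust for your install.

```shell
#!/bin/sh
# Added example, not the poster's script: copies the certs Tailscale keeps under
# /data/state/certs in its add-on container out to /ssl via the /share bind mount,
# replacing only changed files and keeping them mode 600. Assumptions are marked.
set -eu

TS_CONTAINER="${TS_CONTAINER:-addon_tailscale}"   # assumption: name of your Tailscale container
TS_CERT_DIR="/data/state/certs"                   # where the post found the auto-managed certs
STAGING="${STAGING:-/share/tailscale-certs}"      # /share is a bind mount visible from both sides
SSL_DIR="${SSL_DIR:-/ssl}"

# Pull the whole cert directory out of the container into the staging mount.
stage_certs() {
    mkdir -p "$STAGING"
    docker cp "$TS_CONTAINER:$TS_CERT_DIR/." "$STAGING/"
}

# Install *.crt / *.key from $1 (default $STAGING) into $2 (default $SSL_DIR).
# Prints how many files were new or changed, so the caller can decide whether
# nginx needs a restart; unchanged files are left in place with perms re-asserted.
install_certs() {
    src="${1:-$STAGING}"; dst="${2:-$SSL_DIR}"; changed=0
    for f in "$src"/*.crt "$src"/*.key; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ -f "$dst/$name" ] && cmp -s "$f" "$dst/$name"; then
            chmod 600 "$dst/$name"
            continue
        fi
        # Copy to a temp file, fix the mode, then rename atomically so nginx
        # never opens a half-written key.
        tmp="$dst/.$name.tmp"
        cp "$f" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dst/$name"
        changed=$((changed + 1))
    done
    echo "$changed"
}

main() {
    stage_certs
    n=$(install_certs)
    rm -f "$STAGING"/*.key        # don't leave the private key lying around in /share
    echo "$n cert file(s) updated in $SSL_DIR"
    if [ "$n" -gt 0 ]; then
        ha addons restart core_nginx_proxy   # assumption: slug of the nginx proxy add-on
    fi
}

# Only run when invoked under this name (the copy in /etc/periodic/daily), so the
# functions above can also be sourced and checked on their own.
case "${0##*/}" in sync-ts-certs.sh) main ;; esac
```

Save it as /config/sync-ts-certs.sh (mode 755) and point the cp init command at that name; `docker ps` from the SSH add-on shows the real Tailscale container name to put in TS_CONTAINER.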