Server on GitHub · iOS beta on TestFlight

Your whole stack,
on your tailnet.
Nothing exposed.

Tailarr is two halves of one idea. A server that deploys your self-hosted services as first-class Tailscale devices, and an iOS app with Tailscale embedded inside it. No open ports, no reverse proxy, no VPN toggle — end to end.

Free & open source · Sonarr · Radarr · Lidarr · SABnzbd · NZBGet · Tautulli · anything in a container

sonarrsonarr.tail1a2b.ts.nethttps
radarrradarr.tail1a2b.ts.nethttps
lidarrlidarr.tail1a2b.ts.nethttps
sabnzbdsabnzbd.tail1a2b.ts.nethttps
tautullitautulli.tail1a2b.ts.nethttps

Tailarr Server

Tailarr tailnet
Sonarr
Radarr
Lidarr
SABnzbd
NZBGet
Tautulli

Tailarr for iOS

Self-hosting remotely used to mean picking your poison — port forwarding, a reverse proxy + TLS certs + auth layer, or a VPN toggle you forget to flip.

Tailarr skips all of it. The tailnet is the stack.

The suite

Two halves. One system.

Each stands on its own — the server works with any browser on your tailnet, and the app works with any tailnet-reachable service. But the combo is the point: deploy on one end, carry the other in your pocket.

Tailarr Server

The backend — deploy services as tailnet devices

  • One line to install on any Debian/Ubuntu box, VM, or container — even a Mac via apple/container.
  • Podman pods, no daemon. Every deployment is a plain shell script you can read before you run it.
  • Each service gets its own hostname, MagicDNS name, HTTPS certificate, and ACL identity on your tailnet.
  • Click-to-install catalog in a web UI that is itself just a tailnet-only pod.
TS_AUTHKEY=tskey-... bash -c "$(curl -fsSL https://raw.githubusercontent.com/scs32/tailarr-server/main/install.sh)"
tailarr-server on GitHub →

Tailarr for iOS

The frontend — your stack in your pocket

  • Full remote control for Sonarr, Radarr, Lidarr, SABnzbd, NZBGet, and Tautulli.
  • Tailscale runs in-process (tsnet) — no system VPN profile, no toggle in iOS Settings.
  • Authenticate once; the node's identity persists on-device. Single-use keys are fine.
  • Open beta on TestFlight, built on the bones of LunaSea.
Tailarr for iOS on GitHub →

Deploy on the server. Control from the app. Share with your people.
Never touch the public internet.

How it works

One key. One line. Zero yaks shaved.

A Tailscale sidecar joins your tailnet for every pod, and the app runs its own node in-process. The connection lives inside the system — not in your firewall rules or your phone's VPN settings.

  1. Bootstrap the server

    One command installs podman and the Tailarr controller, and enrolls it on your tailnet. Open the catalog at tailarr.your-tailnet.ts.net and install services with a click.

  2. Services become devices

    Every pod joins the tailnet under its own name — sonarr.your-tailnet.ts.net — with automatic HTTPS and its own line in your ACLs. Nothing is published on any network.

  3. Open the app. It's all there.

    Tailarr for iOS joins the same tailnet — paste an auth key once and its identity persists. From your couch or another continent, your stack is one tap away.

Features

The whole stack, end to end

From how services are deployed to how you reach them from the couch — every layer assumes the tailnet, so no layer needs a public face.

Sonarr Radarr Lidarr SABnzbd NZBGet Tautulli + any container, via the catalog

Run your services, properly

Queues, calendars, search, history, quality profiles — full remote control for the whole *arr suite in a native-feel iOS app.

Per-service tailnet identity

Every pod is its own device: its own MagicDNS name, its own ts.net HTTPS certificate, its own line in your ACLs. Your tailnet sees services, not a box.

Zero exposure, anywhere

No forwarded ports, no reverse proxy, no published ports on your LAN — and no port conflicts, ever. Outside your tailnet, none of it exists.

Daemonless & readable

Podman pods, no Docker daemon. Every deployment the server generates is a plain shell script — run.sh, stop.sh, diagnose.sh — you can read before you trust.

Tailscale inside, not alongside

The app runs a tsnet node in-process; each pod gets a Tailscale sidecar. No system VPN profile on your phone, no tailscaled to babysit per service.

Open source, all of it

The server, the app, the install script it pipes to your shell — every line is public. Audit it, build it, fork it.

Security

Private by architecture,
not by configuration

Most remote-access setups are secure until you misconfigure them. Tailarr's model has nothing to misconfigure — there is no public surface at all, on any layer.

End-to-end WireGuard®

Every request rides an encrypted tunnel from your phone to the exact pod serving it, with an automatic ts.net certificate on top. Coordination servers exchange keys — they never see traffic.

ACLs at the service level

Because each service is its own tailnet device, Tailscale ACLs scope per service — grant a device access to Jellyfin without it ever seeing Sonarr, the web UI, or the host.

Invisible to the internet

No open ports means no scans, no bots hammering a login page, no zero-day in a reverse proxy to lose sleep over. Auth keys live in mode-600 files, never in generated scripts.

Sharing

Built for the people you built it for

Self-hosting is a team sport. With per-service tailnet devices, giving family access doesn't mean punching holes in your firewall — or handing over the whole box.

FAQ

Questions, answered straight

Do I need both halves?

No — they're better together, but each stands alone. The app controls any Sonarr/Radarr/etc. reachable on your tailnet, however you deployed it. The server's services get HTTPS ts.net URLs any browser on your tailnet can open. The combo just removes every remaining rough edge.

Do I need the Tailscale app on my phone?

No. Tailarr for iOS embeds its own Tailscale node (via tsnet) inside the app. It joins your tailnet as its own device — no system-wide VPN profile, no toggle in iOS Settings, and no conflict if you do also run the Tailscale app.

What does the server need?

A Debian/Ubuntu host — a VM or container works great, including a Mac running a lightweight Linux guest via apple/container. The installer brings in podman; a Tailscale auth key is the only credential it asks for.

Is it free?

Yes. Both halves are free and open source. There's no pricing page because there's no price. Tailscale's own free tier covers personal use — you, your services, and the people you share with.

Is there an Android or web version of the app?

The app is iOS-only for now, in open beta on TestFlight. But every service the server deploys is also just a URL — sonarr.your-tailnet.ts.net — so any browser on your tailnet works today, on any platform.

How is this different from CasaOS or Umbrel?

Those put a dashboard on your LAN and publish ports. Tailarr Server puts nothing on your LAN: every service (including its own web UI) exists only as a tailnet device with automatic HTTPS. And it's daemonless podman generating readable shell scripts, not a black box.

How is the app different from LunaSea?

LunaSea is archived; Tailarr forks it, keeps it building, and adds the headline feature: a Tailscale node embedded in the app, so your services never need public exposure to be reachable.

Close the ports.
Keep the access.

One line for the server. One key for the app. Your stack, everywhere.