A Docker Compose setup for running Firefly III personal finance manager with Tailscale VPN integration for secure remote access.
- Firefly III: Full-featured personal finance manager
- Data Importer: Import transactions from banks and financial institutions
- Tailscale VPN: Secure remote access without exposing ports
- Nginx Proxy: Unified access through a single Tailscale endpoint
- MariaDB: Reliable database backend
- Automated Cron: Scheduled tasks for recurring transactions
- Docker and Docker Compose installed
- A Tailscale account and auth key
- Basic understanding of Docker and environment variables
1. Clone the repository

   ```bash
   git clone https://github.com/yourusername/firefly-tailscale.git
   cd firefly-tailscale
   ```

2. Copy example environment files

   ```bash
   cp .env.example .env
   cp .db.env.example .db.env
   cp tailscale.env.example tailscale.env
   cp .importer.env.example .importer.env
   ```

3. Configure environment variables

   `.env` - Main Firefly III configuration:
   - Generate a 32-character `APP_KEY`: `openssl rand -base64 32 | head -c 32`
   - Generate a 32-character `STATIC_CRON_TOKEN`: `openssl rand -base64 32 | head -c 32`
   - Set `DB_PASSWORD` to a secure password

   `.db.env` - Database configuration:
   - Set `MYSQL_PASSWORD` to match `DB_PASSWORD` in `.env`

   `tailscale.env` - Tailscale configuration:
   - Get an auth key from https://login.tailscale.com/admin/settings/keys
   - Set `TS_AUTHKEY` to your Tailscale auth key
   - Optionally customize `TS_HOSTNAME`

   `.importer.env` - Data Importer configuration:
   - Set `VANITY_URL` to your Firefly III access URL
   - After starting Firefly III, create a Personal Access Token and set `FIREFLY_III_ACCESS_TOKEN`

4. Start the services

   ```bash
   docker compose up -d
   ```

5. Access Firefly III
   - Through Tailscale: `http://[tailscale-hostname]` (your configured hostname)
   - Locally: `http://localhost` (only when nginx is exposed)

6. Configure Data Importer
   - Create a Personal Access Token in Firefly III (Profile > OAuth > Personal Access Tokens)
   - Set the callback URL to `http://localhost:81/callback`
   - Uncheck "Confidential"
   - Add the token to `.importer.env`
   - Restart the importer: `docker compose restart importer`

```
┌─────────────────┐     ┌─────────────────┐
│    Tailscale    │     │      Nginx      │
│   (VPN/Mesh)    │────▶│ (Reverse Proxy) │
└─────────────────┘     └─────────────────┘
                                 │
                    ┌────────────┴────────────┐
                    │                         │
              ┌─────▼─────┐           ┌───────▼───────┐
              │Firefly III│           │ Data Importer │
              │   (App)   │           │               │
              └─────┬─────┘           └───────────────┘
                    │
              ┌─────▼─────┐
              │  MariaDB  │
              │ Database  │
              └───────────┘
```

When accessed through Tailscale:
- Firefly III: `http://[tailscale-hostname]/`
- Data Importer: `http://[tailscale-hostname]/importer/`

- Never commit real environment files - All `.env` files are gitignored
- Use strong passwords - Generate secure passwords for database access
- Protect your tokens - Keep your Tailscale auth key and Firefly access tokens secure
- Regular backups - Back up your database regularly

- Check logs: `docker compose logs -f [service-name]`
- Verify all required environment variables are set
- Ensure passwords match between `.env` and `.db.env`

- Verify Tailscale container is running: `docker compose ps tailscale`
- Check Tailscale status: `docker compose exec tailscale tailscale status`
- Ensure the device appears in your Tailscale admin console

- Verify `FIREFLY_III_ACCESS_TOKEN` is set correctly
- Check that `FIREFLY_III_URL` is `http://app:8080` (internal Docker networking)
- Ensure the token was created with the correct callback URL

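A pre-flight check for the configuration and troubleshooting steps above, as an added example that is not part of this repository: it verifies that the four env files exist and are not tracked by git, that `APP_KEY` and `STATIC_CRON_TOKEN` are 32 characters long, that the two database passwords match, and that `TS_AUTHKEY` and `FIREFLY_III_URL` are set as described. The function names `env_get` and `check_firefly_env` and the plain `KEY=value` parsing are assumptions of this example; messages report lengths only, never secret values.

```shell
#!/bin/sh
# Added example (not from the repository): pre-flight check of the four env
# files described above. Usage: check_firefly_env /path/to/firefly-tailscale

# Print KEY's value from an env file (last assignment wins, outer quotes stripped).
env_get() {  # env_get FILE KEY
  sed -n "s/^$2=//p" "$1" 2>/dev/null | tail -n 1 |
    sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Runs in a subshell, so its variables and helper do not leak into the caller.
# Exit status: 0 when every check passes, 1 otherwise.
check_firefly_env() (
  dir=$1
  problems=0
  fail() { echo "FAIL: $*" >&2; problems=$((problems + 1)); }

  for f in .env .db.env tailscale.env .importer.env; do
    if [ ! -f "$dir/$f" ]; then
      fail "$f is missing (copy it from $f.example)"
    elif git -C "$dir" ls-files --error-unmatch "$f" >/dev/null 2>&1; then
      fail "$f is tracked by git; real env files must stay untracked"
    fi
  done

  # Both secrets are documented as exactly 32 characters.
  for key in APP_KEY STATIC_CRON_TOKEN; do
    val=$(env_get "$dir/.env" "$key")
    [ "${#val}" -eq 32 ] || fail "$key has ${#val} characters, expected 32"
  done

  # The app and the database container must agree on the password.
  db_pw=$(env_get "$dir/.env" DB_PASSWORD)
  [ -n "$db_pw" ] || fail "DB_PASSWORD is empty in .env"
  [ "$db_pw" = "$(env_get "$dir/.db.env" MYSQL_PASSWORD)" ] ||
    fail "DB_PASSWORD (.env) and MYSQL_PASSWORD (.db.env) differ"

  [ -n "$(env_get "$dir/tailscale.env" TS_AUTHKEY)" ] ||
    fail "TS_AUTHKEY is empty in tailscale.env"

  url=$(env_get "$dir/.importer.env" FIREFLY_III_URL)
  [ "$url" = "http://app:8080" ] ||
    fail "FIREFLY_III_URL is '$url', expected http://app:8080"

  [ "$problems" -eq 0 ]
)
```

Source the file and run `check_firefly_env .` from the repository root before `docker compose up -d`; a non-zero exit status means at least one `FAIL:` line was printed to stderr.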
```bash
docker compose exec db mysqldump -u firefly -p firefly > backup.sql
```

```bash
docker compose pull
docker compose up -d
```

```bash
docker compose logs -f
```

Contributions are welcome! Please submit pull requests or open issues for any improvements.

This Docker Compose configuration is provided as-is. Firefly III is licensed under the AGPL-3.0 License.