// install & deploy / tailscale

Install PlikShare with Tailscale.

Run PlikShare entirely inside your tailnet. No ports open to the internet, no TLS certificate to manage — WireGuard already encrypts every byte between your devices.

Public share links won't work outside your tailnet. PlikShare is only reachable by devices that have joined your Tailscale network and have permission to access this server. If you need to send files to people who aren't on Tailscale, pick Caddy, Nginx or Cloudflare Tunnel instead.
one-line install
sudo /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/damian-krychowski/plikshare/refs/heads/main/deployment/plikshare-install-tailscale.sh)"

Prefer to read before you run? Inspect the script on GitHub first.

Before you run it

  1. A Tailscale account. Free for personal use, up to 100 devices and 3 users. Sign up at tailscale.com with Google, GitHub or any OIDC provider.
  2. An auth key. In the Tailscale admin console go to Settings → Keys → Generate auth key. Pre-authorized + tagged keys are recommended so the server joins automatically without a manual approval step. The install script will ask you for this key.

No domain name, no DNS records and no certificate are needed. Tailscale's MagicDNS gives the server a hostname inside your tailnet automatically.

What the script does

  1. Installs prerequisites - Docker plus the Tailscale daemon.
  2. Joins the tailnet - authenticates the server with your auth key. After this the box has a tailnet IP and a MagicDNS hostname.
  3. Collects setup details - admin email, initial admin password, encryption passwords and storage volumes. No domain prompt — the tailnet hostname is used.
  4. Installs PlikShare - generates a Docker Compose file with one service (PlikShare) bound to the tailnet interface. No reverse proxy, no exposed ports on the public network.
  5. Exposes PlikShare over HTTPS via Tailscale Serve - so any tailnet device can reach it at https://<hostname>.<your-tailnet>.ts.net. Certificates are issued automatically by Tailscale.
  6. Sets up cron jobs - optional nightly PlikShare updates.

When it finishes, every device on your tailnet can reach PlikShare. Devices that aren't on the tailnet cannot — that's the whole point.

Adding more people

Invite each user to your tailnet from the Tailscale admin console. Once they install the Tailscale client and join, they will see the PlikShare hostname automatically and can sign in like any other PlikShare user. Use Tailscale ACLs if you want to restrict which devices on the tailnet are allowed to reach the PlikShare server.

Want to adjust the configuration?

Every environment variable, volume layout and the update procedure are documented on the manual configuration page.

Manual configuration →
// talk to a human

Rather not run it yourself?

If you'd like a hand getting PlikShare running, or you want it fully managed by someone else, let's have a quick chat.

  • Initial setup on your server - Docker, SSL, reverse proxy
  • Storage (S3 / R2 / B2 / Azure / GCS) and email provider
  • Ongoing updates, backups and migrations