I'm an avid note taker and have migrated through a series of different tools to take notes, some proprietary and some open source. I've gone through Quiver, Inkdrop, Agenda, and recently I migrated everything to Joplin. But I wanted to be able to sync my notes between devices and I didn't want it anywhere accessible to the public. Since I run TrueNAS Scale at home, and there's a TrueCharts application for the beta Joplin Server... I figured it was worth a shot.

It worked great and I've been syncing the Joplin client on my desktop to the TrueNAS-based Joplin Server for some time but not without HTTPS, which wasn't really an issue since it was only available in my home network and the notes are encrypted, but I was having issues trying to get Joplin on my iPad to work and from what I'd read, having it sync over HTTPS rather than HTTP was the way to resolve it.

Took a bit of time and effort, had to change the TrueNAS Scale system from being a single-IP via DHCP to a static IP with an alias, to bind all the kubernetes applications to the second IP address, setting up another wildcard Let's Encrypt certificate to work with Traefik (which I also installed as an application). Now I can connect to Joplin Server and my PiHole application via HTTPS on their own dedicated subdomain. It's actually quite slick.

My main reason for noting this here is because I have a terrible memory (hence the long journey through a number of note-taking applications!) and I wanted to reference this YouTub video: Secure HTTPS for all your TrueNAS Scale Apps (traefik) which was an amazing help and got me through the setup pretty quickly.

I find some of the application configuration to be quite overwhelming, so noting here the most important pieces to remember when configuring an application to use Traefik in your applications.

Under Networking and Services you want to set the "Service Type" to ClusterIP (Do Not Expose Ports) because Traefik is your ingress service, so only expose the application to the internal kubernetes network.

Under Ingress you want to tick Enable Ingress under the "Main Ingress" section. You'll need to add a Host and give it a HostName to reach the application on (i.e. joplin.subdomain.mynetwork.com or whatever (in this example I'd have a Let's Encrypt wildcard certificate for *.subdomain.mynetwork.com. You need to add a Path but it will typically just be /.

Under TLS Settings you want to add a Certificate Host which will have the same hostname as your main ingress host above (joplin.subdomain.mynetwork.com). In the "Use TrueNAS SCALE Certificate (Deprecated)" you want to select your wildcard Let's Encrypt certifcate. Not sure why it's labelled "depricated" because it works (maybe it goes away in the future?).

The rest can pretty much be left alone. So even though Joplin Server listens to port 22300, doing the above you can connect on port 443 of the wildcard domain, using HTTPS, and synchronize just fine.

Obnoxiously, the iPad client is throwing a different error now:

Last error: Error: Error 404 Not Found: Invalid origin:
http://joplin.subdomain.mynetwork.com:443

This error makes no sense as I have the Joplin Server URL in the iPad client set to https://, not http:// ... so something to figure out later I suppose.

At any rate, I didn't get it precisely where I wanted it, but now it has full end-to-end encryption and I can configure PiHole over TLS which always makes me happier.