df37d1a639
Websockets, in which DERP is based, requires a TLS certificate. At the same time, if we use a certificate it must be valid... otherwise Tailscale wont connect (does not have an Insecure option). So there is no option to expose insecure here
207 lines
6.1 KiB
YAML
207 lines
6.1 KiB
YAML
---
|
|
# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
|
|
#
|
|
# - `/etc/headscale`
|
|
# - `~/.headscale`
|
|
# - current working directory
|
|
|
|
# The url clients will connect to.
|
|
# Typically this will be a domain like:
|
|
#
|
|
# https://myheadscale.example.com:443
|
|
#
|
|
server_url: http://127.0.0.1:8080
|
|
|
|
# Address to listen to / bind to on the server
|
|
#
|
|
listen_addr: 0.0.0.0:8080
|
|
|
|
# Address to listen to /metrics, you may want
|
|
# to keep this endpoint private to your internal
|
|
# network
|
|
#
|
|
metrics_listen_addr: 127.0.0.1:9090
|
|
|
|
# Address to listen for gRPC.
|
|
# gRPC is used for controlling a headscale server
|
|
# remotely with the CLI
|
|
# Note: Remote access _only_ works if you have
|
|
# valid certificates.
|
|
grpc_listen_addr: 0.0.0.0:50443
|
|
|
|
# Allow the gRPC admin interface to run in INSECURE
|
|
# mode. This is not recommended as the traffic will
|
|
# be unencrypted. Only enable if you know what you
|
|
# are doing.
|
|
grpc_allow_insecure: false
|
|
|
|
# Private key used encrypt the traffic between headscale
|
|
# and Tailscale clients.
|
|
# The private key file which will be
|
|
# autogenerated if it's missing
|
|
private_key_path: /var/lib/headscale/private.key
|
|
|
|
# List of IP prefixes to allocate tailaddresses from.
|
|
# Each prefix consists of either an IPv4 or IPv6 address,
|
|
# and the associated prefix length, delimited by a slash.
|
|
ip_prefixes:
|
|
- fd7a:115c:a1e0::/48
|
|
- 100.64.0.0/10
|
|
|
|
# DERP is a relay system that Tailscale uses when a direct
|
|
# connection cannot be established.
|
|
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
|
|
#
|
|
# headscale needs a list of DERP servers that can be presented
|
|
# to the clients.
|
|
derp:
|
|
server:
|
|
# If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
|
|
# The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
|
|
enabled: false
|
|
|
|
# List of externally available DERP maps encoded in JSON
|
|
urls:
|
|
- https://controlplane.tailscale.com/derpmap/default
|
|
|
|
# Locally available DERP map files encoded in YAML
|
|
#
|
|
# This option is mostly interesting for people hosting
|
|
# their own DERP servers:
|
|
# https://tailscale.com/kb/1118/custom-derp-servers/
|
|
#
|
|
# paths:
|
|
# - /etc/headscale/derp-example.yaml
|
|
paths: []
|
|
|
|
# If enabled, a worker will be set up to periodically
|
|
# refresh the given sources and update the derpmap
|
|
# will be set up.
|
|
auto_update_enabled: true
|
|
|
|
# How often should we check for DERP updates?
|
|
update_frequency: 24h
|
|
|
|
# Disables the automatic check for headscale updates on startup
|
|
disable_check_updates: false
|
|
|
|
# Time before an inactive ephemeral node is deleted?
|
|
ephemeral_node_inactivity_timeout: 30m
|
|
|
|
# SQLite config
|
|
db_type: sqlite3
|
|
db_path: /var/lib/headscale/db.sqlite
|
|
|
|
# # Postgres config
|
|
# db_type: postgres
|
|
# db_host: localhost
|
|
# db_port: 5432
|
|
# db_name: headscale
|
|
# db_user: foo
|
|
# db_pass: bar
|
|
|
|
### TLS configuration
|
|
#
|
|
## Let's encrypt / ACME
|
|
#
|
|
# headscale supports automatically requesting and setting up
|
|
# TLS for a domain with Let's Encrypt.
|
|
#
|
|
# URL to ACME directory
|
|
acme_url: https://acme-v02.api.letsencrypt.org/directory
|
|
|
|
# Email to register with ACME provider
|
|
acme_email: ""
|
|
|
|
# Domain name to request a TLS certificate for:
|
|
tls_letsencrypt_hostname: ""
|
|
|
|
# Client (Tailscale/Browser) authentication mode (mTLS)
|
|
# Acceptable values:
|
|
# - disabled: client authentication disabled
|
|
# - relaxed: client certificate is required but not verified
|
|
# - enforced: client certificate is required and verified
|
|
tls_client_auth_mode: relaxed
|
|
|
|
# Path to store certificates and metadata needed by
|
|
# letsencrypt
|
|
tls_letsencrypt_cache_dir: /var/lib/headscale/cache
|
|
|
|
# Type of ACME challenge to use, currently supported types:
|
|
# HTTP-01 or TLS_ALPN-01
|
|
# See [docs/tls.md](docs/tls.md) for more information
|
|
tls_letsencrypt_challenge_type: HTTP-01
|
|
# When HTTP-01 challenge is chosen, letsencrypt must set up a
|
|
# verification endpoint, and it will be listning on:
|
|
# :http = port 80
|
|
tls_letsencrypt_listen: ":http"
|
|
|
|
## Use already defined certificates:
|
|
tls_cert_path: ""
|
|
tls_key_path: ""
|
|
|
|
log_level: info
|
|
|
|
# Path to a file containg ACL policies.
|
|
# ACLs can be defined as YAML or HUJSON.
|
|
# https://tailscale.com/kb/1018/acls/
|
|
acl_policy_path: ""
|
|
|
|
## DNS
|
|
#
|
|
# headscale supports Tailscale's DNS configuration and MagicDNS.
|
|
# Please have a look to their KB to better understand the concepts:
|
|
#
|
|
# - https://tailscale.com/kb/1054/dns/
|
|
# - https://tailscale.com/kb/1081/magicdns/
|
|
# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
|
|
#
|
|
dns_config:
|
|
# List of DNS servers to expose to clients.
|
|
nameservers:
|
|
- 1.1.1.1
|
|
|
|
# Split DNS (see https://tailscale.com/kb/1054/dns/),
|
|
# list of search domains and the DNS to query for each one.
|
|
#
|
|
# restricted_nameservers:
|
|
# foo.bar.com:
|
|
# - 1.1.1.1
|
|
# darp.headscale.net:
|
|
# - 1.1.1.1
|
|
# - 8.8.8.8
|
|
|
|
# Search domains to inject.
|
|
domains: []
|
|
|
|
# Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
|
|
# Only works if there is at least a nameserver defined.
|
|
magic_dns: true
|
|
|
|
# Defines the base domain to create the hostnames for MagicDNS.
|
|
# `base_domain` must be a FQDNs, without the trailing dot.
|
|
# The FQDN of the hosts will be
|
|
# `hostname.namespace.base_domain` (e.g., _myhost.mynamespace.example.com_).
|
|
base_domain: example.com
|
|
|
|
# Unix socket used for the CLI to connect without authentication
|
|
# Note: for local development, you probably want to change this to:
|
|
# unix_socket: ./headscale.sock
|
|
unix_socket: /var/run/headscale.sock
|
|
unix_socket_permission: "0770"
|
|
#
|
|
# headscale supports experimental OpenID connect support,
|
|
# it is still being tested and might have some bugs, please
|
|
# help us test it.
|
|
# OpenID Connect
|
|
# oidc:
|
|
# issuer: "https://your-oidc.issuer.com/path"
|
|
# client_id: "your-oidc-client-id"
|
|
# client_secret: "your-oidc-client-secret"
|
|
#
|
|
# If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
|
|
# This will transform `first-name.last-name@example.com` to the namespace `first-name.last-name`
|
|
# If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
|
|
# namespace: `first-name.last-name.example.com`
|
|
#
|
|
# strip_email_domain: true
|