From 5cebaa085adec63c42ccf8feb59b6f54e938d564 Mon Sep 17 00:00:00 2001
From: Julian Foad
Date: Mon, 16 Jan 2023 16:14:54 +0000
Subject: [PATCH] merge updates to example config at headscale:v0.18.0

---
 templates/config-example.yaml | 104 ++++++++++++++++++++++++++--------
 templates/config.yaml.j2 | 10 +++-
 2 files changed, 86 insertions(+), 28 deletions(-)

diff --git a/templates/config-example.yaml b/templates/config-example.yaml
index 2019a13..b4539f4 100644
--- a/templates/config-example.yaml
+++ b/templates/config-example.yaml
@@ -14,7 +14,9 @@ server_url: http://127.0.0.1:8080
 
 # Address to listen to / bind to on the server
 #
-listen_addr: 0.0.0.0:8080
+# For production:
+# listen_addr: 0.0.0.0:8080
+listen_addr: 127.0.0.1:8080
 
 # Address to listen to /metrics, you may want
 # to keep this endpoint private to your internal
@@ -27,7 +29,10 @@ metrics_listen_addr: 127.0.0.1:9090
 # remotely with the CLI
 # Note: Remote access _only_ works if you have
 # valid certificates.
-grpc_listen_addr: 0.0.0.0:50443
+#
+# For production:
+# grpc_listen_addr: 0.0.0.0:50443
+grpc_listen_addr: 127.0.0.1:50443
 
 # Allow the gRPC admin interface to run in INSECURE
 # mode. This is not recommended as the traffic will
@@ -35,24 +40,34 @@ grpc_listen_addr: 0.0.0.0:50443
 # are doing.
 grpc_allow_insecure: false
 
-# Private key used encrypt the traffic between headscale
+# Private key used to encrypt the traffic between headscale
 # and Tailscale clients.
-# The private key file which will be
-# autogenerated if it's missing
-private_key_path: /var/lib/headscale/private.key
+# The private key file will be autogenerated if it's missing.
+#
+# For production:
+# /var/lib/headscale/private.key
+private_key_path: ./private.key
 
 # The Noise section includes specific configuration for the
-# TS2021 Noise procotol
+# TS2021 Noise protocol
 noise:
   # The Noise private key is used to encrypt the
   # traffic between headscale and Tailscale clients when
   # using the new Noise-based protocol. It must be different
   # from the legacy private key.
-  private_key_path: /var/lib/headscale/noise_private.key
+  #
+  # For production:
+  # private_key_path: /var/lib/headscale/noise_private.key
+  private_key_path: ./noise_private.key
 
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
 # and the associated prefix length, delimited by a slash.
+# While this looks like it can take arbitrary values, it
+# needs to be within IP ranges supported by the Tailscale
+# client.
+# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
+# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
 ip_prefixes:
   - fd7a:115c:a1e0::/48
   - 100.64.0.0/10
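Review bot: The new `# For production:` hint above `private_key_path: ./private.key` gives only the path, `# /var/lib/headscale/private.key`, while every other production hint in this patch quotes the full key (the `noise` block a few lines below reads `# private_key_path: /var/lib/headscale/noise_private.key`); writing it as `# private_key_path: /var/lib/headscale/private.key` lets it be uncommented as-is and keeps the stanzas consistent. The relative `./private.key` and `./noise_private.key` defaults (and `./db.sqlite`, `./cache`, `./headscale.sock` in later hunks) are resolved against the working directory of the headscale process, so an operator who copies this example into a service unit without switching to the production paths gets keys generated wherever the service happens to start; a one-line reminder next to the first `# For production:` comment would make that explicit.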
@@ -78,7 +93,7 @@ derp:
     region_code: "headscale"
     region_name: "Headscale Embedded DERP"
 
-    # Listens in UDP at the configured address for STUN connections to help on NAT traversal.
+    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
     # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
     #
     # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
@@ -112,15 +127,18 @@ disable_check_updates: false
 # Time before an inactive ephemeral node is deleted?
 ephemeral_node_inactivity_timeout: 30m
 
-# Period to check for node updates in the tailnet. A value too low will severily affect
+# Period to check for node updates within the tailnet. A value too low will severely affect
 # CPU consumption of Headscale. A value too high (over 60s) will cause problems
-# to the nodes, as they won't get updates or keep alive messages in time.
+# for the nodes, as they won't get updates or keep alive messages frequently enough.
 # In case of doubts, do not touch the default 10s.
 node_update_check_interval: 10s
 
 # SQLite config
 db_type: sqlite3
-db_path: /var/lib/headscale/db.sqlite
+
+# For production:
+# db_path: /var/lib/headscale/db.sqlite
+db_path: ./db.sqlite
 
 # # Postgres config
 # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
@@ -130,6 +148,9 @@ db_path: /var/lib/headscale/db.sqlite
 # db_name: headscale
 # db_user: foo
 # db_pass: bar
+
+# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
+# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
 # db_ssl: false
 
 ### TLS configuration
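Review bot: The added `db_ssl` comment spells the mode as `'disabled(false)'`, but the libpq `sslmode` value in the referenced Table 34.1 is `disable`; if headscale passes the string through to libpq as the comment implies, someone copying `disabled` from the comment gets a rejected connection string. Suggest `# If an sslmode other than 'require' (true) or 'disable' (false) is needed, set the libpq sslmode string you need` / `# in the 'db_ssl' field; see https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.`. Whether `false` really maps to `disable` is not visible in this hunk and should be confirmed against the upstream docs before the wording is changed.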
@@ -148,23 +169,18 @@ acme_email: ""
 # Domain name to request a TLS certificate for:
 tls_letsencrypt_hostname: ""
 
-# Client (Tailscale/Browser) authentication mode (mTLS)
-# Acceptable values:
-# - disabled: client authentication disabled
-# - relaxed: client certificate is required but not verified
-# - enforced: client certificate is required and verified
-tls_client_auth_mode: relaxed
-
 # Path to store certificates and metadata needed by
 # letsencrypt
-tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+# For production:
+# tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+tls_letsencrypt_cache_dir: ./cache
 
 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
 # See [docs/tls.md](docs/tls.md) for more information
 tls_letsencrypt_challenge_type: HTTP-01
 
 # When HTTP-01 challenge is chosen, letsencrypt must set up a
-# verification endpoint, and it will be listning on:
+# verification endpoint, and it will be listening on:
 # :http = port 80
 tls_letsencrypt_listen: ":http"
@@ -172,7 +188,10 @@ tls_letsencrypt_listen: ":http"
 tls_cert_path: ""
 tls_key_path: ""
 
-log_level: info
+log:
+  # Output formatting for logs: text or json
+  format: text
+  level: info
 
 # Path to a file containg ACL policies.
 # ACLs can be defined as YAML or HUJSON.
@@ -189,10 +208,25 @@ acl_policy_path: ""
 # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
 #
 dns_config:
+  # Whether to prefer using Headscale provided DNS or use local.
+  override_local_dns: true
+
   # List of DNS servers to expose to clients.
   nameservers:
     - 1.1.1.1
 
+  # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+  # "abc123" is example NextDNS ID, replace with yours.
+  #
+  # With metadata sharing:
+  # nameservers:
+  #   - https://dns.nextdns.io/abc123
+  #
+  # Without metadata sharing:
+  # nameservers:
+  #   - 2a07:a8c0::ab:c123
+  #   - 2a07:a8c1::ab:c123
+
   # Split DNS (see https://tailscale.com/kb/1054/dns/),
   # list of search domains and the DNS to query for each one.
   #
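Review bot: The new `override_local_dns: true` key in the `dns_config` hunk is documented only as `# Whether to prefer using Headscale provided DNS or use local.`, which does not say which value does what, even though this is the setting that decides whether every client's resolver is replaced. Consider `# true: clients use the nameservers below instead of their local resolver; false: local DNS is kept and these are only added.`, with the exact semantics confirmed against the upstream DNS docs, since only the key name and this comment are visible here. The NextDNS example in the same hunk is clear as written.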
@@ -206,6 +240,17 @@ dns_config:
   # Search domains to inject.
   domains: []
 
+  # Extra DNS records
+  # so far only A-records are supported (on the tailscale side)
+  # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
+  # extra_records:
+  #   - name: "grafana.myvpn.example.com"
+  #     type: "A"
+  #     value: "100.64.0.3"
+  #
+  #   # you can also put it in one line
+  #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
+
   # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
   # Only works if there is at least a nameserver defined.
   magic_dns: true
@@ -217,9 +262,9 @@ dns_config:
   base_domain: example.com
 
 # Unix socket used for the CLI to connect without authentication
-# Note: for local development, you probably want to change this to:
-# unix_socket: ./headscale.sock
-unix_socket: /var/run/headscale.sock
+# Note: for production you will want to set this to something like:
+# unix_socket: /var/run/headscale.sock
+unix_socket: ./headscale.sock
 unix_socket_permission: "0770"
 #
 # headscale supports experimental OpenID connect support,
@@ -227,9 +272,15 @@ unix_socket_permission: "0770"
 # help us test it.
 # OpenID Connect
 # oidc:
+#   only_start_if_oidc_is_available: true
 #   issuer: "https://your-oidc.issuer.com/path"
 #   client_id: "your-oidc-client-id"
 #   client_secret: "your-oidc-client-secret"
+#   # Alternatively, set `client_secret_path` to read the secret from the file.
+#   # It resolves environment variables, making integration to systemd's
+#   # `LoadCredential` straightforward:
+#   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
+#   # client_secret and client_secret_path are mutually exclusive.
 #
 #   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
 #   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
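Review bot: `only_start_if_oidc_is_available: true` is added to the commented OIDC example without any explanation, unlike `client_secret_path` a few lines below, which gets a three-line note; a reader has to guess what the flag gates and what `false` would allow. Suggest a line above it such as `#   # If true, headscale refuses to start when the OIDC issuer cannot be reached at startup`, with the wording confirmed against the upstream OIDC docs since only the key name is visible in this hunk. The `client_secret_path` / `${CREDENTIALS_DIRECTORY}` guidance is the right default to steer operators toward instead of an inline `client_secret`, and the mutual-exclusion note is a good addition.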
@@ -243,6 +294,9 @@ unix_socket_permission: "0770"
 #
 #   # allowed_domains:
 #   #   - example.com
+#   # Groups from keycloak have a leading '/'
+#   # allowed_groups:
+#   #   - /headscale
 #   # allowed_users:
 #   #   - alice@example.com
 #
diff --git a/templates/config.yaml.j2 b/templates/config.yaml.j2
index c99dc68..c5765a5 100644
--- a/templates/config.yaml.j2
+++ b/templates/config.yaml.j2
@@ -2,8 +2,10 @@
 
 # see: https://github.com/juanfont/headscale/blob/main/docs/running-headscale-container.md
 server_url: "https://{{ headscale_domain }}"
+
 listen_addr: 0.0.0.0:8080
-metrics_listen_addr: 0.0.0.0:9090
+
+metrics_listen_addr: 127.0.0.1:9090
 grpc_listen_addr: 0.0.0.0:50443
 grpc_allow_insecure: false
 
@@ -42,14 +44,15 @@ db_path: /var/lib/headscale/db.sqlite
 acme_url: https://acme-v02.api.letsencrypt.org/directory
 acme_email: ""
 tls_letsencrypt_hostname: ""
-tls_client_auth_mode: relaxed
 tls_letsencrypt_cache_dir: /var/lib/headscale/cache
 tls_letsencrypt_challenge_type: HTTP-01
 tls_letsencrypt_listen: ":http"
 tls_cert_path: ""
 tls_key_path: ""
 
-log_level: info
+log:
+  format: text
+  level: info
 
 acl_policy_path: ""
 
@@ -58,6 +61,7 @@ dns_config:
     - 1.1.1.1
   domains: []
   magic_dns: true
+  base_domain: "{{ headscale_domain }}"
 
 unix_socket: /var/run/headscale.sock
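Review bot: `base_domain: "{{ headscale_domain }}"` in the last `config.yaml.j2` hunk makes the MagicDNS base domain identical to the host in `server_url: "https://{{ headscale_domain }}"` (first hunk of the same file), so with `magic_dns: true` every node name becomes a subdomain of the control server's own name. I believe later headscale releases refuse a `server_url` that falls under `base_domain` because the server and embedded DERP can become unresolvable from nodes, and I am not certain v0.18.0 tolerates it. Consider a dedicated variable or a fixed subdomain, e.g. `base_domain: "ts.{{ headscale_domain }}"` (constructed example), and document the constraint in a comment above the key.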