diff --git a/templates/config-example.yaml b/templates/config-example.yaml
index b4539f4..99ce552 100644
--- a/templates/config-example.yaml
+++ b/templates/config-example.yaml
@@ -44,9 +44,7 @@ grpc_allow_insecure: false
 # and Tailscale clients.
 # The private key file will be autogenerated if it's missing.
 #
-# For production:
-# /var/lib/headscale/private.key
-private_key_path: ./private.key
+private_key_path: /var/lib/headscale/private.key
 
 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol
@@ -55,19 +53,17 @@ noise:
 # traffic between headscale and Tailscale clients when
 # using the new Noise-based protocol. It must be different
 # from the legacy private key.
- #
- # For production:
- # private_key_path: /var/lib/headscale/noise_private.key
- private_key_path: ./noise_private.key
+ private_key_path: /var/lib/headscale/noise_private.key
 
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
 # and the associated prefix length, delimited by a slash.
-# While this looks like it can take arbitrary values, it
-# needs to be within IP ranges supported by the Tailscale
-# client.
+# It must be within IP ranges supported by the Tailscale
+# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
+# See below:
 # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
+# Any other range is NOT supported, and it will cause unexpected issues.
 ip_prefixes:
 - fd7a:115c:a1e0::/48
 - 100.64.0.0/10
@@ -137,8 +133,7 @@ node_update_check_interval: 10s
 db_type: sqlite3
 
 # For production:
-# db_path: /var/lib/headscale/db.sqlite
-db_path: ./db.sqlite
+db_path: /var/lib/headscale/db.sqlite
 
 # # Postgres config
 # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
@@ -172,8 +167,7 @@ tls_letsencrypt_hostname: ""
 # Path to store certificates and metadata needed by
 # letsencrypt
 # For production:
-# tls_letsencrypt_cache_dir: /var/lib/headscale/cache
-tls_letsencrypt_cache_dir: ./cache
+tls_letsencrypt_cache_dir: /var/lib/headscale/cache
 
 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
@@ -258,13 +252,12 @@ dns_config:
 # Defines the base domain to create the hostnames for MagicDNS.
 # `base_domain` must be a FQDNs, without the trailing dot.
 # The FQDN of the hosts will be
- # `hostname.namespace.base_domain` (e.g., _myhost.mynamespace.example.com_).
+ # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
 base_domain: example.com
 
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
-# unix_socket: /var/run/headscale.sock
-unix_socket: ./headscale.sock
+unix_socket: /var/run/headscale/headscale.sock
 unix_socket_permission: "0770"
 #
 # headscale supports experimental OpenID connect support,
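Review bot: The context line `# For production:` directly above the new `db_path: /var/lib/headscale/db.sqlite` is now stale: it introduced the commented production example that this hunk deletes, so the only value left under the heading is the production one and the heading describes nothing. The same dangling line remains above `tls_letsencrypt_cache_dir` in the next hunk, and `# Note: for production you will want to set this to something like:` remains above `unix_socket` in the hunk after that, whereas the two `private_key_path` hunks earlier in the diff drop their `# For production:` lines along with the example. Either remove the three stale lines as well, or reword them into something that still holds, e.g. `# Production default; the directory must exist and be writable by the headscale service user.`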
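Review bot: Moving the socket from `/var/run/headscale.sock` into `/var/run/headscale/headscale.sock` makes start-up depend on that directory existing; `/var/run` is typically a volatile tmpfs, so the directory has to be recreated on every boot (for example by a `RuntimeDirectory=` setting in the service unit, or a task elsewhere in this role), and nothing in this diff shows who creates it. Since the comment above says this socket lets the CLI connect without authentication, `unix_socket_permission: "0770"` only protects it if the new directory is also owned by the headscale user/group and not world-writable; a comment would help, e.g. `# The parent directory must exist at start-up (volatile /var/run) and be restricted to the headscale user/group.` The `templates/config.yaml.j2` hunk at the end of the diff makes the same path change and carries the same dependency.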
@@ -282,28 +275,39 @@ unix_socket_permission: "0770"
 # client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
 #
 # client_secret and client_secret_path are mutually exclusive.
 #
-# Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
-# parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+# # The amount of time from a node is authenticated with OpenID until it
+# # expires and needs to reauthenticate.
+# # Setting the value to "0" will mean no expiry.
+# expiry: 180d
+#
+# # Use the expiry from the token received from OpenID when the user logged
+# # in, this will typically lead to frequent need to reauthenticate and should
+# # only been enabled if you know what you are doing.
+# # Note: enabling this will cause `oidc.expiry` to be ignored.
+# use_expiry_from_token: false
+#
+# # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
+# # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
 #
 # scope: ["openid", "profile", "email", "custom"]
 # extra_params:
 # domain_hint: example.com
 #
-# List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
-# authentication request will be rejected.
+# # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
+# # authentication request will be rejected.
 #
 # allowed_domains:
 # - example.com
-# Groups from keycloak have a leading '/'
+# # Note: Groups from keycloak have a leading '/'
 # allowed_groups:
 # - /headscale
 # allowed_users:
 # - alice@example.com
 #
-# If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
-# This will transform `first-name.last-name@example.com` to the namespace `first-name.last-name`
-# If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
-# namespace: `first-name.last-name.example.com`
+# # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
+# # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
+# # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
+# user: `first-name.last-name.example.com`
 #
 # strip_email_domain: true
diff --git a/templates/config.yaml.j2 b/templates/config.yaml.j2
index 1f97a82..d596a8e 100644
--- a/templates/config.yaml.j2
+++ b/templates/config.yaml.j2
@@ -64,7 +64,7 @@ dns_config:
 magic_dns: true
 base_domain: "{{ headscale_domain }}"
-unix_socket: /var/run/headscale.sock
+unix_socket: /var/run/headscale/headscale.sock
 unix_socket_permission: "0770"
 
 logtail:
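Review bot: The last added line of the `strip_email_domain` explanation, `+# user: \`first-name.last-name.example.com\``, is missing the second `# ` that its three sibling lines received, so under the hunk's new `# # explanation` / `# key: value` convention it reads as a commented-out `user:` setting instead of the end of the sentence above; anyone enabling the `oidc:` block by stripping the leading `# ` would end up with a stray `user:` key. It should be `# # user: \`first-name.last-name.example.com\``. Smaller wording nits in the same hunk: `should only been enabled` → `should only be enabled`, and `from a node is authenticated` → `from when a node is authenticated`. The `expiry` comment could also say what `"0"` costs: presumably nodes are then never sent back through the identity provider, so an account disabled at the provider keeps its existing nodes connected until their keys are expired by hand — confirm against headscale's behaviour before wording it. The commented-out `oidc:` block this hunk documents begins before the hunk.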