merge updates to example config at headscale:v0.22.3

templates/config-example.yaml

@@ -44,9 +44,7 @@ grpc_allow_insecure: false
 # and Tailscale clients.
 # The private key file will be autogenerated if it's missing.
 #
-# For production:
-# /var/lib/headscale/private.key
-private_key_path: ./private.key
+private_key_path: /var/lib/headscale/private.key
 
 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol
@@ -55,19 +53,17 @@ noise:
   # traffic between headscale and Tailscale clients when
   # using the new Noise-based protocol. It must be different
   # from the legacy private key.
-  #
-  # For production:
-  # private_key_path: /var/lib/headscale/noise_private.key
-  private_key_path: ./noise_private.key
+  private_key_path: /var/lib/headscale/noise_private.key
 
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
 # and the associated prefix length, delimited by a slash.
-# While this looks like it can take arbitrary values, it
-# needs to be within IP ranges supported by the Tailscale
-# client.
+# It must be within IP ranges supported by the Tailscale
+# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
+# See below:
 # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
+# Any other range is NOT supported, and it will cause unexpected issues.
 ip_prefixes:
   - fd7a:115c:a1e0::/48
   - 100.64.0.0/10
@@ -137,8 +133,7 @@ node_update_check_interval: 10s
 db_type: sqlite3
 
 # For production:
-# db_path: /var/lib/headscale/db.sqlite
-db_path: ./db.sqlite
+db_path: /var/lib/headscale/db.sqlite
 
 # # Postgres config
 # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
@@ -172,8 +167,7 @@ tls_letsencrypt_hostname: ""
 # Path to store certificates and metadata needed by
 # letsencrypt
 # For production:
-# tls_letsencrypt_cache_dir: /var/lib/headscale/cache
-tls_letsencrypt_cache_dir: ./cache
+tls_letsencrypt_cache_dir: /var/lib/headscale/cache
 
 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
@@ -258,13 +252,12 @@ dns_config:
   # Defines the base domain to create the hostnames for MagicDNS.
   # `base_domain` must be a FQDNs, without the trailing dot.
   # The FQDN of the hosts will be
-  # `hostname.namespace.base_domain` (e.g., _myhost.mynamespace.example.com_).
+  # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
   base_domain: example.com
 
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
-# unix_socket: /var/run/headscale.sock
-unix_socket: ./headscale.sock
+unix_socket: /var/run/headscale/headscale.sock
 unix_socket_permission: "0770"
 #
 # headscale supports experimental OpenID connect support,
@@ -282,28 +275,39 @@ unix_socket_permission: "0770"
 #   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
 #   # client_secret and client_secret_path are mutually exclusive.
 #
-#   Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
-#   parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+#   # The amount of time from a node is authenticated with OpenID until it
+#   # expires and needs to reauthenticate.
+#   # Setting the value to "0" will mean no expiry.
+#   expiry: 180d
+#
+#   # Use the expiry from the token received from OpenID when the user logged
+#   # in, this will typically lead to frequent need to reauthenticate and should
+#   # only been enabled if you know what you are doing.
+#   # Note: enabling this will cause `oidc.expiry` to be ignored.
+#   use_expiry_from_token: false
+#
+#   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
+#   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
 #
 #   scope: ["openid", "profile", "email", "custom"]
 #   extra_params:
 #     domain_hint: example.com
 #
-#   List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
-#   authentication request will be rejected.
+#   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
+#   # authentication request will be rejected.
 #
 #   allowed_domains:
 #     - example.com
-# Groups from keycloak have a leading '/'
+#   # Note: Groups from keycloak have a leading '/'
 #   allowed_groups:
 #     - /headscale
 #   allowed_users:
 #     - alice@example.com
 #
-#   If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
-#   This will transform `first-name.last-name@example.com` to the namespace `first-name.last-name`
-#   If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
-#   namespace: `first-name.last-name.example.com`
+#   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
+#   # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
+#   # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
+#   user: `first-name.last-name.example.com`
 #
 #   strip_email_domain: true
 

templates/config.yaml.j2

@@ -64,7 +64,7 @@ dns_config:
   magic_dns: true
   base_domain: "{{ headscale_domain }}"
 
-unix_socket: /var/run/headscale.sock
+unix_socket: /var/run/headscale/headscale.sock
 unix_socket_permission: "0770"
 
 logtail: