From 5e3ce51caae8d6515d5153c1b25a44df921983cb Mon Sep 17 00:00:00 2001 From: surtur Date: Sun, 30 Jul 2023 00:24:19 +0200 Subject: [PATCH] add + use headscale role --- ansible/host_vars/nbgw.yml | 118 ++++++- ansible/playbooks/nbgw.yml | 1 + ansible/roles/headscale/tasks/main.yml | 152 ++++++++ .../roles/headscale/templates/Caddyfile.j2 | 42 +++ .../headscale/templates/caddy-hs.service.j2 | 49 +++ .../roles/headscale/templates/config.yaml.j2 | 331 ++++++++++++++++++ 6 files changed, 680 insertions(+), 13 deletions(-) create mode 100644 ansible/roles/headscale/tasks/main.yml create mode 100644 ansible/roles/headscale/templates/Caddyfile.j2 create mode 100644 ansible/roles/headscale/templates/caddy-hs.service.j2 create mode 100644 ansible/roles/headscale/templates/config.yaml.j2 diff --git a/ansible/host_vars/nbgw.yml b/ansible/host_vars/nbgw.yml index 8ef60c9..24416c1 100644 --- a/ansible/host_vars/nbgw.yml +++ b/ansible/host_vars/nbgw.yml @@ -1,14 +1,106 @@ $ANSIBLE_VAULT;1.1;AES256 -64366163333835636664306634613565653864386430393861623065313539616335636661356130 -6361633336323865633366643763633931646363616539320a396236646461323462623232666332 -33336235303936626235643838353166623236626161336138613962323235373161633534653066 -3966316361613838390a303164616232626636306234313830313437373431346539653161393831 -36383365353563626266643266616461663236643938373464393830353130356166616638363932 -32343230393863623037316266353933303265393639666633626635336238616163653164343838 -66613131373033353261663931616634623532613065376565343465613263373939653566316465 -64613331323836306463333563383962353530383166353062313762353362633034366432383935 -66363838366239383735383261343931376265373463333837336164633461306663666265396238 -64646163383463653063626166646432613539363439313938396466663136363732353536383162 -32623261386466626430306432613061303437666439393237333732323830663462323632326536 -38383732343634663866323634316331373739643063313839363335396436383235656666323164 -61333131306433626630313165373635303035666338663434306165663630383033 +37623662663035316139326630323161613465386436383133613139636266646439656165336562 +6362626334613638353864386261306333636432663265340a646433623837366338333637373932 +65613938366138613062303236303065386338393266303330303865356536333332613637626466 +3962353262363466330a383733386534656536316564666634656664336438363339363561613730 +35323132656634653738643231383661353630363839663561636333623762346165656565393230 +64316335616464376536303030663637346439326162396164316531613632323136633031306166 +64306236306135656338653830346431326235643137396265303961643438393864666134346238 +39653061636134313764386439666239383431626562323566353239376637313538613562636432 +38636162646632613935643834626632313663663339363966663337663434323362313465303663 +62326231376261343661393330386163643838383966333038346437323033613563376233633964 +31643834373161343134363131316135633262303230323737326234396630383634656437623234 +35383438333633623736333137396364623139373862366165306230343061643565373364363863 +35323436313466383334626466653936613432653938636435383838396436313633656165343531 +65376134316361663832303639643937326361323363633161613130303636343638313839326166 +63363165363565663261346362326631643337343031393834626139646366623661643364616334 +35633538396663666532633435313330373736376530623936616138646235356137336338353932 +31313362396164656437353938363264313236643839336636353338633639316163663261663231 +63333134383635386135663861336136336666626564636166646639303830623130623432316562 +36663531336237623835366162636637303136666466353762376333656439303730666164396164 +61393265623432656336613261363964326539386161653534313233393738323637373937623361 +62336165353431333330633861393233323437303166326265396435373966333264616232333830 +31316365303231373636373463343338386434333161333564666162373161316438383931633937 +63386165396336373765313833303034613034343664656431376334326638353632666564303765 +63303461393133353634323034356136396364373231313031306136353462633136363163636162 +64663730366230316666333933633938386635623539373335353264303739353134383531313733 +64613039396361653237373032316261386432613332663165383763303534663833663736663936 +31656262326238393562616361663636316264313966313961316236313461383735613465646330 +34336230333731383036383233356136623736333731353631353364303635623136383837636666 +30303234616538643462373165353738316439643537343561336539656665323261313139323137 +36396435636239396261343862336364646532663030313031333961363061396562616232633464 +62306362613931353937616461646637333362393335303164363861313465316232633938386639 +36623966613534396339633432663133363230653335333734333461386535346362666132383264 +30373062653437613630316131313362323237323333633930386330303065396631643030333531 +66646566313062643063613730393964336630353539373963383364613038373534363563333461 +31323033666537306533373331323932613432623763636532626161373638626264656230643633 +65323338633334393834383236323862353636663865656461643866663938323439633466373062 +62326566336633303835373439626233643061303932306537643463336663396664333966656630 +63386230396434336631363330313731353163393032313331343237623763373430386361383837 +63363764663130366463346332376332323536306338666334343063346237353065376234356365 +39326162383164363939346633373233653731326433323661323332386164633766366136393432 +39363939343930356261303664623861613935653461636232656235303864653564383066646430 +38316236393766393437393436363334383132343133613461633765336631653637633762366236 +63316263663766626335323862316665666161376231363532613465613236393534343438363333 +35353232343666386637643330376233613232353166336631353261376665636562626566636333 +62333535323139353430643439303836363762303538353436306433613539393063363862356466 +38303333393966666365633839633831353834386664386133373166656165613134363036346566 +63376131326430363538663761643133653066326261373766353531626339316532356331383664 +37346661633738386634656231326432313734663638376532646463373961313934666636616131 +38353637653338313933373636346633353662336630613833393537303065396163376566613630 +65663664303134383736653266623964363961653930396230616130386330366134316364383932 +30376433333036306162303564356262623334643362613234376630616564643531303131323638 +39643439643736323937366439323136393532633730613462393230643239396362613838623838 +37313639633333616564323066393535353830663936326335623439353736616462396333396534 +65633935653237336662333732323161353464353431336464386337653932663837636333333537 +62343466666266643330643532386531646661316137663965303331393565663265313936626539 +66613736383063636565303337663838613763363762343332626563303536383863326661353231 +63386538366432643938386364663739303436383666373161623034623534373939383838643131 +34393561396135363039613735313838383164313932303863376636646334336534653066313336 +31356262396162306362343562666134353838613063646333373039346164316565396163316634 +35383864653165373133343163613562666436326338643363393136636639366630626338633232 +62343165643138303534613733396132373237336461363238343866386561633039643330343735 +32306631346438623933333933633031616133636364393832383665666434326264343237336366 +34626365633238653436323262616533363064383562306138366133313333663838666165316666 +38303438356335653531363038666466383037623536616461383863656564643861343839363937 +35313233366163626537626636373664313636636662613337396564343665666532633533383534 +33366430393161343663363862623363316561323137313431633439366535373834393461306361 +62646636343566383436373336623832313336333765306236663966666361306361343463313137 +31626363643535336331353661363032376235633131623166376261646537306234666337366536 +65323762303864343235653831353237623337313030616265643061316435333935613562316632 +31613762643931656665333934343962393664373866613363383565623837623335653765656631 +38336437326634643161623433643435643537363439616261663835363030656437623337326164 +66376162633732393635386462663430316432653735666263633333393466633837363030386538 +34366363616139656266313238313361373362316531643661623733376136646461376561366433 +66313030653361646463383961376236616438313235326163643638353665646537393065363037 +32393765633334333766326664653263616532653764353761363331653236636463343434396236 +32633663313564623666303266663939306532353437333731653139353739303763346335646537 +34616461343435333964323830346563633939313135383737656139356162663730313165306235 +65353264653230613131656130613838636638343861303764376234323133626235616230336233 +36336430633864633562316433346139633364353836636566366364643266616366363366323761 +62333335623239613635343461643164386162316534626632663635643265353763383037363934 +32386138613831353063316137333166313966393565663364633739316334666231616532613264 +38323863386663323831353464616436636337346464326538343639353436366335653638396538 +61373333633731646665313530643130316538373038336134343533306139313338303033633336 +35643666633634626231336661626136396662623163383935646330316339616436373932613565 +64366130383539613664623132633763353961613035336137303734353030326636396331346666 +39363239623263643832373239626432636535336232316362643136303333633438366561346261 +63613766383739363131653533343339333039356232643537633561643039633765633631343934 +37353132666230326336366633303262383430636430313030643565316337666235366635343564 +35373164626332336232656638343537336233666163333964303462366333356131393431633232 +62343063383662383465613435393839353136633438633566633336373762376566383266643030 +37666664663038356339306434393361323032326539386231373239626638626637376566386333 +33663533646163383365313264663638646239373233613666336164653530356265396664313465 +33373666303639316330396131396231363332643232383834656139333463636264653838376462 +38666534653936326435383433386534366462343762346666376230303035313431346564303939 +37343937353335303566323930653363363337633065646436646232343665653064626661303132 +35626465306138306632306438383535323335383662366530316130383965643035393361316366 +39363063313761633162313733396163353235633238353264313266393665356166353262336339 +64666136326136376236663330666137316133623761323230303331363131663834336562653832 +64356532663532333730643561343465343261333135353233613738393062613565616633376263 +34306339613237396232636563653561613565393766396534383338303339353531666431346561 +62376230373864343362393861373037386561316561363866626263653266643162373766366539 +39666636393030303531343538633939333834386630363464663036653461343538393532386636 +62343666613933613162323437393135386264313939633639643030303337663566663362626637 +65663032623033303438393762613836613133376664373266663535623361663631643731626433 +6431 diff --git a/ansible/playbooks/nbgw.yml b/ansible/playbooks/nbgw.yml index 9846601..2842365 100644 --- a/ansible/playbooks/nbgw.yml +++ b/ansible/playbooks/nbgw.yml @@ -9,4 +9,5 @@ - role: pkg vars: pkgs_to_install: "{{ nbgw.pkgs.install }}" + - headscale ... diff --git a/ansible/roles/headscale/tasks/main.yml b/ansible/roles/headscale/tasks/main.yml new file mode 100644 index 0000000..e21adcd --- /dev/null +++ b/ansible/roles/headscale/tasks/main.yml @@ -0,0 +1,152 @@ +--- +- name: Create headscale group + ansible.builtin.group: + name: "{{ headscale.group }}" + state: present + +- name: Create headscale user + ansible.builtin.user: + name: "{{ headscale.user.name }}" + comment: "{{ headscale.user.comment }}" + create_home: "{{ headscale.user.create_home }}" + group: "{{ headscale.group }}" + groups: "{{ headscale.user.groups }}" + append: "{{ headscale.user.groups_append }}" + shell: "{{ headscale.user.shell }}" + system: "{{ headscale.user.system }}" + +- name: Create folder structure + ansible.builtin.file: + path: "{{ item }}" + state: directory + owner: "{{ headscale.user.name }}" + group: "{{ headscale.group }}" + mode: 0700 + loop: + - /var/lib/headscale + - /run/headscale + - /etc/headscale + +- name: Install headscale config + ansible.builtin.template: + src: config.yaml.j2 + dest: /etc/headscale/config.yaml + owner: "{{ headscale.user.name }}" + group: "{{ headscale.group }}" + +- name: Create a state folder for Caddy + ansible.builtin.file: + path: "{{ caddy.home }}" + state: directory + mode: 0700 + +- name: Install Caddyfile + ansible.builtin.template: + src: Caddyfile.j2 + dest: "{{ caddy.home }}/Caddyfile" + owner: root + group: root + mode: 0600 + # multiple validate subcommands is not-a-feature atm... + # https://github.com/ansible/ansible/issues/72561 + # + # caddy inline config validation: + # https://github.com/caddyserver/caddy/issues/3897 + validate: >- + bash -c + 'caddy fmt "$1" + && caddy validate --adapter caddyfile --config "$1"' + - "%s" + register: caddyfile + +# - name: Install xcaddy +# ansible.builtin.command: +# cmd: > +# go install -v +# github.com/caddyserver/xcaddy/cmd/xcaddy@{{ caddy.xcaddy_version }} +# creates: /root/go/bin/xcaddy +# environment: +# GOPATH: /usr/bin +# +# - name: Symlink xcaddy to /bin +# ansible.builtin.file: +# src: /root/go/bin/xcaddy +# dest: /usr/bin/xcaddy +# state: link +# +# - name: Build Caddy + njalla plugin +# ansible.builtin.command: +# cmd: > +# xcaddy build +# --with github.com/caddy-dns/njalla +# --output /usr/bin/nucaddy +# creates: /usr/bin/nucaddy +# environment: +# GOPATH: /usr/bin +# XCADDY_GO_BUILD_FLAGS: "-ldflags '-w s'" +# XCADDY_SKIP_CLEANUP: 1 + +- name: Install caddy-hs systemd service + ansible.builtin.template: + src: caddy-hs.service.j2 + dest: /etc/systemd/system/caddy-hs.service + owner: root + group: root + register: caddysystemd + +- name: Enable + start caddy-hs systemd service + ansible.builtin.systemd: + name: caddy-hs + state: started + enabled: true + daemon_reload: true + +- name: Restart caddy-hs + ansible.builtin.systemd: + name: caddy-hs + state: restarted + when: caddyfile.changed or caddysystemd.changed + +- name: Fetch crt,key + ansible.builtin.fetch: + src: "{{ caddy.home }}/.local/share/caddy/certificates/{{ caddy.acme_url }}/{{ headscale.dns.base_domain }}/{{ headscale.dns.base_domain}}.{{ item }}" + dest: "/tmp/.{{ headscale.dns.base_domain }}-certs" + loop: + - crt + - key + +- name: Copy to altcrtpath + ansible.builtin.copy: + src: "/tmp/.{{ headscale.dns.base_domain }}-certs/{{ ansible_host }}{{ caddy.home }}/.local/share/caddy/certificates/{{ caddy.acme_url }}/{{ headscale.dns.base_domain }}/{{ headscale.dns.base_domain}}.{{ item }}" + dest: "{{ headscale.altcrtpath }}/" + loop: + - crt + - key + +- name: Run headscale container + containers.podman.podman_container: + name: headscale + state: started + recreate: true + image: "docker.io/headscale/headscale:{{ headscale.version }}" + ports: "{{ headscale.ports }}" + cap_add: "{{ headscale.cap_add }}" + restart_policy: always + volume: + - "{{ headscale.homedir }}:/var/lib/headscale:Z" + - "{{ headscale.rundir }}:/var/run/headscale:Z" + - "{{ headscale.etcdir }}:/etc/headscale:Z" + - "{{ headscale.altcrtpath }}:{{ headscale.le.certsroot }}:Z,ro" + command: headscale serve + vars: + crtpath: "{{ headscale.altcrtpath }}/{{ headscale.dns.base_domain }}" + +- name: Run headscale-ui container + containers.podman.podman_container: + name: headscale-ui + state: started + recreate: true + image: "ghcr.io/gurucomputing/headscale-ui:{{ headscale.ui.version }}" + ports: "{{ headscale.ui.ports }}" + restart_policy: always +... diff --git a/ansible/roles/headscale/templates/Caddyfile.j2 b/ansible/roles/headscale/templates/Caddyfile.j2 new file mode 100644 index 0000000..e9822f5 --- /dev/null +++ b/ansible/roles/headscale/templates/Caddyfile.j2 @@ -0,0 +1,42 @@ +# {{ ansible_managed }} +{ + # acme_dns njalla < place here caddy.njalla_api_token if needed later > + key_type ed25519 + + log default { + output stdout + format json + include http.log.access admin.api + } +} + +https://{{ headscale.dns.base_domain }} { + reverse_proxy /web* https://{{ headscale.ui.listen_url }} + + reverse_proxy * https://{{ headscale.listen_addr }} { + transport http { + tls_insecure_skip_verify + } + } + + # headers + header /web* { + x-frame-options "sameorigin" + x-content-type-options "nosniff" + x-xss-protection "1; mode=block" + content-security-policy " + upgrade-insecure-requests; + default-src 'self'; + style-src 'self'; + script-src 'self' {{ headscale.server_url }}; + font-src 'self'; + img-src data: 'self'; + form-action 'self'; + connect-src 'self'; + frame-ancestors 'none'; + " + cross-origin-opener-policy "same-origin" + permissions-policy "geolocation=(), midi=(), sync-xhr=(), microphone=(), camera=(), magnetometer=(), gyroscope=(), fullscreen=(self), payment=()" + referrer-policy "no-referrer; strict-origin-when-cross-origin" + } +} diff --git a/ansible/roles/headscale/templates/caddy-hs.service.j2 b/ansible/roles/headscale/templates/caddy-hs.service.j2 new file mode 100644 index 0000000..e0f01b7 --- /dev/null +++ b/ansible/roles/headscale/templates/caddy-hs.service.j2 @@ -0,0 +1,49 @@ +# {{ ansible_managed }} +[Unit] +Description=Caddy-based headscale proxy +Documentation=https://caddyserver.com/docs/ +Wants=network-online.target +# After=network-online.target +After=network.target + +[Service] +Environment=CADDYPATH="{{ caddy.home }}" +Environment=HOME="{{ caddy.home }}" +# ExecStartPre=nucaddy validate --config "{{ caddy.home }}/Caddyfile" +# ExecStart=nucaddy run --config "{{ caddy.home }}/Caddyfile" +# ExecReload=nucaddy reload --config "{{ caddy.home }}/Caddyfile" +##ExecStart=caddy reverse-proxy --from "{{ headscale.dns.base_domain }}" --to "{{ headscale.listen_addr }}" +ExecStartPre=caddy validate --config "{{ caddy.home }}/Caddyfile" +ExecStart=caddy run --config "{{ caddy.home }}/Caddyfile" +ExecReload=caddy reload --config "{{ caddy.home }}/Caddyfile" + +TimeoutStopSec=10s +TimeoutStartSec=10s +RestartSec=10s +Restart=always + +ReadWritePaths="{{ caddy.home }}" + +AmbientCapabilities=CAP_NET_BIND_SERVICE +DeviceAllow= +LockPersonality=true +MemoryDenyWriteExecute=false +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +ProtectClock=true +ProtectControlGroups=true +ProtectSystem=strict +ProtectHome=true +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectProc=invisible +RemoveIPC=true +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX +RestrictNamespaces=true +RestrictRealtime=true + +[Install] +WantedBy=multi-user.target diff --git a/ansible/roles/headscale/templates/config.yaml.j2 b/ansible/roles/headscale/templates/config.yaml.j2 new file mode 100644 index 0000000..834c1ce --- /dev/null +++ b/ansible/roles/headscale/templates/config.yaml.j2 @@ -0,0 +1,331 @@ +--- +# {{ ansible_managed }} +# +# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order: +# +# - `/etc/headscale` +# - `~/.headscale` +# - current working directory + +# The url clients will connect to. +# Typically this will be a domain like: +# +# https://myheadscale.example.com:443 +# +server_url: {{ headscale.server_url }} + +# Address to listen to / bind to on the server +# +# For production: +# listen_addr: 0.0.0.0:8080 +listen_addr: {{ headscale.container_listen_addr }} + +# Address to listen to /metrics, you may want +# to keep this endpoint private to your internal +# network +# +metrics_listen_addr: {{ headscale.metrics_addr }} + +# Address to listen for gRPC. +# gRPC is used for controlling a headscale server +# remotely with the CLI +# Note: Remote access _only_ works if you have +# valid certificates. +# +# For production: +# grpc_listen_addr: 0.0.0.0:50443 +grpc_listen_addr: {{ headscale.container_grpc_listen_addr }} + +# Allow the gRPC admin interface to run in INSECURE +# mode. This is not recommended as the traffic will +# be unencrypted. Only enable if you know what you +# are doing. +grpc_allow_insecure: {{ headscale.grpc_allow_insecure }} + +# Private key used to encrypt the traffic between headscale +# and Tailscale clients. +# The private key file will be autogenerated if it's missing. +# +private_key_path: /var/lib/headscale/private.key + +# The Noise section includes specific configuration for the +# TS2021 Noise protocol +noise: + # The Noise private key is used to encrypt the + # traffic between headscale and Tailscale clients when + # using the new Noise-based protocol. It must be different + # from the legacy private key. + private_key_path: /var/lib/headscale/noise_private.key + +# List of IP prefixes to allocate tailaddresses from. +# Each prefix consists of either an IPv4 or IPv6 address, +# and the associated prefix length, delimited by a slash. +# It must be within IP ranges supported by the Tailscale +# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48. +# See below: +# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71 +# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33 +# Any other range is NOT supported, and it will cause unexpected issues. +ip_prefixes: + - fd7a:115c:a1e0::/48 + - 100.64.0.0/10 + +# DERP is a relay system that Tailscale uses when a direct +# connection cannot be established. +# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp +# +# headscale needs a list of DERP servers that can be presented +# to the clients. +derp: + server: + # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config + # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place + enabled: {{ headscale.derp_enabled }} + + # Region ID to use for the embedded DERP server. + # The local DERP prevails if the region ID collides with other region ID coming from + # the regular DERP config. + region_id: {{ headscale.derp_region_id }} + + # Region code and name are displayed in the Tailscale UI to identify a DERP region + region_code: "headscale" + region_name: "Headscale Embedded DERP" + + # Listens over UDP at the configured address for STUN connections - to help with NAT traversal. + # When the embedded DERP server is enabled stun_listen_addr MUST be defined. + # + # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/ + stun_listen_addr: "{{ headscale.stun_listen_addr }}" + + # List of externally available DERP maps encoded in JSON + urls: + - https://controlplane.tailscale.com/derpmap/default + + # Locally available DERP map files encoded in YAML + # + # This option is mostly interesting for people hosting + # their own DERP servers: + # https://tailscale.com/kb/1118/custom-derp-servers/ + # + # paths: + # - /etc/headscale/derp-example.yaml + paths: [] + + # If enabled, a worker will be set up to periodically + # refresh the given sources and update the derpmap + # will be set up. + auto_update_enabled: true + + # How often should we check for DERP updates? + update_frequency: 24h + +# Disables the automatic check for headscale updates on startup +disable_check_updates: false + +# Time before an inactive ephemeral node is deleted? +ephemeral_node_inactivity_timeout: 30m + +# Period to check for node updates within the tailnet. A value too low will severely affect +# CPU consumption of Headscale. A value too high (over 60s) will cause problems +# for the nodes, as they won't get updates or keep alive messages frequently enough. +# In case of doubts, do not touch the default 10s. +node_update_check_interval: 10s + +# SQLite config +db_type: sqlite3 + +# For production: +db_path: /var/lib/headscale/db.sqlite + +# # Postgres config +# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank. +# db_type: postgres +# db_host: localhost +# db_port: 5432 +# db_name: headscale +# db_user: foo +# db_pass: bar + +# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need +# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1. +# db_ssl: false + +### TLS configuration +# +## Let's encrypt / ACME +# +# headscale supports automatically requesting and setting up +# TLS for a domain with Let's Encrypt. +# +# URL to ACME directory +# e.g.: acme_url: https://acme-v02.api.letsencrypt.org/directory +acme_url: {{ headscale.le.acme_url }} + +# Email to register with ACME provider +acme_email: "{{ headscale.le.email }}" + +# Domain name to request a TLS certificate for: +# tls_letsencrypt_hostname: "{{ headscale.dns.base_domain }}" +tls_letsencrypt_hostname: "" + +# Path to store certificates and metadata needed by +# letsencrypt +# For production: +tls_letsencrypt_cache_dir: /var/lib/headscale/cache + +# Type of ACME challenge to use, currently supported types: +# HTTP-01 or TLS-ALPN-01 +# See [docs/tls.md](docs/tls.md) for more information +#tls_letsencrypt_challenge_type: HTTP-01 +tls_letsencrypt_challenge_type: TLS-ALPN-01 +# When HTTP-01 challenge is chosen, letsencrypt must set up a +# verification endpoint, and it will be listening on: +# :http = port 80 +tls_letsencrypt_listen: ":http" + +# Use already defined certificates: +tls_cert_path: "{{ headscale.le.crtpath }}" +tls_key_path: "{{ headscale.le.keypath }}" + +log: + # Output formatting for logs: text or json + format: text + level: info + +# Path to a file containg ACL policies. +# ACLs can be defined as YAML or HUJSON. +# https://tailscale.com/kb/1018/acls/ +acl_policy_path: "" + +## DNS +# +# headscale supports Tailscale's DNS configuration and MagicDNS. +# Please have a look to their KB to better understand the concepts: +# +# - https://tailscale.com/kb/1054/dns/ +# - https://tailscale.com/kb/1081/magicdns/ +# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/ +# +dns_config: + # Whether to prefer using Headscale provided DNS or use local. + override_local_dns: true + + # List of DNS servers to expose to clients. + nameservers: + - 84.200.69.80 + + # NextDNS (see https://tailscale.com/kb/1218/nextdns/). + # "abc123" is example NextDNS ID, replace with yours. + # + # With metadata sharing: + # nameservers: + # - https://dns.nextdns.io/abc123 + # + # Without metadata sharing: + # nameservers: + # - 2a07:a8c0::ab:c123 + # - 2a07:a8c1::ab:c123 + + # Split DNS (see https://tailscale.com/kb/1054/dns/), + # list of search domains and the DNS to query for each one. + # + # restricted_nameservers: + # foo.bar.com: + # - 1.1.1.1 + # darp.headscale.net: + # - 1.1.1.1 + # - 8.8.8.8 + + # Search domains to inject. + domains: [] + + # Extra DNS records + # so far only A-records are supported (on the tailscale side) + # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations + # extra_records: + # - name: "grafana.myvpn.example.com" + # type: "A" + # value: "100.64.0.3" + # + # # you can also put it in one line + # - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" } + + # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/). + # Only works if there is at least a nameserver defined. + magic_dns: true + + # Defines the base domain to create the hostnames for MagicDNS. + # `base_domain` must be a FQDNs, without the trailing dot. + # The FQDN of the hosts will be + # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_). + base_domain: {{ headscale.dns.base_domain }} + +# Unix socket used for the CLI to connect without authentication +# Note: for production you will want to set this to something like: +unix_socket: /var/run/headscale/headscale.sock +unix_socket_permission: "0770" +# +# headscale supports experimental OpenID connect support, +# it is still being tested and might have some bugs, please +# help us test it. +# OpenID Connect +# oidc: +# only_start_if_oidc_is_available: true +# issuer: "https://your-oidc.issuer.com/path" +# client_id: "your-oidc-client-id" +# client_secret: "your-oidc-client-secret" +# # Alternatively, set `client_secret_path` to read the secret from the file. +# # It resolves environment variables, making integration to systemd's +# # `LoadCredential` straightforward: +# client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret" +# # client_secret and client_secret_path are mutually exclusive. +# +# # The amount of time from a node is authenticated with OpenID until it +# # expires and needs to reauthenticate. +# # Setting the value to "0" will mean no expiry. +# expiry: 180d +# +# # Use the expiry from the token received from OpenID when the user logged +# # in, this will typically lead to frequent need to reauthenticate and should +# # only been enabled if you know what you are doing. +# # Note: enabling this will cause `oidc.expiry` to be ignored. +# use_expiry_from_token: false +# +# # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query +# # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email". +# +# scope: ["openid", "profile", "email", "custom"] +# extra_params: +# domain_hint: example.com +# +# # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the +# # authentication request will be rejected. +# +# allowed_domains: +# - example.com +# # Note: Groups from keycloak have a leading '/' +# allowed_groups: +# - /headscale +# allowed_users: +# - alice@example.com +# +# # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed. +# # This will transform `first-name.last-name@example.com` to the user `first-name.last-name` +# # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following +# user: `first-name.last-name.example.com` +# +# strip_email_domain: true + +# Logtail configuration +# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel +# to instruct tailscale nodes to log their activity to a remote server. +logtail: + # Enable logtail for this headscales clients. + # As there is currently no support for overriding the log server in headscale, this is + # disabled by default. Enabling this will make your clients send logs to Tailscale Inc. + enabled: false + +# Enabling this option makes devices prefer a random port for WireGuard traffic over the +# default static port 41641. This option is intended as a workaround for some buggy +# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information. +randomize_client_port: false