headscale config yaml

1. # headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
2. #
3. # - `/etc/headscale`
4. # - `~/.headscale`
5. # - current working directory
6.  
7. # The url clients will connect to.
8. # Typically this will be a domain like:
9. #
10. # https://myheadscale.example.com:443
11. #
12. server_url: https://hs.xxhome.com:8080
13.  
14. # Address to listen to / bind to on the server
15. #
16. # For production:
17. # listen_addr: 0.0.0.0:8080
18. listen_addr: 0.0.0.0:8080
19.  
20. # Address to listen to /metrics and /debug, you may want
21. # to keep this endpoint private to your internal network
22. metrics_listen_addr: 127.0.0.1:9090
23.  
24. # Address to listen for gRPC.
25. # gRPC is used for controlling a headscale server
26. # remotely with the CLI
27. # Note: Remote access _only_ works if you have
28. # valid certificates.
29. #
30. # For production:
31. # grpc_listen_addr: 0.0.0.0:50443
32. grpc_listen_addr: 127.0.0.1:50443
33.  
34. # Allow the gRPC admin interface to run in INSECURE
35. # mode. This is not recommended as the traffic will
36. # be unencrypted. Only enable if you know what you
37. # are doing.
38. grpc_allow_insecure: false
39.  
40. # The Noise section includes specific configuration for the
41. # TS2021 Noise protocol
42. noise:
43. # The Noise private key is used to encrypt the traffic between headscale and
44. # Tailscale clients when using the new Noise-based protocol. A missing key
45. # will be automatically generated.
46. private_key_path: /var/lib/headscale/noise_private.key
47.  
48. # List of IP prefixes to allocate tailaddresses from.
49. # Each prefix consists of either an IPv4 or IPv6 address,
50. # and the associated prefix length, delimited by a slash.
51. # It must be within IP ranges supported by the Tailscale
52. # client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
53. # See below:
54. # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
55. # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
56. # Any other range is NOT supported, and it will cause unexpected issues.
57. prefixes:
58. v4: 100.64.0.0/10
59. v6: fd7a:115c:a1e0::/48
60.  
61. # Strategy used for allocation of IPs to nodes, available options:
62. # - sequential (default): assigns the next free IP from the previous given IP.
63. # - random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).
64. allocation: sequential
65.  
66. # DERP is a relay system that Tailscale uses when a direct
67. # connection cannot be established.
68. # https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
69. #
70. # headscale needs a list of DERP servers that can be presented
71. # to the clients.
72. derp:
73. server:
74. # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
75. # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
76. enabled: false
77.  
78. # Region ID to use for the embedded DERP server.
79. # The local DERP prevails if the region ID collides with other region ID coming from
80. # the regular DERP config.
81. region_id: 999
82.  
83. # Region code and name are displayed in the Tailscale UI to identify a DERP region
84. region_code: "headscale"
85. region_name: "Headscale Embedded DERP"
86.  
87. # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
88. # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
89. #
90. # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
91. stun_listen_addr: "0.0.0.0:3478"
92.  
93. # Private key used to encrypt the traffic between headscale DERP and
94. # Tailscale clients. A missing key will be automatically generated.
95. private_key_path: /var/lib/headscale/derp_server_private.key
96.  
97. # This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
98. # it enables the creation of your very own DERP map entry using a locally available file with the parameter DERP.paths
99. # If you enable the DERP server and set this to false, it is required to add the DERP server to the DERP map using DERP.paths
100. automatically_add_embedded_derp_region: true
101.  
102. # For better connection stability (especially when using an Exit-Node and DNS is not working),
103. # it is possible to optionally add the public IPv4 and IPv6 address to the Derp-Map using:
104. ipv4: 1.2.3.4
105. ipv6: 2001:db8::1
106.  
107. # List of externally available DERP maps encoded in JSON
108. urls:
109. - https://controlplane.tailscale.com/derpmap/default
110.  
111. # Locally available DERP map files encoded in YAML
112. #
113. # This option is mostly interesting for people hosting
114. # their own DERP servers:
115. # https://tailscale.com/kb/1118/custom-derp-servers/
116. #
117. # paths:
118. # - /etc/headscale/derp-example.yaml
119. paths: []
120.  
121. # If enabled, a worker will be set up to periodically
122. # refresh the given sources and update the derpmap
123. # will be set up.
124. auto_update_enabled: true
125.  
126. # How often should we check for DERP updates?
127. update_frequency: 24h
128.  
129. # Disables the automatic check for headscale updates on startup
130. disable_check_updates: false
131.  
132. # Time before an inactive ephemeral node is deleted?
133. ephemeral_node_inactivity_timeout: 30m
134.  
135. database:
136. # Database type. Available options: sqlite, postgres
137. # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
138. # All new development, testing and optimisations are done with SQLite in mind.
139. type: sqlite
140.  
141. # Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
142. debug: false
143.  
144. # GORM configuration settings.
145. gorm:
146. # Enable prepared statements.
147. prepare_stmt: true
148.  
149. # Enable parameterized queries.
150. parameterized_queries: true
151.  
152. # Skip logging "record not found" errors.
153. skip_err_record_not_found: true
154.  
155. # Threshold for slow queries in milliseconds.
156. slow_threshold: 1000
157.  
158. # SQLite config
159. sqlite:
160. path: /var/lib/headscale/db.sqlite
161.  
162. # Enable WAL mode for SQLite. This is recommended for production environments.
163. # https://www.sqlite.org/wal.html
164. write_ahead_log: true
165.  
166. # Maximum number of WAL file frames before the WAL file is automatically checkpointed.
167. # https://www.sqlite.org/c3ref/wal_autocheckpoint.html
168. # Set to 0 to disable automatic checkpointing.
169. wal_autocheckpoint: 1000
170.  
171. # # Postgres config
172. # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
173. # See database.type for more information.
174. # postgres:
175. # # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
176. # host: localhost
177. # port: 5432
178. # name: headscale
179. # user: foo
180. # pass: bar
181. # max_open_conns: 10
182. # max_idle_conns: 10
183. # conn_max_idle_time_secs: 3600
184.  
185. # # If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
186. # # in the 'ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
187. # ssl: false
188.  
189. ### TLS configuration
190. #
191. ## Let's encrypt / ACME
192. #
193. # headscale supports automatically requesting and setting up
194. # TLS for a domain with Let's Encrypt.
195. #
196. # URL to ACME directory
197. #acme_url: https://acme-v02.api.letsencrypt.org/directory
198.  
199. # Email to register with ACME provider
200. #acme_email: "[email protected]"
201.  
202. # Domain name to request a TLS certificate for:
203. #tls_letsencrypt_hostname: "hs.xxhome.com"
204.  
205. # Path to store certificates and metadata needed by
206. # letsencrypt
207. # For production:
208. #tls_letsencrypt_cache_dir: /var/lib/headscale/cache
209.  
210. # Type of ACME challenge to use, currently supported types:
211. # HTTP-01 or TLS-ALPN-01
212. # See: docs/ref/tls.md for more information
213. #tls_letsencrypt_challenge_type: HTTP-01
214. # When HTTP-01 challenge is chosen, letsencrypt must set up a
215. # verification endpoint, and it will be listening on:
216. # :http = port 80
217. #tls_letsencrypt_listen: ":http"
218.  
219. ## Use already defined certificates:
220. #tls_cert_path: ""
221. #tls_key_path: ""
222.  
223. log:
224. # Output formatting for logs: text or json
225. format: text
226. level: info
227.  
228. ## Policy
229. # headscale supports Tailscale's ACL policies.
230. # Please have a look to their KB to better
231. # understand the concepts: https://tailscale.com/kb/1018/acls/
232. policy:
233. # The mode can be "file" or "database" that defines
234. # where the ACL policies are stored and read from.
235. mode: file
236. # If the mode is set to "file", the path to a
237. # HuJSON file containing ACL policies.
238. path: ""
239.  
240. ## DNS
241. #
242. # headscale supports Tailscale's DNS configuration and MagicDNS.
243. # Please have a look to their KB to better understand the concepts:
244. #
245. # - https://tailscale.com/kb/1054/dns/
246. # - https://tailscale.com/kb/1081/magicdns/
247. # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
248. #
249. # Please note that for the DNS configuration to have any effect,
250. # clients must have the `--accept-dns=true` option enabled. This is the
251. # default for the Tailscale client. This option is enabled by default
252. # in the Tailscale client.
253. #
254. # Setting _any_ of the configuration and `--accept-dns=true` on the
255. # clients will integrate with the DNS manager on the client or
256. # overwrite /etc/resolv.conf.
257. # https://tailscale.com/kb/1235/resolv-conf
258. #
259. # If you want stop Headscale from managing the DNS configuration
260. # all the fields under `dns` should be set to empty values.
261. dns:
262. # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
263. magic_dns: true
264.  
265. # Defines the base domain to create the hostnames for MagicDNS.
266. # This domain _must_ be different from the server_url domain.
267. # `base_domain` must be a FQDN, without the trailing dot.
268. # The FQDN of the hosts will be
269. # `hostname.base_domain` (e.g., _myhost.example.com_).
270. base_domain: cgwhome.com
271.  
272. # Whether to use the local DNS settings of a node (default) or override the
273. # local DNS settings and force the use of Headscale's DNS configuration.
274. override_local_dns: false
275.  
276. # List of DNS servers to expose to clients.
277. nameservers:
278. global:
279. - 1.1.1.1
280. - 1.0.0.1
281. - 2606:4700:4700::1111
282. - 2606:4700:4700::1001
283.  
284. # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
285. # "abc123" is example NextDNS ID, replace with yours.
286. # - https://dns.nextdns.io/abc123
287.  
288. # Split DNS (see https://tailscale.com/kb/1054/dns/),
289. # a map of domains and which DNS server to use for each.
290. split:
291. {}
292. # foo.bar.com:
293. # - 1.1.1.1
294. # darp.headscale.net:
295. # - 1.1.1.1
296. # - 8.8.8.8
297.  
298. # Set custom DNS search domains. With MagicDNS enabled,
299. # your tailnet base_domain is always the first search domain.
300. search_domains: []
301.  
302. # Extra DNS records
303. # so far only A and AAAA records are supported (on the tailscale side)
304. # See: docs/ref/dns.md
305. extra_records: []
306. # - name: "grafana.myvpn.example.com"
307. # type: "A"
308. # value: "100.64.0.3"
309. #
310. # # you can also put it in one line
311. # - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
312. #
313. # Alternatively, extra DNS records can be loaded from a JSON file.
314. # Headscale processes this file on each change.
315. # extra_records_path: /var/lib/headscale/extra-records.json
316.  
317. # Unix socket used for the CLI to connect without authentication
318. # Note: for production you will want to set this to something like:
319. unix_socket: /var/run/headscale/headscale.sock
320. unix_socket_permission: "0770"
321. #
322. # headscale supports experimental OpenID connect support,
323. # it is still being tested and might have some bugs, please
324. # help us test it.
325. # OpenID Connect
326. # oidc:
327. # only_start_if_oidc_is_available: true
328. # issuer: "https://your-oidc.issuer.com/path"
329. # client_id: "your-oidc-client-id"
330. # client_secret: "your-oidc-client-secret"
331. # # Alternatively, set `client_secret_path` to read the secret from the file.
332. # # It resolves environment variables, making integration to systemd's
333. # # `LoadCredential` straightforward:
334. # client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
335. # # client_secret and client_secret_path are mutually exclusive.
336. #
337. # # The amount of time from a node is authenticated with OpenID until it
338. # # expires and needs to reauthenticate.
339. # # Setting the value to "0" will mean no expiry.
340. # expiry: 180d
341. #
342. # # Use the expiry from the token received from OpenID when the user logged
343. # # in, this will typically lead to frequent need to reauthenticate and should
344. # # only been enabled if you know what you are doing.
345. # # Note: enabling this will cause `oidc.expiry` to be ignored.
346. # use_expiry_from_token: false
347. #
348. # # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
349. # # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
350. #
351. # scope: ["openid", "profile", "email", "custom"]
352. # extra_params:
353. # domain_hint: example.com
354. #
355. # # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
356. # # authentication request will be rejected.
357. #
358. # allowed_domains:
359. # - example.com
360. # # Note: Groups from keycloak have a leading '/'
361. # allowed_groups:
362. # - /headscale
363. # allowed_users:
364. # - [email protected]
365. #
366. # # Optional: PKCE (Proof Key for Code Exchange) configuration
367. # # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
368. # # by preventing authorization code interception attacks
369. # # See https://datatracker.ietf.org/doc/html/rfc7636
370. # pkce:
371. # # Enable or disable PKCE support (default: false)
372. # enabled: false
373. # # PKCE method to use:
374. # # - plain: Use plain code verifier
375. # # - S256: Use SHA256 hashed code verifier (default, recommended)
376. # method: S256
377.  
378. # Logtail configuration
379. # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
380. # to instruct tailscale nodes to log their activity to a remote server.
381. logtail:
382. # Enable logtail for this headscales clients.
383. # As there is currently no support for overriding the log server in headscale, this is
384. # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
385. enabled: false
386.  
387. # Enabling this option makes devices prefer a random port for WireGuard traffic over the
388. # default static port 41641. This option is intended as a workaround for some buggy
389. # firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
390. randomize_client_port: false