Merge branch 'master' into upgrade-reverse-proxy

headscale/config.yaml

@@ -22,7 +22,7 @@ listen_addr: 0.0.0.0:8080
 # to keep this endpoint private to your internal
 # network
 #
-metrics_listen_addr: 0.0.0.0:9090
+metrics_listen_addr: 127.0.0.1:9090
 
 # Address to listen for gRPC.
 # gRPC is used for controlling a headscale server
@@ -40,19 +40,12 @@ grpc_listen_addr: 127.0.0.1:50443
 # are doing.
 grpc_allow_insecure: false
 
-# Private key used to encrypt the traffic between headscale
-# and Tailscale clients.
-# The private key file will be autogenerated if it's missing.
-#
-private_key_path: /var/lib/headscale/private.key
-
 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol
 noise:
   # The Noise private key is used to encrypt the
   # traffic between headscale and Tailscale clients when
-  # using the new Noise-based protocol. It must be different
+  # using the new Noise-based protocol.
-  # from the legacy private key.
   private_key_path: /var/lib/headscale/noise_private.key
 
 # List of IP prefixes to allocate tailaddresses from.
@@ -60,10 +53,14 @@ noise:
 # and the associated prefix length, delimited by a slash.
 # It must be within IP ranges supported by the Tailscale
 # client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
-# Any other range is NOT supported, and it will cause unexpected issues.
+prefixes:
-ip_prefixes:
+  v6: fd7a:115c:a1e0::/48
-  - fd7a:115c:a1e0::/48
+  v4: 100.64.0.0/10
-  - 100.64.0.0/10
+
+  # Strategy used for allocation of IPs to nodes, available options:
+  # - sequential (default): assigns the next free IP from the previous given IP.
+  # - random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).
+  allocation: sequential
 
 # DERP is a relay system that Tailscale uses when a direct
 # connection cannot be established.
@@ -92,6 +89,24 @@ derp:
     # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
     stun_listen_addr: "0.0.0.0:3478"
 
+    # Private key used to encrypt the traffic between headscale DERP
+    # and Tailscale clients.
+    # The private key file will be autogenerated if it's missing.
+    #
+    private_key_path: /var/lib/headscale/derp_server_private.key
+
+    # This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
+    # it enables the creation of your very own DERP map entry using a locally available file with the parameter
+    # DERP.paths
+    # If you enable the DERP server and set this to false, it is required to add the DERP server to the DERP map using
+    # DERP.paths
+    automatically_add_embedded_derp_region: true
+
+    # For better connection stability (especially when using an Exit-Node and DNS is not working),
+    # it is possible to optionally add the public IPv4 and IPv6 address to the Derp-Map using:
+    ipv4: 1.2.3.4
+    ipv6: 2001:db8::1
+
   # List of externally available DERP maps encoded in JSON
   urls:
     - https://controlplane.tailscale.com/derpmap/default
@@ -120,33 +135,37 @@ disable_check_updates: false
 # Time before an inactive ephemeral node is deleted?
 ephemeral_node_inactivity_timeout: 30m
 
-# Period to check for node updates within the tailnet. A value too low will severely affect
+database:
-# CPU consumption of Headscale. A value too high (over 60s) will cause problems
+  # Database type. Available options: sqlite, postgres
-# for the nodes, as they won't get updates or keep alive messages frequently enough.
+  # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
-# In case of doubts, do not touch the default 10s.
+  # All new development, testing and optimisations are done with SQLite in mind.
-node_update_check_interval: 10s
+  type: sqlite
 
-# SQLite config
+  # Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
-db_type: sqlite3
+  debug: false
 
-# For production:
+  # GORM configuration settings.
-db_path: /var/lib/headscale/db.sqlite
+  gorm:
+    # Enable prepared statements.
+    prepare_stmt: true
 
-# # Postgres config
+    # Enable parameterized queries.
-# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
+    parameterized_queries: true
-# db_type: postgres
-# db_host: localhost
-# db_port: 5432
-# db_name: headscale
-# db_user: foo
-# db_pass: bar
 
-# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
+    # Skip logging "record not found" errors.
-# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
+    skip_err_record_not_found: true
-# db_ssl: false
+
+    # Threshold for slow queries in milliseconds.
+    slow_threshold: 1000
+
+  # SQLite config
+  sqlite:
+    path: /var/lib/headscale/db.sqlite
+
+    # Enable WAL mode for SQLite. This is recommended for production environments.
+    # https://www.sqlite.org/wal.html
+    write_ahead_log: true
 
-### TLS configuration
-#
 ## Let's encrypt / ACME
 #
 # headscale supports automatically requesting and setting up
@@ -184,10 +203,17 @@ log:
   format: text
   level: info
 
-# Path to a file containg ACL policies.
+## Policy
-# ACLs can be defined as YAML or HUJSON.
+# headscale supports Tailscale's ACL policies.
-# https://tailscale.com/kb/1018/acls/
+# Please have a look to their KB to better
-acl_policy_path: ""
+# understand the concepts: https://tailscale.com/kb/1018/acls/
+policy:
+  # The mode can be "file" or "database" that defines
+  # where the ACL policies are stored and read from.
+  mode: file
+  # If the mode is set to "file", the path to a
+  # HuJSON file containing ACL policies.
+  path: ""
 
 ## DNS
 #
@@ -198,64 +224,67 @@ acl_policy_path: ""
 # - https://tailscale.com/kb/1081/magicdns/
 # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
 #
-dns_config:
+# Please note that for the DNS configuration to have any effect,
-  # Whether to prefer using Headscale provided DNS or use local.
+# clients must have the `--accept-dns=true` option enabled. This is the
-  override_local_dns: true
+# default for the Tailscale client. This option is enabled by default
-
+# in the Tailscale client.
-  # List of DNS servers to expose to clients.
+#
-  nameservers:
+# Setting _any_ of the configuration and `--accept-dns=true` on the
-    - 100.64.0.4
+# clients will integrate with the DNS manager on the client or
-    # - 1.0.0.1
+# overwrite /etc/resolv.conf.
-
+# https://tailscale.com/kb/1235/resolv-conf
-  # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+#
-  # "abc123" is example NextDNS ID, replace with yours.
+# If you want stop Headscale from managing the DNS configuration
-  #
+# all the fields under `dns` should be set to empty values.
-  # With metadata sharing:
+dns:
-  # nameservers:
-  #   - https://dns.nextdns.io/abc123
-  #
-  # Without metadata sharing:
-  # nameservers:
-  #   - 2a07:a8c0::ab:c123
-  #   - 2a07:a8c1::ab:c123
-
-  # Split DNS (see https://tailscale.com/kb/1054/dns/),
-  # list of search domains and the DNS to query for each one.
-  #
-  # restricted_nameservers:
-  #   foo.bar.com:
-  #     - 1.1.1.1
-  #   darp.headscale.net:
-  #     - 1.1.1.1
-  #     - 8.8.8.8
-
-  # Search domains to inject.
-  domains: []
-
-  # Extra DNS records
-  # so far only A-records are supported (on the tailscale side)
-  # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
-  # extra_records:
-  #   - name: "grafana.myvpn.example.com"
-  #     type: "A"
-  #     value: "100.64.0.3"
-  #
-  #   # you can also put it in one line
-  #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
-  extra_records:
-    - name: "pi.hole"
-      type: "A"
-      value: "100.64.0.4"
-
   # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
   # Only works if there is at least a nameserver defined.
   magic_dns: true
 
   # Defines the base domain to create the hostnames for MagicDNS.
-  # `base_domain` must be a FQDNs, without the trailing dot.
+  # This domain _must_ be different from the server_url domain.
+  # `base_domain` must be a FQDN, without the trailing dot.
   # The FQDN of the hosts will be
-  # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
+  # `hostname.base_domain` (e.g., _myhost.example.com_).
-  base_domain: vpn.poldebra.me
+  base_domain: lan.poldebra.me
+
+  # List of DNS servers to expose to clients.
+  nameservers:
+    global:
+      - 100.64.0.4
+      # - 1.0.0.1
+
+      # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+      # "abc123" is example NextDNS ID, replace with yours.
+      # - https://dns.nextdns.io/abc123
+
+    # Split DNS (see https://tailscale.com/kb/1054/dns/),
+    # a map of domains and which DNS server to use for each.
+    split:
+      {}
+      # foo.bar.com:
+      #   - 1.1.1.1
+      # darp.headscale.net:
+      #   - 1.1.1.1
+      #   - 8.8.8.8
+
+  # Set custom DNS search domains. With MagicDNS enabled,
+  # your tailnet base_domain is always the first search domain.
+  search_domains: []
+
+  # Extra DNS records
+  # so far only A-records are supported (on the tailscale side)
+  # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
+  extra_records:
+    - name: "pi.hole"
+      type: "A"
+      value: "100.64.0.4"
+  # - name: "grafana.myvpn.example.com"
+  #   type: "A"
+  #   value: "100.64.0.3"
+  #
+  # # you can also put it in one line
+  # - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
 
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:

headscale/docker-compose.yml

@@ -1,12 +1,12 @@
 services:
   headscale:
-    image: headscale/headscale:0.22.3
+    image: headscale/headscale:0.23
     restart: unless-stopped
     container_name: headscale
     volumes:
       - /srv/docker/headscale/data:/var/lib/headscale
       - /srv/docker/headscale/config:/etc/headscale
-    command: headscale serve
+    command: serve
     networks:
       - proxy
     env_file: