updated config

headscale/config/config.yaml

@@ -10,7 +10,7 @@
 #
 # https://myheadscale.example.com:443
 #
-server_url: http://192.168.1.32
+server_url: http://192.168.1.32:8080
 
 # Address to listen to / bind to on the server
 #
@@ -18,10 +18,8 @@ server_url: http://192.168.1.32
 # listen_addr: 0.0.0.0:8080
 listen_addr: 0.0.0.0:8080
 
-# Address to listen to /metrics, you may want
+# Address to listen to /metrics and /debug, you may want
-# to keep this endpoint private to your internal
+# to keep this endpoint private to your internal network
-# network
-#
 metrics_listen_addr: 0.0.0.0:9090
 
 # Address to listen for gRPC.
@@ -43,9 +41,9 @@ grpc_allow_insecure: false
 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol
 noise:
-  # The Noise private key is used to encrypt the
+  # The Noise private key is used to encrypt the traffic between headscale and
-  # traffic between headscale and Tailscale clients when
+  # Tailscale clients when using the new Noise-based protocol. A missing key
-  # using the new Noise-based protocol.
+  # will be automatically generated.
   private_key_path: /var/lib/headscale/noise_private.key
 
 # List of IP prefixes to allocate tailaddresses from.
@@ -58,8 +56,8 @@ noise:
 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
 # Any other range is NOT supported, and it will cause unexpected issues.
 prefixes:
-  v6: fd7a:115c:a1e0::/48
   v4: 100.64.0.0/10
+  v6: fd7a:115c:a1e0::/48
 
   # Strategy used for allocation of IPs to nodes, available options:
   # - sequential (default): assigns the next free IP from the previous given IP.
@@ -93,10 +91,8 @@ derp:
     # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
     stun_listen_addr: "0.0.0.0:3478"
 
-    # Private key used to encrypt the traffic between headscale DERP
+    # Private key used to encrypt the traffic between headscale DERP and
-    # and Tailscale clients.
+    # Tailscale clients. A missing key will be automatically generated.
-    # The private key file will be autogenerated if it's missing.
-    #
     private_key_path: /var/lib/headscale/derp_server_private.key
 
     # This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
@@ -138,8 +134,28 @@ disable_check_updates: false
 ephemeral_node_inactivity_timeout: 30m
 
 database:
+  # Database type. Available options: sqlite, postgres
+  # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
+  # All new development, testing and optimisations are done with SQLite in mind.
   type: sqlite
 
+  # Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
+  debug: false
+
+  # GORM configuration settings.
+  gorm:
+    # Enable prepared statements.
+    prepare_stmt: true
+
+    # Enable parameterized queries.
+    parameterized_queries: true
+
+    # Skip logging "record not found" errors.
+    skip_err_record_not_found: true
+
+    # Threshold for slow queries in milliseconds.
+    slow_threshold: 1000
+
   # SQLite config
   sqlite:
     path: /var/lib/headscale/db.sqlite
@@ -148,7 +164,14 @@ database:
     # https://www.sqlite.org/wal.html
     write_ahead_log: true
 
+    # Maximum number of WAL file frames before the WAL file is automatically checkpointed.
+    # https://www.sqlite.org/c3ref/wal_autocheckpoint.html
+    # Set to 0 to disable automatic checkpointing.
+    wal_autocheckpoint: 1000
+
   # # Postgres config
+  # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
+  # See database.type for more information.
   # postgres:
   #   # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
   #   host: localhost
@@ -187,7 +210,7 @@ database:
 
 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
-# See [docs/tls.md](docs/tls.md) for more information
+# See: docs/ref/tls.md for more information
 # tls_letsencrypt_challenge_type: HTTP-01
 # When HTTP-01 challenge is chosen, letsencrypt must set up a
 # verification endpoint, and it will be listening on:
@@ -203,10 +226,17 @@ log:
   format: text
   level: info
 
-# Path to a file containing ACL policies.
+## Policy
-# ACLs can be defined as YAML or HUJSON.
+# headscale supports Tailscale's ACL policies.
-# https://tailscale.com/kb/1018/acls/
+# Please have a look to their KB to better
-acl_policy_path: ""
+# understand the concepts: https://tailscale.com/kb/1018/acls/
+policy:
+  # The mode can be "file" or "database" that defines
+  # where the ACL policies are stored and read from.
+  mode: file
+  # If the mode is set to "file", the path to a
+  # HuJSON file containing ACL policies.
+  path: ""
 
 ## DNS
 #
@@ -217,68 +247,73 @@ acl_policy_path: ""
 # - https://tailscale.com/kb/1081/magicdns/
 # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
 #
-dns_config:
+# Please note that for the DNS configuration to have any effect,
-  # Whether to prefer using Headscale provided DNS or use local.
+# clients must have the `--accept-dns=true` option enabled. This is the
-  override_local_dns: true
+# default for the Tailscale client. This option is enabled by default
+# in the Tailscale client.
+#
+# Setting _any_ of the configuration and `--accept-dns=true` on the
+# clients will integrate with the DNS manager on the client or
+# overwrite /etc/resolv.conf.
+# https://tailscale.com/kb/1235/resolv-conf
+#
+# If you want stop Headscale from managing the DNS configuration
+# all the fields under `dns` should be set to empty values.
+dns:
+  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
+  magic_dns: true
+
+  # Defines the base domain to create the hostnames for MagicDNS.
+  # This domain _must_ be different from the server_url domain.
+  # `base_domain` must be a FQDN, without the trailing dot.
+  # The FQDN of the hosts will be
+  # `hostname.base_domain` (e.g., _myhost.example.com_).
+  base_domain: akanealw.com
+
+  # Whether to use the local DNS settings of a node (default) or override the
+  # local DNS settings and force the use of Headscale's DNS configuration.
+  override_local_dns: false
 
   # List of DNS servers to expose to clients.
   nameservers:
-    - 1.1.1.1
+    global:
+      - 1.1.1.1
+      - 1.0.0.1
+      - 2606:4700:4700::1111
+      - 2606:4700:4700::1001
 
-  # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+      # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
-  # "abc123" is example NextDNS ID, replace with yours.
+      # "abc123" is example NextDNS ID, replace with yours.
-  #
+      # - https://dns.nextdns.io/abc123
-  # With metadata sharing:
-  # nameservers:
-  #   - https://dns.nextdns.io/abc123
-  #
-  # Without metadata sharing:
-  # nameservers:
-  #   - 2a07:a8c0::ab:c123
-  #   - 2a07:a8c1::ab:c123
 
-  # Split DNS (see https://tailscale.com/kb/1054/dns/),
+    # Split DNS (see https://tailscale.com/kb/1054/dns/),
-  # list of search domains and the DNS to query for each one.
+    # a map of domains and which DNS server to use for each.
-  #
+    split:
-  # restricted_nameservers:
+      {}
-  #   foo.bar.com:
+      # foo.bar.com:
-  #     - 1.1.1.1
+      #   - 1.1.1.1
-  #   darp.headscale.net:
+      # darp.headscale.net:
-  #     - 1.1.1.1
+      #   - 1.1.1.1
-  #     - 8.8.8.8
+      #   - 8.8.8.8
 
-  # Search domains to inject.
+  # Set custom DNS search domains. With MagicDNS enabled,
-  domains: []
+  # your tailnet base_domain is always the first search domain.
+  search_domains: []
 
   # Extra DNS records
-  # so far only A-records are supported (on the tailscale side)
+  # so far only A and AAAA records are supported (on the tailscale side)
-  # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
+  # See: docs/ref/dns.md
-  # extra_records:
+  extra_records: []
   #   - name: "grafana.myvpn.example.com"
   #     type: "A"
   #     value: "100.64.0.3"
   #
   #   # you can also put it in one line
   #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
-
+  #
-  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
+  # Alternatively, extra DNS records can be loaded from a JSON file.
-  # Only works if there is at least a nameserver defined.
+  # Headscale processes this file on each change.
-  magic_dns: true
+  # extra_records_path: /var/lib/headscale/extra-records.json
-
-  # DEPRECATED
-  # Use the username as part of the DNS name for nodes, with this option enabled:
-  # node1.username.example.com
-  # while when this is disabled:
-  # node1.example.com
-  # This is a legacy option as Headscale has have this wrongly implemented
-  # while in upstream Tailscale, the username is not included.
-  use_username_in_magic_dns: false
-
-  # Defines the base domain to create the hostnames for MagicDNS.
-  # `base_domain` must be a FQDNs, without the trailing dot.
-  # The FQDN of the hosts will be
-  # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
-  base_domain: akanealw.com
 
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
@@ -329,12 +364,30 @@ unix_socket_permission: "0770"
 #   allowed_users:
 #     - alice@example.com
 #
-#   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
+#   # Optional: PKCE (Proof Key for Code Exchange) configuration
-#   # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
+#   # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
-#   # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
+#   # by preventing authorization code interception attacks
-#   user: `first-name.last-name.example.com`
+#   # See https://datatracker.ietf.org/doc/html/rfc7636
+#   pkce:
+#     # Enable or disable PKCE support (default: false)
+#     enabled: false
+#     # PKCE method to use:
+#     # - plain: Use plain code verifier
+#     # - S256: Use SHA256 hashed code verifier (default, recommended)
+#     method: S256
 #
-#   strip_email_domain: true
+#   # Map legacy users from pre-0.24.0 versions of headscale to the new OIDC users
+#   # by taking the username from the legacy user and matching it with the username
+#   # provided by the OIDC. This is useful when migrating from legacy users to OIDC
+#   # to force them using the unique identifier from the OIDC and to give them a
+#   # proper display name and picture if available.
+#   # Note that this will only work if the username from the legacy user is the same
+#   # and there is a possibility for account takeover should a username have changed
+#   # with the provider.
+#   # When this feature is disabled, it will cause all new logins to be created as new users.
+#   # Note this option will be removed in the future and should be set to false
+#   # on all new installations, or when all users have logged in with OIDC once.
+#   map_legacy_users: false
 
 # Logtail configuration
 # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel