uptime-kuma + headscale + headplane docker compose + config files
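#####
# docker-compose.yml
#####

# Compose v2 ignores `version` (and warns about it); it is only kept for
# legacy docker-compose v1 installs.
version: '3'

networks:
  default:
    name: 'proxy_network'

services:
  uptime-kuma:
    # Major-version tag: rolls forward on every 1.x release. Pin a full
    # version (ideally with a digest) for reproducible deploys.
    image: louislam/uptime-kuma:1
    restart: unless-stopped
    volumes:
      - /srv/uptime:/app/data
    labels:
      caddy: uptime.nekomimi.pet
      caddy.reverse_proxy: "* {{upstreams 3001}}"

  headscale:
    image: headscale/headscale:v0.25.1
    restart: unless-stopped
    ports:
      # Caddy reaches headscale over proxy_network via {{upstreams 8080}}, so
      # clients never need this mapping. The original "8080:8080" bound
      # 0.0.0.0 on the host and exposed the plaintext control plane next to
      # the TLS-terminating proxy. Bind to loopback (or drop the mapping
      # entirely) so only local tooling can reach it over HTTP.
      - "127.0.0.1:8080:8080"
    volumes:
      # /etc/headscale is nested inside the /var/lib/headscale bind; state
      # (db.sqlite, noise_private.key) and config share ./headscale.
      - ./headscale/config:/etc/headscale
      - ./headscale:/var/lib/headscale
    command: serve
    labels:
      caddy: headscale.nekomimi.pet
      caddy.reverse_proxy: "* {{upstreams 8080}}"
    # NOTE(review): headscale is the coordination server, not a tailnet node,
    # and does not forward packets itself, so these sysctls look unnecessary.
    # Left as-is; confirm nothing else depends on them before removing.
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
    dns:
      - "1.1.1.1"
      - "8.8.8.8"

  headplane:
    image: ghcr.io/tale/headplane:0.5.10
    container_name: headplane
    restart: unless-stopped
    volumes:
      - './headplane/config/config.yaml:/etc/headplane/config.yaml'
      # Read-write on purpose: Headplane edits this file (see config_path in
      # the Headplane config). It also means Headplane can read the OIDC
      # client secret stored in the headscale config.
      - './headscale/config/config.yaml:/etc/headscale/config.yaml'
      - './headplane:/var/lib/headplane'
      # Required by integration.docker (restarting the headscale container).
      # ":ro" only makes the mount point read-only; the Docker API behind the
      # socket stays fully writable, which is equivalent to root on the host.
      # A compromise of Headplane therefore becomes a host compromise. Prefer a
      # filtered socket proxy that only allows the container inspect/restart
      # calls Headplane needs.
      - '/var/run/docker.sock:/var/run/docker.sock:ro'
    labels:
      caddy: hui.nekomimi.pet
      caddy.reverse_proxy: "* {{upstreams 3000}}"

  caddy:
    # "ci-alpine" is a rolling build of the project's CI branch, not a
    # release. Pin a release tag (or a digest) for a production ingress.
    image: "lucaslorentz/caddy-docker-proxy:ci-alpine"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Same caveat as for headplane: ":ro" does not limit the Docker API.
      # The proxy only needs to read container labels/events; a socket proxy
      # exposing just the read-only endpoints is enough here.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /srv/caddy/:/data
    restart: unless-stopped
    environment:
      - CADDY_INGRESS_NETWORKS=proxy_network

#####
# headscale/config/config.yaml
#####

---
# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
#
# - `/etc/headscale`
# - `~/.headscale`
# - current working directory

# The url clients will connect to.
# Typically this will be a domain like:
#
# https://myheadscale.example.com:443
#
# TLS is terminated by Caddy (see docker-compose.yml); headscale itself
# speaks plain HTTP on listen_addr, so server_url must stay https://.
server_url: https://headscale.nekomimi.pet

# Address to listen to / bind to on the server
#
# For production:
# 0.0.0.0 is bound inside the container only; host exposure is controlled by
# the `ports:` mapping in docker-compose.yml, which should be loopback-only.
listen_addr: 0.0.0.0:8080
#listen_addr: 127.0.0.1:8080

# Address to listen to /metrics and /debug, you may want
# to keep this endpoint private to your internal network
metrics_listen_addr: 127.0.0.1:9090

# Address to listen for gRPC.
# gRPC is used for controlling a headscale server
# remotely with the CLI
# Note: Remote access _only_ works if you have
# valid certificates.
#
# For production:
# grpc_listen_addr: 0.0.0.0:50443
grpc_listen_addr: 127.0.0.1:50443

# Allow the gRPC admin interface to run in INSECURE
# mode. This is not recommended as the traffic will
# be unencrypted. Only enable if you know what you
# are doing.
grpc_allow_insecure: false

# The Noise section includes specific configuration for the
# TS2021 Noise protocol
noise:
  # The Noise private key is used to encrypt the traffic between headscale and
  # Tailscale clients when using the new Noise-based protocol. A missing key
  # will be automatically generated.
  private_key_path: /var/lib/headscale/noise_private.key

# List of IP prefixes to allocate tailaddresses from.
# Each prefix consists of either an IPv4 or IPv6 address,
# and the associated prefix length, delimited by a slash.
# It must be within IP ranges supported by the Tailscale
# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
# See below:
# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
# Any other range is NOT supported, and it will cause unexpected issues.
prefixes:
  v4: 100.64.0.0/10
  v6: fd7a:115c:a1e0::/48

  # Strategy used for allocation of IPs to nodes, available options:
  # - sequential (default): assigns the next free IP from the previous given IP.
  # - random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).
  allocation: sequential

# DERP is a relay system that Tailscale uses when a direct
# connection cannot be established.
# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
#
# headscale needs a list of DERP servers that can be presented
# to the clients.
derp:
  server:
    # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
    # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
    enabled: false

    # Region ID to use for the embedded DERP server.
    # The local DERP prevails if the region ID collides with other region ID coming from
    # the regular DERP config.
    region_id: 999

    # Region code and name are displayed in the Tailscale UI to identify a DERP region
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"

    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
    #
    # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
    stun_listen_addr: "0.0.0.0:3478"

    # Private key used to encrypt the traffic between headscale DERP and
    # Tailscale clients. A missing key will be automatically generated.
    private_key_path: /var/lib/headscale/derp_server_private.key

    # This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
    # it enables the creation of your very own DERP map entry using a locally available file with the parameter DERP.paths
    # If you enable the DERP server and set this to false, it is required to add the DERP server to the DERP map using DERP.paths
    automatically_add_embedded_derp_region: true

    # For better connection stability (especially when using an Exit-Node and DNS is not working),
    # it is possible to optionally add the public IPv4 and IPv6 address to the Derp-Map using:
    # (Documentation/placeholder addresses; irrelevant while `enabled` is false.
    # Replace with the real public addresses before enabling the embedded DERP.)
    ipv4: 1.2.3.4
    ipv6: 2001:db8::1

  # List of externally available DERP maps encoded in JSON
  # Relay traffic is end-to-end encrypted by WireGuard, but using Tailscale's
  # public DERP map means their relays see connection metadata for this tailnet.
  urls:
    - https://controlplane.tailscale.com/derpmap/default

  # Locally available DERP map files encoded in YAML
  #
  # This option is mostly interesting for people hosting
  # their own DERP servers:
  # https://tailscale.com/kb/1118/custom-derp-servers/
  #
  # paths:
  #   - /etc/headscale/derp-example.yaml
  paths: []

  # If enabled, a worker will be set up to periodically
  # refresh the given sources and update the derpmap
  # will be set up.
  auto_update_enabled: true

  # How often should we check for DERP updates?
  update_frequency: 24h

# Disables the automatic check for headscale updates on startup
# (false means headscale makes an outbound request on every start).
disable_check_updates: false

# Time before an inactive ephemeral node is deleted?
ephemeral_node_inactivity_timeout: 30m

database:
  # Database type. Available options: sqlite, postgres
  # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
  # All new development, testing and optimisations are done with SQLite in mind.
  type: sqlite

  # Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
  debug: false

  # GORM configuration settings.
  gorm:
    # Enable prepared statements.
    prepare_stmt: true

    # Enable parameterized queries.
    parameterized_queries: true

    # Skip logging "record not found" errors.
    skip_err_record_not_found: true

    # Threshold for slow queries in milliseconds.
    slow_threshold: 1000

  # SQLite config
  sqlite:
    path: /var/lib/headscale/db.sqlite

    # Enable WAL mode for SQLite. This is recommended for production environments.
    # https://www.sqlite.org/wal.html
    write_ahead_log: true

    # Maximum number of WAL file frames before the WAL file is automatically checkpointed.
    # https://www.sqlite.org/c3ref/wal_autocheckpoint.html
    # Set to 0 to disable automatic checkpointing.
    wal_autocheckpoint: 1000

  # # Postgres config
  # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
  # See database.type for more information.
  # postgres:
  #   # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
  #   host: localhost
  #   port: 5432
  #   name: headscale
  #   user: foo
  #   pass: bar
  #   max_open_conns: 10
  #   max_idle_conns: 10
  #   conn_max_idle_time_secs: 3600
  #
  #   # If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
  #   # in the 'ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
  #   ssl: false

### TLS configuration
#
## Let's encrypt / ACME
#
# headscale supports automatically requesting and setting up
# TLS for a domain with Let's Encrypt.
#
# Not used in this deployment: Caddy terminates TLS in front of headscale,
# so the ACME and certificate settings below are intentionally empty.
#
# URL to ACME directory
acme_url: https://acme-v02.api.letsencrypt.org/directory

# Email to register with ACME provider
acme_email: ""

# Domain name to request a TLS certificate for:
tls_letsencrypt_hostname: ""

# Path to store certificates and metadata needed by
# letsencrypt
# For production:
tls_letsencrypt_cache_dir: /var/lib/headscale/cache

# Type of ACME challenge to use, currently supported types:
# HTTP-01 or TLS-ALPN-01
# See: docs/ref/tls.md for more information
tls_letsencrypt_challenge_type: HTTP-01
# When HTTP-01 challenge is chosen, letsencrypt must set up a
# verification endpoint, and it will be listening on:
# :http = port 80
tls_letsencrypt_listen: ":http"

## Use already defined certificates:
tls_cert_path: ""
tls_key_path: ""

log:
  # Output formatting for logs: text or json
  format: text
  level: info

## Policy
# headscale supports Tailscale's ACL policies.
# Please have a look to their KB to better
# understand the concepts: https://tailscale.com/kb/1018/acls/
policy:
  # The mode can be "file" or "database" that defines
  # where the ACL policies are stored and read from.
  mode: file
  # If the mode is set to "file", the path to a
  # HuJSON file containing ACL policies.
  #
  # NOTE(review): an empty path means no ACL policy is loaded. In that case
  # headscale places no restrictions between nodes — every node in the tailnet
  # can reach every other node on every port. Provide a policy file (even a
  # simple default-deny with explicit allows) before adding untrusted devices.
  path: ""

## DNS
#
# headscale supports Tailscale's DNS configuration and MagicDNS.
# Please have a look to their KB to better understand the concepts:
#
# - https://tailscale.com/kb/1054/dns/
# - https://tailscale.com/kb/1081/magicdns/
# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
#
# Please note that for the DNS configuration to have any effect,
# clients must have the `--accept-dns=true` option enabled. This is the
# default for the Tailscale client.
#
# Setting _any_ of the configuration and `--accept-dns=true` on the
# clients will integrate with the DNS manager on the client or
# overwrite /etc/resolv.conf.
# https://tailscale.com/kb/1235/resolv-conf
#
# If you want to stop Headscale from managing the DNS configuration,
# all the fields under `dns` should be set to empty values.
dns:
  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
  magic_dns: true

  # Defines the base domain to create the hostnames for MagicDNS.
  # This domain _must_ be different from the server_url domain.
  # `base_domain` must be a FQDN, without the trailing dot.
  # The FQDN of the hosts will be
  # `hostname.base_domain` (e.g., _myhost.example.com_).
  base_domain: dns.sharkgirl.pet

  # List of DNS servers to expose to clients.
  # 100.64.0.15 is a tailnet address, i.e. a resolver running on a node;
  # if that node is down, clients fall back to the public resolvers below.
  nameservers:
    global:
      - 100.64.0.15
      - 1.1.1.1
      - 1.0.0.1
      - 2606:4700:4700::1111
      - 2606:4700:4700::1001
    split: {}
    # foo.bar.com:
    #   - 1.1.1.1
    # darp.headscale.net:
    #   - 1.1.1.1
    #   - 8.8.8.8

  # Set custom DNS search domains. With MagicDNS enabled,
  # your tailnet base_domain is always the first search domain.
  search_domains: []

  # Extra DNS records
  # so far only A and AAAA records are supported (on the tailscale side)
  # See: docs/ref/dns.md
  extra_records: []
  #   - name: "grafana.myvpn.example.com"
  #     type: "A"
  #     value: "100.64.0.3"
  #
  #   # you can also put it in one line
  #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
  #
  # Alternatively, extra DNS records can be loaded from a JSON file.
  # Headscale processes this file on each change.
  # extra_records_path: /var/lib/headscale/extra-records.json

# Unix socket used for the CLI to connect without authentication
# Note: for production you will want to set this to something like:
# Anyone who can open this socket has full admin control of headscale
# (create users, pre-auth keys, API keys); 0770 limits it to owner+group.
unix_socket: /var/run/headscale/headscale.sock
unix_socket_permission: "0770"
#
# headscale supports experimental OpenID connect support,
# it is still being tested and might have some bugs, please
# help us test it.
# OpenID Connect
oidc:
  only_start_if_oidc_is_available: true
  issuer: "https://MYOIDC.nekomimi.pet"
  client_id: "CLIENTID"
  # Prefer `client_secret_path` over an inline secret: this file is
  # bind-mounted read-write into the Headplane container as well, so the
  # inline value is readable from two containers and from any backup of
  # ./headscale. `client_secret` and `client_secret_path` are mutually
  # exclusive; remove this key when switching.
  client_secret: "CLIENTSECRET"
  pkce:
    enabled: true
    method: S256

  # NOTE(review): with none of allowed_domains / allowed_groups /
  # allowed_users set, every identity the IdP is willing to authenticate
  # can register nodes on this tailnet. Restrict enrolment explicitly, e.g.:
  # allowed_domains:
  #   - nekomimi.pet
  # allowed_users:
  #   - you@nekomimi.pet

  #issuer: "https://authelia.nekomimi.pet/application/o/headscale/"
  #client_id: "CLIENTID"
  #client_secret: "CLIENTSECRET"
  #scope: [ "openid", "profile", "email", "custom" ]
  #extra_params:
  #  domain_hint: nekomimi.pet

# oidc:
#   only_start_if_oidc_is_available: true
#   issuer: "https://your-oidc.issuer.com/path"
#   client_id: "your-oidc-client-id"
#   client_secret: "your-oidc-client-secret"
#   # Alternatively, set `client_secret_path` to read the secret from the file.
#   # It resolves environment variables, making integration to systemd's
#   # `LoadCredential` straightforward:
#   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
#   # client_secret and client_secret_path are mutually exclusive.
#
#   # The amount of time from a node is authenticated with OpenID until it
#   # expires and needs to reauthenticate.
#   # Setting the value to "0" will mean no expiry.
#   expiry: 180d
#
#   # Use the expiry from the token received from OpenID when the user logged
#   # in, this will typically lead to frequent need to reauthenticate and should
#   # only been enabled if you know what you are doing.
#   # Note: enabling this will cause `oidc.expiry` to be ignored.
#   use_expiry_from_token: false
#
#   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
#   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
#
#   scope: ["openid", "profile", "email", "custom"]
#   extra_params:
#     domain_hint: example.com
#
#   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
#   # authentication request will be rejected.
#
#   allowed_domains:
#     - example.com
#   # Note: Groups from keycloak have a leading '/'
#   allowed_groups:
#     - /headscale
#   allowed_users:
#     - alice@example.com
#
#   # Optional: PKCE (Proof Key for Code Exchange) configuration
#   # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
#   # by preventing authorization code interception attacks
#   # See https://datatracker.ietf.org/doc/html/rfc7636
#   pkce:
#     # Enable or disable PKCE support (default: false)
#     enabled: false
#     # PKCE method to use:
#     # - plain: Use plain code verifier
#     # - S256: Use SHA256 hashed code verifier (default, recommended)
#     method: S256
#
#   # Map legacy users from pre-0.24.0 versions of headscale to the new OIDC users
#   # by taking the username from the legacy user and matching it with the username
#   # provided by the OIDC. This is useful when migrating from legacy users to OIDC
#   # to force them using the unique identifier from the OIDC and to give them a
#   # proper display name and picture if available.
#   # Note that this will only work if the username from the legacy user is the same
#   # and there is a possibility for account takeover should a username have changed
#   # with the provider.
#   # When this feature is disabled, it will cause all new logins to be created as new users.
#   # Note this option will be removed in the future and should be set to false
#   # on all new installations, or when all users have logged in with OIDC once.
#   map_legacy_users: false

# Logtail configuration
# Logtail is Tailscale's logging and auditing infrastructure, it allows the control panel
# to instruct tailscale nodes to log their activity to a remote server.
logtail:
  # Enable logtail for this headscale's clients.
  # As there is currently no support for overriding the log server in headscale, this is
  # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
  enabled: false

# Enabling this option makes devices prefer a random port for WireGuard traffic over the
# default static port 41641. This option is intended as a workaround for some buggy
# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
randomize_client_port: false

#####
# headplane/config/config.yaml
#####

server:
  # Bound inside the container only; nothing publishes 3000 on the host and
  # Caddy reaches it over proxy_network.
  host: "0.0.0.0"
  port: 3000

  # The secret used to encode and decode web sessions
  # Ensure that this is exactly 32 characters long
  #
  # "COOKIESECRET" is a 12-character placeholder, not a secret: it violates
  # the length requirement above and is guessable, which lets anyone forge a
  # session cookie. Replace it with 32 random characters, e.g. the output of
  # `openssl rand -base64 24`.
  cookie_secret: "COOKIESECRET"

  # Should the cookies only work over HTTPS?
  # Set to false if running via HTTP without a proxy
  # (I recommend this is true in production)
  cookie_secure: true

# Headscale specific settings to allow Headplane to talk
# to Headscale and access deep integration features
headscale:
  # The URL to your Headscale instance
  # (All API requests are routed through this URL)
  # (THIS IS NOT the gRPC endpoint, but the HTTP endpoint)
  #
  # IMPORTANT: If you are using TLS this MUST be set to `https://`
  # Plain HTTP is acceptable here only because the hop stays on the
  # compose-internal proxy_network; TLS is terminated at Caddy.
  url: "http://headscale:8080"

  # If you use the TLS configuration in Headscale, and you are not using
  # Let's Encrypt for your certificate, pass in the path to the certificate.
  # (This has no effect if `url` does not start with `https://`)
  # tls_cert_path: "/var/lib/headplane/tls.crt"

  # Optional, public URL if they differ
  # This affects certain parts of the web UI
  public_url: "https://headscale.nekomimi.pet"

  # Path to the Headscale configuration file
  # This is optional, but HIGHLY recommended for the best experience
  # If this is read only, Headplane will show your configuration settings
  # in the Web UI, but they cannot be changed.
  config_path: "/etc/headscale/config.yaml"

  # Headplane internally validates the Headscale configuration
  # to ensure that it changes the configuration in a safe way.
  # If you want to disable this validation, set this to false.
  config_strict: true

# Integration configurations for Headplane to interact with Headscale
# Only one of these should be enabled at a time or you will get errors
integration:
  docker:
    enabled: true
    # The name (or ID) of the container running Headscale
    container_name: "headscale"
    # The path to the Docker socket (do not change this if you are unsure)
    # Docker socket paths must start with unix:// or tcp:// and at the moment
    # https connections are not supported.
    # Access to this socket is unrestricted Docker API access (host root);
    # see the socket mount caveat in docker-compose.yml.
    socket: "unix:///var/run/docker.sock"
  # Please refer to docs/integration/Kubernetes.md for more information
  # on how to configure the Kubernetes integration. There are requirements in
  # order to allow Headscale to be controlled by Headplane in a cluster.
  kubernetes:
    enabled: false
    # Validates the manifest for the Pod to ensure all of the criteria
    # are set correctly. Turn this off if you are having issues with
    # shareProcessNamespace not being validated correctly.
    validate_manifest: true
    # This should be the name of the Pod running Headscale and Headplane.
    # If this isn't static you should be using the Kubernetes Downward API
    # to set this value (refer to docs/Integrated-Mode.md for more info).
    pod_name: "headscale"

  # Proc is the "Native" integration that only works when Headscale and
  # Headplane are running outside of a container. There is no configuration,
  # but you need to ensure that the Headplane process can terminate the
  # Headscale process.
  #
  # (If they are both running under systemd as sudo, this will work).
  proc:
    enabled: false

# OIDC Configuration for simpler authentication
# (This is optional, but recommended for the best experience)
oidc:
  issuer: "https://MYOIDC.nekomimi.pet"
  # NOTE(review): the same CLIENTID/CLIENTSECRET placeholders appear in the
  # headscale config. If both really share one IdP client, the IdP must allow
  # both redirect URIs and one leaked secret covers both apps; registering a
  # separate client per application is the safer default.
  client_id: "CLIENTID"

  # The client secret for the OIDC client
  # Either this or `client_secret_path` must be set for OIDC to work
  client_secret: "CLIENTSECRET"

  # You can alternatively set `client_secret_path` to read the secret from disk.
  # The path specified can resolve environment variables, making integration
  # with systemd's `LoadCredential` straightforward:
  # client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"

  # false keeps the API-key login form available alongside OIDC. Once OIDC
  # login is confirmed working, set this to true so the shared API key is
  # no longer an interactive login credential.
  disable_api_key_login: false
  token_endpoint_auth_method: "client_secret_post"

  # If you are using OIDC, you need to generate an API key
  # that can be used to authenticate other sessions when signing in.
  #
  # This can be done with `headscale apikeys create --expiration 999d`
  #
  # This key has full headscale API privileges and, with the 999d example
  # above, effectively never expires. Use the shortest expiry you can
  # tolerate, rotate it (`headscale apikeys expire`), and treat this file
  # as a secret.
  headscale_api_key: "MYAPIKEY"

  # Optional, but highly recommended otherwise Headplane
  # will attempt to automatically guess this from the issuer
  #
  # This should point to your publicly accessible URL
  # for your Headplane instance with /admin/oidc/callback
  redirect_uri: "https://hui.nekomimi.pet/admin/oidc/callback"

  # Stores the users and their permissions for Headplane
  # This is a path to a JSON file, default is specified below.
  user_storage_file: "/var/lib/headplane/users.json"

#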