mirror of
https://github.com/juanfont/headscale.git
synced 2025-01-18 18:00:04 +09:00
Set title for code listings
This commit is contained in:
parent
0acb2b5647
commit
bbc93a90a2
7 changed files with 16 additions and 16 deletions
|
@ -59,7 +59,7 @@ process. Headscale logs the result of ACL policy processing after each reload.
|
||||||
|
|
||||||
Here are the ACL's to implement the same permissions as above:
|
Here are the ACL's to implement the same permissions as above:
|
||||||
|
|
||||||
```json
|
```json title="acl.json"
|
||||||
{
|
{
|
||||||
// groups are collections of users having a common scope. A user can be in multiple groups
|
// groups are collections of users having a common scope. A user can be in multiple groups
|
||||||
// groups cannot be composed of groups
|
// groups cannot be composed of groups
|
||||||
|
|
|
@ -30,7 +30,7 @@ hostname and port combination "http://hostname-in-magic-dns.myvpn.example.com:30
|
||||||
|
|
||||||
=== "Static entries, via `dns.extra_records`"
|
=== "Static entries, via `dns.extra_records`"
|
||||||
|
|
||||||
```yaml
|
```yaml title="config.yaml"
|
||||||
dns:
|
dns:
|
||||||
...
|
...
|
||||||
extra_records:
|
extra_records:
|
||||||
|
@ -48,7 +48,7 @@ hostname and port combination "http://hostname-in-magic-dns.myvpn.example.com:30
|
||||||
|
|
||||||
=== "Dynamic entries, via `dns.extra_records_path`"
|
=== "Dynamic entries, via `dns.extra_records_path`"
|
||||||
|
|
||||||
```json
|
```json title="extra-records.json"
|
||||||
[
|
[
|
||||||
{
|
{
|
||||||
"name": "grafana.myvpn.example.com",
|
"name": "grafana.myvpn.example.com",
|
||||||
|
@ -93,7 +93,7 @@ hostname and port combination "http://hostname-in-magic-dns.myvpn.example.com:30
|
||||||
The motivating example here was to be able to access internal monitoring services on the same host without
|
The motivating example here was to be able to access internal monitoring services on the same host without
|
||||||
specifying a port, depicted as NGINX configuration snippet:
|
specifying a port, depicted as NGINX configuration snippet:
|
||||||
|
|
||||||
```
|
```nginx title="nginx.conf"
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
listen [::]:80;
|
listen [::]:80;
|
||||||
|
|
|
@ -23,7 +23,7 @@ Running headscale behind a cloudflare proxy or cloudflare tunnel is not supporte
|
||||||
|
|
||||||
Headscale can be configured not to use TLS, leaving it to the reverse proxy to handle. Add the following configuration values to your headscale config file.
|
Headscale can be configured not to use TLS, leaving it to the reverse proxy to handle. Add the following configuration values to your headscale config file.
|
||||||
|
|
||||||
```yaml
|
```yaml title="config.yaml"
|
||||||
server_url: https://<YOUR_SERVER_NAME> # This should be the FQDN at which headscale will be served
|
server_url: https://<YOUR_SERVER_NAME> # This should be the FQDN at which headscale will be served
|
||||||
listen_addr: 0.0.0.0:8080
|
listen_addr: 0.0.0.0:8080
|
||||||
metrics_listen_addr: 0.0.0.0:9090
|
metrics_listen_addr: 0.0.0.0:9090
|
||||||
|
@ -35,7 +35,7 @@ tls_key_path: ""
|
||||||
|
|
||||||
The following example configuration can be used in your nginx setup, substituting values as necessary. `<IP:PORT>` should be the IP address and port where headscale is running. In most cases, this will be `http://localhost:8080`.
|
The following example configuration can be used in your nginx setup, substituting values as necessary. `<IP:PORT>` should be the IP address and port where headscale is running. In most cases, this will be `http://localhost:8080`.
|
||||||
|
|
||||||
```Nginx
|
```nginx title="nginx.conf"
|
||||||
map $http_upgrade $connection_upgrade {
|
map $http_upgrade $connection_upgrade {
|
||||||
default upgrade;
|
default upgrade;
|
||||||
'' close;
|
'' close;
|
||||||
|
@ -113,7 +113,7 @@ spec:
|
||||||
|
|
||||||
The following Caddyfile is all that is necessary to use Caddy as a reverse proxy for headscale, in combination with the `config.yaml` specifications above to disable headscale's built in TLS. Replace values as necessary - `<YOUR_SERVER_NAME>` should be the FQDN at which headscale will be served, and `<IP:PORT>` should be the IP address and port where headscale is running. In most cases, this will be `localhost:8080`.
|
The following Caddyfile is all that is necessary to use Caddy as a reverse proxy for headscale, in combination with the `config.yaml` specifications above to disable headscale's built in TLS. Replace values as necessary - `<YOUR_SERVER_NAME>` should be the FQDN at which headscale will be served, and `<IP:PORT>` should be the IP address and port where headscale is running. In most cases, this will be `localhost:8080`.
|
||||||
|
|
||||||
```
|
```none title="Caddyfile"
|
||||||
<YOUR_SERVER_NAME> {
|
<YOUR_SERVER_NAME> {
|
||||||
reverse_proxy <IP:PORT>
|
reverse_proxy <IP:PORT>
|
||||||
}
|
}
|
||||||
|
@ -127,7 +127,7 @@ For a slightly more complex configuration which utilizes Docker containers to ma
|
||||||
|
|
||||||
The following minimal Apache config will proxy traffic to the headscale instance on `<IP:PORT>`. Note that `upgrade=any` is required as a parameter for `ProxyPass` so that WebSockets traffic whose `Upgrade` header value is not equal to `WebSocket` (i. e. Tailscale Control Protocol) is forwarded correctly. See the [Apache docs](https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html) for more information on this.
|
The following minimal Apache config will proxy traffic to the headscale instance on `<IP:PORT>`. Note that `upgrade=any` is required as a parameter for `ProxyPass` so that WebSockets traffic whose `Upgrade` header value is not equal to `WebSocket` (i. e. Tailscale Control Protocol) is forwarded correctly. See the [Apache docs](https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html) for more information on this.
|
||||||
|
|
||||||
```
|
```apache title="apache.conf"
|
||||||
<VirtualHost *:443>
|
<VirtualHost *:443>
|
||||||
ServerName <YOUR_SERVER_NAME>
|
ServerName <YOUR_SERVER_NAME>
|
||||||
|
|
||||||
|
|
|
@ -11,7 +11,7 @@ Known limitations:
|
||||||
|
|
||||||
In your `config.yaml`, customize this to your liking:
|
In your `config.yaml`, customize this to your liking:
|
||||||
|
|
||||||
```yaml
|
```yaml title="config.yaml"
|
||||||
oidc:
|
oidc:
|
||||||
# Block further startup until the OIDC provider is healthy and available
|
# Block further startup until the OIDC provider is healthy and available
|
||||||
only_start_if_oidc_is_available: true
|
only_start_if_oidc_is_available: true
|
||||||
|
@ -56,7 +56,7 @@ oidc:
|
||||||
|
|
||||||
In order to integrate headscale with Azure Active Directory, we'll need to provision an App Registration with the correct scopes and redirect URI. Here with Terraform:
|
In order to integrate headscale with Azure Active Directory, we'll need to provision an App Registration with the correct scopes and redirect URI. Here with Terraform:
|
||||||
|
|
||||||
```hcl
|
```hcl title="terraform.hcl"
|
||||||
resource "azuread_application" "headscale" {
|
resource "azuread_application" "headscale" {
|
||||||
display_name = "Headscale"
|
display_name = "Headscale"
|
||||||
|
|
||||||
|
@ -127,7 +127,7 @@ output "headscale_client_secret" {
|
||||||
|
|
||||||
And in your headscale `config.yaml`:
|
And in your headscale `config.yaml`:
|
||||||
|
|
||||||
```yaml
|
```yaml title="config.yaml"
|
||||||
oidc:
|
oidc:
|
||||||
issuer: "https://login.microsoftonline.com/<tenant-UUID>/v2.0"
|
issuer: "https://login.microsoftonline.com/<tenant-UUID>/v2.0"
|
||||||
client_id: "<client-id-from-terraform>"
|
client_id: "<client-id-from-terraform>"
|
||||||
|
@ -162,7 +162,7 @@ However if you don't have a domain, or need to add users outside of your domain,
|
||||||
8. Click `Save` at the bottom of the form
|
8. Click `Save` at the bottom of the form
|
||||||
9. Take note of the `Client ID` and `Client secret`, you can also download it for reference if you need it.
|
9. Take note of the `Client ID` and `Client secret`, you can also download it for reference if you need it.
|
||||||
10. Edit your headscale config, under `oidc`, filling in your `client_id` and `client_secret`:
|
10. Edit your headscale config, under `oidc`, filling in your `client_id` and `client_secret`:
|
||||||
```yaml
|
```yaml title="config.yaml"
|
||||||
oidc:
|
oidc:
|
||||||
issuer: "https://accounts.google.com"
|
issuer: "https://accounts.google.com"
|
||||||
client_id: ""
|
client_id: ""
|
||||||
|
|
|
@ -54,7 +54,7 @@ headscale apikeys expire --prefix "<PREFIX>"
|
||||||
|
|
||||||
=== "Minimal YAML configuration file"
|
=== "Minimal YAML configuration file"
|
||||||
|
|
||||||
```yaml
|
```yaml title="config.yaml"
|
||||||
cli:
|
cli:
|
||||||
address: <HEADSCALE_ADDRESS>:<PORT>
|
address: <HEADSCALE_ADDRESS>:<PORT>
|
||||||
api_key: <API_KEY_FROM_PREVIOUS_STEP>
|
api_key: <API_KEY_FROM_PREVIOUS_STEP>
|
||||||
|
|
|
@ -4,7 +4,7 @@
|
||||||
|
|
||||||
Headscale can be configured to expose its web service via TLS. To configure the certificate and key file manually, set the `tls_cert_path` and `tls_cert_path` configuration parameters. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from.
|
Headscale can be configured to expose its web service via TLS. To configure the certificate and key file manually, set the `tls_cert_path` and `tls_cert_path` configuration parameters. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from.
|
||||||
|
|
||||||
```yaml
|
```yaml title="config.yaml"
|
||||||
tls_cert_path: ""
|
tls_cert_path: ""
|
||||||
tls_key_path: ""
|
tls_key_path: ""
|
||||||
```
|
```
|
||||||
|
@ -15,7 +15,7 @@ The certificate should contain the full chain, else some clients, like the Tails
|
||||||
|
|
||||||
To get a certificate automatically via [Let's Encrypt](https://letsencrypt.org/), set `tls_letsencrypt_hostname` to the desired certificate hostname. This name must resolve to the IP address(es) headscale is reachable on (i.e., it must correspond to the `server_url` configuration parameter). The certificate and Let's Encrypt account credentials will be stored in the directory configured in `tls_letsencrypt_cache_dir`. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from.
|
To get a certificate automatically via [Let's Encrypt](https://letsencrypt.org/), set `tls_letsencrypt_hostname` to the desired certificate hostname. This name must resolve to the IP address(es) headscale is reachable on (i.e., it must correspond to the `server_url` configuration parameter). The certificate and Let's Encrypt account credentials will be stored in the directory configured in `tls_letsencrypt_cache_dir`. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from.
|
||||||
|
|
||||||
```yaml
|
```yaml title="config.yaml"
|
||||||
tls_letsencrypt_hostname: ""
|
tls_letsencrypt_hostname: ""
|
||||||
tls_letsencrypt_listen: ":http"
|
tls_letsencrypt_listen: ":http"
|
||||||
tls_letsencrypt_cache_dir: ".cache"
|
tls_letsencrypt_cache_dir: ".cache"
|
||||||
|
|
|
@ -94,7 +94,7 @@ systemd.
|
||||||
1. In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with a path that is writable by the
|
1. In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with a path that is writable by the
|
||||||
`headscale` user or group:
|
`headscale` user or group:
|
||||||
|
|
||||||
```yaml
|
```yaml title="config.yaml"
|
||||||
unix_socket: /var/run/headscale/headscale.sock
|
unix_socket: /var/run/headscale/headscale.sock
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue