1ca79938cd
Integrate headplane (ghcr.io/tale/headplane) into the headscale stack, served by Caddy at /admin. API-only (no Docker socket); deploy.sh mints a headscale API key on first run, generates headplane.yaml, and wires optional OIDC login via pocket-id (second client, /admin/oidc/callback). Adds HEADPLANE_* env, compose service, Caddy routing; rebuild embedded archive.
44 lines
2.2 KiB
Bash
# Copy to .env and fill in. docker compose picks .env up automatically.

# ─── Public hostnames ───────────────────────────────────────────────────────
# Bare hostname (no scheme) where headscale will be reached. Tailscale
# clients connect here over HTTPS.
HEADSCALE_DOMAIN=hs.example.com

# Email for Let's Encrypt registration / expiry notifications.
ACME_EMAIL=admin@example.com

# Magic-DNS suffix for nodes inside the tailnet. Example: with
# TAILNET_DOMAIN=tail.example.com, a host called "laptop" will resolve to
# laptop.tail.example.com. MUST be different from HEADSCALE_DOMAIN.
TAILNET_DOMAIN=tail.example.com

# ─── OIDC (pocket-id) ───────────────────────────────────────────────────────
# Hostname (no scheme) of your pocket-id deployment, used as the OIDC
# issuer. Must match the issuer URL pocket-id advertises at
# /.well-known/openid-configuration.
POCKETID_DOMAIN=auth.example.com

# Register a new OIDC client in pocket-id's admin UI with redirect URI:
# https://${HEADSCALE_DOMAIN}/oidc/callback
# Then paste the credentials here.
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=

# ─── Headplane (web UI at /admin) ───────────────────────────────────────────
# Generated on first deploy; leave blank.
HEADPLANE_COOKIE_SECRET=
# Auto-created from headscale on first deploy (the UI's API access); leave blank.
HEADPLANE_HS_API_KEY=
# Optional: OIDC login for headplane via pocket-id. Register a SECOND OIDC
# client in pocket-id with redirect URI:
# https://${HEADSCALE_DOMAIN}/admin/oidc/callback
# Leave both blank to use headplane's API-key login instead.
HEADPLANE_OIDC_CLIENT_ID=
HEADPLANE_OIDC_CLIENT_SECRET=

# ─── Image tags ─────────────────────────────────────────────────────────────
HEADSCALE_TAG=0.28.0
HEADPLANE_TAG=latest
CADDY_TAG=2-alpine
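
The constraints stated in the template's comments (bare hostnames, distinct tailnet suffix, paired OIDC credentials, image tags) can be checked before deploying. The script below is an added example, not part of this repository or its deploy.sh; the function names `env_get`, `is_bare_host` and `check_env` are hypothetical, and it assumes plain `KEY=value` lines as in the template.

```bash
#!/usr/bin/env bash
# Added example: preflight check for the .env template above.
# Assumes plain KEY=value lines (no quotes, no "export"), as in the template.

# Read KEY from FILE without sourcing it, so nothing in the file is executed.
env_get() { sed -n "s/^$1=//p" "$2" | tail -n 1; }

# Bare hostname: rejects empty values, schemes, ports, paths and whitespace.
is_bare_host() {
  case $1 in
    ''|*[!A-Za-z0-9.-]*|.*|*.|-*|*-) return 1 ;;
  esac
}

# Prints one line per finding and returns the number of findings.
check_env() {
  local f="$1" n=0 k v id secret
  fail() { echo "FAIL: $*"; n=$((n + 1)); }
  for k in HEADSCALE_DOMAIN TAILNET_DOMAIN POCKETID_DOMAIN; do
    v=$(env_get "$k" "$f")
    is_bare_host "$v" || fail "$k must be a bare hostname, got '$v'"
  done
  [ "$(env_get TAILNET_DOMAIN "$f")" != "$(env_get HEADSCALE_DOMAIN "$f")" ] ||
    fail "TAILNET_DOMAIN must differ from HEADSCALE_DOMAIN"
  for k in OIDC_CLIENT_ID OIDC_CLIENT_SECRET; do
    [ -n "$(env_get "$k" "$f")" ] || fail "$k is empty"
  done
  # Headplane OIDC is optional, but the pair must be both set or both blank.
  id=$(env_get HEADPLANE_OIDC_CLIENT_ID "$f")
  secret=$(env_get HEADPLANE_OIDC_CLIENT_SECRET "$f")
  [ "${id:+x}" = "${secret:+x}" ] || fail "HEADPLANE_OIDC_* is half-filled"
  # "latest" is a moving tag, so each pull may run different code.
  for k in HEADSCALE_TAG HEADPLANE_TAG CADDY_TAG; do
    v=$(env_get "$k" "$f")
    case $v in ''|latest) fail "$k='$v' is not pinned to a version" ;; esac
  done
  return "$n"
}

# Demo on a constructed file that mirrors the template's defaults.
demo=$(mktemp)
printf '%s\n' HEADSCALE_DOMAIN=hs.example.com TAILNET_DOMAIN=tail.example.com \
  POCKETID_DOMAIN=auth.example.com OIDC_CLIENT_ID= OIDC_CLIENT_SECRET= \
  HEADPLANE_OIDC_CLIENT_ID= HEADPLANE_OIDC_CLIENT_SECRET= \
  HEADSCALE_TAG=0.28.0 HEADPLANE_TAG=latest CADDY_TAG=2-alpine > "$demo"
check_env "$demo" || echo "$? finding(s)"
rm -f "$demo"
```

Run against the unfilled template, it reports the two empty headscale OIDC credentials and the unpinned `HEADPLANE_TAG`.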