1ca79938cd
Integrate headplane (ghcr.io/tale/headplane) into the headscale stack, served by Caddy at /admin. API-only (no Docker socket); deploy.sh mints a headscale API key on first run, generates headplane.yaml, and wires optional OIDC login via pocket-id (second client, /admin/oidc/callback). Adds HEADPLANE_* env, compose service, Caddy routing; rebuild embedded archive.
Caddyfile
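# Caddyfile for headscale stack.
#
# Auto-issues a Let's Encrypt cert for $HEADSCALE_DOMAIN and reverse-proxies
# to headscale's HTTP listener on :8080. Tailscale clients require this
# exact hostname over HTTPS.
#
# Security notes (review):
#   - /admin (headplane) is reachable from anywhere this hostname is; the only
#     gate is headplane's own login (API key / OIDC). If the control plane must
#     be public but the admin UI should not be, add a remote_ip or forward_auth
#     restriction on the @admin matcher below.
#   - X-Real-IP is Caddy's view of the TCP peer. If another proxy or load
#     balancer sits in front of Caddy, configure Caddy's trusted_proxies so the
#     forwarded client address is used instead of the proxy's.
{
	email {$ACME_EMAIL}
}

{$HEADSCALE_DOMAIN} {
	encode zstd gzip

	# Headplane web UI lives at /admin. Pass the path through unchanged
	# (headplane serves itself under /admin, including the OIDC callback at
	# /admin/oidc/callback). Everything else is headscale's control protocol.
	@admin path /admin /admin/*
	handle @admin {
		reverse_proxy headplane:3000
	}

	handle {
		reverse_proxy headscale:8080 {
			header_up X-Real-IP {http.request.remote.host}
			# Long-lived noise/wireguard control streams: stream bytes
			# straight through instead of buffering the response.
			flush_interval -1
			# Upstream transport limits. NOTE(review): per Caddy's docs the
			# transport's read/write timeouts default to "no timeout", so
			# these 10m values cap an idle control stream rather than lift a
			# limit; confirm they exceed headscale's keepalive cadence before
			# tightening further.
			transport http {
				read_timeout 10m
				write_timeout 10m
			}
		}
	}

	# Admin UI only: forbid framing (clickjacking on an authenticated
	# control-plane UI). `defer` applies these after the upstream response
	# is received so they take precedence over anything headplane sends.
	header @admin {
		X-Frame-Options "DENY"
		Content-Security-Policy "frame-ancestors 'none'"
		defer
	}

	# Applied to every response. Because this block deletes a header
	# (-Server), Caddy defers the whole block to response time, so these
	# values override whatever the upstream set.
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "strict-origin-when-cross-origin"
		-Server
	}

	log {
		output stdout
		format console
	}
}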