Headscale/docker-compose.yml

# Compose v2 (no "version" key needed)
x-default: &default
  restart: unless-stopped
  networks:
    - traefik
  logging:
    driver: json-file
    options:
      max-size: 50m
      max-file: "2"

services:
  headscale:
    <<: *default
    image: docker.io/headscale/headscale:latest
    container_name: headscale
    command: serve
    # Optional: expose metrics to host only
    ports:
      - "127.0.0.1:9090:9090"
    volumes:
      - ./config:/etc/headscale
      - ./lib:/var/lib/headscale
      - ./run:/var/run/headscale
    healthcheck:
      test: ["CMD", "headscale", "health"]
      interval: 30s
      timeout: 10s
      retries: 5
    labels:
      - "traefik.enable=true"
      # Headscale API at /
      - "traefik.http.routers.headscale.rule=Host(`headscale.rozic-dev.com`)"
      - "traefik.http.routers.headscale.entrypoints=websecure"
      - "traefik.http.routers.headscale.tls.certresolver=letsencrypt"
      - "traefik.http.services.headscale.loadbalancer.server.port=8080"

  headscale-ui:
    <<: *default
    image: ghcr.io/gurucomputing/headscale-ui:latest
    container_name: headscale-ui
    # UI listens on 8080 (and 8443) in the container by default
    labels:
      - "traefik.enable=true"
      # Serve UI at /web on the *same* host to avoid CORS
      - "traefik.http.routers.headscale-ui.rule=Host(`headscale.rozic-dev.com`) && PathPrefix(`/web`)"
      - "traefik.http.routers.headscale-ui.entrypoints=websecure"
      - "traefik.http.routers.headscale-ui.tls.certresolver=letsencrypt"
      - "traefik.http.services.headscale-ui.loadbalancer.server.port=8080"

        # 🔐 BASIC AUTH MIDDLEWARE
      - "traefik.http.middlewares.headscale-ui-basicauth.basicauth.users=Dejan:$$2y$$05$$EAuwBj8Ac5YTRn90WSeQuezJxFZF0ghIC/mBlf6S.x8Bb/5jI49WC"

      # Attach middleware to router
      - "traefik.http.routers.headscale-ui.middlewares=headscale-ui-basicauth"

networks:
  traefik:
    external: true
    name: traefik_default
first commit 2025-11-24 16:58:23 +00:00			`# Compose v2 (no "version" key needed)`
			`x-default: &default`
			`restart: unless-stopped`
			`networks:`
			`- traefik`
			`logging:`
			`driver: json-file`
			`options:`
			`max-size: 50m`
			`max-file: "2"`

			`services:`
			`headscale:`
			`<<: *default`
			`image: docker.io/headscale/headscale:latest`
			`container_name: headscale`
			`command: serve`
			`# Optional: expose metrics to host only`
			`ports:`
			`- "127.0.0.1:9090:9090"`
			`volumes:`
			`- ./config:/etc/headscale`
			`- ./lib:/var/lib/headscale`
			`- ./run:/var/run/headscale`
			`healthcheck:`
			`test: ["CMD", "headscale", "health"]`
			`interval: 30s`
			`timeout: 10s`
			`retries: 5`
			`labels:`
			`- "traefik.enable=true"`
			`# Headscale API at /`
			- "traefik.http.routers.headscale.rule=Host(`headscale.rozic-dev.com`)"
			`- "traefik.http.routers.headscale.entrypoints=websecure"`
			`- "traefik.http.routers.headscale.tls.certresolver=letsencrypt"`
			`- "traefik.http.services.headscale.loadbalancer.server.port=8080"`

			`headscale-ui:`
			`<<: *default`
			`image: ghcr.io/gurucomputing/headscale-ui:latest`
			`container_name: headscale-ui`
			`# UI listens on 8080 (and 8443) in the container by default`
			`labels:`
			`- "traefik.enable=true"`
			`# Serve UI at /web on the same host to avoid CORS`
			- "traefik.http.routers.headscale-ui.rule=Host(`headscale.rozic-dev.com`) && PathPrefix(`/web`)"
			`- "traefik.http.routers.headscale-ui.entrypoints=websecure"`
			`- "traefik.http.routers.headscale-ui.tls.certresolver=letsencrypt"`
			`- "traefik.http.services.headscale-ui.loadbalancer.server.port=8080"`

			`# 🔐 BASIC AUTH MIDDLEWARE`
			`- "traefik.http.middlewares.headscale-ui-basicauth.basicauth.users=Dejan:$$2y$$05$$EAuwBj8Ac5YTRn90WSeQuezJxFZF0ghIC/mBlf6S.x8Bb/5jI49WC"`

			`# Attach middleware to router`
			`- "traefik.http.routers.headscale-ui.middlewares=headscale-ui-basicauth"`

			`networks:`
			`traefik:`
			`external: true`
			`name: traefik_default`