first commit

2025-11-24 16:58:23 +00:00 · 2025-11-24 16:58:23 +00:00 · a7f5c4b3e7
commit a7f5c4b3e7
12 changed files with 319 additions and 0 deletions
--- a/config/config.yaml
+++ b/config/config.yaml
@ -0,0 +1,41 @@
+server_url: https://headscale.rozic-dev.com
+listen_addr: 0.0.0.0:8080
+metrics_listen_addr: 0.0.0.0:9090
+
+noise:
+  private_key_path: /var/lib/headscale/noise_private.key
+
+prefixes:
+  v4: 100.64.0.0/10
+  v6: fd7a:115c:a1e0::/48
+
+derp:
+  server:
+    enabled: false
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+  auto_update_enabled: true
+  update_frequency: 3h
+
+dns:
+  magic_dns: true
+  base_domain: tailnet.rozic-dev.com
+  override_local_dns: true
+  nameservers:
+    global:
+      - 1.1.1.1
+      - 8.8.8.8
+
+log:
+  level: info
+  format: text
+
+database:
+  type: sqlite
+  sqlite:
+    path: /var/lib/headscale/db.sqlite
+    write_ahead_log: true
+    wal_autocheckpoint: 1000
+
+unix_socket: /var/run/headscale/headscale.sock
+unix_socket_permission: "0770"
--- a/config/config.yaml.bak
+++ b/config/config.yaml.bak
@ -0,0 +1,31 @@
+server_url: https://headscale.rozic-dev.com
+listen_addr: 0.0.0.0:8080
+
+# REQUIRED by newer Headscale (TS2021/Noise)
+noise:
+  private_key_path: /var/lib/headscale/noise_private.key
+
+# Tailnet address pools
+prefixes:
+  v4: 100.64.0.0/10
+  v6: fd7a:115c:a1e0::/48
+
+# Use Tailscale public DERP (built-in disabled so you don't need extra ports)
+derp:
+  server:
+    enabled: false
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+
+# NEW DNS schema (dns_config is deprecated). Since override_local_dns is true,
+# nameservers.global MUST be set.
+dns:
+  override_local_dns: true
+  nameservers:
+    global:
+      - 1.1.1.1
+      - 8.8.8.8
+
+log:
+  level: info
+  format: text
--- a/data/db.sqlite
+++ b/data/db.sqlite
--- a/data/noise_private.key
+++ b/data/noise_private.key
@ -0,0 +1 @@
+privkey:70c34ac681bd47a23e573560825f98c9cef03b6b02e6656b57b9d98f75fe1a58
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -0,0 +1,60 @@
+# Compose v2 (no "version" key needed)
+x-default: &default
+  restart: unless-stopped
+  networks:
+    - traefik
+  logging:
+    driver: json-file
+    options:
+      max-size: 50m
+      max-file: "2"
+
+services:
+  headscale:
+    <<: *default
+    image: docker.io/headscale/headscale:latest
+    container_name: headscale
+    command: serve
+    # Optional: expose metrics to host only
+    ports:
+      - "127.0.0.1:9090:9090"
+    volumes:
+      - ./config:/etc/headscale
+      - ./lib:/var/lib/headscale
+      - ./run:/var/run/headscale
+    healthcheck:
+      test: ["CMD", "headscale", "health"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+    labels:
+      - "traefik.enable=true"
+      # Headscale API at /
+      - "traefik.http.routers.headscale.rule=Host(`headscale.rozic-dev.com`)"
+      - "traefik.http.routers.headscale.entrypoints=websecure"
+      - "traefik.http.routers.headscale.tls.certresolver=letsencrypt"
+      - "traefik.http.services.headscale.loadbalancer.server.port=8080"
+
+  headscale-ui:
+    <<: *default
+    image: ghcr.io/gurucomputing/headscale-ui:latest
+    container_name: headscale-ui
+    # UI listens on 8080 (and 8443) in the container by default
+    labels:
+      - "traefik.enable=true"
+      # Serve UI at /web on the *same* host to avoid CORS
+      - "traefik.http.routers.headscale-ui.rule=Host(`headscale.rozic-dev.com`) && PathPrefix(`/web`)"
+      - "traefik.http.routers.headscale-ui.entrypoints=websecure"
+      - "traefik.http.routers.headscale-ui.tls.certresolver=letsencrypt"
+      - "traefik.http.services.headscale-ui.loadbalancer.server.port=8080"
+
+        # 🔐 BASIC AUTH MIDDLEWARE
+      - "traefik.http.middlewares.headscale-ui-basicauth.basicauth.users=Dejan:$$2y$$05$$EAuwBj8Ac5YTRn90WSeQuezJxFZF0ghIC/mBlf6S.x8Bb/5jI49WC"
+
+      # Attach middleware to router
+      - "traefik.http.routers.headscale-ui.middlewares=headscale-ui-basicauth"
+
+networks:
+  traefik:
+    external: true
+    name: traefik_default
--- a/head-scale-connect.sh
+++ b/head-scale-connect.sh
@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+set -e
+
+# ============================
+# CONFIG
+# ============================
+HEADSCALE_URL="https://headscale.rozic-dev.com"
+TAILSCALE_BIN="tailscale"
+DEFAULT_HOSTNAME="$(hostname)"
+
+require_cmd() {
+  if ! command -v "$1" >/dev/null 2>&1; then
+    echo "ERROR: Command '$1' not found. Please install it first." >&2
+    exit 1
+  fi
+}
+
+require_cmd "$TAILSCALE_BIN"
+
+if ! command -v sudo >/dev/null 2>&1 && [[ $EUID -ne 0 ]]; then
+  echo "WARNING: 'sudo' not found and you are not root."
+  echo "You must run this script as root for 'tailscale up' to work."
+  exit 1
+fi
+
+AUTHKEY="${1:-}"
+
+if [[ -z "$AUTHKEY" ]]; then
+  echo -n "Enter Headscale pre-auth key: "
+  read -r AUTHKEY
+fi
+
+if [[ -z "$AUTHKEY" ]]; then
+  echo "ERROR: No auth key provided." >&2
+  exit 1
+fi
+
+echo -n "Hostname to register on Headscale [${DEFAULT_HOSTNAME}]: "
+read -r CUSTOM_HOSTNAME
+HOSTNAME_TO_USE="${CUSTOM_HOSTNAME:-$DEFAULT_HOSTNAME}"
+
+echo
+echo "Connecting this device to Headscale:"
+echo "  Server : ${HEADSCALE_URL}"
+echo "  Host   : ${HOSTNAME_TO_USE}"
+echo
+
+TS_CMD=(
+  "$TAILSCALE_BIN" up
+  --reset
+  --login-server="${HEADSCALE_URL}"
+  --auth-key="${AUTHKEY}"
+  --hostname="${HOSTNAME_TO_USE}"
+)
+
+if [[ $EUID -ne 0 ]]; then
+  echo "Running: sudo ${TS_CMD[*]}"
+  sudo "${TS_CMD[@]}"
+else
+  echo "Running: ${TS_CMD[*]}"
+  "${TS_CMD[@]}"
+fi
+
+echo
+echo "✅ Done! This device should now be visible in Headscale."
--- a/install.sh
+++ b/install.sh
@ -0,0 +1,119 @@
+#!/bin/bash
+set -e
+
+# ===============================================================
+#  Headscale Self-Hosted Installation Script
+#  Compatible with Traefik (network: traefik_default)
+# ===============================================================
+
+# --- Configuration ---
+DOMAIN="headscale.rozic-dev.com"
+EMAIL="your@email.com"     # For Let's Encrypt via Traefik
+NETWORK="traefik_default"
+INSTALL_DIR="/home/Dejan/Docker/Headscale"
+
+# --- Create folders ---
+echo "📁 Creating folder structure..."
+mkdir -p "${INSTALL_DIR}/config" "${INSTALL_DIR}/data"
+cd "${INSTALL_DIR}"
+
+# --- Create config.yaml ---
+echo "📝 Creating Headscale config file..."
+cat > "${INSTALL_DIR}/config/config.yaml" <<EOF
+server_url: https://${DOMAIN}
+listen_addr: 0.0.0.0:8080
+prefixes:
+  v4: 100.64.0.0/10
+  v6: fd7a:115c:a1e0::/48
+derp:
+  server:
+    enabled: true
+    region_id: 999
+    region_code: slovenia
+    region_name: "Headscale Slovenia"
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+dns_config:
+  nameservers:
+    - 1.1.1.1
+    - 8.8.8.8
+log_level: info
+ip_prefixes:
+  v4: 100.64.0.0/10
+  v6: fd7a:115c:a1e0::/48
+EOF
+
+# --- Create docker-compose.yml ---
+echo "🐳 Creating docker-compose.yml..."
+cat > "${INSTALL_DIR}/docker-compose.yml" <<'EOF'
+version: "3.8"
+
+x-default: &default
+  restart: unless-stopped
+  networks:
+    - traefik
+  logging:
+    driver: json-file
+    options:
+      max-size: 50m
+      max-file: "2"
+
+services:
+  headscale:
+    <<: *default
+    image: headscale/headscale:latest
+    container_name: headscale
+    command: serve
+    environment:
+      - HEADSCALE_LOG_LEVEL=info
+      - HEADSCALE_SERVER_URL=https://headscale.rozic-dev.com
+      - HEADSCALE_LISTEN_ADDR=0.0.0.0:8080
+      - HEADSCALE_DB_TYPE=sqlite3
+      - HEADSCALE_DB_PATH=/var/lib/headscale/db.sqlite
+      - HEADSCALE_EPHEMERAL_NODE_INACTIVITY_TIMEOUT=30m
+    volumes:
+      - ./data:/var/lib/headscale
+      - ./config:/etc/headscale
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.headscale.rule=Host(`headscale.rozic-dev.com`)"
+      - "traefik.http.routers.headscale.entrypoints=websecure"
+      - "traefik.http.routers.headscale.tls.certresolver=letsencrypt"
+      - "traefik.http.services.headscale.loadbalancer.server.port=8080"
+
+networks:
+  traefik:
+    external: true
+    name: traefik_default
+EOF
+
+# --- Start container ---
+echo "🚀 Starting Headscale container..."
+docker compose up -d
+
+# --- Wait for container startup ---
+sleep 5
+
+# --- Create user and auth key ---
+echo "👤 Creating default Headscale user..."
+docker exec -it headscale headscale users create dejan || true
+
+echo "🔑 Creating reusable pre-auth key..."
+docker exec -it headscale headscale preauthkeys create --user dejan --reusable --ephemeral=false
+
+echo
+echo "✅ Headscale is now running!"
+echo "🌍 URL: https://${DOMAIN}"
+echo "💡 To connect a client:"
+echo "    tailscale up --login-server https://${DOMAIN} --authkey <KEY>"
+echo
+EOF
+
+---
+
+## 🧠 Usage
+
+1. Copy this file to your server, e.g.:
+
+```bash
+nano install.sh
--- a/1
+++ b/1
@ -0,0 +1 @@
+1. -F1mrl1.xK7SrZqjJ2mEHUN1HP0Rj-YHkED179tN
--- a/lib/db.sqlite
+++ b/lib/db.sqlite
--- a/lib/db.sqlite-shm
+++ b/lib/db.sqlite-shm
--- a/lib/db.sqlite-wal
+++ b/lib/db.sqlite-wal
--- a/lib/noise_private.key
+++ b/lib/noise_private.key
@ -0,0 +1 @@
+privkey:78376c92546f9fecdffd10e45dd95e2d56e88c3a8a890843c1439a13b3d16a47
				`@ -0,0 +1 @@`
				`privkey:70c34ac681bd47a23e573560825f98c9cef03b6b02e6656b57b9d98f75fe1a58`
				`@ -0,0 +1 @@`
				`privkey:78376c92546f9fecdffd10e45dd95e2d56e88c3a8a890843c1439a13b3d16a47`