chore: update to headscale beta for compose dev

2024-08-04 11:33:11 -04:00 · 2024-08-04 11:33:11 -04:00 · 224cbbdcaf
commit 224cbbdcaf
parent 75ba3a3dc7
2 changed files with 44 additions and 40 deletions
--- a/compose.yaml
+++ b/compose.yaml
@ -2,14 +2,13 @@
 # IT IS NOT AN EXAMPLE OF SOMETHING YOU DEPLOY
 # I ONLY USE IT FOR DEVELOPING HEADPLANE

-version: '3.9'
 networks:
  headplane-dev:
    name: 'headplane-dev'
    driver: 'bridge'
 services:
  headscale:
-    image: 'headscale/headscale:0.23.0-alpha5'
+    image: 'headscale/headscale:0.23.0-beta1'
    container_name: 'headscale'
    restart: 'unless-stopped'
    command: 'serve'
--- a/test/config.yaml
+++ b/test/config.yaml
@ -186,7 +186,8 @@ log:
 # Path to a file containg ACL policies.
 # ACLs can be defined as YAML or HUJSON.
 # https://tailscale.com/kb/1018/acls/
-acl_policy_path: /etc/headscale/acl.json
+policy:
+  mode: 'database'

 ## DNS
 #
@ -253,6 +254,10 @@ dns_config:
  # The FQDN of the hosts will be
  # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
  base_domain: ts.net
+  extra_records:
+    - name: test.example.com
+      type: A
+      value: 1.1.1.1

 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
@ -268,46 +273,46 @@ oidc:
  issuer: "https://sso.example.com"
  client_id: "headscale"
  client_secret: "super_secret_client_secret"
-#   # Alternatively, set `client_secret_path` to read the secret from the file.
-#   # It resolves environment variables, making integration to systemd's
-#   # `LoadCredential` straightforward:
-#   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
-#   # client_secret and client_secret_path are mutually exclusive.
-#
-#   # The amount of time from a node is authenticated with OpenID until it
-#   # expires and needs to reauthenticate.
-#   # Setting the value to "0" will mean no expiry.
+  #   # Alternatively, set `client_secret_path` to read the secret from the file.
+  #   # It resolves environment variables, making integration to systemd's
+  #   # `LoadCredential` straightforward:
+  #   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
+  #   # client_secret and client_secret_path are mutually exclusive.
+  #
+  #   # The amount of time from a node is authenticated with OpenID until it
+  #   # expires and needs to reauthenticate.
+  #   # Setting the value to "0" will mean no expiry.
  expiry: 180d
-#
-#   # Use the expiry from the token received from OpenID when the user logged
-#   # in, this will typically lead to frequent need to reauthenticate and should
-#   # only been enabled if you know what you are doing.
-#   # Note: enabling this will cause `oidc.expiry` to be ignored.
-#   use_expiry_from_token: false
-#
-#   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
-#   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
-#
-#   scope: ["openid", "profile", "email", "custom"]
-#   extra_params:
-#     domain_hint: example.com
-#
-#   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
-#   # authentication request will be rejected.
-#
+  #
+  #   # Use the expiry from the token received from OpenID when the user logged
+  #   # in, this will typically lead to frequent need to reauthenticate and should
+  #   # only been enabled if you know what you are doing.
+  #   # Note: enabling this will cause `oidc.expiry` to be ignored.
+  #   use_expiry_from_token: false
+  #
+  #   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
+  #   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+  #
+  #   scope: ["openid", "profile", "email", "custom"]
+  #   extra_params:
+  #     domain_hint: example.com
+  #
+  #   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
+  #   # authentication request will be rejected.
+  #
  allowed_domains:
    - example.com
-#   # Note: Groups from keycloak have a leading '/'
-#   allowed_groups:
-#     - /headscale
-#   allowed_users:
-#     - alice@example.com
-#
-#   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
-#   # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
-#   # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
-#   user: `first-name.last-name.example.com`
-#
+  #   # Note: Groups from keycloak have a leading '/'
+  #   allowed_groups:
+  #     - /headscale
+  #   allowed_users:
+  #     - alice@example.com
+  #
+  #   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
+  #   # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
+  #   # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
+  #   user: `first-name.last-name.example.com`
+  #
  strip_email_domain: true

 # Logtail configuration