From 224cbbdcafbddb27ad499d763b6a49647c4c9821 Mon Sep 17 00:00:00 2001
From: Aarnav Tale
Date: Sun, 4 Aug 2024 11:33:11 -0400
Subject: [PATCH] chore: update to headscale beta for compose dev

---
 compose.yaml     |  3 +-
 test/config.yaml | 81 +++++++++++++++++++++++++-----------------------
 2 files changed, 44 insertions(+), 40 deletions(-)

diff --git a/compose.yaml b/compose.yaml
index 8c6ec7e..333dbf7 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -2,14 +2,13 @@
 # IT IS NOT AN EXAMPLE OF SOMETHING YOU DEPLOY
 # I ONLY USE IT FOR DEVELOPING HEADPLANE
 
-version: '3.9'
 networks:
   headplane-dev:
     name: 'headplane-dev'
     driver: 'bridge'
 services:
   headscale:
-    image: 'headscale/headscale:0.23.0-alpha5'
+    image: 'headscale/headscale:0.23.0-beta1'
     container_name: 'headscale'
     restart: 'unless-stopped'
     command: 'serve'
diff --git a/test/config.yaml b/test/config.yaml
index 57d4821..d5e10f0 100644
--- a/test/config.yaml
+++ b/test/config.yaml
@@ -186,7 +186,8 @@ log:
 # Path to a file containg ACL policies.
 # ACLs can be defined as YAML or HUJSON.
 # https://tailscale.com/kb/1018/acls/
-acl_policy_path: /etc/headscale/acl.json
+policy:
+  mode: 'database'
 
 ## DNS
 #
@@ -253,6 +254,10 @@ dns_config:
   # The FQDN of the hosts will be
   # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
   base_domain: ts.net
+  extra_records:
+    - name: test.example.com
+      type: A
+      value: 1.1.1.1
 
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
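Review bot: The three comment lines kept directly above the new `policy:` block still describe a file path (`# Path to a file containg ACL policies.`), which no longer matches `mode: 'database'`, where the ACL policy lives in headscale's database and is set through its CLI/API instead of being read from a file. Replace them with a comment that states the new contract, e.g. `# ACL policy source: 'database' keeps the policy in headscale's DB; 'file' reads it from policy.path.` (the `file` mode and `policy.path` key exist in the 0.23 config, but confirm against the beta1 example config). If compose.yaml still mounts an acl.json into the container, that file is now silently ignored — the volumes are outside this patch, so worth checking.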
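Review bot: The new `extra_records` fixture points `test.example.com` at `1.1.1.1`, a live public resolver, so any node that picks up this test config resolves a test name to a real third-party host. A reserved documentation address keeps the fixture inert, e.g. `value: '192.0.2.1'` (RFC 5737 TEST-NET-1), and a one-line comment above the entry such as `# test-only record; not a real service` makes the intent clear to whoever copies this config. The `dns_config:` mapping continues outside the hunk.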
@@ -268,46 +273,46 @@ oidc:
   issuer: "https://sso.example.com"
   client_id: "headscale"
   client_secret: "super_secret_client_secret"
-# # Alternatively, set `client_secret_path` to read the secret from the file.
-# # It resolves environment variables, making integration to systemd's
-# # `LoadCredential` straightforward:
-# client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
-# # client_secret and client_secret_path are mutually exclusive.
-#
-# # The amount of time from a node is authenticated with OpenID until it
-# # expires and needs to reauthenticate.
-# # Setting the value to "0" will mean no expiry.
+  # # Alternatively, set `client_secret_path` to read the secret from the file.
+  # # It resolves environment variables, making integration to systemd's
+  # # `LoadCredential` straightforward:
+  # client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
+  # # client_secret and client_secret_path are mutually exclusive.
+  #
+  # # The amount of time from a node is authenticated with OpenID until it
+  # # expires and needs to reauthenticate.
+  # # Setting the value to "0" will mean no expiry.
   expiry: 180d
-#
-# # Use the expiry from the token received from OpenID when the user logged
-# # in, this will typically lead to frequent need to reauthenticate and should
-# # only been enabled if you know what you are doing.
-# # Note: enabling this will cause `oidc.expiry` to be ignored.
-# use_expiry_from_token: false
-#
-# # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
-# # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
-#
-# scope: ["openid", "profile", "email", "custom"]
-# extra_params:
-#   domain_hint: example.com
-#
-# # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
-# # authentication request will be rejected.
-#
+  #
+  # # Use the expiry from the token received from OpenID when the user logged
+  # # in, this will typically lead to frequent need to reauthenticate and should
+  # # only been enabled if you know what you are doing.
+  # # Note: enabling this will cause `oidc.expiry` to be ignored.
+  # use_expiry_from_token: false
+  #
+  # # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
+  # # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+  #
+  # scope: ["openid", "profile", "email", "custom"]
+  # extra_params:
+  #   domain_hint: example.com
+  #
+  # # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
+  # # authentication request will be rejected.
+  #
   allowed_domains:
     - example.com
-# # Note: Groups from keycloak have a leading '/'
-# allowed_groups:
-#   - /headscale
-# allowed_users:
-#   - alice@example.com
-#
-# # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
-# # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
-# # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
-# user: `first-name.last-name.example.com`
-#
+  # # Note: Groups from keycloak have a leading '/'
+  # allowed_groups:
+  #   - /headscale
+  # allowed_users:
+  #   - alice@example.com
+  #
+  # # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
+  # # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
+  # # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
+  # user: `first-name.last-name.example.com`
+  #
   strip_email_domain: true
 
 # Logtail configuration