server_url: "https://{{ headscale_domain }}"
listen_addr: 0.0.0.0:8080
grpc_listen_addr: 0.0.0.0:50443
grpc_allow_insecure: false

private_key_path: /var/lib/headscale/private.key
noise:
  private_key_path: /var/lib/headscale/noise_private.key

prefixes:
  v6: fd7a:115c:a1e0::/48
  v4: 100.64.0.0/10
  allocation: sequential

derp:
  server:
    enabled: false
  urls:
    - https://controlplane.tailscale.com/derpmap/default
  auto_update_enabled: true
  update_frequency: 24h

disable_check_updates: true
ephemeral_node_inactivity_timeout: 30m

database:
  type: sqlite
  sqlite:
    path: /var/lib/headscale/db.sqlite

log:
  format: text
  level: info

dns:
  magic_dns: true
  base_domain: "{{ base_domain }}"
  nameservers:
    global:
      - 1.1.1.1
      - 8.8.8.8

oidc:
  only_start_if_oidc_is_available: true
  issuer: "https://{{ authentik_domain }}/application/o/headscale/"
  client_id: "headscale"
  client_secret: "changeme_headscale_oidc_secret"
  scope: ["openid", "profile", "email"]
  extra_params:
    domain_hint: "{{ base_domain }}"