Index: config-example.yaml
--- config-example.yaml.orig
+++ config-example.yaml
@@ -44,7 +44,7 @@ grpc_allow_insecure: false
 # and Tailscale clients.
 # The private key file will be autogenerated if it's missing.
 #
-private_key_path: /var/lib/headscale/private.key
+private_key_path: ${SYSCONFDIR}/headscale/private.key
 
 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol
@@ -53,7 +53,7 @@ noise:
 # traffic between headscale and Tailscale clients when
 # using the new Noise-based protocol. It must be different
 # from the legacy private key.
- private_key_path: /var/lib/headscale/noise_private.key
+ private_key_path: ${SYSCONFDIR}/headscale/noise_private.key
 
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
@@ -106,7 +106,8 @@ derp:
 #
 # paths:
 # - /etc/headscale/derp-example.yaml
- paths: []
+ paths:
+ - ${SYSCONFDIR}/headscale/derp.yaml
 
 # If enabled, a worker will be set up to periodically
 # refresh the given sources and update the derpmap
@@ -132,7 +133,7 @@ node_update_check_interval: 10s
 db_type: sqlite3
 
 # For production:
-db_path: /var/lib/headscale/db.sqlite
+db_path: ${LOCALSTATEDIR}/db/headscale/db.sqlite
 
 # # Postgres config
 # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
@@ -166,7 +167,7 @@ tls_letsencrypt_hostname: ""
 # Path to store certificates and metadata needed by
 # letsencrypt
 # For production:
-tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+tls_letsencrypt_cache_dir: ${LOCALSTATEDIR}/db/headscale/cache
 
 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
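Review bot: Moving `private_key_path` (hunk at -44) and `noise.private_key_path` (hunk at -53) into `${SYSCONFDIR}/headscale` places daemon-generated secrets in the configuration directory. The comment in the first hunk says the key file is autogenerated if missing, so the service account would need write access to that directory, which by the later derp hunk also holds the DERP map and presumably the main config; a configuration directory is also more likely to be world-readable or swept into config backups. I would keep both keys with the other state, `private_key_path: ${LOCALSTATEDIR}/db/headscale/private.key` and `private_key_path: ${LOCALSTATEDIR}/db/headscale/noise_private.key`, or at least add a comment stating that the directory must be owned by the service user and not readable by others. How the package creates and owns these directories is not visible in this patch.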
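Review bot: In the derp hunk at -106, `paths:` now names `${SYSCONFDIR}/headscale/derp.yaml` unconditionally where the shipped default was an empty list, and nothing in the hunk says where that file comes from. If the package does not install it, headscale may fail or log errors when loading the DERP map; that loader is outside this patch, so this needs confirming. Because the file determines which relay servers clients are directed to, it should be root-owned and not writable by the service account, which conflicts with making the same directory writable for key autogeneration. The commented example directly above still shows `/etc/headscale/derp-example.yaml`; a line such as `# Local DERP map installed by the package; remove this entry if you do not run your own DERP server` would explain the new default.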
@@ -256,7 +257,7 @@ dns_config:
 
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
-unix_socket: /var/run/headscale/headscale.sock
+unix_socket: ${LOCALSTATEDIR}/run/headscale.sock
 unix_socket_permission: "0770"
 #
 # headscale supports experimental OpenID connect support,
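Review bot: The new `unix_socket` value drops the dedicated `headscale/` subdirectory and puts the socket directly in `${LOCALSTATEDIR}/run`. The comment above describes this socket as the CLI channel that works without authentication, so filesystem permissions are its only access control. A shared run directory is normally root-owned, so an unprivileged daemon could not create the socket there, and running the service as root to do so would be a step backwards. I would keep a per-service directory, `unix_socket: ${LOCALSTATEDIR}/run/headscale/headscale.sock`, created by the service script with the service user as owner and mode 0750, so the directory permissions back up `unix_socket_permission: "0770"`. Which account the daemon runs as is not visible in this patch.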