Headscale

services.headscale.address

Listening address of headscale.

Type: string

Default

"127.0.0.1"

Example

"0.0.0.0"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.enable

Whether to enable headscale, Open Source coordination server for Tailscale.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.group

Group under which headscale runs.

Note: If left as the default value this group will automatically be created on system activation, otherwise you are responsible for ensuring the group exists before the headscale service starts.

Type: string

Default

"headscale"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.package

The headscale package to use.

Type: package

Default

pkgs.headscale

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.port

Listening port of headscale.

Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default

8080

Example

443

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings

Overrides to config.yaml as a Nix attribute set. Check the example config for possible options.

Type: YAML value

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.acl_policy_path

Path to a file containing ACL policies.

Type: null or path

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.db_host

Database host address.

Type: null or string

Default

null

Example

"127.0.0.1"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.db_name

Database name.

Type: null or string

Default

null

Example

"headscale"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.db_password_file

A file containing the password corresponding to database.user.

Type: null or path

Default

null

Example

"/run/keys/headscale-dbpassword"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.db_path

Path to the sqlite3 database file.

Type: null or string

Default

"/var/lib/headscale/db.sqlite"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.db_port

Database host port.

Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)

Default

null

Example

3306

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.db_type

Database engine to use.

Type: one of "sqlite3", "postgres"

Default

"sqlite3"

Example

"postgres"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.db_user

Database user.

Type: null or string

Default

null

Example

"headscale"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.derp.auto_update_enable

Whether to automatically update DERP maps on a set frequency.

Type: boolean

Default

true

Example

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.derp.paths

List of file paths containing DERP maps. See How Tailscale works for more information on DERP maps.

Type: list of path

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.derp.update_frequency

Frequency to update DERP maps.

Type: string

Default

"24h"

Example

"5m"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.derp.urls

List of URLs containing DERP maps. See How Tailscale works for more information on DERP maps.

Type: list of string

Default

["https://controlplane.tailscale.com/derpmap/default"]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.dns_config.base_domain

Defines the base domain to create the hostnames for MagicDNS. baseDomain must be an FQDN, without the trailing dot. The FQDN of the hosts will be hostname.namespace.base_domain (e.g. myhost.mynamespace.example.com).

Type: string

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.dns_config.domains

Search domains to inject into Tailscale clients.

Type: list of string

Default

[ ]

Example

["mydomain.internal"]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.dns_config.magic_dns

Whether to use MagicDNS. Only works if there is at least one nameserver defined.

Type: boolean

Default

true

Example

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.dns_config.nameservers

List of nameservers to pass to Tailscale clients.

Type: list of string

Default

["1.1.1.1"]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.dns_config.override_local_dns

Whether to override local DNS.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.ephemeral_node_inactivity_timeout

Time before an inactive ephemeral node is deleted.

Type: string

Default

"30m"

Example

"5m"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.log.format

headscale log format.

Type: string

Default

"text"

Example

"json"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.log.level

headscale log level.

Type: string

Default

"info"

Example

"debug"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.noise.private_key_path

Path to noise private key file, generated automatically if it does not exist.

Type: path

Default

"/var/lib/headscale/noise_private.key"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.oidc.allowed_domains

Allowed principal domains. If an authenticated user's domain is not in this list, the authentication request will be rejected.

Type: list of string

Default

[ ]

Example

["example.com"]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.oidc.allowed_users

Users allowed to authenticate even if not in allowedDomains.

Type: list of string

Default

[ ]

Example

["alice@example.com"]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.oidc.client_id

OpenID Connect client ID.

Type: string

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.oidc.client_secret_path

Path to OpenID Connect client secret file. Expands environment variables in format ${VAR}.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.oidc.extra_params

Custom query parameters to send with the Authorize Endpoint request.

Type: attribute set of string

Default

{ }

Example

{domain_hint = "example.com";}

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.oidc.issuer

URL to OpenID issuer.

Type: string

Default

""

Example

"https://openid.example.com"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.oidc.scope

Scopes used in the OIDC flow.

Type: list of string

Default

["openid" "profile" "email"]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.oidc.strip_email_domain

Whether the domain part of the email address should be removed when generating namespaces.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.private_key_path

Path to private key file, generated automatically if it does not exist.

Type: path

Default

"/var/lib/headscale/private.key"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.server_url

The URL clients will connect to.

Type: string

Default

"http://127.0.0.1:8080"

Example

"https://myheadscale.example.com:443"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.tls_cert_path

Path to already created certificate.

Type: null or path

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.tls_key_path

Path to key for already created certificate.

Type: null or path

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.tls_letsencrypt_challenge_type

Type of ACME challenge to use, currently supported types: HTTP-01 or TLS-ALPN-01.

Type: one of "TLS-ALPN-01", "HTTP-01"

Default

"HTTP-01"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.tls_letsencrypt_hostname

Domain name to request a TLS certificate for.

Type: null or string

Default

""

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.settings.tls_letsencrypt_listen

When the HTTP-01 challenge is chosen, letsencrypt must set up a verification endpoint, and it will listen on this address (:http = port 80).

Type: null or string

Default

":http"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix

services.headscale.user

User account under which headscale runs.

Note: If left as the default value this user will automatically be created on system activation, otherwise you are responsible for ensuring the user exists before the headscale service starts.

Type: string

Default

"headscale"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/services/networking/headscale.nix