Sanitized mirror from private repository - 2026-04-18 11:19:59 UTC

hosts/synology/calypso/headplane-config.yaml

@@ -0,0 +1,40 @@
+# Headplane Configuration - Reference Copy
+# ==========================================
+# Live file location on Calypso: /volume1/docker/headscale/headplane/config.yaml
+# This file is NOT auto-deployed - must be manually placed on Calypso.
+#
+# To deploy/update config on Calypso:
+#   scp -P 62000 headplane-config.yaml Vish@100.103.48.78:/volume1/docker/headscale/headplane/config.yaml
+#   docker restart headplane
+#
+# Secrets are redacted here - see Authentik provider pk=16 (app slug=headplane) for OIDC creds.
+# Headscale API key managed via: docker exec headscale headscale apikeys list
+
+headscale:
+  # Internal Docker network URL - headplane and headscale share headscale-net
+  url: http://headscale:8080
+  # Path to headscale config inside the container (shared volume mount)
+  config_path: /etc/headscale/config.yaml
+
+server:
+  host: 0.0.0.0
+  port: 3000
+  # Public URL used for OIDC redirect URIs - must include :8443, no /admin suffix
+  base_url: https://headscale.vish.gg:8443
+  # Must be EXACTLY 32 characters: openssl rand -base64 24 | tr -d '=\n'
+  cookie_secret: "REDACTED_SEE_CALYPSO"  # pragma: allowlist secret
+
+oidc:
+  # Authentik OIDC provider pk=16, app slug=headplane
+  issuer: https://sso.vish.gg/application/o/headplane/
+  client_id: "REDACTED_CLIENT_ID"  # pragma: allowlist secret
+  client_secret: "REDACTED_CLIENT_SECRET"  # pragma: allowlist secret
+  # Headscale API key used by Headplane during the OIDC auth flow
+  # Generate: docker exec headscale headscale apikeys create --expiration 999d
+  headscale_api_key: "REDACTED_API_KEY"  # pragma: allowlist secret
+
+integration:
+  docker:
+    # Enables Settings and DNS UI by allowing Headplane to restart headscale
+    # after config changes via the read-only Docker socket mount
+    enabled: true