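# Headplane Configuration - Reference Copy
# ==========================================
# Live file location on Calypso: /volume1/docker/headscale/headplane/config.yaml
# This file is NOT auto-deployed - must be manually placed on Calypso.
#
# To deploy/update config on Calypso:
#   scp -P 62000 headplane-config.yaml Vish@100.103.48.78:/volume1/docker/headscale/headplane/config.yaml
#   docker restart headplane
#
# Secrets are redacted here - see Authentik provider pk=16 (app slug=headplane) for OIDC creds.
# Headscale API key managed via: docker exec headscale headscale apikeys list
#
# NOTE: every "REDACTED_*" value below is a placeholder. Copying this reference
# file over the live config as-is replaces the real secrets with placeholders,
# so fill them in on a working copy first and keep that filled-in copy out of
# version control. The live file holds the cookie secret, the OIDC client
# secret and a Headscale API key; it should be readable only by the account
# that runs the container.
---
headscale:
  # Internal Docker network URL - headplane and headscale share headscale-net
  # NOTE(review): this hop is plain HTTP, so the API key crosses headscale-net
  # unencrypted. That is only acceptable while no other containers are
  # attached to that network - confirm against the compose file.
  url: http://headscale:8080
  # Path to headscale config inside the container (shared volume mount)
  config_path: /etc/headscale/config.yaml

server:
  # Listens on every interface inside the container. Which hosts can actually
  # reach port 3000 is decided by the published ports / reverse proxy, which
  # are not part of this file - verify only the TLS front end on :8443 does.
  host: 0.0.0.0
  port: 3000
  # Public URL used for OIDC redirect URIs - must include :8443, no /admin suffix
  base_url: https://headscale.vish.gg:8443
  # Must be EXACTLY 32 characters: openssl rand -base64 24 | tr -d '=\n'
  # (24 random bytes encode to exactly 32 base64 characters with no padding.)
  # Changing this value invalidates existing sessions.
  cookie_secret: "REDACTED_SEE_CALYPSO"  # pragma: allowlist secret

oidc:
  # Authentik OIDC provider pk=16, app slug=headplane
  issuer: https://sso.vish.gg/application/o/headplane/
  client_id: "REDACTED_CLIENT_ID"  # pragma: allowlist secret
  client_secret: "REDACTED_CLIENT_SECRET"  # pragma: allowlist secret
  # Headscale API key used by Headplane during the OIDC auth flow
  # Generate: docker exec headscale headscale apikeys create --expiration 999d
  # 999d is close to three years: a copy of this key stays usable for that
  # long if it leaks. Prefer a shorter expiration with a rotation reminder,
  # and expire any key that is no longer referenced by the live config.
  headscale_api_key: "REDACTED_API_KEY"  # pragma: allowlist secret

integration:
  docker:
    # Enables Settings and DNS UI by allowing Headplane to restart headscale
    # after config changes via the read-only Docker socket mount
    # A read-only bind mount protects only the socket file itself; it does not
    # limit which Docker API calls can be sent through it. Treat access to the
    # Headplane container as equivalent to control of the Docker daemon on this
    # host, and consider a filtering socket proxy that permits only the calls
    # needed to find and restart the headscale container.
    enabled: true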