# CONTAINER VERSIONS (PINNING)
# NOTE: "latest" is a floating tag, not a pin — the image behind it changes
# silently on every pull. For a reproducible (and reviewable) deployment set an
# explicit release tag, or an image digest, for each of the three images below.
HEADSCALE_VERSION=latest
CADDY_VERSION=latest
CROWDSEC_VERSION=latest
# OPTIONAL Set your timezone (e.g., "America/New_York", "Europe/London", "Asia/Tokyo")
# TZ=Europe/Rome
# CADDY & CROWDSEC & CLOUDFLARE
# This file is the template: copy it to .env and fill in the real values there.
# The filled-in .env holds credentials (API token, bouncer key, OIDC client
# secret, notification token) and must stay out of version control.
# Cloudflare API token — presumably used by Caddy for the Cloudflare DNS
# challenge (confirm in the Caddyfile). Scope it to the single zone it needs.
CF_API_TOKEN=
# API key the CrowdSec engine issues for the Caddy bouncer
# (e.g. `cscli bouncers add <name>`); replace the placeholder with that key.
CROWDSEC_BOUNCER_KEY=INSERT_GENERATED_KEY_HERE
# Public hostname is presumably SUBDOMAIN.DOMAIN (vpn.example.com with these
# defaults) — confirm in the Caddyfile.
DOMAIN=example.com
SUBDOMAIN=vpn
# GEOIP FILTERING
# Set the allowed country codes (ISO 3166-1 alpha-2), separated by spaces.
# E.g.: IT (Italy), CH (Switzerland), US (United States), etc.
# Requests from any country not listed are blocked, so include every country
# your clients connect from.
ALLOWED_COUNTRIES="IT CH US"
# CROWDSEC NOTIFICATIONS NTFY / GOTIFY (OPTIONAL)
# To enable, copy the values for your service into the three active variables
# at the end of this section. The indented lines are explanations only and are
# not part of the value.
# IF USING NTFY:
# CROWDSEC_NOTIFY_URL=https://ntfy.sh/topic
# CROWDSEC_NOTIFY_AUTH_HEADER=Authorization
#   (only needed if the topic requires authentication)
# CROWDSEC_NOTIFY_AUTH_TOKEN="Bearer TOKEN"
#   (leave blank if the topic is public)
#
# IF USING GOTIFY:
# CROWDSEC_NOTIFY_URL=https://gotify.domain.com/message
# CROWDSEC_NOTIFY_AUTH_HEADER=X-Gotify-Key
# CROWDSEC_NOTIFY_AUTH_TOKEN="app token"
# You can also use other services that support a simple HTTP POST with custom headers; just adapt the variables accordingly.
# Note: If you don't want to use notifications, just leave the variables empty as they are by default.
# The auth token is a credential: treat it like the other secrets in this file.
CROWDSEC_NOTIFY_URL=
CROWDSEC_NOTIFY_AUTH_HEADER=
CROWDSEC_NOTIFY_AUTH_TOKEN=
# HEADSCALE MagicDNS or your custom domain
# NOTE(review): headscale expects this base domain to differ from the public
# DOMAIN above — confirm against the headscale configuration reference.
HEADSCALE_DNS_BASE_DOMAIN=ts.net
# HEADSCALE Log level (trace, debug, info, warn, error)
# debug/trace are very verbose and may write request details to the logs;
# keep info (or warn) in production and raise it only while troubleshooting.
HEADSCALE_LOG_LEVEL=info
# HEADSCALE OIDC AUTHENTICATION (OPTIONAL, RECOMMENDED FOR PUBLIC DEPLOYMENTS)
# With "true" headscale presumably refuses to start when the issuer below is
# unreachable instead of silently running without OIDC — confirm against the
# headscale docs. Leave it true so a misconfigured IdP fails closed.
HEADSCALE_OIDC_ONLY_START_IF_OIDC_IS_AVAILABLE=true
# Must match the "issuer" value of the IdP's OIDC discovery document exactly.
HEADSCALE_OIDC_ISSUER=https://accounts.google.com
HEADSCALE_OIDC_CLIENT_ID=client_id
# Credential — replace the placeholder in .env only, never here.
HEADSCALE_OIDC_CLIENT_SECRET=client_secret
# ==========================================
# OIDC WHITELIST (ACCESS CONTROL)
# ==========================================
# IMPORTANT: Choose ONLY ONE of the following methods to restrict access.
# Uncomment the one you want to use and leave the others commented out.
# Keep one method active: with none of the three set, any account that can
# authenticate at the issuer (for accounts.google.com, any Google account)
# would presumably be accepted — confirm against the headscale docs.
# Method 1: Allowed Users (Best for families/friends using public IdPs like Google)
# This is the method enabled by default in this template.
HEADSCALE_OIDC_ALLOWED_USERS="email1@gmail.com email2@gmail.com"
# Method 2: Allowed Domains (Best if you have a Google Workspace or custom domain IdP)
# WARNING: Never use public domains like "gmail.com" here!
#HEADSCALE_OIDC_ALLOWED_DOMAINS="yourcompany.com internal.org"
# Method 3: Allowed Groups (Best for Authentik, Keycloak, or Authelia with RBAC)
# Requires the IdP to include a groups claim in the token — confirm the claim
# name your IdP emits.
#HEADSCALE_OIDC_ALLOWED_GROUPS="headscale-admins vpn-users"