privacyint · EdGeraghty · Nov 5, 2025 · Aug 24, 2025 · Aug 24, 2025 · Aug 25, 2025
diff --git a/Dockerfile b/Dockerfile
@@ -4,8 +4,8 @@
 # Tool version arguments
 # Bump these every time there is a new release.
 # We're pulling these from github source, don't forget to bump the checksum!
-ARG HEADSCALE_VERSION="0.26.1"
-ARG HEADSCALE_SHA256="5012577e6fc5d4234aab7b4be0d6e271ea1a4ec38521a8aa472f80ea1fe81cba"
+ARG HEADSCALE_VERSION="0.27.0"
+ARG HEADSCALE_SHA256="d7f61f8078c6c1767b30bf8166b714fe15f4bf72162d4c2619b2f69280a597a5"
 
 ARG LITESTREAM_VERSION="0.5.2"
 ARG LITESTREAM_SHA256="235da234edd2c7140b702f1a53ecdad996040b7afaf03b4dcf9620d7998cd830"

diff --git a/README.md b/README.md
@@ -7,7 +7,7 @@ Deploy [Headscale][headscale-wob] using a "serverless" immutable docker image wi
 | Tool | Upstream Repository | Version |
 |---|---|---|
 | [`Alpine Linux`][alpine-linux-wob] | [Alpine Linux Repo][alpine-linux-repo] | [`v3.22.1`](https://git.alpinelinux.org/aports/log/?h=v3.22.1) |
-| [`Headscale`][headscale-wob] | [Headscale Repo][headscale-repo] | [`v0.26.1`](https://github.com/juanfont/headscale/releases/tag/v0.26.1) |
+| [`Headscale`][headscale-wob] | [Headscale Repo][headscale-repo] | [`v0.27.0`](https://github.com/juanfont/headscale/releases/tag/v0.27.0) |
 | [`Headscale-Admin`][headscale-admin-wob] | [Headscale-Admin Repo][headscale-admin-repo] | [`0.26.0`](https://github.com/GoodiesHQ/headscale-admin/commit/6cf2bc7d59165757a70f4c918a032225eb5e6e7d) |
 | [`Litestream`][litestream-wob] | [Litestream Repo][litestream-repo] | [`v0.5.2`](https://github.com/benbjohnson/litestream/releases/tag/v0.5.2) |
 | [`Caddy`][caddy-wob] | [Caddy Repo][caddy-repo] | [`v2.10.2`](https://github.com/caddyserver/caddy/releases/tag/v2.10.2) |

diff --git a/scripts/container-entrypoint.sh b/scripts/container-entrypoint.sh
@@ -170,35 +170,34 @@ check_headscale_environment_vars() {
 	check_litestream_replica_url
 	validate_oidc_settings
 	validate_extra_records
-	check_env_var_or_set_default "MAGIC_DNS" "${headscale_magic_dns_default}" "^(true|false)$" "Invalid 'MAGIC_DNS'. Must be 'true' or 'false'."
-	check_env_var_or_set_default "IPV6_PREFIX" "${headscale_ipv6_prefix_default}"
-	check_env_var_or_set_default "IPV4_PREFIX" "${headscale_ipv4_prefix_default}"
+	check_env_var_or_set_default "HEADSCALE_OVERRIDE_LOCAL_DNS" "true" "^(true|false)$" "Invalid 'HEADSCALE_OVERRIDE_LOCAL_DNS'. Must be 'true' (default) or 'false'."
 	check_env_var_or_set_default "IP_ALLOCATION" "${headscale_ip_allocation_default}" "^(sequential|random)$" "Invalid 'IP_ALLOCATION'. Must be either 'sequential' (default) or 'random'."
+	check_env_var_or_set_default "IPV4_PREFIX" "${headscale_ipv4_prefix_default}"
+	check_env_var_or_set_default "IPV6_PREFIX" "${headscale_ipv6_prefix_default}"
+	check_env_var_or_set_default "MAGIC_DNS" "${headscale_magic_dns_default}" "^(true|false)$" "Invalid 'MAGIC_DNS'. Must be 'true' or 'false'."
 	require_env_var "PUBLIC_SERVER_URL"
 	require_env_var "HEADSCALE_DNS_BASE_DOMAIN"
-	#This is for the v0.26.0 bump.
-	if env_var_is_defined "HEADSCALE_POLICY_V1" ; then
-		export HEADSCALE_POLICY_V1=1
-		log_warn "Using Headscale policy version 1. Please migrate and remove this variable."
-	fi
 }
 
 #######################################
 # Create our Headscale configuration file
 #######################################
 create_headscale_config() {
 	# Ensure all template variables are exported for envsubst
-	local template_vars=(
-		"ACME_EAB_BLOCK"
-		"CLOUDFLARE_ACME_BLOCK"
-		"SECURITY_HEADERS_BLOCK"
-		"PUBLIC_LISTEN_PORT"
-		"MAGIC_DNS"
-		"IPV6_PREFIX"
-		"IPV4_PREFIX"
-		"IP_ALLOCATION"
-		"HEADSCALE_EXTRA_RECORDS_PATH"
-	)
+    local template_vars=(
+        "ACME_EAB_BLOCK"
+        "CLOUDFLARE_ACME_BLOCK"
+        "SECURITY_HEADERS_BLOCK"
+        "PUBLIC_SERVER_URL"
+        "PUBLIC_LISTEN_PORT"
+        "HEADSCALE_DNS_BASE_DOMAIN"
+        "HEADSCALE_OVERRIDE_LOCAL_DNS"
+        "MAGIC_DNS"
+        "IPV6_PREFIX"
+        "IPV4_PREFIX"
+        "IP_ALLOCATION"
+        "HEADSCALE_EXTRA_RECORDS_PATH"
+    )
 	for var in "${template_vars[@]}"; do
 		export "${var}=${!var}"
 	done
@@ -393,6 +392,25 @@ check_config_files() {
 
 	check_caddy_environment_variables
 
+	# Ensure all template variables are exported for envsubst
+	local template_vars=(
+		"ACME_EAB_BLOCK"
+		"CLOUDFLARE_ACME_BLOCK"
+		"SECURITY_HEADERS_BLOCK"
+		"PUBLIC_SERVER_URL"
+		"PUBLIC_LISTEN_PORT"
+		"HEADSCALE_DNS_BASE_DOMAIN"
+		"HEADSCALE_OVERRIDE_LOCAL_DNS"
+		"MAGIC_DNS"
+		"IPV6_PREFIX"
+		"IPV4_PREFIX"
+		"IP_ALLOCATION"
+		"HEADSCALE_EXTRA_RECORDS_PATH"
+	)
+	for var in "${template_vars[@]}"; do
+		export "${var}=${!var}"
+	done
+
 	create_headscale_config
 
 	create_caddyfile

diff --git a/scripts/defaults.sh b/scripts/defaults.sh
@@ -8,6 +8,7 @@ headscale_ipv6_prefix_default="fd7a:115c:a1e0::/48"
 headscale_ipv4_prefix_default="100.64.0.0/10"
 headscale_ip_allocation_default="sequential"
 headscale_gomaxprocs_default=1
+headscale_override_local_dns_default="true"
 
 caddyfile_cleartext=/etc/caddy/Caddyfile-http
 caddyfile_https=/etc/caddy/Caddyfile-https

diff --git a/templates/headscale.template.yaml b/templates/headscale.template.yaml
@@ -85,6 +85,9 @@ derp:
     region_code: "headscale"
     region_name: "Headscale Embedded DERP"
 
+    # Only allow clients associated with this server access
+    verify_clients: true
+
     # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
     # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
     #
@@ -127,7 +130,7 @@ derp:
   auto_update_enabled: true
 
   # How often should we check for DERP updates?
-  update_frequency: 24h
+  update_frequency: 3h
 
 # Disables the automatic check for headscale updates on startup
 disable_check_updates: true
@@ -224,9 +227,11 @@ tls_cert_path: ""
 tls_key_path: ""
 
 log:
+  # Valid log levels: panic, fatal, error, warn, info, debug, trace
+  level: info
+
   # Output formatting for logs: text or json
   format: text
-  level: info
 
 ## Policy
 # headscale supports Tailscale's ACL policies.
@@ -272,9 +277,9 @@ dns:
   # `hostname.base_domain` (e.g., _myhost.example.com_).
   base_domain: $HEADSCALE_DNS_BASE_DOMAIN
 
-  # Whether to use the local DNS settings of a node (default) or override the
-  # local DNS settings and force the use of Headscale's DNS configuration.
-  override_local_dns: false
+  # Whether to use the local DNS settings of a node or override the local DNS
+  # settings (default) and force the use of Headscale's DNS configuration.
+  override_local_dns: $HEADSCALE_OVERRIDE_LOCAL_DNS
 
   # List of DNS servers to expose to clients.
   nameservers: