docker-compose.yaml
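# Compose stack: Traefik terminates TLS (ACME TLS challenge) and routes the
# public hostname to headscale, with the headscale-console UI under /admin.
version: "3.9"  # legacy: obsolete top-level key, ignored by Docker Compose v2
name: headscale

networks:
  proxy:
    name: proxy  # Correlates with traefik's --providers.docker.network option
    driver: bridge

volumes:
  letsencrypt:
    name: traefik-letsencrypt
  headscale-data:
    name: headscale-data

services:
  traefik:
    # Falls back to the mutable `latest` tag when TRAEFIK_VERSION is unset.
    # Set it to a fixed release so upgrades are deliberate and reviewable.
    image: traefik:${TRAEFIK_VERSION:-latest}
    container_name: traefik
    restart: always
    command:
      # Enables the ping endpoint; no healthcheck in this file consumes it.
      - --ping=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      # Only containers labelled traefik.enable=true get a route.
      - --providers.docker.exposedbydefault=false
      - --providers.docker.network=proxy
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      # Plain HTTP is permanently redirected to the https entrypoint.
      - --entrypoints.http.http.redirections.entrypoint.to=https
      - --entrypoints.http.http.redirections.entrypoint.scheme=https
      - --entrypoints.http.http.redirections.entrypoint.permanent=true
      - --certificatesresolvers.letsencrypt.acme.tlschallenge=true  # Use ACME TLS challenge
      # acme.json holds the ACME account key and the issued certificates'
      # private keys; it lives in the traefik-letsencrypt volume.
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      # Optional, for self-signed certificates on upstream services. It turns
      # off certificate verification for every backend connection; trusting
      # the issuing CA via --serversTransport.rootCAs keeps verification on.
      # - --serversTransport.insecureSkipVerify=true
    volumes:
      # `:ro` makes only the bind mount read-only. It does not restrict Docker
      # API calls sent over the socket, so this container can still control
      # the Docker daemon. A filtering socket proxy that allows only read
      # endpoints narrows that access.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt:rw
    ports:
      # Listens on all IPv4 interfaces unless TRAEFIK_LISTEN_ADDR is set.
      # Quoted so the mappings are always read as strings.
      - "${TRAEFIK_LISTEN_ADDR:-0.0.0.0}:80:80/tcp"
      - "${TRAEFIK_LISTEN_ADDR:-0.0.0.0}:443:443/tcp"
    networks:
      - proxy

  headscale:
    # `:?required` makes Compose abort when HEADSCALE_VERSION is unset, so
    # this image is always an explicitly chosen version.
    image: headscale/headscale:${HEADSCALE_VERSION:?required}
    container_name: headscale
    restart: always
    command: serve
    volumes:
      - ./config.yaml:/etc/headscale/config.yaml:ro
      - headscale-data:/var/lib/headscale:rw
    # `expose` publishes nothing on the host. Only 8080 is routed through
    # Traefik (see the loadbalancer label below). Metrics and gRPC remain
    # reachable from other containers attached to the `proxy` network.
    expose:
      - "8080"  # Main server
      - "9090"  # Metrics
      - "50443"  # GRPC
    ports:
      # Published directly on all interfaces; this traffic bypasses Traefik.
      - "0.0.0.0:3478:3478/udp"  # stun
    networks:
      - proxy
    labels:
      # Values are quoted so they are always read as strings.
      traefik.enable: "true"
      traefik.http.routers.headscale.rule: 'Host(`${HEADSCALE_SERVER_HOSTNAME:?required}`)'
      traefik.http.routers.headscale.entrypoints: https
      traefik.http.routers.headscale.tls.certresolver: letsencrypt
      traefik.http.services.headscale.loadbalancer.server.port: "8080"
    depends_on:
      traefik:
        condition: service_started

  headscale-console:
    # Falls back to the mutable `latest` tag when HEADSCALE_CONSOLE_VERSION is
    # unset. Set it to a fixed release, as is already required for headscale.
    image: ghcr.io/rickli-cloud/headscale-console:${HEADSCALE_CONSOLE_VERSION:-latest}
    container_name: headscale-console
    restart: always
    command: serve
    expose:
      - "3000"
    networks:
      - proxy
    labels:
      traefik.enable: "true"
      # Serves the admin UI on the public hostname under /admin. No Traefik
      # middleware (authentication, IP allow-list) is attached in this file,
      # so access control is left to the console itself.
      # NOTE(review): confirm that is intended before exposing to the internet.
      traefik.http.routers.headscale-console.rule: 'Host(`${HEADSCALE_SERVER_HOSTNAME:?required}`) && PathPrefix(`/admin`)'
      traefik.http.routers.headscale-console.entrypoints: https
      traefik.http.routers.headscale-console.tls.certresolver: letsencrypt
      traefik.http.services.headscale-console.loadbalancer.server.port: "3000"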