143 lines
3.5 KiB
Markdown
143 lines
3.5 KiB
Markdown
```
|
||
https://github.com/juanfont/headscale/releases/download/v0.27.1/headscale_0.27.1_linux_amd64
|
||
https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml
|
||
mkdir /var/lib/headscale
|
||
chown -R headscale:headscale /var/lib/headscale/
|
||
touch /var/lib/headscale/db.sqlite
|
||
|
||
headscale_0.27.1_linux_amd64 /usr/local/bin/headscale
|
||
chmod +x /usr/local/bin/headscale
|
||
mkdir /etc/headscale/
|
||
cp config-example.yaml /etc/headscale/
|
||
|
||
```
|
||
```
|
||
修改配置文件,将 server_url 改为公网 IP 或域名。如果是国内服务器,域名必须要备案。我的域名无法备案,所以我就直接用公网 IP 了。
|
||
如果暂时用不到 DNS 功能,可以先将 magic_dns 设为 false。
|
||
server_url 设置为 http://<PUBLIC_ENDPOINT>:8080,将 <PUBLIC_ENDPOINT> 替换为公网 IP 或者域名。
|
||
建议打开随机端口,将 randomize_client_port 设为 true。
|
||
可自定义私有网段,也可同时开启 IPv4 和 IPv6:
|
||
|
||
ip_prefixes:
|
||
# - fd7a:115c:a1e0::/48
|
||
- 100.64.0.0/16
|
||
```
|
||
vim /etc/systemd/system/headscale.service
|
||
[Unit]
|
||
Description=headscale controller
|
||
After=syslog.target
|
||
After=network.target
|
||
|
||
[Service]
|
||
Type=simple
|
||
User=headscale
|
||
Group=headscale
|
||
ExecStart=/usr/local/bin/headscale serve
|
||
Restart=always
|
||
RestartSec=5
|
||
|
||
# Optional security enhancements
|
||
NoNewPrivileges=yes
|
||
PrivateTmp=yes
|
||
ProtectSystem=strict
|
||
ProtectHome=yes
|
||
ReadWritePaths=/var/lib/headscale /var/run/headscale
|
||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||
RuntimeDirectory=headscale
|
||
|
||
[Install]
|
||
WantedBy=multi-user.target
|
||
|
||
```
|
||
### 启动
|
||
```
|
||
systemctl daemon-reload
|
||
systemctl enable --now headscale
|
||
systemctl status headscale.service
|
||
```
|
||
|
||
|
||
#### 完整 egrep -v "#|^$" /etc/headscale/config.yaml
|
||
```
|
||
|
||
egrep -v "#|^$" /etc/headscale/config.yaml
|
||
---
|
||
server_url: http://47.106.140.17:8080
|
||
listen_addr: 0.0.0.0:8080
|
||
metrics_listen_addr: 127.0.0.1:9090
|
||
grpc_listen_addr: 0.0.0.0:50443
|
||
grpc_allow_insecure: false
|
||
noise:
|
||
private_key_path: /var/lib/headscale/noise_private.key
|
||
prefixes:
|
||
v4: 100.64.0.0/10
|
||
v6: fd7a:115c:a1e0::/48
|
||
allocation: sequential
|
||
derp:
|
||
server:
|
||
enabled: false
|
||
region_id: 999
|
||
region_code: "headscale"
|
||
region_name: "Headscale Embedded DERP"
|
||
verify_clients: true
|
||
stun_listen_addr: "0.0.0.0:3478"
|
||
private_key_path: /var/lib/headscale/derp_server_private.key
|
||
automatically_add_embedded_derp_region: true
|
||
ipv4: 198.51.100.1
|
||
ip_allocation: "sequential"
|
||
acl:
|
||
- action: "accept"
|
||
urls:
|
||
- https://controlplane.tailscale.com/derpmap/default
|
||
paths: []
|
||
auto_update_enabled: true
|
||
update_frequency: 3h
|
||
disable_check_updates: false
|
||
ephemeral_node_inactivity_timeout: 30m
|
||
database:
|
||
type: sqlite
|
||
debug: false
|
||
gorm:
|
||
prepare_stmt: true
|
||
parameterized_queries: true
|
||
skip_err_record_not_found: true
|
||
slow_threshold: 1000
|
||
sqlite:
|
||
path: /var/lib/headscale/db.sqlite
|
||
write_ahead_log: true
|
||
wal_autocheckpoint: 1000
|
||
acme_url: https://acme-v02.api.letsencrypt.org/directory
|
||
acme_email: ""
|
||
tls_letsencrypt_hostname: ""
|
||
tls_letsencrypt_cache_dir: /var/lib/headscale/cache
|
||
tls_letsencrypt_challenge_type: HTTP-01
|
||
tls_letsencrypt_listen: ":http"
|
||
tls_cert_path: ""
|
||
tls_key_path: ""
|
||
log:
|
||
level: info
|
||
format: text
|
||
policy:
|
||
mode: file
|
||
path: ""
|
||
dns:
|
||
magic_dns: false
|
||
base_domain: rapha.top
|
||
override_local_dns: true
|
||
nameservers:
|
||
global:
|
||
- 114.114.114.114
|
||
- 233.5.5.5
|
||
- 1.1.1.1
|
||
- 8.8.8.8
|
||
split:
|
||
{}
|
||
search_domains: []
|
||
extra_records: []
|
||
unix_socket: /var/run/headscale/headscale.sock
|
||
unix_socket_permission: "0770"
|
||
logtail:
|
||
enabled: false
|
||
randomize_client_port: false
|
||
|
||
``` |