Comments (8)

gtsatsis commented on July 24, 2024

You can use systemd (or any other init system) to serve as a background process (service). Here's an example systemd unit file:

[Unit]
Description=headscale
After=network.target

[Service]
User=headscale
Group=headscale
WorkingDirectory=/etc/headscale
ExecStart=/usr/bin/headscale serve
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
SecureBits=keep-caps
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target

This unit file assumes that you have a user and group named headscale, that your configs are in /etc/headscale (and that the user has permission to access them), and allows you to run it on privileged ports via CAP_NET_BIND_SERVICE (80, 443 as prime examples) [note that you might have to run sudo setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/headscale to actually let the binary also have that capability].

As for the debug mode, it actually says in the message: you can set the environment variable GIN_MODE to release, which you can also do in the systemd unit file by adding Environment=GIN_MODE=release under [Service]. ^-^

from headscale.

bharathmsd7 commented on July 24, 2024

Can you share how to run this systemd unit file?
And I am not sure whether I need to create a user and group named headscale. If yes, how should I do it?
I am new to Linux. Testing this on my Ubuntu 18.04 machine.


gtsatsis commented on July 24, 2024

Sure, but please do take some time to give the documentation a read for yourself, there's a lot more than what I can cover here, haha!

First, copy/move the headscale binary to somewhere like /usr/bin/, so it's in the default path. That'll make it much easier to control headscale, as you can run it from anywhere.

Proceed to creating a [system] user, setting its home directory to /etc/headscale, and denying it access to a shell with sudo useradd --system --home /etc/headscale --shell /bin/false headscale. We'll run headscale as this [low-privileged] user.

Now, ensure that the headscale binary is executable (sudo chmod +x /usr/bin/headscale), and that the headscale user & group can access /etc/headscale (sudo chown -R headscale:headscale /etc/headscale).

To set up the Systemd unit, go ahead and make a file in/called /etc/systemd/system/headscale.service, with the contents mentioned above. Run sudo systemctl daemon-reload to reload systemd's services, and let it know about headscale.service.

If your configs are not already in /etc/headscale, go ahead and move them there along with your WireGuard private key file and the derp.yaml file [if you're using SQLite, also move the database over]. Once done, all that's left to do is sudo systemctl enable --now headscale, which will enable the service to start on boot, as well as start it immediately (--now).

from headscale.
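A static check of the privilege settings in a unit like the one posted in this thread, as an added example that is not part of the original comments or the headscale project. The function names and both sample units are constructed here; it assumes each key is set once in [Service] and does not merge drop-ins.

```shell
#!/bin/sh
# Added example (not from the thread): audit a unit file's privilege settings.
# Assumption: each key is assigned once in [Service]; drop-ins are not merged.

# Print the value of KEY from the [Service] section of FILE (empty if unset).
unit_value() {
    awk -v key="$2" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }' "$1"
}

# Print one finding per line; print nothing when the unit passes every check.
audit_unit() {
    user=$(unit_value "$1" User)
    nnp=$(unit_value "$1" NoNewPrivileges)
    bound=$(unit_value "$1" CapabilityBoundingSet)
    ambient=$(unit_value "$1" AmbientCapabilities)
    case "$user" in ''|root|0) echo "User: service runs as root" ;; esac
    case "$nnp" in yes|true|on|1) ;; *) echo "NoNewPrivileges: not enabled" ;; esac
    if [ -z "$bound" ]; then
        echo "CapabilityBoundingSet: unset, so the bounding set is not restricted"
        return 0
    fi
    for cap in $bound; do
        [ "$cap" = CAP_NET_BIND_SERVICE ] ||
            echo "CapabilityBoundingSet: $cap is more than port binding needs"
    done
    for cap in $ambient; do
        case " $bound " in *" $cap "*) ;; *) echo "AmbientCapabilities: $cap is outside the bounding set" ;; esac
    done
}

# Constructed samples: the settings from the unit above, and a weakened variant.
tmp=$(mktemp -d)
cat > "$tmp/good.service" <<'EOF'
[Unit]
[Service]
User=headscale
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes
EOF
cat > "$tmp/weak.service" <<'EOF'
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SYS_ADMIN
EOF
audit_unit "$tmp/weak.service"
```

On a live host, point audit_unit at /etc/systemd/system/headscale.service after editing it and before running sudo systemctl daemon-reload.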

bharathmsd7 commented on July 24, 2024

Thanks for spending time on this @gtsatsis
It worked 🥳🥳🥳.


bharathmsd7 commented on July 24, 2024

Hi @gtsatsis

Trying to log in my peer using
sudo tailscale up -login-server YOUR_HEADSCALE_URL --authkey YOURAUTHKEY

It seems it isn't responding.
On the peer, checking the status of tailscale shows Logged out.
But in Headscale it shows the peer name when executing
headscale -n namespace nodes list


juanfont commented on July 24, 2024

@bharathmsd7 are you running headscale behind a proxy?


bharathmsd7 commented on July 24, 2024

Yep behind an Nginx proxy


juanfont commented on July 24, 2024

Then I am going to close this issue. We are tracking the issues with nginx here #56
