operator/charts/apps/headscale/templates/config-map.yaml

apiVersion: v1
kind: ConfigMap
metadata:
  name: '{{ .Release.Name }}-config-template'
data:
  config.yaml.template: |
    server_url: ${PUBLIC_URL}
    listen_addr: 0.0.0.0:8080
    metrics_listen_addr: 0.0.0.0:9090
    grpc_listen_addr: 0.0.0.0:50443

    private_key_path: /var/lib/headscale/private_key # Path inside the container

    noise:
      private_key_path: /var/lib/headscale/noise_private_key # Path inside the container

    listen_routes: false 
    base_domain: "${PUBLIC_URL}" # For client routes and DNS push.

    derp:
      server:
        enabled: false
        region_id: 999
        region_code: "headscale"
        region_name: "Headscale Embedded DERP"
        stun_listen_addr: "0.0.0.0:3478"
        automatically_add_embedded_derp_region: true
      urls:
        - https://controlplane.tailscale.com/derpmap/default
      auto_update_enabled: true
      update_frequency: 24h

    oidc:
      enabled: true
      only_start_if_oidc_is_available: true
      issuer: "${OIDC_ISSUER_URL}"
      client_id: "${OIDC_CLIENT_ID}"
      client_secret: "${OIDC_CLIENT_SECRET}"
      scopes: ["openid", "profile", "email"]
      redirect_url: "${PUBLIC_URL}/oidc/callback"
      pkce:
        enabled: true
        method: S256


    # DNS configuration
    dns:
      magic_dns: false
      override_local_dns: true # Push Headscale's DNS settings to clients
      ttl: 60
      nameservers:
        global:
          - 1.1.1.1 # Cloudflare DNS
          #- 10.43.0.10 # Replace with your ClusterIP for kube-dns/CoreDNS
      # Domains to search for (e.g., for Kubernetes services)
      search_domains:
        - svc.cluster.local
        - cluster.local

    auto_create_users: true

    oidc_user_property: preferred_username # Or 'email' or 'sub'

    prefixes:
      v4: 10.20.20.0/24 # Example: A /24 subnet for your VPN clients

    database:
      type: sqlite
      sqlite:
        path: /var/lib/headscale/db.sqlite