Making it easy (for me) to deploy production-ready setup
It should be easier to deploy Headscale to Fly.io, without much configuration files.
This repository aims to provide that while still providing a good backup strategy and ensuring your Headscale configuration is persisted, using Litestream
- Fly's account and CLI installed
- An existing S3-compatible bucket (Eg. Digital Ocean, Scaleway, Exoscale)
- Access Key & Secret Key with access to the bucket
- A domain name to use
Give a unique name to your application, something memorable, or use a random
one generated by Fly's automatically (using --generate-name instead).
Remember to change FLY_APP with the app name you want to use:
$ flyctl apps create FLY_APPNow, we need to create a volume in Fly that will be used to store Headscale's configuration and database. This needs to be connected to the application created before:
$ flyctl volumes create --app FLY_APP --region REGION --size 1 FLY_VOLUMEReplace FLY_VOLUME with the name for the volume to be used by this
application (Eg. hs_data). Also replace REGION to one of Fly's regions
closer to your location (see possible values in flyctl platform regions)
With those in place, we can now set them as environment variables (FLY_APP
and FLY_VOLUME) and copy our Fly's application template:
$ FLY_APP=my-headscale-app FLY_VOLUME=hs_data envsubst < templates/fly.template.toml > fly.tomlRemember to replace above values with the real names you gave to the both the application and the volume.
This will generate a file named fly.toml that will be used in future steps.
Before we can setup a domain for our application, we need to allocate an IP address to it.
Let's allocate both IPv4 and IPv6:
$ flyctl ips allocate-v4
$ flyctl ips allocate-v6Use these IP addresses and update your DNS records to the domain or subdomain
that Headscale will use. For example, we can create A and AAAA
records for hs.example.com which will be pointing to this app.
Once DNS has been updated, you can request an SSL certificate be provisioned for the application:
$ flyctl certs add hs.example.comWith the domain name and the S3 configuration, you can copy the template
templates/secrets.template.env and enter the appropriate values:
$ cp templates/secrets.template.env secrets.envMake sure you update HEADSCALE_SERVER_URL and HEADSCALE_BASE_DOMAIN to
point to the Headscale server URL and the domain you want to use.
Do not forget to include the scheme (https) and the port (443) in the
server URL. Example:
HEADSCALE_SERVER_URL=https://hs.example.com:443/
HEADSCALE_BASE_DOMAIN=tn.example.com
Now, you need to enter your S3 credentials, bucket and endpoint, necessary for Litestream to work correctly.
Note that this setup requires an S3 storage and will not work without it. (Also, is not recommended deploy something without a proper backup strategy).
Refer to the documentation of each S3-compatible provider to populate all
the S3_* variables.
Once done, you can load those into your application:
$ flyctl secrets import < secrets.envWith all the settings in place, we are ready to deploy the application:
$ flyctl deployOnce app is deployed and green, you can create your first user by using the console:
$ flyctl ssh consoleFollow Headscale's own documentation (steps 8 and registration of each machine or preauth keys), example:
$ headscale users create homelabNow that Headscale is running, to have a 100% reproducible setup, we need to
ensure that private keys initialized by our installation are persisted, so
we need to capture the contents of /data/private.key and
/data/noise_private.key and place into secrets of our application.
Within the same Fly console from previous step, obtain the contents of these files:
$ cat /data/private.key
$ cat /data/noise_private.keyCopy those to your clipboard and terminate Fly's console.
Locally, use flyctl to set HEADSCALE_PRIVATE_KEY and
HEADSCALE_NOISE_PRIVATE_KEY with the values obtained before, respectively
$ flyctl secrets set HEADSCALE_PRIVATE_KEY=privkey:abc123... HEADSCALE_NOISE_PRIVATE_KEY=privkey:def456...Note that applying these two variables will cause your application to restart, but afterwards no other change will be necessary.