feat:添加headscale到列表

2025-07-13 21:02:18 +08:00 · 2023-12-13 23:05:14 +08:00 · 2023-12-13 23:05:14 +08:00 · b4f16b898a
commit b4f16b898a
parent e4c1ca574d
9 changed files with 628 additions and 0 deletions
--- a/apps/headscale/0.23.0-alpha2/.env.sample
+++ b/apps/headscale/0.23.0-alpha2/.env.sample
@ -0,0 +1,3 @@
 CONTAINER_NAME="headscale"
 PANEL_APP_PORT_HTTP="40183"
 SUBNET="172.18.0.241"
--- a/apps/headscale/0.23.0-alpha2/data.yml
+++ b/apps/headscale/0.23.0-alpha2/data.yml
@ -0,0 +1,17 @@
 additionalProperties:
    formFields:
        - default: 40183
          edit: true
          envKey: PANEL_APP_PORT_HTTP
          labelEn: Port (Corresponding to internal 8080)
          labelZh: 端口 (对应内部 8080)
          required: true
          rule: paramPort
          type: number
        - default: 172.18.0.241
          edit: true
          envKey: SUBNET
          labelEn: 1panel-network Subnet IP (View the docker network to obtain the CIDR block)
          labelZh: 1panel-network 子网 IP (查看docker网络获取网段)
          required: true
          type: text
--- a/apps/headscale/0.23.0-alpha2/data/config/config.yaml
+++ b/apps/headscale/0.23.0-alpha2/data/config/config.yaml
@ -0,0 +1,328 @@
 ---
 # headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
 #
 # - `/etc/headscale`
 # - `~/.headscale`
 # - current working directory
 # The url clients will connect to.
 # Typically this will be a domain like:
 #
 # https://myheadscale.example.com:443
 #
 server_url: https://myheadscale.example.com:443
 # Address to listen to / bind to on the server
 #
 # For production:
 # listen_addr: 0.0.0.0:8080
 listen_addr: 0.0.0.0:8080
 # Address to listen to /metrics, you may want
 # to keep this endpoint private to your internal
 # network
 #
 metrics_listen_addr: 0.0.0.0:9090
 # Address to listen for gRPC.
 # gRPC is used for controlling a headscale server
 # remotely with the CLI
 # Note: Remote access _only_ works if you have
 # valid certificates.
 #
 # For production:
 # grpc_listen_addr: 0.0.0.0:50443
 grpc_listen_addr: 0.0.0.0:50443
 # Allow the gRPC admin interface to run in INSECURE
 # mode. This is not recommended as the traffic will
 # be unencrypted. Only enable if you know what you
 # are doing.
 grpc_allow_insecure: false
 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol
 noise:
  # The Noise private key is used to encrypt the
  # traffic between headscale and Tailscale clients when
  # using the new Noise-based protocol.
  private_key_path: /var/lib/headscale/noise_private.key
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
 # and the associated prefix length, delimited by a slash.
 # It must be within IP ranges supported by the Tailscale
 # client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
 # See below:
 # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
 # Any other range is NOT supported, and it will cause unexpected issues.
 ip_prefixes:
  - fd7a:115c:a1e0::/48
  - 100.64.0.0/10
 # DERP is a relay system that Tailscale uses when a direct
 # connection cannot be established.
 # https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
 #
 # headscale needs a list of DERP servers that can be presented
 # to the clients.
 derp:
  server:
    # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
    # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
    enabled: false
    # Region ID to use for the embedded DERP server.
    # The local DERP prevails if the region ID collides with other region ID coming from
    # the regular DERP config.
    region_id: 999
    # Region code and name are displayed in the Tailscale UI to identify a DERP region
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"
    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
    #
    # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
    stun_listen_addr: "0.0.0.0:3478"
    # Private key used to encrypt the traffic between headscale DERP
    # and Tailscale clients.
    # The private key file will be autogenerated if it's missing.
    #
    private_key_path: /var/lib/headscale/derp_server_private.key
  # List of externally available DERP maps encoded in JSON
  urls:
    - https://controlplane.tailscale.com/derpmap/default
  # Locally available DERP map files encoded in YAML
  #
  # This option is mostly interesting for people hosting
  # their own DERP servers:
  # https://tailscale.com/kb/1118/custom-derp-servers/
  #
  # paths:
  #   - /etc/headscale/derp-example.yaml
  paths: []
  #paths:
  #  - /etc/headscale/derp.yaml
  # If enabled, a worker will be set up to periodically
  # refresh the given sources and update the derpmap
  # will be set up.
  auto_update_enabled: true
  # How often should we check for DERP updates?
  update_frequency: 24h
 # Disables the automatic check for headscale updates on startup
 disable_check_updates: true
 # Time before an inactive ephemeral node is deleted?
 ephemeral_node_inactivity_timeout: 30m
 # Period to check for node updates within the tailnet. A value too low will severely affect
 # CPU consumption of Headscale. A value too high (over 60s) will cause problems
 # for the nodes, as they won't get updates or keep alive messages frequently enough.
 # In case of doubts, do not touch the default 10s.
 node_update_check_interval: 10s
 # SQLite config
 db_type: sqlite3
 # For production:
 db_path: /var/lib/headscale/db.sqlite
 # # Postgres config
 # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
 # db_type: postgres
 # db_host: localhost
 # db_port: 5432
 # db_name: headscale
 # db_user: foo
 # db_pass: bar
 # If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
 # in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
 # db_ssl: false
 ### TLS configuration
 #
 ## Let's encrypt / ACME
 #
 # headscale supports automatically requesting and setting up
 # TLS for a domain with Let's Encrypt.
 #
 # URL to ACME directory
 acme_url: https://acme-v02.api.letsencrypt.org/directory
 # Email to register with ACME provider
 acme_email: ""
 # Domain name to request a TLS certificate for:
 tls_letsencrypt_hostname: ""
 # Path to store certificates and metadata needed by
 # letsencrypt
 # For production:
 tls_letsencrypt_cache_dir: /var/lib/headscale/cache
 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
 # See [docs/tls.md](docs/tls.md) for more information
 tls_letsencrypt_challenge_type: HTTP-01
 # When HTTP-01 challenge is chosen, letsencrypt must set up a
 # verification endpoint, and it will be listening on:
 # :http = port 80
 tls_letsencrypt_listen: ":http"
 ## Use already defined certificates:
 tls_cert_path: ""
 tls_key_path: ""
 log:
  # Output formatting for logs: text or json
  format: text
  level: info
 # Path to a file containg ACL policies.
 # ACLs can be defined as YAML or HUJSON.
 # https://tailscale.com/kb/1018/acls/
 acl_policy_path: ""
 ## DNS
 #
 # headscale supports Tailscale's DNS configuration and MagicDNS.
 # Please have a look to their KB to better understand the concepts:
 #
 # - https://tailscale.com/kb/1054/dns/
 # - https://tailscale.com/kb/1081/magicdns/
 # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
 #
 dns_config:
  # Whether to prefer using Headscale provided DNS or use local.
  override_local_dns: false
  # List of DNS servers to expose to clients.
  nameservers:
    - 223.5.5.5
    - 1.1.1.1
  # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
  # "abc123" is example NextDNS ID, replace with yours.
  #
  # With metadata sharing:
  # nameservers:
  #   - https://dns.nextdns.io/abc123
  #
  # Without metadata sharing:
  # nameservers:
  #   - 2a07:a8c0::ab:c123
  #   - 2a07:a8c1::ab:c123
  # Split DNS (see https://tailscale.com/kb/1054/dns/),
  # list of search domains and the DNS to query for each one.
  #
  # restricted_nameservers:
  #   foo.bar.com:
  #     - 1.1.1.1
  #   darp.headscale.net:
  #     - 1.1.1.1
  #     - 8.8.8.8
  # Search domains to inject.
  domains: []
  # Extra DNS records
  # so far only A-records are supported (on the tailscale side)
  # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
  # extra_records:
  #   - name: "grafana.myvpn.example.com"
  #     type: "A"
  #     value: "100.64.0.3"
  #
  #   # you can also put it in one line
  #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
  # Only works if there is at least a nameserver defined.
  magic_dns: true
  # Defines the base domain to create the hostnames for MagicDNS.
  # `base_domain` must be a FQDNs, without the trailing dot.
  # The FQDN of the hosts will be
  # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
  base_domain: example.com
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
 unix_socket: /var/run/headscale/headscale.sock
 unix_socket_permission: "0770"
 #
 # headscale supports experimental OpenID connect support,
 # it is still being tested and might have some bugs, please
 # help us test it.
 # OpenID Connect
 # oidc:
 #   only_start_if_oidc_is_available: true
 #   issuer: "https://your-oidc.issuer.com/path"
 #   client_id: "your-oidc-client-id"
 #   client_secret: "your-oidc-client-secret"
 #   # Alternatively, set `client_secret_path` to read the secret from the file.
 #   # It resolves environment variables, making integration to systemd's
 #   # `LoadCredential` straightforward:
 #   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
 #   # client_secret and client_secret_path are mutually exclusive.
 #
 #   # The amount of time from a node is authenticated with OpenID until it
 #   # expires and needs to reauthenticate.
 #   # Setting the value to "0" will mean no expiry.
 #   expiry: 180d
 #
 #   # Use the expiry from the token received from OpenID when the user logged
 #   # in, this will typically lead to frequent need to reauthenticate and should
 #   # only been enabled if you know what you are doing.
 #   # Note: enabling this will cause `oidc.expiry` to be ignored.
 #   use_expiry_from_token: false
 #
 #   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
 #   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
 #
 #   scope: ["openid", "profile", "email", "custom"]
 #   extra_params:
 #     domain_hint: example.com
 #
 #   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
 #   # authentication request will be rejected.
 #
 #   allowed_domains:
 #     - example.com
 #   # Note: Groups from keycloak have a leading '/'
 #   allowed_groups:
 #     - /headscale
 #   allowed_users:
 #     - alice@example.com
 #
 #   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
 #   # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
 #   # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
 #   user: `first-name.last-name.example.com`
 #
 #   strip_email_domain: true
 # Logtail configuration
 # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
 # to instruct tailscale nodes to log their activity to a remote server.
 logtail:
  # Enable logtail for this headscales clients.
  # As there is currently no support for overriding the log server in headscale, this is
  # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
  enabled: false
 # Enabling this option makes devices prefer a random port for WireGuard traffic over the
 # default static port 41641. This option is intended as a workaround for some buggy
 # firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
 randomize_client_port: true
--- a/apps/headscale/0.23.0-alpha2/data/config/derp.yaml
+++ b/apps/headscale/0.23.0-alpha2/data/config/derp.yaml
@ -0,0 +1,33 @@
 # /etc/headscale/derp.yaml
 regions:
  900:
    regionid: 900
    regioncode: thk
    regionname: Tencent Hongkong
    nodes:
      - name: 900a
        regionid: 900
        hostname: xxxx
        ipv4: xxxx #非必须
        stunport: 3478
        stunonly: false
        derpport: 40184
      - name: 900b
        regionid: 900
        hostname: xxxx
        ipv4: xxxx
        stunport: 3478
        stunonly: false
        derpport: 12345
  901:
    regionid: 901
    regioncode: tsh
    regionname: Tencent Shanghai
    nodes:
      - name: 901a
        regionid: 901
        hostname: xxxx
        ipv4: xxxx
        stunport: 3478
        stunonly: false
        derpport: 40184
--- a/apps/headscale/0.23.0-alpha2/data/data/db.sqlite
+++ b/apps/headscale/0.23.0-alpha2/data/data/db.sqlite
--- a/apps/headscale/0.23.0-alpha2/docker-compose.yml
+++ b/apps/headscale/0.23.0-alpha2/docker-compose.yml
@ -0,0 +1,28 @@
 version: '3'
 services:
  headscale:
    container_name: ${CONTAINER_NAME}
    restart: always
    networks:
      1panel-network:
        ipv4_address: ${SUBNET}
    ports:
      - "${PANEL_APP_PORT_HTTP}:8080"
    volumes:
      - "./data/config:/etc/headscale"
      - "./data/data:/var/lib/headscale"
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv6.conf.all.forwarding=1
    command: ['headscale', 'serve']
    image: headscale/headscale:0.23.0-alpha2
    labels:  
      createdBy: "Apps"
 networks:  
  1panel-network:  
    external: true
--- a/apps/headscale/README.md
+++ b/apps/headscale/README.md
@ -0,0 +1,199 @@
 # 使用说明
 ## 宿主机可通过以下命令创建、获取所需
 - 容器名按需修改
 ```shell
 # 创建名为 "username" 的用户
 docker exec -it headscale headscale users create username
 # 创建一个有效期为 10000 天的 API 密钥
 docker exec -it headscale headscale apikeys create -e 10000d
 # 创建一个有效期为 10000 天、可重复使用的预授权密钥，并关联到特定的用户名 "username"
 docker exec -it headscale headscale preauthkeys create -e 10000d --reusable -u username
 ```
 ## 1Panel 容器管理页面连接容器终端
 ```shell
 # 创建名为 "username" 的用户
 headscale users create username
 # 创建一个有效期为 10000 天的 API 密钥
 headscale apikeys create -e 10000d
 # 创建一个有效期为 10000 天、可重复使用的预授权密钥，并关联到特定的用户名 "username"
 headscale preauthkeys create -e 10000d --reusable -u username
 ```
 # 原始相关
 ***
 ![ci](https://github.com/juanfont/headscale/actions/workflows/test.yml/badge.svg)
 An open source, self-hosted implementation of the Tailscale control server.
 Join our [Discord](https://discord.gg/c84AZQhmpx) server for a chat.
 **Note:** Always select the same GitHub tag as the released version you use
 to ensure you have the correct example configuration and documentation.
 The `main` branch might contain unreleased changes.
 ## What is Tailscale
 Tailscale is [a modern VPN](https://tailscale.com/) built on top of
 [Wireguard](https://www.wireguard.com/).
 It [works like an overlay network](https://tailscale.com/blog/how-tailscale-works/)
 between the computers of your networks - using
 [NAT traversal](https://tailscale.com/blog/how-nat-traversal-works/).
 Everything in Tailscale is Open Source, except the GUI clients for proprietary OS
 (Windows and macOS/iOS), and the control server.
 The control server works as an exchange point of Wireguard public keys for the
 nodes in the Tailscale network. It assigns the IP addresses of the clients,
 creates the boundaries between each user, enables sharing machines between users,
 and exposes the advertised routes of your nodes.
 A [Tailscale network (tailnet)](https://tailscale.com/kb/1136/tailnet/) is private
 network which Tailscale assigns to a user in terms of private users or an
 organisation.
 ## Design goal
 Headscale aims to implement a self-hosted, open source alternative to the Tailscale
 control server.
 Headscale's goal is to provide self-hosters and hobbyists with an open-source
 server they can use for their projects and labs.
 It implements a narrow scope, a single Tailnet, suitable for a personal use, or a small
 open-source organisation.
 ## Supporting Headscale
 If you like `headscale` and find it useful, there is a sponsorship and donation
 buttons available in the repo.
 ## Features
 - Full "base" support of Tailscale's features
 - Configurable DNS
  - [Split DNS](https://tailscale.com/kb/1054/dns/#using-dns-settings-in-the-admin-console)
 - Node registration
  - Single-Sign-On (via Open ID Connect)
  - Pre authenticated key
 - Taildrop (File Sharing)
 - [Access control lists](https://tailscale.com/kb/1018/acls/)
 - [MagicDNS](https://tailscale.com/kb/1081/magicdns)
 - Support for multiple IP ranges in the tailnet
 - Dual stack (IPv4 and IPv6)
 - Routing advertising (including exit nodes)
 - Ephemeral nodes
 - Embedded [DERP server](https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp)
 ## Client OS support
 | OS      | Supports headscale                                        |
 | ------- | --------------------------------------------------------- |
 | Linux   | Yes                                                       |
 | OpenBSD | Yes                                                       |
 | FreeBSD | Yes                                                       |
 | macOS   | Yes (see `/apple` on your headscale for more information) |
 | Windows | Yes [docs](./docs/windows-client.md)                      |
 | Android | Yes [docs](./docs/android-client.md)                      |
 | iOS     | Yes [docs](./docs/iOS-client.md)                          |
 ## Running headscale
 **Please note that we do not support nor encourage the use of reverse proxies
 and container to run Headscale.**
 Please have a look at the [`documentation`](https://headscale.net/).
 ## Talks
 - Fosdem 2023 (video): [Headscale: How we are using integration testing to reimplement Tailscale](https://fosdem.org/2023/schedule/event/goheadscale/)
  - presented by Juan Font Alonso and Kristoffer Dalby
 ## Disclaimer
 1. This project is not associated with Tailscale Inc.
 2. The purpose of Headscale is maintaining a working, self-hosted Tailscale control panel.
 ## Contributing
 Headscale is "Open Source, acknowledged contribution", this means that any
 contribution will have to be discussed with the Maintainers before being submitted.
 This model has been chosen to reduce the risk of burnout by limiting the
 maintenance overhead of reviewing and validating third-party code.
 Headscale is open to code contributions for bug fixes without discussion.
 If you find mistakes in the documentation, please submit a fix to the documentation.
 ### Requirements
 To contribute to headscale you would need the lastest version of [Go](https://golang.org)
 and [Buf](https://buf.build)(Protobuf generator).
 We recommend using [Nix](https://nixos.org/) to setup a development environment. This can
 be done with `nix develop`, which will install the tools and give you a shell.
 This guarantees that you will have the same dev env as `headscale` maintainers.
 ### Code style
 To ensure we have some consistency with a growing number of contributions,
 this project has adopted linting and style/formatting rules:
 The **Go** code is linted with [`golangci-lint`](https://golangci-lint.run) and
 formatted with [`golines`](https://github.com/segmentio/golines) (width 88) and
 [`gofumpt`](https://github.com/mvdan/gofumpt).
 Please configure your editor to run the tools while developing and make sure to
 run `make lint` and `make fmt` before committing any code.
 The **Proto** code is linted with [`buf`](https://docs.buf.build/lint/overview) and
 formatted with [`clang-format`](https://clang.llvm.org/docs/ClangFormat.html).
 The **rest** (Markdown, YAML, etc) is formatted with [`prettier`](https://prettier.io).
 Check out the `.golangci.yaml` and `Makefile` to see the specific configuration.
 ### Install development tools
 - Go
 - Buf
 - Protobuf tools
 Install and activate:
 ```shell
 nix develop
 ```
 ### Testing and building
 Some parts of the project require the generation of Go code from Protobuf
 (if changes are made in `proto/`) and it must be (re-)generated with:
 ```shell
 make generate
 ```
 **Note**: Please check in changes from `gen/` in a separate commit to make it easier to review.
 To run the tests:
 ```shell
 make test
 ```
 To build the program:
 ```shell
 nix build
 ```
 or
 ```shell
 make build
 ```
--- a/apps/headscale/data.yml
+++ b/apps/headscale/data.yml
@ -0,0 +1,20 @@
 name: Headscale
 tags:
    - 工具
 title: Tailscale 控制服务器的开源自托管实现
 type: 工具
 description: Tailscale 控制服务器的开源自托管实现
 additionalProperties:
    key: headscale
    name: Headscale
    tags:
        - Tool
    shortDescZh: Tailscale 控制服务器的开源自托管实现
    shortDescEn: An open source, self-hosted implementation of the Tailscale control server
    type: tool
    crossVersionUpdate: true
    limit: 0
    recommend: 0
    website: https://headscale.net
    github: https://github.com/juanfont/headscale
    document: https://headscale.net
--- a/apps/headscale/logo.png
+++ b/apps/headscale/logo.png