headscale config and caddy service

services/caddy/Caddyfile

@@ -0,0 +1,174 @@
+(forward_headers) {
+        header {
+                Permissions-Policy interest-cohort=()
+                Strict-Transport-Security "max-age=31536000; includeSubdomains"
+                X-XSS-Protection "1; mode=block"
+                X-Content-Type-Options "nosniff"
+                X-Robots-Tag noindex, nofollow
+                Referrer-Policy "same-origin"
+                Content-Security-Policy "frame-ancestors {$public_domain }} *.{$public_domain}"
+                -Server
+                Permissions-Policy "geolocation=(self {$public_domain }} *.{$public_domain}), microphone=()"
+        }
+}
+
+auth.{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+audiobookshelf.{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                        }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+gitea.{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+headscale.{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+
+immich.{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+ldap.{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+linkwarden.{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+mealie.{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+paperless.{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+radicale.{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+shlink.{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+stirling-pdf.{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+superset.{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+vaultwarden.{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                        }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+vikunja.{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}
+
+{$public_domain} {
+        reverse_proxy ${node_local_ip} {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+        tls {$email}
+        import forward_headers
+}

services/caddy/caddy.yml

@@ -0,0 +1,30 @@
+services:
+  caddy:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: caddy 
+    container_name: caddy 
+    volumes:
+      - ${SERVICE_PATH}/caddy/config:/etc/headscale
+      - ${SERVICE_PATH}/caddy/Caddyfile:/etc/caddy/Caddyfile
+      - ${SERVICE_PATH}/caddy/site:/srv
+      - ${SERVICE_PATH}/caddy/data:/data
+      - ${SERVICE_PATH}/caddy/config:/config
+      - ${SERVICE_PATH}/caddy/certs:/certs
+    ports:
+      - "80:80"
+      - "443:443"
+      - "443:443/udp"
+    environment:
+      email: ${EMAIL}
+      public_domain: ${PUBLIC_DOMAIN}
+      private_domain: ${LOCAL_DOMAIN}
+      node_local_ip: ${NODE_LOCAL_IP}
+    cap_add:
+      - NET_ADMIN
+    networks:
+      - ip4net
+    labels:
+      # Watchtower
+      - "com.centurylinklabs.watchtower.enable=true"

services/headscale/config/config.yaml

@@ -10,7 +10,7 @@
 #
 # https://myheadscale.example.com:443
 #
-server_url: http://127.0.0.1:8080
+server_url: http://0.0.0.0:8080
 
 # Address to listen to / bind to on the server
 #
@@ -77,7 +77,7 @@ derp:
   server:
     # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
     # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
-    enabled: false
+    enabled: true 
 
     # Region ID to use for the embedded DERP server.
     # The local DERP prevails if the region ID collides with other region ID coming from