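---
# Compose stack: headscale control server, its web UI, a DERP relay and a
# tailscaled node on the host. Fixes versus the previous revision: the
# tailscale auth key is no longer committed in this file, the DERP
# certificate/key mounts are read-only, and the duplicate /dev/net/tun
# bind mount (already provided via `devices`) is dropped.
version: '3.5'

services:
  headscale:
    image: headscale/headscale:v0.23-debug
    container_name: headscale
    volumes:
      - ./config:/etc/headscale  # headscale configuration directory
      - ./data:/var/lib/headscale  # data storage directory
      - ./run:/var/run/headscale
      - ./logs:/var/log/headscale
    network_mode: bridge
    ports:
      - "127.0.0.1:8081:8080"  # API port published on loopback only
    restart: unless-stopped
    command: serve  # start the headscale server

  headscale-ui:
    image: ghcr.io/gurucomputing/headscale-ui:latest
    container_name: headscale-ui
    volumes:
      - ./ui-config:/etc/headscale  # separate config directory for the UI
    network_mode: bridge
    ports:
      - "127.0.0.1:8080:8080"  # UI port published on loopback only
    restart: unless-stopped
    environment:
      - HTTP_PORT=8080
      # 8443 is set but not published above, so only the plain HTTP port
      # is reachable from the host loopback.
      - HTTPS_PORT=8443

  derper:
    image: fredliang/derper
    container_name: derper
    network_mode: bridge
    volumes:
      # The relay only reads the certificate and key; mount them read-only.
      - /etc/nginx/ssl/wildcard.jmsu.top/fullchain.pem:/app/certs/headscale.jmsu.top.crt:ro
      - /etc/nginx/ssl/wildcard.jmsu.top/private.key:/app/certs/headscale.jmsu.top.key:ro
      # Shared with tailscaled below so the relay can consult the local
      # tailscaled when DERP_VERIFY_CLIENTS is enabled.
      - shared-tailscale:/var/run/tailscale
    ports:
      - "3477:3477"  # DERP relay port
      - "3478:3478/udp"  # STUN port
    restart: always
    environment:
      - DERP_CERT_MODE=manual  # certificates are supplied via the mounts above
      - DERP_ADDR=:3477
      - DERP_VERIFY_CLIENTS=true  # only nodes known to the tailnet may relay
      - DERP_VERIFY_CLIENT_URL=https://headscale.jmsu.top  # client verification URL
      - DERP_DOMAIN=headscale.jmsu.top

  tailscaled:
    container_name: tailscaled
    image: tailscale/tailscale:unstable-v1.77.41
    network_mode: host  # uses the host network stack directly
    # privileged already grants every capability and device node, which makes
    # the cap_add/devices entries below redundant. They are kept so the
    # service keeps working if privileged is later removed; confirm on this
    # host that net_admin + sys_module + /dev/net/tun suffice before dropping it.
    privileged: true
    restart: always
    cap_add:
      - net_admin
      - sys_module
    devices:
      - /dev/net/tun:/dev/net/tun  # TUN device, required because TS_USERSPACE=false
    volumes:
      - ./lib/:/var/lib/tailscale  # state directory (see TS_STATE_DIR)
      - shared-tailscale:/var/run/tailscale  # shared runtime directory, see derper
      - /var/run/dbus:/var/run/dbus
    environment:
      # The auth key is a credential and must not live in this file. Supply it
      # through the shell environment or a git-ignored .env file; compose
      # refuses to start the service when it is unset. Any key that was
      # committed here earlier should be treated as exposed and revoked.
      - TS_AUTHKEY=${TS_AUTHKEY:?set TS_AUTHKEY in .env or the environment}
      - TS_STATE_DIR=/var/lib/tailscale  # state path inside the container
      - TS_USERSPACE=false  # use the kernel TUN device rather than userspace networking
      - TS_EXTRA_ARGS=--login-server=https://headscale.jmsu.top  # headscale login server

volumes:
  shared-tailscale:
    driver: local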