sunbeam-net/tests/config/headscale.yaml

# Headscale configuration for integration tests.
# Ephemeral SQLite, embedded DERP, no OIDC.

server_url: https://headscale:8443
listen_addr: 0.0.0.0:8443
metrics_listen_addr: 0.0.0.0:9090

# Self-signed cert covering localhost, 127.0.0.1, and the docker-network
# hostname `headscale`. Generated by tests/run.sh on first run; the
# integration tests connect with derp_tls_insecure: true so they don't
# need to trust this CA.
tls_cert_path: /etc/headscale/test-cert.pem
tls_key_path: /etc/headscale/test-key.pem

# Noise protocol (auto-generates key on first start)
noise:
  private_key_path: /var/lib/headscale/noise_private.key

# Ephemeral SQLite
database:
  type: sqlite
  sqlite:
    path: /tmp/headscale.db

ip_prefixes:
  - 100.64.0.0/10
  - fd7a:115c:a1e0::/48

# Embedded DERP relay — clients can relay through Headscale itself
derp:
  server:
    enabled: true
    region_id: 999
    region_code: test
    region_name: "Integration Test"
    stun_listen_addr: 0.0.0.0:3478
    private_key_path: /var/lib/headscale/derp_server_private.key
  urls: []
  auto_update_enabled: false

dns:
  magic_dns: false
  base_domain: test.sunbeam.internal

prefixes:
  v4: 100.64.0.0/10
  v6: fd7a:115c:a1e0::/48
  allocation: sequential

log:
  level: warn
test(net): add integration test harness against Headscale Spins up Headscale 0.23 (with embedded DERP) plus two Tailscale peers in docker compose, generates pre-auth keys, and runs three integration tests behind the `integration` feature: - test_register_and_receive_netmap: full TS2021 → register → first netmap fetch - test_proxy_listener_accepts: starts the daemon and waits for it to reach the Running state - test_daemon_lifecycle: full lifecycle including DERP connect, then clean shutdown via the DaemonHandle Run with `sunbeam-net/tests/run.sh` (handles compose up/down + auth key provisioning) or manually via cargo nextest with the env vars SUNBEAM_NET_TEST_AUTH_KEY and SUNBEAM_NET_TEST_COORD_URL set. 2026-04-07 13:42:46 +01:00			`# Headscale configuration for integration tests.`
			`# Ephemeral SQLite, embedded DERP, no OIDC.`

test(net): TLS-enabled docker stack and active e2e test The docker-compose stack now serves Headscale (and its embedded DERP) over TLS on port 8443 with a self-signed cert covering localhost, 127.0.0.1, and the docker-network hostname `headscale`. Tailscale peers trust the cert via SSL_CERT_FILE; our test daemon uses `derp_tls_insecure: true` (gated on the SUNBEAM_NET_TEST_DERP_INSECURE env var) since pinning a self-signed root in tests is more trouble than it's worth. With TLS DERP working, the previously-ignored `test_e2e_tcp_through_tunnel` test now passes: the daemon spawns, registers, completes a Noise handshake over TLS, opens a TLS DERP relay session, runs a real WireGuard handshake with peer-a (verified via boringtun ↔ tailscale interop), and TCP-tunnels an HTTP GET through smoltcp ↔ engine ↔ proxy ↔ test client. The 191-byte echo response round-trips and the test asserts on its body. - tests/config/headscale.yaml: tls_cert_path + tls_key_path, listen on 8443, server_url=https://headscale:8443 - tests/config/test-cert.pem + test-key.pem: 365-day self-signed RSA cert with SAN DNS:localhost, DNS:headscale, IP:127.0.0.1 - tests/docker-compose.yml: mount certs into headscale + both peers, set SSL_CERT_FILE on the peers, expose 8443 instead of 8080 - tests/run.sh: switch to https://localhost:8443, set SUNBEAM_NET_TEST_DERP_INSECURE=1 - tests/integration.rs: drop the #[ignore] on test_e2e_tcp_through_tunnel, read derp_tls_insecure from env in all four test configs 2026-04-07 15:29:03 +01:00			`server_url: https://headscale:8443`
			`listen_addr: 0.0.0.0:8443`
test(net): add integration test harness against Headscale Spins up Headscale 0.23 (with embedded DERP) plus two Tailscale peers in docker compose, generates pre-auth keys, and runs three integration tests behind the `integration` feature: - test_register_and_receive_netmap: full TS2021 → register → first netmap fetch - test_proxy_listener_accepts: starts the daemon and waits for it to reach the Running state - test_daemon_lifecycle: full lifecycle including DERP connect, then clean shutdown via the DaemonHandle Run with `sunbeam-net/tests/run.sh` (handles compose up/down + auth key provisioning) or manually via cargo nextest with the env vars SUNBEAM_NET_TEST_AUTH_KEY and SUNBEAM_NET_TEST_COORD_URL set. 2026-04-07 13:42:46 +01:00			`metrics_listen_addr: 0.0.0.0:9090`

test(net): TLS-enabled docker stack and active e2e test The docker-compose stack now serves Headscale (and its embedded DERP) over TLS on port 8443 with a self-signed cert covering localhost, 127.0.0.1, and the docker-network hostname `headscale`. Tailscale peers trust the cert via SSL_CERT_FILE; our test daemon uses `derp_tls_insecure: true` (gated on the SUNBEAM_NET_TEST_DERP_INSECURE env var) since pinning a self-signed root in tests is more trouble than it's worth. With TLS DERP working, the previously-ignored `test_e2e_tcp_through_tunnel` test now passes: the daemon spawns, registers, completes a Noise handshake over TLS, opens a TLS DERP relay session, runs a real WireGuard handshake with peer-a (verified via boringtun ↔ tailscale interop), and TCP-tunnels an HTTP GET through smoltcp ↔ engine ↔ proxy ↔ test client. The 191-byte echo response round-trips and the test asserts on its body. - tests/config/headscale.yaml: tls_cert_path + tls_key_path, listen on 8443, server_url=https://headscale:8443 - tests/config/test-cert.pem + test-key.pem: 365-day self-signed RSA cert with SAN DNS:localhost, DNS:headscale, IP:127.0.0.1 - tests/docker-compose.yml: mount certs into headscale + both peers, set SSL_CERT_FILE on the peers, expose 8443 instead of 8080 - tests/run.sh: switch to https://localhost:8443, set SUNBEAM_NET_TEST_DERP_INSECURE=1 - tests/integration.rs: drop the #[ignore] on test_e2e_tcp_through_tunnel, read derp_tls_insecure from env in all four test configs 2026-04-07 15:29:03 +01:00			`# Self-signed cert covering localhost, 127.0.0.1, and the docker-network`
			# hostname `headscale`. Generated by tests/run.sh on first run; the
			`# integration tests connect with derp_tls_insecure: true so they don't`
			`# need to trust this CA.`
			`tls_cert_path: /etc/headscale/test-cert.pem`
			`tls_key_path: /etc/headscale/test-key.pem`

test(net): add integration test harness against Headscale Spins up Headscale 0.23 (with embedded DERP) plus two Tailscale peers in docker compose, generates pre-auth keys, and runs three integration tests behind the `integration` feature: - test_register_and_receive_netmap: full TS2021 → register → first netmap fetch - test_proxy_listener_accepts: starts the daemon and waits for it to reach the Running state - test_daemon_lifecycle: full lifecycle including DERP connect, then clean shutdown via the DaemonHandle Run with `sunbeam-net/tests/run.sh` (handles compose up/down + auth key provisioning) or manually via cargo nextest with the env vars SUNBEAM_NET_TEST_AUTH_KEY and SUNBEAM_NET_TEST_COORD_URL set. 2026-04-07 13:42:46 +01:00			`# Noise protocol (auto-generates key on first start)`
			`noise:`
			`private_key_path: /var/lib/headscale/noise_private.key`

			`# Ephemeral SQLite`
			`database:`
			`type: sqlite`
			`sqlite:`
			`path: /tmp/headscale.db`

			`ip_prefixes:`
			`- 100.64.0.0/10`
			`- fd7a:115c:a1e0::/48`

			`# Embedded DERP relay — clients can relay through Headscale itself`
			`derp:`
			`server:`
			`enabled: true`
			`region_id: 999`
			`region_code: test`
			`region_name: "Integration Test"`
			`stun_listen_addr: 0.0.0.0:3478`
			`private_key_path: /var/lib/headscale/derp_server_private.key`
			`urls: []`
			`auto_update_enabled: false`

			`dns:`
			`magic_dns: false`
			`base_domain: test.sunbeam.internal`

			`prefixes:`
			`v4: 100.64.0.0/10`
			`v6: fd7a:115c:a1e0::/48`
			`allocation: sequential`

			`log:`
			`level: warn`