HEADSCALE_VERSION="0.28.0"
HEADSCALE_ARCH="amd64"
DOMAIN_URL="https://vpn.excloud.in"

wget --output-document=headscale.deb \
 "https://github.com/juanfont/headscale/releases/download/v${HEADSCALE_VERSION}/headscale_${HEADSCALE_VERSION}_linux_${HEADSCALE_ARCH}.deb"

apt install ./headscale.deb

systemctl enable --now headscale

PREAUTH_KEY=$(headscale preauthkeys create --tags tag:headscale-agent)

apt-get install caddy -y

mkdir -p /var/lib/headplane
chown -R $(whoami):$(whoami) /var/lib/headplane
mkdir -p /etc/headplane
touch /etc/headplane/config.yaml

wget https://go.dev/dl/go1.26.0.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.26.0.linux-amd64.tar.gz
echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
rm go1.26.0.linux-amd64.tar.gz


curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.40.4/install.sh | bash
\. "$HOME/.nvm/nvm.sh"
source ~/.bashrc
nvm install 24

git clone https://github.com/tale/headplane.git
cd headplane
COREPACK_ENABLE_DOWNLOAD_PROMPT=0 corepack enable pnpm
COREPACK_ENABLE_DOWNLOAD_PROMPT=0 corepack install
pnpm install
pnpm build

cat > "/etc/caddy/Caddyfile" <<EOF
# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.

${DOMAIN_URL} {
	# Set this path to your site's directory.
	# root * /usr/share/caddy

	# Enable the static file server.
	# file_server

	# Another common task is to set up a reverse proxy:
    reverse_proxy /admin* localhost:3000
	reverse_proxy / localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile'
EOF

cat > "/etc/headplane/config.yaml" <<EOF
# Configuration for the Headplane server and web application
server:
  # These are the default values, change them as needed
  host: "127.0.0.1"
  port: 3000

  # The base URL for Headplane. Please keep in mind that this will be required
  # for Headscale to properly function going forward AND it should not include
  # the dashboard prefix (/admin) portion.
  base_url: "${DOMAIN_URL}/admin"

  # The secret used to encode and decode web sessions (must be 32 characters)
  # You may also provide 'cookie_secret_path' instead to read a value from disk.
  # See https://headplane.net/configuration/#sensitive-values
  cookie_secret: "$(openssl rand -hex 16 | cut -c-32)"

  # Whether cookies should be marked as Secure
  # * Should be false if running without HTTPs
  # * Should be true if running behind a reverse proxy with HTTPs
  cookie_secure: true

  # The maximum age of the session cookie in seconds
  cookie_max_age: 86400 # 1 day in seconds

  # This is not required, but if you want to restrict the cookie
  # to a specific domain, set it here. Otherwise leave it commented out.
  # This may not work as expected if not using a reverse proxy.
  # cookie_domain: ""

  # The path to persist Headplane specific data. All data going forward
  # is stored in this directory, including the internal database and
  # any cache related files.
  #
  # Data formats prior to 0.6.1 will automatically be migrated.
  # PLEASE ensure this directory is mounted if running in Docker.
  data_path: "/var/lib/headplane"

  # The info secret is optional and allows access to certain debug endpoints
  # that may expose sensitive information about your Headplane instance.
  #
  # As of now, this protects the /api/info endpoint which exposes details about
  # the Headplane and Headscale versions in use. In the future, more endpoints
  # may be protected by this secret.
  #
  # If not set, these endpoints will be disabled.
  # info_secret: "<change_me_to_something_secure!>"

# Headscale specific settings to allow Headplane to talk
# to Headscale and access deep integration features
headscale:
  # The URL to your Headscale instance
  # (All API requests are routed through this URL)
  # (THIS IS NOT the gRPC endpoint, but the HTTP endpoint)
  #
  # IMPORTANT: If you are using TLS this MUST be set to 'https://'
  url: "http://127.0.0.1:8080"

  # If you use the TLS configuration in Headscale, and you are not using
  # Let's Encrypt for your certificate, pass in the path to the certificate.
  # (This has no effect if 'url' does not start with 'https://')
  # tls_cert_path: "/var/lib/headplane/tls.crt"

  # Optional, public URL if its different from the 'headscale.url'
  # This affects certain parts of the web UI which shows Headscale's URL
  public_url: "${DOMAIN_URL}"

  # Path to the Headscale configuration file
  # This is optional, but HIGHLY recommended for the best experience
  # If this is read only, Headplane will show your configuration settings
  # in the Web UI, but they cannot be changed.
  config_path: "/etc/headscale/config.yaml"

  # Whether the Headscale configuration should be strictly validated
  # when reading from 'config_path'. If true, Headplane will not interact
  # with Headscale if there are any issues with the configuration file.
  #
  # This is recommended to be true for production deployments to, however it
  # may not work if you are using a version of Headscale that has configuration
  # options unknown to Headplane.
  config_strict: true

  # If you are using 'dns.extra_records_path' in your Headscale
  # configuration, you need to set this to the path for Headplane
  # to be able to read the DNS records.
  #
  # Pass it in if using Docker and ensure that the file is both
  # readable and writable to the Headplane process.
  # When using this, Headplane will no longer need to automatically
  # restart Headscale for DNS record changes.
  # dns_records_path: "/var/lib/headscale/extra_records.json"

# Integration configurations for Headplane to interact with Headscale
integration:
  # The Headplane agent allows retrieving information about nodes
  # This allows the UI to display version, OS, and connectivity data
  # You will see the Headplane agent in your Tailnet as a node when
  # it connects.
  agent:
    enabled: true

    # To connect to your Tailnet, you need to generate a pre-auth key
    # This can be done via the web UI or through the 'headscale' CLI.
    pre_authkey: "${PREAUTH_KEY}"

    # Optionally change the name of the agent in the Tailnet.
    host_name: "headplane-agent"

    # Configure different caching settings. By default, the agent will store
    # caches in the path below for a maximum of 1 minute. If you want data
    # to update faster, reduce the TTL, but this will increase the frequency
    # of requests to Headscale.
    # cache_ttl: 60
    # cache_path: /var/lib/headplane/agent_cache.json

    # The work_dir represents where the agent will store its data to be able
    # to automatically reauthenticate with your Tailnet. It needs to be
    # writable by the user running the Headplane process.
    #
    # If using Docker, it is best to leave this as the default.
    # work_dir: "/var/lib/headplane/agent"

  # Only one of these should be enabled at a time or you will get errors
  # This does not include the agent integration (above), which can be enabled
  # at the same time as any of these and is recommended for the best experience.
  docker:
    enabled: false

    # By default we check for the presence of a container label (see the docs)
    # to determine the container to signal when changes are made to DNS settings.
    container_label: "me.tale.headplane.target=headscale"

    # HOWEVER, you can fallback to a container name if you desire, but this is
    # not recommended as its brittle and doesn't work with orchestrators that
    # automatically assign container names.
    #
    # If 'container_name' is set, it will override any label checks.
    # container_name: "headscale"

    # The path to the Docker socket (do not change this if you are unsure)
    # Docker socket paths must start with unix:// or tcp:// and at the moment
    # https connections are not supported.
    socket: "unix:///var/run/docker.sock"

  # Please refer to docs/integration/Kubernetes.md for more information
  # on how to configure the Kubernetes integration. There are requirements in
  # order to allow Headscale to be controlled by Headplane in a cluster.
  kubernetes:
    enabled: false
    # Validates the manifest for the Pod to ensure all of the criteria
    # are set correctly. Turn this off if you are having issues with
    # shareProcessNamespace not being validated correctly.
    validate_manifest: true
    # This should be the name of the Pod running Headscale and Headplane.
    # If this isn't static you should be using the Kubernetes Downward API
    # to set this value (refer to docs/Integrated-Mode.md for more info).
    pod_name: "headscale"

  # Proc is the "Native" integration that only works when Headscale and
  # Headplane are running outside of a container. There is no configuration,
  # but you need to ensure that the Headplane process can terminate the
  # Headscale process.
  #
  # (If they are both running under systemd as sudo, this will work).
  proc:
    enabled: false

# OIDC Configuration for simpler authentication
# (This is optional, but recommended for the best experience)
# oidc:
# Set to false to define OIDC config without enabling it.
# Useful for Helm charts or generating docs from config files.
# enabled: true

# The OIDC issuer URL
# issuer: "https://accounts.google.com"

# If you are using OIDC, you need to generate an API key
# that can be used to authenticate other sessions when signing in.
#
# This can be done with 'headscale apikeys create --expiration 999d'
# headscale_api_key: "<your-headscale-api-key>"

# If your OIDC provider does not support discovery (does not have the URL at
# '/.well-known/openid-configuration'), you need to manually set endpoints.
# This also works to override endpoints if you so desire or if your OIDC
# discovery is missing certain endpoints (ie GitHub).
# For some typical providers, see https://headplane.net/features/sso.
# authorization_endpoint: ""
# token_endpoint: ""
# userinfo_endpoint: ""

# The authentication method to use when communicating with the token endpoint.
# This is fully optional and Headplane will attempt to auto-detect the best
# method and fall back to 'client_secret_basic' if unsure.
# token_endpoint_auth_method: "client_secret_post"

# The client ID for the OIDC client
# For the best experience please ensure this is *identical* to the client_id
# you are using for Headscale. because
# client_id: "your-client-id"

# The client secret for the OIDC client
# You may also provide 'client_secret_path' instead to read a value from disk.
# See https://headplane.net/configuration/#sensitive-values
# client_secret: "<your-client-secret>"

# Whether to use PKCE when authenticating users. This is recommended as it
# adds an extra layer of security to the authentication process. Enabling this
# means your OIDC provider must support PKCE and it must be enabled on the
# client.
# use_pkce: true

# If you want to disable traditional login via Headscale API keys
# disable_api_key_login: false

# By default profile pictures are pulled from the OIDC provider when
# we go to fetch the userinfo endpoint. Optionally, this can be set to
# "oidc" or "gravatar" as of 0.6.1.
# profile_picture_source: "gravatar"

# The scopes to request when authenticating users. The default is below.
# scope: "openid email profile"

# Extra query parameters can be passed to the authorization endpoint
# by setting them here. This is useful for providers that require any kind
# of custom hinting.
# extra_params:
#   prompt: "select_account" # Example: force account selection on Google
EOF

NODE_PATH=$(nvm which current)
cat > "/etc/systemd/system/headplane.service" <<EOF
[Unit]
Description=Headplane Service
After=network.target # (or headscale.service if it runs via systemd)
Requires=network.target # (or headscale.service if it runs via systemd)
StartLimitIntervalSec=0

[Service]
Type=simple
WorkingDirectory=/home/ubuntu/headplane
ExecStart=${NODE_PATH} /home/ubuntu/headplane/build/server/index.js
Restart=on-failure
RestartSec=5s

# Uncomment and set if using a custom config path
# Environment=HEADPLANE_CONFIG_PATH=/var/lib/headplane/config.yaml

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable headplane
systemctl start headplane