
Configuration Reference

ionscale uses the YAML file format for configuration. A full configuration reference file is shown below; it lists all available options, with comments.

# The HTTP(S) listen address to serve the control plane.
# NOTE(review): the value has no host part, which presumably binds on all
# interfaces; set an explicit host to restrict it. Confirm.
listen_addr: ":8080"

# The STUN listen address when using the embedded DERP.
stun_listen_addr: ":3478"

# The address to bind to for the metrics.
# Metrics are served on their own address, separate from the control plane.
# NOTE(review): whether this endpoint requires authentication is not stated
# here; if it does not, bind it to a loopback or internal address or
# restrict the port at the firewall. Confirm.
metrics_listen_addr: ":9091"

# The DNS name of the server HTTP(S) endpoint as accessible by clients and the CLI.
# This is the externally visible name and port, which can differ from
# listen_addr (443 here versus 8080 above).
public_addr: "ionscale.example.com:443"

# The DNS name of the STUN endpoint as accessible by clients.
stun_public_addr: "ionscale.example.com:3478"

# TLS settings for the HTTP(S) endpoint.
tls:
  # Disable TLS (not recommended)
  # Use this flag to disable TLS e.g. when running behind a reverse proxy
  # that terminates TLS itself. With TLS disabled the hop between the proxy
  # and ionscale is plaintext, so keep listen_addr reachable only from the
  # proxy.
  disable: false
  # Redirect HTTP requests to HTTPS requests
  force_https: true
  # The path to the certificate for TLS.
  # Required when TLS is enabled and ACME disabled
  cert_file: ""
  # The path to the private key for the certificate.
  # Required when TLS is enabled and ACME disabled
  # Keep this file readable only by the account that runs ionscale.
  key_file: ""
  # Enable automatic TLS certificates provisioning with Let's Encrypt
  acme: false
  # An email address, used when creating an ACME account and keeping you up-to-date regarding your certificates
  acme_email: ""
  # The URL to the ACME CA's directory.
  # The default shown is the Let's Encrypt production directory.
  acme_ca: "https://acme-v02.api.letsencrypt.org/directory"
  # Path to store certificates and metadata needed by ACME
  # NOTE(review): presumably this directory also holds the ACME account key
  # and certificate private keys; restrict its permissions and keep it on
  # persistent storage. Confirm.
  acme_path: "./data"

# Storage backend for ionscale state.
database:
  # Type of database to use, supported values are sqlite or postgres
  type: "sqlite"
  # The URL for connecting to the database
  # e.g.
  # url: "/data/ionscale.db?_pragma=busy_timeout(5000)&_pragma=journal_mode(WAL)"
  # url: "postgres://ionscale:ionscale@localhost/ionscale?sslmode=disable"
  # The postgres example embeds a sample username and password in the URL,
  # so a file holding a real URL must be kept private. sslmode=disable turns
  # off TLS on the database connection; that fits the localhost example, but
  # a remote database should use a verifying mode such as sslmode=verify-full.
  url: "./ionscale.db"

# DERP configuration: the embedded DERP server and external DERP map sources.
derp:
  # Settings of the embedded DERP server (its STUN address is configured by
  # stun_listen_addr and stun_public_addr).
  server:
    # NOTE(review): presumably true turns the embedded DERP server off; confirm.
    disabled:     false
    # Region id, code and display name under which the embedded DERP is
    # presented.
    region_id:    1000
    region_code:  "ionscale"
    region_name:  "ionscale Embedded DERP"
  # DERP map URLs; the single entry shown is the Tailscale-hosted default map.
  # NOTE(review): presumably the maps fetched from these URLs decide which
  # relays clients may use, so list only HTTPS sources you trust. Confirm.
  sources:
    - https://controlplane.tailscale.com/derpmap/default

keys:
  # A private, 32 bytes in hex, system admin key
  # (32 bytes is 64 hex characters)
  # Use this key with the CLI when configuring system-wide resources like tailnets
  # Whoever holds this key can configure system-wide resources, so treat it
  # as a secret: keep it out of version control and restrict read access to
  # this file.
  # A key can be generated by:
  # - ionscale genkey
  # - openssl rand -hex 32
  system_admin_key: ""

poll_net:
  # Period to send keep alive messages to the connected devices
  # Written as a duration string; the value shown is 60 seconds.
  keep_alive_interval: "60s"

# Optional authentication configuration
auth:
  # OIDC provider configuration
  provider:
    # OIDC issuer URL where ionscale can find the OpenID Provider Configuration Document
    issuer: ""
    # OIDC client ID and secret
    # client_secret is a credential: keep it out of version control and
    # restrict read access to this file.
    client_id: ""
    client_secret: ""
    # additional OIDC scopes used in the OIDC flow
    # NOTE(review): this is a single string, not a list; the separator for
    # several scopes is not stated here. Confirm.
    additional_scopes: ""
  # IAM policy to mark some authenticated users as System Admin
  # A user matching an entry below is marked System Admin, so keep these
  # lists as small as possible and review them when people change roles.
  system_admins:
    # A list of emails of users that are System Admin
    # NOTE(review): presumably compared with the email reported by the OIDC
    # provider; if the provider lets users set unverified emails, prefer
    # subs. Confirm.
    emails: []
    # A list of ID (sub OIDC claim) of users that are System Admin
    subs: []
    # A list of BEXPR filters to mark authenticated users as System Admin
    # Check that each filter matches only the intended users before
    # deploying it; an over-broad expression grants System Admin widely.
    filters: []

dns:
  # The base domain of the MagicDNS FQDN hostnames
  magic_dns_suffix: "ionscale.net"
  # A DNS provider for setting public TXT records
  # This is a requirement to enable Tailscale HTTPS certs.
  provider:
    # name of your provider, currently supported implementations:
    # - azure (https://github.com/libdns/azure)
    # - cloudflare (https://github.com/libdns/cloudflare)
    # - digitialocean (https://github.com/libdns/digitalocean)
    #   NOTE(review): "digitialocean" looks like a typo for "digitalocean",
    #   the spelling of the linked module; confirm the accepted value.
    # - googleclouddns (https://github.com/libdns/googleclouddns)
    # - route53 (https://github.com/libdns/route53)
    name: ""
    # DNS zone
    zone: ""
    # Provider specific configuration
    # NOTE(review): presumably this holds the provider's API credentials
    # (see the linked libdns module for its fields). Treat it as secret and,
    # where the provider allows, limit the credential to editing records in
    # the zone above. Confirm.
    config: {}

logging:
  # Output formatting for logs: text or json
  format: "text"
  # Log level; the accepted values are not listed here.
  # NOTE(review): verbose levels may record more request detail; check what
  # is logged before enabling them in production. Confirm.
  level: "info"
  # Path of a target log file, if omitted logs are written to stdout
  # When a file is used, restrict its permissions to the account that runs
  # ionscale and to log collectors.
  file: ""