
From: Yiannis Charalambous <yiannis128@hotmail.com>
Subject: Headscale Port Can't Run With Default TLS Config
To: ports@openbsd.org
Date: Thu, 27 Nov 2025 14:14:47 +0000

Hi,

I'm writing to ask for advice on configuring the "headscale" port
regarding the TLS part of the config.

For context, the headscale port runs under user "_headscale" and comes
with a mostly complete configuration. The developers on the GitHub
readme specify that they discourage the use of reverse proxies like
nginx and relayd, as headscale is meant to run completely on its own
(see
https://github.com/juanfont/headscale?tab=readme-ov-file#running-headscale).

Additionally, it's designed to administer its own certs. On OpenBSD,
ports lower than 1024 are only accessible by root processes, so
headscale running under user _headscale has a bit of an issue. What's
the recommended approach here? Would it be a good idea to make iptables
forward any incoming connection from port 80 to another port that
headscale has access to (i.e. 8081)?

-- 
Regards,
Yiannis Charalambous
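
As an added example that is not part of the message above and is not
headscale's own documentation: on OpenBSD the packet filter is pf rather
than iptables, so the redirect the question describes is a pf.conf
"rdr-to" rule. The interface group (egress), the unprivileged ports 8081
and 8443, and the addresses headscale binds are assumptions for
illustration, not values taken from the port.

```pf
# Added example for /etc/pf.conf; not from the message above or from
# headscale. Assumptions: the public interface is in the "egress" group,
# and headscale binds 127.0.0.1:8081 (plain HTTP, used for the ACME
# HTTP-01 challenge) and 127.0.0.1:8443 (HTTPS). Both ports are
# placeholders; the rest of pf.conf is left as it was.

# Redirect the two privileged ports to ports that _headscale can bind.
# "inet" restricts this to IPv4 because the target is 127.0.0.1; an
# IPv6 listener would need a matching pair of rules with rdr-to ::1.
pass in quick on egress inet proto tcp to (egress) port 80 \
    rdr-to 127.0.0.1 port 8081
pass in quick on egress inet proto tcp to (egress) port 443 \
    rdr-to 127.0.0.1 port 8443
```

Check the syntax with "pfctl -nf /etc/pf.conf", load it with
"pfctl -f /etc/pf.conf", and "pfctl -ss" will then show the redirected
states once a client connects. Because rdr-to rewrites the destination to
127.0.0.1, headscale has to listen on that address (or on all addresses)
for the scheme to work. On the headscale side the matching assumption is
that its TLS listener is set to 127.0.0.1:8443 and its HTTP-01 challenge
listener to :8081 (assumed key names listen_addr and
tls_letsencrypt_listen; check the port's config-example.yaml). The port
80 redirect is needed even if nothing else uses plain HTTP, since the
ACME server always sends the HTTP-01 validation request to port 80 of
the public hostname; server_url stays https://<hostname>, since clients
still connect to 443.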