feat: Update Headscale template to v0.28.0

[uyloal]

Summary

This PR updates the Headscale template from version 0.24.1 to 0.28.0, syncing the configuration with the official v0.28.0 release.

Changes

Version Updates

• Headscale: 0.24.1-debug → 0.28.0-debug
• Headplane: 0.3.9 → 0.6.2

Configuration Fixes

• Fixed hardcoded server_url: Changed from hardcoded https://headscale-rewcdzwp.clawcloudhzh.site to dynamic variable https://headscale-${{ defaults.app_suffix }}.${{ CLAWCLOUD_CLOUD_DOMAIN }}

New Configuration Options (from v0.28.0)

Database

• Added database.debug - Enable debug mode for database operations
• Added database.gorm section with:
  • prepare_stmt - Enable prepared statements
  • parameterized_queries - Enable parameterized queries
  • skip_err_record_not_found - Skip logging "record not found" errors
  • slow_threshold - Threshold for slow queries (milliseconds)
• Added database.sqlite.wal_autocheckpoint - WAL automatic checkpoint configuration

DERP Server

• Added derp.server.verify_clients - Only allow clients associated with this server

DNS

• Added dns.override_local_dns - Override local DNS settings

OIDC

• Added oidc.email_verified_required - Require verified email addresses
• Added oidc.pkce section for PKCE (Proof Key for Code Exchange) configuration:
  • enabled - Enable/disable PKCE
  • method - PKCE method (plain or S256)

Features

• Added taildrop configuration for file sharing (enabled by default)
• Added tuning section (commented) for advanced performance tuning

Documentation Improvements

• Updated comments to match official v0.28.0 documentation
• Fixed TLS documentation reference: docs/tls.md → docs/ref/tls.md
• Improved log level documentation with all valid levels listed
• Commented out hardcoded ipv4/ipv6 DERP addresses (now examples only)

References

• Headscale v0.28.0 Release
• Official v0.28.0 config-example.yaml