Index: config-example.yaml
--- config-example.yaml.orig
+++ config-example.yaml
@@ -44,7 +44,7 @@ grpc_allow_insecure: false
 # and Tailscale clients.
 # The private key file will be autogenerated if it's missing.
 #
-private_key_path: /var/lib/headscale/private.key
+private_key_path: ${SYSCONFDIR}/headscale/private.key
 
 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol
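Review bot: Both key paths now point into `${SYSCONFDIR}/headscale`, yet the comment kept above `private_key_path` says the key is autogenerated when missing, so the daemon needs write access to its configuration directory. If the main config file is installed in that same directory (not visible in this patch), an account that can create files there can also replace the config, which removes the separation between read-only configuration and daemon-owned state. Consider keeping the generated keys with the other state this patch relocates, for example `private_key_path: ${LOCALSTATEDIR}/db/headscale/private.key`, and likewise for `noise.private_key_path` in the next hunk. If the keys must stay under `${SYSCONFDIR}`, add a comment stating the directory owner and mode the package expects, and that the key files should be readable only by the service user.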
@@ -53,7 +53,7 @@ noise:
   # traffic between headscale and Tailscale clients when
   # using the new Noise-based protocol. It must be different
   # from the legacy private key.
-  private_key_path: /var/lib/headscale/noise_private.key
+  private_key_path: ${SYSCONFDIR}/headscale/noise_private.key
 
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
@@ -107,7 +107,8 @@ derp:
   #
   # paths:
   #   - /etc/headscale/derp-example.yaml
-  paths: []
+  paths:
+    - ${SYSCONFDIR}/headscale/derp.yaml
 
   # If enabled, a worker will be set up to periodically
   # refresh the given sources and update the derpmap
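Review bot: The default for `derp.paths` changes from an empty list to `${SYSCONFDIR}/headscale/derp.yaml`, a file that nothing in this patch shows being installed. How headscale reacts to a listed but missing DERP file is not visible here, so the sample config may fail or log errors on a fresh install. The DERP map determines which relay servers clients are directed to, so the file should be root-owned and not writable by the daemon. Either ship a sample file with the package or keep `paths: []` and offer the path as a commented example, `#   - ${SYSCONFDIR}/headscale/derp.yaml`. The commented example just above still names `/etc/headscale/derp-example.yaml` and would be worth aligning.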
@@ -133,7 +134,7 @@ node_update_check_interval: 10s
 db_type: sqlite3
 
 # For production:
-db_path: /var/lib/headscale/db.sqlite
+db_path: ${LOCALSTATEDIR}/db/headscale/db.sqlite
 
 # # Postgres config
 # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
@@ -167,7 +168,7 @@ tls_letsencrypt_hostname: ""
 # Path to store certificates and metadata needed by
 # letsencrypt
 # For production:
-tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+tls_letsencrypt_cache_dir: ${LOCALSTATEDIR}/db/headscale/cache
 
 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
@@ -257,7 +258,7 @@ dns_config:
 
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
-unix_socket: /var/run/headscale/headscale.sock
+unix_socket: ${LOCALSTATEDIR}/run/headscale/headscale.sock
 unix_socket_permission: "0770"
 #
 # headscale supports experimental OpenID connect support,
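Review bot: The socket moves to `${LOCALSTATEDIR}/run/headscale/headscale.sock`, and the comment above it says the CLI connects through it without authentication, so filesystem permissions on that path are the only access control. With `unix_socket_permission: "0770"` every member of the socket's group gets full CLI access. The `headscale` subdirectory must also exist with a restrictive owner and mode before the daemon starts; run directories are often cleared at boot, and whether the package recreates it is not visible here. I would add a comment next to the setting, such as `# Anyone who can open this socket can administer headscale; keep its directory owned by the service user and not world-accessible.`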
