Index: config-example.yaml
--- config-example.yaml.orig
+++ config-example.yaml
@@ -14,13 +14,13 @@ server_url: http://127.0.0.1:8080
 
 # Address to listen to / bind to on the server
 #
-listen_addr: 0.0.0.0:8080
+listen_addr: 127.0.0.1:8080
 
 # Private key used encrypt the traffic between headscale
 # and Tailscale clients.
 # The private key file which will be
 # autogenerated if it's missing
-private_key_path: /var/lib/headscale/private.key
+private_key_path: ${SYSCONFDIR}/headscale/private.key
 
 # DERP is a relay system that Tailscale uses when a direct
 # connection cannot be established.
@@ -41,7 +41,8 @@ derp:
   #
   # paths:
   #   - /etc/headscale/derp-example.yaml
-  paths: []
+  paths: 
+    - ${SYSCONFDIR}/headscale/derp.yaml
 
   # If enabled, a worker will be set up to periodically
   # refresh the given sources and update the derpmap
@@ -59,7 +60,7 @@ ephemeral_node_inactivity_timeout: 30m
 
 # SQLite config
 db_type: sqlite3
-db_path: /var/lib/headscale/db.sqlite
+db_path: ${VARBASE}/headscale/db.sqlite
 
 # # Postgres config
 # db_type: postgres
@@ -87,7 +88,7 @@ tls_letsencrypt_hostname: ""
 
 # Path to store certificates and metadata needed by
 # letsencrypt
-tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+tls_letsencrypt_cache_dir: "${VARBASE}/headscale/.cache"
 
 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS_ALPN-01
