From 186ebe57b06cdb4aec778d7d643b1cf0202c2221 Mon Sep 17 00:00:00 2001 From: Jonas Juselius Date: Sun, 27 Apr 2025 19:38:46 +0200 Subject: [PATCH 1/8] fix: update headscale --- values/headscale/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values/headscale/values.yaml b/values/headscale/values.yaml index 8227a5b3..315c56b6 100644 --- a/values/headscale/values.yaml +++ b/values/headscale/values.yaml @@ -1,7 +1,7 @@ image: repository: ghcr.io/juanfont/headscale pullPolicy: IfNotPresent - tag: v0.25.0 + tag: v0.25.1 args: [ "serve" ] From 2b53bc519e37c9f1e39147b3fc0e96b54f6259a2 Mon Sep 17 00:00:00 2001 From: Jonas Juselius Date: Mon, 28 Apr 2025 08:45:38 +0200 Subject: [PATCH 2/8] fix: fix headscale user names --- values/headscale/values.yaml | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/values/headscale/values.yaml b/values/headscale/values.yaml index 315c56b6..e78c3c30 100644 --- a/values/headscale/values.yaml +++ b/values/headscale/values.yaml 
@@ -90,12 +90,32 @@ configMaps: // groups are collections of users having a common scope. A user can be in multiple groups // groups cannot be composed of groups "groups": { - "group:admin": [ "jonas.juselius", "moritz.jorg" ], - "group:devops": [ "jonas.juselius", "moritz.jorg", "stig.r.jenssen", "radovan.bast", "simen.kirkvik" ], - "group:oceanographer": [ "frank.gaardsted", "ole.nost", "helge.avlesen" ], - "group:manager": [ "svenn.hanssen", "hilde.iversen" ], - "group:dev": [ "ole.tytlandsvik" ], - "group:intern": [ "ole.tytlandsvik" ] + "group:admin": [ + "jonas.juselius@oceanbox.io", + "moritz.jorg@oceanbox.io", + ], + "group:devops": [ + "jonas.juselius@oceanbox.io", + "moritz.jorg@oceanbox.io", + "stig.r.jenssen@oceanbox.io", + "radovan.bast@oceanbox.io", + "simen.kirkvik@oceanbox.io", + ], + "group:oceanographer": [ + "frank.gaardsted@oceanbox.io", + "ole.nost@oceanbox.io", + "helge.avlesen@oceanbox.io", + "isabella.rossi@oceanbox.io", + "jonathan.lilly@oceanbox.io", + ], + "group:manager": [ + "svenn.hanssen@oceanbox.io", + "hilde.iversen@oceanbox.io", + ], + "group:dev": [ + "ole.tytlandsvik@oceanbox.io", + ], + "group:intern": [] }, // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server. // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag) From 94d01a84b0cef2c6db013548419acf6ce18a3b0e Mon Sep 17 00:00:00 2001 From: Jonas Juselius Date: Mon, 28 Apr 2025 10:25:33 +0200 Subject: [PATCH 3/8] fix: fix exit node acls + some typos --- values/headscale/values.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/values/headscale/values.yaml b/values/headscale/values.yaml index e78c3c30..1d91a872 100644 --- a/values/headscale/values.yaml +++ b/values/headscale/values.yaml 
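Review bot: The group members in this hunk are rewritten in email form, but nothing in the `groups` block records which identifier form headscale expects, so a later entry added in the old bare `first.last` form would presumably match no user and silently drop that person from the group. I would add one comment line at the top of `groups`, e.g. `// members must match the user name headscale reports in "headscale users list"; for OIDC logins that is the email address`. Leaving `group:intern` defined but empty is safe — an empty group grants nothing — but a short comment saying it is intentionally kept as a placeholder would stop someone from deleting the definition while other rules may still reference it.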
@@ -8,6 +8,7 @@ args: [ "serve" ] env: HEADSCALE_DNS_BASE_DOMAIN: "obx.io" + HEADSCALE_OIDC_ONLY_START_IF_OIDC_IS_AVAILABLE: "true" HEADSCALE_OIDC_ISSUER: "https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/v2.0" HEADSCALE_OIDC_CLIENT_ID: "688e9096-f140-4498-a46a-e3d1939184de" HEADSCALE_OIDC_CLIENT_SECRET: "dPW8Q~1rctY-D0Ih.A1-1KqLl0uj1rX_ixNTcbrh" @@ -93,11 +94,12 @@ configMaps: "group:admin": [ "jonas.juselius@oceanbox.io", "moritz.jorg@oceanbox.io", + "system-tos", ], "group:devops": [ "jonas.juselius@oceanbox.io", "moritz.jorg@oceanbox.io", - "stig.r.jenssen@oceanbox.io", + "stig.r.jensen@oceanbox.io", "radovan.bast@oceanbox.io", "simen.kirkvik@oceanbox.io", ], @@ -184,7 +186,8 @@ configMaps: "group:dev", ], "dst": [ - "100.64.0.1/24:*", + "100.64.0.1/24:*", + "autogroup:internet:*", ] }, // { From d1776f3693ca2af42a937227ccb91df238c5fbf1 Mon Sep 17 00:00:00 2001 From: Jonas Juselius Date: Mon, 28 Apr 2025 10:33:49 +0200 Subject: [PATCH 4/8] fix: allow tailscale users to access gw-tos --- values/headscale/values.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/values/headscale/values.yaml b/values/headscale/values.yaml index 1d91a872..5e3ecbb6 100644 --- a/values/headscale/values.yaml +++ b/values/headscale/values.yaml @@ -143,6 +143,17 @@ configMaps: "mgmt.tos": "10.255.240.0/24" }, "acls": [ + { + "action": "accept", + "src": [ + "group:admin", + "group:devops", + "group:oceanographer", + "group:manager", + "group:dev", + ], + "dst": [ "gw-tos:0" ] + }, { "action": "accept", "src": [ "group:admin" ], From cbf00643d125aae2e662fc7560ea97708354aead Mon Sep 17 00:00:00 2001 From: Jonas Juselius Date: Tue, 29 Apr 2025 08:53:15 +0200 Subject: [PATCH 5/8] fix: change tailnet domain to hs --- values/headscale/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/values/headscale/values.yaml b/values/headscale/values.yaml index 5e3ecbb6..014562c2 100644 --- a/values/headscale/values.yaml 
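Review bot: The new `HEADSCALE_OIDC_ONLY_START_IF_OIDC_IS_AVAILABLE` line is added into an `env:` block that carries the OIDC client secret as a plaintext value in the committed values file (the `HEADSCALE_OIDC_CLIENT_SECRET` context line directly below it). That value is now in git history across this whole series, so it should be treated as exposed and rotated at the identity provider, and the chart should take it from a Kubernetes Secret (`valueFrom.secretKeyRef` or an external/sealed secret) with only the reference kept in values. The new flag itself is a good fail-closed choice; a comment stating the reason, e.g. `# refuse to start without a reachable IdP rather than serve with OIDC disabled`, would make the intent clear — confirm that is the behaviour you rely on for this headscale version.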
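Review bot: `system-tos` is added to `group:admin` next to the email-form users with no indication of what it is; the name reads like a service or system account rather than a person, and every node logged in as that user will inherit whatever `group:admin` is allowed. If it is a machine identity, tagging its nodes via `tagOwners` (which the policy already documents a few lines above) keeps human and machine access separate; if it must remain a user, the minimum is a comment on the line such as `// system-tos: local (non-OIDC) user for <purpose>`. The `stig.r.jensen` rename is fine provided the old spelling is not still used elsewhere in the policy.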
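Review bot: `autogroup:internet:*` is added to a `dst` list whose rule `src` starts before this hunk, so the set of users being granted exit-node internet access is not visible here and should be checked before merge; the line deserves a comment naming the intent, e.g. `// exit-node grant: src groups may route all Internet traffic via any advertised exit node`. The neighbouring `100.64.0.1/24:*` entry is only re-indented, but it keeps a host bit set inside the prefix — `100.64.0.0/24` is the canonical form and leaves no doubt about the intended range; I cannot tell from the hunk whether the parser normalises it.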
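Review bot: The new rule lets every defined group except `group:intern` reach `gw-tos:0`, and port `0` is not the documented all-ports form (`*`), so what headscale makes of it is not obvious from the policy; the same form reappears when patch 8/8 changes this destination to `mumindalen:0`. If full access is intended, `"gw-tos:*"` says so; if a narrower effect is intended (for example ICMP reachability only), a comment on the line stating that and that it was verified against the running headscale version would prevent someone from "fixing" it later. This rule is also the first and broadest entry in `acls`; since ACL rules are allow-only and additive, a narrower rule added later for the same host cannot restrict it.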
+++ b/values/headscale/values.yaml @@ -6,7 +6,7 @@ image: args: [ "serve" ] env: - HEADSCALE_DNS_BASE_DOMAIN: "obx.io" + HEADSCALE_DNS_BASE_DOMAIN: "obx.hs" HEADSCALE_OIDC_ONLY_START_IF_OIDC_IS_AVAILABLE: "true" HEADSCALE_OIDC_ISSUER: "https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/v2.0" From 7a0a737e9891487b84ed97cab178f8a71ceab7c8 Mon Sep 17 00:00:00 2001 From: Jonas Juselius Date: Wed, 30 Apr 2025 08:42:26 +0200 Subject: [PATCH 6/8] fix: fix keycloak magicdns --- values/headscale/values.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/values/headscale/values.yaml b/values/headscale/values.yaml index 014562c2..e26c3b5f 100644 --- a/values/headscale/values.yaml +++ b/values/headscale/values.yaml @@ -213,14 +213,14 @@ configMaps: data: records: | [ - { "name": "auth.oceanbox.io", "type": "A", "value": "10.255.241.11" }, { "name": "maps.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" }, { "name": "atlantis.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" }, + { "name": "auth.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" }, + { "name": "keycloak.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" }, { "name": "grafana.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" }, { "name": "prometheus.adm.oceanbox.io", "type": "A", "value": "10.255.241.99" }, { "name": "alertmanager.adm.oceanbox.io", "type": "A", "value": "10.255.241.99" }, - { "name": "auth.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" }, { "name": "argocd.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" }, { "name": "hubble.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" }, { "name": "plausible.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" }, From 3c1d289568085850f4668e07c01382287fa2b7b6 Mon Sep 17 00:00:00 2001 From: Jonas Juselius Date: Fri, 2 May 2025 13:22:42 +0200 Subject: [PATCH 7/8] fix: add oty to devops group --- values/headscale/values.yaml | 1 + 1 file changed, 1 insertion(+) 
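Review bot: `HEADSCALE_DNS_BASE_DOMAIN` changes from `obx.io` to `obx.hs` with no comment on why, and the change renames every node's MagicDNS name for all clients. If the reason is that headscale rejects a base domain that overlaps the server's own domain or public DNS (which I presume from the direction of the change), a one-line comment such as `# base domain must not be a suffix of server_url and must not collide with public DNS` would keep the next maintainer from reverting it. Confirm that no client configs or records still reference `*.obx.io` names.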
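Review bot: The `records` list drops `auth.oceanbox.io` entirely while adding `keycloak.adm.oceanbox.io` and moving `auth.adm.oceanbox.io`, so tailnet clients will now resolve `auth.oceanbox.io` through public DNS instead of the private ingress address — presumably intended by the rename, but any client still configured with the old host name will silently take the public path, so it is worth confirming. These overrides only affect MagicDNS clients; a YAML comment above `records:` such as `# split-horizon records: private ingress addresses, visible only to tailnet clients` would make that explicit for whoever edits the list next. Keeping the entries sorted by name would also make additions like this one easier to review.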
diff --git a/values/headscale/values.yaml b/values/headscale/values.yaml index e26c3b5f..43e3ca6b 100644 --- a/values/headscale/values.yaml +++ b/values/headscale/values.yaml @@ -102,6 +102,7 @@ configMaps: "stig.r.jensen@oceanbox.io", "radovan.bast@oceanbox.io", "simen.kirkvik@oceanbox.io", + "ole.tytlandsvik@tromso.serit.no", ], "group:oceanographer": [ "frank.gaardsted@oceanbox.io", From e4de293820f027c001744eb955a924982ca5dc7b Mon Sep 17 00:00:00 2001 From: Jonas Juselius Date: Fri, 2 May 2025 13:49:42 +0200 Subject: [PATCH 8/8] fix: add ekman and frontend 22 --- values/headscale/values.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/values/headscale/values.yaml b/values/headscale/values.yaml index 43e3ca6b..834e60c9 100644 --- a/values/headscale/values.yaml +++ b/values/headscale/values.yaml @@ -153,7 +153,7 @@ configMaps: "group:manager", "group:dev", ], - "dst": [ "gw-tos:0" ] + "dst": [ "mumindalen:0" ] }, { "action": "accept", @@ -186,6 +186,8 @@ configMaps: "ingress.oceanbox.tos:443", "ingress.ekman.tos:443", "ingress.ceph.tos:443", + "ekman:22", + "frontend:22", ] }, {
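Review bot: `ole.tytlandsvik@tromso.serit.no` is the first member from outside `oceanbox.io` in this policy, and the same person already appears in `group:dev` as `ole.tytlandsvik@oceanbox.io` (patch 2/8), so one person now has two identities with different group memberships. Whether this entry can ever match depends on headscale creating an OIDC user for that domain — if `oidc.allowed_domains` is restricted to `oceanbox.io` the entry is dead, and if it was widened for this case that widening deserves its own review. Either way a comment on the line, e.g. `// external (non-oceanbox.io) identity; same person as ole.tytlandsvik@oceanbox.io in group:dev`, records the intent.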
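Review bot: `ekman:22` and `frontend:22` add SSH reachability to a `dst` list whose rule `src` begins before this hunk, so it is not visible which groups gain shell access; the other entries in the list are `:443` ingress endpoints, which suggests a broad src set, and SSH to two hosts is a materially different grant from HTTPS ingress. Consider moving the SSH destinations into their own rule with a narrow `src` (for example `group:devops`), or document why the current src set needs it: `// SSH to ekman/frontend — keep src restricted to group:devops`. If Tailscale SSH is in use, the policy's `ssh` section would additionally have to allow it; a port-22 ACL entry only opens the network path.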