feat: add headscale

2025-04-26 19:05:05 +02:00
parent e207b88363
commit 79403cf015
2 changed files with 243 additions and 0 deletions
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: headscale
+  namespace: argocd
+spec:
+  project: default
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: headscale
+  sources:
+  - repoURL: https://charts.gabe565.com
+    targetRevision: 0.16.0
+    chart: headscale
+    helm:
+      valueFiles:
+        - $values/values/headscale/values.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: main
+    ref: values
+
@@ -0,0 +1,222 @@
+image:
+  repository: ghcr.io/juanfont/headscale
+  pullPolicy: IfNotPresent
+  tag: v0.25.0
+
+args: [ "serve" ]
+
+env:
+  HEADSCALE_DNS_BASE_DOMAIN: "obx.io"
+
+  HEADSCALE_OIDC_ISSUER: "https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/v2.0"
+  HEADSCALE_OIDC_CLIENT_ID: "688e9096-f140-4498-a46a-e3d1939184de"
+  HEADSCALE_OIDC_CLIENT_SECRET: "dPW8Q~1rctY-D0Ih.A1-1KqLl0uj1rX_ixNTcbrh"
+
+  # -- Node IPv4 prefixes
+  HEADSCALE_PREFIXES_V4: "100.64.0.0/10"
+  # -- Node IPv6 prefixes
+  HEADSCALE_PREFIXES_V6: "fd7a:115c:a1e0::/48"
+
+  # -- List of DNS servers to expose to clients.
+  HEADSCALE_DNS_NAMESERVERS_GLOBAL: "1.1.1.1 1.0.0.1"
+  # -- Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
+  HEADSCALE_DNS_MAGIC_DNS: "true"
+
+  HEADSCALE_DERP_URLS: "https://controlplane.tailscale.com/derpmap/default"
+  HEADSCALE_DERP_AUTO_UPDATE_ENABLED: "true"
+  HEADSCALE_DERP_UPDATE_FREQUENCY: "24h"
+
+  HEADSCALE_EPHEMERAL_NODE_INACTIVITY_TIMEOUT: "30m"
+
+ingress:
+  main:
+    enabled: true
+    className: "nginx"
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-production
+      nginx.ingress.kubernetes.io/ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/backend-protocol: HTTP
+    hosts:
+      - host: headscale.adm.oceanbox.io
+        paths:
+          - path: /
+    tls:
+      - secretName: headscale-tls
+        hosts:
+          - headscale.adm.oceanbox.io
+
+persistence:
+  # -- Configure persistence settings for the chart under this key.
+  # @default -- See [values.yaml](./values.yaml)
+  config:
+    enabled: false
+    mountPath: /etc/headscale
+    retain: true
+    # storageClass: ""
+    # accessMode: ReadWriteOnce
+    # size: 1Gi
+
+# -- Enable and configure postgresql database subchart under this key.
+#    For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/main/bitnami/postgresql)
+# @default -- See [values.yaml](./values.yaml)
+postgresql:
+  enabled: false
+  auth:
+    database: headscale
+    postgresPassword: changeme
+  primary:
+    persistence:
+      enabled: false
+      # storageClass: ""
+      # size: 8Gi
+
+serviceMonitor:
+  main:
+    # -- Enables or disables the serviceMonitor.
+    enabled: true
+    # -- Configures the endpoints for the serviceMonitor.
+    # @default -- See [values.yaml](./values.yaml)
+    endpoints:
+      - port: metrics
+        scheme: http
+        path: /metrics
+        interval: 30s
+        scrapeTimeout: 10s
+
+configMaps:
+  acl:
+    enabled: true
+    data:
+      policy: |
+        {
+          // groups are collections of users having a common scope. A user can be in multiple groups
+          // groups cannot be composed of groups
+          "groups": {
+            "group:admin": [ "jonas.juselius", "moritz.jorg" ],
+            "group:devops": [ "jonas.juselius", "moritz.jorg", "stig.r.jenssen", "radovan.bast", "simen.kirkvik" ],
+            "group:oceanographer": [ "frank.gaardsted", "ole.nost", "helge.avlesen" ],
+            "group:manager": [ "svenn.hanssen", "hilde.iversen" ],
+            "group:dev": [ "ole.tytlandsvik" ],
+            "group:intern": [ "ole.tytlandsvik" ]
+          },
+          // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
+          // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
+          // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
+          "tagOwners": {
+            "tag:k8s": [ "group:admin" ],
+            "tag:hpc": [ "group:admin" ],
+          },
+          // hosts should be defined using its IP addresses and a subnet mask.
+          // to define a single host, use a /32 mask. You cannot use DNS entries here,
+          // as they're prone to be hijacked by replacing their IP addresses.
+          // see https://github.com/tailscale/tailscale/issues/3800 for more information.
+          "hosts": {
+            "ingress.ekman.tos": "10.255.241.99/32",
+            "ingress.ceph.tos": "10.255.241.10/32",
+            "ingress.oceanbox.tos": "10.255.241.11/32",
+            "frontend.ekman.tos": "10.255.241.99/32",
+            "k8s.oceanbox.tos": "10.255.241.200/32",
+            "k8s.ekman.tos": "10.255.241.99/32",
+            "k8s.ceph.tos": "10.255.241.29/32",
+            "office.tos": "10.132.46.0/24",
+            "dc.tos": "10.255.241.0/24",
+            "mgmt.tos": "10.255.240.0/24"
+          },
+          "acls": [
+            {
+              "action": "accept",
+              "src": [ "group:admin" ],
+              "dst": [
+                 "dc.tos:*",
+                 "mgmt.tos:*",
+                 "office.tos:*",
+              ]
+            },
+            {
+              "action": "accept",
+              "src": [ "group:devops" ],
+              "dst": [
+                 "k8s.oceanbox.tos:4443",
+                 "k8s.ekman.tos:4443",
+                 "k8s.ceph.tos:4443",
+              ]
+            },
+            {
+              "action": "accept",
+              "src": [
+                  "group:admin",
+                  "group:devops",
+                  "group:oceanographer",
+                  "group:manager",
+                  "group:dev",
+              ],
+              "dst": [
+                 "ingress.oceanbox.tos:443",
+                 "ingress.ekman.tos:443",
+                 "ingress.ceph.tos:443",
+              ]
+            },
+            {
+              "action": "accept",
+              "src": [
+                  "group:admin",
+                  "group:devops",
+                  "group:oceanographer",
+                  "group:manager",
+                  "group:dev",
+              ],
+              "dst": [
+                  "100.64.0.1/24:*",
+              ]
+            },
+            // {
+              // "action": "accept",
+              // "src": ["group:dev"],
+              // "dst": ["dc.tos:443", "frontend.ekman:0"]
+            // }
+          ]
+        }
+  dns:
+    enabled: true
+    data:
+      records: |
+        [
+           { "name": "auth.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "maps.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "atlantis.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+
+           { "name": "grafana.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "prometheus.adm.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+           { "name": "alertmanager.adm.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+           { "name": "auth.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "argocd.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "hubble.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "plausible.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+
+           { "name": "rabbitmq.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "openfga.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+
+           { "name": "rabbitmq.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "yolo-registry.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "openfga.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+
+           { "name": "argocd.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+           { "name": "prometheus.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+           { "name": "alertmanager.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+           { "name": "grafana.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+           { "name": "slurmrestd.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+           { "name": "sorcrerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+
+           { "name": "dashboard.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
+           { "name": "grafana.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
+           { "name": "s3.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
+           { "name": "prometheus.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
+           { "name": "alertmanager.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
+           { "name": "huble.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
+
+           { "name": "stig-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "stig-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+           { "name": "jonas-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+           { "name": "jonas-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }
+        ]
+