From 79403cf015da3483fad6e31a49c01d805c92338b Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Sat, 26 Apr 2025 19:05:05 +0200
Subject: [PATCH] feat: add headscale
---
 apps/headscale.yaml | 21 ++++
 values/headscale/values.yaml | 222 +++++++++++++++++++++++++++++++++++
 2 files changed, 243 insertions(+)
 create mode 100644 apps/headscale.yaml
 create mode 100644 values/headscale/values.yaml
diff --git a/apps/headscale.yaml b/apps/headscale.yaml
new file mode 100644
index 00000000..656572bb
--- /dev/null
+++ b/apps/headscale.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: headscale
+ namespace: argocd
+spec:
+ project: default
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: headscale
+ sources:
+ - repoURL: https://charts.gabe565.com
+ targetRevision: 0.16.0
+ chart: headscale
+ helm:
+ valueFiles:
+ - $values/values/headscale/values.yaml
+ - repoURL: https://gitlab.com/oceanbox/manifests.git
+ targetRevision: main
+ ref: values
+
diff --git a/values/headscale/values.yaml b/values/headscale/values.yaml
new file mode 100644
index 00000000..4d33c3df
--- /dev/null
+++ b/values/headscale/values.yaml
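Review bot: The Application declares no `syncPolicy`, so unless the `headscale` namespace is created by something else the first sync will fail on the missing destination namespace; the usual fix is to add `syncPolicy:` / `  syncOptions:` / `    - CreateNamespace=true` under `spec`. The chart source is pinned to `targetRevision: 0.16.0` while the values source floats on `targetRevision: main`, which makes the deployed configuration depend on whatever is at the branch head at sync time; pinning the manifests repo to a tag or commit would make it reproducible. This matters more than usual here because the referenced values file carries credentials (raised separately on the values.yaml hunk).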
@@ -0,0 +1,222 @@
+image:
+ repository: ghcr.io/juanfont/headscale
+ pullPolicy: IfNotPresent
+ tag: v0.25.0
+
+args: [ "serve" ]
+
+env:
+ HEADSCALE_DNS_BASE_DOMAIN: "obx.io"
+
+ HEADSCALE_OIDC_ISSUER: "https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/v2.0"
+ HEADSCALE_OIDC_CLIENT_ID: "688e9096-f140-4498-a46a-e3d1939184de"
+ HEADSCALE_OIDC_CLIENT_SECRET: "dPW8Q~1rctY-D0Ih.A1-1KqLl0uj1rX_ixNTcbrh"
+
+ # -- Node IPv4 prefixes
+ HEADSCALE_PREFIXES_V4: "100.64.0.0/10"
+ # -- Node IPv6 prefixes
+ HEADSCALE_PREFIXES_V6: "fd7a:115c:a1e0::/48"
+
+ # -- List of DNS servers to expose to clients.
+ HEADSCALE_DNS_NAMESERVERS_GLOBAL: "1.1.1.1 1.0.0.1"
+ # -- Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
+ HEADSCALE_DNS_MAGIC_DNS: "true"
+
+ HEADSCALE_DERP_URLS: "https://controlplane.tailscale.com/derpmap/default"
+ HEADSCALE_DERP_AUTO_UPDATE_ENABLED: "true"
+ HEADSCALE_DERP_UPDATE_FREQUENCY: "24h"
+
+ HEADSCALE_EPHEMERAL_NODE_INACTIVITY_TIMEOUT: "30m"
+
+ingress:
+ main:
+ enabled: true
+ className: "nginx"
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: HTTP
+ hosts:
+ - host: headscale.adm.oceanbox.io
+ paths:
+ - path: /
+ tls:
+ - secretName: headscale-tls
+ hosts:
+ - headscale.adm.oceanbox.io
+
+persistence:
+ # -- Configure persistence settings for the chart under this key.
+ # @default -- See [values.yaml](./values.yaml)
+ config:
+ enabled: false
+ mountPath: /etc/headscale
+ retain: true
+ # storageClass: ""
+ # accessMode: ReadWriteOnce
+ # size: 1Gi
+
+# -- Enable and configure postgresql database subchart under this key.
+# For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/main/bitnami/postgresql)
+# @default -- See [values.yaml](./values.yaml)
+postgresql:
+ enabled: false
+ auth:
+ database: headscale
+ postgresPassword: changeme
+ primary:
+ persistence:
+ enabled: false
+ # storageClass: ""
+ # size: 8Gi
+
+serviceMonitor:
+ main:
+ # -- Enables or disables the serviceMonitor.
+ enabled: true
+ # -- Configures the endpoints for the serviceMonitor.
+ # @default -- See [values.yaml](./values.yaml)
+ endpoints:
+ - port: metrics
+ scheme: http
+ path: /metrics
+ interval: 30s
+ scrapeTimeout: 10s
+
+configMaps:
+ acl:
+ enabled: true
+ data:
+ policy: |
+ {
+ // groups are collections of users having a common scope. A user can be in multiple groups
+ // groups cannot be composed of groups
+ "groups": {
+ "group:admin": [ "jonas.juselius", "moritz.jorg" ],
+ "group:devops": [ "jonas.juselius", "moritz.jorg", "stig.r.jenssen", "radovan.bast", "simen.kirkvik" ],
+ "group:oceanographer": [ "frank.gaardsted", "ole.nost", "helge.avlesen" ],
+ "group:manager": [ "svenn.hanssen", "hilde.iversen" ],
+ "group:dev": [ "ole.tytlandsvik" ],
+ "group:intern": [ "ole.tytlandsvik" ]
+ },
+ // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
+ // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
+ // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
+ "tagOwners": {
+ "tag:k8s": [ "group:admin" ],
+ "tag:hpc": [ "group:admin" ],
+ },
+ // hosts should be defined using its IP addresses and a subnet mask.
+ // to define a single host, use a /32 mask. You cannot use DNS entries here,
+ // as they're prone to be hijacked by replacing their IP addresses.
+ // see https://github.com/tailscale/tailscale/issues/3800 for more information.
+ "hosts": {
+ "ingress.ekman.tos": "10.255.241.99/32",
+ "ingress.ceph.tos": "10.255.241.10/32",
+ "ingress.oceanbox.tos": "10.255.241.11/32",
+ "frontend.ekman.tos": "10.255.241.99/32",
+ "k8s.oceanbox.tos": "10.255.241.200/32",
+ "k8s.ekman.tos": "10.255.241.99/32",
+ "k8s.ceph.tos": "10.255.241.29/32",
+ "office.tos": "10.132.46.0/24",
+ "dc.tos": "10.255.241.0/24",
+ "mgmt.tos": "10.255.240.0/24"
+ },
+ "acls": [
+ {
+ "action": "accept",
+ "src": [ "group:admin" ],
+ "dst": [
+ "dc.tos:*",
+ "mgmt.tos:*",
+ "office.tos:*",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [ "group:devops" ],
+ "dst": [
+ "k8s.oceanbox.tos:4443",
+ "k8s.ekman.tos:4443",
+ "k8s.ceph.tos:4443",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [
+ "group:admin",
+ "group:devops",
+ "group:oceanographer",
+ "group:manager",
+ "group:dev",
+ ],
+ "dst": [
+ "ingress.oceanbox.tos:443",
+ "ingress.ekman.tos:443",
+ "ingress.ceph.tos:443",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [
+ "group:admin",
+ "group:devops",
+ "group:oceanographer",
+ "group:manager",
+ "group:dev",
+ ],
+ "dst": [
+ "100.64.0.1/24:*",
+ ]
+ },
+ // {
+ // "action": "accept",
+ // "src": ["group:dev"],
+ // "dst": ["dc.tos:443", "frontend.ekman:0"]
+ // }
+ ]
+ }
+ dns:
+ enabled: true
+ data:
+ records: |
+ [
+ { "name": "auth.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+ { "name": "maps.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+ { "name": "atlantis.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+
+ { "name": "grafana.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+ { "name": "prometheus.adm.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+ { "name": "alertmanager.adm.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+ { "name": "auth.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+ { "name": "argocd.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+ { "name": "hubble.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+ { "name": "plausible.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+
+ { "name": "rabbitmq.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+ { "name": "openfga.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+
+ { "name": "rabbitmq.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+ { "name": "yolo-registry.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+ { "name": "openfga.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+
+ { "name": "argocd.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+ { "name": "prometheus.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+ { "name": "alertmanager.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+ { "name": "grafana.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+ { "name": "slurmrestd.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+ { "name": "sorcrerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+
+ { "name": "dashboard.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
+ { "name": "grafana.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
+ { "name": "s3.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
+ { "name": "prometheus.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
+ { "name": "alertmanager.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
+ { "name": "huble.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
+
+ { "name": "stig-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+ { "name": "stig-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
+ { "name": "jonas-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
+ { "name": "jonas-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }
+ ]
+
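Review bot: `HEADSCALE_OIDC_CLIENT_SECRET` under `env:` is a live credential committed in plaintext to a values file that the Application pulls straight from a git repository, so it is now in history and should be rotated and removed; keep the key but source it from a Kubernetes Secret (the chart's `env` entries appear to accept `valueFrom`/`secretKeyRef`, or use `envFrom` with a Secret — confirm against the chart's values schema) populated by an external-secrets or sealed-secrets object rather than from the repo. `postgresPassword: changeme` has the same problem the moment `postgresql.enabled` is flipped to `true`, so it is better replaced with a Secret reference now than left as a default. With both `persistence.config.enabled` and `postgresql.enabled` set to `false`, headscale's state under `/etc/headscale` (node registrations, keys) presumably lives only in the container filesystem and is lost on every pod restart — verify that is intended before this serves real clients. Minor: `sorcrerer.ekman.oceanbox.io` and `huble.ob-ceph.local` in the DNS records look like typos for `sorcerer`/`hubble`, and `100.64.0.1/24` in the last ACL rule has host bits set; `100.64.0.0/24` is the canonical form and avoids relying on the policy parser to normalize it.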