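---
# Helm values for a headscale control plane (Tailscale-compatible mesh VPN).
#
# This file is committed configuration and is read by anyone with repository
# access. It must therefore not carry credentials: the previous revision held
# the OIDC client secret in plaintext under env.HEADSCALE_OIDC_CLIENT_SECRET.
# That value has to be treated as exposed and rotated in the Entra ID app
# registration; see the note on that key for how to supply the replacement.

image:
  repository: ghcr.io/juanfont/headscale
  pullPolicy: IfNotPresent
  # Pinned to an explicit release; bump deliberately and check the upstream
  # release notes for security fixes rather than tracking a floating tag.
  tag: v0.25.1

args:
  - "serve"

# All values are strings on purpose: they are injected as environment
# variables, and headscale parses them itself.
env:
  HEADSCALE_DNS_BASE_DOMAIN: "obx.hs"
  # Refuse to start when the OIDC issuer cannot be reached, instead of
  # coming up without SSO enforcement.
  HEADSCALE_OIDC_ONLY_START_IF_OIDC_IS_AVAILABLE: "true"
  # Single-tenant Entra ID issuer: only principals of this tenant can sign in.
  HEADSCALE_OIDC_ISSUER: "https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/v2.0"
  HEADSCALE_OIDC_CLIENT_ID: "688e9096-f140-4498-a46a-e3d1939184de"
  # Do NOT commit the client secret here. Supply it at deploy time from a
  # secret store (for example via `--set env.HEADSCALE_OIDC_CLIENT_SECRET=...`
  # in the pipeline), or mount a Kubernetes Secret and set
  # HEADSCALE_OIDC_CLIENT_SECRET_PATH to the mounted file instead of this key.
  # Left empty deliberately so the deployment fails closed until it is set.
  HEADSCALE_OIDC_CLIENT_SECRET: ""
  # NOTE(review): no HEADSCALE_OIDC_ALLOWED_DOMAINS / ALLOWED_GROUPS is set,
  # so every user of the tenant can enrol a node; access is then limited only
  # by the ACL policy below. Confirm that is intended.
  # -- Node IPv4 prefixes
  HEADSCALE_PREFIXES_V4: "100.64.0.0/10"
  # -- Node IPv6 prefixes
  HEADSCALE_PREFIXES_V6: "fd7a:115c:a1e0::/48"
  # -- List of DNS servers to expose to clients.
  HEADSCALE_DNS_NAMESERVERS_GLOBAL: "1.1.1.1 1.0.0.1"
  # -- Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
  HEADSCALE_DNS_MAGIC_DNS: "true"
  # Relay map is fetched from Tailscale's public DERP service and refreshed
  # daily. DERP relays only forward already-encrypted WireGuard frames, so
  # using the public map does not expose node traffic, but it does make the
  # mesh depend on a third-party service being reachable.
  HEADSCALE_DERP_URLS: "https://controlplane.tailscale.com/derpmap/default"
  HEADSCALE_DERP_AUTO_UPDATE_ENABLED: "true"
  HEADSCALE_DERP_UPDATE_FREQUENCY: "24h"
  # Ephemeral nodes that stay offline longer than this are removed.
  HEADSCALE_EPHEMERAL_NODE_INACTIVITY_TIMEOUT: "30m"

ingress:
  main:
    enabled: true
    className: "nginx"
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-production
      # Always redirect plain HTTP to TLS at the edge.
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      # TLS terminates at the ingress controller; the pod is reached over
      # plain HTTP inside the cluster.
      nginx.ingress.kubernetes.io/backend-protocol: HTTP
    hosts:
      - host: headscale.svc.oceanbox.io
        paths:
          - path: /
    tls:
      - secretName: headscale-tls
        hosts:
          - headscale.svc.oceanbox.io

persistence:
  config:
    enabled: true
    mountPath: /etc/headscale
    # Keep the volume when the release is uninstalled so the headscale state
    # stored under /etc/headscale is not lost by accident.
    retain: true
    # storageClass: ""
    # accessMode: ReadWriteOnce
    # size: 1Gi

# -- Enable and configure postgresql database subchart under this key.
# For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/main/bitnami/postgresql)
# @default -- See [values.yaml](./values.yaml)
postgresql:
  enabled: false
  auth:
    database: headscale
    # Placeholder only while the subchart is disabled. Replace it (preferably
    # by pointing the subchart at an existing Secret rather than a literal
    # here) before ever setting enabled: true.
    postgresPassword: changeme
  primary:
    persistence:
      enabled: false
      # storageClass: ""
      # size: 8Gi

serviceMonitor:
  main:
    # -- Enables or disables the serviceMonitor.
    enabled: true
    # -- Configures the endpoints for the serviceMonitor.
    # @default -- See [values.yaml](./values.yaml)
    # Metrics are scraped over plain HTTP on the cluster network only; they
    # are not exposed through the ingress above.
    endpoints:
      - port: metrics
        scheme: http
        path: /metrics
        interval: 30s
        scrapeTimeout: 10s

configMaps:
  acl:
    enabled: true
    data:
      # HuJSON policy; `//` comments are permitted here.
      policy: |
        {
          // groups are collections of users having a common scope. A user can be in multiple groups
          // groups cannot be composed of groups
          // NOTE(review): member names must match headscale's OIDC user names
          // exactly, including case; confirm the mixed-case entries below
          // resolve, otherwise those users silently get no access.
          "groups": {
            "group:admin": [
              "jonas.juselius@oceanbox.io",
              "Moritz.Jorg@oceanbox.io",
              // NOTE(review): not an e-mail like the other members; confirm this
              // is a real headscale user and that it needs admin-level reach.
              "system-tos",
            ],
            "group:devops": [
              "jonas.juselius@oceanbox.io",
              "Moritz.Jorg@oceanbox.io",
              "stig.r.jensen@oceanbox.io",
              "radovan.bast@oceanbox.io",
              "simen.kirkvik@oceanbox.io",
              "Ole.Tytlandsvik@tromso.serit.no",
            ],
            "group:oceanographer": [
              "frank.gaardsted@oceanbox.io",
              "ole.anders.nost@oceanbox.io",
              "helge.avlesen@oceanbox.io",
              "isa.rosso@oceanbox.io",
              "jonathan.lilly@oceanbox.io",
            ],
            "group:manager": [
              "svenn.hanssen@oceanbox.io",
              "hilde.iversen@oceanbox.io",
            ],
            // Empty groups: members can be added without touching the rules.
            "group:dev": [],
            // group:intern is referenced by no rule, so interns get no access.
            "group:intern": [],
          },
          // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
          // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
          // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
          // Only admins may tag nodes. Neither tag is used as a src or dst in
          // "acls" below, so tagged nodes currently gain nothing from the tag.
          "tagOwners": {
            "tag:k8s": [ "group:admin" ],
            "tag:hpc": [ "group:admin" ],
          },
          // hosts should be defined using its IP addresses and a subnet mask.
          // to define a single host, use a /32 mask. You cannot use DNS entries here,
          // as they're prone to be hijacked by replacing their IP addresses.
          // see https://github.com/tailscale/tailscale/issues/3800 for more information.
          "hosts": {
            "ingress.ekman.tos": "10.255.241.99/32",
            "ingress.ceph.tos": "10.255.241.10/32",
            "ingress.oceanbox.tos": "10.255.241.11/32",
            "frontend.ekman.tos": "10.255.241.99/32",
            "k8s.oceanbox.tos": "10.255.241.200/32",
            "k8s.ekman.tos": "10.255.241.99/32",
            "k8s.ceph.tos": "10.255.241.29/32",
            "printer.office.tos": "10.132.46.108/32",
            "net.office.tos": "10.132.46.0/24",
            "net.dc.tos": "10.255.241.0/24",
            "net.ceph.tos": "10.255.244.0/24",
            "net.mgmt.tos": "10.255.240.0/24"
          },
          // Rules are allow-only; anything not matched below is denied.
          "acls": [
            {
              // NOTE(review): "mumindalen" is not declared in "hosts" and port 0
              // is unusual for a dst; confirm this resolves to the intended
              // node/user and port rather than being silently ignored.
              "action": "accept",
              "src": [
                "group:admin",
                "group:devops",
                "group:oceanographer",
                "group:manager",
                "group:dev",
              ],
              "dst": [ "mumindalen:0" ]
            },
            {
              // Admins reach every port on all four subnets, including the
              // management and office networks.
              "action": "accept",
              "src": [ "group:admin" ],
              "dst": [
                "net.dc.tos:*",
                "net.mgmt.tos:*",
                "net.ceph.tos:*",
                "net.office.tos:*",
              ]
            },
            {
              // Kubernetes API endpoints only.
              "action": "accept",
              "src": [ "group:devops" ],
              "dst": [
                "k8s.oceanbox.tos:6443",
                "k8s.ekman.tos:4443",
              ]
            },
            {
              // Web ingresses, IPP printing and SSH to two hosts.
              // NOTE(review): 10.255.241.100 has no entry in "hosts"; consider
              // naming it there so the rule documents itself.
              "action": "accept",
              "src": [
                "group:admin",
                "group:devops",
                "group:oceanographer",
                "group:manager",
                "group:dev",
              ],
              "dst": [
                "ingress.oceanbox.tos:443",
                "ingress.ekman.tos:443",
                "printer.office.tos:631",
                "10.255.241.99/32:22",
                "10.255.241.100/32:22",
              ]
            },
            {
              // NOTE(review): "100.64.0.1/24" has host bits set; presumably
              // "100.64.0.0/24" was meant, and note it covers only the first
              // /24 of the 100.64.0.0/10 node range. "autogroup:internet:*"
              // lets every listed group route through any exit node.
              "action": "accept",
              "src": [
                "group:admin",
                "group:devops",
                "group:oceanographer",
                "group:manager",
                "group:dev",
              ],
              "dst": [
                "100.64.0.1/24:*",
                "autogroup:internet:*",
              ]
            },
          ]
        }
  dns:
    enabled: true
    data:
      # Extra MagicDNS records pointing public names at RFC 1918 addresses
      # that are only reachable through the mesh. Plain JSON, so no comments
      # inside the block.
      # NOTE(review): "sorcrerer.ekman.oceanbox.io" and "huble.ob-ceph.local"
      # look like typos of "sorcerer" / "hubble" (compare the per-user
      # records); verify before relying on them.
      records: |
        [
          { "name": "maps.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "atlantis.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "auth.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "keycloak.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "grafana.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "prometheus.adm.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "alertmanager.adm.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "argocd.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "hubble.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "plausible.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "rabbitmq.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "openfga.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "rabbitmq.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "yolo-registry.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "openfga.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "argocd.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "prometheus.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "alertmanager.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "grafana.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "slurmrestd.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "sorcrerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "dashboard.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "grafana.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "s3.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "prometheus.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "alertmanager.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "huble.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "jonas-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "jonas-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "stig-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "stig-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "radovan-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "radovan-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "mrtz-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "mrtz-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "simen-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "simen-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "ole-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "ole-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }
        ]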