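---
# Helm values for a headscale deployment (image ghcr.io/juanfont/headscale).
# Layout follows the chart's own keys: image, args, env, ingress.main,
# persistence.config, postgresql (subchart), serviceMonitor.main, configMaps.

image:
  repository: ghcr.io/juanfont/headscale
  pullPolicy: IfNotPresent
  tag: "v0.27.1"

args:
  - "serve"

env:
  HEADSCALE_DNS_BASE_DOMAIN: "relay.obx"
  # HACK: Workaround for fortigate block of WG udp port
  HEADSCALE_RANDOMIZE_CLIENT_PORT: "true"
  HEADSCALE_OIDC_ONLY_START_IF_OIDC_IS_AVAILABLE: "true"
  HEADSCALE_OIDC_ISSUER: "https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/v2.0"
  HEADSCALE_OIDC_CLIENT_ID: "688e9096-f140-4498-a46a-e3d1939184de"
  # The OIDC client secret must not be committed as plain text in values.yaml.
  # It is injected from a pre-created Kubernetes Secret instead; this uses the
  # valueFrom env syntax of the bjw-s common library the chart keys suggest --
  # confirm against the chart's env schema before rollout. The value that was
  # previously committed here should be treated as exposed and rotated in the
  # identity provider.
  HEADSCALE_OIDC_CLIENT_SECRET:
    valueFrom:
      secretKeyRef:
        name: "PLACEHOLDER-headscale-oidc-secret"  # placeholder: name of the Secret
        key: "client-secret"                      # placeholder: key inside the Secret
  # -- Split DNS for obx and ts.obx
  HEADSCALE_DNS_NAMESERVERS_SPLIT: |
    { "obx": [ "10.255.241.210" ] }
  # -- Node IPv4 prefixes
  HEADSCALE_PREFIXES_V4: "100.64.0.0/10"
  # -- Node IPv6 prefixes
  HEADSCALE_PREFIXES_V6: "fd7a:115c:a1e0::/48"
  # -- Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
  HEADSCALE_DNS_MAGIC_DNS: "true"
  # -- List of DNS servers to expose to clients.
  HEADSCALE_DNS_NAMESERVERS_GLOBAL: "1.1.1.1 1.0.0.1"
  HEADSCALE_DERP_URLS: "https://controlplane.tailscale.com/derpmap/default"
  HEADSCALE_DERP_AUTO_UPDATE_ENABLED: "true"
  HEADSCALE_DERP_UPDATE_FREQUENCY: "24h"
  HEADSCALE_EPHEMERAL_NODE_INACTIVITY_TIMEOUT: "30m"

ingress:
  main:
    enabled: true
    className: "nginx"
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-production
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/backend-protocol: HTTP
    hosts:
      - host: headscale-router.adm.oceanbox.io
        paths:
          - path: /
    tls:
      - secretName: headscale-router-tls
        hosts:
          - headscale-router.adm.oceanbox.io

persistence:
  config:
    enabled: true
    mountPath: /etc/headscale
    retain: true
    # storageClass: ""
    # accessMode: ReadWriteOnce
    # size: 1Gi

# -- Enable and configure postgresql database subchart under this key.
# @default -- See [values.yaml](./values.yaml)
postgresql:
  enabled: false
  auth:
    database: headscale
    # The subchart is disabled above, so this value is currently unused. If it
    # is ever enabled, do not keep a well-known default password here; point
    # the subchart at a Secret instead.
    postgresPassword: changeme
  primary:
    persistence:
      enabled: false
      # storageClass: ""
      # size: 8Gi

serviceMonitor:
  main:
    # -- Enables or disables the serviceMonitor.
    enabled: true
    # -- Configures the endpoints for the serviceMonitor.
    # @default -- See [values.yaml](./values.yaml)
    endpoints:
      - port: metrics
        scheme: http
        path: /metrics
        interval: 30s
        scrapeTimeout: 10s

configMaps:
  acl:
    enabled: true
    data:
      # headscale ACL policy in HuJSON (comments and trailing commas allowed).
      policy: |
        {
          "groups": {
            "group:admin": [
              "jonas.juselius@oceanbox.io",
              "Moritz.Jorg@oceanbox.io",
              "simen.kirkvik@oceanbox.io",
              "stig.r.jensen@oceanbox.io",
              "system@"
            ],
          },
          "tagOwners": {
            "tag:k8s": [ "group:admin" ],
            "tag:hpc": [ "group:admin" ],
            "tag:tos-router": [ "group:admin" ],
            "tag:vtn-router": [ "group:admin" ],
            // "tag:hel1-router": [ "group:admin" ],
            "tag:mumindalen": [ "group:admin" ],
            "tag:ekman": [ "group:admin" ],
            "tag:rossby": [ "group:admin" ],
          },
          // hosts should be defined using its IP addresses and a subnet mask.
          // to define a single host, use a /32 mask. You cannot use DNS entries here,
          // as they're prone to be hijacked by replacing their IP addresses.
          // see https://github.com/tailscale/tailscale/issues/3800 for more information.
          "hosts": {
            "office.tos.net": "10.132.46.0/24",
            "dc.tos.net": "10.255.241.0/24",
            "100gbe.tos.net": "10.255.244.0/24",
            "mgmt.tos.net": "10.255.240.0/24",
            "dc.vtn.net": "172.16.239.0/24",
            "mgmt.vtn.net": "172.16.238.0/24",
            // "dc.hel1.net": "10.0.1.0/24",
          },
          // NOTE(review): every rule below ends its "dst" list with "*:*", which
          // grants the listed sources access to all nodes on all ports. The
          // specific dst entries before it are therefore redundant, and the
          // router tags and subnets get the same reach as group:admin. If the
          // intent was site-to-site access only, drop "*:*" from the first two
          // rules and keep it only in the admin rule.
          "acls": [
            {
              "action": "accept",
              "src": [
                "tag:tos-router",
                "dc.tos.net",
                "group:admin",
              ],
              "dst": [
                "tag:vtn-router:*",
                "dc.vtn.net:*",
                // "tag:hel1-router:*",
                // "dc.hel1.net:*",
                "*:*",
              ]
            },
            {
              "action": "accept",
              "src": [
                "tag:vtn-router",
                "dc.vtn.net",
                "group:admin",
              ],
              "dst": [
                "tag:tos-router:*",
                "dc.tos.net:*",
                // "tag:hel1-router:*",
                // "dc.hel1.net:*",
                "*:*",
              ]
            },
            // {
            //   "action": "accept",
            //   "src": [
            //     "tag:hel1-router",
            //     "dc.hel1.net",
            //     "group:admin",
            //   ],
            //   "dst": [
            //     "tag:tos-router:*",
            //     "tag:vtn-router:*",
            //     "dc.tos.net:*",
            //     "dc.vtn.net:*",
            //     "*:*",
            //   ]
            // },
            {
              "action": "accept",
              "src": [
                "group:admin",
              ],
              "dst": [
                "*:*",
              ]
            },
          ]
        }
  dns:
    enabled: true
    data:
      # Extra DNS A records served to clients; all point at the same host.
      records: |
        [
          { "name": "auth.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "auth.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "keycloak.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "grafana.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "prometheus.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "alertmanager.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "argocd.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "hubble.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "umami.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "dapr.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" }
        ]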