# Headscale control-server image. The tag is pinned to a specific release so
# upgrades are explicit and reviewable rather than pulled in implicitly.
image:
  repository: ghcr.io/juanfont/headscale
  pullPolicy: IfNotPresent
  tag: v0.25.1
# Container arguments; "serve" runs the headscale control server.
args: [ "serve" ]
# Headscale settings injected as environment variables (headscale reads
# HEADSCALE_* variables as overrides of its config file). Every value is a
# quoted string on purpose: "true", durations and CIDRs must reach the
# container verbatim and must not be retyped by the YAML parser.
env:
  # -- Base domain used as the MagicDNS suffix for node names.
  HEADSCALE_DNS_BASE_DOMAIN: "obx.hs"
  # -- Fail closed: do not start unless the OIDC issuer is reachable, so the
  # server never comes up in a state where OIDC login silently does not work.
  HEADSCALE_OIDC_ONLY_START_IF_OIDC_IS_AVAILABLE: "true"
  HEADSCALE_OIDC_ISSUER: "https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/v2.0"
  HEADSCALE_OIDC_CLIENT_ID: "688e9096-f140-4498-a46a-e3d1939184de"
  # NOTE(review): a live OIDC client secret is committed here in plaintext.
  # Anyone with read access to this repository or its history can use it to
  # act as this application against the issuer above. Rotate the secret at
  # the identity provider and supply the replacement from a Kubernetes Secret
  # (via whatever secret/envFrom mechanism this chart offers, or a secrets
  # operator) rather than from a committed values file; treat the current
  # value as compromised once rotated.
  HEADSCALE_OIDC_CLIENT_SECRET: "dPW8Q~1rctY-D0Ih.A1-1KqLl0uj1rX_ixNTcbrh"
  # -- Node IPv4 prefixes
  HEADSCALE_PREFIXES_V4: "100.64.0.0/10"
  # -- Node IPv6 prefixes
  HEADSCALE_PREFIXES_V6: "fd7a:115c:a1e0::/48"
  # -- List of DNS servers to expose to clients.
  # Space-separated; both entries are public resolvers, so client DNS queries
  # leave the tailnet (MagicDNS names are still answered by headscale).
  HEADSCALE_DNS_NAMESERVERS_GLOBAL: "1.1.1.1 1.0.0.1"
  # -- Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
  HEADSCALE_DNS_MAGIC_DNS: "true"
  # -- DERP relay map. This points at Tailscale's public relays, so relayed
  # (non-direct) traffic transits third-party infrastructure; payloads remain
  # end-to-end encrypted between nodes, but availability depends on that map.
  HEADSCALE_DERP_URLS: "https://controlplane.tailscale.com/derpmap/default"
  HEADSCALE_DERP_AUTO_UPDATE_ENABLED: "true"
  HEADSCALE_DERP_UPDATE_FREQUENCY: "24h"
  # -- Ephemeral nodes are removed after this much inactivity.
  HEADSCALE_EPHEMERAL_NODE_INACTIVITY_TIMEOUT: "30m"
# Public HTTPS entry point for the control server. TLS terminates at the
# ingress; the hop from ingress to the pod is plain HTTP inside the cluster.
ingress:
  main:
    enabled: true
    className: "nginx"
    annotations:
      # Certificate is issued and renewed by cert-manager into headscale-tls.
      cert-manager.io/cluster-issuer: letsencrypt-production
      # Redirect plain-HTTP clients to HTTPS so coordination traffic and OIDC
      # callbacks never run over cleartext.
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/backend-protocol: HTTP
    hosts:
      - host: headscale.svc.oceanbox.io
        paths:
          - path: /
    tls:
      - secretName: headscale-tls
        hosts:
          - headscale.svc.oceanbox.io
# Persistent volume mounted at /etc/headscale. With the postgresql subchart
# disabled this presumably also holds headscale's SQLite database (node keys
# and state), so the volume must be backed up and access-controlled like any
# other secret-bearing storage — confirm against the chart's defaults.
persistence:
  config:
    enabled: true
    mountPath: /etc/headscale
    # Keep the PVC when the release is uninstalled (chart-defined semantics;
    # verify in the chart docs before relying on it for data retention).
    retain: true
    # storageClass: ""
    # accessMode: ReadWriteOnce
    # size: 1Gi
# -- Enable and configure postgresql database subchart under this key.
# For more options see [postgresql chart documentation](https://github.com/bitnami/charts/tree/main/bitnami/postgresql)
# @default -- See [values.yaml](./values.yaml)
postgresql:
  # Subchart is off, so the values below are inert today.
  enabled: false
  auth:
    database: headscale
    # NOTE(review): placeholder password. Inert while enabled is false, but if
    # the subchart is ever turned on this must not ship as-is: point the
    # subchart at a pre-created Secret (e.g. bitnami's auth.existingSecret)
    # instead of committing a password here.
    postgresPassword: changeme
  primary:
    persistence:
      # No PVC for the database: data would be lost on pod restart if enabled.
      enabled: false
      # storageClass: ""
      # size: 8Gi
# Prometheus Operator ServiceMonitor scraping headscale's metrics endpoint.
serviceMonitor:
  main:
    # -- Enables or disables the serviceMonitor.
    enabled: true
    # -- Configures the endpoints for the serviceMonitor.
    # @default -- See [values.yaml](./values.yaml)
    endpoints:
      # Scraped over plain HTTP on the in-cluster "metrics" port; keep that
      # port off the public ingress, since the metrics listener is separate
      # from the user-facing API and is not behind the OIDC login.
      - port: metrics
        scheme: http
        path: /metrics
        interval: 30s
        scrapeTimeout: 10s
# ConfigMaps rendered into the pod: the ACL policy (HuJSON, so // comments and
# trailing commas are allowed) and the extra DNS records served via MagicDNS.
configMaps:
  acl:
    enabled: true
    data:
      policy: |
        {
          // groups are collections of users having a common scope. A user can be in multiple groups
          // groups cannot be composed of groups
          // Members are OIDC identities (emails). "system-tos" is not an email;
          // presumably a locally created user — confirm it resolves, otherwise
          // the admin group silently has one member fewer than intended.
          "groups": {
            "group:admin": [
              "jonas.juselius@oceanbox.io",
              "moritz.jorg@oceanbox.io",
              "system-tos",
            ],
            "group:devops": [
              "jonas.juselius@oceanbox.io",
              "moritz.jorg@oceanbox.io",
              "stig.r.jensen@oceanbox.io",
              "radovan.bast@oceanbox.io",
              "simen.kirkvik@oceanbox.io",
              "Ole.Tytlandsvik@tromso.serit.no",
            ],
            "group:oceanographer": [
              "frank.gaardsted@oceanbox.io",
              "ole.anders.nost@oceanbox.io",
              "helge.avlesen@oceanbox.io",
              "isabella.rosso@oceanbox.io",
              "jonathan.lilly@oceanbox.io",
            ],
            "group:manager": [
              "svenn.hanssen@oceanbox.io",
              "hilde.iversen@oceanbox.io",
            ],
            // Empty groups: referenced in the rules below but grant nothing
            // until members are added.
            "group:dev": [],
            "group:intern": [],
          },
          // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
          // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
          // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
          // Only admins may tag nodes, so non-admins cannot claim server roles.
          "tagOwners": {
            "tag:k8s": [ "group:admin" ],
            "tag:hpc": [ "group:admin" ],
          },
          // hosts should be defined using its IP addresses and a subnet mask.
          // to define a single host, use a /32 mask. You cannot use DNS entries here,
          // as they're prone to be hijacked by replacing their IP addresses.
          // see https://github.com/tailscale/tailscale/issues/3800 for more information.
          "hosts": {
            "ingress.ekman.tos": "10.255.241.99/32",
            "ingress.ceph.tos": "10.255.241.10/32",
            "ingress.oceanbox.tos": "10.255.241.11/32",
            "frontend.ekman.tos": "10.255.241.99/32",
            "k8s.oceanbox.tos": "10.255.241.200/32",
            "k8s.ekman.tos": "10.255.241.99/32",
            "k8s.ceph.tos": "10.255.241.29/32",
            "printer.office.tos": "10.132.46.108/32",
            "net.office.tos": "10.132.46.0/24",
            "net.dc.tos": "10.255.241.0/24",
            "net.mgmt.tos": "10.255.240.0/24"
          },
          // Rules are additive (accept-only): anything not matched is denied.
          "acls": [
            // Rule 1: everyone except interns reaches "mumindalen".
            // NOTE(review): "mumindalen" is not declared under "hosts" above, so
            // it must be a user/node name; confirm headscale resolves it. Port
            // "0" is also unusual (it is not the "*" wildcard) — verify this is
            // the intended port rather than a typo.
            {
              "action": "accept",
              "src": [
                "group:admin",
                "group:devops",
                "group:oceanographer",
                "group:manager",
                "group:dev",
              ],
              "dst": [ "mumindalen:0" ]
            },
            // Rule 2: admins get every port on the DC, management and office
            // subnets. Deliberately broad; review membership of group:admin
            // together with this rule.
            {
              "action": "accept",
              "src": [ "group:admin" ],
              "dst": [
                "net.dc.tos:*",
                "net.mgmt.tos:*",
                "net.office.tos:*",
              ]
            },
            // Rule 3: devops reach the Kubernetes API endpoints only.
            {
              "action": "accept",
              "src": [ "group:devops" ],
              "dst": [
                "k8s.oceanbox.tos:6443",
                "k8s.ekman.tos:4443",
              ]
            },
            // Rule 4: HTTPS ingresses, the office printer (IPP) and SSH on two
            // specific hosts. 10.255.241.100/32 has no entry under "hosts";
            // giving it a name would make this rule easier to audit.
            {
              "action": "accept",
              "src": [
                "group:admin",
                "group:devops",
                "group:oceanographer",
                "group:manager",
                "group:dev",
              ],
              "dst": [
                "ingress.oceanbox.tos:443",
                "ingress.ekman.tos:443",
                "printer.office.tos:631",
                "10.255.241.99/32:22",
                "10.255.241.100/32:22",
              ]
            },
            // Rule 5: node-to-node traffic within the first /24 of the tailnet
            // range and use of exit nodes for internet-bound traffic.
            // NOTE(review): "100.64.0.1/24" has host bits set; the network
            // address is 100.64.0.0/24. Confirm the policy parser accepts it
            // and that the /24 (not the whole 100.64.0.0/10) is intended.
            {
              "action": "accept",
              "src": [
                "group:admin",
                "group:devops",
                "group:oceanographer",
                "group:manager",
                "group:dev",
              ],
              "dst": [
                "100.64.0.1/24:*",
                "autogroup:internet:*",
              ]
            },
          ]
        }
  dns:
    enabled: true
    data:
      # Extra A records answered by MagicDNS for every node. All names resolve
      # to the three ingress IPs declared in the ACL "hosts" above; reachability
      # is still governed by the ACL rules, not by the presence of a record.
      # NOTE(review): "huble.ob-ceph.local" and "sorcrerer.ekman.oceanbox.io"
      # look like misspellings of "hubble" / "sorcerer" (cf. the
      # "stig-sorcerer" entry); they are left as-is here since they are live
      # record names — fix in a separate change if they are indeed typos.
      records: |
        [
          { "name": "maps.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "atlantis.beta.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "auth.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "keycloak.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "grafana.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "prometheus.adm.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "alertmanager.adm.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "argocd.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "hubble.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "plausible.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "rabbitmq.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "openfga.srv.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "rabbitmq.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "yolo-registry.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "openfga.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "argocd.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "prometheus.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "alertmanager.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "grafana.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "slurmrestd.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "sorcrerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "dashboard.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "grafana.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "s3.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "prometheus.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "alertmanager.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "huble.ob-ceph.local", "type": "A", "value": "10.255.241.10" },
          { "name": "stig-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "stig-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" },
          { "name": "jonas-atlantis.dev.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "jonas-sorcerer.ekman.oceanbox.io", "type": "A", "value": "10.255.241.99" }
        ]