manifests/values/headscale-router/values/values.yaml
# -- Headscale control-plane image; `tag` pins the deployed release and is
# bumped deliberately rather than tracking a floating tag.
image:
  repository: ghcr.io/juanfont/headscale
  pullPolicy: IfNotPresent
  tag: v0.27.1
# -- Container arguments: run the headscale server.
args: [ "serve" ]
# -- Environment passed to the headscale container. Every value is a quoted
# string on purpose: env vars are strings, and an unquoted true/false would be
# retyped as a YAML boolean.
env:
  HEADSCALE_DNS_BASE_DOMAIN: "relay.obx"
  # HACK: Workaround for fortigate block of WG udp port
  HEADSCALE_RANDOMIZE_CLIENT_PORT: "true"
  HEADSCALE_OIDC_ONLY_START_IF_OIDC_IS_AVAILABLE: "true"
  HEADSCALE_OIDC_ISSUER: "https://login.microsoftonline.com/3f737008-e9a0-4485-9d27-40329d288089/v2.0"
  HEADSCALE_OIDC_CLIENT_ID: "688e9096-f140-4498-a46a-e3d1939184de"
  # NOTE(review): the OIDC client secret is stored in plain text in this
  # committed values file, so it is now part of VCS history. Rotate it at the
  # issuer above and inject it from a Kubernetes Secret instead of keeping the
  # literal here.
  HEADSCALE_OIDC_CLIENT_SECRET: "wms8Q~RC7xyAmIoocVe.gIFGpJw-Odmtep0ZObDn"
  # -- Split DNS for obx and ts.obx. The block scalar is a JSON object mapping
  # a domain to its resolvers; only `obx` is listed, so ts.obx is presumably
  # covered as a subdomain — confirm against the headscale DNS config.
  HEADSCALE_DNS_NAMESERVERS_SPLIT: |
    {
      "obx": [ "10.255.241.210" ]
    }
  # -- Node IPv4 prefixes
  HEADSCALE_PREFIXES_V4: "100.64.0.0/10"
  # -- Node IPv6 prefixes
  HEADSCALE_PREFIXES_V6: "fd7a:115c:a1e0::/48"
  # -- Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
  HEADSCALE_DNS_MAGIC_DNS: "true"
  # -- List of DNS servers to expose to clients.
  HEADSCALE_DNS_NAMESERVERS_GLOBAL: "1.1.1.1 1.0.0.1"
  # -- DERP relay map is fetched from Tailscale's public endpoint (third-party
  # infrastructure) and refreshed on the interval below.
  HEADSCALE_DERP_URLS: "https://controlplane.tailscale.com/derpmap/default"
  HEADSCALE_DERP_AUTO_UPDATE_ENABLED: "true"
  HEADSCALE_DERP_UPDATE_FREQUENCY: "24h"
  HEADSCALE_EPHEMERAL_NODE_INACTIVITY_TIMEOUT: "30m"
# -- Public ingress for the headscale control plane. TLS is issued by
# cert-manager via the cluster issuer below and terminated at the nginx
# ingress; `ssl-redirect` forces HTTPS, and `backend-protocol: HTTP` means the
# hop from the ingress to the pod is plain HTTP inside the cluster.
ingress:
  main:
    enabled: true
    className: "nginx"
    annotations:
      cert-manager.io/cluster-issuer: letsencrypt-production
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/backend-protocol: HTTP
    hosts:
      - host: headscale-router.adm.oceanbox.io
        paths:
          - path: /
    tls:
      - secretName: headscale-router-tls
        hosts:
          - headscale-router.adm.oceanbox.io
# -- Persistent volume mounted at /etc/headscale. `retain: true` presumably
# keeps the claim when the release is removed — confirm against the chart.
# The commented keys are optional overrides left at chart defaults.
persistence:
  config:
    enabled: true
    mountPath: /etc/headscale
    retain: true
    # storageClass: ""
    # accessMode: ReadWriteOnce
    # size: 1Gi
# -- Enable and configure postgresql database subchart under this key.
# @default -- See [values.yaml](./values.yaml)
# NOTE(review): the subchart is disabled, so the `changeme` placeholder is
# currently inert; replace it with a Secret-backed value before setting
# `enabled: true`, since anything left here is committed in plain text.
postgresql:
  enabled: false
  auth:
    database: headscale
    postgresPassword: changeme
  primary:
    persistence:
      enabled: false
      # storageClass: ""
      # size: 8Gi
# -- Prometheus Operator ServiceMonitor scraping headscale's `metrics` port
# over plain HTTP every 30s.
serviceMonitor:
  main:
    # -- Enables or disables the serviceMonitor.
    enabled: true
    # -- Configures the endpoints for the serviceMonitor.
    # @default -- See [values.yaml](./values.yaml)
    endpoints:
      - port: metrics
        scheme: http
        path: /metrics
        interval: 30s
        scrapeTimeout: 10s
# -- Extra ConfigMaps for the pod. Both payloads are YAML block scalars, so
# their contents — including the `//` lines inside the policy — are data that
# headscale parses, not YAML comments.
configMaps:
  acl:
    enabled: true
    data:
      # NOTE(review): the policy is written as HuJSON (comments, trailing
      # commas). Every "acls" rule lists "*:*" in "dst", so the named dst
      # entries are redundant and each listed src (the routers, the dc.*
      # subnets and group:admin) can reach every node on every port; the last
      # rule additionally grants group:admin "*:*". Tighten the dst lists if
      # that breadth is not intended. Hosts are CIDRs rather than DNS names,
      # as the inline note explains.
      policy: |
        {
          "groups": {
            "group:admin": [
              "jonas.juselius@oceanbox.io",
              "Moritz.Jorg@oceanbox.io",
              "simen.kirkvik@oceanbox.io",
              "stig.r.jensen@oceanbox.io",
              "system@"
            ],
          },
          "tagOwners": {
            "tag:k8s": [ "group:admin" ],
            "tag:hpc": [ "group:admin" ],
            "tag:tos-router": [ "group:admin" ],
            "tag:vtn-router": [ "group:admin" ],
            // "tag:hel1-router": [ "group:admin" ],
            "tag:mumindalen": [ "group:admin" ],
            "tag:ekman": [ "group:admin" ],
            "tag:rossby": [ "group:admin" ],
          },
          // hosts should be defined using its IP addresses and a subnet mask.
          // to define a single host, use a /32 mask. You cannot use DNS entries here,
          // as they're prone to be hijacked by replacing their IP addresses.
          // see https://github.com/tailscale/tailscale/issues/3800 for more information.
          "hosts": {
            "office.tos.net": "10.132.46.0/24",
            "dc.tos.net": "10.255.241.0/24",
            "100gbe.tos.net": "10.255.244.0/24",
            "mgmt.tos.net": "10.255.240.0/24",
            "dc.vtn.net": "172.16.239.0/24",
            "mgmt.vtn.net": "172.16.238.0/24",
            // "dc.hel1.net": "10.0.1.0/24",
          },
          "acls": [
            {
              "action": "accept",
              "src": [
                "tag:tos-router",
                "dc.tos.net",
                "group:admin",
              ],
              "dst": [
                "tag:vtn-router:*",
                "dc.vtn.net:*",
                // "tag:hel1-router:*",
                // "dc.hel1.net:*",
                "*:*",
              ]
            },
            {
              "action": "accept",
              "src": [
                "tag:vtn-router",
                "dc.vtn.net",
                "group:admin",
              ],
              "dst": [
                "tag:tos-router:*",
                "dc.tos.net:*",
                // "tag:hel1-router:*",
                // "dc.hel1.net:*",
                "*:*",
              ]
            },
            // {
            //   "action": "accept",
            //   "src": [
            //     "tag:hel1-router",
            //     "dc.hel1.net",
            //     "group:admin",
            //   ],
            //   "dst": [
            //     "tag:tos-router:*",
            //     "tag:vtn-router:*",
            //     "dc.tos.net:*",
            //     "dc.vtn.net:*",
            //     "*:*",
            //   ]
            // },
            {
              "action": "accept",
              "src": [ "group:admin", ],
              "dst": [ "*:*", ]
            },
          ]
        }
  dns:
    enabled: true
    data:
      # -- Static A records pushed to clients; every entry currently resolves
      # to 10.255.241.11.
      records: |
        [
          { "name": "auth.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "auth.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "keycloak.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "grafana.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "prometheus.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "alertmanager.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "argocd.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "hubble.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "umami.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" },
          { "name": "dapr.adm.oceanbox.io", "type": "A", "value": "10.255.241.11" }
        ]