diff --git a/_apps/headscale.yaml b/_apps/headscale.yaml
new file mode 100644
index 0000000..4c3bc62
--- /dev/null
+++ b/_apps/headscale.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: headscale
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: headscale
+ server: https://kubernetes.default.svc
+ project: system
+ source:
+ path: headscale
+ repoURL: https://git.tbrnt.ch/tobru/gitops-tbrnt.git
+ targetRevision: HEAD
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: headscale
diff --git a/headscale/configmap.yaml b/headscale/configmap.yaml
new file mode 100644
index 0000000..fe20d52
--- /dev/null
+++ b/headscale/configmap.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: headscale-etc
+data:
+ config.yaml: |
+ server_url: http://headscale.tbrnt.ch
+ listen_addr: 0.0.0.0:8080
+ metrics_listen_addr: 0.0.0.0:9090
+ grpc_listen_addr: 0.0.0.0:50443
+ ip_prefixes:
+ - fd7a:115c:a1e0::/48
+ - 100.64.0.0/10
+ ephemeral_node_inactivity_timeout: 30m
+ db_type: sqlite3
+ db_path: /vol/data/db.sqlite
+ private_key_path: /vol/secret/private.key
+ derp:
+ server:
+ enabled: true
+ region_id: 999
+ region_code: "headscale"
+ region_name: "Headscale Embedded DERP"
+ stun_listen_addr: "0.0.0.0:3478"
+ urls:
+ - https://controlplane.tailscale.com/derpmap/default
+ auto_update_enabled: true
+ update_frequency: 24h
+ dns_config:
+ nameservers:
+ - 9.9.9.9
+ base_domain: vpn.tobru.ch
diff --git a/headscale/ingress.yaml b/headscale/ingress.yaml
new file mode 100644
index 0000000..387b3d7
--- /dev/null
+++ b/headscale/ingress.yaml
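Review bot: The Namespace created at the end of this hunk carries no Pod Security Admission labels, so pods in `headscale` run under whatever profile the cluster defaults to, which on most clusters is unrestricted. The workload only needs a non-privileged listener on 8080, so a label such as `pod-security.kubernetes.io/enforce: baseline` under `metadata.labels` would make the intended profile explicit; whether `restricted` fits depends on the pod securityContext, which the StatefulSet in this commit does not set. `targetRevision: HEAD` means every push to the default branch is deployed, which is presumably the intended gitops flow for this repo.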
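Review bot: `server_url: http://headscale.tbrnt.ch` hands clients a plain-http control-plane URL even though the Ingress in this same commit (headscale/ingress.yaml) terminates TLS for exactly that host; registration and API traffic should be advertised as `server_url: https://headscale.tbrnt.ch`, otherwise it either travels in clear or depends on a redirect the Ingress does not declare. The embedded DERP relay is enabled with `stun_listen_addr: "0.0.0.0:3478"`, but neither the StatefulSet container ports nor the Service expose 3478/UDP, so clients cannot reach it — either expose it or disable `derp.server`. `metrics_listen_addr` and `grpc_listen_addr` bind to 0.0.0.0 without being exposed by the Service, so they are reachable by pod IP from inside the cluster; whether that is intended is worth confirming, and a NetworkPolicy (or binding metrics to 127.0.0.1 if nothing scrapes it) would narrow it.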
@@ -0,0 +1,22 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: headscale
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+spec:
+ rules:
+ - host: headscale.tbrnt.ch
+ http:
+ paths:
+ - backend:
+ service:
+ name: headscale
+ port:
+ number: 8080
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - headscale.tbrnt.ch
+ secretName: ingress-cert
diff --git a/headscale/service.yaml b/headscale/service.yaml
new file mode 100644
index 0000000..61f83e9
--- /dev/null
+++ b/headscale/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: headscale
+ name: headscale
+spec:
+ ports:
+ - name: http
+ port: 8080
+ targetPort: http
+ selector:
+ app: headscale
diff --git a/headscale/statefulset.yaml b/headscale/statefulset.yaml
new file mode 100644
index 0000000..dcc1e50
--- /dev/null
+++ b/headscale/statefulset.yaml
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: headscale
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: headscale
+ serviceName: headscale
+ template:
+ metadata:
+ labels:
+ app: headscale
+ spec:
+ containers:
+ - command:
+ - headscale
+ - serve
+ image: ghcr.io/juanfont/headscale:0.15.0
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: GIN_MODE
+ value: release
+ livenessProbe:
+ initialDelaySeconds: 30
+ periodSeconds: 15
+ tcpSocket:
+ port: http
+ timeoutSeconds: 5
+ name: headscale
+ ports:
+ - containerPort: 8080
+ name: http
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /vol/data
+ name: data
+ - mountPath: /vol/secret
+ name: secret
+ - mountPath: /etc/headscale
+ name: etc
+ volumes:
+ - configMap:
+ name: headscale-etc
+ name: etc
+ - name: secret
+ secret:
+ secretName: headscale
+ volumeClaimTemplates:
+ - metadata:
+ name: data
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: local-path
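Review bot: The Ingress sets no `spec.ingressClassName`, so it is only picked up if the cluster has a default IngressClass; pinning it (`ingressClassName: <your-ingress-class>`) makes the exposure explicit and avoids the resource being silently ignored or claimed by an unexpected controller. Whether an http-to-https redirect applies to `headscale.tbrnt.ch` is controller-specific and not expressed here, and the ConfigMap in this commit advertises an http `server_url`, so it is worth confirming the controller actually enforces TLS for this host.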
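Review bot: The headscale container runs with no `securityContext` at pod or container level, so it gets the image's default user (root unless the image declares otherwise — not determinable from the tag alone), the full default capability set and a writable root filesystem, although it only needs to bind 8080 and write under `/vol/data`. The `resources` block is also absent, so the pod has no requests or limits. Pinning `image` by digest in addition to the tag (`ghcr.io/juanfont/headscale:0.15.0@sha256:<image-digest>`) would make the rollout reproducible and tamper-evident. The `headscale` Secret referenced by the `secret` volume is not part of this commit, so the private key is presumably provisioned out of band; documenting that in the repo would help the next maintainer. A hardened pod spec, to be adjusted if the image requires a specific UID or the data volume needs a group owner, would look like this:
```yaml
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: <non-root-uid>
        fsGroup: <non-root-gid>
        seccompProfile:
          type: RuntimeDefault
      containers:
        - command:
            # … unchanged: command, image, env, livenessProbe, name, ports, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            # confirm headscale writes only under /vol/* (its unix socket path in particular)
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          resources:
            # constructed sample values; size to observed usage
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              memory: 256Mi
      # … unchanged: volumes …
```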