From 0f90778b532096f5d07e8652c43bff95b80b6972 Mon Sep 17 00:00:00 2001 From: lucalise Date: Sat, 14 Feb 2026 21:54:06 -0800 Subject: [PATCH] refactor!: deploy headscale
---
 nix/homelab/config.toml | 7 ++ nix/homelab/kustomize/headscale-migrate.yaml | 18 ++++ nix/homelab/kustomize/kustomization.yaml | 3 + .../networking/headscale/config.yaml | 50 +++++++++++ .../networking/headscale/headscale.yaml | 88 +++++++++++++++++++ nix/homelab/kustomize/routes.yaml | 18 +++- nix/modules/default.nix | 2 +- 7 files changed, 184 insertions(+), 2 deletions(-) create mode 100644 nix/homelab/kustomize/headscale-migrate.yaml create mode 100644 nix/homelab/kustomize/networking/headscale/config.yaml create mode 100644 nix/homelab/kustomize/networking/headscale/headscale.yaml
diff --git a/nix/homelab/config.toml b/nix/homelab/config.toml
index a77fe2d..c0cc58e 100644
--- a/nix/homelab/config.toml
+++ b/nix/homelab/config.toml
@@ -101,6 +101,13 @@ routes = [
 service = "prometheus-stack-grafana",
 port = 80,
 private = true
+ },
+ {
+ name = "mesh",
+ namespace = "networking",
+ service = "headscale",
+ port = 8080,
+ private = false
 }
 ]
diff --git a/nix/homelab/kustomize/headscale-migrate.yaml b/nix/homelab/kustomize/headscale-migrate.yaml
new file mode 100644
index 0000000..d4d20f8
--- /dev/null
+++ b/nix/homelab/kustomize/headscale-migrate.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: headscale-migrate
+ namespace: networking
+spec:
+ restartPolicy: Never
+ containers:
+ - name: migrate
+ image: nouchka/sqlite3
+ command: ["sleep", "infinity"]
+ volumeMounts:
+ - name: data
+ mountPath: /var/lib/headscale
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: headscale-data
diff --git a/nix/homelab/kustomize/kustomization.yaml b/nix/homelab/kustomize/kustomization.yaml
index ad4f1a9..489562e 100644
--- a/nix/homelab/kustomize/kustomization.yaml
+++ b/nix/homelab/kustomize/kustomization.yaml
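Review bot: `private = false` publishes the new `mesh` entry without the private-networks restriction the other routes carry, which is what Tailscale clients on the internet need to reach the coordination server, but the table entry says nothing about that choice; a one-line comment such as `# public on purpose: clients register from the internet; only port 8080 (not metrics) is routed` would keep the next reader from "fixing" it to private. If `nix/homelab/kustomize/routes.yaml` is generated from this table, the hand-edited HTTPRoute in the same commit duplicates it and one of the two should be the only source of truth; if it is not generated, the duplication itself deserves a note. The `routes` array starts before this hunk.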
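Review bot: The helper pod mounts the live headscale data volume (where the config places the SQLite database and the Noise private key) into an unpinned `nouchka/sqlite3` image that sleeps indefinitely, and nothing in the manifest says it is a one-off. Pin the image by tag or digest, e.g. `image: nouchka/sqlite3:<TAG>`, and add a header comment along the lines of `# One-off migration helper: not in kustomization.yaml, apply by hand, scale headscale to 0 first, delete when done`. Running sqlite3 against the file while headscale is serving from the same ReadWriteMany claim is a corruption risk, which is why the scale-to-zero step matters. As far as the kustomization hunk in this commit shows, the file is not listed there and so will not be applied automatically; confirm that is intended.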
@@ -15,3 +15,6 @@ resources:
 - ./media/radarr.yaml
 - ./media/qbittorrent.yaml
 - ./media/flaresolverr.yaml
+
+ - ./networking/headscale/config.yaml
+ - ./networking/headscale/headscale.yaml
diff --git a/nix/homelab/kustomize/networking/headscale/config.yaml b/nix/homelab/kustomize/networking/headscale/config.yaml
new file mode 100644
index 0000000..5a21336
--- /dev/null
+++ b/nix/homelab/kustomize/networking/headscale/config.yaml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: headscale-config
+ namespace: networking
+data:
+ acl.json: |
+ {
+ "tagOwners": {
+ "tag:personal": ["lucalise@"],
+ },
+ "acls": [
+ {"action": "accept", "src": ["tag:personal"], "dst": ["tag:personal:*"]},
+ {"action": "accept", "src": ["tag:personal"], "dst": ["autogroup:internet:*"]},
+ {"action": "accept", "src": ["tag:personal"], "dst": ["192.168.15.0/27:*", "192.168.27.0/24:*", "192.168.20.0/26:*"]}
+ ]
+ }
+ config.yaml: |
+ server_url: https://mesh.lucalise.ca
+ listen_addr: 0.0.0.0:8080
+ metrics_listen_addr: 0.0.0.0:9090
+
+ noise:
+ private_key_path: /var/lib/headscale/noise_private.key
+
+ prefixes:
+ v4: 10.100.0.0/24
+ v6: fd7a:115c:a1e0::/48
+
+ database:
+ type: sqlite3
+ sqlite:
+ path: /var/lib/headscale/db.sqlite
+ policy:
+ path: /etc/headscale/acl.json
+
+ dns:
+ override_local_dns: false
+ base_domain: m.net
+
+ derp:
+ server:
+ enabled: false
+ urls:
+ - https://controlplane.tailscale.com/derpmap/default
+ auto_update_enabled: true
+ update_frequency: 24h
+
+ log:
+ level: info
diff --git a/nix/homelab/kustomize/networking/headscale/headscale.yaml b/nix/homelab/kustomize/networking/headscale/headscale.yaml
new file mode 100644
index 0000000..71c8caf
--- /dev/null
+++ b/nix/homelab/kustomize/networking/headscale/headscale.yaml
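Review bot: `acl.json` is HuJSON rather than JSON: the trailing comma after `"tag:personal": ["lucalise@"],` is accepted by headscale's policy loader but rejected by any plain JSON validator a CI step might run, so either drop the comma or name the key `acl.hujson` so the lenient format is explicit. The three `192.168.x.0` destinations in the last ACL rule are unexplained, and `autogroup:internet:*` is the exit-node grant; a YAML comment above the `acl.json: |` key such as `# acl.json dst subnets: 192.168.15.0/27 = <name>, 192.168.27.0/24 = <name>, 192.168.20.0/26 = <name>` would make the grants auditable. `base_domain: m.net` sits under a real public TLD, so if MagicDNS is on, node names like `<host>.m.net` shadow any real `m.net` name for the clients; a domain you own or a reserved one is safer.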
@@ -0,0 +1,88 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: headscale-data
+ namespace: networking
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: headscale
+ namespace: networking
+ labels:
+ app: headscale
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: headscale
+ template:
+ metadata:
+ labels:
+ app: headscale
+ spec:
+ containers:
+ - name: headscale
+ image: docker.io/headscale/headscale
+ command: ["headscale", "serve"]
+ ports:
+ - containerPort: 8080
+ name: http
+ - containerPort: 9090
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 512m
+ memory: 1Gi
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ volumeMounts:
+ - name: headscale-data
+ mountPath: /var/lib/headscale
+ - name: headscale-config
+ mountPath: /etc/headscale/config.yaml
+ subPath: config.yaml
+ - name: headscale-config
+ mountPath: /etc/headscale/acl.json
+ subPath: acl.json
+ volumes:
+ - name: headscale-data
+ persistentVolumeClaim:
+ claimName: headscale-data
+ - name: headscale-config
+ configMap:
+ name: headscale-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: headscale
+ namespace: networking
+ labels:
+ app: headscale
+spec:
+ selector:
+ app: headscale
+ ports:
+ - port: 8080
+ targetPort: http
+ protocol: TCP
+ name: http
diff --git a/nix/homelab/kustomize/routes.yaml b/nix/homelab/kustomize/routes.yaml
index c228458..32789ac 100644
--- a/nix/homelab/kustomize/routes.yaml
+++ b/nix/homelab/kustomize/routes.yaml
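Review bot: The Deployment sets no `strategy`, so the default RollingUpdate can run a new headscale pod beside the old one during a rollout, and both would open the same `db.sqlite` on the ReadWriteMany claim; with `database.type: sqlite3` that is a corruption risk, so add `strategy:` / `  type: Recreate` under the Deployment's `spec:`. `image: docker.io/headscale/headscale` has no tag, so every pull tracks `latest` and may apply a schema migration to that database unannounced; pin it, e.g. `image: docker.io/headscale/headscale:<VERSION>`. Both ConfigMap entries are mounted with `subPath`, which means edits to `acl.json` or `config.yaml` never reach the running container until it is restarted; a comment on the mounts such as `# subPath mounts do not refresh; roll the pod after ConfigMap changes` would save a debugging session. Minor: `- containerPort: 9090` lacks a `name:` while 8080 has one (`name: metrics` keeps them consistent), and the container has no `securityContext`, which deserves a conscious decision given the key material on the volume.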
@@ -277,4 +277,20 @@ spec:
 extensionRef:
 group: traefik.io
 kind: Middleware
- name: private-networks
\ No newline at end of file
+ name: private-networks
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: mesh
+ namespace: networking
+spec:
+ parentRefs:
+ - name: traefik-gateway
+ namespace: kube-system
+ hostnames:
+ - mesh.lucalise.ca
+ rules:
+ - backendRefs:
+ - name: headscale
+ port: 8080
\ No newline at end of file
diff --git a/nix/modules/default.nix b/nix/modules/default.nix
index 2870ea4..5500617 100644
--- a/nix/modules/default.nix
+++ b/nix/modules/default.nix
@@ -22,6 +22,6 @@
 ./mounts.nix
 ./nfs-mesh.nix
 ./rust.nix
-./networking/wireguard-mesh.nix
+# ./networking/wireguard-mesh.nix
 ];
 }
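Review bot: The `mesh` HTTPRoute carries no `private-networks` filter, so everything headscale serves on port 8080 under `mesh.lucalise.ca` becomes reachable from the internet, including the REST management API under `/api/v1/` that is guarded only by API keys; the Tailscale client endpoints must be public, but the management API need not be. If the `private-networks` Middleware exists in (or is reachable from) the `networking` namespace, a second rule can keep `/api/` behind it while the catch-all stays public, as sketched below; confirm the path prefix against the headscale version you pin. The new file also still ends with `\ No newline at end of file`; add the trailing newline. The HTTPRoute preceding this one starts before the hunk.
```yaml
  rules:
    # Management API: private networks only, like the other routes in this file
    - matches:
        - path:
            type: PathPrefix
            value: /api/
      filters:
        - type: ExtensionRef
          extensionRef:
            group: traefik.io
            kind: Middleware
            name: private-networks
      backendRefs:
        - name: headscale
          port: 8080
    # Everything else (client registration / Noise endpoints) must stay internet-reachable
    - backendRefs:
        - name: headscale
          port: 8080
```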
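Review bot: Commenting out `./networking/wireguard-mesh.nix` leaves a dead line with no explanation; git history already preserves the import, so either delete it or state why it is kept, e.g. `# ./networking/wireguard-mesh.nix  (replaced by headscale, see nix/homelab/kustomize/networking/headscale)`. That replacement is presumably what makes this commit `refactor!`, yet the breaking nature is not spelled out anywhere in the patch; a sentence in the commit body would help whoever rebuilds a host and finds the wireguard mesh gone.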