refactor!: deploy headscale

2026-02-14 21:54:06 -08:00
parent dec32b9766
commit 0f90778b53
7 changed files with 184 additions and 2 deletions
--- a/nix/homelab/kustomize/headscale-migrate.yaml
+++ b/nix/homelab/kustomize/headscale-migrate.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: headscale-migrate
+  namespace: networking
+spec:
+  restartPolicy: Never
+  containers:
+    - name: migrate
+      image: nouchka/sqlite3
+      command: ["sleep", "infinity"]
+      volumeMounts:
+        - name: data
+          mountPath: /var/lib/headscale
+  volumes:
+    - name: data
+      persistentVolumeClaim:
+        claimName: headscale-data
--- a/nix/homelab/kustomize/kustomization.yaml
+++ b/nix/homelab/kustomize/kustomization.yaml
@@ -15,3 +15,6 @@ resources:
  - ./media/radarr.yaml
  - ./media/qbittorrent.yaml
  - ./media/flaresolverr.yaml
+
+  - ./networking/headscale/config.yaml
+  - ./networking/headscale/headscale.yaml
--- a/nix/homelab/kustomize/networking/headscale/config.yaml
+++ b/nix/homelab/kustomize/networking/headscale/config.yaml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: headscale-config
+  namespace: networking
+data:
+  acl.json: |
+    {
+      "tagOwners": {
+        "tag:personal": ["lucalise@"],
+      },
+      "acls": [
+        {"action": "accept", "src": ["tag:personal"], "dst": ["tag:personal:*"]},
+        {"action": "accept", "src": ["tag:personal"], "dst": ["autogroup:internet:*"]},
+        {"action": "accept", "src": ["tag:personal"], "dst": ["192.168.15.0/27:*", "192.168.27.0/24:*", "192.168.20.0/26:*"]}
+      ]
+    }
+  config.yaml: |
+    server_url: https://mesh.lucalise.ca
+    listen_addr: 0.0.0.0:8080
+    metrics_listen_addr: 0.0.0.0:9090
+    
+    noise:
+      private_key_path: /var/lib/headscale/noise_private.key
+    
+    prefixes:
+      v4: 10.100.0.0/24
+      v6: fd7a:115c:a1e0::/48
+    
+    database:
+      type: sqlite3
+      sqlite:
+        path: /var/lib/headscale/db.sqlite
+    policy:
+      path: /etc/headscale/acl.json
+    
+    dns:
+      override_local_dns: false
+      base_domain: m.net
+
+    derp:
+      server:
+        enabled: false
+      urls:
+        - https://controlplane.tailscale.com/derpmap/default
+      auto_update_enabled: true
+      update_frequency: 24h
+    
+    log:
+      level: info
--- a/nix/homelab/kustomize/networking/headscale/headscale.yaml
+++ b/nix/homelab/kustomize/networking/headscale/headscale.yaml
@@ -0,0 +1,88 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: headscale-data
+  namespace: networking
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: headscale
+  namespace: networking
+  labels:
+    app: headscale
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: headscale
+  template:
+    metadata:
+      labels:
+        app: headscale
+    spec:
+      containers:
+        - name: headscale
+          image: docker.io/headscale/headscale
+          command: ["headscale", "serve"]
+          ports:
+            - containerPort: 8080
+              name: http
+            - containerPort: 9090
+          resources:
+            requests:
+              cpu: 100m
+              memory: 256Mi
+            limits:
+              cpu: 512m
+              memory: 1Gi 
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          volumeMounts:
+            - name: headscale-data
+              mountPath: /var/lib/headscale
+            - name: headscale-config
+              mountPath: /etc/headscale/config.yaml
+              subPath: config.yaml
+            - name: headscale-config
+              mountPath: /etc/headscale/acl.json
+              subPath: acl.json
+      volumes:
+        - name: headscale-data
+          persistentVolumeClaim:
+            claimName: headscale-data
+        - name: headscale-config
+          configMap:
+            name: headscale-config
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: headscale
+  namespace: networking
+  labels:
+    app: headscale
+spec:
+  selector:
+    app: headscale
+  ports:
+    - port: 8080
+      targetPort: http
+      protocol: TCP
+      name: http
--- a/nix/homelab/kustomize/routes.yaml
+++ b/nix/homelab/kustomize/routes.yaml
@@ -277,4 +277,20 @@ spec:
          extensionRef:
            group: traefik.io
            kind: Middleware
-            name: private-networks
+            name: private-networks
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: mesh
+  namespace: networking
+spec:
+  parentRefs:
+    - name: traefik-gateway
+      namespace: kube-system
+  hostnames:
+    - mesh.lucalise.ca
+  rules:
+    - backendRefs:
+        - name: headscale
+          port: 8080