diff --git a/Headscale/README.md b/Headscale/README.md
index e69de29..23ce9d4 100644
--- a/Headscale/README.md
+++ b/Headscale/README.md
@@ -0,0 +1,5 @@
+# Headscale
+Headscale is a self-hosted TailScale server. As far as I can tell, there isn't really a web frontend provided with the container image and all management actions are done on the command line
+
+## Using this kubernetes config
+Set the headscale domain name in `ingress.yml`. This config assumes you have cert-manager installed on your cluster, so if you want to provide HTTPS another way, feel free to comment out the `spec.tls` section (the annotation shouldn't affect anything, but you can comment it out as well if you want). Then look through the `config.yml` file and configure Headscale to fit your needs.
\ No newline at end of file
diff --git a/Headscale/config.yml b/Headscale/config.yml
index 5bbb2e9..75587da 100644
--- a/Headscale/config.yml
+++ b/Headscale/config.yml
@@ -15,14 +15,13 @@ data:
 #
 # https://myheadscale.example.com:443
 #
- # server_url: http://127.0.0.1:8080
- server_url: https://headscale.foxhawk.co.uk
+ server_url: http://127.0.0.1:8080
 # Address to listen to / bind to on the server
 #
 # For production:
- listen_addr: 0.0.0.0:8080
- # listen_addr: 127.0.0.1:8080
+ # listen_addr: 0.0.0.0:8080
+ listen_addr: 127.0.0.1:8080
 # Address to listen to /metrics and /debug, you may want
 # to keep this endpoint private to your internal network
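Review bot: `listen_addr: 127.0.0.1:8080` on the new side binds headscale to the pod's loopback interface, so traffic forwarded to containerPort 8080 (see deployment.yml in this diff) never reaches it; inside a container the value this hunk comments out, `listen_addr: 0.0.0.0:8080`, is the one the config's own `# For production:` comment points at. `server_url: http://127.0.0.1:8080` is only a placeholder as well: this is the URL handed to every client for the control plane and DERP, so it must be the public HTTPS URL served by the ingress host, yet the README added in this commit tells the reader to set the domain in `ingress.yml` only. I'd keep `listen_addr: 0.0.0.0:8080`, add `# must match the host configured in ingress.yml, e.g. https://headscale.<your-domain>` above `server_url`, and name `server_url` as a required edit in the README.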
@@ -207,31 +206,31 @@ data:
 # TLS for a domain with Let's Encrypt.
 #
 # URL to ACME directory
- #acme_url: https://acme-v02.api.letsencrypt.org/directory
+ acme_url: https://acme-v02.api.letsencrypt.org/directory
 # Email to register with ACME provider
- #acme_email: ""
+ acme_email: ""
 # Domain name to request a TLS certificate for:
- #tls_letsencrypt_hostname: ""
+ tls_letsencrypt_hostname: ""
 # Path to store certificates and metadata needed by
 # letsencrypt
 # For production:
- #tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+ tls_letsencrypt_cache_dir: /var/lib/headscale/cache
 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
 # See: docs/ref/tls.md for more information
- #tls_letsencrypt_challenge_type: HTTP-01
+ tls_letsencrypt_challenge_type: HTTP-01
 # When HTTP-01 challenge is chosen, letsencrypt must set up a
 # verification endpoint, and it will be listening on:
 # :http = port 80
- #tls_letsencrypt_listen: ":http"
+ tls_letsencrypt_listen: ":http"
 ## Use already defined certificates:
- #tls_cert_path: ""
- #tls_key_path: ""
+ tls_cert_path: ""
+ tls_key_path: ""
 log:
 # Valid log levels: panic, fatal, error, warn, info, debug, trace
@@ -282,7 +281,7 @@ data:
 # `base_domain` must be a FQDN, without the trailing dot.
 # The FQDN of the hosts will be
 # `hostname.base_domain` (e.g., _myhost.example.com_).
- base_domain: foxhawk.vpn
+ base_domain: example.com
 # Whether to use the local DNS settings of a node or override the local DNS
 # settings (default) and force the use of Headscale's DNS configuration.
diff --git a/Headscale/deployment.yml b/Headscale/deployment.yml
index dae7cc7..472fa57 100644
--- a/Headscale/deployment.yml
+++ b/Headscale/deployment.yml
@@ -19,7 +19,7 @@ spec:
 - serve
 resources:
 limits:
- memory: "128Mi"
+ memory: "512Mi"
 cpu: "500m"
 ports:
 - containerPort: 8080
diff --git a/Headscale/ingress.yml b/Headscale/ingress.yml
index e3eb297..b67425e 100644
--- a/Headscale/ingress.yml
+++ b/Headscale/ingress.yml
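Review bot: Uncommenting the entire ACME block makes `acme_url`, `acme_email`, `tls_letsencrypt_cache_dir`, `tls_letsencrypt_challenge_type` and `tls_letsencrypt_listen: ":http"` live settings while `tls_letsencrypt_hostname`, `tls_cert_path` and `tls_key_path` stay empty, so headscale keeps serving plain HTTP and the rest is dead configuration that invites someone to "finish" it. Finishing it cannot work in this deployment: TLS is terminated by the ingress (per the README in this diff) and the deployment hunk shows only containerPort 8080, so an HTTP-01 listener on `:http` inside the pod is unreachable, and `/var/lib/headscale/cache` is not shown to be backed by a volume. I'd leave these lines commented out as before, or add `# TLS is terminated at the ingress (cert-manager); keep tls_letsencrypt_hostname and tls_*_path empty so headscale serves plain HTTP on listen_addr` above `acme_url` so the intent is explicit.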
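Review bot: `base_domain: example.com` is a placeholder that collides with the most natural server URL a reader will pick: headscale rejects a configuration whose `server_url` hostname lies inside `base_domain` (MagicDNS would otherwise claim the control server's own name, which the hunk's comment on host FQDNs hints at), so someone who follows the README and uses `headscale.example.com` as the ingress host will hit exactly that. I'd add `# must NOT be a parent of the server_url hostname (e.g. vpn.example.com when server_url is https://headscale.example.com)` above this line and repeat the constraint in the README.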
@@ -2,9 +2,15 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: headscale
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-production"
 spec:
+ tls:
+ - hosts:
+ -
+ secret-name: headscale-tls
 rules:
- - host: headscale.foxhawk.co.uk
+ - host:
 http:
 paths:
 - pathType: Prefix
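Review bot: `secret-name: headscale-tls` is not a field of `networking.k8s.io/v1` IngressTLS — the key is `secretName` — so the API server rejects the manifest under strict field validation, or on older defaults prunes the key silently, leaving cert-manager with no Secret to issue into and the ingress serving no certificate for the host. Change it to `secretName: headscale-tls` (camelCase, consistent with `pathType` further down). The empty `-` under `hosts:` and the empty `host:` both parse as null rather than a hostname, and cert-manager derives the certificate's DNS names from `tls.hosts`, so both placeholders must carry the same FQDN; the README only mentions one domain setting. The `cert-manager.io/cluster-issuer: "letsencrypt-production"` annotation also presumes a ClusterIssuer of that exact name exists, which is worth stating alongside the cert-manager prerequisite in the README.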