Headscale

products/headscale/admin.tf

@@ -1,18 +1,23 @@
 module "admin" {
-  source       = "../../docker/service"
+  source                = "../../docker/service"
-  image        = var.admin_image
+  image                 = var.admin_image
-  service_name = "admin"
+  service_name          = "admin"
-  stack_name   = var.stack_name
+  stack_name            = var.stack_name
-  volumes = {
+  configs               = { "/etc/headscale/config.yaml" = yamlencode(local.config) }
-    "headscale-config" = "/var/lib/headscale"
-  }
-  networks        = [module.network]
-  converge_enable = false
-  traefik = {
-    domain = var.domain
-    ssl    = true
-    rule   = "Host(`${var.domain}`) && PathPrefix(`/admin`)"
-    port   = 80
-  }
   placement_constraints = var.placement_constraints
+  networks              = [module.network]
+  converge_enable       = false
+  ports                 = [{ container = 80 }]
+  traefik = {
+    domain  = var.domain
+    ssl     = true
+    non-ssl = true
+    rule    = "Host(`${var.domain}`) && PathPrefix(`/manager`)"
+    port    = 80
+  }
+  labels = {
+    #"traefik.http.middlewares.stripprefix.stripprefix.prefixes" = "/manager"
+    #"traefik.http.routers.headscale-admin-ssl.middlewares"      = "stripprefix"
+
+  }
 }

products/headscale/build/Dockerfile

@@ -0,0 +1,9 @@
+FROM alpine:3.18 AS headscale-alpine
+RUN apk add --no-cache \
+      ca-certificates \
+      bash
+ENTRYPOINT ["/usr/bin/headscale"]
+CMD ["/usr/bin/headscale", "serve"]
+COPY --from=headscale/headscale:stable /ko-app/headscale /usr/bin/headscale
+RUN chmod +x /usr/bin/headscale && \
+    headscale version

products/headscale/config.tf

@@ -1,6 +1,6 @@
 locals {
   config = {
-    server_url          = "https://${var.domain}"
+    server_url          = "http://${var.domain}"
     listen_addr         = "0.0.0.0:8080"
     metrics_listen_addr = "0.0.0.0:9090"
     grpc_listen_addr    = "0.0.0.0:50443"
@@ -9,10 +9,11 @@ locals {
     noise = {
       private_key_path = "/var/lib/headscale/noise_private.key"
     }
-    ip_prefixes = [
+    prefixes = {
-      #"fd7a:115c:a1e0::/48",
+      #v6 = "fd7a:115c:a1e0::/48"
-      "100.64.0.0/10",
+      v4         = "100.64.0.0/10"
-    ]
+      allocation = "sequential"
+    }
     derp = {
       server = {
         enabled          = false
@@ -33,12 +34,16 @@ locals {
     node_update_check_interval        = "10s"
 
     # Database bits
-    db_type = "postgres"
+    database = {
-    db_host = module.postgres.service_name
+      type = "postgres"
-    db_port = "5432"
+      postgres = {
-    db_name = module.postgres.database
+        host = module.postgres.service_name
-    db_user = module.postgres.username
+        port = 5432
-    db_pass = module.postgres.password
+        name = module.postgres.database
+        user = module.postgres.username
+        pass = module.postgres.password
+      }
+    }
 
     # Lets encrypt bits
     #acme_url = "https://acme-v02.api.letsencrypt.org/directory"
@@ -57,14 +62,15 @@ locals {
     }
 
     # ACL
-    acl_policy_path = ""
+    policy = {
+      path = ""
+    }
 
     # DNS
-    dns_config = {
+    dns = {
-      override_local_dns = true
+      nameservers = ["1.1.1.1"]
-      nameservers        = ["1.1.1.1"]
+      magic_dns   = true
-      magic_dns          = true
+      base_domain = "ts.${var.domain}"
-      base_domain        = var.domain
     }
 
     unix_socket            = "/var/run/headscale.sock"

products/headscale/headscale.tf

@@ -1,22 +1,19 @@
 module "headscale" {
-  source       = "../../docker/service"
+  source                = "../../docker/service"
-  image        = var.image
+  image                 = "matthewbaggett/headscale-alpine:latest"
-  service_name = "headscale"
+  service_name          = "headscale"
-  stack_name   = var.stack_name
+  stack_name            = var.stack_name
-  volumes = {
+  volumes               = { "headscale-config" = "/var/lib/headscale" }
-    "headscale-config" = "/var/lib/headscale"
+  configs               = { "/etc/headscale/config.yaml" = yamlencode(local.config) }
-  }
+  networks              = [module.network]
-  configs = {
+  converge_enable       = false
-    "/etc/headscale/config.yaml" = yamlencode(local.config)
+  command               = ["headscale", "serve"]
-  }
+  placement_constraints = var.placement_constraints
-  networks        = [module.network]
+  ports                 = [{ container = 9090 }, { container = 8080 }]
-  converge_enable = false
-  command         = ["headscale", "serve"]
   traefik = {
     domain = var.domain
     ssl    = true
-    rule   = "Host(`${var.domain}`) && !PathPrefix(`/admin`)"
+    rule   = "Host(`${var.domain}`) && !PathPrefix(`/manager`)"
     port   = 8080
   }
-  placement_constraints = var.placement_constraints
 }

products/headscale/inputs.tf

@@ -4,7 +4,7 @@ variable "image" {
 }
 variable "admin_image" {
   description = "The headscale admin image to deploy"
-  default     = "goodieshq/headscale-admin:0.1.7b"
+  default     = "simcu/headscale-ui"
 }
 variable "stack_name" {
   description = "The name of the stack"

products/headscale/outputs.tf

@@ -0,0 +1,9 @@
+output "postgres" {
+  value = module.postgres.endpoint
+}
+output "auth" {
+  value = {
+    username = random_pet.user.id
+    password = nonsensitive(random_password.password.result)
+  }
+}

products/headscale/postgres.tf

@@ -1,6 +1,5 @@
 module "postgres" {
   source                = "../postgres"
-  postgres_version      = "16"
   stack_name            = var.stack_name
   networks              = [module.network]
   placement_constraints = var.placement_constraints

products/headscale/secrets.tf

@@ -0,0 +1,12 @@
+resource "random_pet" "user" {
+  length    = 2
+  separator = ""
+}
+resource "random_password" "password" {
+  length  = 32
+  special = true
+}
+resource "random_password" "key" {
+  length  = 32
+  special = false
+}