fix(headscale): Drop exit node in favor of opnsense, disable stun

Author: eaglesemanation

k8s/apps/network/headscale/acl.jsonc

@@ -5,7 +5,7 @@
         ],
         "group:internal": [
             "eaglesemanation@",
-            "laser532@"
+            "laser532@",
         ],
     },
     "tagOwners": {
@@ -27,12 +27,14 @@
             "dst": [
                 "tag:exit-node:*",
                 "autogroup:internet:*",
+                "${SVC_DNS_ADDR}:53",
+                "${SVC_INGRESS_INTERNAL_ADDR}:80,443",
             ],
         },
         {
             "action": "accept",
             "src": [
-                "group:internal"
+                "group:internal",
             ],
             "dst": [
                 "${LOCAL_CIDR}:*",

k8s/apps/network/headscale/config.yaml

@@ -70,7 +70,7 @@ derp:
   server:
     # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
     # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
-    enabled: true
+    enabled: false
 
     # Region ID to use for the embedded DERP server.
     # The local DERP prevails if the region ID collides with other region ID coming from
@@ -81,6 +81,9 @@ derp:
     region_code: "headscale"
     region_name: "Headscale Embedded DERP"
 
+    # Only allow clients associated with this server access
+    verify_clients: true
+
     # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
     # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
     #
@@ -122,7 +125,7 @@ derp:
   auto_update_enabled: true
 
   # How often should we check for DERP updates?
-  update_frequency: 24h
+  update_frequency: 3h
 
 # Disables the automatic check for headscale updates on startup
 disable_check_updates: true
@@ -263,6 +266,10 @@ dns:
   # `hostname.base_domain` (e.g., _myhost.example.com_).
   base_domain: ts.${CLUSTER_DOMAIN}
 
+  # Whether to use the local DNS settings of a node or override the local DNS
+  # settings (default) and force the use of Headscale's DNS configuration.
+  override_local_dns: true
+
   # List of DNS servers to expose to clients.
   nameservers:
     global:

k8s/apps/network/headscale/deployment.k8s.yaml

@@ -130,57 +130,3 @@ spec:
           emptyDir: {}
         - name: home-local
           emptyDir: {}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: tailscale-exit-node
-  namespace: headscale
-  labels:
-    app.kubernetes.io/name: tailscale
-    app.kubernetes.io/instance: tailscale-exit-node
-spec:
-  strategy:
-    type: Recreate
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: tailscale
-      app.kubernetes.io/instance: tailscale-exit-node
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: tailscale
-        app.kubernetes.io/instance: tailscale-exit-node
-    spec:
-      serviceAccountName: tailscale-exit-node
-      containers:
-        - name: tailscale
-          image: ghcr.io/tailscale/tailscale:v1.90.6
-          env:
-            - name: TS_USERSPACE
-              value: "0"
-            - name: TS_ROUTES
-              value: "${LOCAL_CIDR}"
-            - name: TS_EXTRA_ARGS
-              value: "--advertise-tags=tag:exit-node --advertise-exit-node --login-server=https://headscale.${CLUSTER_DOMAIN}"
-            - name: TS_KUBE_SECRET
-              value: tailscale-exit-node-state
-            - name: TS_HOSTNAME
-              value: "emnt-k8s"
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: POD_UID
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.uid
-          envFrom:
-            - secretRef:
-                name: tailscale-exit-node
-          securityContext:
-            privileged: true
-          resources:
-            limits:
-              squat.ai/tun: 1

k8s/apps/network/headscale/exit-node-sa.k8s.yaml

@@ -28,35 +28,3 @@ spec:
                 name: headscale-ui
                 port:
                   name: web
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/traefik.io/ingressrouteudp_v1alpha1.json
-apiVersion: traefik.io/v1alpha1
-kind: IngressRouteUDP
-metadata:
-  name: headscale-stun-external
-  namespace: headscale
-  annotations:
-    kubernetes.io/ingress.class: ingress-external-traefik
-spec:
-  entryPoints:
-    - stun
-  routes:
-    - services:
-        - name: headscale
-          port: stun
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/traefik.io/ingressrouteudp_v1alpha1.json
-apiVersion: traefik.io/v1alpha1
-kind: IngressRouteUDP
-metadata:
-  name: headscale-stun-internal
-  namespace: headscale
-  annotations:
-    kubernetes.io/ingress.class: ingress-internal-traefik
-spec:
-  entryPoints:
-    - stun
-  routes:
-    - services:
-        - name: headscale
-          port: stun

k8s/apps/network/headscale/ingress.k8s.yaml

@@ -7,7 +7,6 @@ resources:
   - svc.k8s.yaml
   - ingress.k8s.yaml
   - secrets.sops.yaml
-  - exit-node-sa.k8s.yaml
 configMapGenerator:
   - name: headscale-config
     namespace: headscale

k8s/apps/network/headscale/kustomization.yaml

@@ -4,84 +4,40 @@ metadata:
     name: headscale
     namespace: headscale
 stringData:
-    oidc_secret_key: ENC[AES256_GCM,data:nvAvHL8ApRKT0B0qro40DtKLdTDECQvstRMahdCPah2moA21SXmu3GzMkK9y4V3Rj9mNr9AQ+U5oxGlT4lJFtIxqOsIZgQKRWIwJYTpr3XJeH4jlTpzMpbe3DaRwcIlqsrQEbI2WG/P1Jpn9y8n0Cl8QUZsdirDy8pIsHisQJUI=,iv:6Ctx3wPT8lY4q+B498Mm1j8IUn1+fNdrXhtfs/GQ7fo=,tag:WIeIZNZnDrTO7Hk1kXMbTQ==,type:str]
+    oidc_secret_key: ENC[AES256_GCM,data:NAUzYjuxT2tXXlcz/QQNqwDGkjMLONV0GUnC8N5vdkuwAwSB44WpXQwrCYcY7jFWeO6N9bEaVIIYvZ4i4DeG8jeRLzG1RIi3kF7X91MtW6BTZZSrHpr41ZE6VXwkggO2brigZapgzKMDSVNqZTGR0x7KzmnIUaDpem5ZTL+5K9E=,iv:O6/ecOuKeiAtkEk7xZEHKpCzGcfanq3h9ukqJ/3B9Jc=,tag:NZuvGePEZSs7MroyZTSdDg==,type:str]
 sops:
     age:
         - recipient: age1exncnhces66v0uc67xm009v2d2237hgdxtaa8tdy0hvusexjry0qye4ad2
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZDRYRmVaUndZRmxkWmFN
-            c3pKQXRrbEJGakIxWUdOUnQ5T3JPSEJERlNjCldLclFzbHUxR01VZDZLZkFtSHVU
-            bVk2bEJLZ3JIdGpCdE9reTA4YU5Bc1kKLS0tIHpHZTZ0YkNsTnZ3ck9aY2J2dFQz
-            a3lBZldOR09KNXFPMjl5bGd6VGY1cncKHolDJPBob+uY4I/1Mq81xDYtt3xQONsx
-            cvzDXRbgDSPTOvhT0EUer7jIAuHGc9+pXwqetvzAjF7pRQ+ZyhI75w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0WnRGMGlvWE5xL0tYYXMv
+            OHp6TXF2SjQ3U1Y3bXNCajg1NUV3UnI2QWxNCmZFT1JZR1g4ZS9qdXJ5NXVRRnQv
+            bHJ6R2hTOGtjREQrMmtMelozb3hyM00KLS0tIG8wdDQraXJzQ2FudTEzd2dxM0hN
+            bUhWK2xRM25OZWplTTVGbEYrcTNKWk0KhtaRTC3nfrGBTuGajEFCVesYaTFXlCfc
+            GwajQ9DX6xsWOmqFuAL+ukJqnelzGDQWwbi9WnSCS6/Np5fu99JG5w==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-09T10:02:55Z"
-    mac: ENC[AES256_GCM,data:cNYE9KGbyHihY0UUCDsog/qxUWNmLgnCZqoyYFONUhd/Ch37AYo8kjLhj7kAwdKWai/I9ffTuZShR2Jr4CdtM+INI1UW/LT1GcHX25DP85DVZtaQhj6KbZyKyZvGr1RnWozYxrew7cX4IK6eRUYme55Ev/m0S4MycyNK8G74SCE=,iv:7Vsyj6SdPjb2zNwXs/CNa0E0MJdr+WdKj0/3j7RJbyY=,tag:BLv2/l3JVw6HqkXnnK/V5A==,type:str]
+    lastmodified: "2025-11-15T02:21:17Z"
+    mac: ENC[AES256_GCM,data:eCpuqQWaEL5IW/VaSPT5gfdDyi7Yl7RW/hgfHm3Tkxt9U/eBnTvixeFc0hRfnxn/uesmRU/FL8hRGt+orD7aqNaUwPltISurXFC33yv/S0QE8LOLIT19VmgM8dnJjmIoKd7M55Rg/R+GmbasX9AFrPFB8IK5vIKX5g/vKG/LbHQ=,iv:XGtjz0wNg57XKQViIpRYVzVjV/cwK5IGKe+1jmwkNec=,tag:DbqImEzwSSBs8mcYL1I4gQ==,type:str]
     pgp:
-        - created_at: "2025-07-09T10:02:55Z"
+        - created_at: "2025-11-15T02:21:17Z"
           enc: |-
             -----BEGIN PGP MESSAGE-----
 
-            hQIMAwVH6sRf6ijOAQ//RXIfb9z5MQLXJQIsGauBcP9JGmrZ+CMjeGLOiiW4xB92
-            VUkVn+kHmUwiunyg4I+MRL6qwOpGUi76mhFPETLyh1z8ipvanoBbbGz72Y3Ikmyw
-            lRUjaaC84Nv1WKMzDaJYPbJm12L7Bxp7S9Dg/8cZximzBETERRRa2jwfBhm0dPh1
-            GHbleMXmtsWLPfx/s657nG8IywCEz9rLUdd/ajEbc2y6/gjhh+RqHT/m1TM3m9AF
-            gDi+4kmh0gjzV5mMBq9zbOMCkLjqivi5Kl8dsswO9kik2yTFvxp7l3S1jCmDTXBH
-            Te0UErjxHHCwi/XaBB2gCBG10EltJhCdvQZEeZmbsGjrGOQFcnJgolQPcqtXaFlY
-            XHi+QBgs+EWQ/P1w/KOMmTABJH6Baez8w1VCpErxgBmtzxFngVDZUfDMaYGev8oD
-            XzTOL6AamF/FUE67HfwLh86eJ/c+iPyceHc4UAnPAs6Y5yGgNylYLCaGiS8BVlOz
-            xpKuGUQM99WHGrrFKB1qE/HUtUrUlS5ttdNi68nw5qFbZKHJ/P3x1HybamvW+ENr
-            wpUu+IlzO6/UUM3gxMbnYlYitR1iBJR8ON9md8Snlxelw1ugvhCagbFSb66SWx+l
-            MkfjpavN4gpNAIaKXZCi1meTkTjYZF9rlBU/gui+4NS4WJ0mKji2CXueZ3T9SzjS
-            XgHLrjyiJ2rWyU1Gd4yZpp/ljzEfg3PvR4NQdPXAQEO6CVsfO9U/oe9rhqG0a7Rt
-            7JLciAYAzDrK8weRDP8VSQVolcYHWcOvvsLrzO5HSH7d8/ELRMnP1NirNvF6DMk=
-            =bM9d
+            hQIMAwVH6sRf6ijOARAAhOOdkR0SZ/mRunrsVqlnfuq5Wk/1iG+iDCd2Wf9Ygt5+
+            s0SdezLexKB5M1834eiHron6oNbqJOmhbnnTYRU8mgSygJgKC6wFrLdRibGxJCzg
+            MHW1ah+uuMjUY5J4XfTdYrqLC6kIYbNon6TPqg8qLI1dAWjSgocM+g0i3XrXXktL
+            U+r37hGNbxtV4bFF42t7LqO002Vk8g7OO6TastmY7D0jfIL+UhN5ayqS2eRo0pgW
+            TWNke/N9sz2P7PJeSx7pyi+2YshCYLZFfmnIZJMZoOxSJyGLDmz6LTerC7yrYLjR
+            KONMGo5T1ncQAtOPaF8RWozXSjHpwwX/ksQHzbywKnp/X7SHxe3wu4IxVbwD9PqI
+            +YP4Ej7TCLpw2O44I3rvl4l5sia3lMIAyIqczvDxkFtEkCfVO2TEdNrNCnHLlXY6
+            vyoS/n8XBLfEaVfyhk/hKFiH88be4ZH1j860hNkgd88+BxM9HC/om1thbLm2FatB
+            YZ6/PS+2VAxsKvz6ILO1ly3+lUk0aQd+PsOPAktAwI6bQvci4cs7JxMHwCl6XPh0
+            QBz56+eFFGUnqUFXmAPSn760PKCihhhtdLJpRgZs/IIEbzVnk4s7YrSvy79JAKFm
+            cimXFzxE73jGlFabcTiWd5lzy8VGKPcq29U3MnEAQBOzlCF7cWHu1wEkzmUgk77S
+            XgGbKwVT+MWdpTwVnzfEXqMJUGgS7B1VKe1A6mFy1PWf8fZsQCstYjjmbqq0lnuT
+            3DkYaEVRn6PFeWuQSNYX/shTW/DLnM0Q+YduJDnxjODXezKjq6BFDfzOUkJA/JU=
+            =R1O0
             -----END PGP MESSAGE-----
           fp: C5B9ADB07DBE5A2E
     encrypted_regex: ^(data|stringData|crowdsecLapiKey)$
-    version: 3.10.2
----
-apiVersion: v1
-kind: Secret
-metadata:
-    name: tailscale-exit-node
-    namespace: headscale
-stringData:
-    TS_AUTHKEY: ENC[AES256_GCM,data:Ex0o0sk+Fe2FLVMoeY0Xxt2+E3kn4t9m889BkM8xgpKSgOLqP04FO1LFrlG+qPDA,iv:MEZm8Hde0rTtlITeFEuSFk+c/2p/W90B86HLP8gG+WM=,tag:9m7lP9A+qoK9LpBtJ6bO1Q==,type:str]
-sops:
-    age:
-        - recipient: age1exncnhces66v0uc67xm009v2d2237hgdxtaa8tdy0hvusexjry0qye4ad2
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZDRYRmVaUndZRmxkWmFN
-            c3pKQXRrbEJGakIxWUdOUnQ5T3JPSEJERlNjCldLclFzbHUxR01VZDZLZkFtSHVU
-            bVk2bEJLZ3JIdGpCdE9reTA4YU5Bc1kKLS0tIHpHZTZ0YkNsTnZ3ck9aY2J2dFQz
-            a3lBZldOR09KNXFPMjl5bGd6VGY1cncKHolDJPBob+uY4I/1Mq81xDYtt3xQONsx
-            cvzDXRbgDSPTOvhT0EUer7jIAuHGc9+pXwqetvzAjF7pRQ+ZyhI75w==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-09T10:02:55Z"
-    mac: ENC[AES256_GCM,data:cNYE9KGbyHihY0UUCDsog/qxUWNmLgnCZqoyYFONUhd/Ch37AYo8kjLhj7kAwdKWai/I9ffTuZShR2Jr4CdtM+INI1UW/LT1GcHX25DP85DVZtaQhj6KbZyKyZvGr1RnWozYxrew7cX4IK6eRUYme55Ev/m0S4MycyNK8G74SCE=,iv:7Vsyj6SdPjb2zNwXs/CNa0E0MJdr+WdKj0/3j7RJbyY=,tag:BLv2/l3JVw6HqkXnnK/V5A==,type:str]
-    pgp:
-        - created_at: "2025-07-09T10:02:55Z"
-          enc: |-
-            -----BEGIN PGP MESSAGE-----
-
-            hQIMAwVH6sRf6ijOAQ//RXIfb9z5MQLXJQIsGauBcP9JGmrZ+CMjeGLOiiW4xB92
-            VUkVn+kHmUwiunyg4I+MRL6qwOpGUi76mhFPETLyh1z8ipvanoBbbGz72Y3Ikmyw
-            lRUjaaC84Nv1WKMzDaJYPbJm12L7Bxp7S9Dg/8cZximzBETERRRa2jwfBhm0dPh1
-            GHbleMXmtsWLPfx/s657nG8IywCEz9rLUdd/ajEbc2y6/gjhh+RqHT/m1TM3m9AF
-            gDi+4kmh0gjzV5mMBq9zbOMCkLjqivi5Kl8dsswO9kik2yTFvxp7l3S1jCmDTXBH
-            Te0UErjxHHCwi/XaBB2gCBG10EltJhCdvQZEeZmbsGjrGOQFcnJgolQPcqtXaFlY
-            XHi+QBgs+EWQ/P1w/KOMmTABJH6Baez8w1VCpErxgBmtzxFngVDZUfDMaYGev8oD
-            XzTOL6AamF/FUE67HfwLh86eJ/c+iPyceHc4UAnPAs6Y5yGgNylYLCaGiS8BVlOz
-            xpKuGUQM99WHGrrFKB1qE/HUtUrUlS5ttdNi68nw5qFbZKHJ/P3x1HybamvW+ENr
-            wpUu+IlzO6/UUM3gxMbnYlYitR1iBJR8ON9md8Snlxelw1ugvhCagbFSb66SWx+l
-            MkfjpavN4gpNAIaKXZCi1meTkTjYZF9rlBU/gui+4NS4WJ0mKji2CXueZ3T9SzjS
-            XgHLrjyiJ2rWyU1Gd4yZpp/ljzEfg3PvR4NQdPXAQEO6CVsfO9U/oe9rhqG0a7Rt
-            7JLciAYAzDrK8weRDP8VSQVolcYHWcOvvsLrzO5HSH7d8/ELRMnP1NirNvF6DMk=
-            =bM9d
-            -----END PGP MESSAGE-----
-          fp: C5B9ADB07DBE5A2E
-    encrypted_regex: ^(data|stringData|crowdsecLapiKey)$
-    version: 3.10.2
+    version: 3.11.0

k8s/apps/network/headscale/secrets.sops.yaml

@@ -21,10 +21,6 @@ spec:
     - name: grpc
       port: 50443
       targetPort: 50443
-    - name: stun
-      port: 3478
-      targetPort: 3478
-      protocol: UDP
 ---
 apiVersion: v1
 kind: Service

k8s/apps/network/headscale/svc.k8s.yaml

@@ -165,14 +165,6 @@ spec:
         exposedPort: 993
         proxyProtocol:
           trustedIPs: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
-      stun:
-        protocol: UDP
-        port: 3478
-        expose:
-          default: true
-        exposedPort: 3478
-        proxyProtocol:
-          trustedIPs: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
       jvb:
         protocol: UDP
         port: 10000

k8s/apps/network/ingress/helmrelease-external.k8s.yaml

@@ -134,14 +134,6 @@ spec:
         exposedPort: 993
         proxyProtocol:
           trustedIPs: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
-      stun:
-        protocol: UDP
-        port: 3478
-        expose:
-          default: true
-        exposedPort: 3478
-        proxyProtocol:
-          trustedIPs: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
       jvb:
         protocol: UDP
         port: 10000