Skip to content

WIP: tailscale and headscale VPN #913

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

WIP: tailscale and headscale VPN #913

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
ef1b7f7
WIP: tailscale and headscale VPN
sawall Aug 1, 2025
88c554e
WIP: tailscale VPN
sawall Aug 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
182 changes: 182 additions & 0 deletions nomad/headscale.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,182 @@
variable "dc" {
type = string
}

variable "headscale_hostname" {
type = string
}

variable "headscale_version" {
type = string
default = "latest"
}

variable "headscale_count" {
type = number
default = 1
}

job "[JOB_NAME]" {
datacenters = ["${var.dc}"]
type = "service"
priority = 50

constraint {
attribute = "${attr.kernel.name}"
value = "linux"
}

group "headscale" {
count = var.headscale_count

constraint {
attribute = "${meta.pool_type}"
operator = "set_contains_any"
value = "consul,general"
}

restart {
attempts = 2
interval = "30m"
delay = "15s"
mode = "fail"
}

ephemeral_disk {
size = 1000
}

network {
port "http" {
to = 8080
}
port "grpc" {
to = 50443
}
port "metrics" {
to = 9090
}
}

task "headscale" {
driver = "docker"

vault {
change_mode = "restart"
}

config {
image = "headscale/headscale:${var.headscale_version}"
force_pull = false
ports = ["http", "grpc", "metrics"]
volumes = [
"local/config.yaml:/etc/headscale/config.yaml",
"alloc/data:/var/lib/headscale"
]
command = "serve"
}

template {
destination = "local/config.yaml"
data = <<EOF
server_url: https://${var.headscale_hostname}/
listen_addr: 0.0.0.0:8080
metrics_listen_addr: 0.0.0.0:9090
grpc_listen_addr: 0.0.0.0:50443
grpc_allow_insecure: false

private_key_path: /var/lib/headscale/private.key
noise:
private_key_path: /var/lib/headscale/noise_private.key

prefixes:
v6: fd7a:115c:a1e0::/48
v4: 100.64.0.0/10

derp:
server:
enabled: false

urls:
- https://controlplane.tailscale.com/derpmap/default

auto_update_enabled: true
update_frequency: 24h

disable_check_updates: false

ephemeral_node_inactivity_timeout: 30m

node_update_check_interval: 10s

database:
type: sqlite3
sqlite:
path: /var/lib/headscale/db.sqlite

acme_url: https://acme-v02.api.letsencrypt.org/directory
acme_email: ""

tls_letsencrypt_hostname: ""
tls_cert_path: ""
tls_key_path: ""

log:
format: text
level: info

oidc:
only_start_if_oidc_is_available: false
issuer: ""
client_id: ""
client_secret_path: ""
scope: ["openid", "profile", "email"]
extra_params: {}
allowed_domains: []
allowed_users: []
allowed_groups: []

logtail:
enabled: false

randomize_client_port: false

dns:
override_local_dns: true
nameservers:
global:
- 1.1.1.1
- 8.8.8.8
search_domains: []
magic_dns: true
base_domain: "headscale.local"
EOF
}

resources {
cpu = 200
memory = 256
}

service {
name = "headscale"
tags = ["int-urlprefix-${var.headscale_hostname}/"]
port = "http"

check {
name = "headscale-health"
type = "http"
path = "/health"
port = "http"
interval = "10s"
timeout = "2s"
}

meta {
grpc = "${NOMAD_HOST_PORT_grpc}"
metrics = "${NOMAD_HOST_PORT_metrics}"
}
}
}
}
}
128 changes: 128 additions & 0 deletions nomad/ouroboros.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,128 @@
variable "dc" {
type = string
}

variable "ouroboros_hostname" {
type = string
}

variable "ouroboros_version" {
type = string
default = "latest"
}

variable "ouroboros_count" {
type = number
default = 1
}

variable "headscale_url" {
type = string
description = "URL of the Headscale server"
}

job "[JOB_NAME]" {
datacenters = ["${var.dc}"]
type = "service"
priority = 50

constraint {
attribute = "${attr.kernel.name}"
value = "linux"
}

group "ouroboros" {
count = var.ouroboros_count

constraint {
attribute = "${meta.pool_type}"
operator = "set_contains_any"
value = "consul,general"
}

restart {
attempts = 2
interval = "30m"
delay = "15s"
mode = "fail"
}

ephemeral_disk {
size = 300
}

network {
port "http" {
to = 8080
}
}

task "ouroboros" {
driver = "docker"

vault {
change_mode = "restart"
}

config {
image = "ouroboros/ouroboros:${var.ouroboros_version}"
force_pull = false
ports = ["http"]
}

template {
destination = "local/env"
env = true
data = <<EOF
# Headscale connection
HEADSCALE_URL=${var.headscale_url}
{{ with secret "secret/default/headscale/api" }}
HEADSCALE_API_KEY={{ .Data.data.api_key }}
{{ end }}

# OIDC configuration for Okta
{{ with secret "secret/default/ouroboros/oidc" }}
OIDC_ISSUER={{ .Data.data.issuer }}
OIDC_CLIENT_ID={{ .Data.data.client_id }}
OIDC_CLIENT_SECRET={{ .Data.data.client_secret }}
{{ end }}
OIDC_REDIRECT_URL=https://${var.ouroboros_hostname}/auth/oidc/callback

# Application settings
BIND_ADDR=0.0.0.0:8080
LOG_LEVEL=info
BASE_URL=https://${var.ouroboros_hostname}

# Security settings
SESSION_SECRET={{ with secret "secret/default/ouroboros/session" }}{{ .Data.data.secret }}{{ end }}
CSRF_SECRET={{ with secret "secret/default/ouroboros/csrf" }}{{ .Data.data.secret }}{{ end }}

# Feature flags
ENABLE_OIDC=true
DISABLE_API_KEY_LOGIN=true
ALLOW_USER_REGISTRATION=false
EOF
}

resources {
cpu = 200
memory = 256
}

service {
name = "ouroboros"
tags = ["int-urlprefix-${var.ouroboros_hostname}/"]
port = "http"

check {
name = "ouroboros-health"
type = "http"
path = "/health"
port = "http"
interval = "10s"
timeout = "2s"
}
}
}
}
}
Loading