diff --git a/infrastructure/headscale/deployment.yaml b/infrastructure/headscale/deployment.yaml
new file mode 100644
index 0000000..9a82c2d
--- /dev/null
+++ b/infrastructure/headscale/deployment.yaml
@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: headscale
+ labels:
+ app: headscale
+spec:
+ selector:
+ matchLabels:
+ app: headscale
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: headscale
+ spec:
+ shareProcessNamespace: true
+ serviceAccountName: default
+ containers:
+ - name: headplane
+ image: headplane
+ env:
+ # Set these if the pod name for Headscale is not static
+ # We will use the downward API to get the pod name instead
+ - name: HEADPLANE_LOAD_ENV_OVERRIDES
+ value: 'true'
+ - name: 'HEADPLANE_INTEGRATION__KUBERNETES__POD_NAME'
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ ports:
+ - containerPort: 3000
+ volumeMounts:
+ - name: headscale-config
+ mountPath: /etc/headscale/config.yaml
+ subPath: config.yaml
+ - name: headplane-config
+ mountPath: /etc/headplane/config.yaml
+ subPath: config.yaml
+ - name: headplane-data
+ mountPath: /var/lib/headplane
+
+ - name: headscale
+ image: headscale
+ args: ["serve"]
+ resources:
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ limits:
+ cpu: 100m
+ memory: 100Mi
+ # env:
+ ports:
+ - containerPort: 8080
+ volumeMounts:
+ - name: headscale-config
+ mountPath: /etc/headscale/config.yaml
+ subPath: config.yaml
+ - mountPath: /persistence
+ name: headscale-data
+
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - name: headscale-config
+ configMap:
+ name: headscale-config
+ - name: headscale-data
+ persistentVolumeClaim:
+ claimName: headscale-data
+
+ - name: headplane-config
+ configMap:
+ name: headplane-config
+ - name: headplane-data
+ persistentVolumeClaim:
+ claimName: headplane-data
diff --git a/infrastructure/headscale/ingress.yaml b/infrastructure/headscale/ingress.yaml
new file mode 100644
index 0000000..11024da
--- /dev/null
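Review bot: Neither container in the pod template declares a `securityContext`, even though `shareProcessNamespace: true` lets the headplane container see and signal headscale's processes, and the pod runs as the namespace's `default` service account, which serviceaccount.yaml in this same commit binds to the `headplane-agent` Role — so the headscale container also gets an automounted token with pods/deployments read access it has no use for. A dedicated service account for this deployment (with the RoleBinding subject in serviceaccount.yaml pointed at it) plus a pod seccomp profile and per-container `allowPrivilegeEscalation: false` / dropped capabilities would confine both containers; `runAsNonRoot: true` is worth adding once the user each image runs as is confirmed, and if the two images run as different users, signalling across the shared PID namespace needs `CAP_KILL`, so check headplane's reload path before dropping it. The headplane container also has no `resources` block while headscale's does, so only one of the two is bounded. Sketch of the changed lines below; the service-account name is a placeholder to be matched with the RBAC file.
```yaml
      serviceAccountName: headplane-agent  # placeholder: create this ServiceAccount and make it the RoleBinding subject
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: headplane
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]  # re-add CAP_KILL only if headplane must signal a headscale running as another user
          # … unchanged: image, env, ports, volumeMounts …
        - name: headscale
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: image, args, resources, ports, volumeMounts …
```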
+++ b/infrastructure/headscale/ingress.yaml
@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: headscale-ingressroute
+
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`headscale.kluster.moll.re`)
+ kind: Rule
+ services:
+ - name: headscale-web
+ port: 8080
+
+ tls:
+ certResolver: default-tls
diff --git a/infrastructure/headscale/kustomization.yaml b/infrastructure/headscale/kustomization.yaml
new file mode 100644
index 0000000..da2ada0
--- /dev/null
+++ b/infrastructure/headscale/kustomization.yaml
@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: headscale
+
+resources:
+ - namespace.yaml
+ - headscale-config.configmap.yaml
+ - headplane-config.configmap.yaml
+ - pvc.yaml
+ - deployment.yaml
+ - serviceaccount.yaml
+ - service.yaml
+ - ingress.yaml
+
+images:
+ - name: headscale
+ newName: headscale/headscale # has all plugins
+ newTag: v0.25.1
+ - name: headplane
+ newName: ghcr.io/tale/headplane
+ newTag: "0.5.10"
diff --git a/infrastructure/headscale/namespace.yaml b/infrastructure/headscale/namespace.yaml
new file mode 100644
index 0000000..1178cee
--- /dev/null
+++ b/infrastructure/headscale/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: placeholder
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
diff --git a/infrastructure/headscale/pvc.yaml b/infrastructure/headscale/pvc.yaml
new file mode 100644
index 0000000..fc1835b
--- /dev/null
+++ b/infrastructure/headscale/pvc.yaml
@@ -0,0 +1,23 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: headscale-data
+spec:
+ storageClassName: "nfs-client"
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: headplane-data
+spec:
+ storageClassName: "nfs-client"
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
\ No newline at end of file
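Review bot: Both images are pinned by tag only (`newTag: v0.25.1` and `newTag: "0.5.10"`), and a tag can be re-pushed with different content, so the manifest does not fix what the cluster actually runs. kustomize image entries also accept a `digest:` field, which pins the exact image content; e.g. `digest: sha256:<placeholder, the digest of headscale/headscale:v0.25.1>` next to `newTag` (I believe the digest takes precedence over the tag when both are set — confirm with the kustomize version in use). The `# has all plugins` comment on the headscale entry does not say what it refers to; naming the feature that motivated choosing that image over an alternative would help the next reader.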
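Review bot: `pod-security.kubernetes.io/enforce: privileged` disables Pod Security admission for the whole namespace, but nothing in the deployment on this page needs that — no host namespaces, hostPath volumes, host ports or privileged containers are used, and `shareProcessNamespace` is a pod-internal PID namespace rather than a host one (to my knowledge not restricted by PSS; confirm). `enforce: baseline` should therefore be accepted as-is, with `pod-security.kubernetes.io/warn: restricted` and `audit: restricted` labels to surface what the containers still lack before tightening to `restricted`. `name: placeholder` is presumably rewritten by the kustomization's `namespace: headscale`; a one-line comment saying so would save the next reader a lookup.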
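Review bot: Both claims are `ReadWriteOnce` on the `nfs-client` class, and NFS-backed volumes are typically not attached per node, so the RWO restriction is not enforced across nodes; with the deployment's default RollingUpdate strategy a rollout of the single replica can briefly run two headscale pods writing the same `/persistence` directory. If the headscale config (not in this diff) keeps the default SQLite backend, that concurrent access over NFS is a corruption risk, since SQLite's locking over NFS is unreliable. Adding `strategy: { type: Recreate }` under `spec` in deployment.yaml removes the overlap; the same consideration applies to `headplane-data`.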
diff --git a/infrastructure/headscale/service.yaml b/infrastructure/headscale/service.yaml
new file mode 100644
index 0000000..9b8a304
--- /dev/null
+++ b/infrastructure/headscale/service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: headscale-web
+spec:
+ selector:
+ app: headscale
+ ports:
+ - port: 8080
+ targetPort: 8080
diff --git a/infrastructure/headscale/serviceaccount.yaml b/infrastructure/headscale/serviceaccount.yaml
new file mode 100644
index 0000000..f9de355
--- /dev/null
+++ b/infrastructure/headscale/serviceaccount.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: headplane-agent
+ # namespace: default # Adjust namespace as needed
+rules:
+- apiGroups: ['']
+ resources: ['pods']
+ verbs: ['get', 'list']
+- apiGroups: ['apps']
+ resources: ['deployments']
+ verbs: ['get', 'list']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: headplane-agent
+ # namespace: default # Adjust namespace as needed
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: headplane-agent
+subjects:
+- kind: ServiceAccount
+ name: default # If you use a different service account, change this
+ # namespace: default # Adjust namespace as needed
\ No newline at end of file
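Review bot: serviceaccount.yaml creates no ServiceAccount — it holds a Role and a RoleBinding whose subject is the namespace's `default` account — so the filename and the matching kustomization entry are misleading; either add the account the name promises or rename the file to something like `rbac.yaml`. The three `# namespace: default # Adjust namespace as needed` comments and `# If you use a different service account, change this` read as copied from an upstream example: the kustomization already sets `namespace: headscale`, so the namespace comments no longer apply and should go, and the subject comment should state the account this deployment is meant to use. If a dedicated account is introduced, `automountServiceAccountToken: false` on it (or on `default`) keeps the token out of containers that do not call the API.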