diff --git a/infrastructure/headscale/ingress.yaml b/infrastructure/headscale/ingress.yaml
new file mode 100644
index 0000000..11024da
--- /dev/null
+++ b/infrastructure/headscale/ingress.yaml
@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: headscale-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`headscale.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: headscale-web
+      port: 8080
+
+  tls:
+    certResolver: default-tls 
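Review bot: The single `Host(...)` rule under `routes` forwards every path on port 8080 of the control server to the public `websecure` entry point, and no `middlewares` are attached. Headscale serves its management REST API on the same listener as the client protocol, so if that API is only meant to be reached in-cluster (for example by headplane), consider narrowing the rule, e.g. ``match: Host(`headscale.kluster.moll.re`) && !PathPrefix(`/api`)``, or attaching an IP allow-list or rate-limit middleware. Which paths must stay public cannot be confirmed from this hunk, since deployment.yaml and the config maps are not shown. The `certResolver` line also carries a trailing space, and the `routes` list is indented differently from `entryPoints`.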
diff --git a/infrastructure/headscale/kustomization.yaml b/infrastructure/headscale/kustomization.yaml
new file mode 100644
index 0000000..da2ada0
--- /dev/null
+++ b/infrastructure/headscale/kustomization.yaml
@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: headscale
+
+resources:
+  - namespace.yaml
+  - headscale-config.configmap.yaml
+  - headplane-config.configmap.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - serviceaccount.yaml
+  - service.yaml
+  - ingress.yaml
+
+images:
+  - name: headscale
+    newName: headscale/headscale # has all plugins
+    newTag: v0.25.1
+  - name: headplane
+    newName: ghcr.io/tale/headplane
+    newTag: "0.5.10"
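Review bot: Both `images` entries are pinned by mutable tag only (`newTag: v0.25.1`, `newTag: "0.5.10"`), so a re-pushed tag on either registry would change what runs as the tailnet control plane without any change in this repository. Kustomize image entries accept a `digest` field; adding `digest: sha256:<digest-of-the-reviewed-image>` to each entry pins the content that was actually reviewed. The trailing comment `# has all plugins` on the headscale `newName` line looks copied from another manifest and should be dropped or replaced with what it is meant to say.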
diff --git a/infrastructure/headscale/namespace.yaml b/infrastructure/headscale/namespace.yaml
new file mode 100644
index 0000000..1178cee
--- /dev/null
+++ b/infrastructure/headscale/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 
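Review bot: The label `pod-security.kubernetes.io/enforce: privileged` switches off Pod Security Admission restrictions for the whole namespace, so any pod created here may use host namespaces, hostPath mounts or privileged containers. Nothing in the visible manifests shows headscale or headplane needing that (deployment.yaml is not part of this view), so I would start from `pod-security.kubernetes.io/enforce: baseline` and relax it only if a specific pod setting requires it, with a comment naming that setting. Adding `pod-security.kubernetes.io/warn: restricted` would also surface what keeps the workload from the stricter profile. The label value has a trailing space as well.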
diff --git a/infrastructure/headscale/pvc.yaml b/infrastructure/headscale/pvc.yaml
new file mode 100644
index 0000000..fc1835b
--- /dev/null
+++ b/infrastructure/headscale/pvc.yaml
@@ -0,0 +1,23 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: headscale-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: headplane-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
\ No newline at end of file
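Review bot: Both claims place application state on `storageClassName: "nfs-client"`; if headscale runs with its SQLite backend (the config map is not in this view), the database would sit on NFS, where file locking is unreliable and SQLite is prone to corruption. The volume presumably also holds the server's private key material, so its confidentiality depends on who can mount the NFS export. Consider a block-backed or node-local storage class for `headscale-data`, or record why NFS is acceptable with a comment such as `# NFS is fine here: database is external`. The file also lacks a final newline.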
diff --git a/infrastructure/headscale/service.yaml b/infrastructure/headscale/service.yaml
new file mode 100644
index 0000000..9b8a304
--- /dev/null
+++ b/infrastructure/headscale/service.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: headscale-web
+spec:
+  selector:
+    app: headscale
+  ports:
+  - port: 8080
+    targetPort: 8080
diff --git a/infrastructure/headscale/serviceaccount.yaml b/infrastructure/headscale/serviceaccount.yaml
new file mode 100644
index 0000000..f9de355
--- /dev/null
+++ b/infrastructure/headscale/serviceaccount.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: headplane-agent
+  # namespace: default # Adjust namespace as needed
+rules:
+- apiGroups: ['']
+  resources: ['pods']
+  verbs: ['get', 'list']
+- apiGroups: ['apps']
+  resources: ['deployments']
+  verbs: ['get', 'list']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: headplane-agent
+  # namespace: default # Adjust namespace as needed
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: headplane-agent
+subjects:
+- kind: ServiceAccount
+  name: default # If you use a different service account, change this
+  # namespace: default # Adjust namespace as needed
\ No newline at end of file
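Review bot: The `RoleBinding` subject is the namespace's `default` ServiceAccount, so every pod in `headscale` that does not set its own `serviceAccountName` receives `get`/`list` on pods and deployments, not only the headplane agent. The file is named serviceaccount.yaml but defines no ServiceAccount; a dedicated `headplane-agent` account bound to the Role keeps the permission with the workload that needs it, and the pod spec in deployment.yaml (not shown here) would then set `serviceAccountName: headplane-agent`. The subject also has no `namespace` and appears to rely on the kustomize namespace transformer to fill it in, so the commented-out `# namespace: default` lines can be removed rather than left as a prompt to hard-code one. The file lacks a final newline.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: headplane-agent
---
# … unchanged: Role headplane-agent, RoleBinding metadata and roleRef …
subjects:
- kind: ServiceAccount
  name: headplane-agent
```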