add headscale

Reviewed-on: #423

apps/adguard/kustomization.yaml

@@ -10,7 +10,7 @@ resources:
 images:
   - name: adguard/adguardhome
     newName: adguard/adguardhome
-    newTag: v0.107.56
+    newTag: v0.107.61
 
 namespace: adguard
 

apps/audiobookshelf/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
   - name: audiobookshelf
     newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.19.0"
+    newTag: "2.20.0"

apps/code-server/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: code-server
 images:
   - name: code-server
     newName: ghcr.io/coder/code-server
-    newTag: 4.96.4-fedora
+    newTag: 4.99.3-fedora

apps/files/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: files
 images:
   - name: ocis
     newName: owncloud/ocis
-    newTag: "7.0.0"
+    newTag: "7.1.2"

apps/finance/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 25.2.0
+    newTag: 25.4.0

apps/grafana/kustomization.yaml

@@ -17,5 +17,5 @@ helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 8.8.5
+    version: 8.12.1
     valuesFile: grafana.values.yaml

apps/homeassistant/kustomization.yaml

@@ -15,4 +15,4 @@ resources:
 images:
   - name: homeassistant
     newName: homeassistant/home-assistant
-    newTag: "2025.2"
+    newTag: "2025.4"

apps/immich/kustomization.yaml

@@ -15,20 +15,20 @@ namespace: immich
 helmCharts:
   - name: immich
     releaseName: immich
-    version: 0.9.0
+    version: 0.9.2
     valuesFile: values.yaml
     repo: https://immich-app.github.io/immich-charts
 
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.125.7
+    newTag: v1.130.3
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.125.7
+    newTag: v1.130.3
 
 
 patches:
   - path: patch-redis-pvc.yaml
     target:
       kind: StatefulSet
-      name: immich-redis-master
+      name: immich-redis-master

apps/immich/values.yaml

@@ -37,10 +37,6 @@ immich:
       existingClaim: data
 
 # Dependencies
-
-postgresql:
-  enabled: false
-
 redis:
   enabled: true
   architecture: standalone

apps/kitchenowl/kustomization.yaml

@@ -14,4 +14,4 @@ namespace: kitchenowl
 images:
   - name: kitchenowl
     newName: tombursch/kitchenowl
-    newTag: v0.6.8
+    newTag: v0.6.11

apps/linkding/kustomization.yaml

@@ -13,4 +13,4 @@ namespace: linkding
 images:
   - name: linkding
     newName: sissbruecker/linkding
-    newTag: "1.37.0"
+    newTag: "1.39.1"

apps/media/kustomization.yaml

@@ -12,4 +12,4 @@ resources:
 images:
   - name: jellyfin/jellyfin
     newName: jellyfin/jellyfin
-    newTag: 10.10.5
+    newTag: 10.10.7

apps/minecraft/curseforge.sealedsecret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: minecraft
 spec:
   encryptedData:
-    key: AgBYeAiejdmxDBorvgnxQX5YvUhR3NId2vfWybMKlc27e6D/bKglLNyZMk70xSnFAPjcDmZ20mYjFPYvDOr9T6IU/REJ8QlzoKAn0xW779R4SkIxRToT+dJv+OM2avgQ9uqp7vja29xeXMjYAnQML+QGZKcrT8mE04G/Ty8rdUiv3yUXK5HFAR3SUF35aVLdlthLjpRkv1s0R7GAP4L2pNzBJNV3i37viceUSSjU0zpOa23fsQOkPAs67AIukAJBqh/hyF/hR9H1GeYZNTI3OcHcvC2iNk/XGstvv0Zy6ApzoebsfWGdsbVn+QUI0EBw+mSTPqpl71cbkz0v4S4XAVndosxWpe6AIgm5MBTU0FXIyGyoFDe1aMPq8BXiQikYVwB48oVNh9KF0xXX5AOG0whB/FEsL3OJsiNQvQ3R/Hru43JBn64oxjVtLfM3E7u8v/xr1VQahX8dylDmb4s5EV01U6O4y19Ou4td1eEMlhpJb0fBPDRUYuWxZAEDGmp+U4tAakyPed11VkcZPPn9fKAAcv8sGs3TYAbbF18hqsBnv2Wd+i7ZEvKwmdmfR/T0r1TJGsvKI7jaW0QtH256XrSxQp7a52qMKMVQWOSKw2k27t/IkRhxT2Prw4GfJvaVr4RozUaBf3LV/hfDWlDfmM2zg3X9W8HkzjotGg021OLxsa0Wzmhffvb8h4bvZwxeq3U1xaJocqXui7z0rT2pF4z3wYHR/lPtexHcOA2M8gfBGKb1rBKh+kW+N+/ZfVLNI0mokg5vrTO2nR2rb4c=
+    key: AgDG6apUvB38rB9tH+/ya5Af/32IUJjHiEGZFdYYqesuqyPB/qf99EtC/7CwqD6bDQQPVycJVcxwZuF8QtYfPXzv//yMkqEUJ2G1/Q5J8I6bjNGLR636UhliUpCkH1QDOspWJUjwKDVxlFN9l0g9UajvxnqLyGzbWPeay0sJEBvAY8ltEZpLP21V+GD+HgPk3HIfSFFBMsULS6GPCjMaFxkxQb6cG3K4Ej4NHCHRGOmax+4Rk7lwMyAHlXLlrwj/ytxrnHDWrugLIJE9KKmJn6UVNTuk6olgkhleg2PixV7oOiDVyu9ZQP8wbdppzRix6dnIcFEYJ1ZDK1rNF5QErYO0gBytiJnSsdFO0jUMsdBrho2FgUc5GgIdmgXWJJz3lrGFqXaRVvbPsBZTUAsQRh2+4IfqfWmAkEjBcjs1K8WWJfS+rO9e02KoHBT4decdsd8Qfr5EFdPIzMrkUoRMI9CJnIa5u2nR08Hhd9iojbL64FZ26kXMODtEdKmlo+HwjufLX5rYJVSfOyZYzivd/kgKA87YTFaMLKej07w3ofGrPYSoCnmLfJyoQdNyJhdonBDsgM1GgRWQZDpgJ1df0SB02A5lZ4V7lHWr8KlANv9YLuMoZnVehsH1NZjNQHDInIRiTLahEBbjcJzQz4vU1UWG100ATszEYKOUVkzPnTgkqKYU99ZQ23bHP8z7iAWQeumb6V84NTi6jNITBvU4yTFLuAiI3nW34Vb1mFVLwfWqMjEYX8gBB4yMSaVshB/japfkyXU0pYg4mK9gsB4=
   template:
     metadata:
       creationTimestamp: null

apps/minecraft/job.yaml

@@ -4,6 +4,9 @@ metadata:
   name: start-server
 spec:
   template:
+    metadata:
+      labels:
+        app: minecraft-server
     spec:
       restartPolicy: OnFailure
       containers:
@@ -11,7 +14,7 @@ spec:
         image: minecraft
         resources:
           limits:
-            memory: "10000Mi"
+            memory: "11000Mi"
             cpu: "5"
           requests:
             memory: "1500Mi"
@@ -29,13 +32,13 @@ spec:
               name: curseforge-api
               key: key
         - name: CF_PAGE_URL
-          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5413446"
+          value: "https://www.curseforge.com/minecraft/modpacks/vault-hunters-1-18-2/files/5925838"
         - name: VERSION
           value: "1.18.2"
         - name: INIT_MEMORY
           value: "1G"
         - name: MAX_MEMORY
-          value: "8G"
+          value: "10G"
         - name: MOTD
           value: "VaultHunters baby!"
         - name: ENABLE_RCON
@@ -43,7 +46,7 @@ spec:
         - name: CREATE_CONSOLE_IN_PIPE
           value: "true"
         - name: ONLINE_MODE
-          value: "true"
+          value: "false"
         - name: ENABLE_AUTOSTOP
           value: "true"
         

apps/paperless/kustomization.yaml

@@ -14,14 +14,14 @@ namespace: paperless
 images:
   - name: paperless
     newName: ghcr.io/paperless-ngx/paperless-ngx
-    newTag: "2.14.7"
+    newTag: "2.15.3"
 
 
 helmCharts:
   - name: redis
     releaseName: redis
     repo: https://charts.bitnami.com/bitnami
-    version: 20.7.0
+    version: 20.13.0
     valuesInline:
       auth:
         enabled: false

apps/recipes/kustomization.yaml

@@ -13,5 +13,5 @@ resources:
 
 images:
   - name: mealie
-    newTag: v2.5.0
+    newTag: v2.8.0
     newName: ghcr.io/mealie-recipes/mealie

infrastructure/authelia/authelia.values.yaml

@@ -12,7 +12,7 @@ pod:
 ## Authelia Config Map Generator
 ##
 configMap:
-  key: 'configuration.yml'
+  key: 'configuration.yaml'
   # include sub-maps wich OVERRIDE the values generated by the helm chart
   extraConfigs:
     - /secrets/authelia-smtp/smtp.yml
@@ -78,10 +78,6 @@ configMap:
       file: /config/db.sqlite3
 
 
-  # notifier:
-  # notifier is configured via the smtp secret and merged by authelia upon startup
-
-
   identity_validation:
     reset_password:
       secret:
@@ -243,6 +239,11 @@ configMap:
             - email
             - profile
 
+
+  # notifier
+  # is set through a secret
+
+
 persistence:
   enabled: true
   storageClass: 'nfs-client'

infrastructure/authelia/kustomization.yaml

@@ -27,6 +27,6 @@ images:
 helmCharts:
   - name: authelia
     releaseName: authelia
-    version: 0.9.15
+    version: 0.10.4
     repo: https://charts.authelia.com
     valuesFile: authelia.values.yaml

infrastructure/external-dns/kustomization.yaml

@@ -11,8 +11,8 @@ resources:
 images:
   - name: octodns
     newName: octodns/octodns # has all plugins
-    newTag: "2024.09"
+    newTag: "2025.04"
 
   - name: git
     newName: alpine/git
-    newTag: "v2.47.1"
+    newTag: "v2.47.2"

infrastructure/gitea/kustomization.yaml

@@ -23,6 +23,6 @@ helmCharts:
   - name: gitea
     namespace: gitea # needs to be set explicitly for svc to be referenced correctly
     releaseName: gitea
-    version: 10.6.0
+    version: 11.0.1
     valuesFile: gitea.values.yaml
     repo: https://dl.gitea.io/charts/

infrastructure/headscale/deployment.yaml

@@ -0,0 +1,77 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name:  headscale
+  labels:
+    app:  headscale
+spec:
+  selector:
+    matchLabels:
+      app: headscale
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: headscale
+    spec:
+      shareProcessNamespace: true
+      serviceAccountName: default
+      containers:
+      - name: headplane
+        image: headplane
+        env:
+        # Set these if the pod name for Headscale is not static
+        # We will use the downward API to get the pod name instead
+        - name: HEADPLANE_LOAD_ENV_OVERRIDES
+          value: 'true'
+        - name: 'HEADPLANE_INTEGRATION__KUBERNETES__POD_NAME'
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        ports:
+        - containerPort: 3000
+        volumeMounts:
+        - name: headscale-config
+          mountPath: /etc/headscale/config.yaml
+          subPath: config.yaml
+        - name: headplane-config
+          mountPath: /etc/headplane/config.yaml
+          subPath: config.yaml
+        - name: headplane-data
+          mountPath: /var/lib/headplane
+
+      - name: headscale
+        image: headscale
+        args: ["serve"]
+        resources:
+          requests:
+            cpu: 100m
+            memory: 100Mi
+          limits:
+            cpu: 100m
+            memory: 100Mi
+        # env:
+        ports:
+        - containerPort: 8080
+        volumeMounts:
+        - name: headscale-config
+          mountPath: /etc/headscale/config.yaml
+          subPath: config.yaml
+        - mountPath: /persistence
+          name: headscale-data
+
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: headscale-config
+        configMap:
+          name: headscale-config
+      - name: headscale-data
+        persistentVolumeClaim:
+          claimName: headscale-data
+
+      - name: headplane-config
+        configMap:
+          name: headplane-config
+      - name: headplane-data
+        persistentVolumeClaim:
+          claimName: headplane-data

infrastructure/headscale/headplane-config.configmap.yaml

@@ -0,0 +1,99 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: headplane-config
+data:
+  config.yaml: |
+    # Configuration for the Headplane server and web application
+    server:
+      host: "0.0.0.0"
+      port: 3000
+
+      # The secret used to encode and decode web sessions
+      # Ensure that this is exactly 32 characters long
+      cookie_secret: "<change_me_to_something_secure!>"
+
+      # Should the cookies only work over HTTPS?
+      # Set to false if running via HTTP without a proxy
+      # (I recommend this is true in production)
+      cookie_secure: true
+
+    # Headscale specific settings to allow Headplane to talk
+    # to Headscale and access deep integration features
+    headscale:
+      # The URL to your Headscale instance
+      # (All API requests are routed through this URL)
+      # (THIS IS NOT the gRPC endpoint, but the HTTP endpoint)
+      #
+      # IMPORTANT: If you are using TLS this MUST be set to `https://`
+      url: "http://0.0.0.0:8080"
+
+      # If you use the TLS configuration in Headscale, and you are not using
+      # Let's Encrypt for your certificate, pass in the path to the certificate.
+      # (This has no effect `url` does not start with `https://`)
+      # tls_cert_path: "/var/lib/headplane/tls.crt"
+
+      # Optional, public URL if they differ
+      # This affects certain parts of the web UI
+      # public_url: "https://headscale.example.com"
+
+      # Path to the Headscale configuration file
+      # This is optional, but HIGHLY recommended for the best experience
+      # If this is read only, Headplane will show your configuration settings
+      # in the Web UI, but they cannot be changed.
+      config_path: "/etc/headscale/config.yaml"
+
+      # Headplane internally validates the Headscale configuration
+      # to ensure that it changes the configuration in a safe way.
+      # If you want to disable this validation, set this to false.
+      config_strict: true
+
+    # Integration configurations for Headplane to interact with Headscale
+    # Only one of these should be enabled at a time or you will get errors
+    integration:
+      kubernetes:
+        enabled: true
+        # Validates the manifest for the Pod to ensure all of the criteria
+        # are set correctly. Turn this off if you are having issues with
+        # shareProcessNamespace not being validated correctly.
+        validate_manifest: true
+        # This should be the name of the Pod running Headscale and Headplane.
+        # If this isn't static you should be using the Kubernetes Downward API
+        # to set this value (refer to docs/Integrated-Mode.md for more info).
+        pod_name: "headscale"
+
+
+
+    # # OIDC Configuration for simpler authentication
+    # # (This is optional, but recommended for the best experience)
+    # oidc:
+    #   issuer: "https://accounts.google.com"
+    #   client_id: "your-client-id"
+
+    #   # The client secret for the OIDC client
+    #   # Either this or `client_secret_path` must be set for OIDC to work
+    #   client_secret: "<your-client-secret>"
+    #   # You can alternatively set `client_secret_path` to read the secret from disk.
+    #   # The path specified can resolve environment variables, making integration
+    #   # with systemd's `LoadCredential` straightforward:
+    #   # client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
+
+    #   disable_api_key_login: false
+    #   token_endpoint_auth_method: "client_secret_post"
+
+    #   # If you are using OIDC, you need to generate an API key
+    #   # that can be used to authenticate other sessions when signing in.
+    #   #
+    #   # This can be done with `headscale apikeys create --expiration 999d`
+    #   headscale_api_key: "<your-headscale-api-key>"
+
+    #   # Optional, but highly recommended otherwise Headplane
+    #   # will attempt to automatically guess this from the issuer
+    #   #
+    #   # This should point to your publicly accessibly URL
+    #   # for your Headplane instance with /admin/oidc/callback
+    #   redirect_uri: "http://localhost:3000/admin/oidc/callback"
+
+    #   # Stores the users and their permissions for Headplane
+    #   # This is a path to a JSON file, default is specified below.
+    #   user_storage_file: "/var/lib/headplane/users.json"

infrastructure/headscale/headscale-config.configmap.yaml

@@ -0,0 +1,376 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: headscale-config
+data:
+  config.yaml: |
+    server_url: http://127.0.0.1:8080
+
+    # Address to listen to / bind to on the server
+    #
+    # For production:
+    listen_addr: 0.0.0.0:8080
+
+    # Address to listen to /metrics and /debug, you may want
+    # to keep this endpoint private to your internal network
+    metrics_listen_addr: 127.0.0.1:9090
+
+    # Address to listen for gRPC.
+    # gRPC is used for controlling a headscale server
+    # remotely with the CLI
+    # Note: Remote access _only_ works if you have
+    # valid certificates.
+    #
+    # For production:
+    # grpc_listen_addr: 0.0.0.0:50443
+    grpc_listen_addr: 127.0.0.1:50443
+
+    # Allow the gRPC admin interface to run in INSECURE
+    # mode. This is not recommended as the traffic will
+    # be unencrypted. Only enable if you know what you
+    # are doing.
+    grpc_allow_insecure: false
+
+    # The Noise section includes specific configuration for the
+    # TS2021 Noise protocol
+    noise:
+      # The Noise private key is used to encrypt the traffic between headscale and
+      # Tailscale clients when using the new Noise-based protocol. A missing key
+      # will be automatically generated.
+      private_key_path: /var/lib/headscale/noise_private.key
+
+    # List of IP prefixes to allocate tailaddresses from.
+    # Each prefix consists of either an IPv4 or IPv6 address,
+    # and the associated prefix length, delimited by a slash.
+    # It must be within IP ranges supported by the Tailscale
+    # client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
+    # See below:
+    # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
+    # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
+    # Any other range is NOT supported, and it will cause unexpected issues.
+    prefixes:
+      v4: 100.64.0.0/10
+      v6: fd7a:115c:a1e0::/48
+
+      # Strategy used for allocation of IPs to nodes, available options:
+      # - sequential (default): assigns the next free IP from the previous given IP.
+      # - random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).
+      allocation: sequential
+
+    # DERP is a relay system that Tailscale uses when a direct
+    # connection cannot be established.
+    # https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
+    #
+    # headscale needs a list of DERP servers that can be presented
+    # to the clients.
+    derp:
+      server:
+        # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
+        # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
+        enabled: false
+
+        # Region ID to use for the embedded DERP server.
+        # The local DERP prevails if the region ID collides with other region ID coming from
+        # the regular DERP config.
+        region_id: 999
+
+        # Region code and name are displayed in the Tailscale UI to identify a DERP region
+        region_code: "headscale"
+        region_name: "Headscale Embedded DERP"
+
+        # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
+        # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
+        #
+        # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
+        stun_listen_addr: "0.0.0.0:3478"
+
+        # Private key used to encrypt the traffic between headscale DERP and
+        # Tailscale clients. A missing key will be automatically generated.
+        private_key_path: /var/lib/headscale/derp_server_private.key
+
+        # This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
+        # it enables the creation of your very own DERP map entry using a locally available file with the parameter DERP.paths
+        # If you enable the DERP server and set this to false, it is required to add the DERP server to the DERP map using DERP.paths
+        automatically_add_embedded_derp_region: true
+
+        # For better connection stability (especially when using an Exit-Node and DNS is not working),
+        # it is possible to optionally add the public IPv4 and IPv6 address to the Derp-Map using:
+        ipv4: 1.2.3.4
+        ipv6: 2001:db8::1
+
+      # List of externally available DERP maps encoded in JSON
+      urls:
+        - https://controlplane.tailscale.com/derpmap/default
+
+      # Locally available DERP map files encoded in YAML
+      #
+      # This option is mostly interesting for people hosting
+      # their own DERP servers:
+      # https://tailscale.com/kb/1118/custom-derp-servers/
+      #
+      # paths:
+      #   - /etc/headscale/derp-example.yaml
+      paths: []
+
+      # If enabled, a worker will be set up to periodically
+      # refresh the given sources and update the derpmap
+      # will be set up.
+      auto_update_enabled: true
+
+      # How often should we check for DERP updates?
+      update_frequency: 24h
+
+    # Disables the automatic check for headscale updates on startup
+    disable_check_updates: false
+
+    # Time before an inactive ephemeral node is deleted?
+    ephemeral_node_inactivity_timeout: 30m
+
+    database:
+      # Database type. Available options: sqlite, postgres
+      # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
+      # All new development, testing and optimisations are done with SQLite in mind.
+      type: sqlite
+
+      # Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
+      debug: false
+
+      # GORM configuration settings.
+      gorm:
+        # Enable prepared statements.
+        prepare_stmt: true
+
+        # Enable parameterized queries.
+        parameterized_queries: true
+
+        # Skip logging "record not found" errors.
+        skip_err_record_not_found: true
+
+        # Threshold for slow queries in milliseconds.
+        slow_threshold: 1000
+
+      # SQLite config
+      sqlite:
+        path: /persistence/db.sqlite
+
+        # Enable WAL mode for SQLite. This is recommended for production environments.
+        # https://www.sqlite.org/wal.html
+        write_ahead_log: true
+
+        # Maximum number of WAL file frames before the WAL file is automatically checkpointed.
+        # https://www.sqlite.org/c3ref/wal_autocheckpoint.html
+        # Set to 0 to disable automatic checkpointing.
+        wal_autocheckpoint: 1000
+
+
+    ### TLS configuration
+    #
+    ## Let's encrypt / ACME
+    #
+    # headscale supports automatically requesting and setting up
+    # TLS for a domain with Let's Encrypt.
+    #
+    # URL to ACME directory
+    acme_url: https://acme-v02.api.letsencrypt.org/directory
+
+    # Email to register with ACME provider
+    acme_email: ""
+
+    # Domain name to request a TLS certificate for:
+    tls_letsencrypt_hostname: ""
+
+    # Path to store certificates and metadata needed by
+    # letsencrypt
+    # For production:
+    tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+
+    # Type of ACME challenge to use, currently supported types:
+    # HTTP-01 or TLS-ALPN-01
+    # See: docs/ref/tls.md for more information
+    tls_letsencrypt_challenge_type: HTTP-01
+    # When HTTP-01 challenge is chosen, letsencrypt must set up a
+    # verification endpoint, and it will be listening on:
+    # :http = port 80
+    tls_letsencrypt_listen: ":http"
+
+    ## Use already defined certificates:
+    tls_cert_path: ""
+    tls_key_path: ""
+
+    log:
+      # Output formatting for logs: text or json
+      format: text
+      level: info
+
+    ## Policy
+    # headscale supports Tailscale's ACL policies.
+    # Please have a look to their KB to better
+    # understand the concepts: https://tailscale.com/kb/1018/acls/
+    policy:
+      # The mode can be "file" or "database" that defines
+      # where the ACL policies are stored and read from.
+      mode: file
+      # If the mode is set to "file", the path to a
+      # HuJSON file containing ACL policies.
+      path: ""
+
+    ## DNS
+    #
+    # headscale supports Tailscale's DNS configuration and MagicDNS.
+    # Please have a look to their KB to better understand the concepts:
+    #
+    # - https://tailscale.com/kb/1054/dns/
+    # - https://tailscale.com/kb/1081/magicdns/
+    # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
+    #
+    # Please note that for the DNS configuration to have any effect,
+    # clients must have the `--accept-dns=true` option enabled. This is the
+    # default for the Tailscale client. This option is enabled by default
+    # in the Tailscale client.
+    #
+    # Setting _any_ of the configuration and `--accept-dns=true` on the
+    # clients will integrate with the DNS manager on the client or
+    # overwrite /etc/resolv.conf.
+    # https://tailscale.com/kb/1235/resolv-conf
+    #
+    # If you want stop Headscale from managing the DNS configuration
+    # all the fields under `dns` should be set to empty values.
+    dns:
+      # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
+      magic_dns: true
+
+      # Defines the base domain to create the hostnames for MagicDNS.
+      # This domain _must_ be different from the server_url domain.
+      # `base_domain` must be a FQDN, without the trailing dot.
+      # The FQDN of the hosts will be
+      # `hostname.base_domain` (e.g., _myhost.example.com_).
+      base_domain: example.com
+
+      # List of DNS servers to expose to clients.
+      nameservers:
+        global:
+          - 1.1.1.1
+          - 1.0.0.1
+          - 2606:4700:4700::1111
+          - 2606:4700:4700::1001
+
+          # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+          # "abc123" is example NextDNS ID, replace with yours.
+          # - https://dns.nextdns.io/abc123
+
+        # Split DNS (see https://tailscale.com/kb/1054/dns/),
+        # a map of domains and which DNS server to use for each.
+        split:
+          {}
+          # foo.bar.com:
+          #   - 1.1.1.1
+          # darp.headscale.net:
+          #   - 1.1.1.1
+          #   - 8.8.8.8
+
+      # Set custom DNS search domains. With MagicDNS enabled,
+      # your tailnet base_domain is always the first search domain.
+      search_domains: []
+
+      # Extra DNS records
+      # so far only A and AAAA records are supported (on the tailscale side)
+      # See: docs/ref/dns.md
+      extra_records: []
+      #   - name: "grafana.myvpn.example.com"
+      #     type: "A"
+      #     value: "100.64.0.3"
+      #
+      #   # you can also put it in one line
+      #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
+      #
+      # Alternatively, extra DNS records can be loaded from a JSON file.
+      # Headscale processes this file on each change.
+      # extra_records_path: /var/lib/headscale/extra-records.json
+
+    # Unix socket used for the CLI to connect without authentication
+    # Note: for production you will want to set this to something like:
+    unix_socket: /var/run/headscale/headscale.sock
+    unix_socket_permission: "0770"
+    #
+    # headscale supports experimental OpenID connect support,
+    # it is still being tested and might have some bugs, please
+    # help us test it.
+    # OpenID Connect
+    # oidc:
+    #   only_start_if_oidc_is_available: true
+    #   issuer: "https://your-oidc.issuer.com/path"
+    #   client_id: "your-oidc-client-id"
+    #   client_secret: "your-oidc-client-secret"
+    #   # Alternatively, set `client_secret_path` to read the secret from the file.
+    #   # It resolves environment variables, making integration to systemd's
+    #   # `LoadCredential` straightforward:
+    #   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
+    #   # client_secret and client_secret_path are mutually exclusive.
+    #
+    #   # The amount of time from a node is authenticated with OpenID until it
+    #   # expires and needs to reauthenticate.
+    #   # Setting the value to "0" will mean no expiry.
+    #   expiry: 180d
+    #
+    #   # Use the expiry from the token received from OpenID when the user logged
+    #   # in, this will typically lead to frequent need to reauthenticate and should
+    #   # only been enabled if you know what you are doing.
+    #   # Note: enabling this will cause `oidc.expiry` to be ignored.
+    #   use_expiry_from_token: false
+    #
+    #   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
+    #   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+    #
+    #   scope: ["openid", "profile", "email", "custom"]
+    #   extra_params:
+    #     domain_hint: example.com
+    #
+    #   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
+    #   # authentication request will be rejected.
+    #
+    #   allowed_domains:
+    #     - example.com
+    #   # Note: Groups from keycloak have a leading '/'
+    #   allowed_groups:
+    #     - /headscale
+    #   allowed_users:
+    #     - alice@example.com
+    #
+    #   # Optional: PKCE (Proof Key for Code Exchange) configuration
+    #   # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
+    #   # by preventing authorization code interception attacks
+    #   # See https://datatracker.ietf.org/doc/html/rfc7636
+    #   pkce:
+    #     # Enable or disable PKCE support (default: false)
+    #     enabled: false
+    #     # PKCE method to use:
+    #     # - plain: Use plain code verifier
+    #     # - S256: Use SHA256 hashed code verifier (default, recommended)
+    #     method: S256
+    #
+    #   # Map legacy users from pre-0.24.0 versions of headscale to the new OIDC users
+    #   # by taking the username from the legacy user and matching it with the username
+    #   # provided by the OIDC. This is useful when migrating from legacy users to OIDC
+    #   # to force them using the unique identifier from the OIDC and to give them a
+    #   # proper display name and picture if available.
+    #   # Note that this will only work if the username from the legacy user is the same
+    #   # and there is a possibility for account takeover should a username have changed
+    #   # with the provider.
+    #   # When this feature is disabled, it will cause all new logins to be created as new users.
+    #   # Note this option will be removed in the future and should be set to false
+    #   # on all new installations, or when all users have logged in with OIDC once.
+    #   map_legacy_users: false
+
+    # Logtail configuration
+    # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
+    # to instruct tailscale nodes to log their activity to a remote server.
+    logtail:
+      # Enable logtail for this headscales clients.
+      # As there is currently no support for overriding the log server in headscale, this is
+      # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
+      enabled: false
+
+    # Enabling this option makes devices prefer a random port for WireGuard traffic over the
+    # default static port 41641. This option is intended as a workaround for some buggy
+    # firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
+    randomize_client_port: false

infrastructure/headscale/ingress.yaml

@@ -0,0 +1,17 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: headscale-ingressroute
+
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`headscale.kluster.moll.re`)
+    kind: Rule
+    services:
+    - name: headscale-web
+      port: 8080
+
+  tls:
+    certResolver: default-tls 

infrastructure/headscale/kustomization.yaml

@@ -0,0 +1,22 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: headscale
+
+resources:
+  - namespace.yaml
+  - headscale-config.configmap.yaml
+  - headplane-config.configmap.yaml
+  - pvc.yaml
+  - deployment.yaml
+  - serviceaccount.yaml
+  - service.yaml
+  - ingress.yaml
+
+images:
+  - name: headscale
+    newName: headscale/headscale # has all plugins
+    newTag: v0.25.1
+  - name: headplane
+    newName: ghcr.io/tale/headplane
+    newTag: "0.5.10"

infrastructure/headscale/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder
+  labels:
+    pod-security.kubernetes.io/enforce: privileged 

infrastructure/headscale/pvc.yaml

@@ -0,0 +1,23 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: headscale-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: headplane-data
+spec:
+  storageClassName: "nfs-client"
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

infrastructure/headscale/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: headscale-web
+spec:
+  selector:
+    app: headscale
+  ports:
+  - port: 8080
+    targetPort: 8080

infrastructure/headscale/serviceaccount.yaml

@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: headplane-agent
+  # namespace: default # Adjust namespace as needed
+rules:
+- apiGroups: ['']
+  resources: ['pods']
+  verbs: ['get', 'list']
+- apiGroups: ['apps']
+  resources: ['deployments']
+  verbs: ['get', 'list']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: headplane-agent
+  # namespace: default # Adjust namespace as needed
+roleRef:
+    apiGroup: rbac.authorization.k8s.io
+    kind: Role
+    name: headplane-agent
+subjects:
+- kind: ServiceAccount
+  name: default # If you use a different service account, change this
+  # namespace: default # Adjust namespace as needed

infrastructure/monitoring/kustomization.yaml

@@ -6,7 +6,7 @@ namespace: monitoring
 resources: 
   - namespace.yaml
   # prometheus-operator crds
-  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.80.0
+  - https://github.com/prometheus-operator/prometheus-operator?ref=v0.82.0
   # single prometheus instance with a thanos sidecar
   - prometheus.yaml
   - thanos-store.statefulset.yaml
@@ -17,17 +17,17 @@ resources:
 images:
   - name: thanos
     newName: quay.io/thanos/thanos
-    newTag: v0.37.2
+    newTag: v0.38.0
 
 
 helmCharts:
   - name: loki
     releaseName: loki
     repo: https://grafana.github.io/helm-charts
-    version: 6.25.1
+    version: 6.29.0
     valuesFile: loki.values.yaml
   - name: prometheus-node-exporter
     releaseName: prometheus-node-exporter
     repo: https://prometheus-community.github.io/helm-charts
-    version: 4.43.1
+    version: 4.45.2
     valuesFile: prometheus-node-exporter.values.yaml

infrastructure/pg-ha/kustomization.yaml

@@ -9,6 +9,6 @@ namespace: pg-ha
 helmCharts:
   - name: cloudnative-pg
     releaseName: pg-controller
-    version: 0.23.0
+    version: 0.23.2
     valuesFile: values.yaml
     repo: https://cloudnative-pg.io/charts/

infrastructure/sealedsecrets/kustomization.yaml

@@ -9,4 +9,4 @@ resources:
 images:
   - name: controller
     newName: docker.io/bitnami/sealed-secrets-controller
-    newTag: 0.28.0
+    newTag: 0.29.0

infrastructure/traefik-system/kustomization.yaml

@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 33.2.1
+    version: 35.0.1
     valuesFile: values.yaml
     repo: https://traefik.github.io/charts