Headscale

[samcday]

My original designs/ideas used Tailscale for core control-plane API access, as well as cluster networking. I've since backed all that stuff out in favor of a simpler + local-first approach with kube-vip + Cilium L2 LB.

As a result, I have the option now to self-host my Tailscale usage. I've done that in the past by running Headscale on Fly.io, which worked well enough.

I can expose the Headscale control-plane API publicly the same way I do Synapse - via Cloudflare Tunnels.

DoD:

• [x] Headscale running with Postgres
• [x] Postgres backup bukkit
• [x] Subnet router for 10.0.1.0/24
• [x] All devices reconnected to Headscale tailnet (nothing logged into Tailscale.com)
• [x] Tailscale.com account deleted

Once the basics are in place, some interesting follow-up:

• Self-host OIDC for samcday.com and then thread that through Headscale (and then beyond, using the tailnet auth proxy stuff?)

[samcday]

I ran into the known issue with TS2021 API not working behind Cloudflare because of a nonstandard Upgrade.

I spent some time looking at the alternatives. I'm still intrigued by Nebula/Defined but the not-Wireguard aspect is an instant disqualification in my books. I'm gonna spend some time playing around with NetBird and/or Netmaker.

[samcday]

Decided to keep some of the baby with the bathwater, after all.

TS2021 might not work behind Cloudflare, but it mercifully works behind Tailscale Funnel.

So what I've done is deploy Dex and configure WebFinger OIDC discovery for samcday.com, and configured a new Tailscale.com tailnet via the Custom OIDC support. I then redeployed TS operator in the home cluster configured for this new Tailnet, and used its support for Funnel to trivially expose the Headscale ingress.

The one thing that super duper sux is no custom domain support. So instead of my headscale endpoint being available on https://headscale.samcday.com, it's https://headscale.taild2b250.ts.net, maybe something will change in future, though.