Headscale

• Website
• GitHub Open source control server software
• Docs: Getting started
  • ACLs use case example
  • Setting custom DNS records
• Helm charts
  • gabe565 chart Artifacthub
  • gabe565 chart GitHub
• Container images
• FR: Support for WireGuard only peers

Headscale Web UI

• Headscale docs: Web Interface options
• Any WEB UI planned?
• gurucomputing/headscale-ui: See below
• GoodiesHQ/headscale-admin
  • Last commit 2024-04
  • Docker image
• Arispex/headscale-ui
  • Last commit 2024-02
  • JS
  • Only few commits
• ifargle/headscale-webui
  • State of project - Abandoned?
  • Stale, last commit 2023-05
• cockpit-headscale
  • Stale, last commit 2023-07

gurucomputing/headscale-ui

• GitHub
• Container images
• Bundles in both headscale helm charts
  • Configures ingress for /web
• Prometheus endpoint 127.0.0.1:9090/metrics
  • No real useful metrics

Configure

Connect UI to headscale server:

headscale apikeys create --expiration 3y

Server settings:

• Headscale API Key: $(gopass show --password token/$HEADSCALE_DOMAIN/api-token)

Headscale UI Usage

New client:

• Create a pre-auth key
• Users -> Varac -> Preauth Keys +

Ionscale

• GitHub
• Active, but lacking documentation
• No UI (headscale-ui: ionscale support ?)
• No helm chart so far

Manual registration and login

If the Headscale user varac doesn't exist yet, create it (only once):

headscale user create varac
headscale user list

Request node registration from a device:

sudo tailscale up --login-server https://$HEADSCALE_DOMAIN

Then follow the link from the browser to register the node in headscale:

headscale nodes register --user varac --key nodekey:$NODEKEY

Using a pre-auth key (deprecated)

Generate a preauth-key:

headscale --user $NODEUSER preauthkeys create --reusable --expiration 360d

Login using a preauth-key:

sudo tailscale up --login-server https://$HEADSCALE_DOMAIN \
  --authkey $(gopass show --password token/$HEADSCALE_DOMAIN/preauth-key/varac)

Ansible role

• artis3n-tailscale
• State file on each machine: ~/.local/state/artis3n-tailscale

Bootstrap new machine

Getting started: Using a preauthkey

Before configuring a device:

headscale user create varac

Register machine using a pre authenticated key

headscale --user varac preauthkeys create --reusable --expiration 3y

Use a tag:

headscale --user varac preauthkeys create --reusable --expiration 3y --tags tag:oas2

Then store token in gopass (token/hs.k.varac.net/varac/preauth-key/ANSIBLE_INVENTORY_HOSTNAME), add the device to the vpn inventory group and run ansible:

ansible-playbook -l zancas -t tailscale site.yml

Finally, accept the additional routes in the headscale UI.