
Route private services through Headscale #602

Merged

mulatta merged 7 commits into main from tailnet-private-services-base on Jul 3, 2026

Conversation

@mulatta

@mulatta mulatta commented Jul 3, 2026

Collaborator

Route browser-facing internal services through Headscale-resolved names while keeping non-browser/API services private.

Highlights:

  • Remove public Cloudflare records for internal service hostnames.
  • Move Grafana and Vaultwarden browser ingress to tailnet-only access.
  • Publish Gatus at status.sjanglab.org as a tailnet-only status page without a dashboard password.
  • Preserve Vaultwarden direct OIDC instead of forward auth.
  • Keep disabled AI API services dormant.
  • Update nginx forward-auth headers for private ingress.

Stack:

  • Base PR in private-service stack.

mulatta added 3 commits July 3, 2026 03:39
The GitHub provider deprecated the inline pages block on repositories, and keeping it there left a persistent plan diff. Move Pages management to github_repository_pages so live state converges cleanly.
Keep Cloudflare DNS limited to endpoints that need public resolution so private services cannot be discovered through the public zone.
Keep dashboards reachable to administrators without relying on a public Cloudflare record or eta public ingress.
@mulatta changed the title from "github: manage Pages with dedicated resource" to "Route private services through Headscale" on Jul 3, 2026
mulatta added 4 commits July 3, 2026 13:54
Expose the status dashboard on a Headscale-resolved name without browser auth, while keeping the HTTPS vhost reachable only from tailnet clients. Internal users can inspect service health without sharing a dashboard password, and no public DNS record is published for the service.
Preserve the existing eta data service while moving browser ingress behind a Headscale-resolved tau proxy.
Authentik forward auth selects proxy providers by request host. Forward the normalized host headers to the outpost so protected internal services return an auth challenge instead of 404-backed 500 responses.

Vaultwarden still runs on eta, while split-DNS sends clients to tau. Point tau's tailnet proxy at eta over wg-admin to avoid a dead localhost upstream.
Avoid renewing certificates for disabled Ollama and vLLM deployments while documenting that API clients need token-style auth instead of browser redirects.
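The forward-auth commit above describes a failure mode worth seeing in config form: nginx's auth_request treats any subrequest status other than 2xx, 401 or 403 as an error and returns 500 to the client, so an outpost that cannot match the request host to a proxy provider answers 404 and the browser sees a 500 instead of a login challenge. The vhost below is an added illustration, not config from this PR or the project's repository. It assumes an Authentik outpost on 127.0.0.1:9000, Grafana on 127.0.0.1:3000, a hostname grafana.sjanglab.org, the default tailnet CGNAT range 100.64.0.0/10 and placeholder certificate paths; none of those values appear on the page.

```nginx
# Added example, not the project's own config. Assumed values: outpost on
# 127.0.0.1:9000, Grafana on 127.0.0.1:3000, hostname grafana.sjanglab.org,
# tailnet range 100.64.0.0/10, placeholder certificate paths.

# Weak form: the auth subrequest does not forward the client's Host, so the
# outpost sees its own hostname, finds no proxy provider for it and answers
# 404. auth_request maps that to a 500 for the browser.
#
#   location /outpost.goauthentik.io {
#       proxy_pass http://127.0.0.1:9000/outpost.goauthentik.io;
#       proxy_pass_request_body off;
#       proxy_set_header Content-Length "";
#   }

# Corrected form: forward the normalized host ($host, lowercased and without
# the port) and the original URL so the outpost selects the provider for this
# vhost and returns 401, which nginx turns into a redirect to the sign-in flow.
server {
    listen 443 ssl;
    server_name grafana.sjanglab.org;

    ssl_certificate     /etc/ssl/grafana/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/grafana/privkey.pem;     # placeholder

    # Tailnet-only vhost: refuse anything that did not arrive over Headscale.
    allow 100.64.0.0/10;
    deny  all;

    location / {
        auth_request /outpost.goauthentik.io/auth/nginx;
        error_page 401 = @goauthentik_proxy_signin;

        # Re-emit any cookie the outpost set during the subrequest.
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header Set-Cookie $auth_cookie;

        # Pass the identity header the outpost derived to the upstream app.
        auth_request_set $authentik_username $upstream_http_x_authentik_username;
        proxy_set_header X-authentik-username $authentik_username;

        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
    }

    location /outpost.goauthentik.io {
        proxy_pass http://127.0.0.1:9000/outpost.goauthentik.io;
        proxy_set_header Host $host;                                   # provider selection key
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        # auth subrequests carry no body; drop it and the stale Content-Length.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    location @goauthentik_proxy_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    }
}
```

To confirm the fix, request the vhost from a tailnet client without a session and check that the response is a 302 to /outpost.goauthentik.io/start rather than a 500; then request it from a non-tailnet address and check that nginx answers 403 from the allow/deny rules before any auth subrequest is made.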
@mulatta force-pushed the tailnet-private-services-base branch from 39a8814 to 09f4404 on July 3, 2026 04:55
@mulatta mulatta merged commit 46f654b into main Jul 3, 2026
3 of 4 checks passed
@mulatta mulatta deleted the tailnet-private-services-base branch July 3, 2026 05:30