From a42003fb8fb51e58e2d884a4821054d1f8f744fa Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 28 Mar 2026 14:26:51 +0200
Subject: [PATCH] fix: add dedicated DERP IngressRoute bypassing middlewares

CrowdSec, rate limiting, anti-AI, and error pages middlewares were interfering with the Upgrade: DERP protocol handshake. Also updated Headscale ACL in Vault to allow tailnet DNS traffic to Technitium (10.0.20.200:53).
---
 stacks/headscale/modules/headscale/main.tf | 32 ++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/stacks/headscale/modules/headscale/main.tf b/stacks/headscale/modules/headscale/main.tf
index 5545eb03..bf73f28c 100644
--- a/stacks/headscale/modules/headscale/main.tf
+++ b/stacks/headscale/modules/headscale/main.tf
@@ -268,6 +268,38 @@ module "ingress" {
   }
 }
 
+# Dedicated IngressRoute for DERP — bypasses CrowdSec, rate limiting, anti-AI,
+# and error pages middlewares that interfere with the Upgrade: DERP protocol.
+resource "kubernetes_manifest" "derp_ingress_route" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind = "IngressRoute"
+    metadata = {
+      name = "headscale-derp"
+      namespace = kubernetes_namespace.headscale.metadata[0].name
+    }
+    spec = {
+      entryPoints = ["websecure"]
+      routes = [{
+        match = "Host(`headscale.viktorbarzin.me`) && PathPrefix(`/derp`)"
+        kind = "Rule"
+        services = [{
+          name = kubernetes_service.headscale.metadata[0].name
+          port = 8080
+        }]
+        # Only retry middleware — no CrowdSec, rate limit, anti-AI, error pages
+        middlewares = [{
+          name = "retry"
+          namespace = "traefik"
+        }]
+      }]
+      tls = {
+        secretName = var.tls_secret_name
+      }
+    }
+  }
+}
+
 module "ingress-ui" {
   source = "../../../../modules/kubernetes/ingress_factory"
   namespace = kubernetes_namespace.headscale.metadata[0].name
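Review bot: The new route exposes `/derp` on a public host with neither rate limiting nor CrowdSec in front of it, and whether this rule actually wins over the existing `module "ingress"` route depends on Traefik's default rule-length ordering rather than anything stated here; I would make the intent explicit with `priority = 100` next to `match` (assuming the module's route is a plain `Host()` rule, which is outside the hunk). The comment on `middlewares` should also record what protects the relay once edge filtering is gone — presumably the DERP server's own client checks plus the access logs — so a later maintainer neither re-adds the middlewares nor assumes the endpoint is still throttled. Depending on the Traefik version, PathPrefix(`/derp`) may also match any path that merely starts with that string; if only `/derp` and its sub-paths are meant, Path(`/derp`) || PathPrefix(`/derp/`) is the tighter form. The hard-coded `headscale.viktorbarzin.me` and `port = 8080` duplicate values that the surrounding ingress module presumably derives from variables, so the host would drift silently if that variable changes.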