headscale: add STUN port, upgrade to 0.28.0, fix Home DERP connectivity

- Expose STUN port 3479/UDP on container and LoadBalancer service - Upgrade headscale from 0.23.0 to 0.28.0 - Vault config updated: auto DERP region with ipv4 field, ISP router port forward for UDP 3479 added Home DERP now shows ~3ms latency and is selected as nearest relay.
2026-03-24 14:51:09 +02:00 · 2026-03-24 14:51:09 +02:00 · a644eb1c8e
commit a644eb1c8e
parent fafea4b110
1 changed files with 11 additions and 2 deletions
--- a/stacks/headscale/modules/headscale/main.tf
+++ b/stacks/headscale/modules/headscale/main.tf
@ -71,8 +71,8 @@ resource "kubernetes_deployment" "headscale" {
      }
      spec {
        container {
-          image = "headscale/headscale:0.23.0"
-          # image   = "headscale/headscale:0.23.0-debug" # -debug is for debug images
+          image = "headscale/headscale:0.28.0"
+          # image   = "headscale/headscale:0.28.0-debug" # -debug is for debug images
          name    = "headscale"
          command = ["headscale", "serve"]

@ -95,6 +95,10 @@ resource "kubernetes_deployment" "headscale" {
          port {
            container_port = 41641
          }
+          port {
+            container_port = 3479
+            protocol       = "UDP"
+          }

          liveness_probe {
            http_get {
@ -304,6 +308,11 @@ resource "kubernetes_service" "headscale-server" {
      port     = "41641"
      protocol = "UDP"
    }
+    port {
+      name     = "stun"
+      port     = "3479"
+      protocol = "UDP"
+    }
  }
 }