From a644eb1c8ecde86e5c6018c00e41fed09490ac99 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Tue, 24 Mar 2026 14:51:09 +0200
Subject: [PATCH] headscale: add STUN port, upgrade to 0.28.0, fix Home DERP
 connectivity

- Expose STUN port 3479/UDP on container and LoadBalancer service
- Upgrade headscale from 0.23.0 to 0.28.0
- Vault config updated: auto DERP region with ipv4 field, ISP router
  port forward for UDP 3479 added

Home DERP now shows ~3ms latency and is selected as nearest relay.
---
 stacks/headscale/modules/headscale/main.tf | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/stacks/headscale/modules/headscale/main.tf b/stacks/headscale/modules/headscale/main.tf
index 4d5e9dc6..fc330049 100644
--- a/stacks/headscale/modules/headscale/main.tf
+++ b/stacks/headscale/modules/headscale/main.tf
@@ -71,8 +71,8 @@ resource "kubernetes_deployment" "headscale" {
       }
       spec {
         container {
-          image = "headscale/headscale:0.23.0"
-          # image   = "headscale/headscale:0.23.0-debug" # -debug is for debug images
+          image = "headscale/headscale:0.28.0"
+          # image   = "headscale/headscale:0.28.0-debug" # -debug is for debug images
           name    = "headscale"
           command = ["headscale", "serve"]
 
@@ -95,6 +95,10 @@ resource "kubernetes_deployment" "headscale" {
           port {
             container_port = 41641
           }
+          port {
+            container_port = 3479
+            protocol       = "UDP"
+          }
 
           liveness_probe {
             http_get {
@@ -304,6 +308,11 @@ resource "kubernetes_service" "headscale-server" {
       port     = "41641"
       protocol = "UDP"
     }
+    port {
+      name     = "stun"
+      port     = "3479"
+      protocol = "UDP"
+    }
   }
 }