From f4ff654a691f3d1291cac8f21914b709d7a69ae0 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 28 Mar 2026 15:44:13 +0200
Subject: [PATCH] perf: optimize Headscale for connectivity and latency
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove viktorbarzin.me from split DNS (same IPs as public DNS, was adding unnecessary tunnel overhead for every DNS query)
- Narrow reverse DNS split scope from 10.0.0.0/8 → 10.0.20.0/24 and 10.0.10.0/24 only; 192.168.0.0/16 → 192.168.1.0/24 only
- Add extra_records for key internal services (technitium, k8s-master) for instant MagicDNS resolution without tunnel roundtrip
- Replace full Tailscale DERP map (29 regions) with curated set: home + 8 European + 5 global fallback DERPs (14 total)
- Add custom derp.yaml to ConfigMap, sourced from Vault

Port 80 DERP dropped — Traefik's global HTTP→HTTPS redirect prevents non-TLS DERP upgrades on the web entrypoint.
---
 stacks/headscale/main.tf | 1 +
 stacks/headscale/modules/headscale/main.tf | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/stacks/headscale/main.tf b/stacks/headscale/main.tf
index 5741c9aa..8fd0c3e3 100644
--- a/stacks/headscale/main.tf
+++ b/stacks/headscale/main.tf
@@ -16,6 +16,7 @@ module "headscale" {
 nfs_server = var.nfs_server
 headscale_config = data.vault_kv_secret_v2.secrets.data["headscale_config"]
 headscale_acl = data.vault_kv_secret_v2.secrets.data["headscale_acl"]
+ headscale_derp_map = data.vault_kv_secret_v2.secrets.data["headscale_derp_map"]
 homepage_token = try(local.homepage_credentials["headscale"]["api_key"], "")
 tier = local.tiers.core
 ui_cookie_secret = data.vault_kv_secret_v2.secrets.data["headscale_ui_cookie_secret"]
diff --git a/stacks/headscale/modules/headscale/main.tf b/stacks/headscale/modules/headscale/main.tf
index 98b6575a..33cb83dc 100644
--- a/stacks/headscale/modules/headscale/main.tf
+++ b/stacks/headscale/modules/headscale/main.tf
@@ -17,6 +17,9 @@ variable "ui_api_key" {
 type = string
 sensitive = true
 }
+variable "headscale_derp_map" {
+ type = string
+}
 resource "kubernetes_namespace" "headscale" {
 metadata {
@@ -151,6 +154,10 @@ resource "kubernetes_deployment" "headscale" {
 key = "acl.yaml"
 path = "acl.yaml"
 }
+ items {
+ key = "derp.yaml"
+ path = "derp.yaml"
+ }
 }
 }
@@ -370,6 +377,7 @@ resource "kubernetes_config_map" "headscale-config" {
 data = {
 "config.yaml" = var.headscale_config
 "acl.yaml" = var.headscale_acl
+ "derp.yaml" = var.headscale_derp_map
 }
 }
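Review bot: The new `headscale_derp_map` variable in the first hunk is declared with only `type = string`, so whatever is stored under the Vault key is rendered into `derp.yaml` unchecked. A malformed value would presumably surface only when Headscale fails to parse the file at startup. A `description` plus a `validation` block built on `can(yamldecode(...))` would reject it at plan time; the fence shows the declaration with both added. Unlike the neighbouring `ui_api_key` it is not marked `sensitive`, which looks intentional for a relay map, and the description is a good place to say so.

```hcl
variable "headscale_derp_map" {
  type        = string
  description = "Contents of derp.yaml (Headscale DERP map), read from Vault. Not a secret."
  validation {
    condition     = can(yamldecode(var.headscale_derp_map))
    error_message = "headscale_derp_map must be valid YAML."
  }
}
```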
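Review bot: Nothing in this patch shows Headscale being told to load the new file: the `items` entry in the second hunk and the `"derp.yaml"` key in the third only place it in the ConfigMap volume, while the `derp.paths` and `derp.urls` settings that decide which map is served live in `config.yaml`, which is held in Vault as `headscale_config`. If `derp.urls` still lists the default Tailscale map, the curated set would presumably be merged with it rather than replace it, so the relay set handed to clients cannot be audited from the repository alone. I would add a comment above the new `items` block, for example `# loaded only if config.yaml (Vault key headscale_config) lists this file under derp.paths; clear derp.urls to drop the default map`. Both resources start and end outside the hunks, so the mount directory and any restart-on-change annotation are not visible here.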