2 files changed, 28 insertions, 1 deletions

diff --git a/playbooks/roles/traefik/templates/stacks/docker-compose.yml b/playbooks/roles/traefik/templates/stacks/docker-compose.yml
index 9f999e3..dfdd6ba 100644
--- a/playbooks/roles/traefik/templates/stacks/docker-compose.yml
+++ b/playbooks/roles/traefik/templates/stacks/docker-compose.yml
@@ -1,7 +1,32 @@
-version: '3.8'
 services:
+  headscale-client:
+    image: tailscale/tailscale:latest
+    hostname: headscale-traefik
+    restart: unless-stopped
+    environment:
+      - TS_AUTHKEY={{ headscale_user_auth_key }}
+      - TS_EXTRA_ARGS=--login-server=https://{{ headscale_host }} --accept-dns --stateful-filtering=false
+      - TS_STATE_DIR=/var/lib/tailscale
+      - TS_USERSPACE=false
+      - TZ={{ timezone }}
+    volumes:
+      - {{ traefik_base }}/volumes/headscale:/var/lib/tailscale
+      - /dev/net/tun:/dev/net/tun
+    cap_add:
+      - NET_ADMIN
+      - SYS_ADMIN
+    networks:
+      - headnet
+    deploy:
+      mode: replicated
+      replicas: 1
+      placement:
+        constraints: [node.role == manager]
   traefik:
     image: traefik:v3
+    restart: unless-stopped
+    depends_on:
+      - headscale-client
     ports:
       - 80:80
       - 443:443
@@ -17,6 +42,7 @@ services:
       - {{ traefik_base }}/volumes/certs:/certs
     networks:
       - proxy
+      - headnet
     deploy:
       mode: global
       placement:
@@ -39,3 +65,4 @@ networks:
     name: proxy
     driver: overlay
     attachable: true
+  headnet:
diff --git a/playbooks/roles/traefik/templates/volumes/headscale/.gitkeep b/playbooks/roles/traefik/templates/volumes/headscale/.gitkeep
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/playbooks/roles/traefik/templates/volumes/headscale/.gitkeep