Add k8s deployment, standalone app Dockerfile.

Tested with Rancher k3s. See k8s/README.md for site configuration and
deployment instructions.

Add cert-manager, tls, remote headscale script.

k8s/production-tls/ingress-patch.yaml

@@ -0,0 +1,11 @@
+kind: Ingress
+metadata:
+  name: headscale
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    traefik.ingress.kubernetes.io/router.tls: "true"
+spec:
+  tls:
+  - hosts:
+    - $(PUBLIC_HOSTNAME)
+    secretName: production-cert

k8s/production-tls/kustomization.yaml

@@ -0,0 +1,9 @@
+namespace: headscale
+bases:
+- ../base
+resources:
+- production-issuer.yaml
+patches:
+- path: ingress-patch.yaml
+  target:
+    kind: Ingress

k8s/production-tls/production-issuer.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+spec:
+  acme:
+    # TODO: figure out how to get kustomize to interpolate this, or use a transformer
+    #email: $(CONTACT_EMAIL)
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource used to store the account's private key.
+      name: letsencrypt-production-acc-key
+    solvers:
+    - http01:
+        ingress:
+          class: traefik