fix empty acl error and begin work on webserver deployments with nginx

2024-01-03 01:56:01 -05:00 · 2024-01-03 01:56:01 -05:00 · 562df598d0
commit 562df598d0
parent edf638080a
3 changed files with 52 additions and 32 deletions
--- a/roles/vpn/files/config/acl.yml
+++ b/roles/vpn/files/config/acl.yml
@ -1 +1,4 @@
 ---
+groups:
+  admin:
+    - "lizzy"
--- a/roles/vpn/files/config/config.yml
+++ b/roles/vpn/files/config/config.yml
@ -149,37 +149,6 @@ db_path: /var/lib/headscale/db.sqlite
 # in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
 # db_ssl: false

-### TLS configuration
-#
-## Let's encrypt / ACME
-#
-# headscale supports automatically requesting and setting up
-# TLS for a domain with Let's Encrypt.
-#
-# URL to ACME directory
-acme_url: https://acme-v02.api.letsencrypt.org/directory
-
-# Email to register with ACME provider
-acme_email: "elizabeth.hunt@simponic.xyz"
-
-# Domain name to request a TLS certificate for:
-tls_letsencrypt_hostname: "headscale.simponic.xyz"
-
-# Path to store certificates and metadata needed by
-# letsencrypt
-# For production:
-tls_letsencrypt_cache_dir: /var/lib/headscale/cache
-
-# Type of ACME challenge to use, currently supported types:
-# HTTP-01 or TLS-ALPN-01
-# See [docs/tls.md](docs/tls.md) for more information
-tls_letsencrypt_challenge_type: HTTP-01
-# When HTTP-01 challenge is chosen, letsencrypt must set up a
-# verification endpoint, and it will be listening on:
-# :http = port 80
-tls_letsencrypt_listen: ":http"
-
-## Use already defined certificates:
 tls_cert_path: ""
 tls_key_path: ""

@ -191,7 +160,7 @@ log:
 # Path to a file containg ACL policies.
 # ACLs can be defined as YAML or HUJSON.
 # https://tailscale.com/kb/1018/acls/
-acl_policy_path: ""
+acl_policy_path: "/etc/headscale/acl.yml"

 ## DNS
 #
--- a/roles/webservers/files/nijika/headscale.simponic.xyz
+++ b/roles/webservers/files/nijika/headscale.simponic.xyz
@ -0,0 +1,48 @@
+server {
+    server_name headscale.simponic.xyz;
+
+    location /web {
+        proxy_pass https://127.0.0.1:9443;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host $server_name;
+        proxy_redirect http:// https://;
+        proxy_buffering off;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+    }
+
+    location / {
+        proxy_pass https://127.0.0.1:27896;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host $server_name;
+        proxy_redirect http:// https://;
+        proxy_buffering off;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+    }
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/headscale.simponic.xyz/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/headscale.simponic.xyz/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+    keepalive_timeout 70;
+}
+
+server {
+    if ($host = headscale.simponic.xyz) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    server_name headscale.simponic.xyz;
+    listen 80;
+    return 404; # managed by Certbot
+}