From 562df598d0303b17e0b040411507f52f3b40d967 Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt <elizabeth.hunt@simponic.xyz>
Date: Wed, 3 Jan 2024 01:56:01 -0500
Subject: [PATCH] fix empty acl error and begin work on webserver deployments
 with nginx

---
 roles/vpn/files/config/acl.yml                |  3 ++
 roles/vpn/files/config/config.yml             | 33 +------------
 .../files/nijika/headscale.simponic.xyz       | 48 +++++++++++++++++++
 3 files changed, 52 insertions(+), 32 deletions(-)
 create mode 100644 roles/webservers/files/nijika/headscale.simponic.xyz

diff --git a/roles/vpn/files/config/acl.yml b/roles/vpn/files/config/acl.yml
index ed97d53..c00cf48 100644
--- a/roles/vpn/files/config/acl.yml
+++ b/roles/vpn/files/config/acl.yml
@@ -1 +1,4 @@
 ---
+groups:
+  admin:
+    - "lizzy"
diff --git a/roles/vpn/files/config/config.yml b/roles/vpn/files/config/config.yml
index 17ab98b..3942feb 100644
--- a/roles/vpn/files/config/config.yml
+++ b/roles/vpn/files/config/config.yml
@@ -149,37 +149,6 @@ db_path: /var/lib/headscale/db.sqlite
 # in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
 # db_ssl: false
 
-### TLS configuration
-#
-## Let's encrypt / ACME
-#
-# headscale supports automatically requesting and setting up
-# TLS for a domain with Let's Encrypt.
-#
-# URL to ACME directory
-acme_url: https://acme-v02.api.letsencrypt.org/directory
-
-# Email to register with ACME provider
-acme_email: "elizabeth.hunt@simponic.xyz"
-
-# Domain name to request a TLS certificate for:
-tls_letsencrypt_hostname: "headscale.simponic.xyz"
-
-# Path to store certificates and metadata needed by
-# letsencrypt
-# For production:
-tls_letsencrypt_cache_dir: /var/lib/headscale/cache
-
-# Type of ACME challenge to use, currently supported types:
-# HTTP-01 or TLS-ALPN-01
-# See [docs/tls.md](docs/tls.md) for more information
-tls_letsencrypt_challenge_type: HTTP-01
-# When HTTP-01 challenge is chosen, letsencrypt must set up a
-# verification endpoint, and it will be listening on:
-# :http = port 80
-tls_letsencrypt_listen: ":http"
-
-## Use already defined certificates:
 tls_cert_path: ""
 tls_key_path: ""
 
@@ -191,7 +160,7 @@ log:
 # Path to a file containg ACL policies.
 # ACLs can be defined as YAML or HUJSON.
 # https://tailscale.com/kb/1018/acls/
-acl_policy_path: ""
+acl_policy_path: "/etc/headscale/acl.yml"
 
 ## DNS
 #
diff --git a/roles/webservers/files/nijika/headscale.simponic.xyz b/roles/webservers/files/nijika/headscale.simponic.xyz
new file mode 100644
index 0000000..442a2ac
--- /dev/null
+++ b/roles/webservers/files/nijika/headscale.simponic.xyz
@@ -0,0 +1,48 @@
+server {
+    server_name headscale.simponic.xyz;
+
+    location /web {
+        proxy_pass https://127.0.0.1:9443;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host $server_name;
+        proxy_redirect http:// https://;
+        proxy_buffering off;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+    }
+
+    location / {
+        proxy_pass https://127.0.0.1:27896;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host $server_name;
+        proxy_redirect http:// https://;
+        proxy_buffering off;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+    }
+
+    listen 443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/headscale.simponic.xyz/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/headscale.simponic.xyz/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+    keepalive_timeout 70;
+}
+
+server {
+    if ($host = headscale.simponic.xyz) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+    server_name headscale.simponic.xyz;
+    listen 80;
+    return 404; # managed by Certbot
+}