finish headscale setup

2024-01-02 19:05:01 -05:00 · 2024-01-02 19:05:01 -05:00 · b0a563db34
commit b0a563db34
parent c6a770bd1a
8 changed files with 50 additions and 35 deletions
--- a/deploy-webservers.yml
+++ b/deploy-webservers.yml
@ -0,0 +1,4 @@
+- name: webserver setup
+  hosts: webservers
+  roles:
+    - webservers
--- a/group_vars/vpn.yml
+++ b/group_vars/vpn.yml
@ -14,7 +14,6 @@ headscale_directories:
  - '{{ headscale_var_data_dir }}'
  - '{{ headscale_pid_dir }}'

-headscale_acl: {}
-headscale_users: []
+headscale_users: ['simponic']
 headscale_enable_routes: []
 headscale_exit_nodes: []
--- a/7
+++ b/7
@ -6,6 +6,7 @@ ryo  ansible_user=root ansible_connection=ssh

 [webservers]
 levi  ansible_user=root ansible_connection=ssh
+nijika  ansible_user=root ansible_connection=ssh
 #ash.internal.simponic.xyz  ansible_user=root ansible_connection=ssh

 [nameservers]
@ -18,10 +19,10 @@ ryo  ansible_user=root ansible_connection=ssh
 [dnsreplica]
 nijika  ansible_user=root ansible_connection=ssh

-[dnsinternal]
-johan ansible_user=root ansible_connection=ssh
-
 [vpn]
+nijika ansible_user=root ansible_connection=ssh
+
+[dnsinternal]
 johan ansible_user=root ansible_connection=ssh

 [mail]
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -22,10 +22,11 @@
 - name: install UFW
  apt: name=ufw state=latest

- name: allow ssh from everywhere
+- name: allow ssh from everywhere and enable
  ufw:
    rule: allow
    name: OpenSSH
+    state: enabled

 - name: restart ufw
  service: name=ufw state=restarted enabled=yes
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@ -1,14 +0,0 @@
---
- name: restart headscale service
-  service:
-    name: headscale
-    state: restarted
-    enabled: true
-    daemon-reload: true
-  listen: 'restart headscale'
-
- name: reload headscale
-  service:
-    name: headscale
-    state: reloaded
-  listen: 'reload headscale'
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@ -1,4 +1,11 @@
 ---
+## UFW
+- name: allow headscale tcp on 8080
+  ufw:
+    rule: allow
+    port: '8080'
+    proto: tcp
+
 ## INSTALL
 - name: create headscale user group
  group:
@ -51,13 +58,6 @@
    group: '{{ headscale_user_gid }}'
    mode: 0600

- name: daemon-reload and enable headscale
-  ansible.builtin.systemd_service:
-    state: restarted
-    daemon_reload: true
-    enabled: true
-    name: headscale
-
 ## CONFIG

 - name: copy configuration file template
@ -67,7 +67,6 @@
    owner: "{{ headscale_user_uid }}"
    group: "{{ headscale_user_gid }}"
    mode: "0600"
-  notify: reload headscale

 - name: copy acl policies file
  copy:
@ -76,8 +75,16 @@
    owner: '{{ headscale_user_uid }}'
    group: '{{ headscale_user_gid }}'
    mode: 0600
-  notify: reload headscale

+## ENABLE
+- name: daemon-reload and enable headscale
+  ansible.builtin.systemd_service:
+    state: restarted
+    daemon_reload: true
+    enabled: true
+    name: headscale
+
+## CREATE USER
 - name: ensure predefined users exist
  command:
    cmd: 'headscale users create {{ item }}'
--- a/roles/vpn/templates/config.yml.j2
+++ b/roles/vpn/templates/config.yml.j2
@ -10,13 +10,13 @@
 #
 # https://myheadscale.example.com:443
 #
-server_url: http://127.0.0.1:8080
+server_url: https://nijika.simponic.xyz:443

 # Address to listen to / bind to on the server
 #
 # For production:
 # listen_addr: 0.0.0.0:8080
-listen_addr: 127.0.0.1:8080
+listen_addr: 0.0.0.0:443

 # Address to listen to /metrics, you may want
 # to keep this endpoint private to your internal
@ -48,6 +48,8 @@ noise:
  # using the new Noise-based protocol.
  private_key_path: /var/lib/headscale/noise_private.key

+private_key_path: /var/lib/headscale/private.key
+
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
 # and the associated prefix length, delimited by a slash.
@ -158,10 +160,10 @@ db_path: /var/lib/headscale/db.sqlite
 acme_url: https://acme-v02.api.letsencrypt.org/directory

 # Email to register with ACME provider
-acme_email: ""
+acme_email: "elizabeth.hunt@simponic.xyz"

 # Domain name to request a TLS certificate for:
-tls_letsencrypt_hostname: ""
+tls_letsencrypt_hostname: "nijika.simponic.xyz"

 # Path to store certificates and metadata needed by
 # letsencrypt
@ -231,7 +233,7 @@ dns_config:
  #     - 8.8.8.8

  # Search domains to inject.
-  domains: []
+  domains: ['simponic.xyz']

  # Extra DNS records
  # so far only A-records are supported (on the tailscale side)
@ -252,7 +254,7 @@ dns_config:
  # `base_domain` must be a FQDNs, without the trailing dot.
  # The FQDN of the hosts will be
  # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
-  base_domain: example.com
+  base_domain: nijika.simponic.xyz

 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
--- a/roles/webservers/tasks/main.yml
+++ b/roles/webservers/tasks/main.yml
@ -0,0 +1,15 @@
+---
+- name: allow http
+  ufw:
+    rule: allow
+    port: '80'
+    proto: tcp
+
+- name: allow https
+  ufw:
+    rule: allow
+    port: '443'
+    proto: tcp
+
+- name: restart ufw
+  service: name=ufw state=restarted enabled=yes