From b0a563db34c7ac86f36c3f293ea8610de1c8a35c Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt
Date: Tue, 2 Jan 2024 19:05:01 -0500
Subject: [PATCH] finish headscale setup
---
 deploy-webservers.yml | 4 ++++
 group_vars/vpn.yml | 3 +--
 inventory | 7 ++++---
 roles/common/tasks/main.yml | 3 ++-
 roles/vpn/handlers/main.yml | 14 --------------
 roles/vpn/tasks/main.yml | 25 ++++++++++++++++---------
 roles/vpn/templates/config.yml.j2 | 14 ++++++++------
 roles/webservers/tasks/main.yml | 15 +++++++++++++++
 8 files changed, 50 insertions(+), 35 deletions(-)
 create mode 100644 deploy-webservers.yml
 delete mode 100644 roles/vpn/handlers/main.yml
 create mode 100644 roles/webservers/tasks/main.yml
diff --git a/deploy-webservers.yml b/deploy-webservers.yml
new file mode 100644
index 0000000..432819a
--- /dev/null
+++ b/deploy-webservers.yml
@@ -0,0 +1,4 @@
+- name: webserver setup
+ hosts: webservers
+ roles:
+ - webservers
diff --git a/group_vars/vpn.yml b/group_vars/vpn.yml
index 211c13b..ea2f63d 100644
--- a/group_vars/vpn.yml
+++ b/group_vars/vpn.yml
@@ -14,7 +14,6 @@ headscale_directories:
 - '{{ headscale_var_data_dir }}'
 - '{{ headscale_pid_dir }}'
-headscale_acl: {}
-headscale_users: []
+headscale_users: ['simponic']
 headscale_enable_routes: []
 headscale_exit_nodes: []
diff --git a/inventory b/inventory
index 42d53e0..3160522 100644
--- a/inventory
+++ b/inventory
@@ -6,6 +6,7 @@ ryo ansible_user=root ansible_connection=ssh
 [webservers]
 levi ansible_user=root ansible_connection=ssh
+nijika ansible_user=root ansible_connection=ssh
 #ash.internal.simponic.xyz ansible_user=root ansible_connection=ssh
 [nameservers]
@@ -18,10 +19,10 @@ ryo ansible_user=root ansible_connection=ssh
 [dnsreplica]
 nijika ansible_user=root ansible_connection=ssh
-[dnsinternal]
-johan ansible_user=root ansible_connection=ssh
-
 [vpn]
+nijika ansible_user=root ansible_connection=ssh
+
+[dnsinternal]
 johan ansible_user=root ansible_connection=ssh
 [mail]
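Review bot: The new playbook lacks the `---` document start that the other YAML files in this patch (roles/vpn/tasks/main.yml, roles/webservers/tasks/main.yml) begin with; add `---` as the first line for consistency and so yamllint's document-start rule passes. The play also relies on `ansible_user=root` from the inventory rather than `become: true`; a one-line comment stating that assumption, e.g. `# runs as root via inventory ansible_user; no become needed`, saves the next reader a lookup.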
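Review bot: Removing `headscale_acl: {}` leaves the ACL policy with no declared default, while the "copy acl policies file" task in roles/vpn/tasks/main.yml survives the patch (visible in its later hunks). If that task renders its content from `headscale_acl`, any vpn host without a host-level override now fails with an undefined variable; if it copies a static file instead, the variable was dead and the removal is harmless — the diff doesn't show which. Since the ACL policy is what decides which nodes may reach each other, keeping the default explicit in group_vars — `headscale_acl: {}` with a comment on what an empty policy means for this tailnet — is the safer shape.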
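Review bot: nijika now sits in dnsreplica, webservers and vpn at once, and the only UFW rule for 443/tcp — the port the config template gives headscale via `listen_addr: 0.0.0.0:443` — comes from the webservers role, not from the vpn role, which opens 8080. The VPN's reachability therefore depends on group membership that nothing in this file records; if nijika is later removed from webservers the control server silently becomes unreachable. Record it next to the entry, e.g. `# nijika also needs the webservers role: it opens 443/tcp for headscale`, or better, have the vpn role open its own port.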
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 1d2e987..7c97505 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -22,10 +22,11 @@
 - name: install UFW
 apt: name=ufw state=latest
-- name: allow ssh from everywhere
+- name: allow ssh from everywhere and enable
 ufw:
 rule: allow
 name: OpenSSH
+ state: enabled
 - name: restart ufw
 service: name=ufw state=restarted enabled=yes
diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml
deleted file mode 100644
index 4333c5f..0000000
--- a/roles/vpn/handlers/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-- name: restart headscale service
- service:
- name: headscale
- state: restarted
- enabled: true
- daemon-reload: true
- listen: 'restart headscale'
-
-- name: reload headscale
- service:
- name: headscale
- state: reloaded
- listen: 'reload headscale'
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 1715886..22ca2f8 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -1,4 +1,11 @@
 ---
+## UFW
+- name: allow headscale tcp on 8080
+ ufw:
+ rule: allow
+ port: '8080'
+ proto: tcp
+
 ## INSTALL
 - name: create headscale user group
 group:
@@ -51,13 +58,6 @@
 group: '{{ headscale_user_gid }}'
 mode: 0600
-- name: daemon-reload and enable headscale
- ansible.builtin.systemd_service:
- state: restarted
- daemon_reload: true
- enabled: true
- name: headscale
-
 ## CONFIG
 - name: copy configuration file
 template
@@ -67,7 +67,6 @@
 owner: "{{ headscale_user_uid }}"
 group: "{{ headscale_user_gid }}"
 mode: "0600"
- notify: reload headscale
 - name: copy acl policies file
 copy:
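Review bot: `state: enabled` is now folded into the same task as the OpenSSH allow rule, so whether the rule exists before the firewall is switched on depends on the ufw module's internal ordering rather than on anything visible in the play; on a fresh host the wrong order would cut off the SSH session Ansible is running over. Keep the rule as its own task and enable afterwards in a separate one: `- name: enable ufw` / `  ufw:` / `    state: enabled`. No `default: deny` for incoming traffic appears in this hunk either, so the effective policy after enabling is whatever the package or an earlier task set; worth making explicit. The task list continues outside the hunk.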
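Review bot: The new rule opens 8080/tcp, but this same patch moves headscale to `listen_addr: 0.0.0.0:443` and `server_url: https://nijika.simponic.xyz:443` in roles/vpn/templates/config.yml.j2, so the vpn role exposes a port nothing listens on and leaves 443 to the webservers role that nijika happens to belong to. Change it to `port: '443'`, ideally with both the rule and listen_addr driven from one group var so they cannot drift apart again, and drop the 8080 allow rather than keeping both.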
@@ -76,8 +75,16 @@
 owner: '{{ headscale_user_uid }}'
 group: '{{ headscale_user_gid }}'
 mode: 0600
- notify: reload headscale
+## ENABLE
+- name: daemon-reload and enable headscale
+ ansible.builtin.systemd_service:
+ state: restarted
+ daemon_reload: true
+ enabled: true
+ name: headscale
+
+## CREATE USER
 - name: ensure predefined users exist
 command:
 cmd: 'headscale users create {{ item }}'
diff --git a/roles/vpn/templates/config.yml.j2 b/roles/vpn/templates/config.yml.j2
index 5105dcd..4eb5359 100644
--- a/roles/vpn/templates/config.yml.j2
+++ b/roles/vpn/templates/config.yml.j2
@@ -10,13 +10,13 @@
 #
 # https://myheadscale.example.com:443
 #
-server_url: http://127.0.0.1:8080
+server_url: https://nijika.simponic.xyz:443
 # Address to listen to / bind to on the server
 #
 # For production:
 # listen_addr: 0.0.0.0:8080
-listen_addr: 127.0.0.1:8080
+listen_addr: 0.0.0.0:443
 # Address to listen to /metrics, you may want
 # to keep this endpoint private to your internal
@@ -48,6 +48,8 @@ noise:
 # using the new Noise-based protocol.
 private_key_path: /var/lib/headscale/noise_private.key
+private_key_path: /var/lib/headscale/private.key
+
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
 # and the associated prefix length, delimited by a slash.
@@ -158,10 +160,10 @@ db_path: /var/lib/headscale/db.sqlite
 acme_url: https://acme-v02.api.letsencrypt.org/directory
 # Email to register with ACME provider
-acme_email: ""
+acme_email: "elizabeth.hunt@simponic.xyz"
 # Domain name to request a TLS certificate for:
-tls_letsencrypt_hostname: ""
+tls_letsencrypt_hostname: "nijika.simponic.xyz"
 # Path to store certificates and metadata needed by
 # letsencrypt
@@ -231,7 +233,7 @@ dns_config:
 # - 8.8.8.8
 # Search domains to inject.
- domains: []
+ domains: ['simponic.xyz']
 # Extra DNS records
 # so far only A-records are supported (on the tailscale side)
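Review bot: The relocated `daemon-reload and enable headscale` task keeps `state: restarted` and now runs unconditionally after the config and ACL copies, so headscale is bounced on every playbook run whether or not anything changed, and the play always reports changed. The `notify: reload headscale` lines dropped here and in the previous hunk (with roles/vpn/handlers/main.yml deleted) were what tied a restart to an actual change. Use `state: started` here and register the template/copy tasks so the restart runs only when one of them changed, or keep a restart handler; if an unconditional restart is intended, say why in a comment on the task.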
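Review bot: `listen_addr: 0.0.0.0:443` binds a privileged port, while the ownership set in roles/vpn/tasks/main.yml (`owner: '{{ headscale_user_uid }}'`) suggests headscale runs as an unprivileged user; binding below 1024 then needs `AmbientCapabilities=CAP_NET_BIND_SERVICE` (or an equivalent grant) in the unit, which is not part of this diff — confirm the unit provides it, otherwise the service fails at the restart this patch adds. Separately, this template now hard-codes host-specific values (`server_url`, `listen_addr` here; `acme_email`, `tls_letsencrypt_hostname`, `domains`, `base_domain` in the later hunks) into a `.j2` file that already receives group_vars; moving them to group_vars/vpn.yml and referencing them as `{{ ... }}` keeps the template reusable and keeps a personal contact email out of the role. The 8080/tcp UFW rule added in roles/vpn/tasks/main.yml no longer matches this port; raised at that hunk.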
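Review bot: The added top-level `private_key_path: /var/lib/headscale/private.key` is the legacy, non-Noise key, placed right after `noise.private_key_path`, and nothing says why both are needed; newer headscale releases dropped the legacy protocol and may refuse a config that still sets the old key, so this should name the version it targets, e.g. `# legacy (pre-Noise) key, needed by headscale <TODO: pinned version>; remove on upgrade`. Which of the two keys current clients actually use depends on the headscale version being pinned — confirm against it. If the line were ever indented under `noise:` it would become a duplicate key that YAML parsers resolve silently last-wins, another reason to keep it labelled.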
@@ -252,7 +254,7 @@ dns_config:
 # `base_domain` must be a FQDNs, without the trailing dot.
 # The FQDN of the hosts will be
 # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
- base_domain: example.com
+ base_domain: nijika.simponic.xyz
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
diff --git a/roles/webservers/tasks/main.yml b/roles/webservers/tasks/main.yml
new file mode 100644
index 0000000..7d411fe
--- /dev/null
+++ b/roles/webservers/tasks/main.yml
@@ -0,0 +1,15 @@
+---
+- name: allow http
+ ufw:
+ rule: allow
+ port: '80'
+ proto: tcp
+
+- name: allow https
+ ufw:
+ rule: allow
+ port: '443'
+ proto: tcp
+
+- name: restart ufw
+ service: name=ufw state=restarted enabled=yes
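Review bot: `base_domain: nijika.simponic.xyz` is the same host name the template uses for `server_url`, so MagicDNS names become `host.user.nijika.simponic.xyz` and the tailnet resolver claims the control server's own name; newer headscale releases validate this and refuse to start when server_url falls inside base_domain, because nodes can lose the route to headscale itself. Use a separate zone that is not the control server's hostname, e.g. `base_domain: ts.simponic.xyz` (constructed example), and keep the choice documented next to `server_url`.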
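Review bot: The last task uses the `key=value` shorthand (`service: name=ufw state=restarted enabled=yes`) and the `yes` truthy form in a file whose other tasks are native block YAML; write it as a mapping with `enabled: true` to match. The restart is also not needed for the two rules above — once ufw is enabled, the ufw module adds rules to the live ruleset — and it duplicates the identical restart in roles/common/tasks/main.yml, so on nijika (vpn plus webservers) the firewall is bounced twice per run; drop it here or keep a single restart in common.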