finish headscale setup

2024-01-02 19:05:01 -05:00 · 2024-01-02 19:05:01 -05:00 · b0a563db34
commit b0a563db34
parent c6a770bd1a
8 changed files with 50 additions and 35 deletions
--- a/deploy-webservers.yml
+++ b/deploy-webservers.yml
@ -0,0 +1,4 @@
 - name: webserver setup
  hosts: webservers
  roles:
    - webservers
--- a/group_vars/vpn.yml
+++ b/group_vars/vpn.yml
@ -14,7 +14,6 @@ headscale_directories:
  - '{{ headscale_var_data_dir }}'
  - '{{ headscale_pid_dir }}'
-headscale_acl: {}
+headscale_users: ['simponic']
 headscale_users: []
 headscale_enable_routes: []
 headscale_exit_nodes: []
--- a/7
+++ b/7
@ -6,6 +6,7 @@ ryo  ansible_user=root ansible_connection=ssh
 [webservers]
 levi  ansible_user=root ansible_connection=ssh
 nijika  ansible_user=root ansible_connection=ssh
 #ash.internal.simponic.xyz  ansible_user=root ansible_connection=ssh
 [nameservers]
@ -18,10 +19,10 @@ ryo  ansible_user=root ansible_connection=ssh
 [dnsreplica]
 nijika  ansible_user=root ansible_connection=ssh
 [dnsinternal]
 johan ansible_user=root ansible_connection=ssh
 [vpn]
 nijika ansible_user=root ansible_connection=ssh
 [dnsinternal]
 johan ansible_user=root ansible_connection=ssh
 [mail]
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -22,10 +22,11 @@
 - name: install UFW
  apt: name=ufw state=latest
- name: allow ssh from everywhere
+- name: allow ssh from everywhere and enable
  ufw:
    rule: allow
    name: OpenSSH
    state: enabled
 - name: restart ufw
  service: name=ufw state=restarted enabled=yes
--- a/roles/vpn/handlers/main.yml
+++ b/roles/vpn/handlers/main.yml
@ -1,14 +0,0 @@
 ---
 - name: restart headscale service
  service:
    name: headscale
    state: restarted
    enabled: true
    daemon-reload: true
  listen: 'restart headscale'
 - name: reload headscale
  service:
    name: headscale
    state: reloaded
  listen: 'reload headscale'
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@ -1,4 +1,11 @@
 ---
 ## UFW
 - name: allow headscale tcp on 8080
  ufw:
    rule: allow
    port: '8080'
    proto: tcp
 ## INSTALL
 - name: create headscale user group
  group:
@ -51,13 +58,6 @@
    group: '{{ headscale_user_gid }}'
    mode: 0600
 - name: daemon-reload and enable headscale
  ansible.builtin.systemd_service:
    state: restarted
    daemon_reload: true
    enabled: true
    name: headscale
 ## CONFIG
 - name: copy configuration file template
@ -67,7 +67,6 @@
    owner: "{{ headscale_user_uid }}"
    group: "{{ headscale_user_gid }}"
    mode: "0600"
  notify: reload headscale
 - name: copy acl policies file
  copy:
@ -76,8 +75,16 @@
    owner: '{{ headscale_user_uid }}'
    group: '{{ headscale_user_gid }}'
    mode: 0600
  notify: reload headscale
 ## ENABLE
 - name: daemon-reload and enable headscale
  ansible.builtin.systemd_service:
    state: restarted
    daemon_reload: true
    enabled: true
    name: headscale
 ## CREATE USER
 - name: ensure predefined users exist
  command:
    cmd: 'headscale users create {{ item }}'
--- a/roles/vpn/templates/config.yml.j2
+++ b/roles/vpn/templates/config.yml.j2
@ -10,13 +10,13 @@
 #
 # https://myheadscale.example.com:443
 #
-server_url: http://127.0.0.1:8080
+server_url: https://nijika.simponic.xyz:443
 # Address to listen to / bind to on the server
 #
 # For production:
 # listen_addr: 0.0.0.0:8080
-listen_addr: 127.0.0.1:8080
+listen_addr: 0.0.0.0:443
 # Address to listen to /metrics, you may want
 # to keep this endpoint private to your internal
@ -48,6 +48,8 @@ noise:
  # using the new Noise-based protocol.
  private_key_path: /var/lib/headscale/noise_private.key
 private_key_path: /var/lib/headscale/private.key
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
 # and the associated prefix length, delimited by a slash.
@ -158,10 +160,10 @@ db_path: /var/lib/headscale/db.sqlite
 acme_url: https://acme-v02.api.letsencrypt.org/directory
 # Email to register with ACME provider
-acme_email: ""
+acme_email: "elizabeth.hunt@simponic.xyz"
 # Domain name to request a TLS certificate for:
-tls_letsencrypt_hostname: ""
+tls_letsencrypt_hostname: "nijika.simponic.xyz"
 # Path to store certificates and metadata needed by
 # letsencrypt
@ -231,7 +233,7 @@ dns_config:
  #     - 8.8.8.8
  # Search domains to inject.
-  domains: []
+  domains: ['simponic.xyz']
  # Extra DNS records
  # so far only A-records are supported (on the tailscale side)
@ -252,7 +254,7 @@ dns_config:
  # `base_domain` must be a FQDNs, without the trailing dot.
  # The FQDN of the hosts will be
  # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
-  base_domain: example.com
+  base_domain: nijika.simponic.xyz
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
--- a/roles/webservers/tasks/main.yml
+++ b/roles/webservers/tasks/main.yml
@ -0,0 +1,15 @@
 ---
 - name: allow http
  ufw:
    rule: allow
    port: '80'
    proto: tcp
 - name: allow https
  ufw:
    rule: allow
    port: '443'
    proto: tcp
 - name: restart ufw
  service: name=ufw state=restarted enabled=yes