finish headscale setup

This commit is contained in:
Elizabeth Hunt 2024-01-02 19:05:01 -05:00
parent c6a770bd1a
commit b0a563db34
8 changed files with 50 additions and 35 deletions

deploy-webservers.yml Normal file

@ -0,0 +1,4 @@
- name: webserver setup
hosts: webservers
roles:
- webservers


@ -14,7 +14,6 @@ headscale_directories:
- '{{ headscale_var_data_dir }}' - '{{ headscale_var_data_dir }}'
- '{{ headscale_pid_dir }}' - '{{ headscale_pid_dir }}'
headscale_acl: {} headscale_users: ['simponic']
headscale_users: []
headscale_enable_routes: [] headscale_enable_routes: []
headscale_exit_nodes: [] headscale_exit_nodes: []
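Review bot: `headscale_acl: {}` is dropped from the role defaults while the tasks file in this same commit keeps a "copy acl policies file" task; if that file is rendered from `headscale_acl` the variable is now undefined and the role fails, and if it is a static file the removal is fine — confirm which before merging. The new default `headscale_users: ['simponic']` bakes a specific account into the role; a role default is normally a safe empty value (`headscale_users: []`) with the real list set in host or group vars, which also keeps the later `headscale users create` loop from running for hosts that should not have that user. The hunk starts and ends inside the defaults mapping (the `headscale_directories` list above it is outside this view).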


@ -6,6 +6,7 @@ ryo ansible_user=root ansible_connection=ssh
[webservers] [webservers]
levi ansible_user=root ansible_connection=ssh levi ansible_user=root ansible_connection=ssh
nijika ansible_user=root ansible_connection=ssh
#ash.internal.simponic.xyz ansible_user=root ansible_connection=ssh #ash.internal.simponic.xyz ansible_user=root ansible_connection=ssh
[nameservers] [nameservers]
@ -18,10 +19,10 @@ ryo ansible_user=root ansible_connection=ssh
[dnsreplica] [dnsreplica]
nijika ansible_user=root ansible_connection=ssh nijika ansible_user=root ansible_connection=ssh
[dnsinternal]
johan ansible_user=root ansible_connection=ssh
[vpn] [vpn]
nijika ansible_user=root ansible_connection=ssh
[dnsinternal]
johan ansible_user=root ansible_connection=ssh johan ansible_user=root ansible_connection=ssh
[mail] [mail]
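Review bot: nijika is added to both `[webservers]` and `[vpn]`, so it gets the webservers role's 80/443 firewall rules and the headscale role whose config in this commit binds `0.0.0.0:443`; if anything else in the webservers role or a reverse proxy on that host listens on 443, the two services will collide at startup — confirm nothing else binds 443 there. Every host still connects as `ansible_user=root`; a dedicated unprivileged deploy user with `become: true` in the playbooks limits what the controller's SSH key can do if it leaks. The `[dnsinternal]` group is only moved below `[vpn]` in this hunk, which is harmless.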


@ -22,10 +22,11 @@
- name: install UFW - name: install UFW
apt: name=ufw state=latest apt: name=ufw state=latest
- name: allow ssh from everywhere - name: allow ssh from everywhere and enable
ufw: ufw:
rule: allow rule: allow
name: OpenSSH name: OpenSSH
state: enabled
- name: restart ufw - name: restart ufw
service: name=ufw state=restarted enabled=yes service: name=ufw state=restarted enabled=yes
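Review bot: `state: enabled` is added to the same task as the OpenSSH allow rule, which makes the first run depend on the ufw module's internal ordering of `state` versus `rule`; if the firewall is enabled before the rule is inserted there is a window (and, on a failure between the two, a persistent state) where SSH is blocked on a host that is only reachable over SSH. Split it into two tasks: keep `- name: allow ssh from everywhere` with `rule: allow` / `name: OpenSSH`, then add a separate `- name: enable ufw` task with `state: enabled` plus `policy: deny` and `direction: incoming` so the default policy is explicit rather than whatever the host already had. The OpenSSH application profile only matches port 22, so the rule silently stops covering sshd if it is ever moved. On the context line, `apt: name=ufw state=latest` upgrades the package on every run; `state: present` is the usual choice for a setup task.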


@ -1,14 +0,0 @@
---
- name: restart headscale service
service:
name: headscale
state: restarted
enabled: true
daemon-reload: true
listen: 'restart headscale'
- name: reload headscale
service:
name: headscale
state: reloaded
listen: 'reload headscale'


@ -1,4 +1,11 @@
--- ---
## UFW
- name: allow headscale tcp on 8080
ufw:
rule: allow
port: '8080'
proto: tcp
## INSTALL ## INSTALL
- name: create headscale user group - name: create headscale user group
group: group:
@ -51,13 +58,6 @@
group: '{{ headscale_user_gid }}' group: '{{ headscale_user_gid }}'
mode: 0600 mode: 0600
- name: daemon-reload and enable headscale
ansible.builtin.systemd_service:
state: restarted
daemon_reload: true
enabled: true
name: headscale
## CONFIG ## CONFIG
- name: copy configuration file template - name: copy configuration file template
@ -67,7 +67,6 @@
owner: "{{ headscale_user_uid }}" owner: "{{ headscale_user_uid }}"
group: "{{ headscale_user_gid }}" group: "{{ headscale_user_gid }}"
mode: "0600" mode: "0600"
notify: reload headscale
- name: copy acl policies file - name: copy acl policies file
copy: copy:
@ -76,8 +75,16 @@
owner: '{{ headscale_user_uid }}' owner: '{{ headscale_user_uid }}'
group: '{{ headscale_user_gid }}' group: '{{ headscale_user_gid }}'
mode: 0600 mode: 0600
notify: reload headscale
## ENABLE
- name: daemon-reload and enable headscale
ansible.builtin.systemd_service:
state: restarted
daemon_reload: true
enabled: true
name: headscale
## CREATE USER
- name: ensure predefined users exist - name: ensure predefined users exist
command: command:
cmd: 'headscale users create {{ item }}' cmd: 'headscale users create {{ item }}'
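Review bot: The new firewall task opens `port: '8080'`, but the config template in this same commit moves `listen_addr` to `0.0.0.0:443`, so the rule exposes a port headscale no longer listens on and 443 is only reachable because nijika also happens to be in `[webservers]`; change it to `port: '443'` (plus 80 if the built-in Let's Encrypt HTTP-01 challenge is used), or keep headscale on `127.0.0.1` behind the web server instead of exposing it directly. Removing both `notify: reload headscale` lines and replacing the handler with an unconditional `ansible.builtin.systemd_service` task using `state: restarted` means headscale is restarted on every playbook run whether or not anything changed, and a changed config is picked up only because the restart happens to come after it; register the config and ACL copy tasks and add `when: headscale_config.changed or headscale_acl.changed`, or restore a `restart headscale` handler and notify it. The `headscale users create` loop at the end of the hunk has no `creates`, `changed_when` or `failed_when`, so it reports changed every run and will likely fail once the user already exists; its body continues outside the hunk.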


@ -10,13 +10,13 @@
# #
# https://myheadscale.example.com:443 # https://myheadscale.example.com:443
# #
server_url: http://127.0.0.1:8080 server_url: https://nijika.simponic.xyz:443
# Address to listen to / bind to on the server # Address to listen to / bind to on the server
# #
# For production: # For production:
# listen_addr: 0.0.0.0:8080 # listen_addr: 0.0.0.0:8080
listen_addr: 127.0.0.1:8080 listen_addr: 0.0.0.0:443
# Address to listen to /metrics, you may want # Address to listen to /metrics, you may want
# to keep this endpoint private to your internal # to keep this endpoint private to your internal
@ -48,6 +48,8 @@ noise:
# using the new Noise-based protocol. # using the new Noise-based protocol.
private_key_path: /var/lib/headscale/noise_private.key private_key_path: /var/lib/headscale/noise_private.key
private_key_path: /var/lib/headscale/private.key
# List of IP prefixes to allocate tailaddresses from. # List of IP prefixes to allocate tailaddresses from.
# Each prefix consists of either an IPv4 or IPv6 address, # Each prefix consists of either an IPv4 or IPv6 address,
# and the associated prefix length, delimited by a slash. # and the associated prefix length, delimited by a slash.
@ -158,10 +160,10 @@ db_path: /var/lib/headscale/db.sqlite
acme_url: https://acme-v02.api.letsencrypt.org/directory acme_url: https://acme-v02.api.letsencrypt.org/directory
# Email to register with ACME provider # Email to register with ACME provider
acme_email: "" acme_email: "elizabeth.hunt@simponic.xyz"
# Domain name to request a TLS certificate for: # Domain name to request a TLS certificate for:
tls_letsencrypt_hostname: "" tls_letsencrypt_hostname: "nijika.simponic.xyz"
# Path to store certificates and metadata needed by # Path to store certificates and metadata needed by
# letsencrypt # letsencrypt
@ -231,7 +233,7 @@ dns_config:
# - 8.8.8.8 # - 8.8.8.8
# Search domains to inject. # Search domains to inject.
domains: [] domains: ['simponic.xyz']
# Extra DNS records # Extra DNS records
# so far only A-records are supported (on the tailscale side) # so far only A-records are supported (on the tailscale side)
@ -252,7 +254,7 @@ dns_config:
# `base_domain` must be a FQDNs, without the trailing dot. # `base_domain` must be a FQDNs, without the trailing dot.
# The FQDN of the hosts will be # The FQDN of the hosts will be
# `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_). # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
base_domain: example.com base_domain: nijika.simponic.xyz
# Unix socket used for the CLI to connect without authentication # Unix socket used for the CLI to connect without authentication
# Note: for production you will want to set this to something like: # Note: for production you will want to set this to something like:
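Review bot: The added `private_key_path: /var/lib/headscale/private.key` sits directly under the noise block's `private_key_path: /var/lib/headscale/noise_private.key`; with the page's indentation lost it is either a duplicate key inside `noise:` (most YAML parsers silently keep the last value, so the noise key would be written to `private.key`) or the legacy top-level `private_key_path` that current headscale releases no longer read — check the indentation and drop the line if it is the legacy key. `base_domain: nijika.simponic.xyz` is the same host as `server_url`, so MagicDNS names become `host.user.nijika.simponic.xyz` and the control server's own name falls inside the tailnet's DNS domain; newer headscale releases refuse to start when `server_url` contains `base_domain`, so use a separate zone such as `base_domain: ts.simponic.xyz`. With `listen_addr: 0.0.0.0:443` the built-in ACME client still needs a reachable port 80 for the default HTTP-01 challenge, and only the webservers role opens 80, so certificate issuance on the vpn host depends on it also being in `[webservers]`.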


@ -0,0 +1,15 @@
---
- name: allow http
ufw:
rule: allow
port: '80'
proto: tcp
- name: allow https
ufw:
rule: allow
port: '443'
proto: tcp
- name: restart ufw
service: name=ufw state=restarted enabled=yes
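Review bot: `restart ufw` runs unconditionally at the end of this new tasks file (and again in the common role), but the `ufw` module applies each allow rule live, so the restart adds nothing on a steady-state run and reloads the whole ruleset every time; drop it, or make it a handler notified only by the tasks that actually changed. Nothing in this file installs or configures a web server — it only opens 80 and 443 — so either the install and config tasks still need to land or the role name overstates what it does. `service: name=ufw state=restarted enabled=yes` is key=value shorthand while the rest of the file uses block YAML; `service:` / `name: ufw` / `state: restarted` / `enabled: true` keeps the style consistent and avoids the `yes` truthy value.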