finish headscale setup

This commit is contained in:
Elizabeth Hunt 2024-01-02 19:05:01 -05:00
parent c6a770bd1a
commit b0a563db34
8 changed files with 50 additions and 35 deletions

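--- a/deploy-webservers.yml
+++ b/deploy-webservers.yml
@@ -0,0 +1,4 @@
+- name: webserver setup
+hosts: webservers
+roles:
+- webservers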


@ -14,7 +14,6 @@ headscale_directories:
- '{{ headscale_var_data_dir }}'
- '{{ headscale_pid_dir }}'
headscale_acl: {}
headscale_users: []
headscale_users: ['simponic']
headscale_enable_routes: []
headscale_exit_nodes: []


@ -6,6 +6,7 @@ ryo ansible_user=root ansible_connection=ssh
[webservers]
levi ansible_user=root ansible_connection=ssh
nijika ansible_user=root ansible_connection=ssh
#ash.internal.simponic.xyz ansible_user=root ansible_connection=ssh
[nameservers]
@ -18,10 +19,10 @@ ryo ansible_user=root ansible_connection=ssh
[dnsreplica]
nijika ansible_user=root ansible_connection=ssh
[dnsinternal]
johan ansible_user=root ansible_connection=ssh
[vpn]
nijika ansible_user=root ansible_connection=ssh
[dnsinternal]
johan ansible_user=root ansible_connection=ssh
[mail]


@ -22,10 +22,11 @@
- name: install UFW
apt: name=ufw state=latest
- name: allow ssh from everywhere
- name: allow ssh from everywhere and enable
ufw:
rule: allow
name: OpenSSH
state: enabled
- name: restart ufw
service: name=ufw state=restarted enabled=yes
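Review bot: The new `state: enabled` turns the firewall on in the same task that allows OpenSSH, but nothing in this file sets the default incoming policy, so the deny-by-default behaviour rests on the distro's ufw defaults rather than on the play. A task placed before it, `ufw:` / `default: deny` / `direction: incoming`, makes the intended policy explicit and idempotent. The `restart ufw` task that follows also restarts the service on every run; the ufw module already applies rules live, so `state: started` (or a handler) would avoid the unconditional restart. Only part of this task list is visible in the hunk.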


@ -1,14 +0,0 @@
---
- name: restart headscale service
service:
name: headscale
state: restarted
enabled: true
daemon-reload: true
listen: 'restart headscale'
- name: reload headscale
service:
name: headscale
state: reloaded
listen: 'reload headscale'


@ -1,4 +1,11 @@
---
## UFW
- name: allow headscale tcp on 8080
ufw:
rule: allow
port: '8080'
proto: tcp
## INSTALL
- name: create headscale user group
group:
@ -51,13 +58,6 @@
group: '{{ headscale_user_gid }}'
mode: 0600
- name: daemon-reload and enable headscale
ansible.builtin.systemd_service:
state: restarted
daemon_reload: true
enabled: true
name: headscale
## CONFIG
- name: copy configuration file template
@ -67,7 +67,6 @@
owner: "{{ headscale_user_uid }}"
group: "{{ headscale_user_gid }}"
mode: "0600"
notify: reload headscale
- name: copy acl policies file
copy:
@ -76,8 +75,16 @@
owner: '{{ headscale_user_uid }}'
group: '{{ headscale_user_gid }}'
mode: 0600
notify: reload headscale
## ENABLE
- name: daemon-reload and enable headscale
ansible.builtin.systemd_service:
state: restarted
daemon_reload: true
enabled: true
name: headscale
## CREATE USER
- name: ensure predefined users exist
command:
cmd: 'headscale users create {{ item }}'
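Review bot: With the restart/reload handlers deleted and the `notify: reload headscale` lines removed from the config and ACL copy tasks, the ENABLE task's `state: restarted` now restarts the control plane on every run even when nothing changed; `state: started` here plus a handler (`notify: restart headscale`) on the two copy tasks keeps the restart tied to an actual change. The `headscale users create {{ item }}` command under CREATE USER is likewise not idempotent and will most likely error once the user exists — `register` its result and set `failed_when`/`changed_when` on the output, or check `headscale users list` first (the loop over `headscale_users` is outside the hunk). Separately, the 8080 allow rule added in the first hunk opens a port the config change in this same commit no longer listens on (`listen_addr` moves to `0.0.0.0:443`), so it should either be dropped or derived from the configured listen port rather than hard-coded.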


@ -10,13 +10,13 @@
#
# https://myheadscale.example.com:443
#
server_url: http://127.0.0.1:8080
server_url: https://nijika.simponic.xyz:443
# Address to listen to / bind to on the server
#
# For production:
# listen_addr: 0.0.0.0:8080
listen_addr: 127.0.0.1:8080
listen_addr: 0.0.0.0:443
# Address to listen to /metrics, you may want
# to keep this endpoint private to your internal
@ -48,6 +48,8 @@ noise:
# using the new Noise-based protocol.
private_key_path: /var/lib/headscale/noise_private.key
private_key_path: /var/lib/headscale/private.key
# List of IP prefixes to allocate tailaddresses from.
# Each prefix consists of either an IPv4 or IPv6 address,
# and the associated prefix length, delimited by a slash.
@ -158,10 +160,10 @@ db_path: /var/lib/headscale/db.sqlite
acme_url: https://acme-v02.api.letsencrypt.org/directory
# Email to register with ACME provider
acme_email: ""
acme_email: "elizabeth.hunt@simponic.xyz"
# Domain name to request a TLS certificate for:
tls_letsencrypt_hostname: ""
tls_letsencrypt_hostname: "nijika.simponic.xyz"
# Path to store certificates and metadata needed by
# letsencrypt
@ -231,7 +233,7 @@ dns_config:
# - 8.8.8.8
# Search domains to inject.
domains: []
domains: ['simponic.xyz']
# Extra DNS records
# so far only A-records are supported (on the tailscale side)
@ -252,7 +254,7 @@ dns_config:
# `base_domain` must be a FQDNs, without the trailing dot.
# The FQDN of the hosts will be
# `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
base_domain: example.com
base_domain: nijika.simponic.xyz
# Unix socket used for the CLI to connect without authentication
# Note: for production you will want to set this to something like:
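Review bot: `base_domain: nijika.simponic.xyz` is the same name the clients use to reach the control server (`server_url: https://nijika.simponic.xyz:443`), so MagicDNS on the nodes may start answering for that name itself and cut the nodes off from headscale; recent headscale releases refuse such a configuration, and a distinct zone like `base_domain: ts.simponic.xyz` (constructed example) avoids it. `listen_addr: 0.0.0.0:443` also binds a privileged port, which only works for the unprivileged headscale user if the unit grants `AmbientCapabilities=CAP_NET_BIND_SERVICE` — the unit file is not part of this diff, so that is worth confirming. The noise `private_key_path` now points at `/var/lib/headscale/private.key`; if the top-level `private_key_path` elsewhere in this file still uses the same path, the two keys would share one file, so check that the rest of the file was updated consistently.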


@ -0,0 +1,15 @@
---
- name: allow http
ufw:
rule: allow
port: '80'
proto: tcp
- name: allow https
ufw:
rule: allow
port: '443'
proto: tcp
- name: restart ufw
service: name=ufw state=restarted enabled=yes
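Review bot: The `restart ufw` task restarts the firewall unconditionally on every run even though the two ufw tasks above it apply their rules live, so the restart adds a brief rule flush each play without making anything more correct; drop it or turn it into a handler notified by the allow tasks. The module arguments are also given as a `key=value` string, which is against Ansible YAML convention — write them as block YAML: `service:` / `name: ufw` / `state: started` / `enabled: true`. Consider a `comment:` on each allow rule so the resulting ufw status shows which role opened 80 and 443.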