diff --git a/roles/common/files/docker-compose@.service b/roles/common/files/docker-compose@.service
index 05ed468..a0182d4 100644
--- a/roles/common/files/docker-compose@.service
+++ b/roles/common/files/docker-compose@.service
@@ -7,8 +7,8 @@ After=docker.service
 Type=oneshot
 RemainAfterExit=true
 WorkingDirectory=/etc/docker/compose/%i
-ExecStart=/usr/bin/docker-compose up -d --remove-orphans
-ExecStop=/usr/bin/docker-compose down
+ExecStart=/usr/bin/docker compose up -d --remove-orphans
+ExecStop=/usr/bin/docker compose down
 
 [Install]
 WantedBy=multi-user.target
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 69e9c90..80aad48 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -32,7 +32,11 @@ update_cache: yes - name: enable docker - service: name=docker state=restarted enabled=yes + ansible.builtin.systemd_service: + name: docker + state: restarted + enabled: true + daemon_reload: true - name: copy docker-compose@.service copy:
diff --git a/roles/vpn/files/acl.yml b/roles/vpn/files/config/acl.yml
similarity index 100%
rename from roles/vpn/files/acl.yml
rename to roles/vpn/files/config/acl.yml
diff --git a/roles/vpn/templates/config.yml.j2 b/roles/vpn/files/config/config.yml
similarity index 99%
rename from roles/vpn/templates/config.yml.j2
rename to roles/vpn/files/config/config.yml
index 73b2c40..17ab98b 100644
--- a/roles/vpn/templates/config.yml.j2
+++ b/roles/vpn/files/config/config.yml
@@ -16,7 +16,7 @@ server_url: https://headscale.simponic.xyz:443
 #
 # For production:
 # listen_addr: 0.0.0.0:8080
-listen_addr: 0.0.0.0:443
+listen_addr: 0.0.0.0:8080
 
 # Address to listen to /metrics, you may want
 # to keep this endpoint private to your internal
diff --git a/roles/vpn/files/docker-compose.yml b/roles/vpn/files/docker-compose.yml
new file mode 100644
index 0000000..dc5e961
--- /dev/null
+++ b/roles/vpn/files/docker-compose.yml
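Review bot: `state: restarted` in the new `ansible.builtin.systemd_service` task restarts the Docker daemon on every playbook run, which stops every compose-managed container on the host (including the headscale unit this playbook also manages) even when nothing changed. Use `state: started` here and move the restart into a handler that is notified only by tasks which actually change the daemon's configuration. `daemon_reload: true` is harmless but, judging by the task order in the hunk, it runs before the `copy docker-compose@.service` task that follows it, so a changed unit file is not picked up by this reload; the unit copy (whose body continues outside the hunk) needs its own reload or a handler.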
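Review bot: `listen_addr: 0.0.0.0:8080` is now plain HTTP inside the container while the `server_url` shown in the hunk header still advertises `https://…:443`, so TLS must be terminated by something in front of the published port; nothing in this commit shows that proxy, so a comment above the line would save the next reader a search: `# plain HTTP inside the container; TLS is terminated by the reverse proxy in front of the published port`. The file also moves from `templates/config.yml.j2` to `files/config/config.yml` (similarity 99%), so it is now copied verbatim rather than rendered — if it still contains any `{{ }}` expressions they will land on the host literally, which is worth a grep before merging.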
@@ -0,0 +1,18 @@ +version: '3.5' +services: + headscale: + image: headscale/headscale:latest + container_name: headscale + volumes: + - ./config:/etc/headscale + - ./data:/var/lib/headscale + ports: + - 27896:8080 + command: headscale serve + restart: unless-stopped + headscale-ui: + image: ghcr.io/gurucomputing/headscale-ui:latest + restart: unless-stopped + container_name: headscale-ui + ports: + - 9443:443
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 22ca2f8..4f6bcca 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
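Review bot: Both services pull an unpinned `:latest` tag (`image: headscale/headscale:latest`, `image: ghcr.io/gurucomputing/headscale-ui:latest`), so every re-create can silently run a different headscale release; pin a release tag or, better, an image digest, and bump it deliberately. The `ports` entries publish 27896 and 9443 on every interface, and Docker installs its own iptables rules for published ports, so the `ufw` rule this commit removes elsewhere would not have guarded them anyway — since `server_url` points at a TLS endpoint on 443, the coordination port presumably only needs to be reachable by a local reverse proxy and can be bound to loopback (the same applies to the UI port if it is proxied too). The deleted `headscale.service.j2` ran headscale as a dedicated user with `NoNewPrivileges`, `ProtectSystem=strict` and `ProtectHome`; the compose service carries none of that, and `security_opt: [no-new-privileges:true]` is a cheap partial equivalent. `version: '3.5'` is ignored by the `docker compose` plugin this commit switches to and can be dropped, and the port mappings should be quoted strings per the usual compose convention.
```yaml
services:
  headscale:
    image: headscale/headscale:<PINNED_TAG_OR_DIGEST>  # placeholder: pin a release, not :latest
    # … unchanged: container_name, volumes, command, restart …
    ports:
      - "127.0.0.1:27896:8080"  # only the local reverse proxy needs to reach it
    security_opt:
      - no-new-privileges:true
  headscale-ui:
    image: ghcr.io/gurucomputing/headscale-ui:<PINNED_TAG_OR_DIGEST>  # placeholder
    # … unchanged: restart, container_name …
    ports:
      - "127.0.0.1:9443:443"  # if the UI is also proxied; otherwise keep host-wide and firewall it
    security_opt:
      - no-new-privileges:true
```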
@@ -1,110 +1,38 @@ --- -## UFW -- name: allow headscale tcp on 8080 - ufw: - rule: allow - port: '8080' - proto: tcp - -## INSTALL -- name: create headscale user group - group: - name: '{{ headscale_user_group }}' - gid: '{{ headscale_user_gid }}' - system: true - state: present - -- name: create headscale user - user: - name: '{{ headscale_user_name }}' - uid: '{{ headscale_user_uid }}' - group: '{{ headscale_user_group }}' - shell: /bin/false - system: true - create_home: false - -- name: download headscale binary - get_url: - url: 'https://github.com/juanfont/headscale/releases/download/v{{ headscale_version }}/headscale_{{ headscale_version }}_linux_{{ headscale_arch }}' - dest: '{{ headscale_binary_path }}' - owner: '{{ headscale_user_uid }}' - group: '{{ headscale_user_gid }}' - mode: 0770 - -- name: ensure headscale directories exist +- name: ensure headscale docker/compose exist file: - path: '{{ item }}' + path: /etc/docker/compose/headscale state: directory - owner: '{{ headscale_user_name }}' - group: '{{ headscale_user_group }}' - mode: 0755 - loop: '{{ headscale_directories }}' + owner: root + group: root + mode: 0700 -- name: ensure sqlite exists - file: - path: '{{ headscale_var_data_dir }}/db.sqlite' - state: touch - owner: '{{ headscale_user_uid }}' - group: '{{ headscale_user_gid }}' - mode: 0600 - modification_time: preserve - access_time: preserve - -- name: copy systemd unit file - template: - src: '../templates/headscale.service.j2' - dest: '/etc/systemd/system/headscale.service' - owner: '{{ headscale_user_uid }}' - group: '{{ headscale_user_gid }}' - mode: 0600 - -## CONFIG - -- name: copy configuration file template - template: - src: "../templates/config.yml.j2" - dest: "{{ headscale_config_dir }}/config.yaml" - owner: "{{ headscale_user_uid }}" - group: "{{ headscale_user_gid }}" - mode: "0600" - -- name: copy acl policies file +- name: copy headscale docker-compose.yml copy: - content: '../files/acl.yml' - dest: '{{ headscale_config_dir 
}}/acl.yaml' - owner: '{{ headscale_user_uid }}' - group: '{{ headscale_user_gid }}' - mode: 0600 + src: ../files/docker-compose.yml + dest: /etc/docker/compose/headscale/docker-compose.yml + owner: root + group: root + mode: u=rw,g=r,o=r + +- name: copy headscale config volume + copy: + src: ../files/config + dest: /etc/docker/compose/headscale/ + owner: root + group: root + mode: u=rw,g=r,o=r + +- name: ensure headscale data volume exist + file: + path: /etc/docker/compose/headscale/data + state: directory + owner: root + group: root + mode: 0700 -## ENABLE - name: daemon-reload and enable headscale ansible.builtin.systemd_service: state: restarted - daemon_reload: true enabled: true - name: headscale - -## CREATE USER -- name: ensure predefined users exist - command: - cmd: 'headscale users create {{ item }}' - loop: '{{ headscale_users }}' - register: user_created - changed_when: '"User created" in user_created.stdout' - -## ROUTES -- name: enable routes for node - command: - cmd: 'headscale routes enable -i {{ item.id }} -r {{ item.routes }}' - loop: '{{ headscale_enable_routes }}' - loop_control: - label: '{{ item.comment | default(item) }}' - when: not ansible_check_mode - -- name: enable exit nodes - command: - cmd: 'headscale routes enable -i {{ item.id }} -r 0.0.0.0/0,::/0' - loop: '{{ headscale_exit_nodes }}' - loop_control: - label: '{{ item.comment | default(item) }}' - when: not ansible_check_mode + name: docker-compose@headscale
diff --git a/roles/vpn/templates/headscale.service.j2 b/roles/vpn/templates/headscale.service.j2
deleted file mode 100644
index 46267f0..0000000
--- a/roles/vpn/templates/headscale.service.j2
+++ /dev/null
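Review bot: `daemon_reload: true` is removed from the `daemon-reload and enable headscale` task while the unit it now starts, `docker-compose@headscale`, is a template unit copied by another role; without a reload here (or a handler on the copy task) systemd may still run the previous version of the unit, so restore `daemon_reload: true` in that task. The two `file` tasks use the unquoted octal `mode: 0700` while the `copy` tasks in the same hunk use symbolic `mode: u=rw,g=r,o=r`; pick one form, preferably quoted `mode: "0700"`, since YAML parsers disagree on leading-zero integers. `copy headscale config volume` copies a directory, and per the module docs `mode` is applied to the copied files while newly created directories get the system default unless `directory_mode` is set — if the 0700 lock-down used for the parent is intended for `config/` too, add `directory_mode: "0700"`. `state: restarted` on the final task also restarts headscale on every run; `state: started` plus a handler notified by the copy tasks avoids the gratuitous outage.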
@@ -1,26 +0,0 @@
-[Unit]
-Description=headscale coordination server
-After=syslog.target
-After=network.target
-
-[Service]
-Type=simple
-Environment=GIN_MODE=release
-User={{ headscale_user_name }}
-Group={{ headscale_user_group }}
-ExecStart={{ headscale_binary_path }} serve
-ExecReload=kill -HUP $MAINPID
-Restart=always
-RestartSec=5
-
-# Optional security enhancements
-NoNewPrivileges=yes
-PrivateTmp=yes
-ProtectSystem=strict
-ProtectHome=yes
-ReadWritePaths={{ headscale_var_data_dir }} {{ headscale_pid_dir }}
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-RuntimeDirectory={{ headscale_user_name }}
-
-[Install]
-WantedBy=multi-user.target
diff --git a/roles/webservers/tasks/main.yml b/roles/webservers/tasks/main.yml
index 7d411fe..680b050 100644
--- a/roles/webservers/tasks/main.yml
+++ b/roles/webservers/tasks/main.yml
@@ -13,3 +13,6 @@ - name: restart ufw service: name=ufw state=restarted enabled=yes + +- name: install nginx + apt: name=nginx status=latest
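Review bot: `apt: name=nginx status=latest` passes `status`, which is not a parameter of the apt module (the option is `state`), so the new task fails with an unsupported-parameter error on its first run; change it to `apt: name=nginx state=present` — `present` rather than `latest` so that a routine playbook run does not silently upgrade nginx. The rest of this commit moves to block-style module arguments (`ansible.builtin.systemd_service:` with one key per line), so for consistency the new task should be written the same way. The webservers task list continues above the hunk.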