deploy headscale and headscale ui via docker

This commit is contained in:
Elizabeth Hunt 2024-01-03 01:30:54 -05:00
parent 365641c4b5
commit edf638080a
8 changed files with 57 additions and 130 deletions


@ -7,8 +7,8 @@ After=docker.service
Type=oneshot Type=oneshot
RemainAfterExit=true RemainAfterExit=true
WorkingDirectory=/etc/docker/compose/%i WorkingDirectory=/etc/docker/compose/%i
ExecStart=/usr/bin/docker-compose up -d --remove-orphans ExecStart=/usr/bin/docker compose up -d --remove-orphans
ExecStop=/usr/bin/docker-compose down ExecStop=/usr/bin/docker compose down
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
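Review bot: The new `ExecStart`/`ExecStop` lines switch to the Compose v2 CLI plugin (`docker compose`), and nothing visible in this commit installs `docker-compose-plugin`; if the package task elsewhere in the playbook only installs the engine, the unit will fail on the next boot with "compose is not a docker command". Worth confirming the package list alongside this change. The hunk header shows only `After=docker.service`; a `Requires=docker.service` in `[Unit]` would keep the unit from being started when the daemon is missing. The `[Unit]` section starts outside the hunk.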


@ -32,7 +32,11 @@
update_cache: yes update_cache: yes
- name: enable docker - name: enable docker
service: name=docker state=restarted enabled=yes ansible.builtin.systemd_service:
name: docker
state: restarted
enabled: true
daemon_reload: true
- name: copy docker-compose@.service - name: copy docker-compose@.service
copy: copy:
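Review bot: `state: restarted` on the docker service is unconditional, so every playbook run restarts the Docker daemon and with it every container it manages, including the headscale stack this commit deploys — an outage on each apply, not only when the package changed. Keep `daemon_reload: true` but use `state: started` here and move the restart into a handler notified by the apt task. The surrounding play continues outside the hunk.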


@ -16,7 +16,7 @@ server_url: https://headscale.simponic.xyz:443
# #
# For production: # For production:
# listen_addr: 0.0.0.0:8080 # listen_addr: 0.0.0.0:8080
listen_addr: 0.0.0.0:443 listen_addr: 0.0.0.0:8080
# Address to listen to /metrics, you may want # Address to listen to /metrics, you may want
# to keep this endpoint private to your internal # to keep this endpoint private to your internal
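Review bot: Changing `listen_addr` to plain `0.0.0.0:8080` while `server_url` stays `https://…:443` means TLS is now terminated by something in front of headscale — presumably the nginx this commit installs — but nothing here documents that contract, and if the `tls_*` keys of this config (outside the hunk) are still set, headscale will try to serve TLS itself on 8080. A comment beside the new value would save the next reader a detour: `# plain HTTP; TLS is terminated by the host nginx reverse proxy in front of the published container port`. Listening on 0.0.0.0 inside the container is what the Docker port publish needs, so exposure control belongs in the compose `ports:` mapping, not here.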


@ -0,0 +1,18 @@
version: '3.5'
services:
headscale:
image: headscale/headscale:latest
container_name: headscale
volumes:
- ./config:/etc/headscale
- ./data:/var/lib/headscale
ports:
- 27896:8080
command: headscale serve
restart: unless-stopped
headscale-ui:
image: ghcr.io/gurucomputing/headscale-ui:latest
restart: unless-stopped
container_name: headscale-ui
ports:
- 9443:443
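Review bot: Both `ports:` entries publish on every host interface, and by default Docker inserts published ports ahead of UFW's rules, so the plain-HTTP headscale API on 27896 and the headscale-ui on 9443 are reachable from outside regardless of the firewall role — the `ufw allow 8080` rule this commit removes was never the real gate. Since nginx on the host is meant to front headscale, bind both to loopback and quote them as Compose port strings: `- '127.0.0.1:27896:8080'` and `- '127.0.0.1:9443:443'`. `image: headscale/headscale:latest` also drops the pinned `headscale_version` the old tasks used, so pulls are no longer reproducible; pin a release tag or an `@sha256` digest. The removed systemd unit's `NoNewPrivileges`/`ProtectSystem` hardening has no counterpart here; `security_opt: ['no-new-privileges:true']` and `read_only: true` (the two mounted volumes stay writable) would restore part of it.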


@ -1,110 +1,38 @@
--- ---
## UFW - name: ensure headscale docker/compose exist
- name: allow headscale tcp on 8080
ufw:
rule: allow
port: '8080'
proto: tcp
## INSTALL
- name: create headscale user group
group:
name: '{{ headscale_user_group }}'
gid: '{{ headscale_user_gid }}'
system: true
state: present
- name: create headscale user
user:
name: '{{ headscale_user_name }}'
uid: '{{ headscale_user_uid }}'
group: '{{ headscale_user_group }}'
shell: /bin/false
system: true
create_home: false
- name: download headscale binary
get_url:
url: 'https://github.com/juanfont/headscale/releases/download/v{{ headscale_version }}/headscale_{{ headscale_version }}_linux_{{ headscale_arch }}'
dest: '{{ headscale_binary_path }}'
owner: '{{ headscale_user_uid }}'
group: '{{ headscale_user_gid }}'
mode: 0770
- name: ensure headscale directories exist
file: file:
path: '{{ item }}' path: /etc/docker/compose/headscale
state: directory state: directory
owner: '{{ headscale_user_name }}' owner: root
group: '{{ headscale_user_group }}' group: root
mode: 0755 mode: 0700
loop: '{{ headscale_directories }}'
- name: ensure sqlite exists - name: copy headscale docker-compose.yml
file:
path: '{{ headscale_var_data_dir }}/db.sqlite'
state: touch
owner: '{{ headscale_user_uid }}'
group: '{{ headscale_user_gid }}'
mode: 0600
modification_time: preserve
access_time: preserve
- name: copy systemd unit file
template:
src: '../templates/headscale.service.j2'
dest: '/etc/systemd/system/headscale.service'
owner: '{{ headscale_user_uid }}'
group: '{{ headscale_user_gid }}'
mode: 0600
## CONFIG
- name: copy configuration file template
template:
src: "../templates/config.yml.j2"
dest: "{{ headscale_config_dir }}/config.yaml"
owner: "{{ headscale_user_uid }}"
group: "{{ headscale_user_gid }}"
mode: "0600"
- name: copy acl policies file
copy: copy:
content: '../files/acl.yml' src: ../files/docker-compose.yml
dest: '{{ headscale_config_dir }}/acl.yaml' dest: /etc/docker/compose/headscale/docker-compose.yml
owner: '{{ headscale_user_uid }}' owner: root
group: '{{ headscale_user_gid }}' group: root
mode: 0600 mode: u=rw,g=r,o=r
- name: copy headscale config volume
copy:
src: ../files/config
dest: /etc/docker/compose/headscale/
owner: root
group: root
mode: u=rw,g=r,o=r
- name: ensure headscale data volume exist
file:
path: /etc/docker/compose/headscale/data
state: directory
owner: root
group: root
mode: 0700
## ENABLE
- name: daemon-reload and enable headscale - name: daemon-reload and enable headscale
ansible.builtin.systemd_service: ansible.builtin.systemd_service:
state: restarted state: restarted
daemon_reload: true
enabled: true enabled: true
name: headscale name: docker-compose@headscale
## CREATE USER
- name: ensure predefined users exist
command:
cmd: 'headscale users create {{ item }}'
loop: '{{ headscale_users }}'
register: user_created
changed_when: '"User created" in user_created.stdout'
## ROUTES
- name: enable routes for node
command:
cmd: 'headscale routes enable -i {{ item.id }} -r {{ item.routes }}'
loop: '{{ headscale_enable_routes }}'
loop_control:
label: '{{ item.comment | default(item) }}'
when: not ansible_check_mode
- name: enable exit nodes
command:
cmd: 'headscale routes enable -i {{ item.id }} -r 0.0.0.0/0,::/0'
loop: '{{ headscale_exit_nodes }}'
loop_control:
label: '{{ item.comment | default(item) }}'
when: not ansible_check_mode
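Review bot: The `copy headscale config volume` task applies `mode: u=rw,g=r,o=r` to everything under `files/config`, so the `config.yaml` that the removed tasks kept at `0600` becomes world-readable on the host, and a headscale config can carry an OIDC client secret or a database DSN. Use `mode: '0600'` for the files and `directory_mode: '0700'` for the directory, matching the `0700` already chosen for `data`. Separately, `state: restarted` on `docker-compose@headscale` runs on every play, and because the unit's `ExecStop` is `docker compose down`, each apply tears the stack down and recreates it; `state: started` with a handler notified by the copy tasks avoids that. The old `headscale users create` and ACL-policy steps are dropped without replacement; if the shipped config still points at an ACL file, the container will not start until one is provided.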


@ -1,26 +0,0 @@
[Unit]
Description=headscale coordination server
After=syslog.target
After=network.target
[Service]
Type=simple
Environment=GIN_MODE=release
User={{ headscale_user_name }}
Group={{ headscale_user_group }}
ExecStart={{ headscale_binary_path }} serve
ExecReload=kill -HUP $MAINPID
Restart=always
RestartSec=5
# Optional security enhancements
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths={{ headscale_var_data_dir }} {{ headscale_pid_dir }}
AmbientCapabilities=CAP_NET_BIND_SERVICE
RuntimeDirectory={{ headscale_user_name }}
[Install]
WantedBy=multi-user.target


@ -13,3 +13,6 @@
- name: restart ufw - name: restart ufw
service: name=ufw state=restarted enabled=yes service: name=ufw state=restarted enabled=yes
- name: install nginx
apt: name=nginx status=latest
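Review bot: `apt: name=nginx status=latest` fails before anything runs — the apt module has no `status` parameter (it is `state`), so the play aborts and nginx is never installed, leaving the headscale `server_url` on :443 with nothing listening. Replace it with block-form arguments and a non-upgrading state: `ansible.builtin.apt:` / `name: nginx` / `state: present` (`latest` would upgrade nginx on every run). The task is added next to `restart ufw`, which reads like a handler; confirm it belongs in this file rather than in tasks. The enclosing file starts outside the hunk.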