deploy headscale and headscale ui via docker

roles/common/files/docker-compose@.service

@@ -7,8 +7,8 @@ After=docker.service
 Type=oneshot
 RemainAfterExit=true
 WorkingDirectory=/etc/docker/compose/%i
-ExecStart=/usr/bin/docker-compose up -d --remove-orphans
+ExecStart=/usr/bin/docker compose up -d --remove-orphans
-ExecStop=/usr/bin/docker-compose down
+ExecStop=/usr/bin/docker compose down
 
 [Install]
 WantedBy=multi-user.target

roles/common/tasks/main.yml

@@ -32,7 +32,11 @@
     update_cache: yes
 
 - name: enable docker
-  service: name=docker state=restarted enabled=yes
+  ansible.builtin.systemd_service: 
+    name: docker 
+    state: restarted 
+    enabled: true 
+    daemon_reload: true
 
 - name: copy docker-compose@.service
   copy:

roles/vpn/files/config/config.yml

@@ -16,7 +16,7 @@ server_url: https://headscale.simponic.xyz:443
 #
 # For production:
 # listen_addr: 0.0.0.0:8080
-listen_addr: 0.0.0.0:443
+listen_addr: 0.0.0.0:8080
 
 # Address to listen to /metrics, you may want
 # to keep this endpoint private to your internal

roles/vpn/files/docker-compose.yml

@@ -0,0 +1,18 @@
+version: '3.5'
+services:
+  headscale:
+    image: headscale/headscale:latest
+    container_name: headscale
+    volumes:
+      - ./config:/etc/headscale
+      - ./data:/var/lib/headscale
+    ports:
+      - 27896:8080
+    command: headscale serve
+    restart: unless-stopped
+  headscale-ui:
+    image: ghcr.io/gurucomputing/headscale-ui:latest
+    restart: unless-stopped
+    container_name: headscale-ui
+    ports:
+      - 9443:443

roles/vpn/tasks/main.yml

@@ -1,110 +1,38 @@
 ---
-## UFW
+- name: ensure headscale docker/compose exist
-- name: allow headscale tcp on 8080
-  ufw:
-    rule: allow
-    port: '8080'
-    proto: tcp
-
-## INSTALL
-- name: create headscale user group
-  group:
-    name: '{{ headscale_user_group }}'
-    gid: '{{ headscale_user_gid }}'
-    system: true
-    state: present
-
-- name: create headscale user
-  user:
-    name: '{{ headscale_user_name }}'
-    uid: '{{ headscale_user_uid }}'
-    group: '{{ headscale_user_group }}'
-    shell: /bin/false
-    system: true
-    create_home: false
-
-- name: download headscale binary
-  get_url:
-    url: 'https://github.com/juanfont/headscale/releases/download/v{{ headscale_version }}/headscale_{{ headscale_version }}_linux_{{ headscale_arch }}'
-    dest: '{{ headscale_binary_path }}'
-    owner: '{{ headscale_user_uid }}'
-    group: '{{ headscale_user_gid }}'
-    mode: 0770
-
-- name: ensure headscale directories exist
   file:
-    path: '{{ item }}'
+    path: /etc/docker/compose/headscale
     state: directory
-    owner: '{{ headscale_user_name }}'
+    owner: root
-    group: '{{ headscale_user_group }}'
+    group: root
-    mode: 0755
+    mode: 0700
-  loop: '{{ headscale_directories }}'
 
-- name: ensure sqlite exists
+- name: copy headscale docker-compose.yml
-  file:
-    path: '{{ headscale_var_data_dir }}/db.sqlite'
-    state: touch
-    owner: '{{ headscale_user_uid }}'
-    group: '{{ headscale_user_gid }}'
-    mode: 0600
-    modification_time: preserve
-    access_time: preserve
-
-- name: copy systemd unit file
-  template:
-    src: '../templates/headscale.service.j2'
-    dest: '/etc/systemd/system/headscale.service'
-    owner: '{{ headscale_user_uid }}'
-    group: '{{ headscale_user_gid }}'
-    mode: 0600
-
-## CONFIG
-
-- name: copy configuration file template
-  template:
-    src: "../templates/config.yml.j2"
-    dest: "{{ headscale_config_dir }}/config.yaml"
-    owner: "{{ headscale_user_uid }}"
-    group: "{{ headscale_user_gid }}"
-    mode: "0600"
-
-- name: copy acl policies file
   copy:
-    content: '../files/acl.yml'
+    src: ../files/docker-compose.yml
-    dest: '{{ headscale_config_dir }}/acl.yaml'
+    dest: /etc/docker/compose/headscale/docker-compose.yml
-    owner: '{{ headscale_user_uid }}'
+    owner: root
-    group: '{{ headscale_user_gid }}'
+    group: root
-    mode: 0600
+    mode: u=rw,g=r,o=r
+
+- name: copy headscale config volume
+  copy:
+    src: ../files/config
+    dest: /etc/docker/compose/headscale/
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: ensure headscale data volume exist
+  file:
+    path: /etc/docker/compose/headscale/data
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
 
-## ENABLE
 - name: daemon-reload and enable headscale
   ansible.builtin.systemd_service:
     state: restarted
-    daemon_reload: true
     enabled: true
-    name: headscale
+    name: docker-compose@headscale
-
-## CREATE USER
-- name: ensure predefined users exist
-  command:
-    cmd: 'headscale users create {{ item }}'
-  loop: '{{ headscale_users }}'
-  register: user_created
-  changed_when: '"User created" in user_created.stdout'
-
-## ROUTES
-- name: enable routes for node
-  command:
-    cmd: 'headscale routes enable -i {{ item.id }} -r {{ item.routes }}'
-  loop: '{{ headscale_enable_routes }}'
-  loop_control:
-    label: '{{ item.comment | default(item) }}'
-  when: not ansible_check_mode
-
-- name: enable exit nodes
-  command:
-    cmd: 'headscale routes enable -i {{ item.id }} -r 0.0.0.0/0,::/0'
-  loop: '{{ headscale_exit_nodes }}'
-  loop_control:
-    label: '{{ item.comment | default(item) }}'
-  when: not ansible_check_mode

roles/vpn/templates/headscale.service.j2

@@ -1,26 +0,0 @@
-[Unit]
-Description=headscale coordination server
-After=syslog.target
-After=network.target
-
-[Service]
-Type=simple
-Environment=GIN_MODE=release
-User={{ headscale_user_name }}
-Group={{ headscale_user_group }}
-ExecStart={{ headscale_binary_path }} serve
-ExecReload=kill -HUP $MAINPID
-Restart=always
-RestartSec=5
-
-# Optional security enhancements
-NoNewPrivileges=yes
-PrivateTmp=yes
-ProtectSystem=strict
-ProtectHome=yes
-ReadWritePaths={{ headscale_var_data_dir }} {{ headscale_pid_dir }}
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-RuntimeDirectory={{ headscale_user_name }}
-
-[Install]
-WantedBy=multi-user.target

roles/webservers/tasks/main.yml

@@ -13,3 +13,6 @@
 
 - name: restart ufw
   service: name=ufw state=restarted enabled=yes
+
+- name: install nginx
+  apt: name=nginx status=latest