author | Elizabeth Hunt <me@liz.coffee> | 2025-04-27 21:15:30 -0700 |
---|---|---|
committer | Elizabeth Hunt <me@liz.coffee> | 2025-04-27 21:25:52 -0700 |
commit | daef0cf448af17357b552245f39067a9d340ce3d (patch) | |
tree | f65a660f7232f057b0c14e477c166006bfb83f87 /playbooks/roles/outbound/tasks/main.yml | |
parent | 1dcdfe34a74708f88aad68af965f4bb5c79adff1 (diff) | |
Waow
Diffstat (limited to 'playbooks/roles/outbound/tasks/main.yml')
-rw-r--r-- | playbooks/roles/outbound/tasks/main.yml | 160 |
1 files changed, 62 insertions, 98 deletions
diff --git a/playbooks/roles/outbound/tasks/main.yml b/playbooks/roles/outbound/tasks/main.yml
index 107e71a..45540b4 100644
--- a/playbooks/roles/outbound/tasks/main.yml
+++ b/playbooks/roles/outbound/tasks/main.yml
@@ -1,119 +1,83 @@ --- -# Headscale setup -- name: Build headscale compose dirs and files - ansible.builtin.file: - state: directory - dest: '/etc/docker/compose/headscale/{{ item.path }}' - with_filetree: '../templates/headscale' - when: item.state == 'directory' - -- name: Build headscale compose templates - ansible.builtin.template: - src: '{{ item.src }}' - dest: '/etc/docker/compose/headscale/{{ item.path }}' - with_filetree: '../templates/headscale' - when: item.state == 'file' - -- name: Daemon-reload and enable headscale - ansible.builtin.systemd_service: +- name: Deploy Headscale + ansible.builtin.import_tasks: manage-docker-compose-service.yml + vars: + service_name: headscale + template_render_dir: "../templates/headscale" + service_destination_dir: "{{ headscale_base }}" state: started - enabled: true - daemon_reload: true - name: docker-compose@headscale - -- name: Perform rollout for headscale - ansible.builtin.shell: - cmd: "/usr/local/bin/docker-rollout rollout -f docker-compose.yml headscale" - chdir: "/etc/docker/compose/headscale" - -# User API Key -- name: Generate API key if homelab build - ansible.builtin.shell: - cmd: docker compose exec -it headscale headscale apikeys create --expiration "{{ api_key_expiration }}" - chdir: /etc/docker/compose/headscale - register: api_key_result - when: generate_api_key + rollout_services: + - name: headscale -- name: Store and display API key - when: generate_api_key +- name: Generate Headscale API key (if requested) + when: generate_api_key | default(false) block: - - name: Define API Key Variable - set_fact: - headscale_api_key: "{{ api_key_result.stdout }}" + - name: Execute API key generation command + ansible.builtin.command: + cmd: "docker compose exec headscale headscale apikeys create --expiration {{ api_key_expiration }}" + chdir: /etc/docker/compose/headscale + register: api_key_result + changed_when: true + + - name: Store and display newly generated API key + block: + - name: Store API Key in 
fact + ansible.builtin.set_fact: + headscale_api_key: "{{ api_key_result.stdout }}" - - name: Echo new key - ansible.builtin.debug: - msg: "Please store this API Key! {{ headscale_api_key }}" + - name: Display API Key (Requires User Action) + ansible.builtin.debug: + msg: "IMPORTANT: Please store this newly generated Headscale API Key! {{ headscale_api_key }}" - - name: Pause until user confirms - ansible.builtin.pause: - prompt: "Press return when ready!" + - name: Pause for user confirmation (API Key) + ansible.builtin.pause: + prompt: "API Key displayed. Press return to continue..." + when: api_key_result.rc == 0 # Only proceed if key generation succeeded -# System user auth key -- name: Create system key user and auth key if homelab build - when: generate_auth_key +- name: Create Headscale system user and auth key (if requested) + when: generate_auth_key | default(false) # Default to false if var is undefined block: - - name: Create system key user - ansible.builtin.shell: - cmd: docker compose exec -it headscale headscale users create "{{ auth_key_user }}" + # Note: These steps might not be fully idempotent. Re-running will attempt creation again. 
+ - name: Create system key user '{{ auth_key_user }}' + ansible.builtin.command: # Using command module is safer + cmd: "docker compose exec headscale headscale users create {{ auth_key_user }}" chdir: /etc/docker/compose/headscale + register: user_create_result + changed_when: "'User created' in user_create_result.stdout" + failed_when: user_create_result.rc != 0 and 'Cannot create user' not in user_create_result.stderr - - name: Create auth key preauthkey - ansible.builtin.shell: - cmd: docker compose exec -it headscale headscale preauthkeys create --reusable --expiration "{{ auth_key_expiration }}" --user "{{ auth_key_user }}" + - name: Create auth key for user '{{ auth_key_user }}' + ansible.builtin.command: # Using command module is safer + cmd: "docker compose exec headscale headscale preauthkeys create --reusable --expiration {{ auth_key_expiration }} --user {{ auth_key_user }}" chdir: /etc/docker/compose/headscale register: auth_key_result + changed_when: true - - name: Store and display Auth Key + - name: Store and display newly generated Auth Key block: - - name: Define Auth Key Variable - set_fact: + # This stores the *newly generated* key. Be aware of Ansible variable precedence + # if 'headscale_user_auth_key' is also defined elsewhere (like vaults). + # This fact is primarily for immediate display and user interaction below. + - name: Store Auth Key in fact + ansible.builtin.set_fact: headscale_user_auth_key: "{{ auth_key_result.stdout }}" - - name: Echo new auth key + - name: Display Auth Key (Requires User Action) ansible.builtin.debug: - msg: "Please store this Auth Key for user {{ auth_key_user }}! {{ headscale_user_auth_key }}" + msg: "IMPORTANT: Please store this newly generated Auth Key for user '{{ auth_key_user }}'! {{ headscale_user_auth_key }}" - - name: Pause until user confirms + - name: Pause for user confirmation (Auth Key) ansible.builtin.pause: - prompt: "Press return when ready!" 
- -# Proxy setup (AFTER API key generation) -- name: Build proxy compose dirs and files - ansible.builtin.file: - state: directory - dest: '/etc/docker/compose/proxy/{{ item.path }}' - with_filetree: '../templates/proxy' - when: item.state == 'directory' - -- name: Build proxy compose templates - ansible.builtin.template: - src: '{{ item.src }}' - dest: '/etc/docker/compose/proxy/{{ item.path }}' - with_filetree: '../templates/proxy' - when: item.state == 'file' - -- name: Allow mail ports - with_items: - - "25" - - "587" - - "465" - - "993" - - "4190" - community.general.ufw: - rule: allow - port: "{{ item }}" - state: "enabled" - -- name: Daemon-reload and enable proxy - ansible.builtin.systemd_service: + prompt: "Auth Key displayed. Press return to continue..." + when: auth_key_result.rc == 0 + +- name: Deploy Open Internet -> Headnet Proxy + ansible.builtin.import_tasks: manage-docker-compose-service.yml + vars: + service_name: proxy + template_render_dir: "../templates/proxy" + service_destination_dir: "{{ proxy_base }}" state: started - enabled: true - daemon_reload: true - name: docker-compose@proxy - -- name: Perform rollout for proxy - ansible.builtin.shell: - cmd: "/usr/local/bin/docker-rollout rollout -f docker-compose.yml proxy" - chdir: "/etc/docker/compose/proxy" + rollout_services: + - name: "{{ vpn_proxy_filter_container_name }}" |
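Review bot: The `chdir: /etc/docker/compose/headscale` on the three headscale exec tasks (API key, user create, preauth key) is still hard-coded while the deploy task just above now takes its location from `{{ headscale_base }}`, so if that variable ever points elsewhere the key and user commands run against a different compose project than the one just deployed; use `chdir: "{{ headscale_base }}"` on all three. The two `ansible.builtin.command` tasks that `register` a freshly created API key or preauth key should also carry `no_log: true`, since the registered stdout otherwise lands in callback output and any configured log destination in addition to the deliberate `debug` display. Dropping the quotes around `{{ auth_key_user }}` and the expiration values is safe against shell metacharacters now that `command` is used, but the `cmd` string is still split into arguments, so a value containing whitespace becomes several arguments; the `argv:` form of `command` passes each templated value as exactly one argument. The `when: api_key_result.rc == 0` on the inner block appears never to be false, because the `command` task above it has no `failed_when` or `ignore_errors` and so fails the play on a non-zero rc before the block is reached.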