Diffstat (limited to 'playbooks/roles/outbound/tasks/main.yml')
-rw-r--r--playbooks/roles/outbound/tasks/main.yml160
1 files changed, 62 insertions, 98 deletions
diff --git a/playbooks/roles/outbound/tasks/main.yml b/playbooks/roles/outbound/tasks/main.yml
index 107e71a..45540b4 100644
--- a/playbooks/roles/outbound/tasks/main.yml
+++ b/playbooks/roles/outbound/tasks/main.yml
@@ -1,119 +1,83 @@
---
-# Headscale setup
-- name: Build headscale compose dirs and files
- ansible.builtin.file:
- state: directory
- dest: '/etc/docker/compose/headscale/{{ item.path }}'
- with_filetree: '../templates/headscale'
- when: item.state == 'directory'
-
-- name: Build headscale compose templates
- ansible.builtin.template:
- src: '{{ item.src }}'
- dest: '/etc/docker/compose/headscale/{{ item.path }}'
- with_filetree: '../templates/headscale'
- when: item.state == 'file'
-
-- name: Daemon-reload and enable headscale
- ansible.builtin.systemd_service:
+- name: Deploy Headscale
+ ansible.builtin.import_tasks: manage-docker-compose-service.yml
+ vars:
+ service_name: headscale
+ template_render_dir: "../templates/headscale"
+ service_destination_dir: "{{ headscale_base }}"
state: started
- enabled: true
- daemon_reload: true
- name: docker-compose@headscale
-
-- name: Perform rollout for headscale
- ansible.builtin.shell:
- cmd: "/usr/local/bin/docker-rollout rollout -f docker-compose.yml headscale"
- chdir: "/etc/docker/compose/headscale"
-
-# User API Key
-- name: Generate API key if homelab build
- ansible.builtin.shell:
- cmd: docker compose exec -it headscale headscale apikeys create --expiration "{{ api_key_expiration }}"
- chdir: /etc/docker/compose/headscale
- register: api_key_result
- when: generate_api_key
+ rollout_services:
+ - name: headscale
-- name: Store and display API key
- when: generate_api_key
+- name: Generate Headscale API key (if requested)
+ when: generate_api_key | default(false)
block:
- - name: Define API Key Variable
- set_fact:
- headscale_api_key: "{{ api_key_result.stdout }}"
+ - name: Execute API key generation command
+ ansible.builtin.command:
+ cmd: "docker compose exec headscale headscale apikeys create --expiration {{ api_key_expiration }}"
+ chdir: /etc/docker/compose/headscale
+ register: api_key_result
+ changed_when: true
+
+ - name: Store and display newly generated API key
+ block:
+ - name: Store API Key in fact
+ ansible.builtin.set_fact:
+ headscale_api_key: "{{ api_key_result.stdout }}"
- - name: Echo new key
- ansible.builtin.debug:
- msg: "Please store this API Key! {{ headscale_api_key }}"
+ - name: Display API Key (Requires User Action)
+ ansible.builtin.debug:
+ msg: "IMPORTANT: Please store this newly generated Headscale API Key! {{ headscale_api_key }}"
- - name: Pause until user confirms
- ansible.builtin.pause:
- prompt: "Press return when ready!"
+ - name: Pause for user confirmation (API Key)
+ ansible.builtin.pause:
+ prompt: "API Key displayed. Press return to continue..."
+ when: api_key_result.rc == 0 # Only proceed if key generation succeeded
-# System user auth key
-- name: Create system key user and auth key if homelab build
- when: generate_auth_key
+- name: Create Headscale system user and auth key (if requested)
+ when: generate_auth_key | default(false) # Default to false if var is undefined
block:
- - name: Create system key user
- ansible.builtin.shell:
- cmd: docker compose exec -it headscale headscale users create "{{ auth_key_user }}"
+ # Note: These steps might not be fully idempotent. Re-running will attempt creation again.
+ - name: Create system key user '{{ auth_key_user }}'
+ ansible.builtin.command: # Using command module is safer
+ cmd: "docker compose exec headscale headscale users create {{ auth_key_user }}"
chdir: /etc/docker/compose/headscale
+ register: user_create_result
+ changed_when: "'User created' in user_create_result.stdout"
+ failed_when: user_create_result.rc != 0 and 'Cannot create user' not in user_create_result.stderr
- - name: Create auth key preauthkey
- ansible.builtin.shell:
- cmd: docker compose exec -it headscale headscale preauthkeys create --reusable --expiration "{{ auth_key_expiration }}" --user "{{ auth_key_user }}"
+ - name: Create auth key for user '{{ auth_key_user }}'
+ ansible.builtin.command: # Using command module is safer
+ cmd: "docker compose exec headscale headscale preauthkeys create --reusable --expiration {{ auth_key_expiration }} --user {{ auth_key_user }}"
chdir: /etc/docker/compose/headscale
register: auth_key_result
+ changed_when: true
- - name: Store and display Auth Key
+ - name: Store and display newly generated Auth Key
block:
- - name: Define Auth Key Variable
- set_fact:
+ # This stores the *newly generated* key. Be aware of Ansible variable precedence
+ # if 'headscale_user_auth_key' is also defined elsewhere (like vaults).
+ # This fact is primarily for immediate display and user interaction below.
+ - name: Store Auth Key in fact
+ ansible.builtin.set_fact:
headscale_user_auth_key: "{{ auth_key_result.stdout }}"
- - name: Echo new auth key
+ - name: Display Auth Key (Requires User Action)
ansible.builtin.debug:
- msg: "Please store this Auth Key for user {{ auth_key_user }}! {{ headscale_user_auth_key }}"
+ msg: "IMPORTANT: Please store this newly generated Auth Key for user '{{ auth_key_user }}'! {{ headscale_user_auth_key }}"
- - name: Pause until user confirms
+ - name: Pause for user confirmation (Auth Key)
ansible.builtin.pause:
- prompt: "Press return when ready!"
-
-# Proxy setup (AFTER API key generation)
-- name: Build proxy compose dirs and files
- ansible.builtin.file:
- state: directory
- dest: '/etc/docker/compose/proxy/{{ item.path }}'
- with_filetree: '../templates/proxy'
- when: item.state == 'directory'
-
-- name: Build proxy compose templates
- ansible.builtin.template:
- src: '{{ item.src }}'
- dest: '/etc/docker/compose/proxy/{{ item.path }}'
- with_filetree: '../templates/proxy'
- when: item.state == 'file'
-
-- name: Allow mail ports
- with_items:
- - "25"
- - "587"
- - "465"
- - "993"
- - "4190"
- community.general.ufw:
- rule: allow
- port: "{{ item }}"
- state: "enabled"
-
-- name: Daemon-reload and enable proxy
- ansible.builtin.systemd_service:
+ prompt: "Auth Key displayed. Press return to continue..."
+ when: auth_key_result.rc == 0
+
+- name: Deploy Open Internet -> Headnet Proxy
+ ansible.builtin.import_tasks: manage-docker-compose-service.yml
+ vars:
+ service_name: proxy
+ template_render_dir: "../templates/proxy"
+ service_destination_dir: "{{ proxy_base }}"
state: started
- enabled: true
- daemon_reload: true
- name: docker-compose@proxy
-
-- name: Perform rollout for proxy
- ansible.builtin.shell:
- cmd: "/usr/local/bin/docker-rollout rollout -f docker-compose.yml proxy"
- chdir: "/etc/docker/compose/proxy"
+ rollout_services:
+ - name: "{{ vpn_proxy_filter_container_name }}"
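Review bot: The generated API key and pre-auth key are captured in `api_key_result` / `auth_key_result` by the two "Execute API key generation command" and "Create auth key for user" tasks and then copied by the two `set_fact` tasks, so the secret lands in the callback output and any log plugin in addition to the deliberate `debug` display; add `no_log: true` to those four tasks and keep the `debug` task as the single intentional disclosure. `ansible.builtin.command` splits `cmd` on whitespace, so an `auth_key_user` or expiration value containing a space would be passed as several arguments now that the old quoting is gone; the list form `argv: ["docker", "compose", "exec", "headscale", "headscale", "users", "create", "{{ auth_key_user }}"]` avoids that for the three key/user commands. The three `chdir: /etc/docker/compose/headscale` lines are hard-coded while the "Deploy Headscale" task takes its location from `{{ headscale_base }}`; `chdir: "{{ headscale_base }}"` keeps them in step if that variable ever moves. As far as the hunk shows, the `when: api_key_result.rc == 0` guard on the inner block is dead, because the command task has no `failed_when` and already fails the play on a non-zero rc.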