Diffstat (limited to 'playbooks/roles/outbound/templates')
5 files changed, 50 insertions, 11 deletions
diff --git a/playbooks/roles/outbound/templates/headscale/config/config.yaml b/playbooks/roles/outbound/templates/headscale/config/config.yaml index 54657b2..078058e 100644 --- a/playbooks/roles/outbound/templates/headscale/config/config.yaml +++ b/playbooks/roles/outbound/templates/headscale/config/config.yaml @@ -7,7 +7,7 @@ listen_addr: '{{ headscale_listen_addr }}' # to keep this endpoint private to your internal # network # -metrics_listen_addr: 127.0.0.1:9090 +metrics_listen_addr: '{{ headscale_metrics_listen_addr }}' # The Noise section includes specific configuration for the # TS2021 Noise protocol @@ -122,9 +122,7 @@ dns: base_domain: "{{ headscale_base_domain }}" search_domains: [] nameservers: - global: - - {{ headscale_dns_for_connected_clients_1 }} - - {{ headscale_dns_for_connected_clients_2 }} + global: {{ headscale_dns_for_connected_clients | tojson }} split: {% for user, m in mesh.items() %} {% if "split_vpn_dns_to" in m %} diff --git a/playbooks/roles/outbound/templates/headscale/docker-compose.yml b/playbooks/roles/outbound/templates/headscale/docker-compose.yml index 515630c..463db70 100644 --- a/playbooks/roles/outbound/templates/headscale/docker-compose.yml +++ b/playbooks/roles/outbound/templates/headscale/docker-compose.yml @@ -12,16 +12,19 @@ services: networks: - proxy environment: - - DEPLOYMENT_TIME={{ deployment_time }} - - VIRTUAL_HOST={{ headscale_host }} - - VIRTUAL_PORT={{ headscale_port }} - - LETSENCRYPT_HOST={{ headscale_host }} + DEPLOYMENT_TIME: "{{ deployment_time }}" + VIRTUAL_HOST_MULTIPORTS: |- + {{ headscale_host }}: + "/": + port: {{ headscale_port }} + "/metrics": + port: {{ headscale_metrics_port }} {% if homelab_build %} healthcheck: disable: true {% else %} healthcheck: - test: ["CMD", "wget", "-qO", "-", "http://localhost:{{ headscale_port }}/health"] + test: ["CMD", "wget", "-qO", "-", "http://localhost:{{ headscale_port }}/health"] interval: 10s timeout: 5s retries: 3 
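Review bot: The comment kept just above `metrics_listen_addr` still tells operators to keep this endpoint private, yet the value is no longer pinned to loopback, and the docker-compose.yml hunk in this commit adds a `"/metrics":` route on `{{ headscale_host }}` pointing at `headscale_metrics_port`. If that virtual host is reachable from outside, the metrics are served there with no access restriction visible in this diff. Consider dropping the `"/metrics":` / `port: {{ headscale_metrics_port }}` pair and scraping over the internal `proxy` network, or restricting that path at the proxy; at minimum add a comment such as `# must only be reachable from the proxy network, never published` above the templated line. The default of `headscale_metrics_listen_addr` is defined outside this diff, so the resulting bind address should be confirmed there.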
@@ -34,11 +37,12 @@ services: networks: - proxy environment: + - TZ={{ timezone }} - DEPLOYMENT_TIME={{ deployment_time }} - VIRTUAL_HOST={{ headscale_host }} - VIRTUAL_PORT={{ headscale_port }} - LETSENCRYPT_HOST={{ headscale_host }} - - VIRTUAL_PATH=/web/ + - VIRTUAL_PATH=/web/ - VIRTUAL_DEST=/web/ networks: diff --git a/playbooks/roles/outbound/templates/proxy/docker-compose.yml b/playbooks/roles/outbound/templates/proxy/docker-compose.yml index c754cdc..654c5da 100644 --- a/playbooks/roles/outbound/templates/proxy/docker-compose.yml +++ b/playbooks/roles/outbound/templates/proxy/docker-compose.yml @@ -66,4 +66,3 @@ networks: driver: bridge proxy: external: true - diff --git a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/coffee.conf b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/coffee.conf new file mode 100644 index 0000000..5fa47be --- /dev/null +++ b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/coffee.conf @@ -0,0 +1,19 @@ +server { + listen 80; + server_name liz.coffee; + + real_ip_header X-Forwarded-For; + real_ip_recursive on; + set_real_ip_from {{ docker_network }}; + + location / { + proxy_pass https://{{ loadbalancer_ip }}; + proxy_ssl_verify off; + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } +} diff --git a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/fwdauth.conf b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/fwdauth.conf new file mode 100644 index 0000000..a2696bf --- /dev/null +++ b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/fwdauth.conf 
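Review bot: `proxy_ssl_verify off;` in the new coffee.conf `location /` block means the certificate presented by `{{ loadbalancer_ip }}` is never validated, so the upstream hop is encrypted but not authenticated; the new fwdauth.conf in this commit carries the identical line. If the load balancer's certificate chains to a CA you control, prefer `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <PATH_TO_CA_BUNDLE>;` and `proxy_ssl_name $host;` (the path is a placeholder, since the CA location is not on this page). If verification cannot be enabled, a short comment stating why and which network segment is being trusted would document the decision for the next reader.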
@@ -0,0 +1,19 @@
+server {
+ listen 80;
+ server_name fwdauth.liz.coffee;
+
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+ set_real_ip_from {{ docker_network }};
+
+ location / {
+ proxy_pass https://{{ loadbalancer_ip }};
+ proxy_ssl_verify off;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+} |