Diffstat (limited to 'playbooks/roles/outbound')
3 files changed, 34 insertions, 12 deletions
diff --git a/playbooks/roles/outbound/templates/headscale/config/acl.json b/playbooks/roles/outbound/templates/headscale/config/acl.json
index dcdd954..410de11 100644
--- a/playbooks/roles/outbound/templates/headscale/config/acl.json
+++ b/playbooks/roles/outbound/templates/headscale/config/acl.json
@@ -2,7 +2,7 @@
 "groups": {
 "group:vpn_admins": [
 {% for user in vpn_admins %}
- "{{ user }}{{ oauth_user_suffix }}"{{ ", " if not loop.last else "" }}
+ "{{ user }}@{{ oauth_user_suffix }}"{{ ", " if not loop.last else "" }}
 {% endfor %}
 ]
 },
@@ -10,26 +10,26 @@
 {% for user in vpn_users %}
 {
 "action": "accept",
- "src": ["{{ user }}{{ oauth_user_suffix }}"],
- "dst": ["{{ user }}{{ oauth_user_suffix }}:*"]
+ "src": ["{{ user }}@{{ oauth_user_suffix }}"],
+ "dst": ["{{ user }}@{{ oauth_user_suffix }}:*"]
 },
 {% endfor %}
 {
 "action": "accept",
- "src": ["{{ auth_key_user }}"],
- "dst": ["{{ auth_key_user }}:*", "{{ loadbalancer_ip }}/32:*"]
+ "src": ["{{ auth_key_user }}@"],
+ "dst": ["{{ auth_key_user }}@:*", "{{ loadbalancer_ip }}/32:*"]
 },
 {% for user, m in mesh.items() %}
 {
 "action": "accept",
- "src": ["{{ user }}{{ oauth_user_suffix }}"],
- "dst": ["{{ m.gateway }}/32:*]"
+ "src": ["{{ user }}@{{ oauth_user_suffix }}"],
+ "dst": ["{{ m.gateway }}/32:*"]
 },
 {% endfor %}
 {
 "action": "accept",
 "src": ["group:vpn_admins"],
- "dst": ["{{ loadbalancer_ip }}/32:*"]
+ "dst": [{% for user, m in mesh.items() %} "{{ m.gateway }}/32:*", {% endfor %} "{{ loadbalancer_ip }}/32:*"]
 }
 ]
 }
diff --git a/playbooks/roles/outbound/templates/headscale/config/config.yaml b/playbooks/roles/outbound/templates/headscale/config/config.yaml
index d3bff5a..54657b2 100644
--- a/playbooks/roles/outbound/templates/headscale/config/config.yaml
+++ b/playbooks/roles/outbound/templates/headscale/config/config.yaml
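Review bot: The rewritten `group:vpn_admins` rule at the end of the second hunk now grants admins `:*` (every port) on every mesh gateway as well as the load balancer, so the reach of a single compromised admin identity grows with each `mesh` entry; if admins only need specific services on the gateways, name those ports instead of `*`, e.g. `"{{ m.gateway }}/32:22,443"`. The inline `{% for %}` in that `dst` renders correctly for an empty `mesh` because the load-balancer entry follows the loop and carries no trailing comma. This hunk also fixes a bracket typo in the per-mesh rule (`/32:*]"`), which is exactly the kind of regression that only surfaces when headscale parses the rendered file — consider a `validate:` step on the template task, or a CI step that renders the template and runs it through a JSON/HuJSON parser, so ACL breakage fails at deploy time rather than at service start.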
@@ -120,14 +120,18 @@ policy:
 dns:
 magic_dns: true
 base_domain: "{{ headscale_base_domain }}"
+ search_domains: []
 nameservers:
 global:
 - {{ headscale_dns_for_connected_clients_1 }}
 - {{ headscale_dns_for_connected_clients_2 }}
 split:
- {{ domain }}:
- - {{ loadbalancer_ip }}
- search_domains: []
+{% for user, m in mesh.items() %}
+{% if "split_vpn_dns_to" in m %}
+ {{ m.domain }}:
+ - {{ m.split_vpn_dns_to }}
+{% endif %}
+{% endfor %}
 unix_socket: /var/run/headscale/headscale.sock
 unix_socket_permission: "0770"
@@ -151,7 +155,6 @@ oidc:
 - {{ domain }}
 allowed_groups:
 - vpn@{{ idm_domain }}
- strip_email_domain: true
 # Logtail configuration
 # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
diff --git a/playbooks/roles/outbound/templates/proxy/nginx/conf.d/mon.conf b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/mon.conf
new file mode 100644
index 0000000..601e200
--- /dev/null
+++ b/playbooks/roles/outbound/templates/proxy/nginx/conf.d/mon.conf
@@ -0,0 +1,19 @@
+server {
+ listen 80;
+ server_name mon.liz.coffee;
+
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+ set_real_ip_from {{ docker_network }};
+
+ location / {
+ proxy_pass https://{{ loadbalancer_ip }};
+ proxy_ssl_verify off;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
|
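Review bot: The new `split:` loop guards only on `"split_vpn_dns_to" in m` but also dereferences `m.domain`, so a mesh entry that sets the nameserver without a `domain` renders an empty or undefined key under `split:` (exactly what happens depends on the Jinja undefined mode in use); guard both fields, `{% if "split_vpn_dns_to" in m and "domain" in m %}`. Two mesh entries that share the same `domain` would also emit a duplicate YAML key, where the last one silently wins, so either reject that case in the inventory or merge the nameservers per domain before rendering. When no entry carries `split_vpn_dns_to`, `split:` is left with no children (YAML null); headscale presumably treats that as an empty map, but it is worth confirming against the version being deployed, since the hunk's `split:` line itself is unchanged context and cannot be made conditional without touching lines outside this diff.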
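Review bot: `proxy_ssl_verify off;` in the new `mon.conf` makes nginx accept any certificate from `{{ loadbalancer_ip }}`, so the hop to the upstream is encrypted but not authenticated and an on-path host inside that network could stand in for the monitoring backend; verify the upstream instead with `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate <path-to-upstream-ca-bundle>;` and `proxy_ssl_name <upstream-hostname>;` together with `proxy_ssl_server_name on;` (both values are placeholders to fill from the deployment). `set_real_ip_from {{ docker_network }};` combined with `real_ip_recursive on;` trusts `X-Forwarded-For` from every container on that network, so any container there can spoof the client address that ends up in `X-Real-IP` and the logs — narrow it to the front proxy's own address if one exists. The server block listens only on port 80 with no TLS, which is fine if a TLS-terminating proxy sits in front (the `set_real_ip_from` line suggests one), but otherwise `mon.liz.coffee` is served in plaintext and should at least redirect to HTTPS.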