authorElizabeth Hunt <elizabeth.hunt@simponic.xyz>2024-01-02 19:05:01 -0500
committerElizabeth Hunt <elizabeth.hunt@simponic.xyz>2024-01-02 19:29:46 -0500
commitb0a563db34c7ac86f36c3f293ea8610de1c8a35c (patch)
treeb82cc3741cdb34d871eb17e68b7f894fbc0cbe3c /roles/vpn
parentc6a770bd1a6cab43ec4282043bf4f5d6e175c19c (diff)
finish headscale setup
Diffstat (limited to 'roles/vpn')
-rw-r--r--roles/vpn/handlers/main.yml14
-rw-r--r--roles/vpn/tasks/main.yml25
-rw-r--r--roles/vpn/templates/config.yml.j214
3 files changed, 24 insertions, 29 deletions
diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml
deleted file mode 100644
index 4333c5f..0000000
--- a/roles/vpn/handlers/main.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-- name: restart headscale service
- service:
- name: headscale
- state: restarted
- enabled: true
- daemon-reload: true
- listen: 'restart headscale'
-
-- name: reload headscale
- service:
- name: headscale
- state: reloaded
- listen: 'reload headscale'
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 1715886..22ca2f8 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -1,4 +1,11 @@
---
+## UFW
+- name: allow headscale tcp on 8080
+ ufw:
+ rule: allow
+ port: '8080'
+ proto: tcp
+
## INSTALL
- name: create headscale user group
group:
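Review bot: The new UFW task allows 8080/tcp, but config.yml.j2 in this same commit moves `listen_addr` from `127.0.0.1:8080` to `0.0.0.0:443`, so the rule opens a port headscale no longer listens on and leaves the port it does use closed. Change it to `port: '443'`, or better, feed both the rule and the template from one `headscale_listen_port` variable so they cannot drift apart again. If the TLS setup relies on Let's Encrypt's HTTP-01 challenge, port 80 needs a matching rule as well; the challenge type is not visible in this diff. Adding `comment: headscale` to the rule makes it identifiable in `ufw status` output.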
@@ -51,13 +58,6 @@
group: '{{ headscale_user_gid }}'
mode: 0600
-- name: daemon-reload and enable headscale
- ansible.builtin.systemd_service:
- state: restarted
- daemon_reload: true
- enabled: true
- name: headscale
-
## CONFIG
- name: copy configuration file template
@@ -67,7 +67,6 @@
owner: "{{ headscale_user_uid }}"
group: "{{ headscale_user_gid }}"
mode: "0600"
- notify: reload headscale
- name: copy acl policies file
copy:
@@ -76,8 +75,16 @@
owner: '{{ headscale_user_uid }}'
group: '{{ headscale_user_gid }}'
mode: 0600
- notify: reload headscale
+## ENABLE
+- name: daemon-reload and enable headscale
+ ansible.builtin.systemd_service:
+ state: restarted
+ daemon_reload: true
+ enabled: true
+ name: headscale
+
+## CREATE USER
- name: ensure predefined users exist
command:
cmd: 'headscale users create {{ item }}'
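Review bot: With handlers/main.yml deleted and `notify` removed from the copy tasks, `state: restarted` on the systemd task now restarts headscale on every play run whether or not the config or ACL changed, dropping every node's control-plane session for nothing. Register the two copy tasks (`register: headscale_config`, `register: headscale_acl`) and make the restart conditional, e.g. `state: "{{ 'restarted' if (headscale_config is changed or headscale_acl is changed) else 'started' }}"`. The `headscale users create` command runs immediately after the restart; whether it waits for the socket to come up and is idempotent on a second run cannot be told here because the task continues past the hunk, so a `creates:` or `changed_when:`/`failed_when:` guard is worth confirming.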
diff --git a/roles/vpn/templates/config.yml.j2 b/roles/vpn/templates/config.yml.j2
index 5105dcd..4eb5359 100644
--- a/roles/vpn/templates/config.yml.j2
+++ b/roles/vpn/templates/config.yml.j2
@@ -10,13 +10,13 @@
#
# https://myheadscale.example.com:443
#
-server_url: http://127.0.0.1:8080
+server_url: https://nijika.simponic.xyz:443
# Address to listen to / bind to on the server
#
# For production:
# listen_addr: 0.0.0.0:8080
-listen_addr: 127.0.0.1:8080
+listen_addr: 0.0.0.0:443
# Address to listen to /metrics, you may want
# to keep this endpoint private to your internal
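Review bot: `listen_addr: 0.0.0.0:443` is a privileged port, and this role creates a dedicated `headscale` user/group for the service files; if the unit runs as that user (the unit file is not in this diff), the bind will fail unless the unit grants `AmbientCapabilities=CAP_NET_BIND_SERVICE` or the binary carries that capability. Since `server_url`, `listen_addr` and the UFW rule in tasks/main.yml all now encode a port, a comment tying them together would help: `# port must match listen_addr and the ufw rule in tasks/main.yml`. A later hunk sets `dns_config.base_domain` to the same host as `server_url`; I believe newer headscale releases refuse to start when server_url falls inside base_domain, because MagicDNS would then shadow the control server, so a dedicated base domain avoids that on upgrade.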
@@ -48,6 +48,8 @@ noise:
# using the new Noise-based protocol.
private_key_path: /var/lib/headscale/noise_private.key
+private_key_path: /var/lib/headscale/private.key
+
# List of IP prefixes to allocate tailaddresses from.
# Each prefix consists of either an IPv4 or IPv6 address,
# and the associated prefix length, delimited by a slash.
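Review bot: The added `private_key_path` sits at column 0, so it is the top-level (legacy WireGuard) key, distinct from `noise.private_key_path` on the line above; if it was meant to be nested under `noise:` it would instead be a duplicate key that most YAML parsers resolve silently to the last value. Because the two lines look identical at a glance, a comment such as `# legacy WireGuard key; separate from noise.private_key_path above` would stop the next editor from "fixing" it. Both key files are created by headscale at runtime under /var/lib/headscale; the role applies 0600 to the files it copies, but the directory's own owner and mode are not visible in this diff and should be confirmed to be headscale-owned and not group/world readable.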
@@ -158,10 +160,10 @@ db_path: /var/lib/headscale/db.sqlite
acme_url: https://acme-v02.api.letsencrypt.org/directory
# Email to register with ACME provider
-acme_email: ""
+acme_email: "elizabeth.hunt@simponic.xyz"
# Domain name to request a TLS certificate for:
-tls_letsencrypt_hostname: ""
+tls_letsencrypt_hostname: "nijika.simponic.xyz"
# Path to store certificates and metadata needed by
# letsencrypt
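Review bot: Setting `tls_letsencrypt_hostname` turns on built-in ACME, and unless `tls_letsencrypt_challenge_type` (not in this diff) is TLS-ALPN-01, headscale's default HTTP-01 challenge listens on `tls_letsencrypt_listen` (`:http`, port 80), which the new UFW task does not open, so issuance will time out. Either add an `allow 80/tcp` rule in tasks/main.yml or set `tls_letsencrypt_challenge_type: TLS-ALPN-01`, which only needs the 443 listener. The certificate cache directory configured below this hunk must be writable by the service user, otherwise certificates are re-requested on every restart and Let's Encrypt rate limits are hit quickly.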
@@ -231,7 +233,7 @@ dns_config:
# - 8.8.8.8
# Search domains to inject.
- domains: []
+ domains: ['simponic.xyz']
# Extra DNS records
# so far only A-records are supported (on the tailscale side)
@@ -252,7 +254,7 @@ dns_config:
# `base_domain` must be a FQDNs, without the trailing dot.
# The FQDN of the hosts will be
# `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
- base_domain: example.com
+ base_domain: nijika.simponic.xyz
# Unix socket used for the CLI to connect without authentication
# Note: for production you will want to set this to something like: