author | Elizabeth Hunt <elizabeth.hunt@simponic.xyz> | 2024-01-03 01:30:54 -0500 |
---|---|---|
committer | Elizabeth Hunt <elizabeth.hunt@simponic.xyz> | 2024-01-03 01:30:54 -0500 |
commit | edf638080a2e9e584cf7a3042350d5eea1a3f65d (patch) | |
tree | 39cf7ff0f31f8189a82452e98e01a8d07c86df6b /roles/vpn | |
parent | 365641c4b502d2c071aa555240692d2020a407a0 (diff) | |
deploy headscale and headscale ui via docker
Diffstat (limited to 'roles/vpn')
-rw-r--r-- | roles/vpn/files/config/acl.yml (renamed from roles/vpn/files/acl.yml) | 0 | ||||
-rw-r--r-- | roles/vpn/files/config/config.yml (renamed from roles/vpn/templates/config.yml.j2) | 2 | ||||
-rw-r--r-- | roles/vpn/files/docker-compose.yml | 18 | ||||
-rw-r--r-- | roles/vpn/tasks/main.yml | 126 | ||||
-rw-r--r-- | roles/vpn/templates/headscale.service.j2 | 26 |
5 files changed, 46 insertions, 126 deletions
diff --git a/roles/vpn/files/acl.yml b/roles/vpn/files/config/acl.yml
index ed97d53..ed97d53 100644
--- a/roles/vpn/files/acl.yml
+++ b/roles/vpn/files/config/acl.yml
diff --git a/roles/vpn/templates/config.yml.j2 b/roles/vpn/files/config/config.yml
index 73b2c40..17ab98b 100644
--- a/roles/vpn/templates/config.yml.j2
+++ b/roles/vpn/files/config/config.yml
@@ -16,7 +16,7 @@ server_url: https://headscale.simponic.xyz:443
 #
 # For production:
 # listen_addr: 0.0.0.0:8080
-listen_addr: 0.0.0.0:443
+listen_addr: 0.0.0.0:8080
 
 # Address to listen to /metrics, you may want
 # to keep this endpoint private to your internal
diff --git a/roles/vpn/files/docker-compose.yml b/roles/vpn/files/docker-compose.yml
new file mode 100644
index 0000000..dc5e961
--- /dev/null
+++ b/roles/vpn/files/docker-compose.yml
@@ -0,0 +1,18 @@
+version: '3.5'
+services:
+  headscale:
+    image: headscale/headscale:latest
+    container_name: headscale
+    volumes:
+      - ./config:/etc/headscale
+      - ./data:/var/lib/headscale
+    ports:
+      - 27896:8080
+    command: headscale serve
+    restart: unless-stopped
+  headscale-ui:
+    image: ghcr.io/gurucomputing/headscale-ui:latest
+    restart: unless-stopped
+    container_name: headscale-ui
+    ports:
+      - 9443:443
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 22ca2f8..4f6bcca 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
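Review bot: Both `ports:` entries in docker-compose.yml publish on every host interface, and Docker programs its own iptables rules ahead of the ufw chain, so removing the `ufw allow 8080` task does not put these ports under the host firewall — `27896` (headscale) and `9443` (headscale-ui) become reachable from anywhere the host is. Since `server_url` is `https://headscale.simponic.xyz:443` while the container listens on 8080, a reverse proxy on the host presumably fronts headscale; if so, bind the published ports to loopback, `- 127.0.0.1:27896:8080` and `- 127.0.0.1:9443:443`, and let the proxy be the only exposed listener. Separately, `image: headscale/headscale:latest` (and the `:latest` UI image) replaces a binary download that was pinned to `headscale_version`, so the next `docker compose pull`/`up` deploys whatever upstream tagged last without review; pin a release tag or an image digest instead. Quoting the mappings (`'27896:8080'`) is also the safer YAML habit for port strings.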
@@ -1,110 +1,38 @@ --- -## UFW -- name: allow headscale tcp on 8080 - ufw: - rule: allow - port: '8080' - proto: tcp - -## INSTALL -- name: create headscale user group - group: - name: '{{ headscale_user_group }}' - gid: '{{ headscale_user_gid }}' - system: true - state: present - -- name: create headscale user - user: - name: '{{ headscale_user_name }}' - uid: '{{ headscale_user_uid }}' - group: '{{ headscale_user_group }}' - shell: /bin/false - system: true - create_home: false - -- name: download headscale binary - get_url: - url: 'https://github.com/juanfont/headscale/releases/download/v{{ headscale_version }}/headscale_{{ headscale_version }}_linux_{{ headscale_arch }}' - dest: '{{ headscale_binary_path }}' - owner: '{{ headscale_user_uid }}' - group: '{{ headscale_user_gid }}' - mode: 0770 - -- name: ensure headscale directories exist +- name: ensure headscale docker/compose exist file: - path: '{{ item }}' + path: /etc/docker/compose/headscale state: directory - owner: '{{ headscale_user_name }}' - group: '{{ headscale_user_group }}' - mode: 0755 - loop: '{{ headscale_directories }}' - -- name: ensure sqlite exists - file: - path: '{{ headscale_var_data_dir }}/db.sqlite' - state: touch - owner: '{{ headscale_user_uid }}' - group: '{{ headscale_user_gid }}' - mode: 0600 - modification_time: preserve - access_time: preserve - -- name: copy systemd unit file - template: - src: '../templates/headscale.service.j2' - dest: '/etc/systemd/system/headscale.service' - owner: '{{ headscale_user_uid }}' - group: '{{ headscale_user_gid }}' - mode: 0600 - -## CONFIG + owner: root + group: root + mode: 0700 -- name: copy configuration file template - template: - src: "../templates/config.yml.j2" - dest: "{{ headscale_config_dir }}/config.yaml" - owner: "{{ headscale_user_uid }}" - group: "{{ headscale_user_gid }}" - mode: "0600" +- name: copy headscale docker-compose.yml + copy: + src: ../files/docker-compose.yml + dest: /etc/docker/compose/headscale/docker-compose.yml + 
owner: root + group: root + mode: u=rw,g=r,o=r -- name: copy acl policies file +- name: copy headscale config volume copy: - content: '../files/acl.yml' - dest: '{{ headscale_config_dir }}/acl.yaml' - owner: '{{ headscale_user_uid }}' - group: '{{ headscale_user_gid }}' - mode: 0600 + src: ../files/config + dest: /etc/docker/compose/headscale/ + owner: root + group: root + mode: u=rw,g=r,o=r + +- name: ensure headscale data volume exist + file: + path: /etc/docker/compose/headscale/data + state: directory + owner: root + group: root + mode: 0700 -## ENABLE - name: daemon-reload and enable headscale ansible.builtin.systemd_service: state: restarted - daemon_reload: true enabled: true - name: headscale - -## CREATE USER -- name: ensure predefined users exist - command: - cmd: 'headscale users create {{ item }}' - loop: '{{ headscale_users }}' - register: user_created - changed_when: '"User created" in user_created.stdout' - -## ROUTES -- name: enable routes for node - command: - cmd: 'headscale routes enable -i {{ item.id }} -r {{ item.routes }}' - loop: '{{ headscale_enable_routes }}' - loop_control: - label: '{{ item.comment | default(item) }}' - when: not ansible_check_mode - -- name: enable exit nodes - command: - cmd: 'headscale routes enable -i {{ item.id }} -r 0.0.0.0/0,::/0' - loop: '{{ headscale_exit_nodes }}' - loop_control: - label: '{{ item.comment | default(item) }}' - when: not ansible_check_mode + name: docker-compose@headscale diff --git a/roles/vpn/templates/headscale.service.j2 b/roles/vpn/templates/headscale.service.j2 deleted file mode 100644 index 46267f0..0000000 --- a/roles/vpn/templates/headscale.service.j2 +++ /dev/null 
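Review bot: The `ensure predefined users exist`, `enable routes for node` and `enable exit nodes` tasks are deleted at the end of the hunk with no container-based replacement, so `headscale_users`, `headscale_enable_routes` and `headscale_exit_nodes` are no longer applied and client-advertised subnet routes and exit nodes stay disabled until someone runs `headscale routes enable` by hand. Restore them through the fixed container name, e.g. `command: docker exec headscale headscale users create {{ item }}` with the original `changed_when`, and likewise for `routes enable`. The `copy headscale config volume` task gives config.yml and acl.yml `o=r`; nothing in the hunk shows secrets in them, but a headscale config can carry OIDC client secrets, so `mode: '0640'` (the old task used 0600) under the 0700 parent costs nothing. The `docker-compose@headscale` unit this play enables is not provided under roles/vpn, so it presumably comes from another role; the dropped `daemon_reload: true` matters if that unit file is installed in the same run.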
@@ -1,26 +0,0 @@
-[Unit]
-Description=headscale coordination server
-After=syslog.target
-After=network.target
-
-[Service]
-Type=simple
-Environment=GIN_MODE=release
-User={{ headscale_user_name }}
-Group={{ headscale_user_group }}
-ExecStart={{ headscale_binary_path }} serve
-ExecReload=kill -HUP $MAINPID
-Restart=always
-RestartSec=5
-
-# Optional security enhancements
-NoNewPrivileges=yes
-PrivateTmp=yes
-ProtectSystem=strict
-ProtectHome=yes
-ReadWritePaths={{ headscale_var_data_dir }} {{ headscale_pid_dir }}
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-RuntimeDirectory={{ headscale_user_name }}
-
-[Install]
-WantedBy=multi-user.target
|