Diffstat (limited to 'roles/vpn')
-rw-r--r--roles/vpn/files/config/acl.yml (renamed from roles/vpn/files/acl.yml)0
-rw-r--r--roles/vpn/files/config/config.yml (renamed from roles/vpn/templates/config.yml.j2)2
-rw-r--r--roles/vpn/files/docker-compose.yml18
-rw-r--r--roles/vpn/tasks/main.yml126
-rw-r--r--roles/vpn/templates/headscale.service.j226
5 files changed, 46 insertions, 126 deletions
diff --git a/roles/vpn/files/acl.yml b/roles/vpn/files/config/acl.yml
index ed97d53..ed97d53 100644
--- a/roles/vpn/files/acl.yml
+++ b/roles/vpn/files/config/acl.yml
diff --git a/roles/vpn/templates/config.yml.j2 b/roles/vpn/files/config/config.yml
index 73b2c40..17ab98b 100644
--- a/roles/vpn/templates/config.yml.j2
+++ b/roles/vpn/files/config/config.yml
@@ -16,7 +16,7 @@ server_url: https://headscale.simponic.xyz:443
#
# For production:
# listen_addr: 0.0.0.0:8080
-listen_addr: 0.0.0.0:443
+listen_addr: 0.0.0.0:8080
# Address to listen to /metrics, you may want
# to keep this endpoint private to your internal
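Review bot: With `listen_addr` changed to `0.0.0.0:8080` while `server_url` in the hunk header still advertises `https://headscale.simponic.xyz:443`, headscale no longer serves TLS itself; whatever fronts host port 27896 (the mapping in the new docker-compose.yml) must terminate TLS and forward to the container, and that dependency is recorded nowhere in this file. I would add above the key: `# Plaintext inside the container: TLS for server_url must be terminated by whatever fronts the published host port (27896).` Note also that the file moved from templates/config.yml.j2 to files/config/config.yml, so it is now copied verbatim with no Jinja rendering — if any `{{ }}` expressions remain elsewhere in the file (not visible in this hunk) they will ship as literal text. The rest of the config file is outside the hunk.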
diff --git a/roles/vpn/files/docker-compose.yml b/roles/vpn/files/docker-compose.yml
new file mode 100644
index 0000000..dc5e961
--- /dev/null
+++ b/roles/vpn/files/docker-compose.yml
@@ -0,0 +1,18 @@
+version: '3.5'
+services:
+ headscale:
+ image: headscale/headscale:latest
+ container_name: headscale
+ volumes:
+ - ./config:/etc/headscale
+ - ./data:/var/lib/headscale
+ ports:
+ - 27896:8080
+ command: headscale serve
+ restart: unless-stopped
+ headscale-ui:
+ image: ghcr.io/gurucomputing/headscale-ui:latest
+ restart: unless-stopped
+ container_name: headscale-ui
+ ports:
+ - 9443:443
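Review bot: Both services publish on all interfaces (`27896:8080`, `9443:443`), and Docker's published ports are inserted into its own iptables chain ahead of UFW, so the ufw rule deleted in tasks/main.yml was not protecting them and nothing else does now; if a reverse proxy on the host fronts headscale, bind to loopback with `- "127.0.0.1:27896:8080"` and likewise `- "127.0.0.1:9443:443"` (quoted, per Compose convention for port strings). Both images track `:latest`, whereas the replaced get_url task pinned `headscale_version` — a mutable tag means every `restart` of the unit can silently pull a different coordination server, so pin a release tag or digest. The deleted headscale.service.j2 ran as a dedicated system user with NoNewPrivileges/ProtectSystem; the compose file carries none of that, so at minimum add `security_opt` and `cap_drop` to the headscale service (whether the image needs any capability back, or a `user:` line to match the root-owned 0700 data directory, I cannot tell from the diff — test before deploying).
```yaml
services:
  headscale:
    image: headscale/headscale:<pinned tag or sha256 digest>
    container_name: headscale
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    volumes:
      - ./config:/etc/headscale
      - ./data:/var/lib/headscale
    ports:
      - "127.0.0.1:27896:8080"
    # … unchanged: command, restart …
  # … unchanged: headscale-ui service (bind its port to 127.0.0.1 the same way) …
```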
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 22ca2f8..4f6bcca 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -1,110 +1,38 @@
---
-## UFW
-- name: allow headscale tcp on 8080
- ufw:
- rule: allow
- port: '8080'
- proto: tcp
-
-## INSTALL
-- name: create headscale user group
- group:
- name: '{{ headscale_user_group }}'
- gid: '{{ headscale_user_gid }}'
- system: true
- state: present
-
-- name: create headscale user
- user:
- name: '{{ headscale_user_name }}'
- uid: '{{ headscale_user_uid }}'
- group: '{{ headscale_user_group }}'
- shell: /bin/false
- system: true
- create_home: false
-
-- name: download headscale binary
- get_url:
- url: 'https://github.com/juanfont/headscale/releases/download/v{{ headscale_version }}/headscale_{{ headscale_version }}_linux_{{ headscale_arch }}'
- dest: '{{ headscale_binary_path }}'
- owner: '{{ headscale_user_uid }}'
- group: '{{ headscale_user_gid }}'
- mode: 0770
-
-- name: ensure headscale directories exist
+- name: ensure headscale docker/compose exist
file:
- path: '{{ item }}'
+ path: /etc/docker/compose/headscale
state: directory
- owner: '{{ headscale_user_name }}'
- group: '{{ headscale_user_group }}'
- mode: 0755
- loop: '{{ headscale_directories }}'
-
-- name: ensure sqlite exists
- file:
- path: '{{ headscale_var_data_dir }}/db.sqlite'
- state: touch
- owner: '{{ headscale_user_uid }}'
- group: '{{ headscale_user_gid }}'
- mode: 0600
- modification_time: preserve
- access_time: preserve
-
-- name: copy systemd unit file
- template:
- src: '../templates/headscale.service.j2'
- dest: '/etc/systemd/system/headscale.service'
- owner: '{{ headscale_user_uid }}'
- group: '{{ headscale_user_gid }}'
- mode: 0600
-
-## CONFIG
+ owner: root
+ group: root
+ mode: 0700
-- name: copy configuration file template
- template:
- src: "../templates/config.yml.j2"
- dest: "{{ headscale_config_dir }}/config.yaml"
- owner: "{{ headscale_user_uid }}"
- group: "{{ headscale_user_gid }}"
- mode: "0600"
+- name: copy headscale docker-compose.yml
+ copy:
+ src: ../files/docker-compose.yml
+ dest: /etc/docker/compose/headscale/docker-compose.yml
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
-- name: copy acl policies file
+- name: copy headscale config volume
copy:
- content: '../files/acl.yml'
- dest: '{{ headscale_config_dir }}/acl.yaml'
- owner: '{{ headscale_user_uid }}'
- group: '{{ headscale_user_gid }}'
- mode: 0600
+ src: ../files/config
+ dest: /etc/docker/compose/headscale/
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+
+- name: ensure headscale data volume exist
+ file:
+ path: /etc/docker/compose/headscale/data
+ state: directory
+ owner: root
+ group: root
+ mode: 0700
-## ENABLE
- name: daemon-reload and enable headscale
ansible.builtin.systemd_service:
state: restarted
- daemon_reload: true
enabled: true
- name: headscale
-
-## CREATE USER
-- name: ensure predefined users exist
- command:
- cmd: 'headscale users create {{ item }}'
- loop: '{{ headscale_users }}'
- register: user_created
- changed_when: '"User created" in user_created.stdout'
-
-## ROUTES
-- name: enable routes for node
- command:
- cmd: 'headscale routes enable -i {{ item.id }} -r {{ item.routes }}'
- loop: '{{ headscale_enable_routes }}'
- loop_control:
- label: '{{ item.comment | default(item) }}'
- when: not ansible_check_mode
-
-- name: enable exit nodes
- command:
- cmd: 'headscale routes enable -i {{ item.id }} -r 0.0.0.0/0,::/0'
- loop: '{{ headscale_exit_nodes }}'
- loop_control:
- label: '{{ item.comment | default(item) }}'
- when: not ansible_check_mode
+ name: docker-compose@headscale
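Review bot: The "copy headscale config volume" task applies `mode: u=rw,g=r,o=r` recursively to a directory source, so the `config` directory itself ends up 0644 (no execute bit, so only root can traverse it) and config.yaml/acl.yaml — previously written 0600 and owned by the headscale user — become group/world-readable, protected only by the 0700 parent directory; use `mode: u=rw,g=,o=` together with `directory_mode: u=rwx,g=,o=` so files and directories get distinct, least-privilege modes. The final task enables `docker-compose@headscale`, but no `docker-compose@.service` template unit is created in this role (the only unit file is being deleted), so unless another role installs it the service will fail to start. Minor: quote the octal modes (`mode: "0700"`) rather than relying on the YAML 1.1 leading-zero octal parse.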
diff --git a/roles/vpn/templates/headscale.service.j2 b/roles/vpn/templates/headscale.service.j2
deleted file mode 100644
index 46267f0..0000000
--- a/roles/vpn/templates/headscale.service.j2
+++ /dev/null
@@ -1,26 +0,0 @@
-[Unit]
-Description=headscale coordination server
-After=syslog.target
-After=network.target
-
-[Service]
-Type=simple
-Environment=GIN_MODE=release
-User={{ headscale_user_name }}
-Group={{ headscale_user_group }}
-ExecStart={{ headscale_binary_path }} serve
-ExecReload=kill -HUP $MAINPID
-Restart=always
-RestartSec=5
-
-# Optional security enhancements
-NoNewPrivileges=yes
-PrivateTmp=yes
-ProtectSystem=strict
-ProtectHome=yes
-ReadWritePaths={{ headscale_var_data_dir }} {{ headscale_pid_dir }}
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-RuntimeDirectory={{ headscale_user_name }}
-
-[Install]
-WantedBy=multi-user.target