Diffstat (limited to 'roles/vpn')
-rw-r--r-- | roles/vpn/files/config/acl.json | 11 | ||||
-rw-r--r-- | roles/vpn/files/docker-compose.yml | 4 | ||||
-rw-r--r-- | roles/vpn/templates/config.yml.j2 | 6 |
3 files changed, 14 insertions, 7 deletions
diff --git a/roles/vpn/files/config/acl.json b/roles/vpn/files/config/acl.json
index 2dbb13a..7c28276 100644
--- a/roles/vpn/files/config/acl.json
+++ b/roles/vpn/files/config/acl.json
@@ -1,6 +1,7 @@
 {
 "groups": {
- "group:admin": ["elizabeth.hunt"]
+ "group:admin": ["elizabeth.hunt"],
+ "group:sys": ["sys"]
 },
 "tagOwners": {
 "tag:prod": ["group:admin"],
@@ -14,8 +15,14 @@
 "dst": [
 "tag:dev:*",
 "tag:private:*",
- "tag:prod:*"
+ "tag:prod:*",
+ "group:sys:*"
 ]
+ },
+ {
+ "action": "accept",
+ "src": ["group:sys"],
+ "dst": ["group:sys:*"]
 }
 ]
 }
diff --git a/roles/vpn/files/docker-compose.yml b/roles/vpn/files/docker-compose.yml
index dc5e961..38d58d3 100644
--- a/roles/vpn/files/docker-compose.yml
+++ b/roles/vpn/files/docker-compose.yml
@@ -7,7 +7,7 @@ services:
 - ./config:/etc/headscale
 - ./data:/var/lib/headscale
 ports:
- - 27896:8080
+ - 127.0.0.1:27896:8080
 command: headscale serve
 restart: unless-stopped
 headscale-ui:
@@ -15,4 +15,4 @@ services:
 restart: unless-stopped
 container_name: headscale-ui
 ports:
- - 9443:443
+ - 127.0.0.1:9443:443
diff --git a/roles/vpn/templates/config.yml.j2 b/roles/vpn/templates/config.yml.j2
index 4f815f4..d083c8f 100644
--- a/roles/vpn/templates/config.yml.j2
+++ b/roles/vpn/templates/config.yml.j2
@@ -177,7 +177,7 @@ dns_config:
 # List of DNS servers to expose to clients.
 nameservers:
- - 1.1.1.1
+ - {{ johan_ip }}
 # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
 # "abc123" is example NextDNS ID, replace with yours.
@@ -202,7 +202,7 @@ dns_config:
 # - 8.8.8.8
 # Search domains to inject.
- domains: ['simponic.xyz']
+ domains: ['simponic.xyz', 'internal.simponic.xyz']
 # Extra DNS records
 # so far only A-records are supported (on the tailscale side)
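Review bot: The new rule in the second acl.json hunk, `"src": ["group:sys"], "dst": ["group:sys:*"]`, opens every port between all nodes owned by the `sys` user, and the admin rule just above it gains `"group:sys:*"` with the same port wildcard; if those machines only need a few services from each other, narrow `:*` to the specific ports so one compromised sys node cannot reach arbitrary listeners on its peers. Both hunks hinge on a headscale user literally named `sys` (the first hunk defines `"group:sys": ["sys"]`); depending on the headscale version, an unknown user either makes the group match nothing or gets the policy rejected on reload, so confirm the user exists before this ships. Since the file is plain `.json` there is nowhere to record why group:sys needs full mutual access; a sentence in the commit message or the role README would help the next reader.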
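Review bot: The two port mappings, `- 127.0.0.1:27896:8080` in this hunk and `- 127.0.0.1:9443:443` in the next one, are plain scalars; Compose port strings should be quoted (`- "127.0.0.1:27896:8080"`, `- "127.0.0.1:9443:443"`) so YAML never reinterprets a digit-and-colon value and the file follows the Compose documentation's convention. Binding to loopback is the right fix for Docker-published ports bypassing host firewall rules, but it presumes something else on the host (a reverse proxy) now exposes these endpoints; that proxy is not in this diff, so verify it exists before the change is applied, otherwise the headscale control port becomes unreachable from the nodes it serves.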
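Review bot: `- {{ johan_ip }}` is rendered unquoted in the first config.yml.j2 hunk; Ansible errors on an undefined variable by default but not on an empty one, and an empty expansion leaves `- ` which YAML reads as a null list entry that headscale will most likely reject at startup, so write `- "{{ johan_ip }}"` and consider asserting the variable is non-empty in the play. Replacing the public resolver with a single internal host also drops any fallback: every VPN client's DNS now depends on that one host, and the second hunk adds `internal.simponic.xyz` as a search domain that only resolves if that server answers for it, so a second nameserver or a comment documenting the dependency is worth adding. The `dns_config` block begins and continues outside both hunks.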
@@ -223,7 +223,7 @@ dns_config:
 # `base_domain` must be a FQDNs, without the trailing dot.
 # The FQDN of the hosts will be
 # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
- base_domain: headscale.simponic.xyz
+ base_domain: internal.simponic.xyz
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like: |
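Review bot: `+ base_domain: internal.simponic.xyz` now equals one of the search domains added in the previous hunk, and per the comment directly above it MagicDNS names become `hostname.user.internal.simponic.xyz`; make sure the headscale `server_url` is not itself under that domain, because headscale versions that implement the check refuse to start when server_url contains base_domain (the nodes would otherwise lose the name of their own control server). The old value `headscale.simponic.xyz` is probably still referenced elsewhere in the role (server_url, certificates, client join instructions), none of which is in this diff, so verify the rename is complete. The `dns_config` block begins before this hunk and continues past it.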