Diffstat (limited to 'roles')
-rw-r--r--roles/vpn/files/config/acl.json21
-rw-r--r--roles/vpn/files/config/acl.yml4
-rw-r--r--roles/vpn/tasks/main.yml2
-rw-r--r--roles/vpn/templates/config.yml.j25
4 files changed, 24 insertions, 8 deletions
diff --git a/roles/vpn/files/config/acl.json b/roles/vpn/files/config/acl.json
new file mode 100644
index 0000000..2dbb13a
--- /dev/null
+++ b/roles/vpn/files/config/acl.json
@@ -0,0 +1,21 @@
+{
+ "groups": {
+ "group:admin": ["elizabeth.hunt"]
+ },
+ "tagOwners": {
+ "tag:prod": ["group:admin"],
+ "tag:private": ["group:admin"],
+ "tag:dev": ["group:admin"]
+ },
+ "acls": [
+ {
+ "action": "accept",
+ "src": ["group:admin"],
+ "dst": [
+ "tag:dev:*",
+ "tag:private:*",
+ "tag:prod:*"
+ ]
+ }
+ ]
+}
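Review bot: Nothing in this diff installs the new `acl.json` at the `/etc/headscale/acl.json` path the template hunk below now references, while the old `acl.yml` is deleted outright; unless a copy task exists outside this diff, headscale will start against a missing policy file, so confirm the deploy step before merging. The single rule grants `group:admin` every port on every tagged node (`tag:*:*`) and, under Tailscale's default-deny semantics, leaves tagged nodes unable to reach each other or the admin's devices, which looks intentional but is undocumented; since headscale reads HUJSON, a comment such as `// admins reach all tagged nodes on any port; tagged nodes have no peer access by default` in the `acls` block would record that. The group member changed from `lizzy` to `elizabeth.hunt`, which presumably has to match the headscale user name produced by the OIDC login (with `strip_email_domain` in play) — worth verifying against an actual login rather than the identity provider's display name.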
diff --git a/roles/vpn/files/config/acl.yml b/roles/vpn/files/config/acl.yml
deleted file mode 100644
index c00cf48..0000000
--- a/roles/vpn/files/config/acl.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-groups:
- admin:
- - "lizzy"
diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 60963f1..b1b5009 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -26,7 +26,7 @@
- name: build headscale config template
template:
src: ../templates/config.yml.j2
- dest: /etc/docker/compose/headscale/config.yml
+ dest: /etc/docker/compose/headscale/config/config.yml
owner: root
group: root
mode: u=rw,g=r,o=r
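Review bot: The `template` module does not create missing parent directories, so the new `dest` under `.../headscale/config/` fails on a fresh host unless `config/` already exists; no task in this diff creates it, and the task list this hunk belongs to starts before the hunk, so confirm a `file` task with `state: directory` precedes this one or add one as below. Separately, `mode: u=rw,g=r,o=r` leaves the rendered config world-readable; if it carries OIDC client credentials (the template's `oidc:` section is partly visible in the next file), `mode: u=rw,g=r` would keep them from every local account on the host.
```yaml
- name: create headscale config directory
  file:
    path: /etc/docker/compose/headscale/config
    state: directory
    owner: root
    group: root
    mode: u=rwx,g=rx,o=rx
# … unchanged: build headscale config template task …
```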
diff --git a/roles/vpn/templates/config.yml.j2 b/roles/vpn/templates/config.yml.j2
index 926a84f..4f815f4 100644
--- a/roles/vpn/templates/config.yml.j2
+++ b/roles/vpn/templates/config.yml.j2
@@ -160,7 +160,7 @@ log:
# Path to a file containg ACL policies.
# ACLs can be defined as YAML or HUJSON.
# https://tailscale.com/kb/1018/acls/
-acl_policy_path: "/etc/headscale/acl.yml"
+acl_policy_path: "/etc/headscale/acl.json"
## DNS
#
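Review bot: `acl_policy_path` is a path inside the headscale container, and the repository file lives at `roles/vpn/files/config/acl.json`; the `main.yml` change in this commit moves `config.yml` into a host `config/` directory, which suggests that directory is bind-mounted as `/etc/headscale`, but neither the mount nor a task copying `acl.json` into it is visible here, so the mapping should be confirmed against the compose definition. If the mount exists, a comment next to the line, `# served from the host config/ directory bind-mounted at /etc/headscale`, would spare the next reader the same search. The comment block above still reads `containg`; `containing` is the intended word, though it is vendored upstream text.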
@@ -264,8 +264,7 @@ oidc:
# - admins
# - people
# Optional.
- allowed_users:
- - "{{ headscale_allowed_users }}"
+ allowed_users: {{ headscale_allowed_users }}
# If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
# This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
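Review bot: `allowed_users: {{ headscale_allowed_users }}` relies on Jinja's default rendering of the variable: a list renders as its Python repr (`['a', 'b']`), which YAML happens to accept as a flow sequence, but a string-valued variable yields a bare scalar where headscale expects a list, and any element containing a quote or a YAML indicator breaks the document. Rendering explicitly, `allowed_users: {{ headscale_allowed_users | to_json }}`, produces a well-formed flow sequence for any list (including `[]`) and fails loudly on a non-list. The old form only ever admitted a single user, so callers defining `headscale_allowed_users` as a scalar need to be updated to a list as part of this change.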