From edf638080a2e9e584cf7a3042350d5eea1a3f65d Mon Sep 17 00:00:00 2001 From: Elizabeth Hunt Date: Wed, 3 Jan 2024 01:30:54 -0500 Subject: deploy headscale and headscale ui via docker --- roles/common/files/docker-compose@.service | 4 +- roles/common/tasks/main.yml | 6 +- roles/vpn/files/acl.yml | 1 - roles/vpn/files/config/acl.yml | 1 + roles/vpn/files/config/config.yml | 327 +++++++++++++++++++++++++++++ roles/vpn/files/docker-compose.yml | 18 ++ roles/vpn/tasks/main.yml | 126 +++-------- roles/vpn/templates/config.yml.j2 | 327 ----------------------------- roles/vpn/templates/headscale.service.j2 | 26 --- roles/webservers/tasks/main.yml | 3 + 10 files changed, 383 insertions(+), 456 deletions(-) delete mode 100644 roles/vpn/files/acl.yml create mode 100644 roles/vpn/files/config/acl.yml create mode 100644 roles/vpn/files/config/config.yml create mode 100644 roles/vpn/files/docker-compose.yml delete mode 100644 roles/vpn/templates/config.yml.j2 delete mode 100644 roles/vpn/templates/headscale.service.j2 diff --git a/roles/common/files/docker-compose@.service b/roles/common/files/docker-compose@.service index 05ed468..a0182d4 100644 --- a/roles/common/files/docker-compose@.service +++ b/roles/common/files/docker-compose@.service @@ -7,8 +7,8 @@ After=docker.service Type=oneshot RemainAfterExit=true WorkingDirectory=/etc/docker/compose/%i -ExecStart=/usr/bin/docker-compose up -d --remove-orphans -ExecStop=/usr/bin/docker-compose down +ExecStart=/usr/bin/docker compose up -d --remove-orphans +ExecStop=/usr/bin/docker compose down [Install] WantedBy=multi-user.target diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 69e9c90..80aad48 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -32,7 +32,11 @@ update_cache: yes - name: enable docker - service: name=docker state=restarted enabled=yes + ansible.builtin.systemd_service: + name: docker + state: restarted + enabled: true + daemon_reload: true - name: copy docker-compose@.service copy: diff --git a/roles/vpn/files/acl.yml b/roles/vpn/files/acl.yml deleted file mode 100644 index ed97d53..0000000 --- a/roles/vpn/files/acl.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/vpn/files/config/acl.yml b/roles/vpn/files/config/acl.yml new file mode 100644 index 0000000..ed97d53 --- /dev/null +++ b/roles/vpn/files/config/acl.yml @@ -0,0 +1 @@ +--- diff --git a/roles/vpn/files/config/config.yml b/roles/vpn/files/config/config.yml new file mode 100644 index 0000000..17ab98b --- /dev/null +++ b/roles/vpn/files/config/config.yml @@ -0,0 +1,327 @@ +--- +# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order: +# +# - `/etc/headscale` +# - `~/.headscale` +# - current working directory + +# The url clients will connect to. +# Typically this will be a domain like: +# +# https://myheadscale.example.com:443 +# +server_url: https://headscale.simponic.xyz:443 + +# Address to listen to / bind to on the server +# +# For production: +# listen_addr: 0.0.0.0:8080 +listen_addr: 0.0.0.0:8080 + +# Address to listen to /metrics, you may want +# to keep this endpoint private to your internal +# network +# +metrics_listen_addr: 127.0.0.1:9090 + +# Address to listen for gRPC. +# gRPC is used for controlling a headscale server +# remotely with the CLI +# Note: Remote access _only_ works if you have +# valid certificates. +# +# For production: +# grpc_listen_addr: 0.0.0.0:50443 +grpc_listen_addr: 127.0.0.1:50443 + +# Allow the gRPC admin interface to run in INSECURE +# mode. This is not recommended as the traffic will +# be unencrypted. Only enable if you know what you +# are doing. +grpc_allow_insecure: false + +# The Noise section includes specific configuration for the +# TS2021 Noise protocol +noise: + # The Noise private key is used to encrypt the + # traffic between headscale and Tailscale clients when + # using the new Noise-based protocol. + private_key_path: /var/lib/headscale/noise_private.key + +private_key_path: /var/lib/headscale/private.key + +# List of IP prefixes to allocate tailaddresses from. +# Each prefix consists of either an IPv4 or IPv6 address, +# and the associated prefix length, delimited by a slash. +# It must be within IP ranges supported by the Tailscale +# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48. +# See below: +# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71 +# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33 +# Any other range is NOT supported, and it will cause unexpected issues. +ip_prefixes: + - fd7a:115c:a1e0::/48 + - 100.64.0.0/10 + +# DERP is a relay system that Tailscale uses when a direct +# connection cannot be established. +# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp +# +# headscale needs a list of DERP servers that can be presented +# to the clients. +derp: + server: + # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config + # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place + enabled: false + + # Region ID to use for the embedded DERP server. + # The local DERP prevails if the region ID collides with other region ID coming from + # the regular DERP config. + region_id: 999 + + # Region code and name are displayed in the Tailscale UI to identify a DERP region + region_code: "headscale" + region_name: "Headscale Embedded DERP" + + # Listens over UDP at the configured address for STUN connections - to help with NAT traversal. + # When the embedded DERP server is enabled stun_listen_addr MUST be defined. + # + # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/ + stun_listen_addr: "0.0.0.0:3478" + + # Private key used to encrypt the traffic between headscale DERP + # and Tailscale clients. + # The private key file will be autogenerated if it's missing. + # + private_key_path: /var/lib/headscale/derp_server_private.key + + # List of externally available DERP maps encoded in JSON + urls: + - https://controlplane.tailscale.com/derpmap/default + + # Locally available DERP map files encoded in YAML + # + # This option is mostly interesting for people hosting + # their own DERP servers: + # https://tailscale.com/kb/1118/custom-derp-servers/ + # + # paths: + # - /etc/headscale/derp-example.yaml + paths: [] + + # If enabled, a worker will be set up to periodically + # refresh the given sources and update the derpmap + # will be set up. + auto_update_enabled: true + + # How often should we check for DERP updates? + update_frequency: 24h + +# Disables the automatic check for headscale updates on startup +disable_check_updates: false + +# Time before an inactive ephemeral node is deleted? +ephemeral_node_inactivity_timeout: 30m + +# Period to check for node updates within the tailnet. A value too low will severely affect +# CPU consumption of Headscale. A value too high (over 60s) will cause problems +# for the nodes, as they won't get updates or keep alive messages frequently enough. +# In case of doubts, do not touch the default 10s. +node_update_check_interval: 10s + +# SQLite config +db_type: sqlite3 + +# For production: +db_path: /var/lib/headscale/db.sqlite + +# # Postgres config +# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank. +# db_type: postgres +# db_host: localhost +# db_port: 5432 +# db_name: headscale +# db_user: foo +# db_pass: bar + +# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need +# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1. +# db_ssl: false + +### TLS configuration +# +## Let's encrypt / ACME +# +# headscale supports automatically requesting and setting up +# TLS for a domain with Let's Encrypt. +# +# URL to ACME directory +acme_url: https://acme-v02.api.letsencrypt.org/directory + +# Email to register with ACME provider +acme_email: "elizabeth.hunt@simponic.xyz" + +# Domain name to request a TLS certificate for: +tls_letsencrypt_hostname: "headscale.simponic.xyz" + +# Path to store certificates and metadata needed by +# letsencrypt +# For production: +tls_letsencrypt_cache_dir: /var/lib/headscale/cache + +# Type of ACME challenge to use, currently supported types: +# HTTP-01 or TLS-ALPN-01 +# See [docs/tls.md](docs/tls.md) for more information +tls_letsencrypt_challenge_type: HTTP-01 +# When HTTP-01 challenge is chosen, letsencrypt must set up a +# verification endpoint, and it will be listening on: +# :http = port 80 +tls_letsencrypt_listen: ":http" + +## Use already defined certificates: +tls_cert_path: "" +tls_key_path: "" + +log: + # Output formatting for logs: text or json + format: text + level: info + +# Path to a file containg ACL policies. +# ACLs can be defined as YAML or HUJSON. +# https://tailscale.com/kb/1018/acls/ +acl_policy_path: "" + +## DNS +# +# headscale supports Tailscale's DNS configuration and MagicDNS. +# Please have a look to their KB to better understand the concepts: +# +# - https://tailscale.com/kb/1054/dns/ +# - https://tailscale.com/kb/1081/magicdns/ +# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/ +# +dns_config: + # Whether to prefer using Headscale provided DNS or use local. + override_local_dns: true + + # List of DNS servers to expose to clients. + nameservers: + - 1.1.1.1 + + # NextDNS (see https://tailscale.com/kb/1218/nextdns/). + # "abc123" is example NextDNS ID, replace with yours. + # + # With metadata sharing: + # nameservers: + # - https://dns.nextdns.io/abc123 + # + # Without metadata sharing: + # nameservers: + # - 2a07:a8c0::ab:c123 + # - 2a07:a8c1::ab:c123 + + # Split DNS (see https://tailscale.com/kb/1054/dns/), + # list of search domains and the DNS to query for each one. + # + # restricted_nameservers: + # foo.bar.com: + # - 1.1.1.1 + # darp.headscale.net: + # - 1.1.1.1 + # - 8.8.8.8 + + # Search domains to inject. + domains: ['simponic.xyz'] + + # Extra DNS records + # so far only A-records are supported (on the tailscale side) + # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations + # extra_records: + # - name: "grafana.myvpn.example.com" + # type: "A" + # value: "100.64.0.3" + # + # # you can also put it in one line + # - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" } + + # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/). + # Only works if there is at least a nameserver defined. + magic_dns: true + + # Defines the base domain to create the hostnames for MagicDNS. + # `base_domain` must be a FQDNs, without the trailing dot. + # The FQDN of the hosts will be + # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_). + base_domain: headscale.simponic.xyz + +# Unix socket used for the CLI to connect without authentication +# Note: for production you will want to set this to something like: +unix_socket: /var/run/headscale/headscale.sock +unix_socket_permission: "0770" +# +# headscale supports experimental OpenID connect support, +# it is still being tested and might have some bugs, please +# help us test it. +# OpenID Connect +# oidc: +# only_start_if_oidc_is_available: true +# issuer: "https://your-oidc.issuer.com/path" +# client_id: "your-oidc-client-id" +# client_secret: "your-oidc-client-secret" +# # Alternatively, set `client_secret_path` to read the secret from the file. +# # It resolves environment variables, making integration to systemd's +# # `LoadCredential` straightforward: +# client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret" +# # client_secret and client_secret_path are mutually exclusive. +# +# # The amount of time from a node is authenticated with OpenID until it +# # expires and needs to reauthenticate. +# # Setting the value to "0" will mean no expiry. +# expiry: 180d +# +# # Use the expiry from the token received from OpenID when the user logged +# # in, this will typically lead to frequent need to reauthenticate and should +# # only been enabled if you know what you are doing. +# # Note: enabling this will cause `oidc.expiry` to be ignored. +# use_expiry_from_token: false +# +# # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query +# # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email". +# +# scope: ["openid", "profile", "email", "custom"] +# extra_params: +# domain_hint: example.com +# +# # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the +# # authentication request will be rejected. +# +# allowed_domains: +# - example.com +# # Note: Groups from keycloak have a leading '/' +# allowed_groups: +# - /headscale +# allowed_users: +# - alice@example.com +# +# # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed. +# # This will transform `first-name.last-name@example.com` to the user `first-name.last-name` +# # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following +# user: `first-name.last-name.example.com` +# +# strip_email_domain: true + +# Logtail configuration +# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel +# to instruct tailscale nodes to log their activity to a remote server. +logtail: + # Enable logtail for this headscales clients. + # As there is currently no support for overriding the log server in headscale, this is + # disabled by default. Enabling this will make your clients send logs to Tailscale Inc. + enabled: false + +# Enabling this option makes devices prefer a random port for WireGuard traffic over the +# default static port 41641. This option is intended as a workaround for some buggy +# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information. +randomize_client_port: false diff --git a/roles/vpn/files/docker-compose.yml b/roles/vpn/files/docker-compose.yml new file mode 100644 index 0000000..dc5e961 --- /dev/null +++ b/roles/vpn/files/docker-compose.yml @@ -0,0 +1,18 @@ +version: '3.5' +services: + headscale: + image: headscale/headscale:latest + container_name: headscale + volumes: + - ./config:/etc/headscale + - ./data:/var/lib/headscale + ports: + - 27896:8080 + command: headscale serve + restart: unless-stopped + headscale-ui: + image: ghcr.io/gurucomputing/headscale-ui:latest + restart: unless-stopped + container_name: headscale-ui + ports: + - 9443:443 diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 22ca2f8..4f6bcca 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -1,110 +1,38 @@ --- -## UFW -- name: allow headscale tcp on 8080 - ufw: - rule: allow - port: '8080' - proto: tcp - -## INSTALL -- name: create headscale user group - group: - name: '{{ headscale_user_group }}' - gid: '{{ headscale_user_gid }}' - system: true - state: present - -- name: create headscale user - user: - name: '{{ headscale_user_name }}' - uid: '{{ headscale_user_uid }}' - group: '{{ headscale_user_group }}' - shell: /bin/false - system: true - create_home: false - -- name: download headscale binary - get_url: - url: 'https://github.com/juanfont/headscale/releases/download/v{{ headscale_version }}/headscale_{{ headscale_version }}_linux_{{ headscale_arch }}' - dest: '{{ headscale_binary_path }}' - owner: '{{ headscale_user_uid }}' - group: '{{ headscale_user_gid }}' - mode: 0770 - -- name: ensure headscale directories exist +- name: ensure headscale docker/compose exist file: - path: '{{ item }}' + path: /etc/docker/compose/headscale state: directory - owner: '{{ headscale_user_name }}' - group: '{{ headscale_user_group }}' - mode: 0755 - loop: '{{ headscale_directories }}' - -- name: ensure sqlite exists - file: - path: '{{ headscale_var_data_dir }}/db.sqlite' - state: touch - owner: '{{ headscale_user_uid }}' - group: '{{ headscale_user_gid }}' - mode: 0600 - modification_time: preserve - access_time: preserve - -- name: copy systemd unit file - template: - src: '../templates/headscale.service.j2' - dest: '/etc/systemd/system/headscale.service' - owner: '{{ headscale_user_uid }}' - group: '{{ headscale_user_gid }}' - mode: 0600 - -## CONFIG + owner: root + group: root + mode: 0700 -- name: copy configuration file template - template: - src: "../templates/config.yml.j2" - dest: "{{ headscale_config_dir }}/config.yaml" - owner: "{{ headscale_user_uid }}" - group: "{{ headscale_user_gid }}" - mode: "0600" +- name: copy headscale docker-compose.yml + copy: + src: ../files/docker-compose.yml + dest: /etc/docker/compose/headscale/docker-compose.yml + owner: root + group: root + mode: u=rw,g=r,o=r -- name: copy acl policies file +- name: copy headscale config volume copy: - content: '../files/acl.yml' - dest: '{{ headscale_config_dir }}/acl.yaml' - owner: '{{ headscale_user_uid }}' - group: '{{ headscale_user_gid }}' - mode: 0600 + src: ../files/config + dest: /etc/docker/compose/headscale/ + owner: root + group: root + mode: u=rw,g=r,o=r + +- name: ensure headscale data volume exist + file: + path: /etc/docker/compose/headscale/data + state: directory + owner: root + group: root + mode: 0700 -## ENABLE - name: daemon-reload and enable headscale ansible.builtin.systemd_service: state: restarted - daemon_reload: true enabled: true - name: headscale - -## CREATE USER -- name: ensure predefined users exist - command: - cmd: 'headscale users create {{ item }}' - loop: '{{ headscale_users }}' - register: user_created - changed_when: '"User created" in user_created.stdout' - -## ROUTES -- name: enable routes for node - command: - cmd: 'headscale routes enable -i {{ item.id }} -r {{ item.routes }}' - loop: '{{ headscale_enable_routes }}' - loop_control: - label: '{{ item.comment | default(item) }}' - when: not ansible_check_mode - -- name: enable exit nodes - command: - cmd: 'headscale routes enable -i {{ item.id }} -r 0.0.0.0/0,::/0' - loop: '{{ headscale_exit_nodes }}' - loop_control: - label: '{{ item.comment | default(item) }}' - when: not ansible_check_mode + name: docker-compose@headscale diff --git a/roles/vpn/templates/config.yml.j2 b/roles/vpn/templates/config.yml.j2 deleted file mode 100644 index 73b2c40..0000000 --- a/roles/vpn/templates/config.yml.j2 +++ /dev/null @@ -1,327 +0,0 @@ ---- -# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order: -# -# - `/etc/headscale` -# - `~/.headscale` -# - current working directory - -# The url clients will connect to. -# Typically this will be a domain like: -# -# https://myheadscale.example.com:443 -# -server_url: https://headscale.simponic.xyz:443 - -# Address to listen to / bind to on the server -# -# For production: -# listen_addr: 0.0.0.0:8080 -listen_addr: 0.0.0.0:443 - -# Address to listen to /metrics, you may want -# to keep this endpoint private to your internal -# network -# -metrics_listen_addr: 127.0.0.1:9090 - -# Address to listen for gRPC. -# gRPC is used for controlling a headscale server -# remotely with the CLI -# Note: Remote access _only_ works if you have -# valid certificates. -# -# For production: -# grpc_listen_addr: 0.0.0.0:50443 -grpc_listen_addr: 127.0.0.1:50443 - -# Allow the gRPC admin interface to run in INSECURE -# mode. This is not recommended as the traffic will -# be unencrypted. Only enable if you know what you -# are doing. -grpc_allow_insecure: false - -# The Noise section includes specific configuration for the -# TS2021 Noise protocol -noise: - # The Noise private key is used to encrypt the - # traffic between headscale and Tailscale clients when - # using the new Noise-based protocol. - private_key_path: /var/lib/headscale/noise_private.key - -private_key_path: /var/lib/headscale/private.key - -# List of IP prefixes to allocate tailaddresses from. -# Each prefix consists of either an IPv4 or IPv6 address, -# and the associated prefix length, delimited by a slash. -# It must be within IP ranges supported by the Tailscale -# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48. -# See below: -# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71 -# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33 -# Any other range is NOT supported, and it will cause unexpected issues. -ip_prefixes: - - fd7a:115c:a1e0::/48 - - 100.64.0.0/10 - -# DERP is a relay system that Tailscale uses when a direct -# connection cannot be established. -# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp -# -# headscale needs a list of DERP servers that can be presented -# to the clients. -derp: - server: - # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config - # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place - enabled: false - - # Region ID to use for the embedded DERP server. - # The local DERP prevails if the region ID collides with other region ID coming from - # the regular DERP config. - region_id: 999 - - # Region code and name are displayed in the Tailscale UI to identify a DERP region - region_code: "headscale" - region_name: "Headscale Embedded DERP" - - # Listens over UDP at the configured address for STUN connections - to help with NAT traversal. - # When the embedded DERP server is enabled stun_listen_addr MUST be defined. - # - # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/ - stun_listen_addr: "0.0.0.0:3478" - - # Private key used to encrypt the traffic between headscale DERP - # and Tailscale clients. - # The private key file will be autogenerated if it's missing. - # - private_key_path: /var/lib/headscale/derp_server_private.key - - # List of externally available DERP maps encoded in JSON - urls: - - https://controlplane.tailscale.com/derpmap/default - - # Locally available DERP map files encoded in YAML - # - # This option is mostly interesting for people hosting - # their own DERP servers: - # https://tailscale.com/kb/1118/custom-derp-servers/ - # - # paths: - # - /etc/headscale/derp-example.yaml - paths: [] - - # If enabled, a worker will be set up to periodically - # refresh the given sources and update the derpmap - # will be set up. - auto_update_enabled: true - - # How often should we check for DERP updates? - update_frequency: 24h - -# Disables the automatic check for headscale updates on startup -disable_check_updates: false - -# Time before an inactive ephemeral node is deleted? -ephemeral_node_inactivity_timeout: 30m - -# Period to check for node updates within the tailnet. A value too low will severely affect -# CPU consumption of Headscale. A value too high (over 60s) will cause problems -# for the nodes, as they won't get updates or keep alive messages frequently enough. -# In case of doubts, do not touch the default 10s. -node_update_check_interval: 10s - -# SQLite config -db_type: sqlite3 - -# For production: -db_path: /var/lib/headscale/db.sqlite - -# # Postgres config -# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank. -# db_type: postgres -# db_host: localhost -# db_port: 5432 -# db_name: headscale -# db_user: foo -# db_pass: bar - -# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need -# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1. -# db_ssl: false - -### TLS configuration -# -## Let's encrypt / ACME -# -# headscale supports automatically requesting and setting up -# TLS for a domain with Let's Encrypt. -# -# URL to ACME directory -acme_url: https://acme-v02.api.letsencrypt.org/directory - -# Email to register with ACME provider -acme_email: "elizabeth.hunt@simponic.xyz" - -# Domain name to request a TLS certificate for: -tls_letsencrypt_hostname: "headscale.simponic.xyz" - -# Path to store certificates and metadata needed by -# letsencrypt -# For production: -tls_letsencrypt_cache_dir: /var/lib/headscale/cache - -# Type of ACME challenge to use, currently supported types: -# HTTP-01 or TLS-ALPN-01 -# See [docs/tls.md](docs/tls.md) for more information -tls_letsencrypt_challenge_type: HTTP-01 -# When HTTP-01 challenge is chosen, letsencrypt must set up a -# verification endpoint, and it will be listening on: -# :http = port 80 -tls_letsencrypt_listen: ":http" - -## Use already defined certificates: -tls_cert_path: "" -tls_key_path: "" - -log: - # Output formatting for logs: text or json - format: text - level: info - -# Path to a file containg ACL policies. -# ACLs can be defined as YAML or HUJSON. -# https://tailscale.com/kb/1018/acls/ -acl_policy_path: "" - -## DNS -# -# headscale supports Tailscale's DNS configuration and MagicDNS. -# Please have a look to their KB to better understand the concepts: -# -# - https://tailscale.com/kb/1054/dns/ -# - https://tailscale.com/kb/1081/magicdns/ -# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/ -# -dns_config: - # Whether to prefer using Headscale provided DNS or use local. - override_local_dns: true - - # List of DNS servers to expose to clients. - nameservers: - - 1.1.1.1 - - # NextDNS (see https://tailscale.com/kb/1218/nextdns/). - # "abc123" is example NextDNS ID, replace with yours. - # - # With metadata sharing: - # nameservers: - # - https://dns.nextdns.io/abc123 - # - # Without metadata sharing: - # nameservers: - # - 2a07:a8c0::ab:c123 - # - 2a07:a8c1::ab:c123 - - # Split DNS (see https://tailscale.com/kb/1054/dns/), - # list of search domains and the DNS to query for each one. - # - # restricted_nameservers: - # foo.bar.com: - # - 1.1.1.1 - # darp.headscale.net: - # - 1.1.1.1 - # - 8.8.8.8 - - # Search domains to inject. - domains: ['simponic.xyz'] - - # Extra DNS records - # so far only A-records are supported (on the tailscale side) - # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations - # extra_records: - # - name: "grafana.myvpn.example.com" - # type: "A" - # value: "100.64.0.3" - # - # # you can also put it in one line - # - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" } - - # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/). - # Only works if there is at least a nameserver defined. - magic_dns: true - - # Defines the base domain to create the hostnames for MagicDNS. - # `base_domain` must be a FQDNs, without the trailing dot. - # The FQDN of the hosts will be - # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_). - base_domain: headscale.simponic.xyz - -# Unix socket used for the CLI to connect without authentication -# Note: for production you will want to set this to something like: -unix_socket: /var/run/headscale/headscale.sock -unix_socket_permission: "0770" -# -# headscale supports experimental OpenID connect support, -# it is still being tested and might have some bugs, please -# help us test it. -# OpenID Connect -# oidc: -# only_start_if_oidc_is_available: true -# issuer: "https://your-oidc.issuer.com/path" -# client_id: "your-oidc-client-id" -# client_secret: "your-oidc-client-secret" -# # Alternatively, set `client_secret_path` to read the secret from the file. -# # It resolves environment variables, making integration to systemd's -# # `LoadCredential` straightforward: -# client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret" -# # client_secret and client_secret_path are mutually exclusive. -# -# # The amount of time from a node is authenticated with OpenID until it -# # expires and needs to reauthenticate. -# # Setting the value to "0" will mean no expiry. -# expiry: 180d -# -# # Use the expiry from the token received from OpenID when the user logged -# # in, this will typically lead to frequent need to reauthenticate and should -# # only been enabled if you know what you are doing. -# # Note: enabling this will cause `oidc.expiry` to be ignored. -# use_expiry_from_token: false -# -# # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query -# # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email". -# -# scope: ["openid", "profile", "email", "custom"] -# extra_params: -# domain_hint: example.com -# -# # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the -# # authentication request will be rejected. -# -# allowed_domains: -# - example.com -# # Note: Groups from keycloak have a leading '/' -# allowed_groups: -# - /headscale -# allowed_users: -# - alice@example.com -# -# # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed. -# # This will transform `first-name.last-name@example.com` to the user `first-name.last-name` -# # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following -# user: `first-name.last-name.example.com` -# -# strip_email_domain: true - -# Logtail configuration -# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel -# to instruct tailscale nodes to log their activity to a remote server. -logtail: - # Enable logtail for this headscales clients. - # As there is currently no support for overriding the log server in headscale, this is - # disabled by default. Enabling this will make your clients send logs to Tailscale Inc. - enabled: false - -# Enabling this option makes devices prefer a random port for WireGuard traffic over the -# default static port 41641. This option is intended as a workaround for some buggy -# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information. -randomize_client_port: false diff --git a/roles/vpn/templates/headscale.service.j2 b/roles/vpn/templates/headscale.service.j2 deleted file mode 100644 index 46267f0..0000000 --- a/roles/vpn/templates/headscale.service.j2 +++ /dev/null @@ -1,26 +0,0 @@ -[Unit] -Description=headscale coordination server -After=syslog.target -After=network.target - -[Service] -Type=simple -Environment=GIN_MODE=release -User={{ headscale_user_name }} -Group={{ headscale_user_group }} -ExecStart={{ headscale_binary_path }} serve -ExecReload=kill -HUP $MAINPID -Restart=always -RestartSec=5 - -# Optional security enhancements -NoNewPrivileges=yes -PrivateTmp=yes -ProtectSystem=strict -ProtectHome=yes -ReadWritePaths={{ headscale_var_data_dir }} {{ headscale_pid_dir }} -AmbientCapabilities=CAP_NET_BIND_SERVICE -RuntimeDirectory={{ headscale_user_name }} - -[Install] -WantedBy=multi-user.target diff --git a/roles/webservers/tasks/main.yml b/roles/webservers/tasks/main.yml index 7d411fe..680b050 100644 --- a/roles/webservers/tasks/main.yml +++ b/roles/webservers/tasks/main.yml @@ -13,3 +13,6 @@ - name: restart ufw service: name=ufw state=restarted enabled=yes + +- name: install nginx + apt: name=nginx status=latest -- cgit v1.2.3-70-g09d2