---
## UFW
- name: allow headscale tcp on 8080
  # Open the headscale listener in the host firewall. Presumably this port
  # matches the listen address in the templated config.yaml -- confirm when
  # changing either side.
  ufw:
    proto: tcp
    port: "8080"
    rule: allow

## INSTALL
- name: create headscale user group
  # Dedicated system group for the daemon, pinned to a fixed gid so file
  # ownership stays stable across hosts.
  ansible.builtin.group:
    state: present
    system: true
    gid: "{{ headscale_user_gid }}"
    name: "{{ headscale_user_group }}"

- name: create headscale user
  # Unprivileged service account: fixed uid, no home directory and a
  # non-interactive shell so it cannot be used for logins.
  ansible.builtin.user:
    create_home: false
    system: true
    shell: /bin/false
    group: "{{ headscale_user_group }}"
    uid: "{{ headscale_user_uid }}"
    name: "{{ headscale_user_name }}"

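- name: download headscale binary
  # Fetch the pinned release binary from GitHub. It is installed root-owned
  # and not writable by the service account: a binary the daemon itself can
  # overwrite would let a compromised process persist or escalate on the
  # next start. The mode is quoted so YAML keeps it a literal mode string
  # instead of parsing a leading-zero octal integer.
  # TODO(review): pin the artifact with get_url's `checksum:` parameter
  # (sha256 from the upstream release) so a swapped or tampered download is
  # rejected rather than installed.
  get_url:
    url: 'https://github.com/juanfont/headscale/releases/download/v{{ headscale_version }}/headscale_{{ headscale_version }}_linux_{{ headscale_arch }}'
    dest: '{{ headscale_binary_path }}'
    owner: root
    group: root
    mode: '0755'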

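- name: ensure headscale directories exist
  # Create every path listed in headscale_directories, owned by the service
  # account (presumably config/state locations the daemon writes to).
  # Mode is quoted: an unquoted leading-zero literal is parsed as a YAML
  # octal integer rather than a mode string.
  file:
    path: '{{ item }}'
    state: directory
    owner: '{{ headscale_user_name }}'
    group: '{{ headscale_user_group }}'
    mode: '0755'
  loop: '{{ headscale_directories }}'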

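- name: ensure sqlite exists
  # Make sure headscale's state database file exists with private (owner-only)
  # permissions. `touch` with preserved timestamps leaves an existing
  # database untouched, so the task stays idempotent. Mode is quoted so YAML
  # does not parse the leading-zero literal as an octal integer.
  file:
    path: '{{ headscale_var_data_dir }}/db.sqlite'
    state: touch
    owner: '{{ headscale_user_uid }}'
    group: '{{ headscale_user_gid }}'
    mode: '0600'
    modification_time: preserve
    access_time: preserve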

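- name: copy systemd unit file
  # Render the unit into /etc/systemd/system. systemd (running as root)
  # reads it, so it is owned by root and world-readable but writable only by
  # root: a unit file owned by the service account would let a compromised
  # daemon rewrite its own ExecStart/User and gain root on the next restart.
  # Mode is quoted so YAML keeps it a literal mode string.
  template:
    src: '../templates/headscale.service.j2'
    dest: '/etc/systemd/system/headscale.service'
    owner: root
    group: root
    mode: '0644'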

## CONFIG

- name: copy configuration file template
  # Render headscale's main configuration, readable only by the service
  # account.
  # NOTE(review): if the daemon only ever reads this file, owning it by root
  # with group '{{ headscale_user_group }}' and mode 0640 would stop a
  # compromised process from editing its own configuration -- confirm that
  # headscale performs no runtime writes to it.
  ansible.builtin.template:
    mode: '0600'
    group: '{{ headscale_user_gid }}'
    owner: '{{ headscale_user_uid }}'
    dest: '{{ headscale_config_dir }}/config.yaml'
    src: '../templates/config.yml.j2'

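- name: copy acl policies file
  # Install the role's ACL policy. `src` is used (not `content`): `content`
  # would write the literal path string into acl.yaml instead of the policy
  # file, leaving headscale with an unusable ACL. Mode is quoted so YAML
  # keeps it a literal mode string.
  copy:
    src: '../files/acl.yml'
    dest: '{{ headscale_config_dir }}/acl.yaml'
    owner: '{{ headscale_user_uid }}'
    group: '{{ headscale_user_gid }}'
    mode: '0600'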

## ENABLE
- name: daemon-reload and enable headscale
  # Reload unit definitions, enable the service at boot and (re)start it.
  # NOTE(review): `state: restarted` bounces headscale on every play run
  # even when nothing changed; `state: started` plus a handler notified by
  # the unit/config tasks would avoid the needless downtime -- confirm.
  ansible.builtin.systemd_service:
    name: headscale
    enabled: true
    daemon_reload: true
    state: restarted

## CREATE USER
- name: ensure predefined users exist
  # Create each entry of headscale_users through the CLI; the task reports
  # "changed" only when the CLI output confirms a user was created.
  # NOTE(review): the CLI's exit status for an already-existing user is not
  # handled here; if it is non-zero, repeated runs fail on this task --
  # confirm against the pinned headscale version.
  ansible.builtin.command:
    cmd: 'headscale users create {{ item }}'
  register: user_created
  changed_when: '"User created" in user_created.stdout'
  loop: '{{ headscale_users }}'

## ROUTES
- name: enable routes for node
  # Approve the routes in item.routes for the node item.id.
  # Assumes item.routes is already a comma-separated string; a YAML list
  # would render as a list literal inside the command -- confirm.
  # Skipped in check mode since the CLI call cannot be simulated; without a
  # changed_when it also reports "changed" on every run.
  ansible.builtin.command:
    cmd: 'headscale routes enable -i {{ item.id }} -r {{ item.routes }}'
  when: not ansible_check_mode
  loop: '{{ headscale_enable_routes }}'
  loop_control:
    label: '{{ item.comment | default(item) }}'

- name: enable exit nodes
  # Approve the IPv4 and IPv6 default routes for each node in
  # headscale_exit_nodes, making it usable as an exit node; clients that
  # select it send all their traffic through it, so keep this list tight.
  # Skipped in check mode since the CLI call cannot be simulated; without a
  # changed_when it also reports "changed" on every run.
  ansible.builtin.command:
    cmd: 'headscale routes enable -i {{ item.id }} -r 0.0.0.0/0,::/0'
  when: not ansible_check_mode
  loop: '{{ headscale_exit_nodes }}'
  loop_control:
    label: '{{ item.comment | default(item) }}'