---
# Service account for headscale. The group is created before the user so the
# user task can reference it as its primary group.
- name: Create headscale group
  ansible.builtin.group:
    state: present
    name: "{{ headscale.group }}"
- name: Create headscale user
  ansible.builtin.user:
    name: "{{ headscale.user.name }}"
    system: "{{ headscale.user.system }}"
    comment: "{{ headscale.user.comment }}"
    shell: "{{ headscale.user.shell }}"
    create_home: "{{ headscale.user.create_home }}"
    # Primary group is the one created above; supplementary groups and the
    # append/replace behaviour both come from the role vars.
    group: "{{ headscale.group }}"
    groups: "{{ headscale.user.groups }}"
    append: "{{ headscale.user.groups_append }}"
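- name: Create folder structure
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: "{{ headscale.user.name }}"
    group: "{{ headscale.group }}"
    # Quoted so the octal mode survives any YAML loader: an unquoted 0700 is
    # parsed as an integer and only happens to work because of the leading zero.
    mode: "0700"
  # NOTE(review): these literal paths must match headscale.homedir, .rundir and
  # .etcdir, which the container task below bind-mounts — confirm they stay in
  # sync. /run is normally volatile, so /run/headscale may be absent after a
  # reboot until this play runs again.
  loop:
    - /var/lib/headscale
    - /run/headscale
    - /etc/headscale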
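- name: Install headscale config
  ansible.builtin.template:
    src: config.yaml.j2
    dest: /etc/headscale/config.yaml
    owner: "{{ headscale.user.name }}"
    group: "{{ headscale.group }}"
    # Explicit mode instead of the remote umask default. The parent directory
    # is already 0700 for the same owner, so this does not change who can reach
    # the file; it only keeps the file from becoming world-readable if the
    # directory mode is ever relaxed.
    mode: "0600"
  # NOTE(review): a change to this file does not trigger "Run headscale
  # container" — that task's `when` only looks at the caddy-related results.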
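- name: Create a state folder for Caddy
  ansible.builtin.file:
    path: "{{ caddy.home }}"
    state: directory
    # Quoted octal; see the headscale folder task for why.
    mode: "0700"
  # NOTE(review): no owner/group is set, so the directory belongs to the
  # connecting (privileged) user. Confirm that matches the account caddy-hs
  # runs as in caddy-hs.service.j2 — Caddy keeps its certificate storage under
  # this path (see the fetch task below).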
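- name: Install Caddyfile
  ansible.builtin.template:
    src: Caddyfile.j2
    dest: "{{ caddy.home }}/Caddyfile"
    owner: root
    group: root
    # Quoted octal so the mode is not subject to YAML integer parsing.
    mode: "0600"
    # multiple validate subcommands is not-a-feature atm...
    # https://github.com/ansible/ansible/issues/72561
    #
    # caddy inline config validation:
    # https://github.com/caddyserver/caddy/issues/3897
    #
    # Folded into one line: bash receives the temporary file path as $1 through
    # the trailing "%s" placeholder. This needs a `caddy` binary on the remote
    # host's PATH; nothing in this task file installs one (the xcaddy build
    # steps below are commented out and would produce /usr/bin/nucaddy).
    validate: >-
      bash -c
      'caddy fmt "$1"
      && caddy validate --adapter caddyfile --config "$1"'
      - "%s"
  # Hand a changed Caddyfile to the Restart caddy-hs handler. Previously a
  # rewritten Caddyfile never restarted the service: the enable/start task
  # only notifies when it changes itself, i.e. on the first run.
  notify: Restart caddy-hs
  register: caddyfile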
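- name: Enable services in the firewall
  ansible.posix.firewalld:
    zone: "{{ firewalld_default_zone }}"
    service: "{{ item }}"
    permanent: true
    immediate: true
    state: enabled
  # `loop` is the current idiom; with_items additionally flattened one level,
  # which makes no difference for this literal list of strings.
  loop:
    - http
    - https
  when: firewalld_configure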
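- name: Expose gRPC
  ansible.posix.firewalld:
    # Pinned to the same zone as the http/https rule above. Without it the
    # port is opened in firewalld's own default zone, which can differ from
    # firewalld_default_zone and leave gRPC unreachable or exposed elsewhere.
    zone: "{{ firewalld_default_zone }}"
    port: "50443/tcp"
    permanent: true
    immediate: true
    state: enabled
  when: firewalld_configure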
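# - name: Install xcaddy
#   ansible.builtin.command:
#     cmd: >
#       go install -v
#       github.com/caddyserver/xcaddy/cmd/xcaddy@{{ caddy.xcaddy_version }}
#     creates: /root/go/bin/xcaddy
#   environment:
#     GOPATH: /usr/bin
#
# - name: Symlink xcaddy to /bin
#   ansible.builtin.file:
#     src: /root/go/bin/xcaddy
#     dest: /usr/bin/xcaddy
#     state: link
#
# - name: Build Caddy + njalla plugin
#   ansible.builtin.command:
#     cmd: >
#       xcaddy build
#       --with github.com/caddy-dns/njalla
#       --output /usr/bin/nucaddy
#     creates: /usr/bin/nucaddy
#   environment:
#     GOPATH: /usr/bin
#     XCADDY_GO_BUILD_FLAGS: "-ldflags '-w s'"
#     XCADDY_SKIP_CLEANUP: 1

- name: Install caddy-hs systemd service
  ansible.builtin.template:
    src: caddy-hs.service.j2
    dest: /etc/systemd/system/caddy-hs.service
    owner: root
    group: root
    # Conventional mode for a unit file, pinned instead of relying on the
    # remote umask.
    mode: "0644"
  # The next task performs the daemon-reload; the handler restarts the service
  # so a rewritten unit is actually applied on later runs, not just the first.
  notify: Restart caddy-hs
  register: caddysystemd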
- name: Enable + start caddy-hs systemd service
  ansible.builtin.systemd:
    name: caddy-hs
    daemon_reload: true
    enabled: true
    state: started
  # Only fires when this task itself reports a change (typically the first
  # enable/start); it does not react to unit-file rewrites.
  notify: Restart caddy-hs
- name: Fetch crt,key
  ansible.builtin.fetch:
    # Caddy's certificate storage under caddy.home:
    # .local/share/caddy/certificates/<acme url>/<domain>/<domain>.{crt,key}
    src: "{{ caddy.home }}/.local/share/caddy/certificates/{{ caddy.acme_url }}/{{ headscale.dns.base_domain }}/{{ headscale.dns.base_domain}}.{{ item }}"
    # Controller-side directory; fetch nests the remote path beneath it.
    dest: "/tmp/.{{ headscale.dns.base_domain }}-certs"
  loop:
    - crt
    - key
  register: fetchcrt
  # NOTE(review): this runs immediately after the service is first started —
  # confirm the certificate already exists at that point, since fetch fails on
  # a missing src by default. The private key also lands in the controller's
  # shared /tmp; a controller-private directory would be safer.
  when: caddyfile.changed or caddysystemd.changed
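- name: Copy to altcrtpath
  ansible.builtin.copy:
    # NOTE(review): fetch stores files under <dest>/<inventory hostname>/...;
    # this path uses ansible_host instead, so it only resolves when the two are
    # identical — confirm against the inventory.
    src: "/tmp/.{{ headscale.dns.base_domain }}-certs/{{ ansible_host }}{{ caddy.home }}/.local/share/caddy/certificates/{{ caddy.acme_url }}/{{ headscale.dns.base_domain }}/{{ headscale.dns.base_domain}}.{{ item }}"
    dest: "{{ headscale.altcrtpath }}/"
    # The loop includes the private key, so the mode is pinned rather than left
    # to the remote umask. The container mounts this directory read-only and —
    # presumably rootful, since this play needs root — reads it as root; relax
    # this if the container is ever switched to a non-root user.
    mode: "0600"
  loop:
    - crt
    - key
  when: fetchcrt.changed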
- name: Run headscale container
  containers.podman.podman_container:
    name: headscale
    image: "docker.io/headscale/headscale:{{ headscale.version }}"
    command: headscale serve
    state: started
    # Forces re-creation of an existing container whenever the task runs.
    recreate: true
    restart_policy: always
    ports: "{{ headscale.ports }}"
    cap_add: "{{ headscale.cap_add }}"
    # :Z relabels each host path for SELinux. The certificate path is mounted
    # read-only; it is populated by the copy task above.
    volume:
      - "{{ headscale.homedir }}:/var/lib/headscale:Z"
      - "{{ headscale.rundir }}:/var/run/headscale:Z"
      - "{{ headscale.etcdir }}:/etc/headscale:Z"
      - "{{ headscale.altcrtpath }}:{{ headscale.le.certsroot }}:Z,ro"
  # NOTE(review): crtpath is not referenced by any key in this task and looks
  # like a leftover. Note also that a changed config.yaml is not among the
  # triggers below; only caddy and certificate results are.
  vars:
    crtpath: "{{ headscale.altcrtpath }}/{{ headscale.dns.base_domain }}"
  when: caddyfile.changed or caddysystemd.changed or fetchcrt.changed
- name: Run headscale-ui container
  containers.podman.podman_container:
    name: headscale-ui
    image: "ghcr.io/gurucomputing/headscale-ui:{{ headscale.ui.version }}"
    state: started
    recreate: true
    restart_policy: always
    ports: "{{ headscale.ui.ports }}"
  # Same trigger set as the headscale container above.
  when: caddyfile.changed or caddysystemd.changed or fetchcrt.changed
...