diff --git a/playbooks/services.yml b/playbooks/services.yml index d973017..22dabd7 100644 --- a/playbooks/services.yml +++ b/playbooks/services.yml @@ -47,34 +47,6 @@ - role: sr2c.core.node_exporter tags: prometheus -- name: Deploy and update Headscale server - hosts: - - headscale - roles: - - role: sr2c.core.baseline - vars: - baseline_epel_packages_allowed: - - certbot - - python3-certbot - - python3-pyrfc3339 - - python3-parsedatetime - - python3-josepy - - python3-importlib-metadata - - python3-configargparse - - python3-acme - - python3-zipp - - python3-pyOpenSSL - - node-exporter - tags: bootstrap - - role: freeipa.ansible_freeipa.ipaclient - become: true - state: present - tags: bootstrap - - role: sr2c.core.node_exporter - tags: prometheus - - role: sr2c.core.podman_headscale - tags: headscale - - name: Deploy and update the Prometheus server hosts: - prometheus diff --git a/roles/baseline/defaults/main.yml b/roles/baseline/defaults/main.yml index 0456b3d..60910db 100644 --- a/roles/baseline/defaults/main.yml +++ b/roles/baseline/defaults/main.yml @@ -25,5 +25,3 @@ baseline_second_disk_var_size: "5G" baseline_second_disk_var_log_size: "5G" baseline_second_disk_var_log_audit_size: "5G" baseline_second_disk_var_tmp_size: "5G" -baseline_tailscale_login_server: -# baseline_tailscale_auth_key: diff --git a/roles/baseline/tasks/main.yml b/roles/baseline/tasks/main.yml index 6583a24..2693fbc 100644 --- a/roles/baseline/tasks/main.yml +++ b/roles/baseline/tasks/main.yml @@ -111,10 +111,6 @@ file: ipaclient.yml when: "'ipaservers' not in group_names" -- name: Baseline | PATCH | Join Tailnet - ansible.builtin.include_tasks: - file: tailscale.yml - - name: Baseline | PATCH | Disable dnf-makecache.timer ansible.builtin.systemd_service: name: dnf-makecache.timer diff --git a/roles/baseline/tasks/tailscale.yml b/roles/baseline/tasks/tailscale.yml deleted file mode 100644 index f0e011e..0000000 --- a/roles/baseline/tasks/tailscale.yml +++ /dev/null 
@@ -1,40 +0,0 @@
----
-- name: Tailscale | PATCH | Add Tailscale repository
- ansible.builtin.yum_repository:
- name: tailscale-stable
- description: Tailscale stable
- baseurl: https://pkgs.tailscale.com/stable/rhel/$releasever/$basearch
- gpgcheck: true
- gpgkey: https://pkgs.tailscale.com/stable/rhel/{{ ansible_distribution_major_version }}/repo.gpg
- repo_gpgcheck: true
- enabled: true
- includepkgs: tailscale
- become: true
-
-- name: Tailscale | PATCH | Install Tailscale
- ansible.builtin.dnf:
- name: tailscale
- state: present
- update_cache: yes
- become: true
-
-- name: Tailscale | PATCH | Enable and start tailscaled service
- ansible.builtin.systemd:
- name: tailscaled
- enabled: yes
- state: started
- become: true
-
-- name: Tailscale | AUDIT | Check if Tailscale is already up
- ansible.builtin.command: tailscale status
- register: tailscale_status
- ignore_errors: yes
- changed_when: false
- become: true
-
-- name: Tailscale | PATCH | Bring up Tailscale with custom login server
- ansible.builtin.command:
- cmd: "tailscale up --login-server={{ baseline_tailscale_login_server }} --authkey={{ baseline_tailscale_auth_key }}"
- when: tailscale_status.rc != 0 or "Logged out" in tailscale_status.stdout
- no_log: yes # Hide auth key from logs
- become: true
diff --git a/roles/podman_headscale/defaults/main.yml b/roles/podman_headscale/defaults/main.yml
deleted file mode 100644
index 5995b8f..0000000
--- a/roles/podman_headscale/defaults/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-podman_headscale_podman_rootless_user: app_headscale
-podman_headscale_firewalld_zone: public
-# podman_headscale_web_hostname:
-# podman_headscale_acme_email:
-# podman_headscale_magicdns_base:
diff --git a/roles/podman_headscale/handlers/main.yml b/roles/podman_headscale/handlers/main.yml
deleted file mode 100644
index a459862..0000000
--- a/roles/podman_headscale/handlers/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Restart Headscale
- ansible.builtin.systemd_service:
- name: headscale
- scope: user
- state: restarted
- become: true
- become_user: "{{ podman_headscale_podman_rootless_user }}"
\ No newline at end of file
diff --git a/roles/podman_headscale/tasks/main.yml b/roles/podman_headscale/tasks/main.yml
deleted file mode 100644
index 283ad00..0000000
--- a/roles/podman_headscale/tasks/main.yml
+++ /dev/null
@@ -1,141 +0,0 @@
----
-- name: Podman Headscale | PATCH | Open firewall for http and https services
- ansible.posix.firewalld:
- zone: "{{ podman_headscale_firewalld_zone }}"
- service: "{{ item }}"
- permanent: true
- immediate: true
- state: enabled
- become: true
- with_items:
- - http
- - https
-
-- name: Podman Headscale | PATCH | Install data plate
- ansible.builtin.template:
- src: etc/motd.d/10-data-plate.txt
- dest: /etc/motd.d/10-data-plate.txt
- owner: root
- group: root
- mode: "0444"
- become: true
-
-- name: Podman Headscale | PATCH | Install podman and verify rootless podman user
- ansible.builtin.include_role:
- role: sr2c.core.podman_host
- vars:
- podman_host_minimum_unpriv_port: 80
- podman_host_rootless_users: ["{{ podman_headscale_podman_rootless_user }}"]
-
-- name: Podman Headscale | AUDIT | Get subuid range for user
- ansible.builtin.command:
- cmd: "getsubids {{ podman_headscale_podman_rootless_user }}"
- register: _podman_headscale_user_subuid
- changed_when: false
-
-- name: Podman Headscale | AUDIT | Get subgid range for user
- ansible.builtin.command:
- cmd: "getsubids -g {{ podman_headscale_podman_rootless_user }}"
- register: _podman_headscale_user_subgid
- changed_when: false
-
-- name: Podman Headscale | AUDIT | Parse outputs of getsubids and store results
- ansible.builtin.set_fact:
- _podman_headscale_user_subuid_start: "{{ _podman_headscale_user_subuid.stdout_lines[0].split()[2] }}"
- _podman_headscale_user_subgid_start: "{{ _podman_headscale_user_subgid.stdout_lines[0].split()[2] }}"
-
-# Headscale runs with UID/GID 0 inside the container
-# TODO: let's fix the above
-- name: Podman Headscale | PATCH | Create configuration directory for Headscale
- ansible.builtin.file:
- path: "/home/{{ podman_headscale_podman_rootless_user }}/headscale-config"
- owner: "{{ podman_headscale_podman_rootless_user }}"
- group: "{{ podman_headscale_podman_rootless_user }}"
- mode: "0700"
- state: "directory"
- become: true
-
-- name: Podman 
Headscale | PATCH | Create data directory for Headscale
- ansible.builtin.file:
- path: "/home/{{ podman_headscale_podman_rootless_user }}/headscale-data"
- owner: "{{ podman_headscale_podman_rootless_user }}"
- group: "{{ podman_headscale_podman_rootless_user }}"
- mode: "0700"
- state: "directory"
- become: true
-
-- name: Podman Headscale | PATCH | Install Headscale configuration
- ansible.builtin.template:
- src: "home/podman/headscale-config/{{ item }}"
- dest: "/home/{{ podman_headscale_podman_rootless_user }}/headscale-config/{{ item }}"
- mode: "0400"
- owner: "{{ (_podman_headscale_user_subuid_start | int) + 65533 }}"
- group: "{{ (_podman_headscale_user_subgid_start | int) + 65533 }}"
- become: true
- with_items:
- - acls.hujson
- - config.yaml
- notify:
- - Restart Headscale
-
-- name: Podman Headscale | PATCH | Install container quadlets
- ansible.builtin.template:
- src: "home/podman/config/containers/systemd/{{ item }}"
- dest: "/home/{{ podman_headscale_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
- owner: "{{ podman_headscale_podman_rootless_user }}"
- mode: "0400"
- with_items:
- - headscale.container
- become: true
- notify:
- - Restart Headscale
-
-- name: Podman Headscale | PATCH | Install network quadlets
- ansible.builtin.template:
- src: "home/podman/config/containers/systemd/{{ item }}"
- dest: "/home/{{ podman_headscale_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
- owner: "{{ podman_headscale_podman_rootless_user }}"
- mode: "0400"
- with_items:
- - headscale.network
- become: true
- notify:
- - Restart Headscale
-
-- name: Podman Headscale | AUDIT | Verify quadlets are correctly defined
- ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user
- register: podman_prometheus_quadlet_result
- ignore_errors: true
- changed_when: false
- become: true
- become_user: "{{ podman_headscale_podman_rootless_user }}"
-
-- name: Podman Headscale | AUDIT | Assert that the quadlet verification succeeded
- 
ansible.builtin.assert:
- that:
- - podman_prometheus_quadlet_result.rc == 0
- fail_msg: "'/usr/libexec/podman/quadlet -dryrun -user' failed! Output withheld to prevent leaking secrets."
-
-- name: Podman Headscale | PATCH | Make sure Headscale is running now and started on boot
- ansible.builtin.systemd_service:
- name: "{{ item }}.service"
- enabled: true
- state: started
- masked: false
- daemon_reload: true
- scope: user
- with_items:
- - headscale
- become: true
- become_user: "{{ podman_headscale_podman_rootless_user }}"
-
-- name: Podman Headscale | PATCH | Set up ClouDNS monitoring
- sr2c.core.cloudns_monitor:
- name: "Headscale - {{ podman_headscale_web_hostname[:20] }}"
- host: "{{ inventory_hostname }}"
- ip: "{{ inventory_hostname }}"
- http_status_code: "200"
- emails: "{{ cloudns_monitoring_emails }}"
- auth_id: "{{ cloudns_auth_id }}"
- auth_password: "{{ cloudns_auth_password }}"
- delegate_to: localhost
diff --git a/roles/podman_headscale/templates/etc/motd.d/10-data-plate.txt b/roles/podman_headscale/templates/etc/motd.d/10-data-plate.txt
deleted file mode 100644
index fe9a70f..0000000
--- a/roles/podman_headscale/templates/etc/motd.d/10-data-plate.txt
+++ /dev/null
@@ -1,14 +0,0 @@
- =========================================================
- A Headscale instance is hosted on this server.
- Podman user: {{ podman_headscale_podman_rootless_user }}
- =========================================================
- # Become the podman user
- sudo -iu {{ podman_headscale_podman_rootless_user }}
- # Check the Headscale status
- systemctl --user status headscale.service
- # Restart Headscale
- systemctl --user restart headscale.service
- # Follow the logs for Headscale
- journalctl --user -fu headscale.service
- =========================================================
-
diff --git a/roles/podman_headscale/templates/home/podman/config/containers/systemd/headscale.container b/roles/podman_headscale/templates/home/podman/config/containers/systemd/headscale.container
deleted file mode 100644
index 7af41b8..0000000
--- a/roles/podman_headscale/templates/home/podman/config/containers/systemd/headscale.container
+++ /dev/null
@@ -1,15 +0,0 @@
-[Container]
-ContainerName=headscale
-Image=docker.io/headscale/headscale:v0.28
-Exec=serve
-Network=headscale.network
-Volume=/home/{{ podman_headscale_podman_rootless_user }}/headscale-config:/etc/headscale:ro,Z
-Volume=/home/{{ podman_headscale_podman_rootless_user }}/headscale-data:/var/lib/headscale:rw,Z
-PublishPort=80:80/tcp
-PublishPort=443:443/tcp
-
-[Service]
-Restart=on-failure
-
-[Install]
-WantedBy=default.target
diff --git a/roles/podman_headscale/templates/home/podman/config/containers/systemd/headscale.network b/roles/podman_headscale/templates/home/podman/config/containers/systemd/headscale.network
deleted file mode 100644
index 8eca7ee..0000000
--- a/roles/podman_headscale/templates/home/podman/config/containers/systemd/headscale.network
+++ /dev/null
@@ -1,2 +0,0 @@
-[Network]
-NetworkName=headscale
diff --git a/roles/podman_headscale/templates/home/podman/headscale-config/acls.hujson b/roles/podman_headscale/templates/home/podman/headscale-config/acls.hujson
deleted file mode 100644
index 9e26dfe..0000000
--- a/roles/podman_headscale/templates/home/podman/headscale-config/acls.hujson
+++ /dev/null
@@ -1 +0,0 @@
-{}
\ No newline at end of file
diff --git a/roles/podman_headscale/templates/home/podman/headscale-config/config.yaml b/roles/podman_headscale/templates/home/podman/headscale-config/config.yaml
deleted file mode 100644
index 47d094f..0000000
--- a/roles/podman_headscale/templates/home/podman/headscale-config/config.yaml
+++ /dev/null
@@ -1,213 +0,0 @@
----
-server_url: https://{{ podman_headscale_web_hostname }}:443
-listen_addr: 0.0.0.0:443
-metrics_listen_addr: 0.0.0.0:9090
-grpc_listen_addr: 0.0.0.0:50443
-grpc_allow_insecure: false
-noise:
- private_key_path: /var/lib/headscale/noise_private.key
-# Any other range is NOT supported, and it will cause unexpected issues.
-prefixes:
- v4: 100.64.0.0/10
- v6: fd7a:115c:a1e0::/48
- allocation: sequential
-
-derp:
- server:
- enabled: false
-
- # Region ID to use for the embedded DERP server.
- # The local DERP prevails if the region ID collides with other region ID coming from
- # the regular DERP config.
- region_id: 999
-
- # Region code and name are displayed in the Tailscale UI to identify a DERP region
- region_code: "headscale"
- region_name: "Headscale Embedded DERP"
-
- # Only allow clients associated with this server access
- verify_clients: true
-
- # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
- # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
- #
- # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
- stun_listen_addr: "0.0.0.0:3478"
-
- # Private key used to encrypt the traffic between headscale DERP and
- # Tailscale clients. A missing key will be automatically generated. 
- private_key_path: /var/lib/headscale/derp_server_private.key
-
- # This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
- # it enables the creation of your very own DERP map entry using a locally available file with the parameter DERP.paths
- # If you enable the DERP server and set this to false, it is required to add the DERP server to the DERP map using DERP.paths
- automatically_add_embedded_derp_region: true
-
- # For better connection stability (especially when using an Exit-Node and DNS is not working),
- # it is possible to optionally add the public IPv4 and IPv6 address to the Derp-Map using:
- ipv4: 198.51.100.1
- ipv6: 2001:db8::1
-
- # List of externally available DERP maps encoded in JSON
- urls:
- - https://controlplane.tailscale.com/derpmap/default
-
- # Locally available DERP map files encoded in YAML
- #
- # This option is mostly interesting for people hosting
- # their own DERP servers:
- # https://tailscale.com/kb/1118/custom-derp-servers/
- #
- # paths:
- # - /etc/headscale/derp-example.yaml
- paths: []
-
- # If enabled, a worker will be set up to periodically
- # refresh the given sources and update the derpmap
- # will be set up.
- auto_update_enabled: true
-
- # How often should we check for DERP updates?
- update_frequency: 3h
-
-# Disables the automatic check for headscale updates on startup
-disable_check_updates: false
-
-# Time before an inactive ephemeral node is deleted?
-ephemeral_node_inactivity_timeout: 30m
-
-database:
- # Database type. Available options: sqlite, postgres
- # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
- # All new development, testing and optimisations are done with SQLite in mind.
- type: sqlite
-
- # Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
- debug: false
-
- # GORM configuration settings.
- gorm:
- # Enable prepared statements. 
- prepare_stmt: true
-
- # Enable parameterized queries.
- parameterized_queries: true
-
- # Skip logging "record not found" errors.
- skip_err_record_not_found: true
-
- # Threshold for slow queries in milliseconds.
- slow_threshold: 1000
-
- sqlite:
- path: /var/lib/headscale/db.sqlite
- write_ahead_log: true
- wal_autocheckpoint: 1000
-
-acme_url: https://acme-v02.api.letsencrypt.org/directory
-acme_email: "{{ podman_headscale_acme_email }}"
-tls_letsencrypt_hostname: "{{ podman_headscale_web_hostname }}"
-tls_letsencrypt_cache_dir: /var/lib/headscale/cache
-tls_letsencrypt_challenge_type: HTTP-01
-tls_letsencrypt_listen: ":http"
-
-log:
- level: info
- format: text
-
-policy:
- mode: file
- path: "/etc/headscale/acls.hujson"
-
-## DNS
-#
-# headscale supports Tailscale's DNS configuration and MagicDNS.
-# Please have a look to their KB to better understand the concepts:
-#
-# - https://tailscale.com/kb/1054/dns/
-# - https://tailscale.com/kb/1081/magicdns/
-# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
-#
-# Please note that for the DNS configuration to have any effect,
-# clients must have the `--accept-dns=true` option enabled. This is the
-# default for the Tailscale client. This option is enabled by default
-# in the Tailscale client.
-#
-# Setting _any_ of the configuration and `--accept-dns=true` on the
-# clients will integrate with the DNS manager on the client or
-# overwrite /etc/resolv.conf.
-# https://tailscale.com/kb/1235/resolv-conf
-#
-# If you want stop Headscale from managing the DNS configuration
-# all the fields under `dns` should be set to empty values.
-dns:
- magic_dns: true
- base_domain: {{ podman_headscale_magicdns_base }}
-
- # Whether to use the local DNS settings of a node or override the local DNS
- # settings (default) and force the use of Headscale's DNS configuration.
- override_local_dns: true
-
- # List of DNS servers to expose to clients. 
- nameservers:
- global:
- - 1.1.1.1
- - 1.0.0.1
- - 2606:4700:4700::1111
- - 2606:4700:4700::1001
-
- # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
- # "abc123" is example NextDNS ID, replace with yours.
- # - https://dns.nextdns.io/abc123
-
- # Split DNS (see https://tailscale.com/kb/1054/dns/),
- # a map of domains and which DNS server to use for each.
- split: {}
- # foo.bar.com:
- # - 1.1.1.1
- # darp.headscale.net:
- # - 1.1.1.1
- # - 8.8.8.8
-
- # Set custom DNS search domains. With MagicDNS enabled,
- # your tailnet base_domain is always the first search domain.
- search_domains: []
-
- # Extra DNS records
- # so far only A and AAAA records are supported (on the tailscale side)
- # See: docs/ref/dns.md
- extra_records: []
- # - name: "grafana.myvpn.example.com"
- # type: "A"
- # value: "100.64.0.3"
- #
- # # you can also put it in one line
- # - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
- #
- # Alternatively, extra DNS records can be loaded from a JSON file.
- # Headscale processes this file on each change.
- # extra_records_path: /var/lib/headscale/extra-records.json
-
-unix_socket: /var/run/headscale/headscale.sock
-unix_socket_permission: "0770"
-
-oidc:
- only_start_if_oidc_is_available: false
- issuer: "{{ podman_headscale_oidc_issuer }}"
- client_id: "{{ podman_headscale_oidc_client_id }}"
- client_secret: "{{ podman_headscale_oidc_client_secret }}"
- expiry: 180d
- use_expiry_from_token: false
- scope: ["openid", "profile", "email"]
- email_verified_required: true
- pkce:
- enabled: true
- method: S256
-
-logtail:
- enabled: false
-
-randomize_client_port: false
-
-taildrop:
- enabled: true