feat(baseline): join tailnet

feat: new headscale role
2026-05-25 12:43:25 +01:00 · 2026-05-25 12:43:25 +01:00
12 changed files with 474 additions and 0 deletions
--- a/playbooks/services.yml
+++ b/playbooks/services.yml
@ -47,6 +47,34 @@
    - role: sr2c.core.node_exporter
      tags: prometheus

+- name: Deploy and update Headscale server
+  hosts:
+    - headscale
+  roles:
+    - role: sr2c.core.baseline
+      vars:
+        baseline_epel_packages_allowed:
+          - certbot
+          - python3-certbot
+          - python3-pyrfc3339
+          - python3-parsedatetime
+          - python3-josepy
+          - python3-importlib-metadata
+          - python3-configargparse
+          - python3-acme
+          - python3-zipp
+          - python3-pyOpenSSL
+          - node-exporter
+      tags: bootstrap
+    - role: freeipa.ansible_freeipa.ipaclient
+      become: true
+      state: present
+      tags: bootstrap
+    - role: sr2c.core.node_exporter
+      tags: prometheus
+    - role: sr2c.core.podman_headscale
+      tags: headscale
+
 - name: Deploy and update the Prometheus server
  hosts:
    - prometheus
--- a/roles/baseline/defaults/main.yml
+++ b/roles/baseline/defaults/main.yml
@ -25,3 +25,5 @@ baseline_second_disk_var_size: "5G"
 baseline_second_disk_var_log_size: "5G"
 baseline_second_disk_var_log_audit_size: "5G"
 baseline_second_disk_var_tmp_size: "5G"
+baseline_tailscale_login_server:
+# baseline_tailscale_auth_key:
--- a/roles/baseline/tasks/main.yml
+++ b/roles/baseline/tasks/main.yml
@ -111,6 +111,10 @@
    file: ipaclient.yml
  when: "'ipaservers' not in group_names"

+- name: Baseline | PATCH | Join Tailnet
+  ansible.builtin.include_tasks:
+    file: tailscale.yml
+
 - name: Baseline | PATCH | Disable dnf-makecache.timer
  ansible.builtin.systemd_service:
    name: dnf-makecache.timer
--- a/roles/baseline/tasks/tailscale.yml
+++ b/roles/baseline/tasks/tailscale.yml
@ -0,0 +1,40 @@
+---
+- name: Tailscale | PATCH | Add Tailscale repository
+  ansible.builtin.yum_repository:
+    name: tailscale-stable
+    description: Tailscale stable
+    baseurl: https://pkgs.tailscale.com/stable/rhel/$releasever/$basearch
+    gpgcheck: true
+    gpgkey: https://pkgs.tailscale.com/stable/rhel/{{ ansible_distribution_major_version }}/repo.gpg
+    repo_gpgcheck: true
+    enabled: true
+    includepkgs: tailscale
+  become: true
+
+- name: Tailscale | PATCH | Install Tailscale
+  ansible.builtin.dnf:
+    name: tailscale
+    state: present
+    update_cache: yes
+  become: true
+
+- name: Tailscale | PATCH | Enable and start tailscaled service
+  ansible.builtin.systemd:
+    name: tailscaled
+    enabled: yes
+    state: started
+  become: true
+
+- name: Tailscale | AUDIT | Check if Tailscale is already up
+  ansible.builtin.command: tailscale status
+  register: tailscale_status
+  ignore_errors: yes
+  changed_when: false
+  become: true
+
+- name: Tailscale | PATCH | Bring up Tailscale with custom login server
+  ansible.builtin.command:
+    cmd: "tailscale up --login-server={{ baseline_tailscale_login_server }} --authkey={{ baseline_tailscale_auth_key }}"
+  when: tailscale_status.rc != 0 or "Logged out" in tailscale_status.stdout
+  no_log: yes  # Hide auth key from logs
+  become: true
--- a/roles/podman_headscale/defaults/main.yml
+++ b/roles/podman_headscale/defaults/main.yml
@ -0,0 +1,6 @@
+---
+podman_headscale_podman_rootless_user: app_headscale
+podman_headscale_firewalld_zone: public
+# podman_headscale_web_hostname:
+# podman_headscale_acme_email:
+# podman_headscale_magicdns_base:
--- a/roles/podman_headscale/handlers/main.yml
+++ b/roles/podman_headscale/handlers/main.yml
@ -0,0 +1,8 @@
+---
+- name: Restart Headscale
+  ansible.builtin.systemd_service:
+    name: headscale
+    scope: user
+    state: restarted
+  become: true
+  become_user: "{{ podman_headscale_podman_rootless_user }}"
--- a/roles/podman_headscale/tasks/main.yml
+++ b/roles/podman_headscale/tasks/main.yml
@ -0,0 +1,141 @@
+---
+- name: Podman Headscale | PATCH | Open firewall for http and https services
+  ansible.posix.firewalld:
+    zone: "{{ podman_headscale_firewalld_zone }}"
+    service: "{{ item }}"
+    permanent: true
+    immediate: true
+    state: enabled
+  become: true
+  with_items:
+    - http
+    - https
+
+- name: Podman Headscale | PATCH | Install data plate
+  ansible.builtin.template:
+    src: etc/motd.d/10-data-plate.txt
+    dest: /etc/motd.d/10-data-plate.txt
+    owner: root
+    group: root
+    mode: "0444"
+  become: true
+
+- name: Podman Headscale | PATCH | Install podman and verify rootless podman user
+  ansible.builtin.include_role:
+    role: sr2c.core.podman_host
+  vars:
+    podman_host_minimum_unpriv_port: 80
+    podman_host_rootless_users: ["{{ podman_headscale_podman_rootless_user }}"]
+
+- name: Podman Headscale | AUDIT | Get subuid range for user
+  ansible.builtin.command:
+    cmd: "getsubids {{ podman_headscale_podman_rootless_user }}"
+  register: _podman_headscale_user_subuid
+  changed_when: false
+
+- name: Podman Headscale | AUDIT | Get subgid range for user
+  ansible.builtin.command:
+    cmd: "getsubids -g {{ podman_headscale_podman_rootless_user }}"
+  register: _podman_headscale_user_subgid
+  changed_when: false
+
+- name: Podman Headscale | AUDIT | Parse outputs of getsubids and store results
+  ansible.builtin.set_fact:
+    _podman_headscale_user_subuid_start: "{{ _podman_headscale_user_subuid.stdout_lines[0].split()[2] }}"
+    _podman_headscale_user_subgid_start: "{{ _podman_headscale_user_subgid.stdout_lines[0].split()[2] }}"
+
+# Headscale runs with UID/GID 0 inside the container
+# TODO: let's fix the above
+- name: Podman Headscale | PATCH | Create configuration directory for Headscale
+  ansible.builtin.file:
+    path: "/home/{{ podman_headscale_podman_rootless_user }}/headscale-config"
+    owner: "{{ podman_headscale_podman_rootless_user }}"
+    group: "{{ podman_headscale_podman_rootless_user }}"
+    mode: "0700"
+    state: "directory"
+  become: true
+
+- name: Podman Headscale | PATCH | Create data directory for Headscale
+  ansible.builtin.file:
+    path: "/home/{{ podman_headscale_podman_rootless_user }}/headscale-data"
+    owner: "{{ podman_headscale_podman_rootless_user }}"
+    group: "{{ podman_headscale_podman_rootless_user }}"
+    mode: "0700"
+    state: "directory"
+  become: true
+
+- name: Podman Headscale | PATCH | Install Headscale configuration
+  ansible.builtin.template:
+    src: "home/podman/headscale-config/{{ item }}"
+    dest: "/home/{{ podman_headscale_podman_rootless_user }}/headscale-config/{{ item }}"
+    mode: "0400"
+    owner: "{{ (_podman_headscale_user_subuid_start | int) + 65533 }}"
+    group: "{{ (_podman_headscale_user_subgid_start | int) + 65533 }}"
+  become: true
+  with_items:
+    - acls.hujson
+    - config.yaml
+  notify:
+    - Restart Headscale
+
+- name: Podman Headscale | PATCH | Install container quadlets
+  ansible.builtin.template:
+    src: "home/podman/config/containers/systemd/{{ item }}"
+    dest: "/home/{{ podman_headscale_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
+    owner: "{{ podman_headscale_podman_rootless_user }}"
+    mode: "0400"
+  with_items:
+    - headscale.container
+  become: true
+  notify:
+    - Restart Headscale
+
+- name: Podman Headscale | PATCH | Install network quadlets
+  ansible.builtin.template:
+    src: "home/podman/config/containers/systemd/{{ item }}"
+    dest: "/home/{{ podman_headscale_podman_rootless_user }}/.config/containers/systemd/{{ item }}"
+    owner: "{{ podman_headscale_podman_rootless_user }}"
+    mode: "0400"
+  with_items:
+    - headscale.network
+  become: true
+  notify:
+    - Restart Headscale
+
+- name: Podman Headscale | AUDIT | Verify quadlets are correctly defined
+  ansible.builtin.command: /usr/libexec/podman/quadlet -dryrun -user
+  register: podman_prometheus_quadlet_result
+  ignore_errors: true
+  changed_when: false
+  become: true
+  become_user: "{{ podman_headscale_podman_rootless_user }}"
+
+- name: Podman Headscale | AUDIT | Assert that the quadlet verification succeeded
+  ansible.builtin.assert:
+    that:
+      - podman_prometheus_quadlet_result.rc == 0
+    fail_msg: "'/usr/libexec/podman/quadlet -dryrun -user' failed! Output withheld to prevent leaking secrets."
+
+- name: Podman Headscale | PATCH | Make sure Headscale is running now and started on boot
+  ansible.builtin.systemd_service:
+    name: "{{ item }}.service"
+    enabled: true
+    state: started
+    masked: false
+    daemon_reload: true
+    scope: user
+  with_items:
+    - headscale
+  become: true
+  become_user: "{{ podman_headscale_podman_rootless_user }}"
+
+- name: Podman Headscale | PATCH | Set up ClouDNS monitoring
+  sr2c.core.cloudns_monitor:
+    name: "Headscale - {{ podman_headscale_web_hostname[:20] }}"
+    host: "{{ inventory_hostname }}"
+    ip: "{{ inventory_hostname }}"
+    http_status_code: "200"
+    emails: "{{ cloudns_monitoring_emails }}"
+    auth_id: "{{ cloudns_auth_id }}"
+    auth_password: "{{ cloudns_auth_password }}"
+  delegate_to: localhost
--- a/roles/podman_headscale/templates/etc/motd.d/10-data-plate.txt
+++ b/roles/podman_headscale/templates/etc/motd.d/10-data-plate.txt
@ -0,0 +1,14 @@
+    =========================================================
+    A Headscale instance is hosted on this server.
+    Podman user: {{ podman_headscale_podman_rootless_user }}
+    =========================================================
+    # Become the podman user
+    sudo -iu {{ podman_headscale_podman_rootless_user }}
+    # Check the Headscale status
+    systemctl --user status headscale.service
+    # Restart Headscale
+    systemctl --user restart headscale.service
+    # Follow the logs for Headscale
+    journalctl --user -fu headscale.service
+    =========================================================
+
--- a/roles/podman_headscale/templates/home/podman/config/containers/systemd/headscale.container
+++ b/roles/podman_headscale/templates/home/podman/config/containers/systemd/headscale.container
@ -0,0 +1,15 @@
+[Container]
+ContainerName=headscale
+Image=docker.io/headscale/headscale:v0.28
+Exec=serve
+Network=headscale.network
+Volume=/home/{{ podman_headscale_podman_rootless_user }}/headscale-config:/etc/headscale:ro,Z
+Volume=/home/{{ podman_headscale_podman_rootless_user }}/headscale-data:/var/lib/headscale:rw,Z
+PublishPort=80:80/tcp
+PublishPort=443:443/tcp
+
+[Service]
+Restart=on-failure
+
+[Install]
+WantedBy=default.target
--- a/roles/podman_headscale/templates/home/podman/config/containers/systemd/headscale.network
+++ b/roles/podman_headscale/templates/home/podman/config/containers/systemd/headscale.network
@ -0,0 +1,2 @@
+[Network]
+NetworkName=headscale
--- a/roles/podman_headscale/templates/home/podman/headscale-config/acls.hujson
+++ b/roles/podman_headscale/templates/home/podman/headscale-config/acls.hujson
@ -0,0 +1 @@
+{}
--- a/roles/podman_headscale/templates/home/podman/headscale-config/config.yaml
+++ b/roles/podman_headscale/templates/home/podman/headscale-config/config.yaml
@ -0,0 +1,213 @@
+---
+server_url: https://{{ podman_headscale_web_hostname }}:443
+listen_addr: 0.0.0.0:443
+metrics_listen_addr: 0.0.0.0:9090
+grpc_listen_addr: 0.0.0.0:50443
+grpc_allow_insecure: false
+noise:
+  private_key_path: /var/lib/headscale/noise_private.key
+# Any other range is NOT supported, and it will cause unexpected issues.
+prefixes:
+  v4: 100.64.0.0/10
+  v6: fd7a:115c:a1e0::/48
+  allocation: sequential
+
+derp:
+  server:
+    enabled: false
+
+    # Region ID to use for the embedded DERP server.
+    # The local DERP prevails if the region ID collides with other region ID coming from
+    # the regular DERP config.
+    region_id: 999
+
+    # Region code and name are displayed in the Tailscale UI to identify a DERP region
+    region_code: "headscale"
+    region_name: "Headscale Embedded DERP"
+
+    # Only allow clients associated with this server access
+    verify_clients: true
+
+    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
+    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
+    #
+    # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
+    stun_listen_addr: "0.0.0.0:3478"
+
+    # Private key used to encrypt the traffic between headscale DERP and
+    # Tailscale clients. A missing key will be automatically generated.
+    private_key_path: /var/lib/headscale/derp_server_private.key
+
+    # This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
+    # it enables the creation of your very own DERP map entry using a locally available file with the parameter DERP.paths
+    # If you enable the DERP server and set this to false, it is required to add the DERP server to the DERP map using DERP.paths
+    automatically_add_embedded_derp_region: true
+
+    # For better connection stability (especially when using an Exit-Node and DNS is not working),
+    # it is possible to optionally add the public IPv4 and IPv6 address to the Derp-Map using:
+    ipv4: 198.51.100.1
+    ipv6: 2001:db8::1
+
+  # List of externally available DERP maps encoded in JSON
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+
+  # Locally available DERP map files encoded in YAML
+  #
+  # This option is mostly interesting for people hosting
+  # their own DERP servers:
+  # https://tailscale.com/kb/1118/custom-derp-servers/
+  #
+  # paths:
+  #   - /etc/headscale/derp-example.yaml
+  paths: []
+
+  # If enabled, a worker will be set up to periodically
+  # refresh the given sources and update the derpmap
+  # will be set up.
+  auto_update_enabled: true
+
+  # How often should we check for DERP updates?
+  update_frequency: 3h
+
+# Disables the automatic check for headscale updates on startup
+disable_check_updates: false
+
+# Time before an inactive ephemeral node is deleted?
+ephemeral_node_inactivity_timeout: 30m
+
+database:
+  # Database type. Available options: sqlite, postgres
+  # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
+  # All new development, testing and optimisations are done with SQLite in mind.
+  type: sqlite
+
+  # Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
+  debug: false
+
+  # GORM configuration settings.
+  gorm:
+    # Enable prepared statements.
+    prepare_stmt: true
+
+    # Enable parameterized queries.
+    parameterized_queries: true
+
+    # Skip logging "record not found" errors.
+    skip_err_record_not_found: true
+
+    # Threshold for slow queries in milliseconds.
+    slow_threshold: 1000
+
+  sqlite:
+    path: /var/lib/headscale/db.sqlite
+    write_ahead_log: true
+    wal_autocheckpoint: 1000
+
+acme_url: https://acme-v02.api.letsencrypt.org/directory
+acme_email: "{{ podman_headscale_acme_email }}"
+tls_letsencrypt_hostname: "{{ podman_headscale_web_hostname }}"
+tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+tls_letsencrypt_challenge_type: HTTP-01
+tls_letsencrypt_listen: ":http"
+
+log:
+  level: info
+  format: text
+
+policy:
+  mode: file
+  path: "/etc/headscale/acls.hujson"
+
+## DNS
+#
+# headscale supports Tailscale's DNS configuration and MagicDNS.
+# Please have a look to their KB to better understand the concepts:
+#
+# - https://tailscale.com/kb/1054/dns/
+# - https://tailscale.com/kb/1081/magicdns/
+# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
+#
+# Please note that for the DNS configuration to have any effect,
+# clients must have the `--accept-dns=true` option enabled. This is the
+# default for the Tailscale client. This option is enabled by default
+# in the Tailscale client.
+#
+# Setting _any_ of the configuration and `--accept-dns=true` on the
+# clients will integrate with the DNS manager on the client or
+# overwrite /etc/resolv.conf.
+# https://tailscale.com/kb/1235/resolv-conf
+#
+# If you want stop Headscale from managing the DNS configuration
+# all the fields under `dns` should be set to empty values.
+dns:
+  magic_dns: true
+  base_domain: {{ podman_headscale_magicdns_base }}
+
+  # Whether to use the local DNS settings of a node or override the local DNS
+  # settings (default) and force the use of Headscale's DNS configuration.
+  override_local_dns: true
+
+  # List of DNS servers to expose to clients.
+  nameservers:
+    global:
+      - 1.1.1.1
+      - 1.0.0.1
+      - 2606:4700:4700::1111
+      - 2606:4700:4700::1001
+
+      # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+      # "abc123" is example NextDNS ID, replace with yours.
+      # - https://dns.nextdns.io/abc123
+
+    # Split DNS (see https://tailscale.com/kb/1054/dns/),
+    # a map of domains and which DNS server to use for each.
+    split: {}
+      # foo.bar.com:
+      #   - 1.1.1.1
+      # darp.headscale.net:
+      #   - 1.1.1.1
+      #   - 8.8.8.8
+
+  # Set custom DNS search domains. With MagicDNS enabled,
+  # your tailnet base_domain is always the first search domain.
+  search_domains: []
+
+  # Extra DNS records
+  # so far only A and AAAA records are supported (on the tailscale side)
+  # See: docs/ref/dns.md
+  extra_records: []
+  #   - name: "grafana.myvpn.example.com"
+  #     type: "A"
+  #     value: "100.64.0.3"
+  #
+  #   # you can also put it in one line
+  #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
+  #
+  # Alternatively, extra DNS records can be loaded from a JSON file.
+  # Headscale processes this file on each change.
+  # extra_records_path: /var/lib/headscale/extra-records.json
+
+unix_socket: /var/run/headscale/headscale.sock
+unix_socket_permission: "0770"
+
+oidc:
+  only_start_if_oidc_is_available: false
+  issuer: "{{ podman_headscale_oidc_issuer }}"
+  client_id: "{{ podman_headscale_oidc_client_id }}"
+  client_secret: "{{ podman_headscale_oidc_client_secret }}"
+  expiry: 180d
+  use_expiry_from_token: false
+  scope: ["openid", "profile", "email"]
+  email_verified_required: true
+  pkce:
+    enabled: true
+    method: S256
+
+logtail:
+  enabled: false
+
+randomize_client_port: false
+
+taildrop:
+  enabled: true
Author	SHA1	Message	Date
irl	90c7701ba9	feat(baseline): join tailnet Some checks failed Ansible Lint Check / lint (push) Failing after 1m1s Details	2026-05-25 12:43:25 +01:00
irl	8162595b34	feat: new headscale role	2026-05-25 12:43:25 +01:00