diff --git a/tasks/main.yml b/tasks/main.yml
index 4e20ee8..8120d57 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,17 +1,17 @@
 ---
 - name: dirs
-  file: state=directory path="{{ item }}" # mode= o= g=
+  file: state=directory path="{{ item }}" mode="0700" # o= g=
   loop:
     - "{{ headscale_dir }}"
     - "{{ headscale_dir }}/config"
     - "{{ headscale_dir }}/data"
 
 - name: config file
-  template: src="config.yaml.j2" dest="{{ headscale_dir }}/config/config.yaml" # mode= o= g=
+  template: src="config.yaml.j2" dest="{{ headscale_dir }}/config/config.yaml" mode="0600" # o= g=
 
 - name: create an empty database file if it doesn't exist
-  copy: force=false content="" dest="{{ headscale_dir }}/data/db.sqlite" # mode= o= g=
+  copy: force=false content="" dest="{{ headscale_dir }}/data/db.sqlite" mode="0600" # o= g=
 
 - name: headscale coordination server
   docker_container:
@@ -20,6 +20,9 @@
     pull: "{{ headscale_pull }}"
     command: headscale serve
     restart_policy: unless-stopped
+    networks:
+      - name: servicenet
+    networks_cli_compatible: yes # don't add a default network
     volumes:
       - "{{ headscale_dir }}/config:/etc/headscale:ro"
       - "{{ headscale_dir }}/data:/var/lib/headscale"
@@ -27,11 +30,12 @@
       traefik.enable: "true"
       traefik.http.routers.headscale.entryPoints: "web_https"
       traefik.http.routers.headscale.rule: "Host(`{{ headscale_domain }}`)"
-      traefik.http.routers.headscale.middlewares: "chain-authelia@file"
-    published_ports: ### local testing
-      - "9441:8080"
-      - "9442:9090" # /metrics
-      - "50443:50443" # /headscale grpc API
+      traefik.http.routers.headscale.service: "headscale"
+      traefik.http.services.headscale.loadbalancer.server.port: "8080"
+    #published_ports: ### local testing
+    #  - "9441:8080"
+    #  - "9442:9090" # /metrics
+    #  - "50443:50443" # /headscale grpc API
 
 # (If a given namespace already exists, the command issues an error
 # message but the exit code is 0 (successful).)
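Review bot: The new `mode="0700"` / `mode="0600"` values tighten the directories, `config.yaml` and `db.sqlite`, but owner and group are still left to whatever user the play connects as (the `# o= g=` reminders survive on all three tasks), so whether the headscale process inside the container can read the `:ro`-mounted config and write the database now depends on the container running as that same UID; worth pinning `owner=`/`group=` to the UID the image runs as, or stating in a comment that it runs as root. On the `copy` task, `force=false` leaves an existing `db.sqlite` untouched, so I would confirm that the new mode is still applied to a pre-existing file rather than only on first creation — if not, a follow-up `file: path="{{ headscale_dir }}/data/db.sqlite" mode="0600"` task closes the gap on already-deployed hosts. As a point of style, the three tasks use free-form `key=value` arguments where ansible-lint expects native YAML, e.g. `file:` / `path: "{{ item }}"` / `state: directory` / `mode: "0700"`.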
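Review bot: `networks_cli_compatible: yes` (added here and again in the headscale UI hunk further down) is a YAML 1.1 truthy that yamllint's `truthy` rule rejects and that generic parsers read inconsistently; write it as `networks_cli_compatible: true`. The task also assumes a Docker network named `servicenet` already exists on the host — nothing in this diff creates it, so unless another task or role does, `docker_container` will fail on a fresh host; a comment above `networks:` naming where `servicenet` comes from would make that dependency visible. The enclosing `docker_container:` task begins in the previous hunk.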
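Review bot: Dropping `traefik.http.routers.headscale.middlewares: "chain-authelia@file"` takes the forward-auth chain off the coordination server's router, which is presumably needed so Tailscale clients can register without an interactive login, but it also means every path behind `Host(...)` is now unauthenticated at the proxy; a short comment above the labels stating that this router is intentionally unprotected (and that only port 8080 is routed, not the former 9090 metrics port) would stop the next reader from "fixing" it. The old `published_ports` block is retained as commented-out text, which tends to drift from the live configuration; if it is still useful for local testing, a real key driven by a variable, e.g. `published_ports: "{{ headscale_published_ports | default([]) }}"` (constructed name), keeps it exercised instead of dead.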
@@ -39,10 +43,24 @@
   community.docker.docker_container_exec:
     container: headscale
     argv: ['headscale', 'namespaces', 'create', "{{ item }}"]
-  register: result
-  changed_when: "'Namespace created' in result.stdout_lines"
+  register: _result
+  changed_when: "'User created' == _result.stdout"
   loop: "{{ headscale_namespaces }}"
 
+# Create a new API key.
+# ### Doesn't report an existing API key or expire the old one.
+# See 'headscale apikeys list', 'headscale apikeys expire --prefix ...'
+- name: API key
+  community.docker.docker_container_exec:
+    container: headscale
+    argv: ['headscale', 'apikeys', 'create', '--expiration=24h']
+  register: headscale_api_key_create_result
+  changed_when: true
+
+- debug:
+    msg: "This is the API key to use in the web UI:\n{{ headscale_api_key_create_result.stdout }}"
+  when: not ansible_check_mode
+
 # https://github.com/gurucomputing/headscale-ui
 - name: headscale UI
   docker_container:
@@ -50,10 +68,11 @@
     image: "{{ headscale_ui_docker_image }}"
     pull: "{{ headscale_pull }}"
     restart_policy: unless-stopped
+    networks:
+      - name: servicenet
+    networks_cli_compatible: yes # don't add a default network
     labels:
       traefik.enable: "true"
-      traefik.http.routers.headscale.entryPoints: "web_https"
-      traefik.http.routers.headscale.rule: "Host(`{{ headscale_domain }}`) && PathPrefix(`/web`)"
-      traefik.http.routers.headscale.middlewares: "chain-authelia@file"
-    exposed_ports:
-      - "80"
+      traefik.http.routers.headscale-ui.entryPoints: "web_https"
+      traefik.http.routers.headscale-ui.rule: "Host(`{{ headscale_domain }}`) && PathPrefix(`/web`)"
+      #traefik.http.routers.headscale-ui.middlewares: "chain-authelia@file"
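Review bot: `changed_when: "'User created' == _result.stdout"` requires the entire stdout to equal that string, where the previous check tested membership in `stdout_lines`; if `docker_container_exec` returns the trailing newline or headscale prints anything else, the task will never report changed even on success, so `'User created' in _result.stdout` is the safer comparison. The argv still runs `headscale namespaces create` while the message it expects is the newer "User created" wording — if the target headscale version has renamed namespaces to users, `argv: ['headscale', 'users', 'create', "{{ item }}"]` would match the output it checks. The new API key task runs unconditionally with `changed_when: true`, so every play run mints another 24-hour key (the comment above it admits old ones are never expired) and the `debug` task then writes it into the play output, i.e. into whatever log or CI transcript captures it; gating both tasks with `when: headscale_create_api_key | default(false)` (constructed variable) and adding `no_log: true` to the `register` task keeps key creation to deliberate runs. The `docker_container_exec` task at the top of the hunk starts outside it — its `- name:` line is above.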
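Review bot: The `headscale-ui` router has no service or port binding: `exposed_ports: - "80"` is removed and, unlike the coordination-server hunk, no loadbalancer port label is added, so I believe Traefik's docker provider has to infer the backend port from the image's exposed ports, which only works when exactly one is exposed; add `traefik.http.routers.headscale-ui.service: "headscale-ui"` and `traefik.http.services.headscale-ui.loadbalancer.server.port: "80"` next to the rule. Commenting out `traefik.http.routers.headscale-ui.middlewares: "chain-authelia@file"` leaves the web UI under `/web` reachable through the proxy with no forward-auth in front of it, protected only by the API key a visitor supplies; if that is the intent it deserves a one-line comment saying so, otherwise the label should stay active rather than become dead text.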