fix headscale and lnbits

2025-11-03 16:51:53 +01:00 · 2025-11-03 16:51:53 +01:00 · eb047a29f3
commit eb047a29f3
parent 0bafa6ba2c
3 changed files with 137 additions and 26 deletions
--- a/ansible/services/headscale/deploy_headscale_playbook.yml
+++ b/ansible/services/headscale/deploy_headscale_playbook.yml
@ -1,11 +1,12 @@
 - name: Deploy headscale and configure Caddy reverse proxy
-  hosts: vipy
+  hosts: spacey
  become: no
  vars_files:
    - ../../infra_vars.yml
    - ./headscale_vars.yml
  vars:
    headscale_domain: "{{ headscale_subdomain }}.{{ root_domain }}"
+    headscale_base_domain: "tailnet.{{ root_domain }}"

  tasks:
    - name: Install required packages
@ -34,6 +35,16 @@
        path: /tmp/headscale.deb
        state: absent

+    - name: Ensure headscale user exists
+      become: yes
+      user:
+        name: headscale
+        system: yes
+        shell: /usr/sbin/nologin
+        home: /var/lib/headscale
+        create_home: yes
+        state: present
+
    - name: Create headscale data directory
      become: yes
      file:
@ -50,17 +61,7 @@
        state: directory
        owner: headscale
        group: headscale
-        mode: '0755'
-
-    - name: Ensure headscale user exists
-      become: yes
-      user:
-        name: headscale
-        system: yes
-        shell: /usr/sbin/nologin
-        home: /var/lib/headscale
-        create_home: yes
-        state: present
+        mode: '0770'

    - name: Ensure headscale user owns data directory
      become: yes
@ -69,6 +70,14 @@
        owner: headscale
        group: headscale
        recurse: yes
+        mode: '0750'
+
+    - name: Add counterweight user to headscale group
+      become: yes
+      user:
+        name: counterweight
+        groups: headscale
+        append: yes

    - name: Create ACL policies file
      become: yes
@ -84,7 +93,7 @@
          }
        owner: headscale
        group: headscale
-        mode: '0644'
+        mode: '0640'
      notify: Restart headscale

    - name: Deploy headscale configuration file
@ -135,17 +144,17 @@
            path: /etc/headscale/acl.json
          
          dns:
-            base_domain: tailnet.contrapeso.xyz
+            base_domain: {{ headscale_base_domain | quote }}
            magic_dns: true
            search_domains:
-              - tailnet.contrapeso.xyz
+              - {{ headscale_base_domain | quote }}
            nameservers:
              global:
                - 1.1.1.1
                - 1.0.0.1
        owner: root
-        group: root
-        mode: '0644'
+        group: headscale
+        mode: '0640'
      notify: Restart headscale

    - name: Test headscale configuration
@ -165,6 +174,21 @@
        enabled: yes
        state: started

+    - name: Wait for headscale unix socket to be ready
+      become: yes
+      wait_for:
+        path: /var/run/headscale/headscale.sock
+        state: present
+        timeout: 60
+        delay: 2
+
+    - name: Create headscale namespace if it doesn't exist
+      become: yes
+      command: headscale users create {{ headscale_namespace }}
+      register: create_namespace_result
+      failed_when: create_namespace_result.rc != 0 and 'already exists' not in create_namespace_result.stderr and 'UNIQUE constraint' not in create_namespace_result.stderr
+      changed_when: create_namespace_result.rc == 0
+
    - name: Allow HTTPS through UFW
      become: yes
      ufw: