move headscale config to tfvars and change leaked creds[ci skip]

2023-09-15 23:13:19 +00:00 · 2023-09-15 23:13:19 +00:00 · fbbc05180d
commit fbbc05180d
parent 5061eb590b
5 changed files with 9 additions and 160 deletions
--- a/main.tf
+++ b/main.tf
@ -61,6 +61,7 @@ variable "finance_app_oauth_google_client_secret" {}
 variable "finance_app_graphql_api_secret" {}
 variable "finance_app_gocardless_secret_id" {}
 variable "finance_app_gocardless_secret_key" {}
+variable "headscale_config" {}

 variable "ansible_prefix" {
  default     = "ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass.txt ansible-playbook -i playbook/hosts.yaml playbook/linux.yml -t linux/initial_setup"
@ -286,6 +287,8 @@ module "kubernetes_cluster" {
  finance_app_db_connection_string       = var.finance_app_db_connection_string
  finance_app_gocardless_secret_id       = var.finance_app_gocardless_secret_id
  finance_app_gocardless_secret_key      = var.finance_app_gocardless_secret_key
+
+  headscale_config = var.headscale_config
 }


--- a/modules/kubernetes/headscale/main.tf
+++ b/modules/kubernetes/headscale/main.tf
@ -1,5 +1,6 @@

 variable "tls_secret_name" {}
+variable "headscale_config" {}

 resource "kubernetes_namespace" "headscale" {
  metadata {
@ -234,163 +235,6 @@ resource "kubernetes_config_map" "headscale-config" {
  }

  data = {
-    "config.yaml" = <<-EOT
-        ---
-        server_url: https://headscale.viktorbarzin.me
-        listen_addr: 0.0.0.0:8080
-        metrics_listen_addr: 0.0.0.0:9090
-        #grpc_listen_addr: 127.0.0.1:50443
-        #grpc_listen_addr: 0.0.0.0:50443
-        grpc_listen_addr: 0.0.0.0:41641
-        #grpc_allow_insecure: false
-        grpc_allow_insecure: true
-
-        #private_key_path: /etc/headscale/private.key
-        private_key_path: /mnt/private.key
-
-        noise:
-            #private_key_path: /etc/headscale/noise_private.key
-            private_key_path: /mnt/noise_private.key
-
-        ip_prefixes:
-        - fd7a:115c:a1e0::/48
-        - 100.64.0.0/10
-
-        disable_check_updates: false
-
-        ephemeral_node_inactivity_timeout: 30m
-
-        derp:
-          server:
-            # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
-            # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
-            enabled: true
-
-            # Region ID to use for the embedded DERP server.
-            # The local DERP prevails if the region ID collides with other region ID coming from
-            # the regular DERP config.
-            region_id: 999
-
-            # Region code and name are displayed in the Tailscale UI to identify a DERP region
-            region_code: "headscale"
-            region_name: "Headscale Embedded DERP"
-
-            # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
-            # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
-            #
-            # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
-            stun_listen_addr: "0.0.0.0:3478"
-
-          # List of externally available DERP maps encoded in JSON
-          urls:
-            - https://controlplane.tailscale.com/derpmap/default
-
-          # Locally available DERP map files encoded in YAML
-          #
-          # This option is mostly interesting for people hosting
-          # their own DERP servers:
-          # https://tailscale.com/kb/1118/custom-derp-servers/
-          #
-          # paths:
-          #   - /etc/headscale/derp-example.yaml
-          paths: []
-
-          # If enabled, a worker will be set up to periodically
-          # refresh the given sources and update the derpmap
-          # will be set up.
-          auto_update_enabled: true
-
-          # How often should we check for DERP updates?
-          update_frequency: 24h
-
-        node_update_check_interval: 10s
-
-        db_type: sqlite3
-
-        #db_path: /etc/headscale/db.sqlite
-        db_path: /mnt/db.sqlite
-
-        acme_url: https://acme-v02.api.letsencrypt.org/directory
-
-        acme_email: ""
-
-        tls_letsencrypt_hostname: ""
-
-        tls_letsencrypt_cache_dir: /var/lib/headscale/cache
-
-        tls_letsencrypt_challenge_type: HTTP-01
-        tls_letsencrypt_listen: ":http"
-
-        tls_cert_path: ""
-        tls_key_path: ""
-
-        log:
-            format: text
-            #level: info
-            level: debug
-
-        acl_policy_path: ""
-
-        dns_config:
-            override_local_dns: true
-
-        nameservers:
-            - 1.1.1.1
-
-        domains: []
-
-        magic_dns: true
-
-        unix_socket: /var/run/headscale/headscale.sock
-        unix_socket_permission: "0770"
-
-        randomize_client_port: false
-        
-        # headscale supports experimental OpenID connect support,
-        # it is still being tested and might have some bugs, please
-        # help us test it.
-        # OpenID Connect
-        oidc:
-          only_start_if_oidc_is_available: true
-          issuer: "https://accounts.google.com"
-          client_id: "533122798643-4ti3espgjqhfnop0rors9t7r4o5i8top.apps.googleusercontent.com"
-          client_secret: "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"
-        
-          # The amount of time from a node is authenticated with OpenID until it
-          # expires and needs to reauthenticate.
-          # Setting the value to "0" will mean no expiry.
-          expiry: 180d
-        
-          # Use the expiry from the token received from OpenID when the user logged
-          # in, this will typically lead to frequent need to reauthenticate and should
-          # only been enabled if you know what you are doing.
-          # Note: enabling this will cause `oidc.expiry` to be ignored.
-          use_expiry_from_token: false
-        
-          # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
-          # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
-        
-          scope: ["openid", "profile", "email"]
-          # extra_params:
-          #   domain_hint: example.com
-        
-          # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
-          # authentication request will be rejected.
-        
-          # allowed_domains:
-          #   - example.com
-          # Note: Groups from keycloak have a leading '/'
-          # allowed_groups:
-          #   - /headscale
-          allowed_users:
-            - vbarzin@gmail.com
-        
-          # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
-          # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
-          # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
-          # user: `first-name.last-name.example.com`
-        
-          # strip_email_domain: true
-    EOT
+    "config.yaml" = var.headscale_config
  }
 }
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@ -49,6 +49,7 @@ variable "finance_app_oauth_google_client_secret" {}
 variable "finance_app_graphql_api_secret" {}
 variable "finance_app_gocardless_secret_id" {}
 variable "finance_app_gocardless_secret_key" {}
+variable "headscale_config" {}

 resource "null_resource" "core_services" {
  # List all the core modules that must be provisioned first
@ -301,8 +302,9 @@ module "technitium" {
 }

 module "headscale" {
-  source          = "./headscale"
-  tls_secret_name = var.tls_secret_name
+  source           = "./headscale"
+  tls_secret_name  = var.tls_secret_name
+  headscale_config = var.headscale_config
 }

 # module "metrics_api" {
--- a/terraform.tfstate
+++ b/terraform.tfstate
--- a/terraform.tfvars
+++ b/terraform.tfvars