diff --git a/main.tf b/main.tf index 33f82405..9f81e5e6 100644 --- a/main.tf +++ b/main.tf @@ -61,6 +61,7 @@ variable "finance_app_oauth_google_client_secret" {} variable "finance_app_graphql_api_secret" {} variable "finance_app_gocardless_secret_id" {} variable "finance_app_gocardless_secret_key" {} +variable "headscale_config" {} variable "ansible_prefix" { default = "ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass.txt ansible-playbook -i playbook/hosts.yaml playbook/linux.yml -t linux/initial_setup" @@ -286,6 +287,8 @@ module "kubernetes_cluster" { finance_app_db_connection_string = var.finance_app_db_connection_string finance_app_gocardless_secret_id = var.finance_app_gocardless_secret_id finance_app_gocardless_secret_key = var.finance_app_gocardless_secret_key + + headscale_config = var.headscale_config } diff --git a/modules/kubernetes/headscale/main.tf b/modules/kubernetes/headscale/main.tf index 1236570b..dc37044a 100644 --- a/modules/kubernetes/headscale/main.tf +++ b/modules/kubernetes/headscale/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} +variable "headscale_config" {} resource "kubernetes_namespace" "headscale" { metadata { 
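Review bot: The new `variable "headscale_config" {}` has no type and no `sensitive = true`, although the value it carries is the whole headscale config.yaml, which (per the heredoc removed in modules/kubernetes/headscale/main.tf) includes the OIDC `client_secret`; as written, every plan or apply that touches the config map will print the complete document. Add `type = string` and `sensitive = true` inside the block (supported since Terraform 0.14); the sensitivity propagates to the `data` attribute of `kubernetes_config_map.headscale-config`, so it is redacted in plan output, and a `description` noting that the variable holds a multi-line YAML document rather than a file path would help callers. The identical empty declaration is repeated in the `@@ -1,5 +1,6 @@` hunk of modules/kubernetes/headscale/main.tf and the `@@ -49,6 +49,7 @@` hunk of modules/kubernetes/main.tf and needs the same treatment.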
@@ -234,163 +235,6 @@ resource "kubernetes_config_map" "headscale-config" { } data = { - "config.yaml" = <<-EOT - --- - server_url: https://headscale.viktorbarzin.me - listen_addr: 0.0.0.0:8080 - metrics_listen_addr: 0.0.0.0:9090 - #grpc_listen_addr: 127.0.0.1:50443 - #grpc_listen_addr: 0.0.0.0:50443 - grpc_listen_addr: 0.0.0.0:41641 - #grpc_allow_insecure: false - grpc_allow_insecure: true - - #private_key_path: /etc/headscale/private.key - private_key_path: /mnt/private.key - - noise: - #private_key_path: /etc/headscale/noise_private.key - private_key_path: /mnt/noise_private.key - - ip_prefixes: - - fd7a:115c:a1e0::/48 - - 100.64.0.0/10 - - disable_check_updates: false - - ephemeral_node_inactivity_timeout: 30m - - derp: - server: - # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config - # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place - enabled: true - - # Region ID to use for the embedded DERP server. - # The local DERP prevails if the region ID collides with other region ID coming from - # the regular DERP config. - region_id: 999 - - # Region code and name are displayed in the Tailscale UI to identify a DERP region - region_code: "headscale" - region_name: "Headscale Embedded DERP" - - # Listens over UDP at the configured address for STUN connections - to help with NAT traversal. - # When the embedded DERP server is enabled stun_listen_addr MUST be defined. 
- # - # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/ - stun_listen_addr: "0.0.0.0:3478" - - # List of externally available DERP maps encoded in JSON - urls: - - https://controlplane.tailscale.com/derpmap/default - - # Locally available DERP map files encoded in YAML - # - # This option is mostly interesting for people hosting - # their own DERP servers: - # https://tailscale.com/kb/1118/custom-derp-servers/ - # - # paths: - # - /etc/headscale/derp-example.yaml - paths: [] - - # If enabled, a worker will be set up to periodically - # refresh the given sources and update the derpmap - # will be set up. - auto_update_enabled: true - - # How often should we check for DERP updates? - update_frequency: 24h - - node_update_check_interval: 10s - - db_type: sqlite3 - - #db_path: /etc/headscale/db.sqlite - db_path: /mnt/db.sqlite - - acme_url: https://acme-v02.api.letsencrypt.org/directory - - acme_email: "" - - tls_letsencrypt_hostname: "" - - tls_letsencrypt_cache_dir: /var/lib/headscale/cache - - tls_letsencrypt_challenge_type: HTTP-01 - tls_letsencrypt_listen: ":http" - - tls_cert_path: "" - tls_key_path: "" - - log: - format: text - #level: info - level: debug - - acl_policy_path: "" - - dns_config: - override_local_dns: true - - nameservers: - - 1.1.1.1 - - domains: [] - - magic_dns: true - - unix_socket: /var/run/headscale/headscale.sock - unix_socket_permission: "0770" - - randomize_client_port: false - - # headscale supports experimental OpenID connect support, - # it is still being tested and might have some bugs, please - # help us test it. - # OpenID Connect - oidc: - only_start_if_oidc_is_available: true - issuer: "https://accounts.google.com" - client_id: "533122798643-4ti3espgjqhfnop0rors9t7r4o5i8top.apps.googleusercontent.com" - client_secret: "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" - - # The amount of time from a node is authenticated with OpenID until it - # expires and needs to reauthenticate. 
- # Setting the value to "0" will mean no expiry. - expiry: 180d - - # Use the expiry from the token received from OpenID when the user logged - # in, this will typically lead to frequent need to reauthenticate and should - # only been enabled if you know what you are doing. - # Note: enabling this will cause `oidc.expiry` to be ignored. - use_expiry_from_token: false - - # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query - # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email". - - scope: ["openid", "profile", "email"] - # extra_params: - # domain_hint: example.com - - # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the - # authentication request will be rejected. - - # allowed_domains: - # - example.com - # Note: Groups from keycloak have a leading '/' - # allowed_groups: - # - /headscale - allowed_users: - - vbarzin@gmail.com - - # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed. - # This will transform `first-name.last-name@example.com` to the user `first-name.last-name` - # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following - # user: `first-name.last-name.example.com` - - # strip_email_domain: true - EOT + "config.yaml" = var.headscale_config } } diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf index c40e2440..c4a41b91 100644 --- a/modules/kubernetes/main.tf +++ b/modules/kubernetes/main.tf @@ -49,6 +49,7 @@ variable "finance_app_oauth_google_client_secret" {} variable "finance_app_graphql_api_secret" {} variable "finance_app_gocardless_secret_id" {} variable "finance_app_gocardless_secret_key" {} +variable "headscale_config" {} resource "null_resource" "core_services" { # List all the core modules that must be provisioned first 
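Review bot: The replacement `"config.yaml" = var.headscale_config` still places the entire config, including `oidc.client_secret`, into a `kubernetes_config_map`; moving the literal out of the tracked file does not change that any principal able to read config maps in the headscale namespace can read the credential. The usual split is to keep the non-secret YAML in the config map and provide the secret from a `kubernetes_secret` resource, referenced through `oidc.client_secret_path` if the deployed headscale version supports that key. Separately, the removed heredoc carried a literal `client_secret: "GOCSPX-…"` that remains in git history, so the Google OAuth client secret should be treated as exposed and rotated regardless of this change. The `kubernetes_config_map` resource body starts before this hunk.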
@@ -301,8 +302,9 @@ module "technitium" { } module "headscale" { - source = "./headscale" - tls_secret_name = var.tls_secret_name + source = "./headscale" + tls_secret_name = var.tls_secret_name + headscale_config = var.headscale_config } # module "metrics_api" { diff --git a/terraform.tfstate b/terraform.tfstate index eccb3d06..a214ceeb 100644 Binary files a/terraform.tfstate and b/terraform.tfstate differ diff --git a/terraform.tfvars b/terraform.tfvars index 568df551..79023262 100644 Binary files a/terraform.tfvars and b/terraform.tfvars differ
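Review bot: Passing `headscale_config = var.headscale_config` into the module means the full YAML, OIDC client secret included, is now persisted in terraform.tfstate as the config map's `data` attribute, and this same commit shows terraform.tfstate and terraform.tfvars as tracked binary files. The binary diff suggests a transparent encryption filter such as git-crypt, but that cannot be confirmed from the patch; if the files are not encrypted at rest, anyone with read access to the repository obtains the secret from either file. Marking the variable `sensitive = true` does not encrypt state, so if the files are plaintext the fix is a remote backend with encryption at rest and removing the state file from version control.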