Initial commit after Claude implementation

roles/headscale/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+headscale_data_dir: "{{ sovereign_base_dir }}/headscale"

roles/headscale/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: restart headscale
+  community.docker.docker_compose_v2:
+    project_src: "{{ headscale_data_dir }}"
+    state: present
+    recreate: always

roles/headscale/tasks/main.yml

@@ -0,0 +1,29 @@
+---
+- name: Create Headscale directories
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - "{{ headscale_data_dir }}"
+    - "{{ headscale_data_dir }}/config"
+    - "{{ headscale_data_dir }}/data"
+
+- name: Deploy Headscale config
+  ansible.builtin.template:
+    src: headscale-config.yaml.j2
+    dest: "{{ headscale_data_dir }}/config/config.yaml"
+    mode: '0644'
+  notify: restart headscale
+
+- name: Deploy Headscale docker-compose
+  ansible.builtin.template:
+    src: docker-compose.yml.j2
+    dest: "{{ headscale_data_dir }}/docker-compose.yml"
+    mode: '0644'
+  notify: restart headscale
+
+- name: Start Headscale
+  community.docker.docker_compose_v2:
+    project_src: "{{ headscale_data_dir }}"
+    state: present

roles/headscale/templates/docker-compose.yml.j2

@@ -0,0 +1,28 @@
+services:
+  headscale:
+    image: headscale/headscale:{{ headscale_version }}
+    container_name: headscale
+    restart: unless-stopped
+    command: serve
+    volumes:
+      - {{ headscale_data_dir }}/config:/etc/headscale
+      - {{ headscale_data_dir }}/data:/var/lib/headscale
+    ports:
+      - "{{ wireguard_port }}:{{ wireguard_port }}/udp"
+    labels:
+      - "traefik.enable=true"
+      - "traefik.http.routers.headscale.rule=Host(`{{ headscale_domain }}`)"
+      - "traefik.http.routers.headscale.tls=true"
+      - "traefik.http.routers.headscale.tls.certresolver=letsencrypt"
+      - "traefik.http.services.headscale.loadbalancer.server.port=8080"
+    networks:
+      - {{ sovereign_network_name }}
+    logging:
+      driver: gelf
+      options:
+        gelf-address: "udp://{{ graylog_host }}:{{ graylog_gelf_port }}"
+        tag: "headscale"
+
+networks:
+  {{ sovereign_network_name }}:
+    external: true

roles/headscale/templates/headscale-config.yaml.j2

@@ -0,0 +1,50 @@
+server_url: "https://{{ headscale_domain }}"
+listen_addr: 0.0.0.0:8080
+grpc_listen_addr: 0.0.0.0:50443
+grpc_allow_insecure: false
+
+private_key_path: /var/lib/headscale/private.key
+noise:
+  private_key_path: /var/lib/headscale/noise_private.key
+
+prefixes:
+  v6: fd7a:115c:a1e0::/48
+  v4: 100.64.0.0/10
+  allocation: sequential
+
+derp:
+  server:
+    enabled: false
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+  auto_update_enabled: true
+  update_frequency: 24h
+
+disable_check_updates: true
+ephemeral_node_inactivity_timeout: 30m
+
+database:
+  type: sqlite
+  sqlite:
+    path: /var/lib/headscale/db.sqlite
+
+log:
+  format: text
+  level: info
+
+dns:
+  magic_dns: true
+  base_domain: "{{ base_domain }}"
+  nameservers:
+    global:
+      - 1.1.1.1
+      - 8.8.8.8
+
+oidc:
+  only_start_if_oidc_is_available: true
+  issuer: "https://{{ authentik_domain }}/application/o/headscale/"
+  client_id: "headscale"
+  client_secret: "changeme_headscale_oidc_secret"
+  scope: ["openid", "profile", "email"]
+  extra_params:
+    domain_hint: "{{ base_domain }}"