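#cloud-config
#
# Headscale (Tailscale control server) — harden SSH, then deploy, on fresh Alpine.
#
# Fill in REPO_URL and the values in the runcmd block, then paste this as the
# instance user-data. DNS for HEADSCALE_DOMAIN must point at this host and
# ports 80/443 reachable before boot. Requires an OIDC client pre-registered
# in your pocket-id with redirect URI https://HEADSCALE_DOMAIN/oidc/callback.
#
# Note on the OIDC_CLIENT_SECRET below: user-data is plaintext, is served to
# the instance by the provider's metadata endpoint, and cloud-init keeps a
# copy on disk under /var/lib/cloud. Treat the value pasted here as
# first-boot-only and rotate the client in pocket-id once deploy.sh has run.

# cloud-init sets the hostname itself; this works on Alpine (OpenRC), where
# the hostnamectl call in runcmd below is a no-op.
hostname: headscale

packages:
  - git
  # Both scripts below are invoked with `bash`; Alpine base images ship only
  # busybox ash, so install bash explicitly (harmless where it already exists).
  - bash

runcmd:
  # systemd-only; kept for non-Alpine images, fails harmlessly on Alpine.
  - hostnamectl set-hostname headscale || true
  - |
    set -e
    REPO_URL=https://git.anomalous.dev/57_Wolve/automations.git
    REPO_BRANCH=main
    HARDEN_SSH=1   # harden SSH on this fresh VM (set 0 to skip)
    SSH_PORT=22
    ALLOWED_IP=    # optional: whitelist your client IP in sshguard

    git clone --depth 1 --branch "$REPO_BRANCH" "$REPO_URL" /opt/automations
    cd /opt/automations

    # Harden SSH on this fresh VM: PQ KEX, key-only auth, sshguard. Seeds root
    # from globals/authorized_keys (or SSH_KEYS_URL). NOTE: harden-ssh also
    # prints a generated root key to the serial console — capture it, or rely
    # on the seeded keys.
    # The env prefix exports the settings for this one command only; the
    # shell variables above are otherwise not exported.
    if [ "$HARDEN_SSH" = 1 ]; then
      SSH_PORT="$SSH_PORT" ALLOWED_IP="$ALLOWED_IP" SKIP_PROMPTS=1 FORCE=1 \
        bash scripts/harden-ssh.sh
    fi

    # Deploy Headscale non-interactively. Every value here is passed as an
    # environment variable to deploy.sh; replace the example.com/changeme
    # placeholders before use.
    HEADSCALE_DOMAIN=hs.example.com \
    ACME_EMAIL=admin@example.com \
    TAILNET_DOMAIN=tail.example.com \
    POCKETID_DOMAIN=auth.example.com \
    OIDC_CLIENT_ID=changeme \
    OIDC_CLIENT_SECRET=changeme \
    SKIP_PROMPTS=1 \
    bash deployments/headscale/deploy.sh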