From ef1b7f75fa666acf99d901f5142f10730de801c0 Mon Sep 17 00:00:00 2001
From: scott boone <scott.e.boone@gmail.com>
Date: Fri, 1 Aug 2025 15:42:58 -0500
Subject: [PATCH 1/2] WIP: tailscale and headscale VPN

---
 nomad/headscale.hcl               | 189 ++++++++++++++++++++++++
 nomad/tailscale.hcl               | 232 ++++++++++++++++++++++++++++++
 scripts/deploy-nomad-headscale.sh |  56 ++++++++
 scripts/deploy-nomad-tailscale.sh |  49 +++++++
 4 files changed, 526 insertions(+)
 create mode 100644 nomad/headscale.hcl
 create mode 100644 nomad/tailscale.hcl
 create mode 100755 scripts/deploy-nomad-headscale.sh
 create mode 100755 scripts/deploy-nomad-tailscale.sh

diff --git a/nomad/headscale.hcl b/nomad/headscale.hcl
new file mode 100644
index 000000000..a419284c5
--- /dev/null
+++ b/nomad/headscale.hcl
@@ -0,0 +1,189 @@
+variable "dc" {
+  type = string
+}
+
+variable "headscale_hostname" {
+  type = string
+}
+
+variable "headscale_version" {
+  type = string
+  default = "latest"
+}
+
+variable "headscale_count" {
+  type = number
+  default = 1
+}
+
+job "[JOB_NAME]" {
+  datacenters = ["${var.dc}"]
+  type        = "service"
+  priority    = 50
+
+  constraint {
+    attribute = "${attr.kernel.name}"
+    value     = "linux"
+  }
+
+  group "headscale" {
+    count = var.headscale_count
+
+    constraint {
+      attribute  = "${meta.pool_type}"
+      operator   = "set_contains_any"
+      value      = "consul,general"
+    }
+
+    restart {
+      attempts = 2
+      interval = "30m"
+      delay    = "15s"
+      mode     = "fail"
+    }
+
+    ephemeral_disk {
+      size = 1000
+    }
+
+    network {
+      port "http" {
+        to = 8080
+      }
+      port "grpc" {
+        to = 50443
+      }
+      port "metrics" {
+        to = 9090
+      }
+    }
+
+    task "headscale" {
+      driver = "docker"
+
+      vault {
+        change_mode = "restart"
+      }
+
+      config {
+        image = "headscale/headscale:${var.headscale_version}"
+        force_pull = false
+        ports = ["http", "grpc", "metrics"]
+        volumes = [
+          "local/config.yaml:/etc/headscale/config.yaml",
+          "alloc/data:/var/lib/headscale"
+        ]
+        command = "serve"
+      }
+
+      template {
+        destination = "local/config.yaml"
+        data = <<EOF
+server_url: https://${var.headscale_hostname}
+listen_addr: 0.0.0.0:8080
+metrics_listen_addr: 0.0.0.0:9090
+grpc_listen_addr: 0.0.0.0:50443
+grpc_allow_insecure: false
+
+private_key_path: /var/lib/headscale/private.key
+noise:
+  private_key_path: /var/lib/headscale/noise_private.key
+
+prefixes:
+  v6: fd7a:115c:a1e0::/48
+  v4: 100.64.0.0/10
+
+derp:
+  server:
+    enabled: false
+
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+
+  auto_update_enabled: true
+  update_frequency: 24h
+
+disable_check_updates: false
+
+ephemeral_node_inactivity_timeout: 30m
+
+node_update_check_interval: 10s
+
+database:
+  type: sqlite3
+  sqlite:
+    path: /var/lib/headscale/db.sqlite
+
+acme_url: https://acme-v02.api.letsencrypt.org/directory
+acme_email: ""
+
+tls_letsencrypt_hostname: ""
+tls_cert_path: ""
+tls_key_path: ""
+
+log:
+  format: text
+  level: info
+
+oidc:
+  only_start_if_oidc_is_available: false
+  issuer: ""
+  client_id: ""
+  client_secret_path: ""
+  scope: ["openid", "profile", "email"]
+  extra_params: {}
+  allowed_domains: []
+  allowed_users: []
+  allowed_groups: []
+
+logtail:
+  enabled: false
+
+randomize_client_port: false
+
+dns:
+  override_local_dns: true
+  nameservers:
+    global:
+      - 1.1.1.1
+      - 8.8.8.8
+  search_domains: []
+  magic_dns: true
+  base_domain: "headscale.local"
+EOF
+      }
+
+      resources {
+        cpu    = 200
+        memory = 256
+      }
+
+      service {
+        name = "headscale"
+        tags = ["int-urlprefix-${var.headscale_hostname}/"]
+        port = "http"
+        
+        check {
+          name     = "headscale-health"
+          type     = "http"
+          path     = "/health"
+          port     = "http"
+          interval = "10s"
+          timeout  = "2s"
+        }
+      }
+
+      service {
+        name = "headscale-grpc"
+        port = "grpc"
+        tags = ["headscale-grpc"]
+      }
+
+      service {
+        name = "headscale-metrics"
+        port = "metrics"
+        tags = ["headscale-metrics"]
+      }
+    }
+  }
+}
diff --git a/nomad/tailscale.hcl b/nomad/tailscale.hcl
new file mode 100644
index 000000000..9e8d5e7a9
--- /dev/null
+++ b/nomad/tailscale.hcl
@@ -0,0 +1,232 @@
+variable "dc" {
+  type = string
+}
+
+variable "tailscale_hostname" {
+  type = string
+}
+
+variable "tailscale_version" {
+  type = string
+  default = "latest"
+}
+
+variable "tailscale_count" {
+  type = number
+  default = 1
+}
+
+variable "tailscale_auth_key" {
+  type = string
+  description = "Headscale auth key for automatic device registration"
+  default = ""
+}
+
+variable "headscale_url" {
+  type = string
+  description = "Headscale server URL"
+  default = ""
+}
+
+job "[JOB_NAME]" {
+  datacenters = ["${var.dc}"]
+  type        = "service"
+  priority    = 50
+
+  constraint {
+    attribute = "${attr.kernel.name}"
+    value     = "linux"
+  }
+
+  group "tailscale" {
+    count = var.tailscale_count
+
+    constraint {
+      attribute  = "${meta.pool_type}"
+      operator   = "set_contains_any"
+      value      = "consul,general"
+    }
+
+    affinity {
+      attribute  = "${meta.pool_type}"
+      value      = "consul"
+      weight     = -50
+    }
+
+    affinity {
+      attribute  = "${meta.pool_type}"
+      value      = "general"
+      weight     = 100
+    }
+
+    restart {
+      attempts = 2
+      interval = "30m"
+      delay    = "15s"
+      mode     = "fail"
+    }
+
+    ephemeral_disk {
+      size = 300
+    }
+
+    network {
+      mode = "host"
+      port "http" {
+        static = 8080
+        to = 8080
+      }
+    }
+
+    task "tailscale" {
+      driver = "docker"
+
+      vault {
+        change_mode = "restart"
+      }
+
+      config {
+        image = "tailscale/tailscale:${var.tailscale_version}"
+        force_pull = false
+        network_mode = "host"
+        cap_add = ["NET_ADMIN", "NET_RAW"]
+        privileged = true
+        volumes = [
+          "/dev/net/tun:/dev/net/tun",
+          "local/start-tailscale.sh:/start-tailscale.sh"
+        ]
+        entrypoint = ["/bin/sh", "/start-tailscale.sh"]
+      }
+
+      template {
+        destination = "local/start-tailscale.sh"
+        perms = "755"
+        data = <<EOF
+#!/bin/sh
+set -e
+
+echo "Starting Tailscale daemon..."
+tailscaled --tun=userspace-networking --socks5-server=localhost:1055 --outbound-http-proxy-listen=localhost:1055 &
+TAILSCALED_PID=$!
+
+# Wait for tailscaled to start
+sleep 5
+
+echo "Connecting to network..."
+if [ -n "$TS_LOGIN_SERVER" ]; then
+    echo "Using Headscale server: $TS_LOGIN_SERVER"
+    tailscale up --login-server="$TS_LOGIN_SERVER" --authkey="$TS_AUTHKEY" --accept-routes --accept-dns=false
+else
+    echo "Using Tailscale.com"
+    tailscale up --authkey="$TS_AUTHKEY" --accept-routes --accept-dns=false
+fi
+
+echo "Tailscale connected successfully"
+tailscale status
+
+# Keep the daemon running
+wait $TAILSCALED_PID
+EOF
+      }
+
+      template {
+        destination = "local/env"
+        env         = true
+        data        = <<EOF
+TS_STATE_DIR=/var/lib/tailscale
+TS_SOCKET=/var/run/tailscale/tailscaled.sock
+TS_USERSPACE=true
+{{ if var.headscale_url != "" }}
+TS_LOGIN_SERVER=${var.headscale_url}
+{{ end }}
+{{ if var.tailscale_auth_key != "" }}
+TS_AUTHKEY=${var.tailscale_auth_key}
+{{ else }}
+{{ with secret "secret/default/headscale/config" }}
+TS_AUTHKEY={{ .Data.data.auth_key }}
+{{ if .Data.data.login_server }}
+TS_LOGIN_SERVER={{ .Data.data.login_server }}
+{{ end }}
+{{ end }}
+{{ end }}
+DATACENTER=${var.dc}
+REGION={{ env "meta.cloud_region" }}
+NOMAD_ALLOC_ID={{ env "NOMAD_ALLOC_ID" }}
+EOF
+      }
+
+      resources {
+        cpu    = 200
+        memory = 128
+      }
+
+      service {
+        name = "tailscale"
+        port = "http"
+        tags = ["tailscale", "vpn"]
+        
+        check {
+          name     = "tailscale-status"
+          type     = "script"
+          command  = "/bin/sh"
+          args     = ["-c", "tailscale status --json > /dev/null 2>&1"]
+          interval = "30s"
+          timeout  = "10s"
+        }
+      }
+    }
+
+    task "tailscale-web" {
+      driver = "docker"
+      
+      lifecycle {
+        hook    = "poststart"
+        sidecar = true
+      }
+
+      config {
+        image = "nginx:alpine"
+        ports = ["http"]
+        volumes = [
+          "local/nginx.conf:/etc/nginx/nginx.conf"
+        ]
+      }
+
+      template {
+        destination = "local/nginx.conf"
+        data = <<EOF
+events {
+    worker_connections 1024;
+}
+
+http {
+    server {
+        listen 8080;
+        
+        location /health {
+            access_log off;
+            return 200 "healthy\n";
+            add_header Content-Type text/plain;
+        }
+        
+        location /status {
+            proxy_pass http://100.100.100.100:8080/;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+        }
+        
+        location / {
+            return 200 "Tailscale VPN Gateway\n";
+            add_header Content-Type text/plain;
+        }
+}
+}
+EOF
+      }
+
+      resources {
+        cpu    = 50
+        memory = 32
+      }
+    }
+  }
diff --git a/scripts/deploy-nomad-headscale.sh b/scripts/deploy-nomad-headscale.sh
new file mode 100755
index 000000000..162c0a844
--- /dev/null
+++ b/scripts/deploy-nomad-headscale.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+
+if [ -z "$ENVIRONMENT" ]; then
+    echo "No ENVIRONMENT set, exiting"
+    exit 2
+fi
+
+LOCAL_PATH=$(dirname "${BASH_SOURCE[0]}")
+
+[ -e "$LOCAL_PATH/../sites/$ENVIRONMENT/stack-env.sh" ] && . "$LOCAL_PATH/../sites/$ENVIRONMENT/stack-env.sh"
+
+[ -e "$LOCAL_PATH/../clouds/all.sh" ] && . "$LOCAL_PATH/../clouds/all.sh"
+[ -e "$LOCAL_PATH/../clouds/oracle.sh" ] && . "$LOCAL_PATH/../clouds/oracle.sh"
+
+if [ -z "$ORACLE_REGION" ]; then
+    echo "No ORACLE_REGION set, exiting"
+    exit 2
+fi
+
+[ -z "$LOCAL_REGION" ] && LOCAL_REGION="$OCI_LOCAL_REGION"
+[ -z "$LOCAL_REGION" ] && LOCAL_REGION="us-phoenix-1"
+
+[ -z "$HEADSCALE_VERSION" ] && HEADSCALE_VERSION="latest"
+[ -z "$HEADSCALE_COUNT" ] && HEADSCALE_COUNT="1"
+
+export RESOURCE_NAME_ROOT="${ENVIRONMENT}-${ORACLE_REGION}-headscale"
+
+if [ -z "$NOMAD_ADDR" ]; then
+    export NOMAD_ADDR="https://$ENVIRONMENT-$LOCAL_REGION-nomad.$TOP_LEVEL_DNS_ZONE_NAME"
+fi
+
+export NOMAD_VAR_headscale_hostname="${RESOURCE_NAME_ROOT}.${TOP_LEVEL_DNS_ZONE_NAME}"
+export NOMAD_VAR_headscale_version="$HEADSCALE_VERSION"
+export NOMAD_VAR_headscale_count="$HEADSCALE_COUNT"
+
+NOMAD_JOB_PATH="$LOCAL_PATH/../nomad"
+NOMAD_DC="$ENVIRONMENT-$ORACLE_REGION"
+JOB_NAME="headscale-$ORACLE_REGION"
+
+sed -e "s/\[JOB_NAME\]/$JOB_NAME/" "$NOMAD_JOB_PATH/headscale.hcl" | nomad job run -var="dc=$NOMAD_DC" -
+RET=$?
+
+export CNAME_VALUE="$RESOURCE_NAME_ROOT"
+export STACK_NAME="${RESOURCE_NAME_ROOT}-cname"
+export UNIQUE_ID="${RESOURCE_NAME_ROOT}"
+export CNAME_TARGET="${ENVIRONMENT}-${ORACLE_REGION}-nomad-pool-general-internal.${DEFAULT_DNS_ZONE_NAME}"
+$LOCAL_PATH/create-oracle-cname-stack.sh
+
+echo ""
+echo "Headscale deployed successfully!"
+echo "Server URL: https://${RESOURCE_NAME_ROOT}.${TOP_LEVEL_DNS_ZONE_NAME}"
+echo ""
+echo "Next steps:"
+echo "1. Create a user: nomad exec -job $JOB_NAME headscale users create myuser"
+echo "2. Generate auth keys: nomad exec -job $JOB_NAME headscale --user myuser preauthkeys create --reusable --expiration 24h"
+echo "3. Use the auth key with TAILSCALE_AUTH_KEY and set HEADSCALE_URL=https://${RESOURCE_NAME_ROOT}.${TOP_LEVEL_DNS_ZONE_NAME}"
diff --git a/scripts/deploy-nomad-tailscale.sh b/scripts/deploy-nomad-tailscale.sh
new file mode 100755
index 000000000..54234a156
--- /dev/null
+++ b/scripts/deploy-nomad-tailscale.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+if [ -z "$ENVIRONMENT" ]; then
+    echo "No ENVIRONMENT set, exiting"
+    exit 2
+fi
+
+LOCAL_PATH=$(dirname "${BASH_SOURCE[0]}")
+
+[ -e "$LOCAL_PATH/../sites/$ENVIRONMENT/stack-env.sh" ] && . "$LOCAL_PATH/../sites/$ENVIRONMENT/stack-env.sh"
+
+[ -e "$LOCAL_PATH/../clouds/all.sh" ] && . "$LOCAL_PATH/../clouds/all.sh"
+[ -e "$LOCAL_PATH/../clouds/oracle.sh" ] && . "$LOCAL_PATH/../clouds/oracle.sh"
+
+if [ -z "$ORACLE_REGION" ]; then
+    echo "No ORACLE_REGION set, exiting"
+    exit 2
+fi
+
+[ -z "$LOCAL_REGION" ] && LOCAL_REGION="$OCI_LOCAL_REGION"
+[ -z "$LOCAL_REGION" ] && LOCAL_REGION="us-phoenix-1"
+
+[ -z "$TAILSCALE_VERSION" ] && TAILSCALE_VERSION="latest"
+[ -z "$TAILSCALE_COUNT" ] && TAILSCALE_COUNT="1"
+
+export RESOURCE_NAME_ROOT="${ENVIRONMENT}-${ORACLE_REGION}-tailscale"
+
+if [ -z "$NOMAD_ADDR" ]; then
+    export NOMAD_ADDR="https://$ENVIRONMENT-$LOCAL_REGION-nomad.$TOP_LEVEL_DNS_ZONE_NAME"
+fi
+
+export NOMAD_VAR_tailscale_hostname="${RESOURCE_NAME_ROOT}.${TOP_LEVEL_DNS_ZONE_NAME}"
+export NOMAD_VAR_tailscale_version="$TAILSCALE_VERSION"
+export NOMAD_VAR_tailscale_count="$TAILSCALE_COUNT"
+export NOMAD_VAR_tailscale_auth_key="$TAILSCALE_AUTH_KEY"
+export NOMAD_VAR_headscale_url="$HEADSCALE_URL"
+
+NOMAD_JOB_PATH="$LOCAL_PATH/../nomad"
+NOMAD_DC="$ENVIRONMENT-$ORACLE_REGION"
+JOB_NAME="tailscale-$ORACLE_REGION"
+
+sed -e "s/\[JOB_NAME\]/$JOB_NAME/" "$NOMAD_JOB_PATH/tailscale.hcl" | nomad job run -var="dc=$NOMAD_DC" -
+RET=$?
+
+export CNAME_VALUE="$RESOURCE_NAME_ROOT"
+export STACK_NAME="${RESOURCE_NAME_ROOT}-cname"
+export UNIQUE_ID="${RESOURCE_NAME_ROOT}"
+export CNAME_TARGET="${ENVIRONMENT}-${ORACLE_REGION}-nomad-pool-general-internal.${DEFAULT_DNS_ZONE_NAME}"
+$LOCAL_PATH/create-oracle-cname-stack.sh

From 88c554eb8bc584bd6e92a6fef66e09ef6da05bcd Mon Sep 17 00:00:00 2001
From: scott boone <scott.e.boone@gmail.com>
Date: Tue, 12 Aug 2025 10:35:03 -0500
Subject: [PATCH 2/2] WIP: tailscale VPN

---
 nomad/headscale.hcl               |  17 ++--
 nomad/ouroboros.hcl               | 128 ++++++++++++++++++++++++++++++
 nomad/tailscale.hcl               |   2 +-
 scripts/deploy-nomad-ouroboros.sh |  78 ++++++++++++++++++
 4 files changed, 212 insertions(+), 13 deletions(-)
 create mode 100644 nomad/ouroboros.hcl
 create mode 100755 scripts/deploy-nomad-ouroboros.sh

diff --git a/nomad/headscale.hcl b/nomad/headscale.hcl
index a419284c5..2055df7d7 100644
--- a/nomad/headscale.hcl
+++ b/nomad/headscale.hcl
@@ -79,7 +79,7 @@ job "[JOB_NAME]" {
       template {
         destination = "local/config.yaml"
         data = <<EOF
-server_url: https://${var.headscale_hostname}
+server_url: https://${var.headscale_hostname}/
 listen_addr: 0.0.0.0:8080
 metrics_listen_addr: 0.0.0.0:9090
 grpc_listen_addr: 0.0.0.0:50443
@@ -171,18 +171,11 @@ EOF
           interval = "10s"
           timeout  = "2s"
         }
-      }
-
-      service {
-        name = "headscale-grpc"
-        port = "grpc"
-        tags = ["headscale-grpc"]
-      }
 
-      service {
-        name = "headscale-metrics"
-        port = "metrics"
-        tags = ["headscale-metrics"]
+        meta {
+          grpc = "${NOMAD_HOST_PORT_grpc}"
+          metrics = "${NOMAD_HOST_PORT_metrics}"
+        }
       }
     }
   }
diff --git a/nomad/ouroboros.hcl b/nomad/ouroboros.hcl
new file mode 100644
index 000000000..335fa0548
--- /dev/null
+++ b/nomad/ouroboros.hcl
@@ -0,0 +1,128 @@
+variable "dc" {
+  type = string
+}
+
+variable "ouroboros_hostname" {
+  type = string
+}
+
+variable "ouroboros_version" {
+  type = string
+  default = "latest"
+}
+
+variable "ouroboros_count" {
+  type = number
+  default = 1
+}
+
+variable "headscale_url" {
+  type = string
+  description = "URL of the Headscale server"
+}
+
+job "[JOB_NAME]" {
+  datacenters = ["${var.dc}"]
+  type        = "service"
+  priority    = 50
+
+  constraint {
+    attribute = "${attr.kernel.name}"
+    value     = "linux"
+  }
+
+  group "ouroboros" {
+    count = var.ouroboros_count
+
+    constraint {
+      attribute  = "${meta.pool_type}"
+      operator   = "set_contains_any"
+      value      = "consul,general"
+    }
+
+    restart {
+      attempts = 2
+      interval = "30m"
+      delay    = "15s"
+      mode     = "fail"
+    }
+
+    ephemeral_disk {
+      size = 300
+    }
+
+    network {
+      port "http" {
+        to = 8080
+      }
+    }
+
+    task "ouroboros" {
+      driver = "docker"
+
+      vault {
+        change_mode = "restart"
+      }
+
+      config {
+        image = "ouroboros/ouroboros:${var.ouroboros_version}"
+        force_pull = false
+        ports = ["http"]
+      }
+
+      template {
+        destination = "local/env"
+        env         = true
+        data        = <<EOF
+# Headscale connection
+HEADSCALE_URL=${var.headscale_url}
+{{ with secret "secret/default/headscale/api" }}
+HEADSCALE_API_KEY={{ .Data.data.api_key }}
+{{ end }}
+
+# OIDC configuration for Okta
+{{ with secret "secret/default/ouroboros/oidc" }}
+OIDC_ISSUER={{ .Data.data.issuer }}
+OIDC_CLIENT_ID={{ .Data.data.client_id }}
+OIDC_CLIENT_SECRET={{ .Data.data.client_secret }}
+{{ end }}
+OIDC_REDIRECT_URL=https://${var.ouroboros_hostname}/auth/oidc/callback
+
+# Application settings
+BIND_ADDR=0.0.0.0:8080
+LOG_LEVEL=info
+BASE_URL=https://${var.ouroboros_hostname}
+
+# Security settings
+SESSION_SECRET={{ with secret "secret/default/ouroboros/session" }}{{ .Data.data.secret }}{{ end }}
+CSRF_SECRET={{ with secret "secret/default/ouroboros/csrf" }}{{ .Data.data.secret }}{{ end }}
+
+# Feature flags
+ENABLE_OIDC=true
+DISABLE_API_KEY_LOGIN=true
+ALLOW_USER_REGISTRATION=false
+EOF
+      }
+
+      resources {
+        cpu    = 200
+        memory = 256
+      }
+
+      service {
+        name = "ouroboros"
+        tags = ["int-urlprefix-${var.ouroboros_hostname}/"]
+        port = "http"
+        
+        check {
+          name     = "ouroboros-health"
+          type     = "http"
+          path     = "/health"
+          port     = "http"
+          interval = "10s"
+          timeout  = "2s"
+        }
+      }
+    }
+  }
+}
diff --git a/nomad/tailscale.hcl b/nomad/tailscale.hcl
index 9e8d5e7a9..ce28ff2f9 100644
--- a/nomad/tailscale.hcl
+++ b/nomad/tailscale.hcl
@@ -162,8 +162,8 @@ EOF
 
       service {
         name = "tailscale"
+        tags = ["int-urlprefix-${var.prometheus_hostname}/"]
         port = "http"
-        tags = ["tailscale", "vpn"]
         
         check {
           name     = "tailscale-status"
diff --git a/scripts/deploy-nomad-ouroboros.sh b/scripts/deploy-nomad-ouroboros.sh
new file mode 100755
index 000000000..a30434c9b
--- /dev/null
+++ b/scripts/deploy-nomad-ouroboros.sh
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+if [ -z "$ENVIRONMENT" ]; then
+    echo "No ENVIRONMENT set, exiting"
+    exit 2
+fi
+
+LOCAL_PATH=$(dirname "${BASH_SOURCE[0]}")
+
+[ -e "$LOCAL_PATH/../sites/$ENVIRONMENT/stack-env.sh" ] && . "$LOCAL_PATH/../sites/$ENVIRONMENT/stack-env.sh"
+
+[ -e "$LOCAL_PATH/../clouds/all.sh" ] && . "$LOCAL_PATH/../clouds/all.sh"
+[ -e "$LOCAL_PATH/../clouds/oracle.sh" ] && . "$LOCAL_PATH/../clouds/oracle.sh"
+
+if [ -z "$ORACLE_REGION" ]; then
+    echo "No ORACLE_REGION set, exiting"
+    exit 2
+fi
+
+[ -z "$LOCAL_REGION" ] && LOCAL_REGION="$OCI_LOCAL_REGION"
+[ -z "$LOCAL_REGION" ] && LOCAL_REGION="us-phoenix-1"
+
+[ -z "$OUROBOROS_VERSION" ] && OUROBOROS_VERSION="latest"
+[ -z "$OUROBOROS_COUNT" ] && OUROBOROS_COUNT="1"
+[ -z "$HEADSCALE_URL" ] && HEADSCALE_URL="https://${ENVIRONMENT}-${ORACLE_REGION}-headscale.${TOP_LEVEL_DNS_ZONE_NAME}"
+
+export RESOURCE_NAME_ROOT="${ENVIRONMENT}-${ORACLE_REGION}-ouroboros"
+
+if [ -z "$NOMAD_ADDR" ]; then
+    export NOMAD_ADDR="https://$ENVIRONMENT-$LOCAL_REGION-nomad.$TOP_LEVEL_DNS_ZONE_NAME"
+fi
+
+export NOMAD_VAR_ouroboros_hostname="${RESOURCE_NAME_ROOT}.${TOP_LEVEL_DNS_ZONE_NAME}"
+export NOMAD_VAR_ouroboros_version="$OUROBOROS_VERSION"
+export NOMAD_VAR_ouroboros_count="$OUROBOROS_COUNT"
+export NOMAD_VAR_headscale_url="$HEADSCALE_URL"
+
+NOMAD_JOB_PATH="$LOCAL_PATH/../nomad"
+NOMAD_DC="$ENVIRONMENT-$ORACLE_REGION"
+JOB_NAME="ouroboros-$ORACLE_REGION"
+
+sed -e "s/\[JOB_NAME\]/$JOB_NAME/" "$NOMAD_JOB_PATH/ouroboros.hcl" | nomad job run -var="dc=$NOMAD_DC" -
+RET=$?
+
+export CNAME_VALUE="$RESOURCE_NAME_ROOT"
+export STACK_NAME="${RESOURCE_NAME_ROOT}-cname"
+export UNIQUE_ID="${RESOURCE_NAME_ROOT}"
+export CNAME_TARGET="${ENVIRONMENT}-${ORACLE_REGION}-nomad-pool-general-internal.${DEFAULT_DNS_ZONE_NAME}"
+$LOCAL_PATH/create-oracle-cname-stack.sh
+
+echo ""
+echo "Ouroboros UI deployed successfully!"
+echo "UI URL: https://${RESOURCE_NAME_ROOT}.${TOP_LEVEL_DNS_ZONE_NAME}"
+echo "Headscale Server: $HEADSCALE_URL"
+echo ""
+echo "Required Vault secrets to configure:"
+echo ""
+echo "1. Headscale API Key:"
+echo "   # First, generate an API key in Headscale:"
+echo "   nomad exec -job headscale-$ORACLE_REGION headscale apikeys create"
+echo "   # Then store it in Vault:"
+echo "   vault kv put secret/default/headscale/api api_key='hsk_xxxxxxxxxxxxx'"
+echo ""
+echo "2. OIDC/Okta Configuration:"
+echo "   vault kv put secret/default/ouroboros/oidc \\"
+echo "     issuer='https://your-company.okta.com' \\"
+echo "     client_id='your-okta-client-id' \\"
+echo "     client_secret='your-okta-client-secret'"
+echo ""
+echo "3. Session Secrets:"
+echo "   vault kv put secret/default/ouroboros/session \\"
+echo "     secret='\$(openssl rand -base64 32)'"
+echo "   vault kv put secret/default/ouroboros/csrf \\"
+echo "     secret='\$(openssl rand -base64 32)'"
+echo ""
+echo "Okta Application Configuration:"
+echo "- Redirect URI: https://${RESOURCE_NAME_ROOT}.${TOP_LEVEL_DNS_ZONE_NAME}/auth/oidc/callback"
+echo "- Required scopes: openid, profile, email"