Add HTTPS support for the web endpoint with manually configured

certificate/key files.

app.go

@@ -3,6 +3,7 @@ package headscale
 import (
 	"fmt"
 	"os"
+	"strings"
 	"sync"
 
 	"github.com/gin-gonic/gin"
@@ -22,6 +23,9 @@ type Config struct {
 	DBname string
 	DBuser string
 	DBpass string
+
+	TLSCertPath string
+	TLSKeyPath  string
 }
 
 // Headscale represents the base app of the service
@@ -68,6 +72,17 @@ func (h *Headscale) Serve() error {
 	r.GET("/register", h.RegisterWebAPI)
 	r.POST("/machine/:id/map", h.PollNetMapHandler)
 	r.POST("/machine/:id", h.RegistrationHandler)
-	err := r.Run(h.cfg.Addr)
+	var err error
+	if h.cfg.TLSCertPath == "" {
+		if !strings.HasPrefix(h.cfg.ServerURL, "http://") {
+			fmt.Println("WARNING: listening without TLS but ServerURL does not start with http://")
+		}
+		err = r.Run(h.cfg.Addr)
+	} else {
+		if !strings.HasPrefix(h.cfg.ServerURL, "https://") {
+			fmt.Println("WARNING: listening with TLS but ServerURL does not start with https://")
+		}
+		err = r.RunTLS(h.cfg.Addr, h.cfg.TLSCertPath, h.cfg.TLSKeyPath)
+	}
 	return err
 }

cmd/headscale/headscale.go

@@ -311,7 +311,11 @@ func getHeadscaleApp() (*headscale.Headscale, error) {
 		DBname: viper.GetString("db_name"),
 		DBuser: viper.GetString("db_user"),
 		DBpass: viper.GetString("db_pass"),
+
+		TLSCertPath: absPath(viper.GetString("tls_cert_path")),
+		TLSKeyPath:  absPath(viper.GetString("tls_key_path")),
 	}
+
 	h, err := headscale.NewHeadscale(cfg)
 	if err != nil {
 		return nil, err

config.json.example

@@ -7,5 +7,7 @@
     "db_port": 5432,
     "db_name": "headscale",
     "db_user": "foo",
-    "db_pass": "bar"
+    "db_pass": "bar",
+    "tls_cert_path": "",
+    "tls_key_path": ""
 }