Commit Graph

236 Commits

Author SHA1 Message Date
Antoine POPINEAU 7cc58af932
Allow more configuration over the OIDC flow.
Adds knobs to configure three aspects of the OpenID Connect flow:

 * Custom scopes to override the default "openid profile email".
 * Custom parameters to be added to the Authorize Endpoint request.
 * Domain allowlisting for authenticated principals.
 * User allowlisting for authenticated principals.
2022-05-02 17:11:07 +02:00
Juan Font Alonso 01d9a2f589 Fixed linting issues 2022-04-30 23:48:28 +02:00
Juan Font 843e2bd9b6 Do not setLastStateChangeToNow every 5 seconds 2022-04-30 14:47:16 +00:00
Kristoffer Dalby 6e2768097a Rename name -> hostname, nickname -> givenname 2022-04-24 20:54:38 +01:00
Juan Font Alonso db9ba17920 Added missing file 2022-03-18 13:10:35 +01:00
Juan Font Alonso 8f5875efe4 Reorg errors 2022-03-16 19:46:59 +01:00
Juan Font 98ac88d5ef
Changed comment position
Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>
2022-03-16 18:45:34 +01:00
Kristoffer Dalby d13338a9fb
Merge branch 'main' into mandatory-stun 2022-03-16 07:18:18 +00:00
bravechamp 0bfa5302a7
Fix API access
By allowing API keys to be validated
2022-03-15 16:05:56 +03:00
Juan Font Alonso b8aad5451d Make STUN run by default when embedded DERP is enabled
This commit also allows to set an external STUN server, while running the embedded DERP server (without embedded STUN)
2022-03-15 13:22:25 +01:00
Juan Font Alonso eb06054a7b Make DERP Region configurable 2022-03-06 17:25:21 +01:00
Juan Font Alonso eb500155e8 Make STUN server configurable 2022-03-06 17:00:56 +01:00
Juan Font Alonso 54c3e00a1f Merge local DERP server region with other configured DERP sources 2022-03-05 20:04:31 +01:00
Juan Font Alonso 237f7f1027 Merge branch 'main' into embedded-derp 2022-03-05 19:42:29 +01:00
Juan Font Alonso df37d1a639 Do not offer the option to be DERP insecure
Websockets, in which DERP is based, requires a TLS certificate. At the same time,
if we use a certificate it must be valid... otherwise Tailscale wont connect (does not
have an Insecure option). So there is no option to expose insecure here
2022-03-05 19:19:21 +01:00
Juan Font Alonso 758b1ba1cb Renamed configuration items of the DERP server 2022-03-05 16:22:02 +01:00
Juan Font Alonso 607c1eb316 Be consistent with uppercase DERP 2022-03-04 11:31:41 +01:00
e-zk 12a50ac8ac feat(windows): add /windows endpoint for Windows configuration
- registry file /windows/tailscale.reg is generated, filling in the
  associated control server URL
- also includes CLI instructions
- fix /apple incorrect template: 'Url' is supposed to be '.URL'
2022-03-04 19:53:44 +10:00
e-zk b342cf0240 feat(windows): cleanup /apple endpoint
- rename the gin function to AppleConfigMessage
- use <pre> + <code> for code blocks
- add headscale heading
- reword some sections
2022-03-04 19:53:29 +10:00
Juan Font Alonso 23cde8445f Merge branch 'main' into embedded-derp 2022-03-04 00:04:59 +01:00
Juan Font Alonso 897d480f4d Add an embedded DERP server to Headscale
This series of commit will be adding an embedded DERP server (and STUN) to Headscale,
thus making it completely self-contained and not dependant in other infrastructure.
2022-03-04 00:01:31 +01:00
Kristoffer Dalby b61500670c
Merge branch 'main' into metrics-listen 2022-03-02 11:35:33 +00:00
Kristoffer Dalby 7c63412df5 Remove todo 2022-02-28 23:02:41 +00:00
Kristoffer Dalby 5e92ddad43 Remove redundant caches
This commit removes the two extra caches (oidc, requested time) and uses
the new central registration cache instead. The requested time is
unified into the main machine object and the oidc key is just added to
the same cache, as a string with the state as a key instead of machine
key.
2022-02-28 22:42:30 +00:00
Nico Rey 9a61725e9f Metrics: Disable toggle. Set default port to 9090 2022-02-28 10:40:02 -03:00
Kristoffer Dalby 6126d6d9b5
Merge branch 'main' into metrics-listen 2022-02-28 14:24:25 +01:00
Kristoffer Dalby 469551bc5d Register new machines needing callback in memory
This commit stores temporary registration data in cache, instead of
memory allowing us to only have actually registered machines in the
database.
2022-02-28 08:06:39 +00:00
Nico Rey 06e6c29a5b metrics: make metrics endpoint toggleable 2022-02-25 18:36:03 -03:00
Adrien Raffin-Caboisse b39faa124a
Merge remote-tracking branch 'origin/main' into feat-oidc-login-as-namespace 2022-02-25 11:28:17 +01:00
Nico d55c79e75b
Merge branch 'main' into metrics-listen 2022-02-24 10:41:07 -03:00
Kristoffer Dalby eda0a9f88a Lock allocation of IP address
current logic is not safe as it will allow an IP that isnt persisted to
the DB to be given out multiple times if machines joins in quick
succession.

This adds a lock around the "get ip" and machine registration and save
to DB so we ensure thiis isnt happning.

Currently this had to be done three places, which is silly, and outlined
in #294.
2022-02-24 13:18:18 +00:00
Kristoffer Dalby aa506503e2
Merge branch 'main' into feat-oidc-login-as-namespace 2022-02-24 11:40:34 +00:00
Adrien Raffin-Caboisse 4f1f235a2e feat: add strip_email_domain to normalization of namespace 2022-02-23 14:03:07 +01:00
Adrien Raffin-Caboisse 717250adb3 feat: removing matchmap from headscale 2022-02-22 20:58:08 +01:00
Nico Rey e3bcc88880 Linter: make linter happy 2022-02-21 15:22:36 -03:00
Nico Rey d5fd7a5c00 metrics: add a new router and listener for Prometheus' metrics endpoint 2022-02-21 12:50:15 -03:00
Justin Angel daa75da277 Linting and updating tests 2022-02-21 10:09:23 -05:00
Kristoffer Dalby 7bf2a91dd0
Merge branch 'main' into configurable-mtls 2022-02-20 14:33:23 +00:00
Justin Angel 385dd9cc34 refactoring 2022-02-20 09:06:14 -05:00
Kristoffer Dalby b2b2954545
Merge branch 'main' into apiwork 2022-02-14 22:29:20 +00:00
Kristoffer Dalby 4e54796384 Allow gRPC server to run insecure 2022-02-13 09:08:46 +00:00
Kristoffer Dalby 0018a78d5a Add insecure option
Add option to not _validate_ if the certificate served from headscale is
trusted.
2022-02-13 08:41:49 +00:00
Kristoffer Dalby 2bc8051ae5 Remove kv-namespace-worker
This commit removes the namespace kv worker and related code, now that
we talk over gRPC to the server, and not directly to the DB, we should
not need this anymore.
2022-02-12 20:46:05 +00:00
Kristoffer Dalby d79ccfc05a Add comment on why grpc is on its own port, replace deprecated 2022-02-12 19:50:12 +00:00
Kristoffer Dalby 315ff9daf0 Remove insecure, only allow valid certs 2022-02-12 19:35:55 +00:00
Kristoffer Dalby 4078e75b50 Correct log message 2022-02-12 19:30:25 +00:00
Kristoffer Dalby 531298fa59 Fix import 2022-02-12 17:13:51 +00:00
Kristoffer Dalby 30a2ccd975 Add tls certs as creds for grpc 2022-02-12 17:05:30 +00:00
Kristoffer Dalby 59e48993f2 Change the http listener 2022-02-12 16:33:18 +00:00
Kristoffer Dalby bfc6f6e0eb Split grpc and http 2022-02-12 16:15:26 +00:00
Kristoffer Dalby 2aba37d2ef Try to support plaintext http2 after termination 2022-02-12 14:42:23 +00:00
Kristoffer Dalby 8853ccd5b4 Terminate tls immediatly, mux after 2022-02-12 13:25:27 +00:00
Justin Angel af25aa75d9 Merge branch 'configurable-mtls' of github.com:arch4ngel/headscale into configurable-mtls 2022-01-31 10:27:57 -05:00
Justin Angel da5250ea32 linting again 2022-01-31 10:27:43 -05:00
Kristoffer Dalby 168b1bd579
Merge branch 'main' into configurable-mtls 2022-01-31 12:28:00 +00:00
Justin Angel 52db80ab0d Merge branch 'configurable-mtls' of github.com:arch4ngel/headscale into configurable-mtls 2022-01-31 07:19:14 -05:00
Justin Angel 0c3fd16113 refining and adding tests 2022-01-31 07:18:50 -05:00
Justin Angel 310e7b15c7 making alternatives constants 2022-01-30 10:46:57 -05:00
Kristoffer Dalby 6f6018bad5
Merge branch 'main' into ipv6 2022-01-30 08:21:11 +00:00
Kristoffer Dalby 0609c97459
Merge branch 'main' into configurable-mtls 2022-01-29 20:15:58 +00:00
Justin Angel c98a559b4d linting/formatting 2022-01-29 14:15:33 -05:00
Justin Angel 5935b13b67 refining 2022-01-29 13:35:08 -05:00
Justin Angel 9e619fc020 Making client authentication mode configurable 2022-01-29 12:59:31 -05:00
Kristoffer Dalby 13f23d2e7e
Merge branch 'main' into socket-permission 2022-01-29 14:34:36 +00:00
Csaba Sarkadi c0c3b7d511 Merge remote-tracking branch 'origin/main' into ipv6 2022-01-29 15:27:49 +01:00
Kristoffer Dalby b4f8961e44 Make Unix socket permissions configurable 2022-01-28 18:58:22 +00:00
Kristoffer Dalby f59071ff1c Trim whitespace from privateKey before parsing 2022-01-28 17:23:01 +00:00
Kristoffer Dalby 537cd35cb2 Try to add the grpc cert correctly 2022-01-25 22:22:15 +00:00
Kristoffer Dalby 00c69ce50c Enable remote gRPC and HTTP API
This commit enables the existing gRPC and HTTP API from remote locations
as long as the user can provide a valid API key. This allows users to
control their headscale with the CLI from a workstation. 🎉
2022-01-25 22:11:15 +00:00
Csaba Sarkadi 1a6e5d8770 Add support for multiple IP prefixes 2022-01-16 14:18:22 +01:00
Eugen Biegler 5a504fa711
Better error description
Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>
2021-12-07 11:44:09 +01:00
Eugen Biegler b4cce22415
Better error description
Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>
2021-12-07 11:44:00 +01:00
Eugen 3a85c4d367 Better error description 2021-12-07 08:46:55 +01:00
Eugen 7e95b3501d Ignoe derp.yaml, don't panic in Serve() 2021-12-01 19:32:47 +01:00
Kristoffer Dalby 34f4109fbd Add back privatekey, but automatically generate it if it does not exist 2021-11-28 09:17:18 +00:00
Kristoffer Dalby ef81845deb
Merge branch 'main' into kradalby-patch-2 2021-11-27 20:30:27 +00:00
Kristoffer Dalby c63c259d31 Switch wgkey for types/key
We dont seem to need the wireguard key anymore, we generate a key on
startup based on the new library and the users fetch it from /key.

Clean up app.go and update docs
2021-11-26 23:28:06 +00:00
Kristoffer Dalby 58fd6c4ba5
Revert postgres constant value
changes "postgresql" to "postgres"
2021-11-26 07:13:00 +00:00
Kristoffer Dalby 021c464148 Add cache for requested expiry times
This commit adds a sentral cache to keep track of clients whom has
requested an expiry time, but were we need to keep hold of it until the
second request comes in.
2021-11-22 19:32:52 +00:00
Kristoffer Dalby 9aac1fb255 Remove expiry logic, this needs to be redone 2021-11-19 09:02:29 +00:00
Kristoffer Dalby d6739386a0
Get rid of dynamic errors 2021-11-15 19:18:14 +00:00
Kristoffer Dalby c4d4c9c4e4
Add and fix gosec 2021-11-15 18:31:52 +00:00
Kristoffer Dalby 715542ac1c
Add and fix stylecheck (golint replacement) 2021-11-15 17:24:24 +00:00
Kristoffer Dalby 471c0b4993
Initial work eliminating one/two letter variables 2021-11-14 20:32:03 +01:00
Kristoffer Dalby 53ed749f45
Start work on making gocritic pass 2021-11-14 18:44:37 +01:00
Kristoffer Dalby 85f28a3f4a
Remove all instances of undefined numbers (gonmd) 2021-11-14 18:31:51 +01:00
Kristoffer Dalby 9390348a65
Add and fix goconst 2021-11-14 18:06:25 +01:00
Kristoffer Dalby c9c16c7fb8
Remove unused params or returns 2021-11-14 18:03:21 +01:00
Kristoffer Dalby 0315f55fcd
Add and fix nilnil 2021-11-14 17:51:34 +01:00
Kristoffer Dalby 89eb13c6cb
Add and fix nlreturn (new line return) 2021-11-14 16:46:09 +01:00
Kristoffer Dalby 2634215f12 golangci-lint --fix 2021-11-13 08:39:04 +00:00
Kristoffer Dalby 03b7ec62ca Go format with shorter lines 2021-11-13 08:36:45 +00:00
Kristoffer Dalby 49893305b4 Only turn on response log in grpc in trace mode 2021-11-08 22:06:25 +00:00
Kristoffer Dalby b15efb5201 Ensure unix socket is removed before we startup 2021-11-07 09:55:32 +00:00
Kristoffer Dalby 2dfd42f80c Attempt to dry up CLI client, add proepr config
This commit is trying to DRY up the initiation of the gRPC client in
each command:

It renames the function to CLI instead of GRPC as it actually set up a
CLI client, not a generic grpc client

It also moves the configuration of address, timeout (which is now
consistent) and api to use Viper, allowing users to set it via env vars
and configuration file
2021-11-07 09:41:14 +00:00
Kristoffer Dalby 706ff59d70 Clean pointer list in app.go, add grpc logging and simplify naming 2021-11-04 22:18:55 +00:00
Kristoffer Dalby 7c774bc547
Remove flag that cant be trapped 2021-11-02 21:49:19 +00:00
Kristoffer Dalby 9954a3c599
Add handling for closing the socket 2021-11-02 21:46:15 +00:00
Kristoffer Dalby b91c115ade
Remove "auth skip" for socket traffic 2021-10-31 19:57:42 +00:00
Kristoffer Dalby 8db45a4e75
Setup a seperate, non-tls, no auth, socket grpc 2021-10-31 19:52:34 +00:00