Antoine POPINEAU
7cc58af932
Allow more configuration over the OIDC flow.
...
Adds knobs to configure three aspects of the OpenID Connect flow:
* Custom scopes to override the default "openid profile email".
* Custom parameters to be added to the Authorize Endpoint request.
* Domain allowlisting for authenticated principals.
* User allowlisting for authenticated principals.
2022-05-02 17:11:07 +02:00
Juan Font Alonso
01d9a2f589
Fixed linting issues
2022-04-30 23:48:28 +02:00
Juan Font
843e2bd9b6
Do not setLastStateChangeToNow every 5 seconds
2022-04-30 14:47:16 +00:00
Kristoffer Dalby
6e2768097a
Rename name -> hostname, nickname -> givenname
2022-04-24 20:54:38 +01:00
Juan Font Alonso
db9ba17920
Added missing file
2022-03-18 13:10:35 +01:00
Juan Font Alonso
8f5875efe4
Reorg errors
2022-03-16 19:46:59 +01:00
Juan Font
98ac88d5ef
Changed comment position
...
Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>
2022-03-16 18:45:34 +01:00
Kristoffer Dalby
d13338a9fb
Merge branch 'main' into mandatory-stun
2022-03-16 07:18:18 +00:00
bravechamp
0bfa5302a7
Fix API access
...
By allowing API keys to be validated
2022-03-15 16:05:56 +03:00
Juan Font Alonso
b8aad5451d
Make STUN run by default when embedded DERP is enabled
...
This commit also allows setting an external STUN server, while running the embedded DERP server (without embedded STUN)
2022-03-15 13:22:25 +01:00
Juan Font Alonso
eb06054a7b
Make DERP Region configurable
2022-03-06 17:25:21 +01:00
Juan Font Alonso
eb500155e8
Make STUN server configurable
2022-03-06 17:00:56 +01:00
Juan Font Alonso
54c3e00a1f
Merge local DERP server region with other configured DERP sources
2022-03-05 20:04:31 +01:00
Juan Font Alonso
237f7f1027
Merge branch 'main' into embedded-derp
2022-03-05 19:42:29 +01:00
Juan Font Alonso
df37d1a639
Do not offer the option to be DERP insecure
...
Websockets, on which DERP is based, require a TLS certificate. At the same time,
if we use a certificate it must be valid... otherwise Tailscale won't connect (does not
have an Insecure option). So there is no option to expose insecure here
2022-03-05 19:19:21 +01:00
Juan Font Alonso
758b1ba1cb
Renamed configuration items of the DERP server
2022-03-05 16:22:02 +01:00
Juan Font Alonso
607c1eb316
Be consistent with uppercase DERP
2022-03-04 11:31:41 +01:00
e-zk
12a50ac8ac
feat(windows): add /windows endpoint for Windows configuration
...
- registry file /windows/tailscale.reg is generated, filling in the
associated control server URL
- also includes CLI instructions
- fix /apple incorrect template: 'Url' is supposed to be '.URL'
2022-03-04 19:53:44 +10:00
e-zk
b342cf0240
feat(windows): cleanup /apple endpoint
...
- rename the gin function to AppleConfigMessage
- use <pre> + <code> for code blocks
- add headscale heading
- reword some sections
2022-03-04 19:53:29 +10:00
Juan Font Alonso
23cde8445f
Merge branch 'main' into embedded-derp
2022-03-04 00:04:59 +01:00
Juan Font Alonso
897d480f4d
Add an embedded DERP server to Headscale
...
This series of commits will be adding an embedded DERP server (and STUN) to Headscale,
thus making it completely self-contained and not dependent on other infrastructure.
2022-03-04 00:01:31 +01:00
Kristoffer Dalby
b61500670c
Merge branch 'main' into metrics-listen
2022-03-02 11:35:33 +00:00
Kristoffer Dalby
7c63412df5
Remove todo
2022-02-28 23:02:41 +00:00
Kristoffer Dalby
5e92ddad43
Remove redundant caches
...
This commit removes the two extra caches (oidc, requested time) and uses
the new central registration cache instead. The requested time is
unified into the main machine object and the oidc key is just added to
the same cache, as a string with the state as a key instead of machine
key.
2022-02-28 22:42:30 +00:00
Nico Rey
9a61725e9f
Metrics: Disable toggle. Set default port to 9090
2022-02-28 10:40:02 -03:00
Kristoffer Dalby
6126d6d9b5
Merge branch 'main' into metrics-listen
2022-02-28 14:24:25 +01:00
Kristoffer Dalby
469551bc5d
Register new machines needing callback in memory
...
This commit stores temporary registration data in cache, instead of
memory allowing us to only have actually registered machines in the
database.
2022-02-28 08:06:39 +00:00
Nico Rey
06e6c29a5b
metrics: make metrics endpoint toggleable
2022-02-25 18:36:03 -03:00
Adrien Raffin-Caboisse
b39faa124a
Merge remote-tracking branch 'origin/main' into feat-oidc-login-as-namespace
2022-02-25 11:28:17 +01:00
Nico
d55c79e75b
Merge branch 'main' into metrics-listen
2022-02-24 10:41:07 -03:00
Kristoffer Dalby
eda0a9f88a
Lock allocation of IP address
...
Current logic is not safe as it will allow an IP that isn't persisted to
the DB to be given out multiple times if machines join in quick
succession.
This adds a lock around the "get ip" and machine registration and save
to DB so we ensure this isn't happening.
Currently this had to be done in three places, which is silly, and outlined
in #294.
2022-02-24 13:18:18 +00:00
Kristoffer Dalby
aa506503e2
Merge branch 'main' into feat-oidc-login-as-namespace
2022-02-24 11:40:34 +00:00
Adrien Raffin-Caboisse
4f1f235a2e
feat: add strip_email_domain to normalization of namespace
2022-02-23 14:03:07 +01:00
Adrien Raffin-Caboisse
717250adb3
feat: removing matchmap from headscale
2022-02-22 20:58:08 +01:00
Nico Rey
e3bcc88880
Linter: make linter happy
2022-02-21 15:22:36 -03:00
Nico Rey
d5fd7a5c00
metrics: add a new router and listener for Prometheus' metrics endpoint
2022-02-21 12:50:15 -03:00
Justin Angel
daa75da277
Linting and updating tests
2022-02-21 10:09:23 -05:00
Kristoffer Dalby
7bf2a91dd0
Merge branch 'main' into configurable-mtls
2022-02-20 14:33:23 +00:00
Justin Angel
385dd9cc34
refactoring
2022-02-20 09:06:14 -05:00
Kristoffer Dalby
b2b2954545
Merge branch 'main' into apiwork
2022-02-14 22:29:20 +00:00
Kristoffer Dalby
4e54796384
Allow gRPC server to run insecure
2022-02-13 09:08:46 +00:00
Kristoffer Dalby
0018a78d5a
Add insecure option
...
Add option to not _validate_ if the certificate served from headscale is
trusted.
2022-02-13 08:41:49 +00:00
Kristoffer Dalby
2bc8051ae5
Remove kv-namespace-worker
...
This commit removes the namespace kv worker and related code, now that
we talk over gRPC to the server, and not directly to the DB, we should
not need this anymore.
2022-02-12 20:46:05 +00:00
Kristoffer Dalby
d79ccfc05a
Add comment on why grpc is on its own port, replace deprecated
2022-02-12 19:50:12 +00:00
Kristoffer Dalby
315ff9daf0
Remove insecure, only allow valid certs
2022-02-12 19:35:55 +00:00
Kristoffer Dalby
4078e75b50
Correct log message
2022-02-12 19:30:25 +00:00
Kristoffer Dalby
531298fa59
Fix import
2022-02-12 17:13:51 +00:00
Kristoffer Dalby
30a2ccd975
Add tls certs as creds for grpc
2022-02-12 17:05:30 +00:00
Kristoffer Dalby
59e48993f2
Change the http listener
2022-02-12 16:33:18 +00:00
Kristoffer Dalby
bfc6f6e0eb
Split grpc and http
2022-02-12 16:15:26 +00:00
Kristoffer Dalby
2aba37d2ef
Try to support plaintext http2 after termination
2022-02-12 14:42:23 +00:00
Kristoffer Dalby
8853ccd5b4
Terminate tls immediately, mux after
2022-02-12 13:25:27 +00:00
Justin Angel
af25aa75d9
Merge branch 'configurable-mtls' of github.com:arch4ngel/headscale into configurable-mtls
2022-01-31 10:27:57 -05:00
Justin Angel
da5250ea32
linting again
2022-01-31 10:27:43 -05:00
Kristoffer Dalby
168b1bd579
Merge branch 'main' into configurable-mtls
2022-01-31 12:28:00 +00:00
Justin Angel
52db80ab0d
Merge branch 'configurable-mtls' of github.com:arch4ngel/headscale into configurable-mtls
2022-01-31 07:19:14 -05:00
Justin Angel
0c3fd16113
refining and adding tests
2022-01-31 07:18:50 -05:00
Justin Angel
310e7b15c7
making alternatives constants
2022-01-30 10:46:57 -05:00
Kristoffer Dalby
6f6018bad5
Merge branch 'main' into ipv6
2022-01-30 08:21:11 +00:00
Kristoffer Dalby
0609c97459
Merge branch 'main' into configurable-mtls
2022-01-29 20:15:58 +00:00
Justin Angel
c98a559b4d
linting/formatting
2022-01-29 14:15:33 -05:00
Justin Angel
5935b13b67
refining
2022-01-29 13:35:08 -05:00
Justin Angel
9e619fc020
Making client authentication mode configurable
2022-01-29 12:59:31 -05:00
Kristoffer Dalby
13f23d2e7e
Merge branch 'main' into socket-permission
2022-01-29 14:34:36 +00:00
Csaba Sarkadi
c0c3b7d511
Merge remote-tracking branch 'origin/main' into ipv6
2022-01-29 15:27:49 +01:00
Kristoffer Dalby
b4f8961e44
Make Unix socket permissions configurable
2022-01-28 18:58:22 +00:00
Kristoffer Dalby
f59071ff1c
Trim whitespace from privateKey before parsing
2022-01-28 17:23:01 +00:00
Kristoffer Dalby
537cd35cb2
Try to add the grpc cert correctly
2022-01-25 22:22:15 +00:00
Kristoffer Dalby
00c69ce50c
Enable remote gRPC and HTTP API
...
This commit enables the existing gRPC and HTTP API from remote locations
as long as the user can provide a valid API key. This allows users to
control their headscale with the CLI from a workstation. 🎉
2022-01-25 22:11:15 +00:00
Csaba Sarkadi
1a6e5d8770
Add support for multiple IP prefixes
2022-01-16 14:18:22 +01:00
Eugen Biegler
5a504fa711
Better error description
...
Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>
2021-12-07 11:44:09 +01:00
Eugen Biegler
b4cce22415
Better error description
...
Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>
2021-12-07 11:44:00 +01:00
Eugen
3a85c4d367
Better error description
2021-12-07 08:46:55 +01:00
Eugen
7e95b3501d
Ignore derp.yaml, don't panic in Serve()
2021-12-01 19:32:47 +01:00
Kristoffer Dalby
34f4109fbd
Add back privatekey, but automatically generate it if it does not exist
2021-11-28 09:17:18 +00:00
Kristoffer Dalby
ef81845deb
Merge branch 'main' into kradalby-patch-2
2021-11-27 20:30:27 +00:00
Kristoffer Dalby
c63c259d31
Switch wgkey for types/key
...
We don't seem to need the wireguard key anymore, we generate a key on
startup based on the new library and the users fetch it from /key.
Clean up app.go and update docs
2021-11-26 23:28:06 +00:00
Kristoffer Dalby
58fd6c4ba5
Revert postgres constant value
...
changes "postgresql" to "postgres"
2021-11-26 07:13:00 +00:00
Kristoffer Dalby
021c464148
Add cache for requested expiry times
...
This commit adds a central cache to keep track of clients who have
requested an expiry time, but where we need to keep hold of it until the
second request comes in.
2021-11-22 19:32:52 +00:00
Kristoffer Dalby
9aac1fb255
Remove expiry logic, this needs to be redone
2021-11-19 09:02:29 +00:00
Kristoffer Dalby
d6739386a0
Get rid of dynamic errors
2021-11-15 19:18:14 +00:00
Kristoffer Dalby
c4d4c9c4e4
Add and fix gosec
2021-11-15 18:31:52 +00:00
Kristoffer Dalby
715542ac1c
Add and fix stylecheck (golint replacement)
2021-11-15 17:24:24 +00:00
Kristoffer Dalby
471c0b4993
Initial work eliminating one/two letter variables
2021-11-14 20:32:03 +01:00
Kristoffer Dalby
53ed749f45
Start work on making gocritic pass
2021-11-14 18:44:37 +01:00
Kristoffer Dalby
85f28a3f4a
Remove all instances of undefined numbers (gonmd)
2021-11-14 18:31:51 +01:00
Kristoffer Dalby
9390348a65
Add and fix goconst
2021-11-14 18:06:25 +01:00
Kristoffer Dalby
c9c16c7fb8
Remove unused params or returns
2021-11-14 18:03:21 +01:00
Kristoffer Dalby
0315f55fcd
Add and fix nilnil
2021-11-14 17:51:34 +01:00
Kristoffer Dalby
89eb13c6cb
Add and fix nlreturn (new line return)
2021-11-14 16:46:09 +01:00
Kristoffer Dalby
2634215f12
golangci-lint --fix
2021-11-13 08:39:04 +00:00
Kristoffer Dalby
03b7ec62ca
Go format with shorter lines
2021-11-13 08:36:45 +00:00
Kristoffer Dalby
49893305b4
Only turn on response log in grpc in trace mode
2021-11-08 22:06:25 +00:00
Kristoffer Dalby
b15efb5201
Ensure unix socket is removed before we startup
2021-11-07 09:55:32 +00:00
Kristoffer Dalby
2dfd42f80c
Attempt to dry up CLI client, add proper config
...
This commit is trying to DRY up the initiation of the gRPC client in
each command:
It renames the function to CLI instead of GRPC as it actually sets up a
CLI client, not a generic grpc client
It also moves the configuration of address, timeout (which is now
consistent) and api to use Viper, allowing users to set it via env vars
and configuration file
2021-11-07 09:41:14 +00:00
Kristoffer Dalby
706ff59d70
Clean pointer list in app.go, add grpc logging and simplify naming
2021-11-04 22:18:55 +00:00
Kristoffer Dalby
7c774bc547
Remove flag that can't be trapped
2021-11-02 21:49:19 +00:00
Kristoffer Dalby
9954a3c599
Add handling for closing the socket
2021-11-02 21:46:15 +00:00
Kristoffer Dalby
b91c115ade
Remove "auth skip" for socket traffic
2021-10-31 19:57:42 +00:00
Kristoffer Dalby
8db45a4e75
Setup a separate, non-tls, no auth, socket grpc
2021-10-31 19:52:34 +00:00