This commit adds a default OpenID Connect expiry to 180d to align with
Tailscale SaaS (previously infinite or based on token expiry).
In addition, it adds an option use the expiry time from the Token sent
by the OpenID provider. This will typically cause really short expiry
and you should only turn on this option if you know what you are
desiring.
This fixes#1176.
Co-authored-by: Even Holthe <even.holthe@bekk.no>
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Align behaviour of dns_config.restricted_nameservers to tailscale.
Tailscale allows split DNS configuration without requiring global nameservers.
In addition, as per [the docs](https://tailscale.com/kb/1054/dns/#using-dns-settings-in-the-admin-console):
> These nameservers also configure search domains for your devices
This commit aligns headscale to tailscale by:
* honouring dns_config.restricted_nameservers regardless of whether any global resolvers are configured
* adding a search domain for each restricted_nameserver
- Save logs from control(headscale) on every run to tmp
- Upgrade nix-actions
- Cancel builds if new commit is pushed
- Fix a sorting bug in user command test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
As indicated by bradfitz in https://github.com/juanfont/headscale/issues/804#issuecomment-1399314002,
both routes for the exit node must be enabled at the same time. If a user tries to enable one of the exit node routes,
the other gets activated too.
This commit also reduces the API surface, making private a method that didnt need to be exposed.
The calls to AutoMigrate to other classes that refer to users will
create the table and it will break, it needs to be done before
everything else.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
While this truly breaks the point of the backwards compatible stuff with
protobuf, it does not seem worth it to attempt to glue together a
compatible API.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Currently the most "secret" way to specify the oidc client secret is via
an environment variable `OIDC_CLIENT_SECRET`, which is problematic[1].
Lets allow reading oidc client secret from a file. For extra convenience
the path to the secret will resolve the environment variables.
[1]: https://systemd.io/CREDENTIALS/