2020-06-21 10:32:08 +00:00
|
|
|
package headscale
|
|
|
|
|
|
|
|
import (
|
2021-04-24 02:54:15 +00:00
|
|
|
"errors"
|
2020-06-21 10:32:08 +00:00
|
|
|
"fmt"
|
2021-04-24 02:54:15 +00:00
|
|
|
"log"
|
|
|
|
"net/http"
|
2021-02-21 22:54:15 +00:00
|
|
|
"os"
|
2021-04-23 20:54:35 +00:00
|
|
|
"strings"
|
2021-02-23 20:07:52 +00:00
|
|
|
"sync"
|
2021-05-23 00:15:29 +00:00
|
|
|
"time"
|
2020-06-21 10:32:08 +00:00
|
|
|
|
|
|
|
"github.com/gin-gonic/gin"
|
2021-04-24 02:54:15 +00:00
|
|
|
"golang.org/x/crypto/acme/autocert"
|
2021-07-04 19:40:46 +00:00
|
|
|
"gorm.io/gorm"
|
2021-08-02 19:06:26 +00:00
|
|
|
"inet.af/netaddr"
|
2021-02-20 22:57:06 +00:00
|
|
|
"tailscale.com/tailcfg"
|
2021-06-25 16:57:08 +00:00
|
|
|
"tailscale.com/types/wgkey"
|
2020-06-21 10:32:08 +00:00
|
|
|
)
|
|
|
|
|
2021-02-21 21:14:38 +00:00
|
|
|
// Config contains the initial Headscale configuration
|
2020-06-21 10:32:08 +00:00
|
|
|
type Config struct {
|
2021-05-23 00:15:29 +00:00
|
|
|
ServerURL string
|
|
|
|
Addr string
|
|
|
|
PrivateKeyPath string
|
|
|
|
DerpMap *tailcfg.DERPMap
|
|
|
|
EphemeralNodeInactivityTimeout time.Duration
|
2021-08-02 19:06:26 +00:00
|
|
|
IPPrefix netaddr.IPPrefix
|
2020-06-21 10:32:08 +00:00
|
|
|
|
2021-05-15 12:32:26 +00:00
|
|
|
DBtype string
|
|
|
|
DBpath string
|
2020-06-21 10:32:08 +00:00
|
|
|
DBhost string
|
|
|
|
DBport int
|
|
|
|
DBname string
|
|
|
|
DBuser string
|
|
|
|
DBpass string
|
2021-04-23 20:54:35 +00:00
|
|
|
|
2021-07-23 22:12:01 +00:00
|
|
|
TLSLetsEncryptListen string
|
2021-04-24 02:54:15 +00:00
|
|
|
TLSLetsEncryptHostname string
|
|
|
|
TLSLetsEncryptCacheDir string
|
|
|
|
TLSLetsEncryptChallengeType string
|
|
|
|
|
2021-04-23 20:54:35 +00:00
|
|
|
TLSCertPath string
|
|
|
|
TLSKeyPath string
|
2020-06-21 10:32:08 +00:00
|
|
|
}
|
|
|
|
|
2021-02-21 21:14:38 +00:00
|
|
|
// Headscale represents the base app of the service
|
2020-06-21 10:32:08 +00:00
|
|
|
type Headscale struct {
|
|
|
|
cfg Config
|
2021-07-04 19:40:46 +00:00
|
|
|
db *gorm.DB
|
2020-06-21 10:32:08 +00:00
|
|
|
dbString string
|
2021-05-02 18:47:36 +00:00
|
|
|
dbType string
|
|
|
|
dbDebug bool
|
2021-06-25 16:57:08 +00:00
|
|
|
publicKey *wgkey.Key
|
|
|
|
privateKey *wgkey.Private
|
2021-02-23 20:07:52 +00:00
|
|
|
|
2021-07-03 15:31:32 +00:00
|
|
|
aclPolicy *ACLPolicy
|
2021-07-04 11:24:05 +00:00
|
|
|
aclRules *[]tailcfg.FilterRule
|
2021-07-03 15:31:32 +00:00
|
|
|
|
2021-02-23 20:07:52 +00:00
|
|
|
pollMu sync.Mutex
|
|
|
|
clientsPolling map[uint64]chan []byte // this is by all means a hackity hack
|
2020-06-21 10:32:08 +00:00
|
|
|
}
|
|
|
|
|
2021-02-21 21:14:38 +00:00
|
|
|
// NewHeadscale returns the Headscale app
|
2020-06-21 10:32:08 +00:00
|
|
|
func NewHeadscale(cfg Config) (*Headscale, error) {
|
2021-02-21 22:54:15 +00:00
|
|
|
content, err := os.ReadFile(cfg.PrivateKeyPath)
|
2020-06-21 10:32:08 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2021-06-25 16:57:08 +00:00
|
|
|
privKey, err := wgkey.ParsePrivate(string(content))
|
2020-06-21 10:32:08 +00:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
pubKey := privKey.Public()
|
2021-05-15 12:32:26 +00:00
|
|
|
|
|
|
|
var dbString string
|
|
|
|
switch cfg.DBtype {
|
|
|
|
case "postgres":
|
|
|
|
dbString = fmt.Sprintf("host=%s port=%d dbname=%s user=%s password=%s sslmode=disable", cfg.DBhost,
|
|
|
|
cfg.DBport, cfg.DBname, cfg.DBuser, cfg.DBpass)
|
|
|
|
case "sqlite3":
|
|
|
|
dbString = cfg.DBpath
|
|
|
|
default:
|
2021-07-11 13:10:37 +00:00
|
|
|
return nil, errors.New("unsupported DB")
|
2021-05-15 12:32:26 +00:00
|
|
|
}
|
|
|
|
|
2020-06-21 10:32:08 +00:00
|
|
|
h := Headscale{
|
2021-05-15 12:32:26 +00:00
|
|
|
cfg: cfg,
|
|
|
|
dbType: cfg.DBtype,
|
|
|
|
dbString: dbString,
|
2020-06-21 10:32:08 +00:00
|
|
|
privateKey: privKey,
|
|
|
|
publicKey: &pubKey,
|
2021-07-04 11:24:05 +00:00
|
|
|
aclRules: &tailcfg.FilterAllowAll, // default allowall
|
2020-06-21 10:32:08 +00:00
|
|
|
}
|
2021-07-04 11:24:05 +00:00
|
|
|
|
2020-06-21 10:32:08 +00:00
|
|
|
err = h.initDB()
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2021-07-04 19:40:46 +00:00
|
|
|
|
2021-02-23 20:07:52 +00:00
|
|
|
h.clientsPolling = make(map[uint64]chan []byte)
|
2020-06-21 10:32:08 +00:00
|
|
|
return &h, nil
|
|
|
|
}
|
|
|
|
|
2021-04-24 02:54:15 +00:00
|
|
|
// Redirect to our TLS url
|
|
|
|
func (h *Headscale) redirect(w http.ResponseWriter, req *http.Request) {
|
|
|
|
target := h.cfg.ServerURL + req.URL.RequestURI()
|
|
|
|
http.Redirect(w, req, target, http.StatusFound)
|
|
|
|
}
|
|
|
|
|
2021-05-23 00:15:29 +00:00
|
|
|
// ExpireEphemeralNodes deletes ephemeral machine records that have not been
|
|
|
|
// seen for longer than h.cfg.EphemeralNodeInactivityTimeout
|
|
|
|
func (h *Headscale) ExpireEphemeralNodes(milliSeconds int64) {
|
|
|
|
ticker := time.NewTicker(time.Duration(milliSeconds) * time.Millisecond)
|
|
|
|
for range ticker.C {
|
|
|
|
h.expireEphemeralNodesWorker()
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (h *Headscale) expireEphemeralNodesWorker() {
|
|
|
|
namespaces, err := h.ListNamespaces()
|
|
|
|
if err != nil {
|
|
|
|
log.Printf("Error listing namespaces: %s", err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
for _, ns := range *namespaces {
|
|
|
|
machines, err := h.ListMachinesInNamespace(ns.Name)
|
|
|
|
if err != nil {
|
|
|
|
log.Printf("Error listing machines in namespace %s: %s", ns.Name, err)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
for _, m := range *machines {
|
|
|
|
if m.AuthKey != nil && m.LastSeen != nil && m.AuthKey.Ephemeral && time.Now().After(m.LastSeen.Add(h.cfg.EphemeralNodeInactivityTimeout)) {
|
|
|
|
log.Printf("[%s] Ephemeral client removed from database\n", m.Name)
|
2021-07-04 19:40:46 +00:00
|
|
|
err = h.db.Unscoped().Delete(m).Error
|
2021-05-23 00:15:29 +00:00
|
|
|
if err != nil {
|
|
|
|
log.Printf("[%s] 🤮 Cannot delete ephemeral machine from the database: %s", m.Name, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-02-21 21:14:38 +00:00
|
|
|
// Serve launches a GIN server with the Headscale API
|
2020-06-21 10:32:08 +00:00
|
|
|
func (h *Headscale) Serve() error {
|
|
|
|
r := gin.Default()
|
|
|
|
r.GET("/key", h.KeyHandler)
|
|
|
|
r.GET("/register", h.RegisterWebAPI)
|
|
|
|
r.POST("/machine/:id/map", h.PollNetMapHandler)
|
|
|
|
r.POST("/machine/:id", h.RegistrationHandler)
|
2021-04-23 20:54:35 +00:00
|
|
|
var err error
|
2021-04-24 02:54:15 +00:00
|
|
|
if h.cfg.TLSLetsEncryptHostname != "" {
|
|
|
|
if !strings.HasPrefix(h.cfg.ServerURL, "https://") {
|
2021-05-23 00:15:29 +00:00
|
|
|
log.Println("WARNING: listening with TLS but ServerURL does not start with https://")
|
2021-04-24 02:54:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
m := autocert.Manager{
|
|
|
|
Prompt: autocert.AcceptTOS,
|
|
|
|
HostPolicy: autocert.HostWhitelist(h.cfg.TLSLetsEncryptHostname),
|
|
|
|
Cache: autocert.DirCache(h.cfg.TLSLetsEncryptCacheDir),
|
|
|
|
}
|
|
|
|
s := &http.Server{
|
|
|
|
Addr: h.cfg.Addr,
|
|
|
|
TLSConfig: m.TLSConfig(),
|
|
|
|
Handler: r,
|
|
|
|
}
|
|
|
|
if h.cfg.TLSLetsEncryptChallengeType == "TLS-ALPN-01" {
|
|
|
|
// Configuration via autocert with TLS-ALPN-01 (https://tools.ietf.org/html/rfc8737)
|
|
|
|
// The RFC requires that the validation is done on port 443; in other words, headscale
|
2021-07-24 13:01:20 +00:00
|
|
|
// must be reachable on port 443.
|
2021-04-24 02:54:15 +00:00
|
|
|
err = s.ListenAndServeTLS("", "")
|
|
|
|
} else if h.cfg.TLSLetsEncryptChallengeType == "HTTP-01" {
|
|
|
|
// Configuration via autocert with HTTP-01. This requires listening on
|
|
|
|
// port 80 for the certificate validation in addition to the headscale
|
|
|
|
// service, which can be configured to run on any other port.
|
|
|
|
go func() {
|
2021-07-23 22:12:01 +00:00
|
|
|
log.Fatal(http.ListenAndServe(h.cfg.TLSLetsEncryptListen, m.HTTPHandler(http.HandlerFunc(h.redirect))))
|
2021-04-24 02:54:15 +00:00
|
|
|
}()
|
2021-04-24 15:26:50 +00:00
|
|
|
err = s.ListenAndServeTLS("", "")
|
2021-04-24 02:54:15 +00:00
|
|
|
} else {
|
2021-07-11 14:39:19 +00:00
|
|
|
return errors.New("unknown value for TLSLetsEncryptChallengeType")
|
2021-04-24 02:54:15 +00:00
|
|
|
}
|
|
|
|
} else if h.cfg.TLSCertPath == "" {
|
2021-04-23 20:54:35 +00:00
|
|
|
if !strings.HasPrefix(h.cfg.ServerURL, "http://") {
|
2021-05-23 00:15:29 +00:00
|
|
|
log.Println("WARNING: listening without TLS but ServerURL does not start with http://")
|
2021-04-23 20:54:35 +00:00
|
|
|
}
|
|
|
|
err = r.Run(h.cfg.Addr)
|
|
|
|
} else {
|
|
|
|
if !strings.HasPrefix(h.cfg.ServerURL, "https://") {
|
2021-05-23 00:15:29 +00:00
|
|
|
log.Println("WARNING: listening with TLS but ServerURL does not start with https://")
|
2021-04-23 20:54:35 +00:00
|
|
|
}
|
|
|
|
err = r.RunTLS(h.cfg.Addr, h.cfg.TLSCertPath, h.cfg.TLSKeyPath)
|
|
|
|
}
|
2020-06-21 10:32:08 +00:00
|
|
|
return err
|
|
|
|
}
|