diff --git a/config-example.yaml b/config-example.yaml
index 668fa39a..72869145 100644
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -24,26 +24,28 @@ listen_addr: 127.0.0.1:8080
 # metrics_listen_addr: 127.0.0.1:9090
-# Address to listen for gRPC.
 # gRPC is used for controlling a headscale server
 # remotely with the CLI
-# Note: Remote access _only_ works if you have
-# valid certificates.
-#
-# For production:
-# grpc_listen_addr: 0.0.0.0:50443
-grpc_listen_addr: 127.0.0.1:50443
+grpc:
+ # Address to listen for gRPC.
+ # Note: Remote access _only_ works if you have
+ # valid certificates.
+ #
+ # For production:
+ # listen_addr: 0.0.0.0:50443
+ listen_addr: 127.0.0.1:50443
-# Allow the gRPC admin interface to run in INSECURE
-# mode. This is not recommended as the traffic will
-# be unencrypted. Only enable if you know what you
-# are doing.
-grpc_allow_insecure: false
+ # Allow the gRPC admin interface to run in INSECURE
+ # mode. This is not recommended as the traffic will
+ # be unencrypted. Only enable if you know what you
+ # are doing.
+ allow_insecure: false
-# Use separate a certificate for gRPC, this overwrites
-# the global certificate.
-grpc_tls_cert_path: ""
-grpc_tls_key_path: ""
+ # Use a separate x509 certificate for gRPC, this is used
+ # instead of the global certificate.
+ tls:
+ cert_path: ""
+ key_path: ""
 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol
diff --git a/docs/remote-cli.md b/docs/remote-cli.md
index 3d44eabc..6a0cb873 100644
--- a/docs/remote-cli.md
+++ b/docs/remote-cli.md
@@ -7,7 +7,7 @@
 - Access to create API keys (local access to the `headscale` server)
 - `headscale` _must_ be served over TLS/HTTPS
 - Remote access does _not_ support unencrypted traffic.
-- Port `50443` must be open in the firewall (or port overridden by `grpc_listen_addr` option)
+- Port `50443` must be open in the firewall (or port overridden by `grpc.listen_addr` option)
 ## Goal
diff --git a/hscontrol/types/config.go b/hscontrol/types/config.go
index 9c02772c..a743dd93 100644
--- a/hscontrol/types/config.go
+++ b/hscontrol/types/config.go
@@ -106,8 +106,8 @@ type DatabaseConfig struct {
 }
 type TLSConfig struct {
- CertPath string
- KeyPath string
+ CertPath string
+ KeyPath string
 GRPCCertPath string
 GRPCKeyPath string
@@ -213,8 +213,8 @@ func LoadConfig(path string, isFile bool) error {
 viper.SetDefault("unix_socket", "/var/run/headscale/headscale.sock")
 viper.SetDefault("unix_socket_permission", "0o770")
- viper.SetDefault("grpc_listen_addr", ":50443")
- viper.SetDefault("grpc_allow_insecure", false)
+ viper.SetDefault("grpc.listen_addr", ":50443")
+ viper.SetDefault("grpc.allow_insecure", false)
 viper.SetDefault("cli.timeout", "5s")
 viper.SetDefault("cli.insecure", false)
@@ -316,10 +316,10 @@ func GetTLSConfig() TLSConfig {
 viper.GetString("tls_key_path"),
 ),
 GRPCCertPath: util.AbsolutePathFromConfigPath(
- viper.GetString("grpc_tls_cert_path"),
+ viper.GetString("grpc.tls_cert_path"),
 ),
 GRPCKeyPath: util.AbsolutePathFromConfigPath(
- viper.GetString("grpc_tls_key_path"),
+ viper.GetString("grpc.tls_key_path"),
 ),
 }
 }
@@ -700,8 +700,8 @@ func GetHeadscaleConfig() (*Config, error) {
 ServerURL: viper.GetString("server_url"),
 Addr: viper.GetString("listen_addr"),
 MetricsAddr: viper.GetString("metrics_listen_addr"),
- GRPCAddr: viper.GetString("grpc_listen_addr"),
- GRPCAllowInsecure: viper.GetBool("grpc_allow_insecure"),
+ GRPCAddr: viper.GetString("grpc.listen_addr"),
+ GRPCAllowInsecure: viper.GetBool("grpc.allow_insecure"),
 DisableUpdateCheck: viper.GetBool("disable_check_updates"),
 PrefixV4: prefix4,
diff --git a/integration/hsic/hsic.go b/integration/hsic/hsic.go
index 5b55a0a8..71fc6fb6 100644
--- a/integration/hsic/hsic.go
+++ b/integration/hsic/hsic.go
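Review bot: In hscontrol/types/config.go, the LoadConfig hunk registers the gRPC defaults only under `grpc.listen_addr` and `grpc.allow_insecure`, so a deployed config that still sets `grpc_listen_addr: 127.0.0.1:50443` is no longer read and the listener falls back to the default `:50443`, which binds every interface. The renamed reads in the GetHeadscaleConfig hunk have the same effect. Nothing in the visible hunks warns about or rejects the old keys; LoadConfig continues outside the hunk, so such a check may exist elsewhere. If it does not, a guard such as `viper.IsSet("grpc_listen_addr")` (and the same for `grpc_allow_insecure` and the two `grpc_tls_*` keys) that returns an error naming the new key would stop an upgrade from silently widening the admin interface's exposure.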
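Review bot: In the GetTLSConfig hunk of hscontrol/types/config.go, the new keys `grpc.tls_cert_path` and `grpc.tls_key_path` do not match the layout this commit introduces in config-example.yaml, which nests them as `grpc:` → `tls:` → `cert_path` / `key_path`. A config file written from the example would therefore not populate GRPCCertPath and GRPCKeyPath, and the gRPC admin interface would presumably fall back to the global certificate without any error. The reads should be `viper.GetString("grpc.tls.cert_path")` and `viper.GetString("grpc.tls.key_path")`. The integration harness sets these values through `HEADSCALE_GRPC_TLS_CERT_PATH`-style environment variables, which likely resolve for either spelling, so the tests would not catch the mismatch; a test that loads the example YAML would.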
@@ -97,8 +97,8 @@ func WithTLS() Option {
 }
 // TODO(kradalby): Move somewhere appropriate
- hsic.env["HEADSCALE_TLS_CERT_PATH"] = tlsCertPath
- hsic.env["HEADSCALE_TLS_KEY_PATH"] = tlsKeyPath
+ hsic.env["HEADSCALE_GRPC_TLS_CERT_PATH"] = tlsCertPath
+ hsic.env["HEADSCALE_GRPC_TLS_KEY_PATH"] = tlsKeyPath
 hsic.tlsCert = cert
 hsic.tlsKey = key
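Review bot: In integration/hsic/hsic.go, WithTLS no longer sets `HEADSCALE_TLS_CERT_PATH` and `HEADSCALE_TLS_KEY_PATH`, because the two assignments are replaced rather than extended. Unless the global paths are set somewhere outside this hunk, the test container's main HTTPS listener would start without the generated certificate, even though `hsic.tlsCert` and `hsic.tlsKey` are still recorded. The example config in this commit describes the gRPC pair as used instead of the global certificate for gRPC only. If both listeners are meant to use the test certificate, keep the old lines and add the new ones, e.g. `hsic.env["HEADSCALE_TLS_CERT_PATH"] = tlsCertPath` next to `hsic.env["HEADSCALE_GRPC_TLS_CERT_PATH"] = tlsCertPath`, and likewise for the key. WithTLS begins and ends outside the hunk.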