feat: move grpc config

config-example.yaml

@@ -24,26 +24,28 @@ listen_addr: 127.0.0.1:8080
 #
 metrics_listen_addr: 127.0.0.1:9090
 
-# Address to listen for gRPC.
 # gRPC is used for controlling a headscale server
 # remotely with the CLI
-# Note: Remote access _only_ works if you have
+grpc: 
-# valid certificates.
+  # Address to listen for gRPC.
-#
+  # Note: Remote access _only_ works if you have
-# For production:
+  # valid certificates.
-# grpc_listen_addr: 0.0.0.0:50443
+  #
-grpc_listen_addr: 127.0.0.1:50443
+  # For production:
+  # listen_addr: 0.0.0.0:50443
+  listen_addr: 127.0.0.1:50443
 
-# Allow the gRPC admin interface to run in INSECURE
+  # Allow the gRPC admin interface to run in INSECURE
-# mode. This is not recommended as the traffic will
+  # mode. This is not recommended as the traffic will
-# be unencrypted. Only enable if you know what you
+  # be unencrypted. Only enable if you know what you
-# are doing.
+  # are doing.
-grpc_allow_insecure: false
+  allow_insecure: false
 
-# Use separate a certificate for gRPC, this overwrites
+  # Use a separate x509 certificate for gRPC, this is used
-# the global certificate.
+  # instead of the global certificate.
-grpc_tls_cert_path: ""
+  tls:
-grpc_tls_key_path: ""
+    cert_path: ""
+    key_path: ""
 
 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol

docs/remote-cli.md

@@ -7,7 +7,7 @@
 - Access to create API keys (local access to the `headscale` server)
 - `headscale` _must_ be served over TLS/HTTPS
   - Remote access does _not_ support unencrypted traffic.
-- Port `50443` must be open in the firewall (or port overridden by `grpc_listen_addr` option)
+- Port `50443` must be open in the firewall (or port overridden by `grpc.listen_addr` option)
 
 ## Goal
 

hscontrol/types/config.go

@@ -106,8 +106,8 @@ type DatabaseConfig struct {
 }
 
 type TLSConfig struct {
-	CertPath string
+	CertPath     string
-	KeyPath  string
+	KeyPath      string
 	GRPCCertPath string
 	GRPCKeyPath  string
 
@@ -213,8 +213,8 @@ func LoadConfig(path string, isFile bool) error {
 	viper.SetDefault("unix_socket", "/var/run/headscale/headscale.sock")
 	viper.SetDefault("unix_socket_permission", "0o770")
 
-	viper.SetDefault("grpc_listen_addr", ":50443")
+	viper.SetDefault("grpc.listen_addr", ":50443")
-	viper.SetDefault("grpc_allow_insecure", false)
+	viper.SetDefault("grpc.allow_insecure", false)
 
 	viper.SetDefault("cli.timeout", "5s")
 	viper.SetDefault("cli.insecure", false)
@@ -316,10 +316,10 @@ func GetTLSConfig() TLSConfig {
 			viper.GetString("tls_key_path"),
 		),
 		GRPCCertPath: util.AbsolutePathFromConfigPath(
-			viper.GetString("grpc_tls_cert_path"),
+			viper.GetString("grpc.tls_cert_path"),
 		),
 		GRPCKeyPath: util.AbsolutePathFromConfigPath(
-			viper.GetString("grpc_tls_key_path"),
+			viper.GetString("grpc.tls_key_path"),
 		),
 	}
 }
@@ -700,8 +700,8 @@ func GetHeadscaleConfig() (*Config, error) {
 		ServerURL:          viper.GetString("server_url"),
 		Addr:               viper.GetString("listen_addr"),
 		MetricsAddr:        viper.GetString("metrics_listen_addr"),
-		GRPCAddr:           viper.GetString("grpc_listen_addr"),
+		GRPCAddr:           viper.GetString("grpc.listen_addr"),
-		GRPCAllowInsecure:  viper.GetBool("grpc_allow_insecure"),
+		GRPCAllowInsecure:  viper.GetBool("grpc.allow_insecure"),
 		DisableUpdateCheck: viper.GetBool("disable_check_updates"),
 
 		PrefixV4:     prefix4,

integration/hsic/hsic.go

@@ -97,8 +97,8 @@ func WithTLS() Option {
 		}
 
 		// TODO(kradalby): Move somewhere appropriate
-		hsic.env["HEADSCALE_TLS_CERT_PATH"] = tlsCertPath
+		hsic.env["HEADSCALE_GRPC_TLS_CERT_PATH"] = tlsCertPath
-		hsic.env["HEADSCALE_TLS_KEY_PATH"] = tlsKeyPath
+		hsic.env["HEADSCALE_GRPC_TLS_KEY_PATH"] = tlsKeyPath
 
 		hsic.tlsCert = cert
 		hsic.tlsKey = key