From 75f3e1fb03cfa99621925cba2164d64f1a298d60 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
<41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 21 Oct 2021 21:38:02 +0000
Subject: [PATCH 01/11] docs(README): update contributors
---
README.md | 151 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 151 insertions(+)
diff --git a/README.md b/README.md
index 19742d8e..3b411ecb 100644
--- a/README.md
+++ b/README.md
@@ -61,4 +61,155 @@ Please have a look at the documentation under [`docs/`](docs/).
## Contributors
+
+
From 5420347d2454855865c322314a0f5a30228b6da5 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
<41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 22 Oct 2021 06:58:20 +0000
Subject: [PATCH 02/11] docs(README): update contributors
---
README.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/README.md b/README.md
index 3b411ecb..a3c09396 100644
--- a/README.md
+++ b/README.md
@@ -195,6 +195,13 @@ Please have a look at the documentation under [`docs/`](docs/).
+
+
+ 
+
+ derelm
+
+ |
From e836db1eadcf3a517758cf5ac342cdf25d903e3c Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Fri, 22 Oct 2021 16:51:19 +0000
Subject: [PATCH 03/11] Add config.yaml to gitignore
---
.gitignore | 1 +
1 file changed, 1 insertion(+)
diff --git a/.gitignore b/.gitignore
index 95d758a7..610550b9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,6 +16,7 @@
/headscale
config.json
+config.yaml
*.key
/db.sqlite
*.sqlite3
From aa245c2d06a2dbd9caded3c063c9429d4bc3af78 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Fri, 22 Oct 2021 16:52:39 +0000
Subject: [PATCH 04/11] Remove derp.yaml, add selfhosted example
This PR will promote fetching the derpmap directly from tailscale, so we
will remove our example, as it might easily get outdated.
Add a derp-example that shows how a user can also add their own derp
server.
---
derp-example.yaml | 18 ++++++
derp.yaml | 146 ----------------------------------------------
2 files changed, 18 insertions(+), 146 deletions(-)
create mode 100644 derp-example.yaml
delete mode 100644 derp.yaml
diff --git a/derp-example.yaml b/derp-example.yaml
new file mode 100644
index 00000000..45db5b9a
--- /dev/null
+++ b/derp-example.yaml
@@ -0,0 +1,18 @@
+# This file contains some of the official Tailscale DERP servers,
+# shamelessly taken from https://github.com/tailscale/tailscale/blob/main/net/dnsfallback/dns-fallback-servers.json
+#
+# If you plan to somehow use headscale, please deploy your own DERP infra: https://tailscale.com/kb/1118/custom-derp-servers/
+regions:
+ 900:
+ regionid: 900
+ regioncode: custom
+ regionname: My Region
+ nodes:
+ - name: 1a
+ regionid: 1
+ hostname: myderp.mydomain.no
+ ipv4: 123.123.123.123
+ ipv6: "2604:a880:400:d1::828:b001"
+ stunport: 0
+ stunonly: false
+ derptestport: 0
diff --git a/derp.yaml b/derp.yaml
deleted file mode 100644
index 9434e712..00000000
--- a/derp.yaml
+++ /dev/null
@@ -1,146 +0,0 @@
-# This file contains some of the official Tailscale DERP servers,
-# shamelessly taken from https://github.com/tailscale/tailscale/blob/main/net/dnsfallback/dns-fallback-servers.json
-#
-# If you plan to somehow use headscale, please deploy your own DERP infra: https://tailscale.com/kb/1118/custom-derp-servers/
-regions:
- 1:
- regionid: 1
- regioncode: nyc
- regionname: New York City
- nodes:
- - name: 1a
- regionid: 1
- hostname: derp1.tailscale.com
- ipv4: 159.89.225.99
- ipv6: "2604:a880:400:d1::828:b001"
- stunport: 0
- stunonly: false
- derptestport: 0
- - name: 1b
- regionid: 1
- hostname: derp1b.tailscale.com
- ipv4: 45.55.35.93
- ipv6: "2604:a880:800:a1::f:2001"
- stunport: 0
- stunonly: false
- derptestport: 0
- 2:
- regionid: 2
- regioncode: sfo
- regionname: San Francisco
- nodes:
- - name: 2a
- regionid: 2
- hostname: derp2.tailscale.com
- ipv4: 167.172.206.31
- ipv6: "2604:a880:2:d1::c5:7001"
- stunport: 0
- stunonly: false
- derptestport: 0
- - name: 2b
- regionid: 2
- hostname: derp2b.tailscale.com
- ipv4: 64.227.106.23
- ipv6: "2604:a880:4:1d0::29:9000"
- stunport: 0
- stunonly: false
- derptestport: 0
- 3:
- regionid: 3
- regioncode: sin
- regionname: Singapore
- nodes:
- - name: 3a
- regionid: 3
- hostname: derp3.tailscale.com
- ipv4: 68.183.179.66
- ipv6: "2400:6180:0:d1::67d:8001"
- stunport: 0
- stunonly: false
- derptestport: 0
- 4:
- regionid: 4
- regioncode: fra
- regionname: Frankfurt
- nodes:
- - name: 4a
- regionid: 4
- hostname: derp4.tailscale.com
- ipv4: 167.172.182.26
- ipv6: "2a03:b0c0:3:e0::36e:900"
- stunport: 0
- stunonly: false
- derptestport: 0
- - name: 4b
- regionid: 4
- hostname: derp4b.tailscale.com
- ipv4: 157.230.25.0
- ipv6: "2a03:b0c0:3:e0::58f:3001"
- stunport: 0
- stunonly: false
- derptestport: 0
- 5:
- regionid: 5
- regioncode: syd
- regionname: Sydney
- nodes:
- - name: 5a
- regionid: 5
- hostname: derp5.tailscale.com
- ipv4: 103.43.75.49
- ipv6: "2001:19f0:5801:10b7:5400:2ff:feaa:284c"
- stunport: 0
- stunonly: false
- derptestport: 0
- 6:
- regionid: 6
- regioncode: blr
- regionname: Bangalore
- nodes:
- - name: 6a
- regionid: 6
- hostname: derp6.tailscale.com
- ipv4: 68.183.90.120
- ipv6: "2400:6180:100:d0::982:d001"
- stunport: 0
- stunonly: false
- derptestport: 0
- 7:
- regionid: 7
- regioncode: tok
- regionname: Tokyo
- nodes:
- - name: 7a
- regionid: 7
- hostname: derp7.tailscale.com
- ipv4: 167.179.89.145
- ipv6: "2401:c080:1000:467f:5400:2ff:feee:22aa"
- stunport: 0
- stunonly: false
- derptestport: 0
- 8:
- regionid: 8
- regioncode: lhr
- regionname: London
- nodes:
- - name: 8a
- regionid: 8
- hostname: derp8.tailscale.com
- ipv4: 167.71.139.179
- ipv6: "2a03:b0c0:1:e0::3cc:e001"
- stunport: 0
- stunonly: false
- derptestport: 0
- 9:
- regionid: 9
- regioncode: sao
- regionname: São Paulo
- nodes:
- - name: 9a
- regionid: 9
- hostname: derp9.tailscale.com
- ipv4: 207.148.3.137
- ipv6: "2001:19f0:6401:1d9c:5400:2ff:feef:bb82"
- stunport: 0
- stunonly: false
- derptestport: 0
From 57f46ded83456cc5abae95db15099abd51773bd8 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Fri, 22 Oct 2021 16:55:14 +0000
Subject: [PATCH 05/11] Split derp into its own config struct
---
app.go | 34 +++++++++++---
cmd/headscale/cli/utils.go | 78 +++++++++++++++++++--------------
cmd/headscale/headscale_test.go | 28 ++++++++----
config.yaml.postgres.example | 1 -
config.yaml.sqlite.example | 31 ++++++++++---
5 files changed, 117 insertions(+), 55 deletions(-)
diff --git a/app.go b/app.go
index 66e2a306..546eb866 100644
--- a/app.go
+++ b/app.go
@@ -4,6 +4,7 @@ import (
"errors"
"fmt"
"net/http"
+ "net/url"
"os"
"sort"
"strings"
@@ -28,11 +29,12 @@ type Config struct {
ServerURL string
Addr string
PrivateKeyPath string
- DerpMap *tailcfg.DERPMap
EphemeralNodeInactivityTimeout time.Duration
IPPrefix netaddr.IPPrefix
BaseDomain string
+ DERP DERPConfig
+
DBtype string
DBpath string
DBhost string
@@ -55,6 +57,13 @@ type Config struct {
DNSConfig *tailcfg.DNSConfig
}
+type DERPConfig struct {
+ URLs []url.URL
+ Paths []string
+ AutoUpdate bool
+ UpdateFrequency time.Duration
+}
+
// Headscale represents the base app of the service
type Headscale struct {
cfg Config
@@ -65,6 +74,8 @@ type Headscale struct {
publicKey *wgkey.Key
privateKey *wgkey.Private
+ DERPMap *tailcfg.DERPMap
+
aclPolicy *ACLPolicy
aclRules *[]tailcfg.FilterRule
@@ -114,7 +125,7 @@ func NewHeadscale(cfg Config) (*Headscale, error) {
return nil, err
}
// we might have routes already from Split DNS
- if h.cfg.DNSConfig.Routes == nil {
+ if h.cfg.DNSConfig.Routes == nil {
h.cfg.DNSConfig.Routes = make(map[string][]dnstype.Resolver)
}
for _, d := range magicDNSDomains {
@@ -153,11 +164,15 @@ func (h *Headscale) expireEphemeralNodesWorker() {
return
}
for _, m := range *machines {
- if m.AuthKey != nil && m.LastSeen != nil && m.AuthKey.Ephemeral && time.Now().After(m.LastSeen.Add(h.cfg.EphemeralNodeInactivityTimeout)) {
+ if m.AuthKey != nil && m.LastSeen != nil && m.AuthKey.Ephemeral &&
+ time.Now().After(m.LastSeen.Add(h.cfg.EphemeralNodeInactivityTimeout)) {
log.Info().Str("machine", m.Name).Msg("Ephemeral client removed from database")
err = h.db.Unscoped().Delete(m).Error
if err != nil {
- log.Error().Err(err).Str("machine", m.Name).Msg("🤮 Cannot delete ephemeral machine from the database")
+ log.Error().
+ Err(err).
+ Str("machine", m.Name).
+ Msg("🤮 Cannot delete ephemeral machine from the database")
}
}
}
@@ -198,6 +213,15 @@ func (h *Headscale) Serve() error {
go h.watchForKVUpdates(5000)
go h.expireEphemeralNodes(5000)
+ // Fetch an initial DERP Map before we start serving
+ h.DERPMap = GetDERPMap(h.cfg.DERP)
+
+ if h.cfg.DERP.AutoUpdate {
+ derpMapCancelChannel := make(chan struct{})
+ defer func() { derpMapCancelChannel <- struct{}{} }()
+ go h.scheduledDERPMapUpdateWorker(derpMapCancelChannel)
+ }
+
s := &http.Server{
Addr: h.cfg.Addr,
Handler: r,
@@ -273,7 +297,6 @@ func (h *Headscale) getLastStateChange(namespaces ...string) time.Time {
times = append(times, lastChange)
}
-
}
sort.Slice(times, func(i, j int) bool {
@@ -284,7 +307,6 @@ func (h *Headscale) getLastStateChange(namespaces ...string) time.Time {
if len(times) == 0 {
return time.Now().UTC()
-
} else {
return times[0]
}
diff --git a/cmd/headscale/cli/utils.go b/cmd/headscale/cli/utils.go
index 52c8d043..0768e1eb 100644
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@@ -4,7 +4,7 @@ import (
"encoding/json"
"errors"
"fmt"
- "io"
+ "net/url"
"os"
"path/filepath"
"strings"
@@ -13,7 +13,6 @@ import (
"github.com/juanfont/headscale"
"github.com/rs/zerolog/log"
"github.com/spf13/viper"
- "gopkg.in/yaml.v2"
"inet.af/netaddr"
"tailscale.com/tailcfg"
"tailscale.com/types/dnstype"
@@ -51,21 +50,26 @@ func LoadConfig(path string) error {
// Collect any validation errors and return them all at once
var errorText string
- if (viper.GetString("tls_letsencrypt_hostname") != "") && ((viper.GetString("tls_cert_path") != "") || (viper.GetString("tls_key_path") != "")) {
+ if (viper.GetString("tls_letsencrypt_hostname") != "") &&
+ ((viper.GetString("tls_cert_path") != "") || (viper.GetString("tls_key_path") != "")) {
errorText += "Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both\n"
}
- if (viper.GetString("tls_letsencrypt_hostname") != "") && (viper.GetString("tls_letsencrypt_challenge_type") == "TLS-ALPN-01") && (!strings.HasSuffix(viper.GetString("listen_addr"), ":443")) {
+ if (viper.GetString("tls_letsencrypt_hostname") != "") &&
+ (viper.GetString("tls_letsencrypt_challenge_type") == "TLS-ALPN-01") &&
+ (!strings.HasSuffix(viper.GetString("listen_addr"), ":443")) {
// this is only a warning because there could be something sitting in front of headscale that redirects the traffic (e.g. an iptables rule)
log.Warn().
Msg("Warning: when using tls_letsencrypt_hostname with TLS-ALPN-01 as challenge type, headscale must be reachable on port 443, i.e. listen_addr should probably end in :443")
}
- if (viper.GetString("tls_letsencrypt_challenge_type") != "HTTP-01") && (viper.GetString("tls_letsencrypt_challenge_type") != "TLS-ALPN-01") {
+ if (viper.GetString("tls_letsencrypt_challenge_type") != "HTTP-01") &&
+ (viper.GetString("tls_letsencrypt_challenge_type") != "TLS-ALPN-01") {
errorText += "Fatal config error: the only supported values for tls_letsencrypt_challenge_type are HTTP-01 and TLS-ALPN-01\n"
}
- if !strings.HasPrefix(viper.GetString("server_url"), "http://") && !strings.HasPrefix(viper.GetString("server_url"), "https://") {
+ if !strings.HasPrefix(viper.GetString("server_url"), "http://") &&
+ !strings.HasPrefix(viper.GetString("server_url"), "https://") {
errorText += "Fatal config error: server_url must start with https:// or http://\n"
}
if errorText != "" {
@@ -73,7 +77,35 @@ func LoadConfig(path string) error {
} else {
return nil
}
+}
+func GetDERPConfig() headscale.DERPConfig {
+ urlStrs := viper.GetStringSlice("derp.urls")
+
+ urls := make([]url.URL, len(urlStrs))
+ for index, urlStr := range urlStrs {
+ urlAddr, err := url.Parse(urlStr)
+ if err != nil {
+ log.Error().
+ Str("url", urlStr).
+ Err(err).
+ Msg("Failed to parse url, ignoring...")
+ }
+
+ urls[index] = *urlAddr
+ }
+
+ paths := viper.GetStringSlice("derp.paths")
+
+ autoUpdate := viper.GetBool("derp.auto_update_enabled")
+ updateFrequency := viper.GetDuration("derp.update_frequency")
+
+ return headscale.DERPConfig{
+ URLs: urls,
+ Paths: paths,
+ AutoUpdate: autoUpdate,
+ UpdateFrequency: updateFrequency,
+ }
}
func GetDNSConfig() (*tailcfg.DNSConfig, string) {
@@ -171,33 +203,30 @@ func absPath(path string) string {
}
func getHeadscaleApp() (*headscale.Headscale, error) {
- derpPath := absPath(viper.GetString("derp_map_path"))
- derpMap, err := loadDerpMap(derpPath)
- if err != nil {
- log.Error().
- Str("path", derpPath).
- Err(err).
- Msg("Could not load DERP servers map file")
- }
-
// Minimum inactivity time out is keepalive timeout (60s) plus a few seconds
// to avoid races
minInactivityTimeout, _ := time.ParseDuration("65s")
if viper.GetDuration("ephemeral_node_inactivity_timeout") <= minInactivityTimeout {
- err = fmt.Errorf("ephemeral_node_inactivity_timeout (%s) is set too low, must be more than %s\n", viper.GetString("ephemeral_node_inactivity_timeout"), minInactivityTimeout)
+ err := fmt.Errorf(
+ "ephemeral_node_inactivity_timeout (%s) is set too low, must be more than %s\n",
+ viper.GetString("ephemeral_node_inactivity_timeout"),
+ minInactivityTimeout,
+ )
return nil, err
}
dnsConfig, baseDomain := GetDNSConfig()
+ derpConfig := GetDERPConfig()
cfg := headscale.Config{
ServerURL: viper.GetString("server_url"),
Addr: viper.GetString("listen_addr"),
PrivateKeyPath: absPath(viper.GetString("private_key_path")),
- DerpMap: derpMap,
IPPrefix: netaddr.MustParseIPPrefix(viper.GetString("ip_prefix")),
BaseDomain: baseDomain,
+ DERP: derpConfig,
+
EphemeralNodeInactivityTimeout: viper.GetDuration("ephemeral_node_inactivity_timeout"),
DBtype: viper.GetString("db_type"),
@@ -243,21 +272,6 @@ func getHeadscaleApp() (*headscale.Headscale, error) {
return h, nil
}
-func loadDerpMap(path string) (*tailcfg.DERPMap, error) {
- derpFile, err := os.Open(path)
- if err != nil {
- return nil, err
- }
- defer derpFile.Close()
- var derpMap tailcfg.DERPMap
- b, err := io.ReadAll(derpFile)
- if err != nil {
- return nil, err
- }
- err = yaml.Unmarshal(b, &derpMap)
- return &derpMap, err
-}
-
func JsonOutput(result interface{}, errResult error, outputFormat string) {
var j []byte
var err error
diff --git a/cmd/headscale/headscale_test.go b/cmd/headscale/headscale_test.go
index 0c3add69..eff78496 100644
--- a/cmd/headscale/headscale_test.go
+++ b/cmd/headscale/headscale_test.go
@@ -25,7 +25,6 @@ func (s *Suite) SetUpSuite(c *check.C) {
}
func (s *Suite) TearDownSuite(c *check.C) {
-
}
func (*Suite) TestPostgresConfigLoading(c *check.C) {
@@ -53,7 +52,6 @@ func (*Suite) TestPostgresConfigLoading(c *check.C) {
// Test that config file was interpreted correctly
c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
c.Assert(viper.GetString("listen_addr"), check.Equals, "0.0.0.0:8080")
- c.Assert(viper.GetString("derp_map_path"), check.Equals, "derp.yaml")
c.Assert(viper.GetString("db_type"), check.Equals, "postgres")
c.Assert(viper.GetString("db_port"), check.Equals, "5432")
c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
@@ -86,7 +84,7 @@ func (*Suite) TestSqliteConfigLoading(c *check.C) {
// Test that config file was interpreted correctly
c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
c.Assert(viper.GetString("listen_addr"), check.Equals, "0.0.0.0:8080")
- c.Assert(viper.GetString("derp_map_path"), check.Equals, "derp.yaml")
+ c.Assert(viper.GetStringSlice("derp.paths")[0], check.Equals, "derp-example.yaml")
c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
c.Assert(viper.GetString("db_path"), check.Equals, "db.sqlite")
c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
@@ -128,7 +126,7 @@ func (*Suite) TestDNSConfigLoading(c *check.C) {
func writeConfig(c *check.C, tmpDir string, configYaml []byte) {
// Populate a custom config file
configFile := filepath.Join(tmpDir, "config.yaml")
- err := ioutil.WriteFile(configFile, configYaml, 0644)
+ err := ioutil.WriteFile(configFile, configYaml, 0o644)
if err != nil {
c.Fatalf("Couldn't write file %s", configFile)
}
@@ -139,10 +137,12 @@ func (*Suite) TestTLSConfigValidation(c *check.C) {
if err != nil {
c.Fatal(err)
}
- //defer os.RemoveAll(tmpDir)
+ // defer os.RemoveAll(tmpDir)
fmt.Println(tmpDir)
- configYaml := []byte("---\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"\"\ntls_cert_path: \"abc.pem\"")
+ configYaml := []byte(
+ "---\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"\"\ntls_cert_path: \"abc.pem\"",
+ )
writeConfig(c, tmpDir, configYaml)
// Check configuration validation errors (1)
@@ -150,13 +150,23 @@ func (*Suite) TestTLSConfigValidation(c *check.C) {
c.Assert(err, check.NotNil)
// check.Matches can not handle multiline strings
tmp := strings.ReplaceAll(err.Error(), "\n", "***")
- c.Assert(tmp, check.Matches, ".*Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both.*")
- c.Assert(tmp, check.Matches, ".*Fatal config error: the only supported values for tls_letsencrypt_challenge_type are.*")
+ c.Assert(
+ tmp,
+ check.Matches,
+ ".*Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both.*",
+ )
+ c.Assert(
+ tmp,
+ check.Matches,
+ ".*Fatal config error: the only supported values for tls_letsencrypt_challenge_type are.*",
+ )
c.Assert(tmp, check.Matches, ".*Fatal config error: server_url must start with https:// or http://.*")
fmt.Println(tmp)
// Check configuration validation errors (2)
- configYaml = []byte("---\nserver_url: \"http://127.0.0.1:8080\"\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"TLS-ALPN-01\"")
+ configYaml = []byte(
+ "---\nserver_url: \"http://127.0.0.1:8080\"\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"TLS-ALPN-01\"",
+ )
writeConfig(c, tmpDir, configYaml)
err = cli.LoadConfig(tmpDir)
c.Assert(err, check.IsNil)
diff --git a/config.yaml.postgres.example b/config.yaml.postgres.example
index 569b42a9..920bdaaa 100644
--- a/config.yaml.postgres.example
+++ b/config.yaml.postgres.example
@@ -2,7 +2,6 @@
server_url: http://127.0.0.1:8080
listen_addr: 0.0.0.0:8080
private_key_path: private.key
-derp_map_path: derp.yaml
ephemeral_node_inactivity_timeout: 30m
# Postgres config
diff --git a/config.yaml.sqlite.example b/config.yaml.sqlite.example
index 158b1e5b..411a2a77 100644
--- a/config.yaml.sqlite.example
+++ b/config.yaml.sqlite.example
@@ -1,26 +1,43 @@
---
+log_level: info
server_url: http://127.0.0.1:8080
listen_addr: 0.0.0.0:8080
private_key_path: private.key
-derp_map_path: derp.yaml
ephemeral_node_inactivity_timeout: 30m
# SQLite config (uncomment it if you want to use SQLite)
db_type: sqlite3
db_path: db.sqlite
+derp:
+ # List of externally available DERP maps encoded in JSON
+ urls:
+ - https://controlplane.tailscale.com/derpmap/default
+
+ # Locally available DERP map files encoded in YAML
+ paths:
+ - derp-example.yaml
+
+ # If enabled, a worker will be set up to periodically
+ # refresh the given sources and update the derpmap
+ # will be set up.
+ auto_update_enabled: true
+
+ # How often should we check for updates?
+ update_frequency: 24h
+
acme_url: https://acme-v02.api.letsencrypt.org/directory
-acme_email: ''
-tls_letsencrypt_hostname: ''
+acme_email: ""
+tls_letsencrypt_hostname: ""
tls_letsencrypt_listen: ":http"
tls_letsencrypt_cache_dir: ".cache"
tls_letsencrypt_challenge_type: HTTP-01
-tls_cert_path: ''
-tls_key_path: ''
-acl_policy_path: ''
+tls_cert_path: ""
+tls_key_path: ""
+acl_policy_path: ""
dns_config:
nameservers:
- - 1.1.1.1
+ - 1.1.1.1
domains: []
magic_dns: true
base_domain: example.com
From 177f1eca06ff3f046ac75c921f01ccf1b0eb80ab Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Fri, 22 Oct 2021 16:55:35 +0000
Subject: [PATCH 06/11] Add helper functions for building derp maps from urls
and file
---
derp.go | 152 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 152 insertions(+)
create mode 100644 derp.go
diff --git a/derp.go b/derp.go
new file mode 100644
index 00000000..39e63210
--- /dev/null
+++ b/derp.go
@@ -0,0 +1,152 @@
+package headscale
+
+import (
+ "encoding/json"
+ "io"
+ "io/ioutil"
+ "net/http"
+ "net/url"
+ "os"
+ "time"
+
+ "github.com/rs/zerolog/log"
+
+ "gopkg.in/yaml.v2"
+
+ "tailscale.com/tailcfg"
+)
+
+func loadDERPMapFromPath(path string) (*tailcfg.DERPMap, error) {
+ derpFile, err := os.Open(path)
+ if err != nil {
+ return nil, err
+ }
+ defer derpFile.Close()
+ var derpMap tailcfg.DERPMap
+ b, err := io.ReadAll(derpFile)
+ if err != nil {
+ return nil, err
+ }
+ err = yaml.Unmarshal(b, &derpMap)
+ return &derpMap, err
+}
+
+func loadDERPMapFromURL(addr url.URL) (*tailcfg.DERPMap, error) {
+ client := http.Client{
+ Timeout: 10 * time.Second,
+ }
+ resp, err := client.Get(addr.String())
+ if err != nil {
+ return nil, err
+ }
+
+ defer resp.Body.Close()
+ body, err := ioutil.ReadAll(resp.Body)
+ if err != nil {
+ return nil, err
+ }
+
+ var derpMap tailcfg.DERPMap
+ err = json.Unmarshal(body, &derpMap)
+ return &derpMap, err
+}
+
+// mergeDERPMaps naively merges a list of DERPMaps into a single
+// DERPMap, it will _only_ look at the Regions, an integer.
+// If a region exists in two of the given DERPMaps, the region
+// form the _last_ DERPMap will be preserved.
+// An empty DERPMap list will result in a DERPMap with no regions
+func mergeDERPMaps(derpMaps []*tailcfg.DERPMap) *tailcfg.DERPMap {
+ result := tailcfg.DERPMap{
+ OmitDefaultRegions: false,
+ Regions: map[int]*tailcfg.DERPRegion{},
+ }
+
+ for _, derpMap := range derpMaps {
+ for id, region := range derpMap.Regions {
+ result.Regions[id] = region
+ }
+ }
+
+ return &result
+}
+
+func GetDERPMap(cfg DERPConfig) *tailcfg.DERPMap {
+ derpMaps := make([]*tailcfg.DERPMap, 0)
+
+ for _, path := range cfg.Paths {
+ log.Debug().
+ Str("func", "GetDERPMap").
+ Str("path", path).
+ Msg("Loading DERPMap from path")
+ derpMap, err := loadDERPMapFromPath(path)
+ if err != nil {
+ log.Error().
+ Str("func", "GetDERPMap").
+ Str("path", path).
+ Err(err).
+ Msg("Could not load DERP map from path")
+ break
+ }
+
+ derpMaps = append(derpMaps, derpMap)
+ }
+
+ for _, addr := range cfg.URLs {
+ derpMap, err := loadDERPMapFromURL(addr)
+ log.Debug().
+ Str("func", "GetDERPMap").
+ Str("url", addr.String()).
+ Msg("Loading DERPMap from path")
+ if err != nil {
+ log.Error().
+ Str("func", "GetDERPMap").
+ Str("url", addr.String()).
+ Err(err).
+ Msg("Could not load DERP map from path")
+ break
+ }
+
+ derpMaps = append(derpMaps, derpMap)
+ }
+
+ derpMap := mergeDERPMaps(derpMaps)
+
+ log.Trace().Interface("derpMap", derpMap).Msg("DERPMap loaded")
+
+ if len(derpMap.Regions) == 0 {
+ log.Warn().
+ Msg("DERP map is empty, not a single DERP map datasource was loaded correctly or contained a region")
+ }
+
+ return derpMap
+}
+
+func (h *Headscale) scheduledDERPMapUpdateWorker(cancelChan <-chan struct{}) {
+ log.Info().
+ Dur("frequency", h.cfg.DERP.UpdateFrequency).
+ Msg("Setting up a DERPMap update worker")
+ ticker := time.NewTicker(h.cfg.DERP.UpdateFrequency)
+
+ for {
+ select {
+ case <-cancelChan:
+ return
+
+ case <-ticker.C:
+ log.Info().Msg("Fetching DERPMap updates")
+ h.DERPMap = GetDERPMap(h.cfg.DERP)
+
+ namespaces, err := h.ListNamespaces()
+ if err != nil {
+ log.Error().
+ Err(err).
+ Msg("Failed to fetch namespaces")
+ }
+
+ for _, namespace := range *namespaces {
+ h.setLastStateChangeToNow(namespace.Name)
+ }
+ }
+ }
+}
From 582eb57a092b15ba84e1f69b9bca4a0c485249f7 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Fri, 22 Oct 2021 16:56:00 +0000
Subject: [PATCH 07/11] Use the new derp map
---
api.go | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/api.go b/api.go
index 6e30cb3a..a31cf529 100644
--- a/api.go
+++ b/api.go
@@ -82,7 +82,10 @@ func (h *Headscale) RegistrationHandler(c *gin.Context) {
now := time.Now().UTC()
var m Machine
- if result := h.db.Preload("Namespace").First(&m, "machine_key = ?", mKey.HexString()); errors.Is(result.Error, gorm.ErrRecordNotFound) {
+ if result := h.db.Preload("Namespace").First(&m, "machine_key = ?", mKey.HexString()); errors.Is(
+ result.Error,
+ gorm.ErrRecordNotFound,
+ ) {
log.Info().Str("machine", req.Hostinfo.Hostname).Msg("New machine")
m = Machine{
Expiry: &req.Expiry,
@@ -270,7 +273,7 @@ func (h *Headscale) getMapResponse(mKey wgkey.Key, req tailcfg.MapRequest, m *Ma
DNSConfig: dnsConfig,
Domain: h.cfg.BaseDomain,
PacketFilter: *h.aclRules,
- DERPMap: h.cfg.DerpMap,
+ DERPMap: h.DERPMap,
UserProfiles: profiles,
}
@@ -329,7 +332,13 @@ func (h *Headscale) getMapKeepAliveResponse(mKey wgkey.Key, req tailcfg.MapReque
return data, nil
}
-func (h *Headscale) handleAuthKey(c *gin.Context, db *gorm.DB, idKey wgkey.Key, req tailcfg.RegisterRequest, m Machine) {
+func (h *Headscale) handleAuthKey(
+ c *gin.Context,
+ db *gorm.DB,
+ idKey wgkey.Key,
+ req tailcfg.RegisterRequest,
+ m Machine,
+) {
log.Debug().
Str("func", "handleAuthKey").
Str("machine", req.Hostinfo.Hostname).
From 0e902fe949cec49aeea5f48da98779993f3b213d Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Fri, 22 Oct 2021 16:56:23 +0000
Subject: [PATCH 08/11] Add certificates to docker image so we can get derpmap
from tailscale
---
Dockerfile | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 20bb7dae..6e216aad 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,6 +12,11 @@ RUN test -e /go/bin/headscale
FROM ubuntu:20.04
+RUN apt-get update \
+ && apt-get install -y ca-certificates \
+ && update-ca-certificates \
+ && rm -rf /var/lib/apt/lists/*
+
COPY --from=build /go/bin/headscale /usr/local/bin/headscale
ENV TZ UTC
From d875cca69d7919fdeb476b6c5b442ce5439d9e8c Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Fri, 22 Oct 2021 16:57:01 +0000
Subject: [PATCH 09/11] move integration to yaml, add new derp configuration
---
integration_test/etc/config.json | 19 -------------------
integration_test/etc/config.yaml | 20 ++++++++++++++++++++
2 files changed, 20 insertions(+), 19 deletions(-)
delete mode 100644 integration_test/etc/config.json
create mode 100644 integration_test/etc/config.yaml
diff --git a/integration_test/etc/config.json b/integration_test/etc/config.json
deleted file mode 100644
index dc23652d..00000000
--- a/integration_test/etc/config.json
+++ /dev/null
@@ -1,19 +0,0 @@
-{
- "server_url": "http://headscale:8080",
- "listen_addr": "0.0.0.0:8080",
- "private_key_path": "private.key",
- "derp_map_path": "derp.yaml",
- "ephemeral_node_inactivity_timeout": "30m",
- "db_type": "sqlite3",
- "db_path": "/tmp/integration_test_db.sqlite3",
- "acl_policy_path": "",
- "log_level": "trace",
- "dns_config": {
- "nameservers": [
- "1.1.1.1"
- ],
- "domains": [],
- "magic_dns": true,
- "base_domain": "headscale.net"
- }
-}
\ No newline at end of file
diff --git a/integration_test/etc/config.yaml b/integration_test/etc/config.yaml
new file mode 100644
index 00000000..6f68f304
--- /dev/null
+++ b/integration_test/etc/config.yaml
@@ -0,0 +1,20 @@
+log_level: trace
+acl_policy_path: ""
+db_type: sqlite3
+ephemeral_node_inactivity_timeout: 30m
+dns_config:
+ base_domain: headscale.net
+ magic_dns: true
+ domains: []
+ nameservers:
+ - 1.1.1.1
+db_path: /tmp/integration_test_db.sqlite3
+private_key_path: private.key
+listen_addr: 0.0.0.0:8080
+server_url: http://headscale:8080
+
+derp:
+ urls:
+ - https://controlplane.tailscale.com/derpmap/default
+ auto_update_enabled: false
+ update_frequency: 1m
From aefbd66317d837846e1db8c4fdc4d11633e885cf Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Fri, 22 Oct 2021 16:57:51 +0000
Subject: [PATCH 10/11] Remove derpmap volume from integration tests
---
integration_test.go | 31 +++++++++++++++++++++++++++----
1 file changed, 27 insertions(+), 4 deletions(-)
diff --git a/integration_test.go b/integration_test.go
index 3c51215d..53092423 100644
--- a/integration_test.go
+++ b/integration_test.go
@@ -230,7 +230,6 @@ func (s *IntegrationTestSuite) SetupSuite() {
Name: "headscale",
Mounts: []string{
fmt.Sprintf("%s/integration_test/etc:/etc/headscale", currentPath),
- fmt.Sprintf("%s/derp.yaml:/etc/headscale/derp.yaml", currentPath),
},
Networks: []*dockertest.Network{&network},
Cmd: []string{"headscale", "serve"},
@@ -289,7 +288,16 @@ func (s *IntegrationTestSuite) SetupSuite() {
fmt.Printf("Creating pre auth key for %s\n", namespace)
authKey, err := executeCommand(
&headscale,
- []string{"headscale", "--namespace", namespace, "preauthkeys", "create", "--reusable", "--expiration", "24h"},
+ []string{
+ "headscale",
+ "--namespace",
+ namespace,
+ "preauthkeys",
+ "create",
+ "--reusable",
+ "--expiration",
+ "24h",
+ },
[]string{},
)
assert.Nil(s.T(), err)
@@ -298,7 +306,16 @@ func (s *IntegrationTestSuite) SetupSuite() {
fmt.Printf("Joining tailscale containers to headscale at %s\n", headscaleEndpoint)
for hostname, tailscale := range scales.tailscales {
- command := []string{"tailscale", "up", "-login-server", headscaleEndpoint, "--authkey", strings.TrimSuffix(authKey, "\n"), "--hostname", hostname}
+ command := []string{
+ "tailscale",
+ "up",
+ "-login-server",
+ headscaleEndpoint,
+ "--authkey",
+ strings.TrimSuffix(authKey, "\n"),
+ "--hostname",
+ hostname,
+ }
fmt.Println("Join command:", command)
fmt.Printf("Running join command for %s\n", hostname)
@@ -661,7 +678,13 @@ func (s *IntegrationTestSuite) TestMagicDNS() {
fmt.Sprintf("%s.%s.headscale.net", peername, namespace),
}
- fmt.Printf("Pinging using Hostname (magicdns) from %s (%s) to %s (%s)\n", hostname, ips[hostname], peername, ip)
+ fmt.Printf(
+ "Pinging using Hostname (magicdns) from %s (%s) to %s (%s)\n",
+ hostname,
+ ips[hostname],
+ peername,
+ ip,
+ )
result, err := executeCommand(
&tailscale,
command,
From a3557694161dfa18aa518df84e73a60d30c001ae Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Fri, 22 Oct 2021 23:58:27 +0100
Subject: [PATCH 11/11] Update derp-example.yaml
Co-authored-by: Juan Font
---
derp-example.yaml | 3 ---
1 file changed, 3 deletions(-)
diff --git a/derp-example.yaml b/derp-example.yaml
index 45db5b9a..bbf7cc8d 100644
--- a/derp-example.yaml
+++ b/derp-example.yaml
@@ -1,6 +1,3 @@
-# This file contains some of the official Tailscale DERP servers,
-# shamelessly taken from https://github.com/tailscale/tailscale/blob/main/net/dnsfallback/dns-fallback-servers.json
-#
# If you plan to somehow use headscale, please deploy your own DERP infra: https://tailscale.com/kb/1118/custom-derp-servers/
regions:
900:
|
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+