Commit Graph

258 Commits

Author SHA1 Message Date
Adrien Raffin-Caboisse
b39faa124a
Merge remote-tracking branch 'origin/main' into feat-oidc-login-as-namespace 2022-02-25 11:28:17 +01:00
Nico
d55c79e75b
Merge branch 'main' into metrics-listen 2022-02-24 10:41:07 -03:00
Kristoffer Dalby
eda0a9f88a Lock allocation of IP address
current logic is not safe as it will allow an IP that isnt persisted to
the DB to be given out multiple times if machines joins in quick
succession.

This adds a lock around the "get ip" and machine registration and save
to DB so we ensure thiis isnt happning.

Currently this had to be done three places, which is silly, and outlined
in #294.
2022-02-24 13:18:18 +00:00
Kristoffer Dalby
aa506503e2
Merge branch 'main' into feat-oidc-login-as-namespace 2022-02-24 11:40:34 +00:00
Adrien Raffin-Caboisse
4f1f235a2e feat: add strip_email_domain to normalization of namespace 2022-02-23 14:03:07 +01:00
Adrien Raffin-Caboisse
717250adb3 feat: removing matchmap from headscale 2022-02-22 20:58:08 +01:00
Nico Rey
e3bcc88880 Linter: make linter happy 2022-02-21 15:22:36 -03:00
Nico Rey
d5fd7a5c00 metrics: add a new router and listener for Prometheus' metrics endpoint 2022-02-21 12:50:15 -03:00
Justin Angel
daa75da277 Linting and updating tests 2022-02-21 10:09:23 -05:00
Kristoffer Dalby
7bf2a91dd0
Merge branch 'main' into configurable-mtls 2022-02-20 14:33:23 +00:00
Justin Angel
385dd9cc34 refactoring 2022-02-20 09:06:14 -05:00
Kristoffer Dalby
b2b2954545
Merge branch 'main' into apiwork 2022-02-14 22:29:20 +00:00
Kristoffer Dalby
4e54796384 Allow gRPC server to run insecure 2022-02-13 09:08:46 +00:00
Kristoffer Dalby
0018a78d5a Add insecure option
Add option to not _validate_ if the certificate served from headscale is
trusted.
2022-02-13 08:41:49 +00:00
Kristoffer Dalby
2bc8051ae5 Remove kv-namespace-worker
This commit removes the namespace kv worker and related code, now that
we talk over gRPC to the server, and not directly to the DB, we should
not need this anymore.
2022-02-12 20:46:05 +00:00
Kristoffer Dalby
d79ccfc05a Add comment on why grpc is on its own port, replace deprecated 2022-02-12 19:50:12 +00:00
Kristoffer Dalby
315ff9daf0 Remove insecure, only allow valid certs 2022-02-12 19:35:55 +00:00
Kristoffer Dalby
4078e75b50 Correct log message 2022-02-12 19:30:25 +00:00
Kristoffer Dalby
531298fa59 Fix import 2022-02-12 17:13:51 +00:00
Kristoffer Dalby
30a2ccd975 Add tls certs as creds for grpc 2022-02-12 17:05:30 +00:00
Kristoffer Dalby
59e48993f2 Change the http listener 2022-02-12 16:33:18 +00:00
Kristoffer Dalby
bfc6f6e0eb Split grpc and http 2022-02-12 16:15:26 +00:00
Kristoffer Dalby
2aba37d2ef Try to support plaintext http2 after termination 2022-02-12 14:42:23 +00:00
Kristoffer Dalby
8853ccd5b4 Terminate tls immediatly, mux after 2022-02-12 13:25:27 +00:00
Justin Angel
af25aa75d9 Merge branch 'configurable-mtls' of github.com:arch4ngel/headscale into configurable-mtls 2022-01-31 10:27:57 -05:00
Justin Angel
da5250ea32 linting again 2022-01-31 10:27:43 -05:00
Kristoffer Dalby
168b1bd579
Merge branch 'main' into configurable-mtls 2022-01-31 12:28:00 +00:00
Justin Angel
52db80ab0d Merge branch 'configurable-mtls' of github.com:arch4ngel/headscale into configurable-mtls 2022-01-31 07:19:14 -05:00
Justin Angel
0c3fd16113 refining and adding tests 2022-01-31 07:18:50 -05:00
Justin Angel
310e7b15c7 making alternatives constants 2022-01-30 10:46:57 -05:00
Kristoffer Dalby
6f6018bad5
Merge branch 'main' into ipv6 2022-01-30 08:21:11 +00:00
Kristoffer Dalby
0609c97459
Merge branch 'main' into configurable-mtls 2022-01-29 20:15:58 +00:00
Justin Angel
c98a559b4d linting/formatting 2022-01-29 14:15:33 -05:00
Justin Angel
5935b13b67 refining 2022-01-29 13:35:08 -05:00
Justin Angel
9e619fc020 Making client authentication mode configurable 2022-01-29 12:59:31 -05:00
Kristoffer Dalby
13f23d2e7e
Merge branch 'main' into socket-permission 2022-01-29 14:34:36 +00:00
Csaba Sarkadi
c0c3b7d511 Merge remote-tracking branch 'origin/main' into ipv6 2022-01-29 15:27:49 +01:00
Kristoffer Dalby
b4f8961e44 Make Unix socket permissions configurable 2022-01-28 18:58:22 +00:00
Kristoffer Dalby
f59071ff1c Trim whitespace from privateKey before parsing 2022-01-28 17:23:01 +00:00
Kristoffer Dalby
537cd35cb2 Try to add the grpc cert correctly 2022-01-25 22:22:15 +00:00
Kristoffer Dalby
00c69ce50c Enable remote gRPC and HTTP API
This commit enables the existing gRPC and HTTP API from remote locations
as long as the user can provide a valid API key. This allows users to
control their headscale with the CLI from a workstation. 🎉
2022-01-25 22:11:15 +00:00
Csaba Sarkadi
1a6e5d8770 Add support for multiple IP prefixes 2022-01-16 14:18:22 +01:00
Eugen Biegler
5a504fa711
Better error description
Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>
2021-12-07 11:44:09 +01:00
Eugen Biegler
b4cce22415
Better error description
Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>
2021-12-07 11:44:00 +01:00
Eugen
3a85c4d367 Better error description 2021-12-07 08:46:55 +01:00
Eugen
7e95b3501d Ignoe derp.yaml, don't panic in Serve() 2021-12-01 19:32:47 +01:00
Kristoffer Dalby
34f4109fbd Add back privatekey, but automatically generate it if it does not exist 2021-11-28 09:17:18 +00:00
Kristoffer Dalby
ef81845deb
Merge branch 'main' into kradalby-patch-2 2021-11-27 20:30:27 +00:00
Kristoffer Dalby
c63c259d31 Switch wgkey for types/key
We dont seem to need the wireguard key anymore, we generate a key on
startup based on the new library and the users fetch it from /key.

Clean up app.go and update docs
2021-11-26 23:28:06 +00:00
Kristoffer Dalby
58fd6c4ba5
Revert postgres constant value
changes "postgresql" to "postgres"
2021-11-26 07:13:00 +00:00
Kristoffer Dalby
021c464148 Add cache for requested expiry times
This commit adds a sentral cache to keep track of clients whom has
requested an expiry time, but were we need to keep hold of it until the
second request comes in.
2021-11-22 19:32:52 +00:00
Kristoffer Dalby
9aac1fb255 Remove expiry logic, this needs to be redone 2021-11-19 09:02:29 +00:00
Kristoffer Dalby
d6739386a0
Get rid of dynamic errors 2021-11-15 19:18:14 +00:00
Kristoffer Dalby
c4d4c9c4e4
Add and fix gosec 2021-11-15 18:31:52 +00:00
Kristoffer Dalby
715542ac1c
Add and fix stylecheck (golint replacement) 2021-11-15 17:24:24 +00:00
Kristoffer Dalby
471c0b4993
Initial work eliminating one/two letter variables 2021-11-14 20:32:03 +01:00
Kristoffer Dalby
53ed749f45
Start work on making gocritic pass 2021-11-14 18:44:37 +01:00
Kristoffer Dalby
85f28a3f4a
Remove all instances of undefined numbers (gonmd) 2021-11-14 18:31:51 +01:00
Kristoffer Dalby
9390348a65
Add and fix goconst 2021-11-14 18:06:25 +01:00
Kristoffer Dalby
c9c16c7fb8
Remove unused params or returns 2021-11-14 18:03:21 +01:00
Kristoffer Dalby
0315f55fcd
Add and fix nilnil 2021-11-14 17:51:34 +01:00
Kristoffer Dalby
89eb13c6cb
Add and fix nlreturn (new line return) 2021-11-14 16:46:09 +01:00
Kristoffer Dalby
2634215f12 golangci-lint --fix 2021-11-13 08:39:04 +00:00
Kristoffer Dalby
03b7ec62ca Go format with shorter lines 2021-11-13 08:36:45 +00:00
Kristoffer Dalby
49893305b4 Only turn on response log in grpc in trace mode 2021-11-08 22:06:25 +00:00
Kristoffer Dalby
b15efb5201 Ensure unix socket is removed before we startup 2021-11-07 09:55:32 +00:00
Kristoffer Dalby
2dfd42f80c Attempt to dry up CLI client, add proepr config
This commit is trying to DRY up the initiation of the gRPC client in
each command:

It renames the function to CLI instead of GRPC as it actually set up a
CLI client, not a generic grpc client

It also moves the configuration of address, timeout (which is now
consistent) and api to use Viper, allowing users to set it via env vars
and configuration file
2021-11-07 09:41:14 +00:00
Kristoffer Dalby
706ff59d70 Clean pointer list in app.go, add grpc logging and simplify naming 2021-11-04 22:18:55 +00:00
Kristoffer Dalby
7c774bc547
Remove flag that cant be trapped 2021-11-02 21:49:19 +00:00
Kristoffer Dalby
9954a3c599
Add handling for closing the socket 2021-11-02 21:46:15 +00:00
Kristoffer Dalby
b91c115ade
Remove "auth skip" for socket traffic 2021-10-31 19:57:42 +00:00
Kristoffer Dalby
8db45a4e75
Setup a seperate, non-tls, no auth, socket grpc 2021-10-31 19:52:34 +00:00
Kristoffer Dalby
1c9b1ea91a
Add todo 2021-10-31 16:34:20 +00:00
Kristoffer Dalby
3f30bf1e33
Ensure we set up TLS for http 2021-10-31 16:19:38 +00:00
Kristoffer Dalby
264e5964f6
Resolve merge conflict 2021-10-31 09:40:43 +00:00
Kristoffer Dalby
cbf3f5d640 Resolve merge conflict 2021-10-30 15:33:01 +00:00
Kristoffer Dalby
482a31b66b Setup swagger and swagger UI properly 2021-10-30 14:29:53 +00:00
Kristoffer Dalby
434fac52b7 Fix lint error 2021-10-30 14:29:03 +00:00
Kristoffer Dalby
6aacada852 Switch from gRPC localhost to socket
This commit changes the way CLI and grpc-gateway communicates with the
gRPC backend to socket, instead of localhost. Unauthenticated access now
goes on the socket, while the network interface will require API key (in
the future).
2021-10-30 14:08:16 +00:00
Kristoffer Dalby
68dab0fe7b Move localhost check to utils 2021-10-29 17:04:58 +00:00
Kristoffer Dalby
a23d82e33a Setup API and prepare for API keys
This commit sets up the API and gRPC endpoints and adds authentication
to them. Currently there is no actual authentication implemented but it
has been prepared for API keys.

In addition, there is a allow put in place for gRPC traffic over
localhost. This has two purposes:

1. grpc-gateway, which is the base of the API, connects to the gRPC
   service over localhost.
2. We do not want to break current "on server" behaviour which allows
   users to use the cli on the server without any fuzz
2021-10-29 16:45:06 +00:00
Kristoffer Dalby
2f045b20fb Refactor tls and wire up grpc, grpc gateway/api
This commit moves the TLS configuration into a seperate function.

It also wires up the gRPC interface and prepares handing the API
endpoints to the grpc gateway.
2021-10-26 20:42:56 +00:00
Kristoffer Dalby
57f46ded83 Split derp into its own config struct 2021-10-22 16:55:14 +00:00
Juan Font
41c5a0ddf5
Apply suggestions from code review
Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>
2021-10-20 09:35:56 +02:00
Juan Font Alonso
18b00b5d8d Add support for Split DNS (implements #179) 2021-10-19 20:51:43 +02:00
Kristoffer Dalby
677bd9b657 Implement namespace matching 2021-10-18 19:27:52 +00:00
unreality
afbfc1d370
Merge branch 'main' into main 2021-10-16 22:31:37 +08:00
Juan Font Alonso
5ce1526a06 Do not return a pointer 2021-10-10 12:43:41 +02:00
Raal Goff
74e6c1479e updates from code review 2021-10-10 17:22:42 +08:00
Juan Font
c4487b73c4
Merge branch 'main' into magic-dns-support 2021-10-09 12:24:07 +02:00
Juan Font Alonso
fc5153af3e Generate MagicDNS search domains for any tailnet range 2021-10-09 12:22:13 +02:00
Kristoffer Dalby
2997f4d251
Merge branch 'main' into main 2021-10-08 22:21:41 +01:00
Raal Goff
e407d423d4 updates from code review 2021-10-08 17:43:52 +08:00
Kristoffer Dalby
f0c54490ed Allow multiple namespaces to be checked for state at the same time 2021-10-06 22:06:07 +00:00
Kristoffer Dalby
ba391bc2ed Account for updates in shared namespaces 2021-10-06 19:32:15 +00:00
Raal Goff
c487591437 use go-oidc instead of verifying and extracting tokens ourselves, rename oidc_endpoint to oidc_issuer to be more inline with spec 2021-10-06 17:19:15 +08:00
Kristoffer Dalby
a01a0d1039 Remove unstable update channel, replace with state updates 2021-10-05 16:24:46 +00:00
Juan Font Alonso
2eef535b4b Merged main 2021-10-04 23:43:42 +02:00
Juan Font
040a18e6f8
Merge branch 'main' into magic-dns-support 2021-10-04 19:45:12 +02:00
Kristoffer Dalby
94ba5181fc Resolve merge conflict 2021-10-04 16:38:52 +00:00
Kristoffer Dalby
1d5b090579 Initial work on Prometheus metrics
This commit adds some Prometheus metrics to /metrics in headscale.

It will add the standard go metrics, some automatic gin metrics and some
initial headscale specific ones.

Some of them has been added to aid debugging #97 (loop bug)

In the future, we can use the metrics to get rid of the sleep in the
integration tests by checking that our expected number of nodes has been
registered:

```
headscale_machine_registrations_total
```
2021-10-04 16:28:07 +00:00
Juan Font Alonso
ef0f7c0c09 Integration tests for MagicDNS working 2021-10-04 18:04:08 +02:00
Aaron Bieber
8fa0fe65ba Add the ability to specify registration ACME email and ACME URL. 2021-10-03 12:26:38 -06:00
Kristoffer Dalby
ed728f57e0
Remove WriteTimeout from HTTP
Golangs built in HTTP server does not allow different HTTP timeout for
different types of handlers, so we cannot have a write timeout as we
attempt to do long polling (my bad).

See linked article.

Also removed redundant server declaration
2021-10-02 15:29:27 +01:00
Juan Font Alonso
8d60ae2c7e Tidy gomod 2021-10-02 13:03:41 +02:00
Juan Font Alonso
45e71ecba0 Generated MagicDNS search domains (only in 100.64.0.0/10) 2021-10-02 12:13:05 +02:00
Juan Font Alonso
656237e167 Propagate dns config vales across Headscale 2021-10-02 11:20:42 +02:00
Kristoffer Dalby
cc054d71fe
Merge branch 'main' into main 2021-09-26 21:35:26 +01:00
Raal Goff
e7a2501fe8 initial work on OIDC (SSO) integration 2021-09-26 16:53:05 +08:00
Kristoffer Dalby
2d39d6602c Merge remote-tracking branch 'upstream/main' into apple-mobileconfig 2021-09-19 18:00:40 +01:00
Kristoffer Dalby
dfcab2b6d5
Wire up new handlers 2021-09-19 17:56:29 +01:00
Kristoffer Dalby
987bbee1db
Add DNSConfig field to configuration 2021-08-24 07:09:47 +01:00
Kristoffer Dalby
88d7ac04bf
Account for racecondition in deleting/closing update channel
This commit tries to address the possible raceondition  that can happen
if a client closes its connection after we have fetched it from the
syncmap before sending the message.

To try to avoid introducing new dead lock conditions, all messages sent
to updateChannel has been moved into a function, which handles the
locking (instead of calling it all over the place)

The same lock is used around the delete/close function.
2021-08-20 16:52:34 +01:00
Kristoffer Dalby
53168d54d8
Make http timeout 30s instead of 10s 2021-08-19 22:29:03 +01:00
Kristoffer Dalby
b0ec945dbb
Make lastStateChange namespaced 2021-08-19 18:19:26 +01:00
Kristoffer Dalby
57b79aa852 Set timeout, add lastupdate field
This commit makes two reasonably major changes:

Set a default timeout for the go HTTP server (which gin uses), which
allows us to actually have broken long poll sessions fail so we can have
the client re-establish them.
The current 10s number is chosen randomly and we need more testing to
ensure that the feature work as intended.

The second is adding a last updated field to keep track of the last time
we had an update that needs to be propagated to all of our
clients/nodes. This will be used to keep track of our machines and if
they are up to date or need us to push an update.
2021-08-18 23:21:11 +01:00
Kristoffer Dalby
9698abbfd5
Resolve merge conflict 2021-08-13 10:33:19 +01:00
Juan Font
8eb7d47072 Fixed linting 2021-08-12 21:57:20 +02:00
Juan Font
ab61c87701 Also notify peers when deleting ephemerals 2021-08-12 21:53:37 +02:00
Juan Font
c1e6157847 Expire ephemeral is internal 2021-08-12 21:45:40 +02:00
Juan Font
4c849539fc Expire the ephemeral nodes in the Serve method 2021-08-12 21:44:12 +02:00
Kristoffer Dalby
149279f3d5 Add health endpoint
Allow us to tell when the server is up and running and can answer
requests
2021-08-08 17:36:25 +01:00
Kristoffer Dalby
99fd126219
Remove unused mutex 2021-08-06 21:11:38 +01:00
Kristoffer Dalby
1abc68ccf4 Removes locks causing deadlock
This commit removes most of the locks in the PollingMap handler as there
was combinations that caused deadlocks. Instead of doing a plain map and
doing the locking ourselves, we use sync.Map which handles it for us.
2021-08-05 22:14:37 +01:00
Kristoffer Dalby
a8c8a358d0
Make log keys lowercase 2021-08-05 20:57:47 +01:00
Kristoffer Dalby
ee704f8ef3
Initial port to zerologger 2021-08-05 18:11:26 +01:00
Juan Font
6091373b53
Merge pull request #63 from juanfont/use-kv-for-updates
Added communication between Serve and CLI using KV table
2021-08-03 20:30:33 +02:00
Kristoffer Dalby
309f868a21 Make IP prefix configurable
This commit makes the IP prefix used to generate addresses configurable
to users. This can be useful if you would like to use a smaller range or
if your current setup is overlapping with the current range.

The current range is left as a default
2021-08-02 20:06:26 +01:00
Juan Font Alonso
97f7c90092 Added communication between Serve and CLI using KV table (helps in #52) 2021-07-25 17:59:48 +02:00
Ward Vandewege
3260362436 Add some more detail to the README about the different Let's Encrypt
validation methods.
2021-07-24 09:20:38 -04:00
Aaron Bieber
69d77f6e9d Add a 'tls_letsencrypt_listen' config option
Currently the default (and non-configurable) Let's Encrypt listener will
bind to all IPs. This isn't ideal if we want to run headscale on a specific
IP only.

This also allows for one to set the listener to something other than
port 80. This is useful for OSs like OpenBSD which only allow root to
bind the lower port ranges (and don't have `setcap`) as we can now run
`headscale` as a non-privileged user while still using the baked in ACME
magic. Obviously this configuration would also require a reverse proxy
or firewall rule to redirect traffic. I attempted to outline that in the
README change.
2021-07-23 16:12:01 -06:00
Juan Font Alonso
0159649d0a Send the namespace name as user to the clients 2021-07-11 16:39:19 +02:00
Juan Font Alonso
cf9d920e4a Minor typo 2021-07-11 15:10:37 +02:00
Juan Font Alonso
d4b27fd54b Merge branch 'main' into acls 2021-07-04 21:54:55 +02:00
Juan Font Alonso
ff9d99b9ea Use gorm connection pool 2021-07-04 21:40:46 +02:00
Juan Font
202d6b506f Load ACL policy on headscale startup 2021-07-04 13:24:05 +02:00
Juan Font
136aab9dc8 Work in progress in rule generation 2021-07-03 17:31:32 +02:00
Juan Font Alonso
aa27709e60 Update code to Tailscale 1.10 2021-06-25 18:57:08 +02:00
Juan Font Alonso
69ba750b38 Update Headscale to depend on gorm v2 2021-06-24 15:44:19 +02:00
Ward Vandewege
d1c3faae5f Remove superfluous test support code. Fix bug in node list cli command.
Add tests.
2021-05-23 09:55:15 -04:00
Ward Vandewege
41f6740ddd Add support for ephemeral nodes via a special type of pre-auth key. Add
tests for that feature.

Other fixes: clean up a few typos in comments. Fix a bug that caused the
tests to run four times each. Be more consistent in the use of log
rather than fmt to print errors and notices.
2021-05-22 20:18:29 -04:00
Juan Font Alonso
216c6d85b2 Added support for sqlite as database backend 2021-05-15 14:32:26 +02:00
Ward Vandewege
b34e90c45d Fix bug in preauthkeys: namespace object was not populated in the return
value from CreatePreAuthKey and GetPreAuthKeys. Add tests for that bug,
and the rest of the preauthkeys functionality.

Fix path in `compress` Makefile target.
2021-05-02 14:58:05 -04:00
Ward Vandewege
f7b6c68d22 Address a bunch of golint warnings. 2021-04-24 11:26:50 -04:00
Ward Vandewege
426b4fd98a Add support for automatic TLS certificates via Let's Encrypt. Add a
configuration reference to the README.md file.
2021-04-23 22:55:01 -04:00
Ward Vandewege
252c68c50a Add HTTPS support for the web endpoint with manually configured
certificate/key files.
2021-04-23 17:18:00 -04:00
Juan Font Alonso
541d676b98 Minor code reorg 2021-04-08 23:57:31 +02:00
Juan Font Alonso
1fad8e6e5b Added basic routes functionality 2021-03-14 11:38:42 +01:00
Juan Font Alonso
b7655b1f68 Initial multi-user support using namespaces 2021-02-28 00:58:09 +01:00
Juan Font Alonso
06fb7d4587 WIP: Client updates. Long polling rewritten 2021-02-23 21:07:52 +01:00