Commit Graph

79 Commits

Author SHA1 Message Date
ohdearaugustin
ca54fb9f56 Revert unix_socket to default value 2023-05-03 20:16:04 +02:00
Kristoffer Dalby
b684ac0668 Simplify goreleaser, package deb and rpm
This commit simplifies the goreleaser configuration and then adds nfpm
support which allows us to build .deb and .rpm for each of the ARCH we
support.

The deb and rpm packages adds systemd services and users, creates
directories etc and should in general give the user a working
environment. We should be able to remove a lot of the complicated,
PEBCAK inducing documentation after this.

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2023-04-07 11:06:42 +02:00
Kristoffer Dalby
da48cf64b3 Set OpenID Connect Expiry
This commit adds a default OpenID Connect expiry to 180d to align with
Tailscale SaaS (previously infinite or based on token expiry).

In addition, it adds an option use the expiry time from the Token sent
by the OpenID provider. This will typically cause really short expiry
and you should only turn on this option if you know what you are
desiring.

This fixes #1176.

Co-authored-by: Even Holthe <even.holthe@bekk.no>
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2023-01-31 18:55:16 +01:00
Kristoffer Dalby
fb3e2dcf10 Rename namespace to user in docs
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2023-01-18 15:40:04 +01:00
Motiejus Jakštys
bafb6791d3 oidc: allow reading the client secret from a file
Currently the most "secret" way to specify the oidc client secret is via
an environment variable `OIDC_CLIENT_SECRET`, which is problematic[1].
Lets allow reading oidc client secret from a file. For extra convenience
the path to the secret will resolve the environment variables.

[1]: https://systemd.io/CREDENTIALS/
2023-01-14 17:03:57 +01:00
Kristoffer Dalby
8ca0fb7ed0 update ip_prefixes docs
we cant actually have arbitrary ip ranges, add a note about that.

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2023-01-12 11:39:39 +01:00
Christian Heusel
e2c62a7b0c document how to add new DNS records via extra_records 2023-01-01 22:45:16 +01:00
Zachary Newell
70f2f5d750 Added an OIDC AllowGroups option for authorization. 2022-12-07 08:53:16 +01:00
Orville Q. Song
e69176e200 Tweak 2022-11-24 16:13:47 +01:00
Orville Q. Song
d29d0222af Add a note about the db_ssl field in the example config file 2022-11-24 16:13:47 +01:00
Juan Font
935319a218 Remove mTLS from doc and config example 2022-11-19 19:50:34 +01:00
Arnar Gauti Ingason
6d3ede1367 Add support for NextDNS resolver 2022-11-18 09:38:46 +01:00
Kristoffer Dalby
3d8dd68b14 default to localhost, not listen on all
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2022-11-16 17:37:35 +01:00
Kristoffer Dalby
9790831afb Make config example "local dev first"
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2022-11-16 17:37:35 +01:00
Mesar Hameed
d8e9d95a3b config-example.yaml: fix typos and improve english. 2022-11-10 15:52:57 +00:00
Kristoffer Dalby
ca8bca98ed
Add support for "override local DNS" (#905)
* Add support for "override local DNS"

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* Update changelog

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* Update cli dump test

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2022-10-31 16:26:18 +01:00
phpmalik
0b0fb0af22
Minor change
Spelling mistake
listning -> listening
2022-10-03 12:59:39 +05:30
Kristoffer Dalby
256b6cb54d
Add new option to config-example
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2022-09-26 10:01:15 +02:00
Igor Perepilitsyn
dd155dca97 Create a distinct log section in config 2022-09-11 21:37:23 +02:00
Igor Perepilitsyn
2403c0e198 toggle json logging via config 2022-08-26 13:10:51 +02:00
Juan Font Alonso
4424a9abc0 Noise private key now a nested field in config 2022-08-21 10:42:23 +02:00
Juan Font
67ffebc30a
Merge branch 'main' into hs2021-v2 2022-08-18 17:56:56 +02:00
azz
0cc14d0aca
feat: added db_ssl to config-example.yaml 2022-08-16 09:02:51 +01:00
Juan Font
c701f9e817
Merge branch 'main' into hs2021-v2 2022-08-15 22:56:39 +02:00
Victor Freire
0a5db52855 Add ability to connect to PostgreSQL via unix socket 2022-08-15 11:55:38 -03:00
Victor Freire
ec5acf7be2 Add ability to connect to PostgreSQL via unix socket 2022-08-13 11:34:12 -03:00
Juan Font Alonso
6e8e2bf508 Generate and read the Noise private key 2022-08-13 11:14:38 +02:00
Juan Font Alonso
5b5298b025 Renamed config param for node update check internal 2022-07-12 12:52:03 +02:00
Juan Font Alonso
cf3fc85196 Make tailnet updates check configurable 2022-07-12 12:27:28 +02:00
Anton Schubert
34be10840c add ability to set randomizeClientPort 2022-06-09 21:26:40 +02:00
Kristoffer Dalby
df7d5fa2b9 Fix lint 2022-05-30 14:58:40 +02:00
Kristoffer Dalby
a0c465c2eb Wire up setting to enable/disable logtail 2022-05-30 14:47:41 +02:00
Antoine POPINEAU
7cc58af932
Allow more configuration over the OIDC flow.
Adds knobs to configure three aspects of the OpenID Connect flow:

 * Custom scopes to override the default "openid profile email".
 * Custom parameters to be added to the Authorize Endpoint request.
 * Domain allowlisting for authenticated principals.
 * User allowlisting for authenticated principals.
2022-05-02 17:11:07 +02:00
Juan Font Alonso
d5ce7d7523 Prettier 2022-03-18 13:09:57 +01:00
Juan Font Alonso
2e6687209b Make STUN server mandatory if DERP embedded is enabled 2022-03-18 12:58:00 +01:00
Juan Font Alonso
b8aad5451d Make STUN run by default when embedded DERP is enabled
This commit also allows to set an external STUN server, while running the embedded DERP server (without embedded STUN)
2022-03-15 13:22:25 +01:00
Juan Font Alonso
580db9b58f Mention that STUN is UDP 2022-03-06 23:19:21 +01:00
Juan Font Alonso
eb06054a7b Make DERP Region configurable 2022-03-06 17:25:21 +01:00
Juan Font Alonso
eb500155e8 Make STUN server configurable 2022-03-06 17:00:56 +01:00
Juan Font Alonso
237f7f1027 Merge branch 'main' into embedded-derp 2022-03-05 19:42:29 +01:00
Juan Font Alonso
df37d1a639 Do not offer the option to be DERP insecure
Websockets, in which DERP is based, requires a TLS certificate. At the same time,
if we use a certificate it must be valid... otherwise Tailscale wont connect (does not
have an Insecure option). So there is no option to expose insecure here
2022-03-05 19:19:21 +01:00
Juan Font Alonso
758b1ba1cb Renamed configuration items of the DERP server 2022-03-05 16:22:02 +01:00
zakaria
745696b310 docs: fix mistake in ACME challenge type comment 2022-03-04 12:11:43 +10:00
Kristoffer Dalby
b61500670c
Merge branch 'main' into metrics-listen 2022-03-02 11:35:33 +00:00
Nico Rey
9a61725e9f Metrics: Disable toggle. Set default port to 9090 2022-02-28 10:40:02 -03:00
Kristoffer Dalby
6126d6d9b5
Merge branch 'main' into metrics-listen 2022-02-28 14:24:25 +01:00
Kristoffer Dalby
e0b9a317f4 Add note to config example 2022-02-27 09:05:08 +01:00
Nico Rey
06e6c29a5b metrics: make metrics endpoint toggleable 2022-02-25 18:36:03 -03:00
Nico Rey
a9122c3de3 prometheus: replace default port by a port between the recommended prometheus range 2022-02-25 18:21:20 -03:00
Nico
d55c79e75b
Merge branch 'main' into metrics-listen 2022-02-24 10:41:07 -03:00