Load ACL policy on headscale startup
This commit is contained in:
parent
401e6aec32
commit
202d6b506f
4 changed files with 18 additions and 3 deletions
7
acls.go
7
acls.go
|
@ -22,7 +22,7 @@ const errorInvalidTag = Error("invalid tag")
|
||||||
const errorInvalidNamespace = Error("invalid namespace")
|
const errorInvalidNamespace = Error("invalid namespace")
|
||||||
const errorInvalidPortFormat = Error("invalid port format")
|
const errorInvalidPortFormat = Error("invalid port format")
|
||||||
|
|
||||||
func (h *Headscale) LoadPolicy(path string) error {
|
func (h *Headscale) LoadAclPolicy(path string) error {
|
||||||
policyFile, err := os.Open(path)
|
policyFile, err := os.Open(path)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
@ -40,7 +40,12 @@ func (h *Headscale) LoadPolicy(path string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
h.aclPolicy = &policy
|
h.aclPolicy = &policy
|
||||||
|
rules, err := h.generateACLRules()
|
||||||
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
}
|
||||||
|
h.aclRules = rules
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *Headscale) generateACLRules() (*[]tailcfg.FilterRule, error) {
|
func (h *Headscale) generateACLRules() (*[]tailcfg.FilterRule, error) {
|
||||||
|
|
2
api.go
2
api.go
|
@ -373,7 +373,7 @@ func (h *Headscale) getMapResponse(mKey wgkey.Key, req tailcfg.MapRequest, m Mac
|
||||||
DNS: []netaddr.IP{},
|
DNS: []netaddr.IP{},
|
||||||
SearchPaths: []string{},
|
SearchPaths: []string{},
|
||||||
Domain: "foobar@example.com",
|
Domain: "foobar@example.com",
|
||||||
PacketFilter: tailcfg.FilterAllowAll,
|
PacketFilter: *h.aclRules,
|
||||||
DERPMap: h.cfg.DerpMap,
|
DERPMap: h.cfg.DerpMap,
|
||||||
UserProfiles: []tailcfg.UserProfile{},
|
UserProfiles: []tailcfg.UserProfile{},
|
||||||
}
|
}
|
||||||
|
|
3
app.go
3
app.go
|
@ -50,6 +50,7 @@ type Headscale struct {
|
||||||
privateKey *wgkey.Private
|
privateKey *wgkey.Private
|
||||||
|
|
||||||
aclPolicy *ACLPolicy
|
aclPolicy *ACLPolicy
|
||||||
|
aclRules *[]tailcfg.FilterRule
|
||||||
|
|
||||||
pollMu sync.Mutex
|
pollMu sync.Mutex
|
||||||
clientsPolling map[uint64]chan []byte // this is by all means a hackity hack
|
clientsPolling map[uint64]chan []byte // this is by all means a hackity hack
|
||||||
|
@ -84,7 +85,9 @@ func NewHeadscale(cfg Config) (*Headscale, error) {
|
||||||
dbString: dbString,
|
dbString: dbString,
|
||||||
privateKey: privKey,
|
privateKey: privKey,
|
||||||
publicKey: &pubKey,
|
publicKey: &pubKey,
|
||||||
|
aclRules: &tailcfg.FilterAllowAll, // default allowall
|
||||||
}
|
}
|
||||||
|
|
||||||
err = h.initDB()
|
err = h.initDB()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|
|
@ -119,6 +119,13 @@ func getHeadscaleApp() (*headscale.Headscale, error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// We are doing this here, as in the future could be cool to have it also hot-reload
|
||||||
|
err = h.LoadAclPolicy(absPath(viper.GetString("acl_policy_path")))
|
||||||
|
if err != nil {
|
||||||
|
log.Printf("Could not load the ACL policy: %s", err)
|
||||||
|
}
|
||||||
|
|
||||||
return h, nil
|
return h, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue