From 4424a9abc0e1c81aae6709a70c635fc71b5e308f Mon Sep 17 00:00:00 2001
From: Juan Font Alonso
Date: Sun, 21 Aug 2022 10:42:23 +0200
Subject: [PATCH] Noise private key now a nested field in config
---
 cmd/headscale/headscale_test.go | 20 ++++++++++++-------
 config-example.yaml | 14 +++++++------
 config.go | 6 +++---
 docs/running-headscale-container.md | 3 ++-
 .../etc/alt-config.dump.gold.yaml | 3 ++-
 integration_test/etc/alt-config.yaml | 3 ++-
 integration_test/etc/config.dump.gold.yaml | 3 ++-
 7 files changed, 32 insertions(+), 20 deletions(-)
diff --git a/cmd/headscale/headscale_test.go b/cmd/headscale/headscale_test.go
index b0667f7..007d280 100644
--- a/cmd/headscale/headscale_test.go
+++ b/cmd/headscale/headscale_test.go
@@ -163,10 +163,12 @@ func (*Suite) TestTLSConfigValidation(c *check.C) {
 c.Fatal(err)
 }
 // defer os.RemoveAll(tmpDir)
-
- configYaml := []byte(
- "---\nnoise_private_key_path: \"noise_private.key\"\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"\"\ntls_cert_path: \"abc.pem\"\n",
- )
+ configYaml := []byte(`---
+tls_letsencrypt_hostname: example.com
+tls_letsencrypt_challenge_type: ""
+tls_cert_path: abc.pem
+noise:
+ private_key_path: noise_private.key`)
 writeConfig(c, tmpDir, configYaml)
 // Check configuration validation errors (1)
@@ -191,9 +193,13 @@ func (*Suite) TestTLSConfigValidation(c *check.C) {
 )
 // Check configuration validation errors (2)
- configYaml = []byte(
- "---\nnoise_private_key_path: \"noise_private.key\"\nserver_url: \"http://127.0.0.1:8080\"\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"TLS-ALPN-01\"",
- )
+ configYaml = []byte(`---
+noise:
+ private_key_path: noise_private.key
+server_url: http://127.0.0.1:8080
+tls_letsencrypt_hostname: example.com
+tls_letsencrypt_challenge_type: TLS-ALPN-01
+`)
 writeConfig(c, tmpDir, configYaml)
 err = headscale.LoadConfig(tmpDir, false)
 c.Assert(err, check.IsNil)
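Review bot: Neither rewritten fixture in these two hunks exercises the branch LoadConfig now takes when `noise:` is present but `private_key_path` is empty, nor the legacy top-level `noise_private_key_path` key, so the condition that replaced the old `IsSet` check has no negative test. A third fixture with `noise:` followed by `private_key_path: ""`, asserting that the returned error text names `noise.private_key_path`, would cover it. As a point of style, the first raw string ends without a trailing newline and the second ends with one; pick one form for both. TestTLSConfigValidation starts before the first hunk and continues past the second.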
diff --git a/config-example.yaml b/config-example.yaml
index 5ebc130..2019a13 100644
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -41,12 +41,14 @@ grpc_allow_insecure: false
 # autogenerated if it's missing
 private_key_path: /var/lib/headscale/private.key
-# The Noise private key is used to encrypt the
-# traffic between headscale and Tailscale clients when
-# using the new Noise-based TS2021 protocol.
-# The noise private key file which will be
-# autogenerated if it's missing
-noise_private_key_path: /var/lib/headscale/noise_private.key
+# The Noise section includes specific configuration for the
+# TS2021 Noise procotol
+noise:
+ # The Noise private key is used to encrypt the
+ # traffic between headscale and Tailscale clients when
+ # using the new Noise-based protocol. It must be different
+ # from the legacy private key.
+ private_key_path: /var/lib/headscale/noise_private.key
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
diff --git a/config.go b/config.go
index e503b61..0024731 100644
--- a/config.go
+++ b/config.go
@@ -185,8 +185,8 @@ func LoadConfig(path string, isFile bool) error {
 errorText += "Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both\n"
 }
- if !viper.IsSet("noise_private_key_path") {
- errorText += "Fatal config error: headscale now requires a new `noise_private_key_path` field in the config file for the Tailscale v2 protocol\n"
+ if !viper.IsSet("noise") || viper.GetString("noise.private_key_path") == "" {
+ errorText += "Fatal config error: headscale now requires a new `noise.private_key_path` field in the config file for the Tailscale v2 protocol\n"
 }
 if (viper.GetString("tls_letsencrypt_hostname") != "") &&
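Review bot: The new section comment on the `+# TS2021 Noise procotol` line misspells "protocol", and the rewritten key comment drops the statement from the removed lines that the noise key file is autogenerated when it is missing. Nothing in this diff changes that behaviour, so if it still holds the nested comment should keep it, e.g. `# The noise private key file, autogenerated if it's missing.`; if it no longer applies, the omission should be deliberate and the operator told to create the file.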
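Review bot: The new guard's `viper.IsSet("noise")` clause is redundant — `viper.GetString("noise.private_key_path")` already returns "" when the section is absent — and neither clause recognises the old top-level `noise_private_key_path` key, so an operator whose config is otherwise valid sees only the generic "requires a new field" message after upgrading. A preceding branch on `viper.IsSet("noise_private_key_path")` that appends a message pointing at `noise.private_key_path` would make the migration explicit. The example config in this commit also states the Noise key must differ from the legacy private key, but this validation never compares `noise.private_key_path` with `private_key_path`; comparing the two resolved paths here would turn that documented requirement into an enforced one. LoadConfig's body starts and ends outside the hunk.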
@@ -494,7 +494,7 @@ func GetHeadscaleConfig() (*Config, error) {
 viper.GetString("private_key_path"),
 ),
 NoisePrivateKeyPath: AbsolutePathFromConfigPath(
- viper.GetString("noise_private_key_path"),
+ viper.GetString("noise.private_key_path"),
 ),
 BaseDomain: baseDomain,
diff --git a/docs/running-headscale-container.md b/docs/running-headscale-container.md
index 4a9f151..d341bb7 100644
--- a/docs/running-headscale-container.md
+++ b/docs/running-headscale-container.md
@@ -54,7 +54,8 @@ metrics_listen_addr: 0.0.0.0:9090
 # The default /var/lib/headscale path is not writable in the container
 private_key_path: /etc/headscale/private.key
 # The default /var/lib/headscale path is not writable in the container
-noise_private_key_path: /var/lib/headscale/noise_private.key
+noise:
+ private_key_path: /var/lib/headscale/noise_private.key
 # The default /var/lib/headscale path is not writable in the container
 db_path: /etc/headscale/db.sqlite
 ```
diff --git a/integration_test/etc/alt-config.dump.gold.yaml b/integration_test/etc/alt-config.dump.gold.yaml
index e71c957..3d38b12 100644
--- a/integration_test/etc/alt-config.dump.gold.yaml
+++ b/integration_test/etc/alt-config.dump.gold.yaml
@@ -39,7 +39,8 @@ oidc:
 - email
 strip_email_domain: true
 private_key_path: private.key
-noise_private_key_path: noise_private.key
+noise:
+ private_key_path: noise_private.key
 server_url: http://headscale:18080
 tls_client_auth_mode: relaxed
 tls_letsencrypt_cache_dir: /var/www/.cache
diff --git a/integration_test/etc/alt-config.yaml b/integration_test/etc/alt-config.yaml
index 35dd9e4..179fdcd 100644
--- a/integration_test/etc/alt-config.yaml
+++ b/integration_test/etc/alt-config.yaml
@@ -15,7 +15,8 @@ dns_config:
 - 1.1.1.1
 db_path: /tmp/integration_test_db.sqlite3
 private_key_path: private.key
-noise_private_key_path: noise_private.key
+noise:
+ private_key_path: noise_private.key
 listen_addr: 0.0.0.0:18080
 metrics_listen_addr: 127.0.0.1:19090
 server_url: http://headscale:18080
diff --git a/integration_test/etc/config.dump.gold.yaml b/integration_test/etc/config.dump.gold.yaml
index 7153965..91ca5b9 100644
--- a/integration_test/etc/config.dump.gold.yaml
+++ b/integration_test/etc/config.dump.gold.yaml
@@ -39,7 +39,8 @@ oidc:
 - email
 strip_email_domain: true
 private_key_path: private.key
-noise_private_key_path: noise_private.key
+noise:
+ private_key_path: noise_private.key
 server_url: http://headscale:8080
 tls_client_auth_mode: relaxed
 tls_letsencrypt_cache_dir: /var/www/.cache