Noise private key now a nested field in config

This commit is contained in:
Juan Font Alonso 2022-08-21 10:42:23 +02:00
parent e20e818a42
commit 4424a9abc0
7 changed files with 32 additions and 20 deletions


@ -163,10 +163,12 @@ func (*Suite) TestTLSConfigValidation(c *check.C) {
c.Fatal(err) c.Fatal(err)
} }
// defer os.RemoveAll(tmpDir) // defer os.RemoveAll(tmpDir)
configYaml := []byte(`---
configYaml := []byte( tls_letsencrypt_hostname: example.com
"---\nnoise_private_key_path: \"noise_private.key\"\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"\"\ntls_cert_path: \"abc.pem\"\n", tls_letsencrypt_challenge_type: ""
) tls_cert_path: abc.pem
noise:
private_key_path: noise_private.key`)
writeConfig(c, tmpDir, configYaml) writeConfig(c, tmpDir, configYaml)
// Check configuration validation errors (1) // Check configuration validation errors (1)
@ -191,9 +193,13 @@ func (*Suite) TestTLSConfigValidation(c *check.C) {
) )
// Check configuration validation errors (2) // Check configuration validation errors (2)
configYaml = []byte( configYaml = []byte(`---
"---\nnoise_private_key_path: \"noise_private.key\"\nserver_url: \"http://127.0.0.1:8080\"\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"TLS-ALPN-01\"", noise:
) private_key_path: noise_private.key
server_url: http://127.0.0.1:8080
tls_letsencrypt_hostname: example.com
tls_letsencrypt_challenge_type: TLS-ALPN-01
`)
writeConfig(c, tmpDir, configYaml) writeConfig(c, tmpDir, configYaml)
err = headscale.LoadConfig(tmpDir, false) err = headscale.LoadConfig(tmpDir, false)
c.Assert(err, check.IsNil) c.Assert(err, check.IsNil)
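Review bot: Both rewritten YAML fixtures exercise only the new `noise.private_key_path` key, so nothing in this test pins what LoadConfig does with a config that still carries the pre-commit top-level `noise_private_key_path` key, which is the case an existing deployment hits on upgrade. A third fixture containing only that legacy key, asserting that `headscale.LoadConfig(tmpDir, false)` returns the `noise.private_key_path` fatal config error, would cover the new condition added to LoadConfig in this commit. TestTLSConfigValidation starts and ends outside these hunks.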


@ -41,12 +41,14 @@ grpc_allow_insecure: false
# autogenerated if it's missing # autogenerated if it's missing
private_key_path: /var/lib/headscale/private.key private_key_path: /var/lib/headscale/private.key
# The Noise section includes specific configuration for the
# TS2021 Noise procotol
noise:
# The Noise private key is used to encrypt the # The Noise private key is used to encrypt the
# traffic between headscale and Tailscale clients when # traffic between headscale and Tailscale clients when
# using the new Noise-based TS2021 protocol. # using the new Noise-based protocol. It must be different
# The noise private key file which will be # from the legacy private key.
# autogenerated if it's missing private_key_path: /var/lib/headscale/noise_private.key
noise_private_key_path: /var/lib/headscale/noise_private.key
# List of IP prefixes to allocate tailaddresses from. # List of IP prefixes to allocate tailaddresses from.
# Each prefix consists of either an IPv4 or IPv6 address, # Each prefix consists of either an IPv4 or IPv6 address,
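Review bot: `# TS2021 Noise procotol` in the new section header misspells "protocol"; change it to `# TS2021 Noise protocol`. The rewritten comment under `noise:` also drops the old "autogenerated if it's missing" sentence that the legacy `private_key_path` comment just above still carries, so a reader can no longer tell whether the Noise key file is created on first start. If that behaviour is unchanged, keep a line such as `# The noise private key file will be autogenerated if it's missing`; if it is not, state that the file must be provided.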


@ -185,8 +185,8 @@ func LoadConfig(path string, isFile bool) error {
errorText += "Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both\n" errorText += "Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both\n"
} }
if !viper.IsSet("noise_private_key_path") { if !viper.IsSet("noise") || viper.GetString("noise.private_key_path") == "" {
errorText += "Fatal config error: headscale now requires a new `noise_private_key_path` field in the config file for the Tailscale v2 protocol\n" errorText += "Fatal config error: headscale now requires a new `noise.private_key_path` field in the config file for the Tailscale v2 protocol\n"
} }
if (viper.GetString("tls_letsencrypt_hostname") != "") && if (viper.GetString("tls_letsencrypt_hostname") != "") &&
@ -494,7 +494,7 @@ func GetHeadscaleConfig() (*Config, error) {
viper.GetString("private_key_path"), viper.GetString("private_key_path"),
), ),
NoisePrivateKeyPath: AbsolutePathFromConfigPath( NoisePrivateKeyPath: AbsolutePathFromConfigPath(
viper.GetString("noise_private_key_path"), viper.GetString("noise.private_key_path"),
), ),
BaseDomain: baseDomain, BaseDomain: baseDomain,
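Review bot: The new check at `if !viper.IsSet("noise") || viper.GetString("noise.private_key_path") == ""` accepts a config whose `noise.private_key_path` resolves to the same file as `private_key_path`, although config-example.yaml in this same commit states the Noise key must differ from the legacy key; since GetHeadscaleConfig already passes both values through AbsolutePathFromConfigPath, LoadConfig could compare the two resolved paths and append `errorText += "Fatal config error: noise.private_key_path must differ from private_key_path\n"` when they are equal. The `viper.IsSet("noise")` half of the condition is redundant, because `viper.GetString("noise.private_key_path")` already yields "" when the section is absent, so `if viper.GetString("noise.private_key_path") == "" {` expresses the same check. Deployments upgrading with the old top-level `noise_private_key_path` key now fail with a message that does not mention the rename; a `viper.IsSet("noise_private_key_path")` branch whose message names the move to `noise.private_key_path` would make the migration explicit. LoadConfig and GetHeadscaleConfig both start and end outside these hunks.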


@ -54,7 +54,8 @@ metrics_listen_addr: 0.0.0.0:9090
# The default /var/lib/headscale path is not writable in the container # The default /var/lib/headscale path is not writable in the container
private_key_path: /etc/headscale/private.key private_key_path: /etc/headscale/private.key
# The default /var/lib/headscale path is not writable in the container # The default /var/lib/headscale path is not writable in the container
noise_private_key_path: /var/lib/headscale/noise_private.key noise:
private_key_path: /var/lib/headscale/noise_private.key
# The default /var/lib/headscale path is not writable in the container # The default /var/lib/headscale path is not writable in the container
db_path: /etc/headscale/db.sqlite db_path: /etc/headscale/db.sqlite
``` ```


@ -39,7 +39,8 @@ oidc:
- email - email
strip_email_domain: true strip_email_domain: true
private_key_path: private.key private_key_path: private.key
noise_private_key_path: noise_private.key noise:
private_key_path: noise_private.key
server_url: http://headscale:18080 server_url: http://headscale:18080
tls_client_auth_mode: relaxed tls_client_auth_mode: relaxed
tls_letsencrypt_cache_dir: /var/www/.cache tls_letsencrypt_cache_dir: /var/www/.cache


@ -15,7 +15,8 @@ dns_config:
- 1.1.1.1 - 1.1.1.1
db_path: /tmp/integration_test_db.sqlite3 db_path: /tmp/integration_test_db.sqlite3
private_key_path: private.key private_key_path: private.key
noise_private_key_path: noise_private.key noise:
private_key_path: noise_private.key
listen_addr: 0.0.0.0:18080 listen_addr: 0.0.0.0:18080
metrics_listen_addr: 127.0.0.1:19090 metrics_listen_addr: 127.0.0.1:19090
server_url: http://headscale:18080 server_url: http://headscale:18080


@ -39,7 +39,8 @@ oidc:
- email - email
strip_email_domain: true strip_email_domain: true
private_key_path: private.key private_key_path: private.key
noise_private_key_path: noise_private.key noise:
private_key_path: noise_private.key
server_url: http://headscale:8080 server_url: http://headscale:8080
tls_client_auth_mode: relaxed tls_client_auth_mode: relaxed
tls_letsencrypt_cache_dir: /var/www/.cache tls_letsencrypt_cache_dir: /var/www/.cache