Noise private key now a nested field in config
This commit is contained in:
parent
e20e818a42
commit
4424a9abc0
7 changed files with 32 additions and 20 deletions
|
@ -163,10 +163,12 @@ func (*Suite) TestTLSConfigValidation(c *check.C) {
|
||||||
c.Fatal(err)
|
c.Fatal(err)
|
||||||
}
|
}
|
||||||
// defer os.RemoveAll(tmpDir)
|
// defer os.RemoveAll(tmpDir)
|
||||||
|
configYaml := []byte(`---
|
||||||
configYaml := []byte(
|
tls_letsencrypt_hostname: example.com
|
||||||
"---\nnoise_private_key_path: \"noise_private.key\"\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"\"\ntls_cert_path: \"abc.pem\"\n",
|
tls_letsencrypt_challenge_type: ""
|
||||||
)
|
tls_cert_path: abc.pem
|
||||||
|
noise:
|
||||||
|
private_key_path: noise_private.key`)
|
||||||
writeConfig(c, tmpDir, configYaml)
|
writeConfig(c, tmpDir, configYaml)
|
||||||
|
|
||||||
// Check configuration validation errors (1)
|
// Check configuration validation errors (1)
|
||||||
|
@ -191,9 +193,13 @@ func (*Suite) TestTLSConfigValidation(c *check.C) {
|
||||||
)
|
)
|
||||||
|
|
||||||
// Check configuration validation errors (2)
|
// Check configuration validation errors (2)
|
||||||
configYaml = []byte(
|
configYaml = []byte(`---
|
||||||
"---\nnoise_private_key_path: \"noise_private.key\"\nserver_url: \"http://127.0.0.1:8080\"\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"TLS-ALPN-01\"",
|
noise:
|
||||||
)
|
private_key_path: noise_private.key
|
||||||
|
server_url: http://127.0.0.1:8080
|
||||||
|
tls_letsencrypt_hostname: example.com
|
||||||
|
tls_letsencrypt_challenge_type: TLS-ALPN-01
|
||||||
|
`)
|
||||||
writeConfig(c, tmpDir, configYaml)
|
writeConfig(c, tmpDir, configYaml)
|
||||||
err = headscale.LoadConfig(tmpDir, false)
|
err = headscale.LoadConfig(tmpDir, false)
|
||||||
c.Assert(err, check.IsNil)
|
c.Assert(err, check.IsNil)
|
||||||
|
|
|
@ -41,12 +41,14 @@ grpc_allow_insecure: false
|
||||||
# autogenerated if it's missing
|
# autogenerated if it's missing
|
||||||
private_key_path: /var/lib/headscale/private.key
|
private_key_path: /var/lib/headscale/private.key
|
||||||
|
|
||||||
# The Noise private key is used to encrypt the
|
# The Noise section includes specific configuration for the
|
||||||
# traffic between headscale and Tailscale clients when
|
# TS2021 Noise procotol
|
||||||
# using the new Noise-based TS2021 protocol.
|
noise:
|
||||||
# The noise private key file which will be
|
# The Noise private key is used to encrypt the
|
||||||
# autogenerated if it's missing
|
# traffic between headscale and Tailscale clients when
|
||||||
noise_private_key_path: /var/lib/headscale/noise_private.key
|
# using the new Noise-based protocol. It must be different
|
||||||
|
# from the legacy private key.
|
||||||
|
private_key_path: /var/lib/headscale/noise_private.key
|
||||||
|
|
||||||
# List of IP prefixes to allocate tailaddresses from.
|
# List of IP prefixes to allocate tailaddresses from.
|
||||||
# Each prefix consists of either an IPv4 or IPv6 address,
|
# Each prefix consists of either an IPv4 or IPv6 address,
|
||||||
|
|
|
@ -185,8 +185,8 @@ func LoadConfig(path string, isFile bool) error {
|
||||||
errorText += "Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both\n"
|
errorText += "Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both\n"
|
||||||
}
|
}
|
||||||
|
|
||||||
if !viper.IsSet("noise_private_key_path") {
|
if !viper.IsSet("noise") || viper.GetString("noise.private_key_path") == "" {
|
||||||
errorText += "Fatal config error: headscale now requires a new `noise_private_key_path` field in the config file for the Tailscale v2 protocol\n"
|
errorText += "Fatal config error: headscale now requires a new `noise.private_key_path` field in the config file for the Tailscale v2 protocol\n"
|
||||||
}
|
}
|
||||||
|
|
||||||
if (viper.GetString("tls_letsencrypt_hostname") != "") &&
|
if (viper.GetString("tls_letsencrypt_hostname") != "") &&
|
||||||
|
@ -494,7 +494,7 @@ func GetHeadscaleConfig() (*Config, error) {
|
||||||
viper.GetString("private_key_path"),
|
viper.GetString("private_key_path"),
|
||||||
),
|
),
|
||||||
NoisePrivateKeyPath: AbsolutePathFromConfigPath(
|
NoisePrivateKeyPath: AbsolutePathFromConfigPath(
|
||||||
viper.GetString("noise_private_key_path"),
|
viper.GetString("noise.private_key_path"),
|
||||||
),
|
),
|
||||||
BaseDomain: baseDomain,
|
BaseDomain: baseDomain,
|
||||||
|
|
||||||
|
|
|
@ -54,7 +54,8 @@ metrics_listen_addr: 0.0.0.0:9090
|
||||||
# The default /var/lib/headscale path is not writable in the container
|
# The default /var/lib/headscale path is not writable in the container
|
||||||
private_key_path: /etc/headscale/private.key
|
private_key_path: /etc/headscale/private.key
|
||||||
# The default /var/lib/headscale path is not writable in the container
|
# The default /var/lib/headscale path is not writable in the container
|
||||||
noise_private_key_path: /var/lib/headscale/noise_private.key
|
noise:
|
||||||
|
private_key_path: /var/lib/headscale/noise_private.key
|
||||||
# The default /var/lib/headscale path is not writable in the container
|
# The default /var/lib/headscale path is not writable in the container
|
||||||
db_path: /etc/headscale/db.sqlite
|
db_path: /etc/headscale/db.sqlite
|
||||||
```
|
```
|
||||||
|
|
|
@ -39,7 +39,8 @@ oidc:
|
||||||
- email
|
- email
|
||||||
strip_email_domain: true
|
strip_email_domain: true
|
||||||
private_key_path: private.key
|
private_key_path: private.key
|
||||||
noise_private_key_path: noise_private.key
|
noise:
|
||||||
|
private_key_path: noise_private.key
|
||||||
server_url: http://headscale:18080
|
server_url: http://headscale:18080
|
||||||
tls_client_auth_mode: relaxed
|
tls_client_auth_mode: relaxed
|
||||||
tls_letsencrypt_cache_dir: /var/www/.cache
|
tls_letsencrypt_cache_dir: /var/www/.cache
|
||||||
|
|
|
@ -15,7 +15,8 @@ dns_config:
|
||||||
- 1.1.1.1
|
- 1.1.1.1
|
||||||
db_path: /tmp/integration_test_db.sqlite3
|
db_path: /tmp/integration_test_db.sqlite3
|
||||||
private_key_path: private.key
|
private_key_path: private.key
|
||||||
noise_private_key_path: noise_private.key
|
noise:
|
||||||
|
private_key_path: noise_private.key
|
||||||
listen_addr: 0.0.0.0:18080
|
listen_addr: 0.0.0.0:18080
|
||||||
metrics_listen_addr: 127.0.0.1:19090
|
metrics_listen_addr: 127.0.0.1:19090
|
||||||
server_url: http://headscale:18080
|
server_url: http://headscale:18080
|
||||||
|
|
|
@ -39,7 +39,8 @@ oidc:
|
||||||
- email
|
- email
|
||||||
strip_email_domain: true
|
strip_email_domain: true
|
||||||
private_key_path: private.key
|
private_key_path: private.key
|
||||||
noise_private_key_path: noise_private.key
|
noise:
|
||||||
|
private_key_path: noise_private.key
|
||||||
server_url: http://headscale:8080
|
server_url: http://headscale:8080
|
||||||
tls_client_auth_mode: relaxed
|
tls_client_auth_mode: relaxed
|
||||||
tls_letsencrypt_cache_dir: /var/www/.cache
|
tls_letsencrypt_cache_dir: /var/www/.cache
|
||||||
|
|
Loading…
Reference in a new issue