Merge branch 'main' into acls-doc

2025-10-28 10:51:44 +01:00 · 2022-03-18 20:44:44 +00:00 · 2022-03-18 20:44:44 +00:00 · 47bbb85a20
commit 47bbb85a20
parent d68d7d5a6f 304109a6c5
15 changed files with 48 additions and 39 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -31,7 +31,7 @@ jobs:
        if: steps.changed-files.outputs.any_changed == 'true'
        uses: actions/setup-go@v2
        with:
-          go-version: "1.17.7"
+          go-version: "1.18.0"
      - name: Install dependencies
        if: steps.changed-files.outputs.any_changed == 'true'
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -18,7 +18,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v2
        with:
-          go-version: 1.17.7
+          go-version: 1.18.0
      - name: Install dependencies
        run: |
--- a/.github/workflows/test-integration.yml
+++ b/.github/workflows/test-integration.yml
@ -25,7 +25,7 @@ jobs:
        if: steps.changed-files.outputs.any_changed == 'true'
        uses: actions/setup-go@v2
        with:
-          go-version: "1.17.7"
+          go-version: "1.18.0"
      - name: Run Integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -25,7 +25,7 @@ jobs:
        if: steps.changed-files.outputs.any_changed == 'true'
        uses: actions/setup-go@v2
        with:
-          go-version: "1.17.7"
+          go-version: "1.18.0"
      - name: Install dependencies
        if: steps.changed-files.outputs.any_changed == 'true'
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -29,6 +29,7 @@
 - Fix a limitation in the ACLs that prevented users to write rules with `*` as source [#374](https://github.com/juanfont/headscale/issues/374)
 - Reduce the overhead of marshal/unmarshal for Hostinfo, routes and endpoints by using specific types in Machine [#371](https://github.com/juanfont/headscale/pull/371)
 - Apply normalization function to FQDN on hostnames when hosts registers and retrieve informations [#363](https://github.com/juanfont/headscale/issues/363)
 - Fix a bug that prevented the use of `tailscale logout` with OIDC [#508](https://github.com/juanfont/headscale/issues/508)
 ## 0.14.0 (2022-02-24)
--- a/2
+++ b/2
@ -1,5 +1,5 @@
 # Builder image
-FROM docker.io/golang:1.17.8-bullseye AS build
+FROM docker.io/golang:1.18.0-bullseye AS build
 ENV GOPATH /go
 WORKDIR /go/src/headscale
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@ -1,5 +1,5 @@
 # Builder image
-FROM docker.io/golang:1.17.8-alpine AS build
+FROM docker.io/golang:1.18.0-alpine AS build
 ENV GOPATH /go
 WORKDIR /go/src/headscale
--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@ -1,5 +1,5 @@
 # Builder image
-FROM docker.io/golang:1.17.8-bullseye AS build
+FROM docker.io/golang:1.18.0-bullseye AS build
 ENV GOPATH /go
 WORKDIR /go/src/headscale
--- a/app.go
+++ b/app.go
@ -47,6 +47,14 @@ import (
 	"tailscale.com/types/key"
 )
 const (
 	errSTUNAddressNotSet                   = Error("STUN address not set")
 	errUnsupportedDatabase                 = Error("unsupported DB")
 	errUnsupportedLetsEncryptChallengeType = Error(
 		"unknown value for Lets Encrypt challenge type",
 	)
 )
 const (
 	AuthPrefix         = "Bearer "
 	Postgres           = "postgres"
@ -58,11 +66,6 @@ const (
 	registerCacheExpiration = time.Minute * 15
 	registerCacheCleanup    = time.Minute * 20
 	errUnsupportedDatabase                 = Error("unsupported DB")
 	errUnsupportedLetsEncryptChallengeType = Error(
 		"unknown value for Lets Encrypt challenge type",
 	)
 	DisabledClientAuth = "disabled"
 	RelaxedClientAuth  = "relaxed"
 	EnforcedClientAuth = "enforced"
@ -124,7 +127,6 @@ type DERPConfig struct {
 	ServerRegionID   int
 	ServerRegionCode string
 	ServerRegionName string
 	STUNEnabled      bool
 	STUNAddr         string
 	URLs             []url.URL
 	Paths            []string
@ -500,10 +502,13 @@ func (h *Headscale) Serve() error {
 	h.DERPMap = GetDERPMap(h.cfg.DERP)
 	if h.cfg.DERP.ServerEnabled {
-		h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region
+		// When embedded DERP is enabled we always need a STUN server
-		if h.cfg.DERP.STUNEnabled {
+		if h.cfg.DERP.STUNAddr == "" {
-			go h.ServeSTUN()
+			return errSTUNAddressNotSet
 		}
 		h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region
 		go h.ServeSTUN()
 	}
 	if h.cfg.DERP.AutoUpdate {
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@ -55,6 +55,9 @@ func LoadConfig(path string) error {
 	viper.SetDefault("dns_config", nil)
 	viper.SetDefault("derp.server.enabled", false)
 	viper.SetDefault("derp.server.stun.enabled", true)
 	viper.SetDefault("unix_socket", "/var/run/headscale.sock")
 	viper.SetDefault("unix_socket_permission", "0o770")
@ -121,8 +124,11 @@ func GetDERPConfig() headscale.DERPConfig {
 	serverRegionID := viper.GetInt("derp.server.region_id")
 	serverRegionCode := viper.GetString("derp.server.region_code")
 	serverRegionName := viper.GetString("derp.server.region_name")
-	stunEnabled := viper.GetBool("derp.server.stun.enabled")
+	stunAddr := viper.GetString("derp.server.stun_listen_addr")
-	stunAddr := viper.GetString("derp.server.stun.listen_addr")
+
 	if serverEnabled && stunAddr == "" {
 		log.Fatal().Msg("derp.server.stun_listen_addr must be set if derp.server.enabled is true")
 	}
 	urlStrs := viper.GetStringSlice("derp.urls")
@ -149,7 +155,6 @@ func GetDERPConfig() headscale.DERPConfig {
 		ServerRegionID:   serverRegionID,
 		ServerRegionCode: serverRegionCode,
 		ServerRegionName: serverRegionName,
 		STUNEnabled:      stunEnabled,
 		STUNAddr:         stunAddr,
 		URLs:             urls,
 		Paths:            paths,
--- a/config-example.yaml
+++ b/config-example.yaml
@ -69,11 +69,11 @@ derp:
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"
-    # If enabled, also listens in UDP at the configured address for STUN connections to help on NAT traversal
+    # Listens in UDP at the configured address for STUN connections to help on NAT traversal.
    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
    #
    # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
-    stun:
+    stun_listen_addr: "0.0.0.0:3478"
      enabled: false
      listen_addr: "0.0.0.0:3478"
  # List of externally available DERP maps encoded in JSON
  urls:
--- a/derp_server.go
+++ b/derp_server.go
@ -77,17 +77,15 @@ func (h *Headscale) generateRegionLocalDERP() (tailcfg.DERPRegion, error) {
 		},
 	}
-	if h.cfg.DERP.STUNEnabled {
+	_, portSTUNStr, err := net.SplitHostPort(h.cfg.DERP.STUNAddr)
-		_, portStr, err := net.SplitHostPort(h.cfg.DERP.STUNAddr)
+	if err != nil {
-		if err != nil {
+		return tailcfg.DERPRegion{}, err
 			return tailcfg.DERPRegion{}, err
 		}
 		port, err := strconv.Atoi(portStr)
 		if err != nil {
 			return tailcfg.DERPRegion{}, err
 		}
 		localDERPregion.Nodes[0].STUNPort = port
 	}
 	portSTUN, err := strconv.Atoi(portSTUNStr)
 	if err != nil {
 		return tailcfg.DERPRegion{}, err
 	}
 	localDERPregion.Nodes[0].STUNPort = portSTUN
 	return localDERPregion, nil
 }
--- a/go.mod
+++ b/go.mod
@ -1,9 +1,10 @@
 module github.com/juanfont/headscale
-go 1.17
+go 1.18
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.2
 	github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029
 	github.com/coreos/go-oidc/v3 v3.1.0
 	github.com/efekarakus/termcolor v1.0.1
 	github.com/fatih/set v0.2.1
@ -49,7 +50,6 @@ require (
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/atomicgo/cursor v0.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.2 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/containerd/continuity v0.2.2 // indirect
--- a/integration_test/etc_embedded_derp/config.yaml
+++ b/integration_test/etc_embedded_derp/config.yaml
@ -24,6 +24,5 @@ derp:
    region_id: 999
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"
-    stun:
+
-      enabled: true
+    stun_listen_addr: "0.0.0.0:3478"
      listen_addr: "0.0.0.0:3478"
--- a/oidc.go
+++ b/oidc.go
@ -10,6 +10,7 @@ import (
 	"html/template"
 	"net/http"
 	"strings"
 	"time"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/gin-gonic/gin"
@ -229,7 +230,7 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) {
 			Str("machine", machine.Name).
 			Msg("machine already registered, reauthenticating")
-		h.RefreshMachine(machine, *machine.Expiry)
+		h.RefreshMachine(machine, time.Time{})
 		var content bytes.Buffer
 		if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{