312 lines
8.9 KiB
TypeScript
312 lines
8.9 KiB
TypeScript
// Handle the configuration loading for headscale.
|
|
// Functionally only used for reading and writing the configuration file.
|
|
// Availability checks and other configuration checks are done in the headplane
|
|
// configuration file that's adjacent to this one.
|
|
//
|
|
// Around the codebase, this is referred to as the config
|
|
// Refer to this file on juanfont/headscale for the default values:
|
|
// https://github.com/juanfont/headscale/blob/main/hscontrol/types/config.go
|
|
import { readFile, writeFile } from 'node:fs/promises'
|
|
import { resolve } from 'node:path'
|
|
|
|
import { type Document, parseDocument } from 'yaml'
|
|
import { z } from 'zod'
|
|
|
|
const goBool = z
|
|
.union([z.boolean(), z.literal('true'), z.literal('false')])
|
|
.transform((value) => {
|
|
if (typeof value === 'boolean') {
|
|
return value
|
|
}
|
|
|
|
return value === 'true'
|
|
})
|
|
|
|
const goDuration = z.union([z.literal(0), z.string()])
|
|
|
|
const HeadscaleConfig = z.object({
|
|
tls_letsencrypt_cache_dir: z.string().default('/var/www/cache'),
|
|
tls_letsencrypt_challenge_type: z.enum(['HTTP-01', 'TLS-ALPN-01']).default('HTTP-01'),
|
|
|
|
tls_letsencrypt_hostname: z.string().optional(),
|
|
tls_letsencrypt_listen: z.string().optional(),
|
|
|
|
tls_cert_path: z.string().optional(),
|
|
tls_key_path: z.string().optional(),
|
|
|
|
server_url: z.string().regex(/^https?:\/\//),
|
|
listen_addr: z.string(),
|
|
metrics_listen_addr: z.string().optional(),
|
|
grpc_listen_addr: z.string().default(':50443'),
|
|
grpc_allow_insecure: goBool.default(false),
|
|
|
|
disable_check_updates: goBool.default(false),
|
|
ephemeral_node_inactivity_timeout: goDuration.default('120s'),
|
|
randomize_client_port: goBool.default(false),
|
|
acl_policy_path: z.string().optional(),
|
|
|
|
acme_email: z.string().optional(),
|
|
acme_url: z.string().optional(),
|
|
|
|
unix_socket: z.string().default('/var/run/headscale/headscale.sock'),
|
|
unix_socket_permission: z.string().default('0o770'),
|
|
|
|
tuning: z.object({
|
|
batch_change_delay: goDuration.default('800ms'),
|
|
node_mapsession_buffered_chan_size: z.number().default(30),
|
|
}).optional(),
|
|
|
|
noise: z.object({
|
|
private_key_path: z.string(),
|
|
}),
|
|
|
|
log: z.object({
|
|
level: z.string().default('info'),
|
|
format: z.enum(['text', 'json']).default('text'),
|
|
}).default({ level: 'info', format: 'text' }),
|
|
|
|
logtail: z.object({
|
|
enabled: goBool.default(false),
|
|
}).default({ enabled: false }),
|
|
|
|
cli: z.object({
|
|
address: z.string().optional(),
|
|
api_key: z.string().optional(),
|
|
timeout: goDuration.default('10s'),
|
|
insecure: goBool.default(false),
|
|
}).optional(),
|
|
|
|
prefixes: z.object({
|
|
allocation: z.enum(['sequential', 'random']).default('sequential'),
|
|
v4: z.string(),
|
|
v6: z.string(),
|
|
}),
|
|
|
|
dns_config: z.object({
|
|
override_local_dns: goBool.default(false),
|
|
nameservers: z.array(z.string()).default([]),
|
|
restricted_nameservers: z.record(z.array(z.string())).default({}),
|
|
domains: z.array(z.string()).default([]),
|
|
extra_records: z.array(z.object({
|
|
name: z.string(),
|
|
type: z.literal('A'),
|
|
value: z.string(),
|
|
})).default([]),
|
|
magic_dns: goBool.default(false),
|
|
base_domain: z.string().default('headscale.net'),
|
|
}),
|
|
|
|
oidc: z.object({
|
|
only_start_if_oidc_is_available: goBool.default(false),
|
|
issuer: z.string().optional(),
|
|
client_id: z.string().optional(),
|
|
client_secret: z.string().optional(),
|
|
client_secret_path: z.string().optional(),
|
|
scope: z.array(z.string()).default(['openid', 'profile', 'email']),
|
|
extra_params: z.record(z.unknown()).default({}),
|
|
allowed_domains: z.array(z.string()).optional(),
|
|
allowed_users: z.array(z.string()).optional(),
|
|
allowed_groups: z.array(z.string()).optional(),
|
|
strip_email_domain: goBool.default(false),
|
|
expiry: goDuration.default('180d'),
|
|
use_expiry_from_token: goBool.default(false),
|
|
}).optional(),
|
|
|
|
database: z.union([
|
|
z.object({
|
|
type: z.literal('sqlite'),
|
|
debug: goBool.default(false),
|
|
sqlite: z.object({
|
|
path: z.string(),
|
|
}),
|
|
}),
|
|
z.object({
|
|
type: z.literal('sqlite3'),
|
|
debug: goBool.default(false),
|
|
sqlite: z.object({
|
|
path: z.string(),
|
|
}),
|
|
}),
|
|
z.object({
|
|
type: z.literal('postgres'),
|
|
debug: goBool.default(false),
|
|
postgres: z.object({
|
|
host: z.string(),
|
|
port: z.number(),
|
|
name: z.string(),
|
|
user: z.string(),
|
|
pass: z.string(),
|
|
ssl: goBool.default(true),
|
|
max_open_conns: z.number().default(10),
|
|
max_idle_conns: z.number().default(10),
|
|
conn_max_idle_time_secs: z.number().default(3600),
|
|
}),
|
|
}),
|
|
]),
|
|
|
|
derp: z.object({
|
|
server: z.object({
|
|
enabled: goBool.default(true),
|
|
region_id: z.number().optional(),
|
|
region_code: z.string().optional(),
|
|
region_name: z.string().optional(),
|
|
stun_listen_addr: z.string().optional(),
|
|
private_key_path: z.string().optional(),
|
|
|
|
ipv4: z.string().optional(),
|
|
ipv6: z.string().optional(),
|
|
automatically_add_embedded_derp_region: goBool.default(true),
|
|
}),
|
|
|
|
urls: z.array(z.string()).optional(),
|
|
paths: z.array(z.string()).optional(),
|
|
auto_update_enabled: goBool.default(true),
|
|
update_frequency: goDuration.default('24h'),
|
|
}),
|
|
})
|
|
|
|
export type HeadscaleConfig = z.infer<typeof HeadscaleConfig>
|
|
|
|
export let configYaml: Document | undefined
|
|
export let config: HeadscaleConfig | undefined
|
|
|
|
export async function loadConfig(path?: string) {
|
|
if (config) {
|
|
return config
|
|
}
|
|
|
|
if (!path) {
|
|
throw new Error('Path is required to lazy load config')
|
|
}
|
|
|
|
const data = await readFile(path, 'utf8')
|
|
configYaml = parseDocument(data)
|
|
|
|
if (process.env.HEADSCALE_CONFIG_UNSTRICT === 'true') {
|
|
const loaded = configYaml.toJSON() as Record<string, unknown>
|
|
config = {
|
|
...loaded,
|
|
tls_letsencrypt_cache_dir: loaded.tls_letsencrypt_cache_dir ?? '/var/www/cache',
|
|
tls_letsencrypt_challenge_type: loaded.tls_letsencrypt_challenge_type ?? 'HTTP-01',
|
|
grpc_listen_addr: loaded.grpc_listen_addr ?? ':50443',
|
|
grpc_allow_insecure: loaded.grpc_allow_insecure ?? false,
|
|
randomize_client_port: loaded.randomize_client_port ?? false,
|
|
unix_socket: loaded.unix_socket ?? '/var/run/headscale/headscale.sock',
|
|
unix_socket_permission: loaded.unix_socket_permission ?? '0o770',
|
|
tuning: loaded.tuning ?? {
|
|
batch_change_delay: '800ms',
|
|
node_mapsession_buffered_chan_size: 30,
|
|
},
|
|
|
|
log: loaded.log ?? {
|
|
level: 'info',
|
|
format: 'text',
|
|
},
|
|
|
|
logtail: loaded.logtail ?? {
|
|
enabled: false,
|
|
},
|
|
|
|
cli: loaded.cli ?? {
|
|
timeout: '10s',
|
|
insecure: false,
|
|
},
|
|
|
|
prefixes: loaded.prefixes ?? {
|
|
allocation: 'sequential',
|
|
v4: '',
|
|
v6: '',
|
|
},
|
|
|
|
dns_config: loaded.dns_config ?? {
|
|
override_local_dns: false,
|
|
nameservers: [],
|
|
restricted_nameservers: {},
|
|
domains: [],
|
|
extra_records: [],
|
|
magic_dns: false,
|
|
base_domain: 'headscale.net',
|
|
},
|
|
} as HeadscaleConfig
|
|
|
|
console.log('Loaded Headscale configuration in non-strict mode')
|
|
console.log('By using this mode you forfeit GitHub issue support')
|
|
console.log('This is very dangerous and comes with a few caveats:')
|
|
console.log('- Headplane could very easily crash')
|
|
console.log('- Headplane could break your Headscale installation')
|
|
console.log('- The UI could throw random errors/show incorrect data')
|
|
console.log('')
|
|
return config
|
|
}
|
|
|
|
try {
|
|
config = await HeadscaleConfig.parseAsync(configYaml.toJSON())
|
|
} catch (error) {
|
|
if (error instanceof z.ZodError) {
|
|
console.log('Failed to parse the Headscale configuration file!')
|
|
console.log('The following schema issues were found:')
|
|
for (const issue of error.issues) {
|
|
const path = issue.path.map(String).join('.')
|
|
const message = issue.message
|
|
|
|
console.log(`- '${path}': ${message}`)
|
|
}
|
|
|
|
console.log('')
|
|
console.log('Please fix the configuration file and try again.')
|
|
console.log('Headplane will operate as if no config is present.')
|
|
console.log('')
|
|
}
|
|
|
|
throw error
|
|
}
|
|
|
|
return config
|
|
}
|
|
|
|
// This is so obscenely dangerous, please have a check around it
|
|
export async function patchConfig(partial: Record<string, unknown>) {
|
|
if (!configYaml || !config) {
|
|
throw new Error('Config not loaded')
|
|
}
|
|
|
|
for (const [key, value] of Object.entries(partial)) {
|
|
// If the key is something like `test.bar."foo.bar"`, then we treat
|
|
// the foo.bar as a single key, and not as two keys, so that needs
|
|
// to be split correctly.
|
|
|
|
// Iterate through each character, and if we find a dot, we check if
|
|
// the next character is a quote, and if it is, we skip until the next
|
|
// quote, and then we skip the next character, which should be a dot.
|
|
// If it's not a quote, we split it.
|
|
const path = []
|
|
let temp = ''
|
|
let inQuote = false
|
|
|
|
for (const element of key) {
|
|
if (element === '"') {
|
|
inQuote = !inQuote
|
|
}
|
|
|
|
if (element === '.' && !inQuote) {
|
|
path.push(temp.replaceAll('"', ''))
|
|
temp = ''
|
|
continue
|
|
}
|
|
|
|
temp += element
|
|
}
|
|
|
|
// Push the remaining element
|
|
path.push(temp.replaceAll('"', ''))
|
|
configYaml.setIn(path, value)
|
|
}
|
|
|
|
config = process.env.HEADSCALE_CONFIG_UNSTRICT === 'true'
|
|
? configYaml.toJSON() as HeadscaleConfig
|
|
: (await HeadscaleConfig.parseAsync(configYaml.toJSON()))
|
|
|
|
const path = resolve(process.env.CONFIG_FILE ?? '/etc/headscale/config.yaml')
|
|
await writeFile(path, configYaml.toString(), 'utf8')
|
|
}
|