1 |
commit: 5aa57d09a9ad9c907b69afc2c9cc340663980c18 |
2 |
Author: Chris Su <chris <AT> lesscrowds <DOT> org> |
3 |
AuthorDate: Wed Apr 27 15:43:23 2022 +0000 |
4 |
Commit: Jakov Smolić <jsmolic <AT> gentoo <DOT> org> |
5 |
CommitDate: Wed Apr 27 15:59:58 2022 +0000 |
6 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5aa57d09 |
7 |
|
8 |
net-vpn/headscale: new package, add 0.15.0 |
9 |
|
10 |
Headscale is an open-source, self-hosted implementation of the Tailscale |
11 |
control server. |
12 |
|
13 |
Using headscale, we can easily build a control server to form our own |
14 |
vpn, the corresponding node authorization, set the acl, etc. |
15 |
|
16 |
Closes: https://bugs.gentoo.org/841017 |
17 |
Signed-off-by: Chris Su <chris <AT> lesscrowds.org> |
18 |
Closes: https://github.com/gentoo/gentoo/pull/25212 |
19 |
Signed-off-by: Jakov Smolić <jsmolic <AT> gentoo.org> |
20 |
|
21 |
net-vpn/headscale/Manifest | 2 + |
22 |
net-vpn/headscale/files/config.yaml.example | 221 ++++++++++++++++++++++++++++ |
23 |
net-vpn/headscale/files/headscale.conf | 8 + |
24 |
net-vpn/headscale/files/headscaled.initd | 29 ++++ |
25 |
net-vpn/headscale/files/headscaled.service | 24 +++ |
26 |
net-vpn/headscale/headscale-0.15.0.ebuild | 49 ++++++ |
27 |
net-vpn/headscale/metadata.xml | 16 ++ |
28 |
7 files changed, 349 insertions(+) |
29 |
|
30 |
diff --git a/net-vpn/headscale/Manifest b/net-vpn/headscale/Manifest |
31 |
new file mode 100644 |
32 |
index 000000000000..d27143f85e93 |
33 |
--- /dev/null |
34 |
+++ b/net-vpn/headscale/Manifest |
35 |
@@ -0,0 +1,2 @@ |
36 |
+DIST headscale-0.15.0-deps.tar.xz 199844288 BLAKE2B 17c9e4a8877ee05f75f08c20794f6c084019f4554769ebabfc8d37e1ec309ac0cc2d18d341db241927df4ba3e43da39e8acb6a33a4a68435f9b3d3f7aebc098b SHA512 aa942787a4bc8644bb5e041fef293fd53a8d4ebc84faa8964c56fe9022b0359cd08ddd568898bc8fa4b2bc358f4c911b8a204438d676c5c4030bd89612d01c01 |
37 |
+DIST headscale-0.15.0.tar.gz 311959 BLAKE2B e4bcbf431c3b903024df95782b4070591e30439263796258f9a3cc07c7a2f4ea3f9895fb2869b642d6c37dc92fe492cc9d3b78261d8faa0a8e2c9eba3906aa20 SHA512 29b867f109e48bf04ab4f8a81bfab94155050f59f6c2aa2b4971567a7fb24ed343b869636e66e9cbb7b1b8df7d7415e769a85a7c3864d0fae169c15b6c7b6eb2 |
38 |
|
39 |
diff --git a/net-vpn/headscale/files/config.yaml.example b/net-vpn/headscale/files/config.yaml.example |
40 |
new file mode 100644 |
41 |
index 000000000000..603b941dac9d |
42 |
--- /dev/null |
43 |
+++ b/net-vpn/headscale/files/config.yaml.example |
44 |
@@ -0,0 +1,221 @@ |
45 |
+--- |
46 |
+# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order: |
47 |
+# |
48 |
+# - `/etc/headscale` |
49 |
+# - `~/.headscale` |
50 |
+# - current working directory |
51 |
+ |
52 |
+# The url clients will connect to. |
53 |
+# Typically this will be a domain like: |
54 |
+# |
55 |
+# https://myheadscale.example.com:443 |
56 |
+# |
57 |
+server_url: http://127.0.0.1:8080 |
58 |
+ |
59 |
+# Address to listen to / bind to on the server |
60 |
+# |
61 |
+listen_addr: 0.0.0.0:8080 |
62 |
+ |
63 |
+# Address to listen to /metrics, you may want |
64 |
+# to keep this endpoint private to your internal |
65 |
+# network |
66 |
+# |
67 |
+metrics_listen_addr: 127.0.0.1:9090 |
68 |
+ |
69 |
+# Address to listen for gRPC. |
70 |
+# gRPC is used for controlling a headscale server |
71 |
+# remotely with the CLI |
72 |
+# Note: Remote access _only_ works if you have |
73 |
+# valid certificates. |
74 |
+grpc_listen_addr: 0.0.0.0:50443 |
75 |
+ |
76 |
+# Allow the gRPC admin interface to run in INSECURE |
77 |
+# mode. This is not recommended as the traffic will |
78 |
+# be unencrypted. Only enable if you know what you |
79 |
+# are doing. |
80 |
+grpc_allow_insecure: false |
81 |
+ |
82 |
+# Private key used encrypt the traffic between headscale |
83 |
+# and Tailscale clients. |
84 |
+# The private key file which will be |
85 |
+# autogenerated if it's missing |
86 |
+private_key_path: /var/lib/headscale/private.key |
87 |
+ |
88 |
+# List of IP prefixes to allocate tailaddresses from. |
89 |
+# Each prefix consists of either an IPv4 or IPv6 address, |
90 |
+# and the associated prefix length, delimited by a slash. |
91 |
+ip_prefixes: |
92 |
+ - fd7a:115c:a1e0::/48 |
93 |
+ - 100.64.0.0/10 |
94 |
+ |
95 |
+# DERP is a relay system that Tailscale uses when a direct |
96 |
+# connection cannot be established. |
97 |
+# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp |
98 |
+# |
99 |
+# headscale needs a list of DERP servers that can be presented |
100 |
+# to the clients. |
101 |
+derp: |
102 |
+ server: |
103 |
+ # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config |
104 |
+ # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place |
105 |
+ enabled: false |
106 |
+ |
107 |
+ # Region ID to use for the embedded DERP server. |
108 |
+ # The local DERP prevails if the region ID collides with other region ID coming from |
109 |
+ # the regular DERP config. |
110 |
+ region_id: 999 |
111 |
+ |
112 |
+ # Region code and name are displayed in the Tailscale UI to identify a DERP region |
113 |
+ region_code: "headscale" |
114 |
+ region_name: "Headscale Embedded DERP" |
115 |
+ |
116 |
+ # Listens in UDP at the configured address for STUN connections to help on NAT traversal. |
117 |
+ # When the embedded DERP server is enabled stun_listen_addr MUST be defined. |
118 |
+ # |
119 |
+ # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/ |
120 |
+ stun_listen_addr: "0.0.0.0:3478" |
121 |
+ |
122 |
+ # List of externally available DERP maps encoded in JSON |
123 |
+ urls: |
124 |
+ - https://controlplane.tailscale.com/derpmap/default |
125 |
+ |
126 |
+ # Locally available DERP map files encoded in YAML |
127 |
+ # |
128 |
+ # This option is mostly interesting for people hosting |
129 |
+ # their own DERP servers: |
130 |
+ # https://tailscale.com/kb/1118/custom-derp-servers/ |
131 |
+ # |
132 |
+ # paths: |
133 |
+ # - /etc/headscale/derp-example.yaml |
134 |
+ paths: [] |
135 |
+ |
136 |
+ # If enabled, a worker will be set up to periodically |
137 |
+ # refresh the given sources and update the derpmap |
138 |
+ # will be set up. |
139 |
+ auto_update_enabled: true |
140 |
+ |
141 |
+ # How often should we check for DERP updates? |
142 |
+ update_frequency: 24h |
143 |
+ |
144 |
+# Disables the automatic check for headscale updates on startup |
145 |
+disable_check_updates: false |
146 |
+ |
147 |
+# Time before an inactive ephemeral node is deleted? |
148 |
+ephemeral_node_inactivity_timeout: 30m |
149 |
+ |
150 |
+# SQLite config |
151 |
+db_type: sqlite3 |
152 |
+db_path: /var/lib/headscale/db.sqlite |
153 |
+ |
154 |
+# # Postgres config |
155 |
+# db_type: postgres |
156 |
+# db_host: localhost |
157 |
+# db_port: 5432 |
158 |
+# db_name: headscale |
159 |
+# db_user: foo |
160 |
+# db_pass: bar |
161 |
+ |
162 |
+### TLS configuration |
163 |
+# |
164 |
+## Let's encrypt / ACME |
165 |
+# |
166 |
+# headscale supports automatically requesting and setting up |
167 |
+# TLS for a domain with Let's Encrypt. |
168 |
+# |
169 |
+# URL to ACME directory |
170 |
+acme_url: https://acme-v02.api.letsencrypt.org/directory |
171 |
+ |
172 |
+# Email to register with ACME provider |
173 |
+acme_email: "" |
174 |
+ |
175 |
+# Domain name to request a TLS certificate for: |
176 |
+tls_letsencrypt_hostname: "" |
177 |
+ |
178 |
+# Client (Tailscale/Browser) authentication mode (mTLS) |
179 |
+# Acceptable values: |
180 |
+# - disabled: client authentication disabled |
181 |
+# - relaxed: client certificate is required but not verified |
182 |
+# - enforced: client certificate is required and verified |
183 |
+tls_client_auth_mode: relaxed |
184 |
+ |
185 |
+# Path to store certificates and metadata needed by |
186 |
+# letsencrypt |
187 |
+tls_letsencrypt_cache_dir: /var/lib/headscale/cache |
188 |
+ |
189 |
+# Type of ACME challenge to use, currently supported types: |
190 |
+# HTTP-01 or TLS-ALPN-01 |
191 |
+# See [docs/tls.md](docs/tls.md) for more information |
192 |
+tls_letsencrypt_challenge_type: HTTP-01 |
193 |
+# When HTTP-01 challenge is chosen, letsencrypt must set up a |
194 |
+# verification endpoint, and it will be listning on: |
195 |
+# :http = port 80 |
196 |
+tls_letsencrypt_listen: ":http" |
197 |
+ |
198 |
+## Use already defined certificates: |
199 |
+tls_cert_path: "" |
200 |
+tls_key_path: "" |
201 |
+ |
202 |
+log_level: info |
203 |
+ |
204 |
+# Path to a file containg ACL policies. |
205 |
+# ACLs can be defined as YAML or HUJSON. |
206 |
+# https://tailscale.com/kb/1018/acls/ |
207 |
+acl_policy_path: "" |
208 |
+ |
209 |
+## DNS |
210 |
+# |
211 |
+# headscale supports Tailscale's DNS configuration and MagicDNS. |
212 |
+# Please have a look to their KB to better understand the concepts: |
213 |
+# |
214 |
+# - https://tailscale.com/kb/1054/dns/ |
215 |
+# - https://tailscale.com/kb/1081/magicdns/ |
216 |
+# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/ |
217 |
+# |
218 |
+dns_config: |
219 |
+ # List of DNS servers to expose to clients. |
220 |
+ nameservers: |
221 |
+ - 1.1.1.1 |
222 |
+ |
223 |
+ # Split DNS (see https://tailscale.com/kb/1054/dns/), |
224 |
+ # list of search domains and the DNS to query for each one. |
225 |
+ # |
226 |
+ # restricted_nameservers: |
227 |
+ # foo.bar.com: |
228 |
+ # - 1.1.1.1 |
229 |
+ # darp.headscale.net: |
230 |
+ # - 1.1.1.1 |
231 |
+ # - 8.8.8.8 |
232 |
+ |
233 |
+ # Search domains to inject. |
234 |
+ domains: [] |
235 |
+ |
236 |
+ # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/). |
237 |
+ # Only works if there is at least a nameserver defined. |
238 |
+ magic_dns: true |
239 |
+ |
240 |
+ # Defines the base domain to create the hostnames for MagicDNS. |
241 |
+ # `base_domain` must be a FQDNs, without the trailing dot. |
242 |
+ # The FQDN of the hosts will be |
243 |
+ # `hostname.namespace.base_domain` (e.g., _myhost.mynamespace.example.com_). |
244 |
+ base_domain: example.com |
245 |
+ |
246 |
+# Unix socket used for the CLI to connect without authentication |
247 |
+# Note: for local development, you probably want to change this to: |
248 |
+unix_socket: /run/headscale/headscale.sock |
249 |
+unix_socket_permission: "0770" |
250 |
+# |
251 |
+# headscale supports experimental OpenID connect support, |
252 |
+# it is still being tested and might have some bugs, please |
253 |
+# help us test it. |
254 |
+# OpenID Connect |
255 |
+# oidc: |
256 |
+# issuer: "https://your-oidc.issuer.com/path" |
257 |
+# client_id: "your-oidc-client-id" |
258 |
+# client_secret: "your-oidc-client-secret" |
259 |
+# |
260 |
+# If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed. |
261 |
+# This will transform `first-name.last-name@×××××××.com` to the namespace `first-name.last-name` |
262 |
+# If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following |
263 |
+# namespace: `first-name.last-name.example.com` |
264 |
+# |
265 |
+# strip_email_domain: true |
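Review bot: The example as shipped binds both the control plane and the gRPC admin listener on all interfaces (`listen_addr: 0.0.0.0:8080`, `grpc_listen_addr: 0.0.0.0:50443`) while `server_url` is plain http and every TLS value (`tls_letsencrypt_hostname`, `tls_cert_path`, `tls_key_path`) is empty, and the ebuild's `pkg_postinst` only tells the user to copy this file. Since the copy becomes `/etc/headscale/config.yaml` as-is, a short hint about which values to revisit before exposing the host would help, e.g. a header comment `# Review server_url, listen_addr, grpc_listen_addr and the TLS section before starting the service`; if this file is meant to track upstream verbatim, put the same sentence in the `pkg_postinst` elog instead.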
266 |
|
267 |
diff --git a/net-vpn/headscale/files/headscale.conf b/net-vpn/headscale/files/headscale.conf |
268 |
new file mode 100644 |
269 |
index 000000000000..5bf65c68e358 |
270 |
--- /dev/null |
271 |
+++ b/net-vpn/headscale/files/headscale.conf |
272 |
@@ -0,0 +1,8 @@ |
273 |
+HEADSCALE_USER=headscale |
274 |
+HEADSCALE_GROUP=headscale |
275 |
+ |
276 |
+# max number of open files (for floodfill) |
277 |
+rc_ulimit="-n 4096" |
278 |
+ |
279 |
+# Options to headscale |
280 |
+HEADSCALE_OPTIONS="serve" |
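Review bot: The comment `# max number of open files (for floodfill)` above `rc_ulimit` looks copied from an I2P router init config: floodfill is an i2pd mode and has no meaning for headscale, so it misleads anyone tuning the limit. `# max number of open files` is enough. Likewise `serve` is a headscale subcommand rather than an option, so `# Arguments passed to headscale (the subcommand to run)` describes `HEADSCALE_OPTIONS` more accurately than `# Options to headscale`.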
281 |
|
282 |
diff --git a/net-vpn/headscale/files/headscaled.initd b/net-vpn/headscale/files/headscaled.initd |
283 |
new file mode 100644 |
284 |
index 000000000000..5a12887f444b |
285 |
--- /dev/null |
286 |
+++ b/net-vpn/headscale/files/headscaled.initd |
287 |
@@ -0,0 +1,29 @@ |
288 |
+#!/sbin/openrc-run |
289 |
+# Copyright 2022 Gentoo Authors |
290 |
+# Distributed under the terms of the GNU General Public License v2 |
291 |
+ |
292 |
+description="Headscale Server daemon" |
293 |
+command="/usr/bin/headscale" |
294 |
+user="${HEADSCALE_USER}:${HEADSCALE_GROUP}" |
295 |
+directory="/var/lib/headscale" |
296 |
+output_log="/var/log/headscale.log" |
297 |
+error_log="/var/log/headscale.log" |
298 |
+ |
299 |
+start_stop_daemon_args="--user \"${user}\" ${HEADSCALE_OPTIONS} --background" |
300 |
+ |
301 |
+depend() { |
302 |
+ need net |
303 |
+} |
304 |
+ |
305 |
+start_pre() { |
306 |
+ if [ ! -s /etc/headscale/config.yaml ] ; then |
307 |
+ eerror "Missing headscale configuration file" |
308 |
+ eerror "Please use /etc/headscale/config.yaml.example as example" |
309 |
+ return 1 |
310 |
+ fi |
311 |
+ |
312 |
+ checkpath -d -m 700 -o "${user}" /run/headscale /var/lib/headscale |
313 |
+ checkpath -f -m 600 -o "${user}" /var/lib/headscale/db.sqlite /var/log/headscale.log |
314 |
+ checkpath -f -m 600 -o "${user}" /etc/headscale/config.yaml |
315 |
+} |
316 |
+ |
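Review bot: `checkpath -f -m 600 -o "${user}" /etc/headscale/config.yaml` in start_pre hands ownership of the service configuration to the daemon account, so a compromised headscale process can rewrite its own `acl_policy_path`, TLS paths or OIDC settings; the ebuild's `fowners -R ${PN}:${PN} /etc/headscale` does the same at install time. Nothing in the shipped example points headscale at a writable location under /etc/headscale, so the file can stay root-owned and group-readable, `checkpath -f -m 640 -o "root:${HEADSCALE_GROUP}" /etc/headscale/config.yaml`, with the ebuild using `fowners root:${PN} /etc/headscale` plus `fperms 0750 /etc/headscale`. Separately, `start_stop_daemon_args` carries the daemon's own `serve` argument (from HEADSCALE_OPTIONS) in among start-stop-daemon's options and appears to rely on it being passed through as a positional; OpenRC's `command_args`, `command_user` and `command_background` express this directly (the last one needs a `pidfile`). The `-m 700` on /run/headscale also seems to conflict with the example's `unix_socket_permission: "0770"`, which suggests group members are expected to reach the socket; 750 on the directory would match that intent while /var/lib/headscale, holding the private key, keeps 700.
```sh
command_args="${HEADSCALE_OPTIONS}"
command_user="${HEADSCALE_USER}:${HEADSCALE_GROUP}"
command_background=true
pidfile="/run/headscale/headscale.pid"

# … unchanged: depend() and the config presence check in start_pre() …
	checkpath -d -m 750 -o "${user}" /run/headscale
	checkpath -d -m 700 -o "${user}" /var/lib/headscale
	checkpath -f -m 600 -o "${user}" /var/lib/headscale/db.sqlite /var/log/headscale.log
	checkpath -f -m 640 -o "root:${HEADSCALE_GROUP}" /etc/headscale/config.yaml
```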
317 |
|
318 |
diff --git a/net-vpn/headscale/files/headscaled.service b/net-vpn/headscale/files/headscaled.service |
319 |
new file mode 100644 |
320 |
index 000000000000..fb27b40d4e31 |
321 |
--- /dev/null |
322 |
+++ b/net-vpn/headscale/files/headscaled.service |
323 |
@@ -0,0 +1,24 @@ |
324 |
+[Unit] |
325 |
+Description=headscale controller |
326 |
+After=syslog.target |
327 |
+After=network.target |
328 |
+ |
329 |
+[Service] |
330 |
+Type=simple |
331 |
+User=headscale |
332 |
+Group=headscale |
333 |
+ExecStart=/usr/bin/headscale serve |
334 |
+Restart=always |
335 |
+RestartSec=5 |
336 |
+ |
337 |
+# Optional security enhancements |
338 |
+NoNewPrivileges=yes |
339 |
+PrivateTmp=yes |
340 |
+ProtectSystem=strict |
341 |
+ProtectHome=yes |
342 |
+ReadWritePaths=/var/lib/headscale /run/headscale |
343 |
+AmbientCapabilities=CAP_NET_BIND_SERVICE |
344 |
+RuntimeDirectory=headscale |
345 |
+ |
346 |
+[Install] |
347 |
+WantedBy=multi-user.target |
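Review bot: The block under `# Optional security enhancements` grants `AmbientCapabilities=CAP_NET_BIND_SERVICE` (needed for the `:http` ACME listener in the example config) but leaves the capability bounding set, kernel tunables and cgroup tree untouched; the usual companions for a non-root network daemon are `CapabilityBoundingSet=CAP_NET_BIND_SERVICE`, `ProtectKernelTunables=yes`, `ProtectControlGroups=yes` and `RestrictSUIDSGID=yes`. `After=syslog.target` is a legacy compatibility target with no effect on current systemd and can be dropped, leaving only `After=network.target`. `ProtectSystem=strict` with `ReadWritePaths=/var/lib/headscale /run/headscale` already covers the key, database, cache and socket paths from the example config, so the additions below do not change what the daemon can reach.
```ini
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictSUIDSGID=yes
# … unchanged: RuntimeDirectory and [Install] …
```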
348 |
|
349 |
diff --git a/net-vpn/headscale/headscale-0.15.0.ebuild b/net-vpn/headscale/headscale-0.15.0.ebuild |
350 |
new file mode 100644 |
351 |
index 000000000000..93a52a9f0cde |
352 |
--- /dev/null |
353 |
+++ b/net-vpn/headscale/headscale-0.15.0.ebuild |
354 |
@@ -0,0 +1,49 @@ |
355 |
+# Copyright 2022 Gentoo Authors |
356 |
+# Distributed under the terms of the GNU General Public License v2 |
357 |
+ |
358 |
+EAPI=8 |
359 |
+ |
360 |
+inherit go-module systemd |
361 |
+ |
362 |
+DESCRIPTION="An open source, self-hosted implementation of the Tailscale control server" |
363 |
+HOMEPAGE="https://github.com/juanfont/headscale" |
364 |
+SRC_URI=" |
365 |
+ https://github.com/juanfont/headscale/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz |
366 |
+ https://dev.gentoo.org/~jsmolic/distfiles/net-vpn/headscale/${P}-deps.tar.xz |
367 |
+" |
368 |
+ |
369 |
+LICENSE="BSD Apache-2.0 MIT" |
370 |
+SLOT="0" |
371 |
+KEYWORDS="~amd64" |
372 |
+ |
373 |
+DEPEND=" |
374 |
+ acct-group/headscale |
375 |
+ acct-user/headscale |
376 |
+" |
377 |
+RDEPEND=" |
378 |
+ ${DEPEND} |
379 |
+ net-firewall/iptables |
380 |
+" |
381 |
+ |
382 |
+src_install() { |
383 |
+ keepdir /var/lib/headscale |
384 |
+ keepdir /etc/headscale |
385 |
+ |
386 |
+ dobin headscale |
387 |
+ |
388 |
+ insinto /etc/headscale |
389 |
+ doins "${FILESDIR}"/config.yaml.example |
390 |
+ |
391 |
+ fowners -R ${PN}:${PN} /etc/headscale |
392 |
+ fowners -R ${PN}:${PN} /var/lib/headscale |
393 |
+ |
394 |
+ systemd_dounit "${FILESDIR}"/headscaled.service |
395 |
+ newinitd "${FILESDIR}"/headscaled.initd headscaled |
396 |
+ newconfd "${FILESDIR}"/headscale.conf headscaled |
397 |
+} |
398 |
+ |
399 |
+pkg_postinst() { |
400 |
+ elog "You will need to set up your /etc/headscale/config.yaml file before starting the service" |
401 |
+ elog "Please use /etc/headscale/config.yaml.example as example" |
402 |
+ elog "More in the official documentation https://github.com/juanfont/headscale/tree/main/docs" |
403 |
+} |
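Review bot: `keepdir /var/lib/headscale` followed by `fowners -R ${PN}:${PN} /var/lib/headscale` leaves the directory that holds `private.key` and the SQLite database at the default 0755 mode; the OpenRC script tightens it to 700 in start_pre, but the systemd unit does not, so under systemd the directory stays world-listable and depends on whatever mode headscale gives the key file itself. Add `fperms 0700 /var/lib/headscale` in src_install so both service managers start from the same state. `net-firewall/iptables` in RDEPEND also appears unjustified by this package: nothing in the ebuild, the unit or the init script touches netfilter, and it looks carried over from the tailscale client ebuild; unless headscale 0.15.0 itself invokes iptables, drop the line.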
404 |
|
405 |
diff --git a/net-vpn/headscale/metadata.xml b/net-vpn/headscale/metadata.xml |
406 |
new file mode 100644 |
407 |
index 000000000000..73d345656db7 |
408 |
--- /dev/null |
409 |
+++ b/net-vpn/headscale/metadata.xml |
410 |
@@ -0,0 +1,16 @@ |
411 |
+<?xml version="1.0" encoding="UTF-8"?> |
412 |
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd"> |
413 |
+<pkgmetadata> |
414 |
+ <maintainer type="person" proxied="yes"> |
415 |
+ <email>chris@××××××××××.org</email> |
416 |
+ <name>Chris Su</name> |
417 |
+ </maintainer> |
418 |
+ <maintainer type="person" proxied="proxy"> |
419 |
+ <email>dlan@g.o</email> |
420 |
+ <name>Yixun Lan</name> |
421 |
+ </maintainer> |
422 |
+ <maintainer type="person" proxied="proxy"> |
423 |
+ <email>jsmolic@g.o</email> |
424 |
+ <name>Jakov Smolić</name> |
425 |
+ </maintainer> |
426 |
+</pkgmetadata> |