
From: "Jakov Smolić" <jsmolic@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: net-vpn/headscale/files/, net-vpn/headscale/
Date: Wed, 27 Apr 2022 16:01:17
Message-Id: 1651075198.5aa57d09a9ad9c907b69afc2c9cc340663980c18.jsmolic@gentoo
1 commit: 5aa57d09a9ad9c907b69afc2c9cc340663980c18
2 Author: Chris Su <chris <AT> lesscrowds <DOT> org>
3 AuthorDate: Wed Apr 27 15:43:23 2022 +0000
4 Commit: Jakov Smolić <jsmolic <AT> gentoo <DOT> org>
5 CommitDate: Wed Apr 27 15:59:58 2022 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5aa57d09
7
8 net-vpn/headscale: new package, add 0.15.0
9
10 Headscale is an open-source, self-hosted implementation of the Tailscale
11 control server.
12
13 Using headscale, one can easily build a control server to form a private
14 VPN, handle the corresponding node authorization, set ACLs, etc.
15
16 Closes: https://bugs.gentoo.org/841017
17 Signed-off-by: Chris Su <chris <AT> lesscrowds.org>
18 Closes: https://github.com/gentoo/gentoo/pull/25212
19 Signed-off-by: Jakov Smolić <jsmolic <AT> gentoo.org>
20
21 net-vpn/headscale/Manifest | 2 +
22 net-vpn/headscale/files/config.yaml.example | 221 ++++++++++++++++++++++++++++
23 net-vpn/headscale/files/headscale.conf | 8 +
24 net-vpn/headscale/files/headscaled.initd | 29 ++++
25 net-vpn/headscale/files/headscaled.service | 24 +++
26 net-vpn/headscale/headscale-0.15.0.ebuild | 49 ++++++
27 net-vpn/headscale/metadata.xml | 16 ++
28 7 files changed, 349 insertions(+)
29
30 diff --git a/net-vpn/headscale/Manifest b/net-vpn/headscale/Manifest
31 new file mode 100644
32 index 000000000000..d27143f85e93
33 --- /dev/null
34 +++ b/net-vpn/headscale/Manifest
35 @@ -0,0 +1,2 @@
36 +DIST headscale-0.15.0-deps.tar.xz 199844288 BLAKE2B 17c9e4a8877ee05f75f08c20794f6c084019f4554769ebabfc8d37e1ec309ac0cc2d18d341db241927df4ba3e43da39e8acb6a33a4a68435f9b3d3f7aebc098b SHA512 aa942787a4bc8644bb5e041fef293fd53a8d4ebc84faa8964c56fe9022b0359cd08ddd568898bc8fa4b2bc358f4c911b8a204438d676c5c4030bd89612d01c01
37 +DIST headscale-0.15.0.tar.gz 311959 BLAKE2B e4bcbf431c3b903024df95782b4070591e30439263796258f9a3cc07c7a2f4ea3f9895fb2869b642d6c37dc92fe492cc9d3b78261d8faa0a8e2c9eba3906aa20 SHA512 29b867f109e48bf04ab4f8a81bfab94155050f59f6c2aa2b4971567a7fb24ed343b869636e66e9cbb7b1b8df7d7415e769a85a7c3864d0fae169c15b6c7b6eb2
38
39 diff --git a/net-vpn/headscale/files/config.yaml.example b/net-vpn/headscale/files/config.yaml.example
40 new file mode 100644
41 index 000000000000..603b941dac9d
42 --- /dev/null
43 +++ b/net-vpn/headscale/files/config.yaml.example
44 @@ -0,0 +1,221 @@
45 +---
46 +# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
47 +#
48 +# - `/etc/headscale`
49 +# - `~/.headscale`
50 +# - current working directory
51 +
52 +# The url clients will connect to.
53 +# Typically this will be a domain like:
54 +#
55 +# https://myheadscale.example.com:443
56 +#
57 +server_url: http://127.0.0.1:8080
58 +
59 +# Address to listen to / bind to on the server
60 +#
61 +listen_addr: 0.0.0.0:8080
62 +
63 +# Address to listen to /metrics, you may want
64 +# to keep this endpoint private to your internal
65 +# network
66 +#
67 +metrics_listen_addr: 127.0.0.1:9090
68 +
69 +# Address to listen for gRPC.
70 +# gRPC is used for controlling a headscale server
71 +# remotely with the CLI
72 +# Note: Remote access _only_ works if you have
73 +# valid certificates.
74 +grpc_listen_addr: 0.0.0.0:50443
75 +
76 +# Allow the gRPC admin interface to run in INSECURE
77 +# mode. This is not recommended as the traffic will
78 +# be unencrypted. Only enable if you know what you
79 +# are doing.
80 +grpc_allow_insecure: false
81 +
82 +# Private key used encrypt the traffic between headscale
83 +# and Tailscale clients.
84 +# The private key file which will be
85 +# autogenerated if it's missing
86 +private_key_path: /var/lib/headscale/private.key
87 +
88 +# List of IP prefixes to allocate tailaddresses from.
89 +# Each prefix consists of either an IPv4 or IPv6 address,
90 +# and the associated prefix length, delimited by a slash.
91 +ip_prefixes:
92 + - fd7a:115c:a1e0::/48
93 + - 100.64.0.0/10
94 +
95 +# DERP is a relay system that Tailscale uses when a direct
96 +# connection cannot be established.
97 +# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
98 +#
99 +# headscale needs a list of DERP servers that can be presented
100 +# to the clients.
101 +derp:
102 + server:
103 + # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
104 + # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
105 + enabled: false
106 +
107 + # Region ID to use for the embedded DERP server.
108 + # The local DERP prevails if the region ID collides with other region ID coming from
109 + # the regular DERP config.
110 + region_id: 999
111 +
112 + # Region code and name are displayed in the Tailscale UI to identify a DERP region
113 + region_code: "headscale"
114 + region_name: "Headscale Embedded DERP"
115 +
116 + # Listens in UDP at the configured address for STUN connections to help on NAT traversal.
117 + # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
118 + #
119 + # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
120 + stun_listen_addr: "0.0.0.0:3478"
121 +
122 + # List of externally available DERP maps encoded in JSON
123 + urls:
124 + - https://controlplane.tailscale.com/derpmap/default
125 +
126 + # Locally available DERP map files encoded in YAML
127 + #
128 + # This option is mostly interesting for people hosting
129 + # their own DERP servers:
130 + # https://tailscale.com/kb/1118/custom-derp-servers/
131 + #
132 + # paths:
133 + # - /etc/headscale/derp-example.yaml
134 + paths: []
135 +
136 + # If enabled, a worker will be set up to periodically
137 + # refresh the given sources and update the derpmap
138 + # will be set up.
139 + auto_update_enabled: true
140 +
141 + # How often should we check for DERP updates?
142 + update_frequency: 24h
143 +
144 +# Disables the automatic check for headscale updates on startup
145 +disable_check_updates: false
146 +
147 +# Time before an inactive ephemeral node is deleted?
148 +ephemeral_node_inactivity_timeout: 30m
149 +
150 +# SQLite config
151 +db_type: sqlite3
152 +db_path: /var/lib/headscale/db.sqlite
153 +
154 +# # Postgres config
155 +# db_type: postgres
156 +# db_host: localhost
157 +# db_port: 5432
158 +# db_name: headscale
159 +# db_user: foo
160 +# db_pass: bar
161 +
162 +### TLS configuration
163 +#
164 +## Let's encrypt / ACME
165 +#
166 +# headscale supports automatically requesting and setting up
167 +# TLS for a domain with Let's Encrypt.
168 +#
169 +# URL to ACME directory
170 +acme_url: https://acme-v02.api.letsencrypt.org/directory
171 +
172 +# Email to register with ACME provider
173 +acme_email: ""
174 +
175 +# Domain name to request a TLS certificate for:
176 +tls_letsencrypt_hostname: ""
177 +
178 +# Client (Tailscale/Browser) authentication mode (mTLS)
179 +# Acceptable values:
180 +# - disabled: client authentication disabled
181 +# - relaxed: client certificate is required but not verified
182 +# - enforced: client certificate is required and verified
183 +tls_client_auth_mode: relaxed
184 +
185 +# Path to store certificates and metadata needed by
186 +# letsencrypt
187 +tls_letsencrypt_cache_dir: /var/lib/headscale/cache
188 +
189 +# Type of ACME challenge to use, currently supported types:
190 +# HTTP-01 or TLS-ALPN-01
191 +# See [docs/tls.md](docs/tls.md) for more information
192 +tls_letsencrypt_challenge_type: HTTP-01
193 +# When HTTP-01 challenge is chosen, letsencrypt must set up a
194 +# verification endpoint, and it will be listning on:
195 +# :http = port 80
196 +tls_letsencrypt_listen: ":http"
197 +
198 +## Use already defined certificates:
199 +tls_cert_path: ""
200 +tls_key_path: ""
201 +
202 +log_level: info
203 +
204 +# Path to a file containg ACL policies.
205 +# ACLs can be defined as YAML or HUJSON.
206 +# https://tailscale.com/kb/1018/acls/
207 +acl_policy_path: ""
208 +
209 +## DNS
210 +#
211 +# headscale supports Tailscale's DNS configuration and MagicDNS.
212 +# Please have a look to their KB to better understand the concepts:
213 +#
214 +# - https://tailscale.com/kb/1054/dns/
215 +# - https://tailscale.com/kb/1081/magicdns/
216 +# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
217 +#
218 +dns_config:
219 + # List of DNS servers to expose to clients.
220 + nameservers:
221 + - 1.1.1.1
222 +
223 + # Split DNS (see https://tailscale.com/kb/1054/dns/),
224 + # list of search domains and the DNS to query for each one.
225 + #
226 + # restricted_nameservers:
227 + # foo.bar.com:
228 + # - 1.1.1.1
229 + # darp.headscale.net:
230 + # - 1.1.1.1
231 + # - 8.8.8.8
232 +
233 + # Search domains to inject.
234 + domains: []
235 +
236 + # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
237 + # Only works if there is at least a nameserver defined.
238 + magic_dns: true
239 +
240 + # Defines the base domain to create the hostnames for MagicDNS.
241 + # `base_domain` must be a FQDNs, without the trailing dot.
242 + # The FQDN of the hosts will be
243 + # `hostname.namespace.base_domain` (e.g., _myhost.mynamespace.example.com_).
244 + base_domain: example.com
245 +
246 +# Unix socket used for the CLI to connect without authentication
247 +# Note: for local development, you probably want to change this to:
248 +unix_socket: /run/headscale/headscale.sock
249 +unix_socket_permission: "0770"
250 +#
251 +# headscale supports experimental OpenID connect support,
252 +# it is still being tested and might have some bugs, please
253 +# help us test it.
254 +# OpenID Connect
255 +# oidc:
256 +# issuer: "https://your-oidc.issuer.com/path"
257 +# client_id: "your-oidc-client-id"
258 +# client_secret: "your-oidc-client-secret"
259 +#
260 +# If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
261 +# This will transform `first-name.last-name@×××××××.com` to the namespace `first-name.last-name`
262 +# If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
263 +# namespace: `first-name.last-name.example.com`
264 +#
265 +# strip_email_domain: true
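Review bot: The shipped example pairs `server_url: http://127.0.0.1:8080` with `listen_addr: 0.0.0.0:8080`, so a user who copies it as pkg_postinst instructs ends up with a control plane accepting node registrations over plaintext HTTP on every interface, while the DERP block further down states that server_url must be https. For a distribution-shipped example I would bind to loopback, `listen_addr: 127.0.0.1:8080`, and put a comment above server_url saying it must be changed to an https URL (with the TLS section filled in) before the port is exposed. Once populated, this file also carries secrets (`db_pass`, the commented `client_secret`), which is worth stating in the header comment since the OpenRC script forces 0600 on it but, as far as the visible files show, the systemd path relies on whatever mode the administrator chose.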
266
267 diff --git a/net-vpn/headscale/files/headscale.conf b/net-vpn/headscale/files/headscale.conf
268 new file mode 100644
269 index 000000000000..5bf65c68e358
270 --- /dev/null
271 +++ b/net-vpn/headscale/files/headscale.conf
272 @@ -0,0 +1,8 @@
273 +HEADSCALE_USER=headscale
274 +HEADSCALE_GROUP=headscale
275 +
276 +# max number of open files (for floodfill)
277 +rc_ulimit="-n 4096"
278 +
279 +# Options to headscale
280 +HEADSCALE_OPTIONS="serve"
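Review bot: The comment `# max number of open files (for floodfill)` refers to a floodfill router, an I2P concept, and looks copied from another package's conf.d file; nothing in headscale relates to it. Replace it with a comment that matches this daemon, e.g. `# max number of open files (raise if many nodes connect)`, hedged since the actual per-node descriptor use is not shown here.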
281
282 diff --git a/net-vpn/headscale/files/headscaled.initd b/net-vpn/headscale/files/headscaled.initd
283 new file mode 100644
284 index 000000000000..5a12887f444b
285 --- /dev/null
286 +++ b/net-vpn/headscale/files/headscaled.initd
287 @@ -0,0 +1,29 @@
288 +#!/sbin/openrc-run
289 +# Copyright 2022 Gentoo Authors
290 +# Distributed under the terms of the GNU General Public License v2
291 +
292 +description="Headscale Server daemon"
293 +command="/usr/bin/headscale"
294 +user="${HEADSCALE_USER}:${HEADSCALE_GROUP}"
295 +directory="/var/lib/headscale"
296 +output_log="/var/log/headscale.log"
297 +error_log="/var/log/headscale.log"
298 +
299 +start_stop_daemon_args="--user \"${user}\" ${HEADSCALE_OPTIONS} --background"
300 +
301 +depend() {
302 + need net
303 +}
304 +
305 +start_pre() {
306 + if [ ! -s /etc/headscale/config.yaml ] ; then
307 + eerror "Missing headscale configuration file"
308 + eerror "Please use /etc/headscale/config.yaml.example as example"
309 + return 1
310 + fi
311 +
312 + checkpath -d -m 700 -o "${user}" /run/headscale /var/lib/headscale
313 + checkpath -f -m 600 -o "${user}" /var/lib/headscale/db.sqlite /var/log/headscale.log
314 + checkpath -f -m 600 -o "${user}" /etc/headscale/config.yaml
315 +}
316 +
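Review bot: `checkpath -f -m 600 -o "${user}" /etc/headscale/config.yaml` on the last line of start_pre hands ownership of the configuration to the service account, so a compromised daemon can rewrite its own `acl_policy_path`, `grpc_allow_insecure` or TLS key paths and have them honoured at the next restart. Keep the file root-owned and only group-readable: `checkpath -f -m 640 -o "root:${HEADSCALE_GROUP}" /etc/headscale/config.yaml`. Separately, `checkpath -d -m 700 -o "${user}" /run/headscale` means members of the headscale group cannot traverse the directory, so the `unix_socket_permission: "0770"` in the example only ever helps root and the service user; 0750 on the directory would match that intent if group CLI access is wanted.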
317
318 diff --git a/net-vpn/headscale/files/headscaled.service b/net-vpn/headscale/files/headscaled.service
319 new file mode 100644
320 index 000000000000..fb27b40d4e31
321 --- /dev/null
322 +++ b/net-vpn/headscale/files/headscaled.service
323 @@ -0,0 +1,24 @@
324 +[Unit]
325 +Description=headscale controller
326 +After=syslog.target
327 +After=network.target
328 +
329 +[Service]
330 +Type=simple
331 +User=headscale
332 +Group=headscale
333 +ExecStart=/usr/bin/headscale serve
334 +Restart=always
335 +RestartSec=5
336 +
337 +# Optional security enhancements
338 +NoNewPrivileges=yes
339 +PrivateTmp=yes
340 +ProtectSystem=strict
341 +ProtectHome=yes
342 +ReadWritePaths=/var/lib/headscale /run/headscale
343 +AmbientCapabilities=CAP_NET_BIND_SERVICE
344 +RuntimeDirectory=headscale
345 +
346 +[Install]
347 +WantedBy=multi-user.target
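Review bot: The "security enhancements" block grants `AmbientCapabilities=CAP_NET_BIND_SERVICE` but leaves the capability bounding set at its default, so adding `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` would make the declared intent explicit and is cheap defence in depth alongside NoNewPrivileges. `After=syslog.target` is an obsolete target and can be dropped, and `/run/headscale` in `ReadWritePaths=` is redundant with `RuntimeDirectory=headscale`, which already makes that directory writable under ProtectSystem=strict. Further sandboxing such as ProtectKernelTunables or RestrictAddressFamilies is probably applicable, but I have not verified which socket families headscale needs, so treat that as something to test rather than a firm recommendation.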
348
349 diff --git a/net-vpn/headscale/headscale-0.15.0.ebuild b/net-vpn/headscale/headscale-0.15.0.ebuild
350 new file mode 100644
351 index 000000000000..93a52a9f0cde
352 --- /dev/null
353 +++ b/net-vpn/headscale/headscale-0.15.0.ebuild
354 @@ -0,0 +1,49 @@
355 +# Copyright 2022 Gentoo Authors
356 +# Distributed under the terms of the GNU General Public License v2
357 +
358 +EAPI=8
359 +
360 +inherit go-module systemd
361 +
362 +DESCRIPTION="An open source, self-hosted implementation of the Tailscale control server"
363 +HOMEPAGE="https://github.com/juanfont/headscale"
364 +SRC_URI="
365 + https://github.com/juanfont/headscale/archive/refs/tags/v${PV}.tar.gz -> ${P}.tar.gz
366 + https://dev.gentoo.org/~jsmolic/distfiles/net-vpn/headscale/${P}-deps.tar.xz
367 +"
368 +
369 +LICENSE="BSD Apache-2.0 MIT"
370 +SLOT="0"
371 +KEYWORDS="~amd64"
372 +
373 +DEPEND="
374 + acct-group/headscale
375 + acct-user/headscale
376 +"
377 +RDEPEND="
378 + ${DEPEND}
379 + net-firewall/iptables
380 +"
381 +
382 +src_install() {
383 + keepdir /var/lib/headscale
384 + keepdir /etc/headscale
385 +
386 + dobin headscale
387 +
388 + insinto /etc/headscale
389 + doins "${FILESDIR}"/config.yaml.example
390 +
391 + fowners -R ${PN}:${PN} /etc/headscale
392 + fowners -R ${PN}:${PN} /var/lib/headscale
393 +
394 + systemd_dounit "${FILESDIR}"/headscaled.service
395 + newinitd "${FILESDIR}"/headscaled.initd headscaled
396 + newconfd "${FILESDIR}"/headscale.conf headscaled
397 +}
398 +
399 +pkg_postinst() {
400 + elog "You will need to set up your /etc/headscale/config.yaml file before starting the service"
401 + elog "Please use /etc/headscale/config.yaml.example as example"
402 + elog "More in the official documentation https://github.com/juanfont/headscale/tree/main/docs"
403 +}
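Review bot: `fowners -R ${PN}:${PN} /etc/headscale` in src_install makes the configuration directory writable by the daemon's own account, so anything an administrator later drops there (the ACL policy, a TLS private key) can be altered by a compromised headscale process. Prefer `fowners root:${PN} /etc/headscale` followed by `fperms 0750 /etc/headscale`, which still lets the service read its configuration. The `net-firewall/iptables` RDEPEND also has no visible justification in the ebuild, unit or init script; if headscale does not invoke iptables itself, it should be removed or given a comment explaining why it is required.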
404
405 diff --git a/net-vpn/headscale/metadata.xml b/net-vpn/headscale/metadata.xml
406 new file mode 100644
407 index 000000000000..73d345656db7
408 --- /dev/null
409 +++ b/net-vpn/headscale/metadata.xml
410 @@ -0,0 +1,16 @@
411 +<?xml version="1.0" encoding="UTF-8"?>
412 +<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
413 +<pkgmetadata>
414 + <maintainer type="person" proxied="yes">
415 + <email>chris@××××××××××.org</email>
416 + <name>Chris Su</name>
417 + </maintainer>
418 + <maintainer type="person" proxied="proxy">
419 + <email>dlan@g.o</email>
420 + <name>Yixun Lan</name>
421 + </maintainer>
422 + <maintainer type="person" proxied="proxy">
423 + <email>jsmolic@g.o</email>
424 + <name>Jakov Smolić</name>
425 + </maintainer>
426 +</pkgmetadata>