Load the Tailscale secrets from the config instead of straight from E…

…NV vars
giodamelio · Apr 25, 2023 · 837bbc9 · 837bbc9
1 parent 0720705
commit 837bbc9
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 4 deletions.
diff --git a/config.go b/config.go
@@ -51,7 +51,13 @@ func loadConfig() {
 	}
 
 	// Check for required config options
-	requiredConfigs := []string{"domain", "tailscale.organization-name"}
+	requiredConfigs := []string{
+		"domain",
+		"tailscale.organization-name",
+		"tailscale.auth-key",
+		"tailscale.oauth-client-id",
+		"tailscale.oauth-client-secret",
+	}
 	var missingConfigs []string
 	for _, requiredConfigName := range requiredConfigs {
 		if !viper.IsSet(requiredConfigName) {

diff --git a/examples/tailscale-custom-domain-dns.toml b/examples/tailscale-custom-domain-dns.toml
@@ -23,6 +23,18 @@ domain = ""
 # Example: "<username>.github"
 organization-name = ""
 
+# Tailscale auth key. Allows the server to join your tailnet
+# WARNING: this is a secret value, consider setting it via an environment variable instead ofsaving it in a potentially insecure config file.
+# Example: "tskey-abcdef1432341818"
+auth-key = ""
+
+# Tailscale OAuth client id and secret
+# These are used to call the Tailscale API and get the list of devices on your tailnet and their IP addresses.
+# WARNING: these are secret values, consider setting it via an environment variable instead ofsaving it in a potentially insecure config file.
+# Example: id = "gC4s54HItEeu", secret = "tskey-client-gC4s54HItEeu-AAAAAAAAAAAAAAAAAAAAA"
+oauth-client-id = ""
+oauth-client-secret = ""
+
 # The hostname that the server will connect to your tailnet with.
 hostname = "tailscale-custom-domain-dns"
 

diff --git a/server/server.go b/server/server.go
@@ -25,6 +25,7 @@ func Start() {
 	// Startup tsnet
 	tsServer := new(tsnet.Server)
 	tsServer.Hostname = viper.GetString("tailscale.hostname")
+	tsServer.AuthKey = viper.GetString("tailscale.auth-key")
 	tsServer.Logf = func(format string, args ...any) {
 		log.
 			Trace().

diff --git a/tsapi/tailscale.go b/tsapi/tailscale.go
@@ -7,9 +7,9 @@ import (
 	"io"
 	"net/http"
 	"net/url"
-	"os"
 
 	"github.com/rs/zerolog/log"
+	"github.com/spf13/viper"
 	"golang.org/x/oauth2/clientcredentials"
 )
 
@@ -33,8 +33,8 @@ type Device struct {
 
 func NewTSClient(tailnetName string) *TSApi {
 	var oauthConfig = &clientcredentials.Config{
-		ClientID:     os.Getenv("TS_OAUTH_CLIENT_ID"),
-		ClientSecret: os.Getenv("TS_OAUTH_CLIENT_SECRET"),
+		ClientID:     viper.GetString("tailscale.oauth-client-id"),
+		ClientSecret: viper.GetString("tailscale.oauth-client-secret"),
 		TokenURL:     buildPath("/oauth/token"),
 	}