From 837bbc90f15bc648edb0bbeee47ee3ac6dc5361c Mon Sep 17 00:00:00 2001
From: Giovanni d'Amelio
Date: Mon, 24 Apr 2023 17:40:21 -0700
Subject: [PATCH] Load the Tailscale secrets from the config instead of straight from ENV vars

---
 config.go | 8 +++++++-
 examples/tailscale-custom-domain-dns.toml | 12 ++++++++++++
 server/server.go | 1 +
 tsapi/tailscale.go | 6 +++---
 4 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/config.go b/config.go
index 69fdf4b..691d8eb 100644
--- a/config.go
+++ b/config.go
@@ -51,7 +51,13 @@ func loadConfig() {
 }
 
 // Check for required config options
- requiredConfigs := []string{"domain", "tailscale.organization-name"}
+ requiredConfigs := []string{
+ "domain",
+ "tailscale.organization-name",
+ "tailscale.auth-key",
+ "tailscale.oauth-client-id",
+ "tailscale.oauth-client-secret",
+ }
 var missingConfigs []string
 for _, requiredConfigName := range requiredConfigs {
 if !viper.IsSet(requiredConfigName) {
diff --git a/examples/tailscale-custom-domain-dns.toml b/examples/tailscale-custom-domain-dns.toml
index 758523f..8064f30 100644
--- a/examples/tailscale-custom-domain-dns.toml
+++ b/examples/tailscale-custom-domain-dns.toml
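Review bot: The new required keys are only checked for presence, and as far as I recall viper's semantics `viper.IsSet` is true for a key that exists with an empty value, so a config copied from the shipped example (`auth-key = ""`, `oauth-client-secret = ""`) passes this check and the missing secret surfaces later as an opaque tsnet or OAuth token failure. Rejecting blank values here gives a clear startup error: `if !viper.IsSet(requiredConfigName) || viper.GetString(requiredConfigName) == "" {`. If the environment-variable route recommended in the example file is meant to satisfy this check, note that the keys contain `.` and `-`, which only map onto an env var if loadConfig calls `viper.AutomaticEnv()` together with `viper.SetEnvKeyReplacer(strings.NewReplacer(".", "_", "-", "_"))` or binds each key explicitly; whether it does is outside this hunk. loadConfig starts and ends outside the hunk.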
@@ -23,6 +23,18 @@ domain = ""
 # Example: ".github"
 organization-name = ""
 
+# Tailscale auth key. Allows the server to join your tailnet
+# WARNING: this is a secret value, consider setting it via an environment variable instead ofsaving it in a potentially insecure config file.
+# Example: "tskey-abcdef1432341818"
+auth-key = ""
+
+# Tailscale OAuth client id and secret
+# These are used to call the Tailscale API and get the list of devices on your tailnet and their IP addresses.
+# WARNING: these are secret values, consider setting it via an environment variable instead ofsaving it in a potentially insecure config file.
+# Example: id = "gC4s54HItEeu", secret = "tskey-client-gC4s54HItEeu-AAAAAAAAAAAAAAAAAAAAA"
+oauth-client-id = ""
+oauth-client-secret = ""
+
 # The hostname that the server will connect to your tailnet with.
 hostname = "tailscale-custom-domain-dns"
 
diff --git a/server/server.go b/server/server.go
index a7b2537..ea2c1bd 100644
--- a/server/server.go
+++ b/server/server.go
@@ -25,6 +25,7 @@ func Start() {
 // Startup tsnet
 tsServer := new(tsnet.Server)
 tsServer.Hostname = viper.GetString("tailscale.hostname")
+ tsServer.AuthKey = viper.GetString("tailscale.auth-key")
 tsServer.Logf = func(format string, args ...any) {
 log.
 Trace().
diff --git a/tsapi/tailscale.go b/tsapi/tailscale.go
index 1fc99b2..82037e3 100644
--- a/tsapi/tailscale.go
+++ b/tsapi/tailscale.go
@@ -7,9 +7,9 @@ import (
 "io"
 "net/http"
 "net/url"
- "os"
 
 "github.com/rs/zerolog/log"
+ "github.com/spf13/viper"
 "golang.org/x/oauth2/clientcredentials"
 )
 
@@ -33,8 +33,8 @@ type Device struct {
 
 func NewTSClient(tailnetName string) *TSApi {
 var oauthConfig = &clientcredentials.Config{
- ClientID: os.Getenv("TS_OAUTH_CLIENT_ID"),
- ClientSecret: os.Getenv("TS_OAUTH_CLIENT_SECRET"),
+ ClientID: viper.GetString("tailscale.oauth-client-id"),
+ ClientSecret: viper.GetString("tailscale.oauth-client-secret"),
 TokenURL: buildPath("/oauth/token"),
 }
 
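Review bot: Both WARNING comments tell the user to prefer an environment variable, but they do not say which variable name viper will read, and the commit subject says secrets are now loaded from the config "instead of" env vars — a reader cannot tell from this file whether `TAILSCALE_AUTH_KEY`-style variables work at all (that depends on viper env binding in loadConfig, which this file cannot show). Once the binding is confirmed, name it here, e.g. `# WARNING: secret value. Prefer the TAILSCALE_AUTH_KEY environment variable over saving it in a config file; if you must store it here, restrict the file's permissions (chmod 600).` Both comments also read `instead ofsaving` (missing space) and the second says `consider setting it` for two values — `setting them`.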
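Review bot: The added `tsServer.AuthKey` line deserves a comment on its lifetime, because config.go now refuses to start without the key while (if I recall tsnet's documented behavior correctly) the auth key is only consumed when the node is first created — on later starts the node state persisted in the server's state directory is used and the field is ignored, and tsnet also falls back to the `TS_AUTHKEY` environment variable when the field is empty. Suggest `// Used only on first start to register the node; later starts reuse the persisted node state.` and reconsidering whether the key must be required rather than optional, since keys are commonly single-use or short-lived and operators may want to remove them from the config after enrollment. Start's body continues outside the hunk.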
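Review bot: Replacing the `os.Getenv("TS_OAUTH_CLIENT_ID")` / `TS_OAUTH_CLIENT_SECRET` lookups with viper keys is a breaking change for existing deployments that set those variables: unless viper binds the new keys to them, such deployments now fail the required-config check at startup, and neither the commit message nor the code calls this out. A two-line bridge in loadConfig (outside this hunk) keeps them working — `viper.BindEnv("tailscale.oauth-client-id", "TS_OAUTH_CLIENT_ID")` and `viper.BindEnv("tailscale.oauth-client-secret", "TS_OAUTH_CLIENT_SECRET")` — or the commit message should document the migration. The secret now also lives in viper's process-wide settings map alongside non-sensitive keys, so check that nothing logs `viper.AllSettings()` or the settings struct at trace level, which would leak the client secret. NewTSClient's body continues past the hunk.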