300 lines
7.1 KiB
TypeScript
300 lines
7.1 KiB
TypeScript
// Handle the configuration loading for headplane.
|
|
// Functionally only used for all sorts of sanity checks across headplane.
|
|
//
|
|
// Around the codebase, this is referred to as the context
|
|
|
|
import { access, constants, readFile, writeFile } from 'node:fs/promises';
|
|
import { resolve } from 'node:path';
|
|
|
|
import { parse } from 'yaml';
|
|
|
|
import { IntegrationFactory, loadIntegration } from '~/integration';
|
|
import { HeadscaleConfig, loadConfig } from '~/utils/config/headscale';
|
|
import { testOidc } from '~/utils/oidc';
|
|
import log from '~/utils/log';
|
|
import { initSessionManager } from '~/utils/sessions.server';
|
|
import { initAgentCache } from '~/utils/ws-agent';
|
|
|
|
export interface HeadplaneContext {
|
|
debug: boolean;
|
|
headscaleUrl: string;
|
|
headscalePublicUrl?: string;
|
|
cookieSecret: string;
|
|
integration: IntegrationFactory | undefined;
|
|
|
|
cache: {
|
|
enabled: boolean;
|
|
path: string;
|
|
defaultTTL: number;
|
|
}
|
|
|
|
config: {
|
|
read: boolean;
|
|
write: boolean;
|
|
};
|
|
|
|
oidc?: {
|
|
issuer: string;
|
|
client: string;
|
|
secret: string;
|
|
rootKey: string;
|
|
method: string;
|
|
disableKeyLogin: boolean;
|
|
};
|
|
}
|
|
|
|
let context: HeadplaneContext | undefined;
|
|
let loadLock = false;
|
|
|
|
export async function loadContext(): Promise<HeadplaneContext> {
|
|
if (context) {
|
|
return context;
|
|
}
|
|
|
|
if (loadLock) {
|
|
return new Promise((resolve) => {
|
|
const interval = setInterval(() => {
|
|
if (context) {
|
|
clearInterval(interval);
|
|
resolve(context);
|
|
}
|
|
}, 100);
|
|
});
|
|
}
|
|
|
|
loadLock = true;
|
|
const envFile = process.env.LOAD_ENV_FILE === 'true';
|
|
if (envFile) {
|
|
log.info('CTXT', 'Loading environment variables from .env');
|
|
await import('dotenv/config');
|
|
}
|
|
|
|
const debug = process.env.DEBUG === 'true';
|
|
if (debug) {
|
|
log.info('CTXT', 'Debug mode is enabled! Logs will spam a lot.');
|
|
log.info('CTXT', 'Please disable debug mode in production.');
|
|
}
|
|
|
|
const path = resolve(process.env.CONFIG_FILE ?? '/etc/headscale/config.yaml');
|
|
const { config, contextData } = await checkConfig(path);
|
|
|
|
let headscaleUrl = process.env.HEADSCALE_URL;
|
|
let headscalePublicUrl = process.env.HEADSCALE_PUBLIC_URL;
|
|
|
|
if (!headscaleUrl && !config) {
|
|
throw new Error('HEADSCALE_URL not set');
|
|
}
|
|
|
|
if (config) {
|
|
headscaleUrl = headscaleUrl ?? config.server_url;
|
|
if (!headscalePublicUrl) {
|
|
// Fallback to the config value if the env var is not set
|
|
headscalePublicUrl = config.server_url;
|
|
}
|
|
}
|
|
|
|
if (!headscaleUrl) {
|
|
throw new Error('Missing server_url in headscale config');
|
|
}
|
|
|
|
const cookieSecret = process.env.COOKIE_SECRET;
|
|
if (!cookieSecret) {
|
|
throw new Error('COOKIE_SECRET not set');
|
|
}
|
|
|
|
// Initialize Session Management
|
|
initSessionManager();
|
|
|
|
const cacheEnabled = process.env.AGENT_CACHE_DISABLED !== 'true';
|
|
const cachePath = process.env.AGENT_CACHE_PATH ?? '/etc/headplane/agent.cache';
|
|
const cacheTTL = 300 * 1000; // 5 minutes
|
|
|
|
// Load agent cache
|
|
if (cacheEnabled) {
|
|
log.info('CTXT', 'Initializing Agent Cache');
|
|
log.debug('CTXT', 'Cache Path: %s', cachePath);
|
|
log.debug('CTXT', 'Cache TTL: %d', cacheTTL);
|
|
await initAgentCache(cacheTTL, cachePath);
|
|
}
|
|
|
|
context = {
|
|
debug,
|
|
headscaleUrl,
|
|
headscalePublicUrl,
|
|
cookieSecret,
|
|
integration: await loadIntegration(),
|
|
config: contextData,
|
|
cache: {
|
|
enabled: cacheEnabled,
|
|
path: cachePath,
|
|
defaultTTL: cacheTTL,
|
|
},
|
|
oidc: await checkOidc(config),
|
|
};
|
|
|
|
log.info('CTXT', 'Starting Headplane with Context');
|
|
log.info('CTXT', 'HEADSCALE_URL: %s', headscaleUrl);
|
|
if (headscalePublicUrl) {
|
|
log.info('CTXT', 'HEADSCALE_PUBLIC_URL: %s', headscalePublicUrl);
|
|
}
|
|
|
|
log.info('CTXT', 'Integration: %s', context.integration?.name ?? 'None');
|
|
log.info(
|
|
'CTXT',
|
|
'Config: %s',
|
|
contextData.read
|
|
? `Found ${contextData.write ? '' : '(Read Only)'}`
|
|
: 'Unavailable',
|
|
);
|
|
|
|
log.info('CTXT', 'OIDC: %s', context.oidc ? 'Configured' : 'Unavailable');
|
|
loadLock = false;
|
|
return context;
|
|
}
|
|
|
|
async function checkConfig(path: string) {
|
|
log.debug('CTXT', 'Checking config at %s', path);
|
|
|
|
let config: HeadscaleConfig | undefined;
|
|
try {
|
|
config = await loadConfig(path);
|
|
} catch {
|
|
log.debug('CTXT', 'Config at %s failed to load', path);
|
|
return {
|
|
config: undefined,
|
|
contextData: {
|
|
read: false,
|
|
write: false,
|
|
},
|
|
};
|
|
}
|
|
|
|
let write = false;
|
|
try {
|
|
log.debug('CTXT', 'Checking write access to %s', path);
|
|
await access(path, constants.W_OK);
|
|
write = true;
|
|
} catch {
|
|
log.debug('CTXT', 'No write access to %s', path);
|
|
}
|
|
|
|
return {
|
|
config,
|
|
contextData: {
|
|
read: true,
|
|
write,
|
|
},
|
|
};
|
|
}
|
|
|
|
async function checkOidc(config?: HeadscaleConfig) {
|
|
log.debug('CTXT', 'Checking OIDC configuration');
|
|
|
|
const disableKeyLogin = process.env.DISABLE_API_KEY_LOGIN === 'true';
|
|
log.debug('CTXT', 'API Key Login Enabled: %s', !disableKeyLogin);
|
|
|
|
log.debug('CTXT', 'Checking ROOT_API_KEY and falling back to API_KEY');
|
|
const rootKey = process.env.ROOT_API_KEY ?? process.env.API_KEY;
|
|
if (!rootKey) {
|
|
throw new Error('ROOT_API_KEY or API_KEY not set');
|
|
}
|
|
|
|
let issuer = process.env.OIDC_ISSUER;
|
|
let client = process.env.OIDC_CLIENT_ID;
|
|
let secret = process.env.OIDC_CLIENT_SECRET;
|
|
const method = process.env.OIDC_CLIENT_SECRET_METHOD ?? 'client_secret_basic';
|
|
const skip = process.env.OIDC_SKIP_CONFIG_VALIDATION === 'true';
|
|
|
|
log.debug('CTXT', 'Checking OIDC environment variables');
|
|
log.debug('CTXT', 'Issuer: %s', issuer);
|
|
log.debug('CTXT', 'Client: %s', client);
|
|
|
|
if (
|
|
(issuer ?? client ?? secret) &&
|
|
!(issuer && client && secret) &&
|
|
!config
|
|
) {
|
|
throw new Error('OIDC environment variables are incomplete');
|
|
}
|
|
|
|
if (issuer && client && secret) {
|
|
if (!skip) {
|
|
log.debug(
|
|
'CTXT',
|
|
'Validating OIDC configuration from environment variables',
|
|
);
|
|
const result = await testOidc(issuer, client, secret);
|
|
if (!result) {
|
|
return;
|
|
}
|
|
} else {
|
|
log.debug('CTXT', 'OIDC_SKIP_CONFIG_VALIDATION is set');
|
|
log.debug('CTXT', 'Skipping OIDC configuration validation');
|
|
}
|
|
|
|
return {
|
|
issuer,
|
|
client,
|
|
secret,
|
|
method,
|
|
rootKey,
|
|
disableKeyLogin,
|
|
};
|
|
}
|
|
|
|
if ((!issuer || !client || !secret) && config) {
|
|
issuer = config.oidc?.issuer;
|
|
client = config.oidc?.client_id;
|
|
secret = config.oidc?.client_secret;
|
|
|
|
if (!secret && config.oidc?.client_secret_path) {
|
|
log.debug(
|
|
'CTXT',
|
|
'Trying to read OIDC client secret from %s',
|
|
config.oidc.client_secret_path,
|
|
);
|
|
try {
|
|
const data = await readFile(config.oidc.client_secret_path, 'utf8');
|
|
|
|
if (data && data.length > 0) {
|
|
secret = data.trim();
|
|
}
|
|
} catch {
|
|
log.error(
|
|
'CTXT',
|
|
'Failed to read OIDC client secret from %s',
|
|
config.oidc.client_secret_path,
|
|
);
|
|
}
|
|
}
|
|
}
|
|
|
|
if ((issuer ?? client ?? secret) && !(issuer && client && secret)) {
|
|
throw new Error('OIDC configuration is incomplete');
|
|
}
|
|
|
|
if (!issuer || !client || !secret) {
|
|
return;
|
|
}
|
|
|
|
if (config?.oidc?.only_start_if_oidc_is_available) {
|
|
log.debug('CTXT', 'Validating OIDC configuration from headscale config');
|
|
const result = await testOidc(issuer, client, secret);
|
|
if (!result) {
|
|
return;
|
|
}
|
|
} else {
|
|
log.debug('CTXT', 'OIDC validation is disabled in headscale config');
|
|
log.debug('CTXT', 'Skipping OIDC configuration validation');
|
|
}
|
|
|
|
return {
|
|
issuer,
|
|
client,
|
|
secret,
|
|
rootKey,
|
|
method,
|
|
disableKeyLogin,
|
|
};
|
|
}
|