-rw-r--r--.SRCINFO14
-rw-r--r--.gitignore1
-rw-r--r--PKGBUILD26
-rw-r--r--headscale.service52
-rw-r--r--headscale.sysusers1
-rw-r--r--headscale.tmpfiles2
6 files changed, 80 insertions, 16 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 2fb5fa437e3..d3e71e1c650 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,19 +1,23 @@
pkgbase = headscale
pkgdesc = An open source, self-hosted implementation of the Tailscale coordination server.
- pkgver = 0.14.0
+ pkgver = 0.16.4
pkgrel = 1
url = https://github.com/juanfont/headscale
arch = any
license = BSD
makedepends = go
- depends = tailscale
optdepends = wireguard-tools: CLI tools for generating keys
optdepends = postgresql: alternative database provider
conflicts = headscale-git
backup = etc/headscale/config.yaml
- source = headscale-0.14.0.tar.gz::https://github.com/juanfont/headscale/archive/refs/tags/v0.14.0.tar.gz
+ backup = etc/headscale/derp.yaml
+ source = headscale-0.16.4.tar.gz::https://github.com/juanfont/headscale/archive/refs/tags/v0.16.4.tar.gz
source = headscale.service
- sha256sums = aabbc69c7ba1c3da70a34256fe53e8bb3897b19fb70ff03dfc01f06847a11e93
- sha256sums = 000457ad0cfaca8513c0f1be5b0a04beb673576e019c7184e5fb3a78e57738ab
+ source = headscale.sysusers
+ source = headscale.tmpfiles
+ sha256sums = 0395478f9dde68aa8ca23be8df6ff636d47166981d0995e4e31a8c7db12df8e8
+ sha256sums = SKIP
+ sha256sums = SKIP
+ sha256sums = SKIP
pkgname = headscale
diff --git a/.gitignore b/.gitignore
index 832a2faf833..b882116f824 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
/src
/headscale
/*.pkg.tar.*
+/*.gz
diff --git a/PKGBUILD b/PKGBUILD
index d5616c512f6..75bbf7bf7be 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,35 +1,49 @@
pkgname=headscale
-pkgver=0.14.0
+pkgver=0.16.4
pkgrel=1
pkgdesc="An open source, self-hosted implementation of the Tailscale coordination server."
arch=('any')
url="https://github.com/juanfont/headscale"
license=('BSD')
-depends=('tailscale')
+depends=()
makedepends=('go')
optdepends=(
'wireguard-tools: CLI tools for generating keys'
'postgresql: alternative database provider'
)
conflicts=("${pkgname}-git")
-backup=("etc/${pkgname}/config.yaml")
+backup=("etc/${pkgname}/config.yaml" "etc/${pkgname}/derp.yaml")
source=(
"${pkgname}-${pkgver}.tar.gz::https://github.com/juanfont/headscale/archive/refs/tags/v${pkgver}.tar.gz"
'headscale.service'
+ 'headscale.sysusers'
+ 'headscale.tmpfiles'
)
-sha256sums=('aabbc69c7ba1c3da70a34256fe53e8bb3897b19fb70ff03dfc01f06847a11e93'
- '000457ad0cfaca8513c0f1be5b0a04beb673576e019c7184e5fb3a78e57738ab')
+sha256sums=('0395478f9dde68aa8ca23be8df6ff636d47166981d0995e4e31a8c7db12df8e8'
+ '3cae7a3bfbb70bfda8dc4323d27cdcde0d841d1b3335c0f10525907eb3f6e650'
+ '059353f4843dec6eb447c567fac890ef63cc9c8acea18840fcfc3f4a76d596db'
+ '8a22d7193ceeac0be32725cf8108f963be3a21855e6099de964f810094d0adc7')
build() {
cd "${srcdir}/${pkgname}-${pkgver}"
- go build -v -o headscale -ldflags "-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=${pkgver}" ./cmd/headscale
+ make
+ sed -i 's-/var/run/headscale\.sock-/var/run/headscale/headscale\.sock-' config-example.yaml
}
package() {
cd "$srcdir/${pkgname}-${pkgver}"
install -D -m755 "${pkgname}" "${pkgdir}/usr/bin/${pkgname}"
+
install -D -m644 "config-example.yaml" "${pkgdir}/etc/${pkgname}/config.yaml"
+ install -D -m644 "config-example.yaml" "${pkgdir}/usr/share/${pkgname}/config-example.yaml"
+
+ install -D -m644 "derp-example.yaml" "${pkgdir}/etc/${pkgname}/derp.yaml"
+ install -D -m644 "derp-example.yaml" "${pkgdir}/usr/share/${pkgname}/derp-example.yaml"
+
+ install -D -m644 "${srcdir}/${pkgname}.sysusers" "${pkgdir}/usr/lib/sysusers.d/${pkgname}.conf"
+ install -D -m644 "${srcdir}/${pkgname}.tmpfiles" "${pkgdir}/usr/lib/tmpfiles.d/${pkgname}.conf"
+
install -D -m644 "LICENSE" "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
install -D -m644 "${srcdir}/${pkgname}.service" "${pkgdir}/usr/lib/systemd/system/${pkgname}.service"
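Review bot: The three local-file hashes pinned in `sha256sums` here are not what this commit's .SRCINFO records: it lists `sha256sums = SKIP` for headscale.service, headscale.sysusers and headscale.tmpfiles. Regenerating it from this PKGBUILD with `makepkg --printsrcinfo > .SRCINFO` would keep the published metadata in step with the checksums that are actually verified. Separately, `build()` now runs a bare `make`, so the compiler flags and the embedded version string are whatever the upstream Makefile's default target chooses, rather than the explicit `go build ... -X ...cli.Version=${pkgver}` line that was removed. Naming the target, or passing the flags from the PKGBUILD, would keep the build auditable from this file alone. package() continues past the end of the hunk.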
diff --git a/headscale.service b/headscale.service
index 8645af4c8b6..ab2cfa15ba9 100644
--- a/headscale.service
+++ b/headscale.service
@@ -1,14 +1,56 @@
[Unit]
-Description=Headscale server
+Description=Headscale controller
After=network.target
[Service]
Type=simple
-RemainAfterExit=yes
-Environment=GIN_MODE=release
ExecStart=/usr/bin/headscale serve
-ExecReload=/bin/kill -HUP $MAINPID
-Restart=on-failure
+WorkingDirectory=/var/lib/headscale
+ConfigurationDirectory=headscale
+RuntimeDirectory=headscale
+User=headscale
+Group=headscale
+
+DynamicUser=yes
+Restart=always
+RestartSec=5
+
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# If headscale is run at ports >1024, you should apply these options via a
+# drop-in file
+#CapabilityBoundingSet=
+#AmbientCapabilities=
+#PrivateUsers=yes
+
+NoNewPrivileges=yes
+
+LimitNOFILE=1048576
+UMask=0077
+
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=/var/lib/headscale /var/run/headscale
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
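Review bot: `DynamicUser=yes` is set together with `User=headscale`/`Group=headscale`, while the same commit ships a sysusers entry that creates a static `headscale` account and a tmpfiles rule that makes it the owner of /var/lib/headscale. As systemd documents it, an existing static user of the configured name is used and no dynamic one is allocated, so here the directive only contributes its implied sandboxing and leaves a reader unsure which UID owns the state directory. Either drop `DynamicUser=yes`, or keep it and let systemd manage the state with `StateDirectory=headscale` instead of the tmpfiles rule plus the /var/lib/headscale entry in `ReadWritePaths=`. The drop-in comment should also read `ports >= 1024`, since port 1024 itself does not need `CAP_NET_BIND_SERVICE`.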
diff --git a/headscale.sysusers b/headscale.sysusers
new file mode 100644
index 00000000000..a9238cceba1
--- /dev/null
+++ b/headscale.sysusers
@@ -0,0 +1 @@
+u headscale - "Headscale user"
diff --git a/headscale.tmpfiles b/headscale.tmpfiles
new file mode 100644
index 00000000000..7c49e08fa75
--- /dev/null
+++ b/headscale.tmpfiles
@@ -0,0 +1,2 @@
+d /var/lib/headscale 0750 headscale headscale
+h /var/lib/headscale - - - - +C
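Review bot: The `h ... +C` line has no comment saying why the No_COW attribute is set on the state directory, and its effect is not obvious to someone auditing the package. It is presumably there to avoid copy-on-write fragmentation of the database file on btrfs; if so, a line such as `# +C: disable copy-on-write for the database on btrfs (no effect on other filesystems)` above it would record that. The comment could also note that No_COW on btrfs turns off data checksumming for new files in that directory, which an operator relying on btrfs integrity checks would want to know.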