prep for release

.github/workflows/release.yml

@@ -0,0 +1,29 @@
+permissions:
+  contents: write
+
+name: release
+on:
+  push:
+    tags:
+    - v*.*.*
+    - '!v*.*.*-**'
+
+jobs:    
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Unshallow clone
+        run: git fetch --prune --unshallow
+      - name: Install Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: '1.22.x'
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          args: release --clean --skip=validate
+          version: latest
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

derper.service

@@ -1,19 +1,17 @@
 [Unit]
 Description=Tailscale DERP Server
 After=network.target
+StartLimitIntervalSec=0
+StartLimitBurst=0
 
 [Service]
-Type=simple
-User=derper
-Group=derper
-ExecStart=/usr/bin/derper -c /etc/derper/derper.conf
+LimitNOFILE=990000
+User=0
+Group=0
+ExecStart=/usr/bin/derper -certdir=/var/cache/derper/certs
 Restart=on-failure
 RestartSec=5
-LimitNOFILE=1048576
-
-# Hardening measures
 AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 
 
 [Install]

scripts/postinstall.sh

@@ -10,7 +10,5 @@ systemctl enable derper.service
 systemctl start xdpderper.service
 systemctl start derper.service
 
-# setcap
-sudo setcap 'cap_net_bind_service=+ep' /usr/bin/derper
-sudo setcap 'cap_net_bind_service=+ep' /usr/bin/xdpderper
+
 

scripts/preinstall.sh

@@ -1,8 +1,40 @@
 #!/bin/sh
-getent group xdpderper >/dev/null || groupadd -r xdpderper
-getent passwd xdpderper >/dev/null || useradd -r -g xdpderper -s /bin/bash -c "XDPDERP server" xdpderper
-getent group derper >/dev/null || groupadd -r derper
-getent passwd derper >/dev/null || useradd -r -g derper -s /bin/bash -c "DERP server" derper
 
-mkdir /etc/derper
-chown -R derper:derper /etc/derper
+# Detect the correct configuration directory
+if [ -f /etc/os-release ]; then
+    . /etc/os-release
+    case "$ID" in
+        rhel|centos|fedora|rocky|almalinux)
+            CONFIG_DIR="/etc/sysconfig"
+            ;;
+        debian|ubuntu)
+            CONFIG_DIR="/etc/default"
+            ;;
+        *)
+            echo "Unknown OS. Defaulting to /etc/default"
+            CONFIG_DIR="/etc/default"
+            ;;
+    esac
+else
+    # Fallback if /etc/os-release is not available
+    if [ -d /etc/sysconfig ]; then
+        CONFIG_DIR="/etc/sysconfig"
+    else
+        CONFIG_DIR="/etc/default"
+    fi
+fi
+
+# Create necessary directories
+mkdir -p /etc/derper
+mkdir -p /var/cache/derper/certs
+mkdir -p /var/lib/derper
+
+# Create a configuration file if it doesn't exist
+if [ ! -f "$CONFIG_DIR/derper" ]; then
+    echo "# Configuration file for DERP server" > "$CONFIG_DIR/derper"
+    echo "HOSTNAME=your-default-hostname.example.com" >> "$CONFIG_DIR/derper"
+    echo "Configuration file created at $CONFIG_DIR/derper"
+else
+    echo "Configuration file already exists at $CONFIG_DIR/derper"
+fi
+

tooling/get_tag.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+cd tailscale
+latest_tag=$(git describe --tags `git rev-list --tags --max-count=1`)
+echo "Latest upstream tag: $latest_tag"

xdpderper.service

@@ -1,24 +1,14 @@
 [Unit]
-Description=Tailscale XDPDERP Server
-After=network.target
+StartLimitIntervalSec=0
+StartLimitBurst=0
 
 [Service]
-Type=simple
-User=xdpderper
-Group=xdpderper
-ExecStart=/usr/bin/xdpderper
+ExecStart=xdpderper --dst-port=3478 --mode=xdpdrv
 Restart=on-failure
-RestartSec=5
-LimitNOFILE=1048576
-
-# Hardening measures
-PrivateTmp=yes
-ProtectSystem=full
-NoNewPrivileges=yes
-ProtectHome=yes
-ProtectKernelTunables=yes
-ProtectKernelModules=yes
-ProtectControlGroups=yes
+LimitNOFILE=990000
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+User=0
+Group=0
 
 [Install]
 WantedBy=multi-user.target