diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..9dfdc80
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,29 @@
+permissions:
+ contents: write
+
+name: release
+on:
+ push:
+ tags:
+ - v*.*.*
+ - '!v*.*.*-**'
+
+jobs:
+ goreleaser:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ - name: Unshallow clone
+ run: git fetch --prune --unshallow
+ - name: Install Go
+ uses: actions/setup-go@v2
+ with:
+ go-version: '1.22.x'
+ - name: Run GoReleaser
+ uses: goreleaser/goreleaser-action@v3
+ with:
+ args: release --clean --skip=validate
+ version: latest
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
\ No newline at end of file
diff --git a/derper.service b/derper.service
index 6023db2..a522649 100644
--- a/derper.service
+++ b/derper.service
@@ -1,19 +1,17 @@
[Unit]
Description=Tailscale DERP Server
After=network.target
+StartLimitIntervalSec=0
+StartLimitBurst=0
[Service]
-Type=simple
-User=derper
-Group=derper
-ExecStart=/usr/bin/derper -c /etc/derper/derper.conf
+LimitNOFILE=990000
+User=0
+Group=0
+ExecStart=/usr/bin/derper -certdir=/var/cache/derper/certs
Restart=on-failure
RestartSec=5
-LimitNOFILE=1048576
-
-# Hardening measures
AmbientCapabilities=CAP_NET_BIND_SERVICE
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
[Install]
diff --git a/scripts/postinstall.sh b/scripts/postinstall.sh
index 975318b..0b303f4 100644
--- a/scripts/postinstall.sh
+++ b/scripts/postinstall.sh
@@ -10,7 +10,5 @@ systemctl enable derper.service
systemctl start xdpderper.service
systemctl start derper.service
-# setcap
-sudo setcap 'cap_net_bind_service=+ep' /usr/bin/derper
-sudo setcap 'cap_net_bind_service=+ep' /usr/bin/xdpderper
+
diff --git a/scripts/preinstall.sh b/scripts/preinstall.sh
index 77211c1..a79e933 100644
--- a/scripts/preinstall.sh
+++ b/scripts/preinstall.sh
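Review bot: The three `uses:` references on the Checkout, Install Go and Run GoReleaser steps are pinned only to mutable major tags (`actions/checkout@v2`, `actions/setup-go@v2`, `goreleaser/goreleaser-action@v3`), and `version: latest` makes the release tool itself a moving target, so a job that holds `contents: write` and publishes the release artifacts resolves its whole toolchain at run time from whatever those tags happen to point to. Pin each action to a full commit SHA with the tag in a trailing comment (e.g. `uses: actions/checkout@<full-sha>  # v4`) and set `version:` to an explicit GoReleaser release, so the pipeline is reproducible and a retagged or compromised action cannot change what ships; the `v2` majors are also old enough that newer majors should be chosen when pinning. `--skip=validate` disables GoReleaser's git-state checks and deserves a comment explaining why it is needed, e.g. `# --skip=validate: <reason>`, and the separate `Unshallow clone` shell step can be replaced by `fetch-depth: 0` under the checkout step's `with:`.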
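Review bot: The new `User=0`/`Group=0` lines run derper as root and the hunk also drops `CapabilityBoundingSet=CAP_NET_BIND_SERVICE`, so the hardening this unit had (a dedicated `derper` user plus one ambient capability) is gone, and the surviving `AmbientCapabilities=CAP_NET_BIND_SERVICE` is a no-op for uid 0. Binding the privileged port only needs that ambient capability, so keep `User=derper`, `Group=derper` and `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and instead make `/var/cache/derper/certs` (now passed as `-certdir`) owned by that user; the `useradd … derper` line removed from preinstall.sh would need to come back for that. Separately, nothing in this unit reads the `$CONFIG_DIR/derper` file preinstall.sh now writes (no `EnvironmentFile=`, and no `-hostname` flag on `ExecStart`), so unless derper picks up `HOSTNAME` on its own that setting looks dead — worth confirming. `StartLimitIntervalSec=0` disables systemd's restart rate limit, so a crash-looping derper is restarted every 5 s forever; if that is intended, a one-line comment saying so would help the next maintainer.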
@@ -1,8 +1,40 @@
#!/bin/sh
-getent group xdpderper >/dev/null || groupadd -r xdpderper
-getent passwd xdpderper >/dev/null || useradd -r -g xdpderper -s /bin/bash -c "XDPDERP server" xdpderper
-getent group derper >/dev/null || groupadd -r derper
-getent passwd derper >/dev/null || useradd -r -g derper -s /bin/bash -c "DERP server" derper
-mkdir /etc/derper
-chown -R derper:derper /etc/derper
\ No newline at end of file
+# Detect the correct configuration directory
+if [ -f /etc/os-release ]; then
+ . /etc/os-release
+ case "$ID" in
+ rhel|centos|fedora|rocky|almalinux)
+ CONFIG_DIR="/etc/sysconfig"
+ ;;
+ debian|ubuntu)
+ CONFIG_DIR="/etc/default"
+ ;;
+ *)
+ echo "Unknown OS. Defaulting to /etc/default"
+ CONFIG_DIR="/etc/default"
+ ;;
+ esac
+else
+ # Fallback if /etc/os-release is not available
+ if [ -d /etc/sysconfig ]; then
+ CONFIG_DIR="/etc/sysconfig"
+ else
+ CONFIG_DIR="/etc/default"
+ fi
+fi
+
+# Create necessary directories
+mkdir -p /etc/derper
+mkdir -p /var/cache/derper/certs
+mkdir -p /var/lib/derper
+
+# Create a configuration file if it doesn't exist
+if [ ! -f "$CONFIG_DIR/derper" ]; then
+ echo "# Configuration file for DERP server" > "$CONFIG_DIR/derper"
+ echo "HOSTNAME=your-default-hostname.example.com" >> "$CONFIG_DIR/derper"
+ echo "Configuration file created at $CONFIG_DIR/derper"
+else
+ echo "Configuration file already exists at $CONFIG_DIR/derper"
+fi
+
diff --git a/tailscale b/tailscale
index c9188d7..73128e2 160000
--- a/tailscale
+++ b/tailscale
@@ -1 +1 @@
-Subproject commit c9188d7760fb68a60e6791f0adf42f8dc1728251
+Subproject commit 73128e25230fda8c82696ed0ffef991bce68cecc
diff --git a/tooling/get_tag.sh b/tooling/get_tag.sh
new file mode 100755
index 0000000..9a6bd3e
--- /dev/null
+++ b/tooling/get_tag.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+cd tailscale
+latest_tag=$(git describe --tags `git rev-list --tags --max-count=1`)
+echo "Latest upstream tag: $latest_tag"
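Review bot: `mkdir -p /var/cache/derper/certs` creates the directory derper.service now hands to `-certdir` with whatever the install-time umask gives (typically 0755), and that directory is where the TLS private keys will be written; create it with a restrictive mode up front, `mkdir -p -m 0700 /var/cache/derper/certs` (or `install -d -m 0700 /var/cache/derper/certs`), so a permissive umask or a later world-readable file cannot expose key material, and chown it to the service user if derper is ever moved back off root. The script also has no `set -e`, so a failed `mkdir` or a failed write to `$CONFIG_DIR/derper` is silently ignored and the package install still reports success; `set -eu` right after the shebang would surface that. The `HOSTNAME=your-default-hostname.example.com` placeholder is written unconditionally, so a comment above it telling the operator it must be edited (and which unit or flag consumes it) would save a confused first boot.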
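Review bot: `cd tailscale` is unchecked, so if the submodule directory is missing or not checked out the script silently runs `git rev-list`/`git describe` against the parent repository and prints one of its own tags as the "upstream" tag; use `cd tailscale || exit 1` (or `set -e` after the shebang). The backtick substitution would also read better as `$(git rev-list --tags --max-count=1)`, matching the outer `$(...)` form already used on the same line.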
diff --git a/xdpderper.service b/xdpderper.service
index d9136b1..de04ef7 100644
--- a/xdpderper.service
+++ b/xdpderper.service
@@ -1,24 +1,14 @@
[Unit]
-Description=Tailscale XDPDERP Server
-After=network.target
+StartLimitIntervalSec=0
+StartLimitBurst=0
[Service]
-Type=simple
-User=xdpderper
-Group=xdpderper
-ExecStart=/usr/bin/xdpderper
+ExecStart=xdpderper --dst-port=3478 --mode=xdpdrv
Restart=on-failure
-RestartSec=5
-LimitNOFILE=1048576
-
-# Hardening measures
-PrivateTmp=yes
-ProtectSystem=full
-NoNewPrivileges=yes
-ProtectHome=yes
-ProtectKernelTunables=yes
-ProtectKernelModules=yes
-ProtectControlGroups=yes
+LimitNOFILE=990000
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+User=0
+Group=0
[Install]
WantedBy=multi-user.target
\ No newline at end of file
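Review bot: The new `[Service]` section runs xdpderper as root (`User=0`/`Group=0`) and the hunk deletes every sandboxing directive the unit had (`NoNewPrivileges`, `PrivateTmp`, `ProtectSystem`, `ProtectHome`, `ProtectKernelTunables`, `ProtectKernelModules`, `ProtectControlGroups`), so a process that attaches a kernel XDP program now runs with full privileges and no filesystem or kernel-surface restrictions. If root really is required for the XDP attach, those Protect*/PrivateTmp/NoNewPrivileges lines still apply to a root service and should come back, removing an individual one with a comment only if it provably blocks the attach; if a dedicated user can be kept, the capability it needs is a net-admin/bpf one rather than `CAP_NET_BIND_SERVICE`, which is a no-op for uid 0 and does not cover XDP — to be confirmed against the target kernel. `ExecStart=xdpderper …` also lost its absolute path; systemd only resolves bare command names on newer versions and older ones reject the unit, so `ExecStart=/usr/bin/xdpderper --dst-port=3478 --mode=xdpdrv` is safer. Restoring `Description=` and `After=network.target` keeps the unit self-describing and ordered after basic network setup, which an interface-attaching service presumably wants.

```ini
[Unit]
Description=Tailscale XDPDERP Server
After=network.target
; … unchanged: StartLimitIntervalSec/StartLimitBurst …

[Service]
ExecStart=/usr/bin/xdpderper --dst-port=3478 --mode=xdpdrv
; … unchanged: Restart, LimitNOFILE, User/Group …
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
```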