Update golang-lint

Other linting issue

.github/workflows/build.yml

@@ -15,6 +15,7 @@ concurrency:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions: write-all
 
     steps:
       - uses: actions/checkout@v3
@@ -36,8 +37,32 @@ jobs:
         if: steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run build
+        id: build
         if: steps.changed-files.outputs.any_changed == 'true'
-        run: nix build
+        run: |
+          nix build |& tee build-result
+          BUILD_STATUS="${PIPESTATUS[0]}"
+
+          OLD_HASH=$(cat build-result | grep specified: | awk -F ':' '{print $2}' | sed 's/ //g')
+          NEW_HASH=$(cat build-result | grep got: | awk -F ':' '{print $2}' | sed 's/ //g')
+
+          echo "OLD_HASH=$OLD_HASH" >> $GITHUB_OUTPUT
+          echo "NEW_HASH=$NEW_HASH" >> $GITHUB_OUTPUT
+
+          exit $BUILD_STATUS
+
+      - name: Nix gosum diverging
+        uses: actions/github-script@v6
+        if: failure() && steps.build.outcome == 'failure'
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            github.rest.pulls.createReviewComment({
+              pull_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: 'Nix build failed with wrong gosum, please update "vendorSha256" (${{ steps.build.outputs.OLD_HASH }}) for the "headscale" package in flake.nix with the new SHA: ${{ steps.build.outputs.NEW_HASH }}'
+            })
 
       - uses: actions/upload-artifact@v3
         if: steps.changed-files.outputs.any_changed == 'true'

.github/workflows/lint.yml

@@ -30,7 +30,7 @@ jobs:
         if: steps.changed-files.outputs.any_changed == 'true'
         uses: golangci/golangci-lint-action@v2
         with:
-          version: v1.49.0
+          version: v1.51.2
 
           # Only block PRs on new problems.
           # If this is not enabled, we will end up having PRs

CHANGELOG.md

@@ -1,8 +1,14 @@
 # CHANGELOG
 
-## 0.20.0 (2023-x-x)
+## 0.21.0 (2023-xx-xx)
 
-### Changes
+### changes
+
+- Adding "configtest" CLI command.
+
+## 0.20.0 (2023-02-03)
+
+### changes
 
 - Fix wrong behaviour in exit nodes [#1159](https://github.com/juanfont/headscale/pull/1159)
 - Align behaviour of `dns_config.restricted_nameservers` to tailscale [#1162](https://github.com/juanfont/headscale/pull/1162)

app.go

@@ -521,7 +521,7 @@ func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *mux.Router {
 	apiRouter.Use(h.httpAuthenticationMiddleware)
 	apiRouter.PathPrefix("/v1/").HandlerFunc(grpcMux.ServeHTTP)
 
-	router.PathPrefix("/").HandlerFunc(stdoutHandler)
+	router.PathPrefix("/").HandlerFunc(notFoundHandler)
 
 	return router
 }
@@ -957,7 +957,7 @@ func (h *Headscale) getLastStateChange(users ...User) time.Time {
 	}
 }
 
-func stdoutHandler(
+func notFoundHandler(
 	writer http.ResponseWriter,
 	req *http.Request,
 ) {
@@ -969,6 +969,7 @@ func stdoutHandler(
 		Interface("url", req.URL).
 		Bytes("body", body).
 		Msg("Request did not match")
+	writer.WriteHeader(http.StatusNotFound)
 }
 
 func readOrCreatePrivateKey(path string) (*key.MachinePrivate, error) {

cmd/headscale/cli/configtest.go

@@ -0,0 +1,22 @@
+package cli
+
+import (
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	rootCmd.AddCommand(configTestCmd)
+}
+
+var configTestCmd = &cobra.Command{
+	Use:   "configtest",
+	Short: "Test the configuration.",
+	Long:  "Run a test of the configuration and exit.",
+	Run: func(cmd *cobra.Command, args []string) {
+		_, err := getHeadscaleApp()
+		if err != nil {
+			log.Fatal().Caller().Err(err).Msg("Error initializing")
+		}
+	},
+}

docs/oidc.md

@@ -139,3 +139,34 @@ oidc:
     # Optional: Force the Azure AD account picker
     prompt: select_account
 ```
+
+## Google OAuth Example
+
+In order to integrate Headscale with Google, you'll need to have a [Google Cloud Console](https://console.cloud.google.com) account.
+
+Google OAuth has a [verification process](https://support.google.com/cloud/answer/9110914?hl=en) if you need to have users authenticate who are outside of your domain. If you only need to authenticate users from your domain name (ie `@example.com`), you don't need to go through the verification process.
+
+However if you don't have a domain, or need to add users outside of your domain, you can manually add emails via Google Console.
+
+### Steps
+
+1. Go to [Google Console](https://console.cloud.google.com) and login or create an account if you don't have one.
+2. Create a project (if you don't already have one).
+3. On the left hand menu, go to `APIs and services` -> `Credentials`
+4. Click `Create Credentials` -> `OAuth client ID`
+5. Under `Application Type`, choose `Web Application`
+6. For `Name`, enter whatever you like
+7. Under `Authorised redirect URIs`, use `https://example.com/oidc/callback`, replacing example.com with your Headscale URL.
+8. Click `Save` at the bottom of the form
+9. Take note of the `Client ID` and `Client secret`, you can also download it for reference if you need it.
+10. Edit your headscale config, under `oidc`, filling in your `client_id` and `client_secret`:
+
+```yaml
+oidc:
+  issuer: "https://accounts.google.com"
+  client_id: ""
+  client_secret: ""
+  scope: ["openid", "profile", "email"]
+```
+
+You can also use `allowed_domains` and `allowed_users` to restrict the users who can authenticate.

integration/hsic/hsic.go

@@ -108,7 +108,7 @@ func WithPort(port int) Option {
 	}
 }
 
-// WithTestName sets a a name for the test, this will be reflected
+// WithTestName sets a name for the test, this will be reflected
 // in the Docker container name.
 func WithTestName(testName string) Option {
 	return func(hsic *HeadscaleInContainer) {