Merge pull request #20 from Lifeismana/pr

Add tailscale Oauth support
marc1307 · Jun 5, 2024 · 73329fc · 73329fc
2 parents 805d4e4 + 3c52d30
commit 73329fc
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -23,6 +23,8 @@ cf-domain=<cloudflare target zone>
 #cf-sub=<subdomain to use, optional>
 ts-key=<tailscale api key>
 ts-tailnet=<tailnet>
+#ts-clientid=<oauth clientid, optional>
+#ts-clientsecret=<oauth clientsecret, optional>
 #prefix=<prefix for dns records, optional>
 #postfix=<postfix for dns records, optional>
 ```
@@ -36,8 +38,13 @@ version: "3"
 secrets:
   cf-key:
     file: "./cloudflare-key.txt"
+  # either, use ts-key for an api key or ts-clientid and ts-clientsecret for oauth
   ts-key:
     file: "./tailscale-key.txt"
+  ts-clientid:
+    file: "./tailscale-clientid.txt" 
+  ts-clientsecret:
+    file: "./tailscale-clientsecret.txt"
 
 services:
   cloudflare-dns-sync:
@@ -68,6 +75,11 @@ Resource | include - specific zone - <your zone>
 ```
 
 ### Tailscale
+
+#### API Key
 1. Login to Tailscale website
 2. Create API key at: https://login.tailscale.com/admin/settings/authkeys
 
+#### OAuth
+1. Login to Tailscale website
+2. Create OAuth client at: https://login.tailscale.com/admin/settings/oauth with Devices Read permission
diff --git a/app/app.py b/app/app.py
@@ -14,7 +14,7 @@ def main():
     config = getConfig()
     cf_ZoneId = getZoneId(config['cf-key'], config['cf-domain'])
     cf_recordes = getZoneRecords(config['cf-key'], config['cf-domain'], zoneId=cf_ZoneId)
-    ts_records = getTailscaleDevice(config['ts-key'], config['ts-tailnet'])
+    ts_records = getTailscaleDevice(config['ts-key'], config['ts-clientid'], config['ts-clientsecret'], config['ts-tailnet'])
 
     records_typemap = {
         4: 'A',

diff --git a/app/config.py b/app/config.py
@@ -3,8 +3,9 @@
 from sys import path
 from termcolor import cprint
 
-keysToImport = ['cf-key', 'cf-domain', 'ts-key', 'ts-tailnet']
-keysOptional = ['cf-sub', 'prefix', 'postfix']
+keysToImport = ['cf-key', 'cf-domain', 'ts-tailnet']
+# maybe ts-client-id & ts-client-secret are better for names ?
+keysOptional = ['cf-sub', 'prefix', 'postfix', 'ts-key', 'ts-clientid', 'ts-clientsecret']
 
 def importkey(name, optional=False):
     key = name
@@ -52,6 +53,9 @@ def getConfig():
         static[key] = importkey(key)
     for key in keysOptional:
         static[key] = importkey(key, True)
+    if not static['ts-key'] and not (static['ts-clientid'] and static['ts-clientsecret']):
+        cprint("ERROR: mandatory tailscale configuration not found: ts-key or ts-clientid/ts-clientsecret missing", "red")
+        exit(1)
     return static
 
 if __name__ == '__main__':

diff --git a/app/requirements.txt b/app/requirements.txt
@@ -5,3 +5,5 @@ ipaddress==1.0.23
 requests==2.32.0
 termcolor==2.3.0
 urllib3==2.0.7
+requests-oauthlib==2.0.0
+oauthlib==3.2.2
diff --git a/app/tailscale.py b/app/tailscale.py
@@ -1,10 +1,15 @@
 import requests, json
 import ipaddress
 from requests.auth import HTTPBasicAuth
+from oauthlib.oauth2 import BackendApplicationClient
+from requests_oauthlib import OAuth2Session
 from termcolor import colored
 
 ### Get Data
-def getTailscaleDevice(apikey, tailnet):
+def getTailscaleDevice(apikey, clientid, clientsecret, tailnet):
+    if clientid and clientsecret:
+        token = OAuth2Session(client=BackendApplicationClient(client_id=clientid)).fetch_token(token_url='https://api.tailscale.com/api/v2/oauth/token', client_id=clientid, client_secret=clientsecret)
+        apikey = token["access_token"]
     url = "https://api.tailscale.com/api/v2/tailnet/{tailnet}/devices".format(tailnet=tailnet)
     payload={}
     headers = {