Florian Preinstorfer
43c9c50af4
Drop syslog.target and systemd-managed /var/run
...
The systemd target "syslog.target" and not required because syslog is
socket activated.
The directory /var/run is usually a symlink to /run and its created by
systemd via the RuntimeDirectory=headscale option. System creates and
handles permissions, no need to manually mark it as a read-write path.
2025-05-21 15:40:32 +02:00
Florian Preinstorfer
4a941a2cb4
Refactor Debian/Ubuntu package
...
Move files for packaging outside the docs directory into its own
packaging directory. Replace the existing postinstall and postremove
scripts with Debian maintainerscripts to behave more like a typical
Debian package:
* Start and enable the headscale systemd service by default
* Does not print informational messages
* No longer stop and disable the service on updates
This package also performs migrations for all changes done in previous
package versions on upgrade:
* Set login shell to /usr/sbin/nologin
* Set home directory to /var/lib/headscale
* Migrate to system UID/GID
The package is lintian-clean with a few exceptions that are documented
as excludes and it passes puipars (both tested on Debian 12).
The following scenarious were tested on Ubuntu 22.04, Ubuntu 24.04,
Debian 11, Debian 12:
* Install
* Install same version again
* Install -> Remove -> Install
* Install -> Purge -> Install
* Purge
* Update from 0.22.0
* Update from 0.26.0
See: #2278
See: #2133
Fixes : #2311
2025-05-21 15:40:32 +02:00
Greg Dietsche
d2879b2b36
web: change node registration parameter order ( #2607 )
...
This change makes editing the generated command easier.
For example, after pasting into a terminal, the cursor position will be
near the username portion which requires editing.
2025-05-21 11:18:53 +02:00
Kristoffer Dalby
a52f1df180
policy: remove v1 code ( #2600 )
...
* policy: remove v1 code
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* db: update test with v1 removal
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: start moving to v2 policy
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: add ssh unmarshal tests
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* changelog: add entry
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: remove v1 comment
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: remove comment out case
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* cleanup skipv1
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: remove v1 prefix workaround
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: add all node ips if prefix/host is ts ip
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-20 13:57:26 +02:00
azrikahar
1605e2a7a9
fix typo in TailSQL's log
2025-05-18 07:15:41 +02:00
Vitalij Dovhanyc
6750414db1
feat: add autogroup:member, autogroup:tagged ( #2572 )
2025-05-17 11:07:34 +02:00
Florian Preinstorfer
b50e10a1be
Document breaking change for dns.override_local_dns
...
See: #2438
2025-05-16 19:33:00 +02:00
Florian Preinstorfer
c15aa541bb
Document HEADSCALE_CONFIG
2025-05-16 19:33:00 +02:00
Florian Preinstorfer
49b3468845
Do not ignore config-example.yml
...
Various tools (e.g ripgrep) skip files ignored by Git. Do not ignore
config-example.yml to include it in searches.
2025-05-16 19:33:00 +02:00
Kristoffer Dalby
bd6ed80936
policy/v2: error on missing or zero port ( #2606 )
...
* policy/v2: error on missing or zero port
Fixes #2605
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* changelog: add entry
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-16 17:30:47 +02:00
Kristoffer Dalby
30525cee0e
goreleaser: always do draft ( #2595 )
...
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-16 10:23:22 +02:00
Kristoffer Dalby
2dc2f3b3f0
users: harden, test, and add cleaner of identifier ( #2593 )
...
* users: harden, test, and add cleaner of identifier
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* db: migrate badly joined provider identifiers
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-14 16:45:14 +02:00
Kristoffer Dalby
d7a503a34e
changelog: entry for 0.26 ( #2594 )
...
* changelog: entry for 0.26
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* docs: bump version
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-14 16:32:56 +02:00
jasonrepos
62b489dc68
fix: change FormatUint base from 64 to 10 in preauthkeys list command ( #2588 )
2025-05-13 18:40:17 +00:00
nblock
8c7e650616
Remove map_legacy_users from example configuration ( #2590 )
2025-05-13 21:38:52 +03:00
Kristoffer Dalby
43943aeee9
bring back last_seen in database ( #2579 )
...
* db: add back last_seen to the database
Fixes #2574
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: ensure last_seen is set
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-10 09:49:08 +02:00
nblock
d81b0053e5
Simplify policy migration ( #2582 )
...
These steps are easier to accomplish and require only Headscale 0.26.
They also work when a user has already upgraded the database.
See: #2567
2025-05-10 08:04:42 +02:00
nblock
dd0cbdf40c
Add migration steps when policy is stored in the database ( #2581 )
...
Fixes : #2567
2025-05-09 23:30:39 +02:00
Kristoffer Dalby
37dc0dad35
policy/v2: separate exit node and 0.0.0.0/0 routes ( #2578 )
...
* policy: add tests for route auto approval
Reproduce #2568
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: separate exit node and 0.0.0.0/0 routes
Fixes #2568
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-09 23:20:04 +02:00
Kristoffer Dalby
377b854dd8
cli: policy check, dont require config or log ( #2580 )
...
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-09 23:19:47 +02:00
Kristoffer Dalby
56db4ed0f1
policy/v2: validate that no undefined group or tag is used ( #2576 )
...
* policy/v2: allow Username as ssh source
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: validate that no undefined group or tag is used
Fixes #2570
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: fixup tests which violated tag constraing
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-09 11:51:30 +02:00
nblock
833e0f66f1
Remove subnet router visibility workaround from docs ( #2569 )
...
Previous Headscale versions required a dedicated rule to make a subnet
router visible to clients. This workaround is no longer required.
2025-05-05 15:24:59 +02:00
Kristoffer Dalby
1dddd3e93b
app: throw away not found body ( #2566 )
...
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-04 22:06:44 +02:00
nblock
9a86ffc102
Misc doc fixes ( #2562 )
...
* Link to stable and development docs in the README
* Add Tailscale SSH and autogroup:nonroot to features page
* Use @ when referencing users in policy
* Remove unmaintained headscale-webui
The project seems to be unmaintained (last commit: 2023-05-08) and it
only supports Headscale 0.22 or earlier.
* Use full image URL in container docs
This makes it easy to switch the container runtime from docker <->
podman.
* Remove version from docker-compose.yml example
This is now deprecated and yields a warning.
2025-05-04 21:55:08 +02:00
Kristoffer Dalby
45e38cb080
policy: reduce routes sent to peers based on packetfilter ( #2561 )
...
* notifier: use convenience funcs
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: reduce routes based on policy
Fixes #2365
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* hsic: more helper methods
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: more test cases
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: add route with filter acl integration test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: correct route reduce test, now failing
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* mapper: compare peer routes against node
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* hs: more output to debug strings
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* types/node: slice.ContainsFunc
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: more reduce route test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* changelog: add entry for route filter
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-04 21:52:47 +02:00
Kristoffer Dalby
b9868f6516
Make more granular SSH tests for both Policies ( #2555 )
...
* policy/v1: dont consider empty if ssh has rules
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: replace time.Duration with model.Duration
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: add autogroup and ssh validation
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: replace time.Duration with model.Duration
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: replace old ssh tests with more granular test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: skip v1 tests expected to fail (missing error handling)
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: skip v1 group tests, old bugs wont be fixed
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: user valid policy for ssh
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* Changelog, add ssh section
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* nix update
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-04 12:05:41 +00:00
Kristoffer Dalby
f317a85ab4
go.mod: update rest of deps ( #2559 )
...
* flake: update go hash
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* go.mod: update more deps
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-03 16:36:08 +02:00
Alexey Tarasov
53d9c95160
Update container.md
2025-05-03 12:51:46 +02:00
Jacob Yundt
03a91693ac
feat: Create headscale user and group as system user/groups ( #2322 )
...
When creating the headscale user and group, create both as system groups
rather than creating them as 'user' groups.
FIXES #2278
2025-05-03 09:13:54 +00:00
nblock
cb7c0173ec
Fix deprecation warnings ( #2558 )
...
See https://goreleaser.com/deprecations/#archivesformat and
https://goreleaser.com/deprecations/#nfpmsbuilds
2025-05-03 10:18:49 +02:00
nblock
18d21d3585
Add documentation for routes ( #2496 )
...
* Add documentation for routes
* Rename exit-node to routes and add redirects
* Add a new section on subnet routers
* Extend the existing exit-node documentation
* Describe auto approvers for subnet routers and exit nodes
* Provide ACL examples for subnet routers and exit nodes
* Describe HA and its current limitations
* Add a troubleshooting section with IP forwarding
* Update features page for 0.26
Add auto approvers and link to our documentation if available.
* Prefer the console lexer when commandline and output mixed
2025-05-03 10:16:45 +02:00
Kristoffer Dalby
e7d2d79134
update capmap and deps for release ( #2522 )
...
* generate new capver map
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* replace old sort func
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* nix: flake update
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* capgen: update
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* capgen: update
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* go.mod: update tailscale
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* go.mod: update other deps
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-02 22:12:29 +02:00
Kristoffer Dalby
d810597414
policy/matcher: fix bug using contains instead of overlap ( #2556 )
...
* policy/matcher: slices.ContainsFunc
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/matcher: slices.ContainsFunc, correct contains vs overlap
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: add tests to validate fix for 2181
Fixes #2181
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-02 22:08:56 +02:00
Kristoffer Dalby
93afb03f67
cmd: add policy check command ( #2553 )
2025-05-02 13:58:30 +03:00
Kristoffer Dalby
e4d10ad964
policy/v2: validate autogroup:interet only in dst ( #2552 )
2025-05-02 13:58:12 +03:00
Janne Johansson
7dc86366b4
Update source.md
...
If we assume someone doesn't already have the required go package, they might also not have the required git package installed either, so pkg_add both of them.
2025-05-02 10:43:56 +02:00
Kristoffer Dalby
c923f461ab
error on undefined host in policy ( #2490 )
...
* add testcases
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: add validate to do post marshal validation
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-01 14:30:52 +02:00
Kristoffer Dalby
a4a203b9a3
cli/nodes: filter nodes without any routes ( #2551 )
2025-05-01 13:27:54 +03:00
aergus-tng
4651d06fa8
Make matchers part of the Policy interface ( #2514 )
...
* Make matchers part of the Policy interface
* Prevent race condition between rules and matchers
* Test also matchers in tests for Policy.Filter
* Compute `filterChanged` in v2 policy correctly
* Fix nil vs. empty list issue in v2 policy test
* policy/v2: always clear ssh map
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Co-authored-by: Aras Ergus <aras.ergus@tngtech.com>
Co-authored-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-01 07:06:30 +02:00
Kristoffer Dalby
eb1ecefd9e
auth: ensure that routes are autoapproved when the node is stored ( #2550 )
...
* integration: ensure route is set before node joins, reproduce
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* auth: ensure that routes are autoapproved when the node is stored
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-01 07:05:42 +02:00
Kristoffer Dalby
6b6509eeeb
notify nodes after owner change ( #2543 )
...
* proto: user id as identifier for move node
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* gen: regenr
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* grpc: move, use userid, one tx, send update
Updates #2467
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: update move cli tests
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-30 18:33:38 +02:00
Kristoffer Dalby
cfe9bbf829
oidc: try to get username from userinfo ( #2545 )
...
* oidc: try to get username from userinfo
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-30 11:54:13 +02:00
Kristoffer Dalby
8f9fbf16f1
types/authkey: include user object in response ( #2542 )
...
* types/authkey: include user object, not string
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* make preauthkeys use id
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: wire up user id for auth keys
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-30 11:45:08 +02:00
Kristoffer Dalby
f1206328dc
fix webauth + autoapprove routes ( #2528 )
...
* types/node: add helper funcs for node tags
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* types/node: add DebugString method for node
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: add String func to AutoApprover interface
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: simplify, use slices.Contains
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: debug, use nodes.DebugString
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v1: fix potential nil pointer in NodeCanApproveRoute
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v1: slices.Contains
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration/tsic: fix diff in login commands
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: fix webauth running with wrong scenario
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: move common oidc opts to func
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: require node count, more verbose
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* auth: remove uneffective route approve
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* .github/workflows: fmt
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration/tsic: add id func
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: remove call that might be nil
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: test autoapprovers against web/authkey x group/tag/user
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: unique network id per scenario
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* Revert "integration: move common oidc opts to func"
This reverts commit 7e9d165d4a
2025-04-30 07:54:04 +02:00
Kristoffer Dalby
57861507ab
integration: remove failing resolvconf tests ( #2549 )
...
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-30 07:52:23 +02:00
Kristoffer Dalby
2b38f7bef7
policy/v2: make default ( #2546 )
...
* policy/v2: make default
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: do not run v1 tests
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: fix potential nil pointers
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* mapper: fix test failures in v2
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-29 16:27:41 +02:00
github-actions[bot]
9a4d0e1a99
flake.lock: Update ( #2518 )
...
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/18dd725c29603f582cf1900e0d25f9f1063dbf11?narHash=sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38%3D' (2025-04-13)
→ 'github:NixOS/nixpkgs/ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c?narHash=sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs%3D' (2025-04-17)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-04-24 11:02:09 +00:00
Kristoffer Dalby
30539b2e26
config: disallow same server url and base_domain ( #2544 )
...
* config: disallow same server url and base_domain
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-23 16:24:38 +02:00
Kristoffer Dalby
098ab0357c
add casbin user test ( #2474 )
...
* add casbin user test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* Delete double slash
* types/users: use join url on iss that are ursl
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Co-authored-by: Juan Font <juanfontalonso@gmail.com>
2025-04-23 13:21:51 +02:00
Relihan Myburgh
56d085bd08
Fix panic on fast reconnection of node ( #2536 )
...
* Fix panic on fast reconnection of node
* Use parameter captured in closure as per review request
2025-04-23 11:52:24 +02:00
