juanfont.headscale

mirror of https://github.com/juanfont/headscale.git synced 2025-07-27 13:48:02 +02:00

Author	SHA1	Message	Date
Florian Preinstorfer	70e22cd64d	Refactor OpenID Connect documentation Restructure and rewrite the OpenID Connect documentation. Start from the most minimal configuration and describe what needs to be done both in Headscale and the identity provider. Describe additional features such as PKCE and authorization filters in a generic manner with examples. Document how Headscale populates its user profile and how it relates to OIDC claims. This is a revised version from the table in the changelog. Document the validation rules for fields and extend known limitations. Sort the provider specific section alphabetically and add a section for Keycloak with a brief description on how to configure the OIDC groups claim. Update the description for the oidc section in the example configuration. Give a short explanation of each configuration setting. All documentend features were tested with Headscale 0.26 (using a fresh database each time) using the following identity providers: * Keycloak	2025-05-24 12:56:00 +02:00
Shubham Hibare	df69840f92	feat(tools): Add Go client implementation	2025-05-23 17:52:31 +02:00
lucarickli	76ca7a2b50	Add headscale-console	2025-05-22 06:52:02 +02:00
Florian Preinstorfer	cd704570be	Drop support for Ubuntu 20.04 Its old and our service file logs warning about unsupported options.	2025-05-21 15:40:32 +02:00
Florian Preinstorfer	43c9c50af4	Drop syslog.target and systemd-managed /var/run The systemd target "syslog.target" and not required because syslog is socket activated. The directory /var/run is usually a symlink to /run and its created by systemd via the RuntimeDirectory=headscale option. System creates and handles permissions, no need to manually mark it as a read-write path.	2025-05-21 15:40:32 +02:00
Florian Preinstorfer	4a941a2cb4	Refactor Debian/Ubuntu package Move files for packaging outside the docs directory into its own packaging directory. Replace the existing postinstall and postremove scripts with Debian maintainerscripts to behave more like a typical Debian package: * Start and enable the headscale systemd service by default * Does not print informational messages * No longer stop and disable the service on updates This package also performs migrations for all changes done in previous package versions on upgrade: * Set login shell to /usr/sbin/nologin * Set home directory to /var/lib/headscale * Migrate to system UID/GID The package is lintian-clean with a few exceptions that are documented as excludes and it passes puipars (both tested on Debian 12). The following scenarious were tested on Ubuntu 22.04, Ubuntu 24.04, Debian 11, Debian 12: * Install * Install same version again * Install -> Remove -> Install * Install -> Purge -> Install * Purge * Update from 0.22.0 * Update from 0.26.0 See: #2278 See: #2133 Fixes: #2311	2025-05-21 15:40:32 +02:00
Greg Dietsche	d2879b2b36	web: change node registration parameter order (#2607 ) This change makes editing the generated command easier. For example, after pasting into a terminal, the cursor position will be near the username portion which requires editing.	2025-05-21 11:18:53 +02:00
Kristoffer Dalby	a52f1df180	policy: remove v1 code (#2600 ) * policy: remove v1 code Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * db: update test with v1 removal Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: start moving to v2 policy Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: add ssh unmarshal tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * changelog: add entry Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: remove v1 comment Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: remove comment out case Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * cleanup skipv1 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: remove v1 prefix workaround Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: add all node ips if prefix/host is ts ip Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-20 13:57:26 +02:00
azrikahar	1605e2a7a9	fix typo in TailSQL's log	2025-05-18 07:15:41 +02:00
Vitalij Dovhanyc	6750414db1	feat: add autogroup:member, autogroup:tagged (#2572 )	2025-05-17 11:07:34 +02:00
Florian Preinstorfer	b50e10a1be	Document breaking change for dns.override_local_dns See: #2438	2025-05-16 19:33:00 +02:00
Florian Preinstorfer	c15aa541bb	Document HEADSCALE_CONFIG	2025-05-16 19:33:00 +02:00
Florian Preinstorfer	49b3468845	Do not ignore config-example.yml Various tools (e.g ripgrep) skip files ignored by Git. Do not ignore config-example.yml to include it in searches.	2025-05-16 19:33:00 +02:00
Kristoffer Dalby	bd6ed80936	policy/v2: error on missing or zero port (#2606 ) * policy/v2: error on missing or zero port Fixes #2605 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * changelog: add entry Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-16 17:30:47 +02:00
Kristoffer Dalby	30525cee0e	goreleaser: always do draft (#2595 ) Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-16 10:23:22 +02:00
Kristoffer Dalby	2dc2f3b3f0	users: harden, test, and add cleaner of identifier (#2593 ) * users: harden, test, and add cleaner of identifier Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * db: migrate badly joined provider identifiers Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-14 16:45:14 +02:00
Kristoffer Dalby	d7a503a34e	changelog: entry for 0.26 (#2594 ) * changelog: entry for 0.26 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * docs: bump version Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-14 16:32:56 +02:00
jasonrepos	62b489dc68	fix: change FormatUint base from 64 to 10 in preauthkeys list command (#2588 )	2025-05-13 18:40:17 +00:00
nblock	8c7e650616	Remove map_legacy_users from example configuration (#2590 )	2025-05-13 21:38:52 +03:00
Kristoffer Dalby	43943aeee9	bring back last_seen in database (#2579 ) * db: add back last_seen to the database Fixes #2574 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: ensure last_seen is set Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-10 09:49:08 +02:00
nblock	d81b0053e5	Simplify policy migration (#2582 ) These steps are easier to accomplish and require only Headscale 0.26. They also work when a user has already upgraded the database. See: #2567	2025-05-10 08:04:42 +02:00
nblock	dd0cbdf40c	Add migration steps when policy is stored in the database (#2581 ) Fixes: #2567	2025-05-09 23:30:39 +02:00
Kristoffer Dalby	37dc0dad35	policy/v2: separate exit node and 0.0.0.0/0 routes (#2578 ) * policy: add tests for route auto approval Reproduce #2568 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: separate exit node and 0.0.0.0/0 routes Fixes #2568 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-09 23:20:04 +02:00
Kristoffer Dalby	377b854dd8	cli: policy check, dont require config or log (#2580 ) Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-09 23:19:47 +02:00
Kristoffer Dalby	56db4ed0f1	policy/v2: validate that no undefined group or tag is used (#2576 ) * policy/v2: allow Username as ssh source Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: validate that no undefined group or tag is used Fixes #2570 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: fixup tests which violated tag constraing Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-09 11:51:30 +02:00
nblock	833e0f66f1	Remove subnet router visibility workaround from docs (#2569 ) Previous Headscale versions required a dedicated rule to make a subnet router visible to clients. This workaround is no longer required.	2025-05-05 15:24:59 +02:00
Kristoffer Dalby	1dddd3e93b	app: throw away not found body (#2566 ) Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-04 22:06:44 +02:00
nblock	9a86ffc102	Misc doc fixes (#2562 ) * Link to stable and development docs in the README * Add Tailscale SSH and autogroup:nonroot to features page * Use @ when referencing users in policy * Remove unmaintained headscale-webui The project seems to be unmaintained (last commit: 2023-05-08) and it only supports Headscale 0.22 or earlier. * Use full image URL in container docs This makes it easy to switch the container runtime from docker <-> podman. * Remove version from docker-compose.yml example This is now deprecated and yields a warning.	2025-05-04 21:55:08 +02:00
Kristoffer Dalby	45e38cb080	policy: reduce routes sent to peers based on packetfilter (#2561 ) * notifier: use convenience funcs Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: reduce routes based on policy Fixes #2365 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * hsic: more helper methods Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: more test cases Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: add route with filter acl integration test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: correct route reduce test, now failing Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * mapper: compare peer routes against node Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * hs: more output to debug strings Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * types/node: slice.ContainsFunc Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: more reduce route test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * changelog: add entry for route filter Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-04 21:52:47 +02:00
Kristoffer Dalby	b9868f6516	Make more granular SSH tests for both Policies (#2555 ) * policy/v1: dont consider empty if ssh has rules Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: replace time.Duration with model.Duration Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: add autogroup and ssh validation Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: replace time.Duration with model.Duration Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: replace old ssh tests with more granular test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: skip v1 tests expected to fail (missing error handling) Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: skip v1 group tests, old bugs wont be fixed Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: user valid policy for ssh Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * Changelog, add ssh section Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * nix update Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-04 12:05:41 +00:00
Kristoffer Dalby	f317a85ab4	go.mod: update rest of deps (#2559 ) * flake: update go hash Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * go.mod: update more deps Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-03 16:36:08 +02:00
Alexey Tarasov	53d9c95160	Update container.md	2025-05-03 12:51:46 +02:00
Jacob Yundt	03a91693ac	feat: Create headscale user and group as system user/groups (#2322 ) When creating the headscale user and group, create both as system groups rather than creating them as 'user' groups. FIXES #2278	2025-05-03 09:13:54 +00:00
nblock	cb7c0173ec	Fix deprecation warnings (#2558 ) See https://goreleaser.com/deprecations/#archivesformat and https://goreleaser.com/deprecations/#nfpmsbuilds	2025-05-03 10:18:49 +02:00
nblock	18d21d3585	Add documentation for routes (#2496 ) * Add documentation for routes * Rename exit-node to routes and add redirects * Add a new section on subnet routers * Extend the existing exit-node documentation * Describe auto approvers for subnet routers and exit nodes * Provide ACL examples for subnet routers and exit nodes * Describe HA and its current limitations * Add a troubleshooting section with IP forwarding * Update features page for 0.26 Add auto approvers and link to our documentation if available. * Prefer the console lexer when commandline and output mixed	2025-05-03 10:16:45 +02:00
Kristoffer Dalby	e7d2d79134	update capmap and deps for release (#2522 ) * generate new capver map Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * replace old sort func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * nix: flake update Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * capgen: update Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * capgen: update Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * go.mod: update tailscale Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * go.mod: update other deps Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-02 22:12:29 +02:00
Kristoffer Dalby	d810597414	policy/matcher: fix bug using contains instead of overlap (#2556 ) * policy/matcher: slices.ContainsFunc Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/matcher: slices.ContainsFunc, correct contains vs overlap Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: add tests to validate fix for 2181 Fixes #2181 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-02 22:08:56 +02:00
Kristoffer Dalby	93afb03f67	cmd: add policy check command (#2553 )	2025-05-02 13:58:30 +03:00
Kristoffer Dalby	e4d10ad964	policy/v2: validate autogroup:interet only in dst (#2552 )	2025-05-02 13:58:12 +03:00
Janne Johansson	7dc86366b4	Update source.md If we assume someone doesn't already have the required go package, they might also not have the required git package installed either, so pkg_add both of them.	2025-05-02 10:43:56 +02:00
Kristoffer Dalby	c923f461ab	error on undefined host in policy (#2490 ) * add testcases Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: add validate to do post marshal validation Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-01 14:30:52 +02:00
Kristoffer Dalby	a4a203b9a3	cli/nodes: filter nodes without any routes (#2551 )	2025-05-01 13:27:54 +03:00
aergus-tng	4651d06fa8	Make matchers part of the Policy interface (#2514 ) * Make matchers part of the Policy interface * Prevent race condition between rules and matchers * Test also matchers in tests for Policy.Filter * Compute `filterChanged` in v2 policy correctly * Fix nil vs. empty list issue in v2 policy test * policy/v2: always clear ssh map Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> Co-authored-by: Aras Ergus <aras.ergus@tngtech.com> Co-authored-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-01 07:06:30 +02:00
Kristoffer Dalby	eb1ecefd9e	auth: ensure that routes are autoapproved when the node is stored (#2550 ) * integration: ensure route is set before node joins, reproduce Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * auth: ensure that routes are autoapproved when the node is stored Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-01 07:05:42 +02:00
Kristoffer Dalby	6b6509eeeb	notify nodes after owner change (#2543 ) * proto: user id as identifier for move node Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * gen: regenr Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * grpc: move, use userid, one tx, send update Updates #2467 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: update move cli tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-30 18:33:38 +02:00
Kristoffer Dalby	cfe9bbf829	oidc: try to get username from userinfo (#2545 ) * oidc: try to get username from userinfo Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-30 11:54:13 +02:00
Kristoffer Dalby	8f9fbf16f1	types/authkey: include user object in response (#2542 ) * types/authkey: include user object, not string Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * make preauthkeys use id Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: wire up user id for auth keys Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-30 11:45:08 +02:00
Kristoffer Dalby	f1206328dc	fix webauth + autoapprove routes (#2528 ) * types/node: add helper funcs for node tags Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * types/node: add DebugString method for node Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: add String func to AutoApprover interface Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: simplify, use slices.Contains Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: debug, use nodes.DebugString Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v1: fix potential nil pointer in NodeCanApproveRoute Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v1: slices.Contains Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration/tsic: fix diff in login commands Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: fix webauth running with wrong scenario Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: move common oidc opts to func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: require node count, more verbose Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * auth: remove uneffective route approve Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * .github/workflows: fmt Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration/tsic: add id func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: remove call that might be nil Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: test autoapprovers against web/authkey x group/tag/user Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: unique network id per scenario Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * Revert "integration: move common oidc opts to func" This reverts commit `7e9d165d4a`. * remove cmd Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: clean docker images between runs in ci Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: run autoapprove test against differnt policy modes Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration/tsic: append, not overrwrite extra login args Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * .github/workflows: remove polv2 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-30 07:54:04 +02:00
Kristoffer Dalby	57861507ab	integration: remove failing resolvconf tests (#2549 ) Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-30 07:52:23 +02:00
Kristoffer Dalby	2b38f7bef7	policy/v2: make default (#2546 ) * policy/v2: make default Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: do not run v1 tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: fix potential nil pointers Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * mapper: fix test failures in v2 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-29 16:27:41 +02:00

1 2 3 4 5 ...

3450 Commits