Florian Preinstorfer
4d89030701
Set doc version to 0.26.1
2025-06-07 11:08:54 +02:00
Mustafa Enes Batur
474ea236d0
Fix /machine/map
endpoint vulnerability ( #2642 )
* Improve map auth logic
* Bugfix
* Add comment, improve error message
* noise: make func, get by node
This commit splits the additional validation into a
separate function so it can be reused if we add more
endpoints in the future.
It swaps the check, so we still look up by NodeKey, but before
accepting the connection, we validate the known machinekey from
the db against the noise connection.
The reason for this is that when a node logs in or out, the node key
is replaced and it will no longer be possible to look it up, breaking
reauthentication.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Co-authored-by: Kristoffer Dalby <kristoffer@tailscale.com>
v0.26.1
2025-06-06 12:16:37 +02:00
Kristoffer Dalby
2dc2f3b3f0
users: harden, test, and add cleaner of identifier ( #2593 )
* users: harden, test, and add cleaner of identifier
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* db: migrate badly joined provider identifiers
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
v0.26.0
2025-05-14 16:45:14 +02:00
Kristoffer Dalby
d7a503a34e
changelog: entry for 0.26 ( #2594 )
* changelog: entry for 0.26
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* docs: bump version
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-14 16:32:56 +02:00
jasonrepos
62b489dc68
fix: change FormatUint base from 64 to 10 in preauthkeys list command ( #2588 )
2025-05-13 18:40:17 +00:00
nblock
8c7e650616
Remove map_legacy_users from example configuration ( #2590 )
2025-05-13 21:38:52 +03:00
Kristoffer Dalby
43943aeee9
bring back last_seen in database ( #2579 )
* db: add back last_seen to the database
Fixes #2574
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: ensure last_seen is set
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
v0.26.0-beta.2
2025-05-10 09:49:08 +02:00
nblock
d81b0053e5
Simplify policy migration ( #2582 )
These steps are easier to accomplish and require only Headscale 0.26.
They also work when a user has already upgraded the database.
See: #2567
2025-05-10 08:04:42 +02:00
nblock
dd0cbdf40c
Add migration steps when policy is stored in the database ( #2581 )
Fixes: #2567
2025-05-09 23:30:39 +02:00
Kristoffer Dalby
37dc0dad35
policy/v2: separate exit node and 0.0.0.0/0 routes ( #2578 )
* policy: add tests for route auto approval
Reproduce #2568
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: separate exit node and 0.0.0.0/0 routes
Fixes #2568
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-09 23:20:04 +02:00
Kristoffer Dalby
377b854dd8
cli: policy check, don't require config or log ( #2580 )
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-09 23:19:47 +02:00
Kristoffer Dalby
56db4ed0f1
policy/v2: validate that no undefined group or tag is used ( #2576 )
* policy/v2: allow Username as ssh source
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: validate that no undefined group or tag is used
Fixes #2570
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: fixup tests which violated tag constraint
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-09 11:51:30 +02:00
nblock
833e0f66f1
Remove subnet router visibility workaround from docs ( #2569 )
Previous Headscale versions required a dedicated rule to make a subnet
router visible to clients. This workaround is no longer required.
2025-05-05 15:24:59 +02:00
Kristoffer Dalby
1dddd3e93b
app: throw away not found body ( #2566 )
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
v0.26.0-beta.1
2025-05-04 22:06:44 +02:00
nblock
9a86ffc102
Misc doc fixes ( #2562 )
* Link to stable and development docs in the README
* Add Tailscale SSH and autogroup:nonroot to features page
* Use @ when referencing users in policy
* Remove unmaintained headscale-webui
The project seems to be unmaintained (last commit: 2023-05-08) and it
only supports Headscale 0.22 or earlier.
* Use full image URL in container docs
This makes it easy to switch the container runtime from docker <->
podman.
* Remove version from docker-compose.yml example
This is now deprecated and yields a warning.
2025-05-04 21:55:08 +02:00
Kristoffer Dalby
45e38cb080
policy: reduce routes sent to peers based on packetfilter ( #2561 )
* notifier: use convenience funcs
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: reduce routes based on policy
Fixes #2365
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* hsic: more helper methods
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: more test cases
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: add route with filter acl integration test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: correct route reduce test, now failing
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* mapper: compare peer routes against node
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* hs: more output to debug strings
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* types/node: slice.ContainsFunc
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: more reduce route test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* changelog: add entry for route filter
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-04 21:52:47 +02:00
Kristoffer Dalby
b9868f6516
Make more granular SSH tests for both Policies ( #2555 )
* policy/v1: don't consider empty if ssh has rules
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: replace time.Duration with model.Duration
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: add autogroup and ssh validation
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: replace time.Duration with model.Duration
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: replace old ssh tests with more granular test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: skip v1 tests expected to fail (missing error handling)
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: skip v1 group tests, old bugs won't be fixed
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: user valid policy for ssh
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* Changelog, add ssh section
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* nix update
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-04 12:05:41 +00:00
Kristoffer Dalby
f317a85ab4
go.mod: update rest of deps ( #2559 )
* flake: update go hash
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* go.mod: update more deps
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-03 16:36:08 +02:00
Alexey Tarasov
53d9c95160
Update container.md
2025-05-03 12:51:46 +02:00
Jacob Yundt
03a91693ac
feat: Create headscale user and group as system user/groups ( #2322 )
When creating the headscale user and group, create both as system groups
rather than creating them as 'user' groups.
FIXES #2278
2025-05-03 09:13:54 +00:00
nblock
cb7c0173ec
Fix deprecation warnings ( #2558 )
See https://goreleaser.com/deprecations/#archivesformat and
https://goreleaser.com/deprecations/#nfpmsbuilds
2025-05-03 10:18:49 +02:00
nblock
18d21d3585
Add documentation for routes ( #2496 )
* Add documentation for routes
* Rename exit-node to routes and add redirects
* Add a new section on subnet routers
* Extend the existing exit-node documentation
* Describe auto approvers for subnet routers and exit nodes
* Provide ACL examples for subnet routers and exit nodes
* Describe HA and its current limitations
* Add a troubleshooting section with IP forwarding
* Update features page for 0.26
Add auto approvers and link to our documentation if available.
* Prefer the console lexer when commandline and output mixed
2025-05-03 10:16:45 +02:00
Kristoffer Dalby
e7d2d79134
update capmap and deps for release ( #2522 )
* generate new capver map
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* replace old sort func
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* nix: flake update
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* capgen: update
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* capgen: update
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* go.mod: update tailscale
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* go.mod: update other deps
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-02 22:12:29 +02:00
Kristoffer Dalby
d810597414
policy/matcher: fix bug using contains instead of overlap ( #2556 )
* policy/matcher: slices.ContainsFunc
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/matcher: slices.ContainsFunc, correct contains vs overlap
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy: add tests to validate fix for 2181
Fixes #2181
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-02 22:08:56 +02:00
Kristoffer Dalby
93afb03f67
cmd: add policy check command ( #2553 )
2025-05-02 13:58:30 +03:00
Kristoffer Dalby
e4d10ad964
policy/v2: validate autogroup:internet only in dst ( #2552 )
2025-05-02 13:58:12 +03:00
Janne Johansson
7dc86366b4
Update source.md
If we assume someone doesn't already have the required go package, they might also not have the required git package installed either, so pkg_add both of them.
2025-05-02 10:43:56 +02:00
Kristoffer Dalby
c923f461ab
error on undefined host in policy ( #2490 )
* add testcases
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: add validate to do post marshal validation
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-01 14:30:52 +02:00
Kristoffer Dalby
a4a203b9a3
cli/nodes: filter nodes without any routes ( #2551 )
2025-05-01 13:27:54 +03:00
aergus-tng
4651d06fa8
Make matchers part of the Policy interface ( #2514 )
* Make matchers part of the Policy interface
* Prevent race condition between rules and matchers
* Test also matchers in tests for Policy.Filter
* Compute `filterChanged` in v2 policy correctly
* Fix nil vs. empty list issue in v2 policy test
* policy/v2: always clear ssh map
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Co-authored-by: Aras Ergus <aras.ergus@tngtech.com>
Co-authored-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-01 07:06:30 +02:00
Kristoffer Dalby
eb1ecefd9e
auth: ensure that routes are autoapproved when the node is stored ( #2550 )
* integration: ensure route is set before node joins, reproduce
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* auth: ensure that routes are autoapproved when the node is stored
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-05-01 07:05:42 +02:00
Kristoffer Dalby
6b6509eeeb
notify nodes after owner change ( #2543 )
* proto: user id as identifier for move node
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* gen: regenr
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* grpc: move, use userid, one tx, send update
Updates #2467
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: update move cli tests
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-30 18:33:38 +02:00
Kristoffer Dalby
cfe9bbf829
oidc: try to get username from userinfo ( #2545 )
* oidc: try to get username from userinfo
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-30 11:54:13 +02:00
Kristoffer Dalby
8f9fbf16f1
types/authkey: include user object in response ( #2542 )
* types/authkey: include user object, not string
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* make preauthkeys use id
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: wire up user id for auth keys
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-30 11:45:08 +02:00
Kristoffer Dalby
f1206328dc
fix webauth + autoapprove routes ( #2528 )
* types/node: add helper funcs for node tags
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* types/node: add DebugString method for node
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: add String func to AutoApprover interface
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: simplify, use slices.Contains
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: debug, use nodes.DebugString
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v1: fix potential nil pointer in NodeCanApproveRoute
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v1: slices.Contains
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration/tsic: fix diff in login commands
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: fix webauth running with wrong scenario
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: move common oidc opts to func
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: require node count, more verbose
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* auth: remove ineffective route approve
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* .github/workflows: fmt
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration/tsic: add id func
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: remove call that might be nil
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: test autoapprovers against web/authkey x group/tag/user
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: unique network id per scenario
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* Revert "integration: move common oidc opts to func"
This reverts commit 7e9d165d4a900c304f1083b665f1a24a26e06e55.
* remove cmd
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: clean docker images between runs in ci
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: run autoapprove test against different policy modes
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration/tsic: append, not overwrite extra login args
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* .github/workflows: remove polv2
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-30 07:54:04 +02:00
Kristoffer Dalby
57861507ab
integration: remove failing resolvconf tests ( #2549 )
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-30 07:52:23 +02:00
Kristoffer Dalby
2b38f7bef7
policy/v2: make default ( #2546 )
* policy/v2: make default
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* integration: do not run v1 tests
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* policy/v2: fix potential nil pointers
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* mapper: fix test failures in v2
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-29 16:27:41 +02:00
github-actions[bot]
9a4d0e1a99
flake.lock: Update ( #2518 )
Flake lock file updates:
• Updated input 'nixpkgs':
'github:NixOS/nixpkgs/18dd725c29603f582cf1900e0d25f9f1063dbf11?narHash=sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38%3D' (2025-04-13)
→ 'github:NixOS/nixpkgs/ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c?narHash=sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs%3D' (2025-04-17)
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
2025-04-24 11:02:09 +00:00
Kristoffer Dalby
30539b2e26
config: disallow same server url and base_domain ( #2544 )
* config: disallow same server url and base_domain
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-23 16:24:38 +02:00
Kristoffer Dalby
098ab0357c
add casbin user test ( #2474 )
* add casbin user test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
* Delete double slash
* types/users: use join url on iss that are urls
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Co-authored-by: Juan Font <juanfontalonso@gmail.com>
2025-04-23 13:21:51 +02:00
Relihan Myburgh
56d085bd08
Fix panic on fast reconnection of node ( #2536 )
* Fix panic on fast reconnection of node
* Use parameter captured in closure as per review request
2025-04-23 11:52:24 +02:00
Relihan Myburgh
92e587a82c
Fix goroutine leak in EphemeralGC on node cancel ( #2538 )
* Fix goroutine leak in EphemeralGC on node cancel
* Deal with timer firing whilst the GC is shutting down. Fix typos.
2025-04-23 11:44:24 +02:00
Pamplemousse
f3a1e693f2
Mention "Network flow logs" as a missing feature
2025-04-22 11:28:41 +02:00
Kristoffer Dalby
f783555469
integration: clean up unreferenced hs- networks ( #2534 )
2025-04-18 12:06:28 +02:00
Kristoffer Dalby
710d75367e
policy/v2: fix host validation, consistent pattern ( #2533 )
2025-04-18 11:35:04 +02:00
Kristoffer Dalby
c30e3a4762
flake: add golang-lint lsp ( #2507 )
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-18 11:15:02 +02:00
alteriks
3287aa8bba
Update oidc.md
Authelia docs
2025-04-18 10:16:08 +02:00
Kristoffer Dalby
8e7e52cf3a
some clarifications for tags ( #2531 )
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2025-04-18 09:33:02 +02:00
nblock
1e0516b99d
Restore support for "Override local DNS" ( #2438 )
Tailscale allows overriding the local DNS settings of a node via
"Override local DNS" [1]. Restore this flag with the same config setting
name `dns.override_local_dns` but disable it by default to align it with
Tailscale's default behaviour.
Tested with Tailscale 1.80.2 and systemd-resolved on Debian 12.
With `dns.override_local_dns: false`:
```
Link 12 (tailscale0)
Current Scopes: DNS
Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 100.100.100.100
DNS Domain: tn.example.com ~0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa [snip]
```
With `dns.override_local_dns: true`:
```
Link 12 (tailscale0)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 100.100.100.100
DNS Domain: tn.example.com ~.
```
[1] https://tailscale.com/kb/1054/dns#override-local-dns
Fixes: #2256
2025-04-17 17:16:59 +02:00
Kristoffer Dalby
0fbe392499
more wait, more retry ( #2532 )
2025-04-16 12:42:26 +02:00