headscale

mirror of https://github.com/juanfont/headscale.git synced 2025-05-23 18:41:52 -04:00

Author	SHA1	Message	Date
Kristoffer Dalby	d7a503a34e	changelog: entry for 0.26 (#2594 ) * changelog: entry for 0.26 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * docs: bump version Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-14 16:32:56 +02:00
jasonrepos	62b489dc68	fix: change FormatUint base from 64 to 10 in preauthkeys list command (#2588 )	2025-05-13 18:40:17 +00:00
nblock	8c7e650616	Remove map_legacy_users from example configuration (#2590 )	2025-05-13 21:38:52 +03:00
Kristoffer Dalby	43943aeee9	bring back last_seen in database (#2579 ) * db: add back last_seen to the database Fixes #2574 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: ensure last_seen is set Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> v0.26.0-beta.2	2025-05-10 09:49:08 +02:00
nblock	d81b0053e5	Simplify policy migration (#2582 ) These steps are easier to accomplish and require only Headscale 0.26. They also work when a user has already upgraded the database. See: #2567	2025-05-10 08:04:42 +02:00
nblock	dd0cbdf40c	Add migration steps when policy is stored in the database (#2581 ) Fixes: #2567	2025-05-09 23:30:39 +02:00
Kristoffer Dalby	37dc0dad35	policy/v2: separate exit node and 0.0.0.0/0 routes (#2578 ) * policy: add tests for route auto approval Reproduce #2568 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: separate exit node and 0.0.0.0/0 routes Fixes #2568 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-09 23:20:04 +02:00
Kristoffer Dalby	377b854dd8	cli: policy check, dont require config or log (#2580 ) Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-09 23:19:47 +02:00
Kristoffer Dalby	56db4ed0f1	policy/v2: validate that no undefined group or tag is used (#2576 ) * policy/v2: allow Username as ssh source Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: validate that no undefined group or tag is used Fixes #2570 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: fixup tests which violated tag constraing Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-09 11:51:30 +02:00
nblock	833e0f66f1	Remove subnet router visibility workaround from docs (#2569 ) Previous Headscale versions required a dedicated rule to make a subnet router visible to clients. This workaround is no longer required.	2025-05-05 15:24:59 +02:00
Kristoffer Dalby	1dddd3e93b	app: throw away not found body (#2566 ) Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> v0.26.0-beta.1	2025-05-04 22:06:44 +02:00
nblock	9a86ffc102	Misc doc fixes (#2562 ) * Link to stable and development docs in the README * Add Tailscale SSH and autogroup:nonroot to features page * Use @ when referencing users in policy * Remove unmaintained headscale-webui The project seems to be unmaintained (last commit: 2023-05-08) and it only supports Headscale 0.22 or earlier. * Use full image URL in container docs This makes it easy to switch the container runtime from docker <-> podman. * Remove version from docker-compose.yml example This is now deprecated and yields a warning.	2025-05-04 21:55:08 +02:00
Kristoffer Dalby	45e38cb080	policy: reduce routes sent to peers based on packetfilter (#2561 ) * notifier: use convenience funcs Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: reduce routes based on policy Fixes #2365 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * hsic: more helper methods Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: more test cases Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: add route with filter acl integration test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: correct route reduce test, now failing Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * mapper: compare peer routes against node Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * hs: more output to debug strings Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * types/node: slice.ContainsFunc Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: more reduce route test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * changelog: add entry for route filter Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-04 21:52:47 +02:00
Kristoffer Dalby	b9868f6516	Make more granular SSH tests for both Policies (#2555 ) * policy/v1: dont consider empty if ssh has rules Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: replace time.Duration with model.Duration Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: add autogroup and ssh validation Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: replace time.Duration with model.Duration Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: replace old ssh tests with more granular test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: skip v1 tests expected to fail (missing error handling) Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: skip v1 group tests, old bugs wont be fixed Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: user valid policy for ssh Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * Changelog, add ssh section Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * nix update Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-04 12:05:41 +00:00
Kristoffer Dalby	f317a85ab4	go.mod: update rest of deps (#2559 ) * flake: update go hash Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * go.mod: update more deps Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-03 16:36:08 +02:00
Alexey Tarasov	53d9c95160	Update container.md	2025-05-03 12:51:46 +02:00
Jacob Yundt	03a91693ac	feat: Create headscale user and group as system user/groups (#2322 ) When creating the headscale user and group, create both as system groups rather than creating them as 'user' groups. FIXES #2278	2025-05-03 09:13:54 +00:00
nblock	cb7c0173ec	Fix deprecation warnings (#2558 ) See https://goreleaser.com/deprecations/#archivesformat and https://goreleaser.com/deprecations/#nfpmsbuilds	2025-05-03 10:18:49 +02:00
nblock	18d21d3585	Add documentation for routes (#2496 ) * Add documentation for routes * Rename exit-node to routes and add redirects * Add a new section on subnet routers * Extend the existing exit-node documentation * Describe auto approvers for subnet routers and exit nodes * Provide ACL examples for subnet routers and exit nodes * Describe HA and its current limitations * Add a troubleshooting section with IP forwarding * Update features page for 0.26 Add auto approvers and link to our documentation if available. * Prefer the console lexer when commandline and output mixed	2025-05-03 10:16:45 +02:00
Kristoffer Dalby	e7d2d79134	update capmap and deps for release (#2522 ) * generate new capver map Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * replace old sort func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * nix: flake update Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * capgen: update Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * capgen: update Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * go.mod: update tailscale Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * go.mod: update other deps Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-02 22:12:29 +02:00
Kristoffer Dalby	d810597414	policy/matcher: fix bug using contains instead of overlap (#2556 ) * policy/matcher: slices.ContainsFunc Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/matcher: slices.ContainsFunc, correct contains vs overlap Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy: add tests to validate fix for 2181 Fixes #2181 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-02 22:08:56 +02:00
Kristoffer Dalby	93afb03f67	cmd: add policy check command (#2553 )	2025-05-02 13:58:30 +03:00
Kristoffer Dalby	e4d10ad964	policy/v2: validate autogroup:interet only in dst (#2552 )	2025-05-02 13:58:12 +03:00
Janne Johansson	7dc86366b4	Update source.md If we assume someone doesn't already have the required go package, they might also not have the required git package installed either, so pkg_add both of them.	2025-05-02 10:43:56 +02:00
Kristoffer Dalby	c923f461ab	error on undefined host in policy (#2490 ) * add testcases Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: add validate to do post marshal validation Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-01 14:30:52 +02:00
Kristoffer Dalby	a4a203b9a3	cli/nodes: filter nodes without any routes (#2551 )	2025-05-01 13:27:54 +03:00
aergus-tng	4651d06fa8	Make matchers part of the Policy interface (#2514 ) * Make matchers part of the Policy interface * Prevent race condition between rules and matchers * Test also matchers in tests for Policy.Filter * Compute `filterChanged` in v2 policy correctly * Fix nil vs. empty list issue in v2 policy test * policy/v2: always clear ssh map Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> Co-authored-by: Aras Ergus <aras.ergus@tngtech.com> Co-authored-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-01 07:06:30 +02:00
Kristoffer Dalby	eb1ecefd9e	auth: ensure that routes are autoapproved when the node is stored (#2550 ) * integration: ensure route is set before node joins, reproduce Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * auth: ensure that routes are autoapproved when the node is stored Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-05-01 07:05:42 +02:00
Kristoffer Dalby	6b6509eeeb	notify nodes after owner change (#2543 ) * proto: user id as identifier for move node Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * gen: regenr Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * grpc: move, use userid, one tx, send update Updates #2467 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: update move cli tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-30 18:33:38 +02:00
Kristoffer Dalby	cfe9bbf829	oidc: try to get username from userinfo (#2545 ) * oidc: try to get username from userinfo Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-30 11:54:13 +02:00
Kristoffer Dalby	8f9fbf16f1	types/authkey: include user object in response (#2542 ) * types/authkey: include user object, not string Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * make preauthkeys use id Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: wire up user id for auth keys Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-30 11:45:08 +02:00
Kristoffer Dalby	f1206328dc	fix webauth + autoapprove routes (#2528 ) * types/node: add helper funcs for node tags Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * types/node: add DebugString method for node Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: add String func to AutoApprover interface Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: simplify, use slices.Contains Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: debug, use nodes.DebugString Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v1: fix potential nil pointer in NodeCanApproveRoute Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v1: slices.Contains Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration/tsic: fix diff in login commands Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: fix webauth running with wrong scenario Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: move common oidc opts to func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: require node count, more verbose Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * auth: remove uneffective route approve Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * .github/workflows: fmt Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration/tsic: add id func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: remove call that might be nil Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: test autoapprovers against web/authkey x group/tag/user Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: unique network id per scenario Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * Revert "integration: move common oidc opts to func" This reverts commit 7e9d165d4a900c304f1083b665f1a24a26e06e55. * remove cmd Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: clean docker images between runs in ci Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: run autoapprove test against differnt policy modes Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration/tsic: append, not overrwrite extra login args Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * .github/workflows: remove polv2 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-30 07:54:04 +02:00
Kristoffer Dalby	57861507ab	integration: remove failing resolvconf tests (#2549 ) Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-30 07:52:23 +02:00
Kristoffer Dalby	2b38f7bef7	policy/v2: make default (#2546 ) * policy/v2: make default Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * integration: do not run v1 tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * policy/v2: fix potential nil pointers Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * mapper: fix test failures in v2 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-29 16:27:41 +02:00
github-actions[bot]	9a4d0e1a99	flake.lock: Update (#2518 ) Flake lock file updates: • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/18dd725c29603f582cf1900e0d25f9f1063dbf11?narHash=sha256-awS2zRgF4uTwrOKwwiJcByDzDOdo3Q1rPZbiHQg/N38%3D' (2025-04-13) → 'github:NixOS/nixpkgs/ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c?narHash=sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs%3D' (2025-04-17) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2025-04-24 11:02:09 +00:00
Kristoffer Dalby	30539b2e26	config: disallow same server url and base_domain (#2544 ) * config: disallow same server url and base_domain Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-23 16:24:38 +02:00
Kristoffer Dalby	098ab0357c	add casbin user test (#2474 ) * add casbin user test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * Delete double slash * types/users: use join url on iss that are ursl Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> Co-authored-by: Juan Font <juanfontalonso@gmail.com>	2025-04-23 13:21:51 +02:00
Relihan Myburgh	56d085bd08	Fix panic on fast reconnection of node (#2536 ) * Fix panic on fast reconnection of node * Use parameter captured in closure as per review request	2025-04-23 11:52:24 +02:00
Relihan Myburgh	92e587a82c	Fix goroutine leak in EphemeralGC on node cancel (#2538 ) * Fix goroutine leak in EphemeralGC on node cancel * Deal with timer firing whilst the GC is shutting down. Fix typos.	2025-04-23 11:44:24 +02:00
Pamplemousse	f3a1e693f2	Mention "Network flow logs" as a missing feature	2025-04-22 11:28:41 +02:00
Kristoffer Dalby	f783555469	integration: clean up unreferenced hs- networks (#2534 )	2025-04-18 12:06:28 +02:00
Kristoffer Dalby	710d75367e	policy/v2: fix host validation, consistent pattern (#2533 )	2025-04-18 11:35:04 +02:00
Kristoffer Dalby	c30e3a4762	flake: add golang-lint lsp (#2507 ) Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-18 11:15:02 +02:00
alteriks	3287aa8bba	Update oidc.md Authelia docs	2025-04-18 10:16:08 +02:00
Kristoffer Dalby	8e7e52cf3a	some clarifications for tags (#2531 ) Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-04-18 09:33:02 +02:00
nblock	1e0516b99d	Restore support for "Override local DNS" (#2438 ) Tailscale allows to override the local DNS settings of a node via "Override local DNS" [1]. Restore this flag with the same config setting name `dns.override_local_dns` but disable it by default to align it with Tailscale's default behaviour. Tested with Tailscale 1.80.2 and systemd-resolved on Debian 12. With `dns.override_local_dns: false`: ``` Link 12 (tailscale0) Current Scopes: DNS Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported DNS Servers: 100.100.100.100 DNS Domain: tn.example.com ~0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa [snip] ``` With `dns.override_local_dns: true`: ``` Link 12 (tailscale0) Current Scopes: DNS Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported DNS Servers: 100.100.100.100 DNS Domain: tn.example.com ~. ``` [1] https://tailscale.com/kb/1054/dns#override-local-dns Fixes: #2256	2025-04-17 17:16:59 +02:00
Kristoffer Dalby	0fbe392499	more wait, more retry (#2532 )	2025-04-16 12:42:26 +02:00
Nick	109989005d	ensure final dot on node name (#2503 ) * ensure final dot on node name This ensures that nodes which have a base domain set, will have a dot appended to their FQDN. Resolves: https://github.com/juanfont/headscale/issues/2501 * improve OIDC TTL expire test Waiting a bit more than the TTL of the OIDC token seems to remove some flakiness of this test. This furthermore makes use of a go func safe buffer which should avoid race conditions.	2025-04-11 12:39:08 +02:00
Enkelmann	0d3134720b	Only read relevant nodes from database in PeerChangedResponse (#2509 ) * Only read relevant nodes from database in PeerChangedResponse * Rework to ensure transactional consistency in PeerChangedResponse again * An empty nodeIDs list should return an empty nodes list * Add test to ListNodesSubset * Link PR in CHANGELOG.md * combine ListNodes and ListNodesSubset into one function * query for all nodes in ListNodes if no parameter is given * also add optional filtering for relevant nodes to ListPeers	2025-04-08 14:56:44 +02:00
Christoph	d2a6356d89	Add unraid-headscale-admin web UI to docs (#2515 ) * Add unraid-headscale-admin link	2025-04-02 20:54:32 +02:00

1 2 3 4 5 ...

3434 Commits