Kristoffer Dalby
1cdea7ed9b
stricter hostname validation and replace ( #2383 )
2025-10-22 13:50:39 +02:00
Florian Preinstorfer
8becb7e54a
Mention explicitly that @ is only required in policy
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Tests / test (push) Has been cancelled
Deploy docs / deploy (push) Has been cancelled
Close inactive issues / close-issues (push) Has been cancelled
2025-10-21 14:28:03 +02:00
Kristoffer Dalby
e7a28a14af
changelog: prepare for 0.27.0 ( #2797 )
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Tests / test (push) Has been cancelled
Deploy docs / deploy (push) Has been cancelled
Close inactive issues / close-issues (push) Has been cancelled
2025-10-16 19:04:07 +02:00
Stavros Kois
c07cc491bf
add health command ( #2659 )
...
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Deploy docs / deploy (push) Has been cancelled
Tests / test (push) Has been cancelled
* add health command
* update health check implementation to allow for more checks to added over time
* add change changelog entry
2025-10-16 12:00:11 +00:00
Vitalij Dovhanyc
c2a58a304d
feat: add autogroup:self ( #2789 )
2025-10-16 12:59:52 +02:00
Florian Preinstorfer
bd35fcf338
Add FAQ entry about policy migration in the database
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Deploy docs / deploy (push) Has been cancelled
Tests / test (push) Has been cancelled
Close inactive issues / close-issues (push) Has been cancelled
update-flake-lock / lockfile (push) Has been cancelled
GitHub Actions Version Updater / build (push) Has been cancelled
2025-09-17 16:32:29 +02:00
Kristoffer Dalby
2b30a15a68
cmd: add option to get and set policy directly from database ( #2765 )
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Tests / test (push) Has been cancelled
Close inactive issues / close-issues (push) Has been cancelled
2025-09-12 16:55:15 +02:00
Kristoffer Dalby
2938d03878
policy: reject unsupported fields ( #2764 )
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Tests / test (push) Has been cancelled
2025-09-12 14:47:56 +02:00
Kristoffer Dalby
1b1c989268
{policy, node}: allow return paths in route reduction ( #2767 )
2025-09-12 11:47:51 +02:00
Kristoffer Dalby
b87567628a
derp: increase update frequency and harden on failures ( #2741 )
2025-08-22 10:40:38 +02:00
nblock
fa619ea9f3
Fix CHANGELOG for autogroup:member and autogroup:tagged ( #2733 )
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Check Generated Files / check-generated (push) Waiting to run
Tests / test (push) Waiting to run
2025-08-18 08:59:03 +02:00
Fredrik Ekre
5d8a2c25ea
OIDC: Query userinfo endpoint before verifying user
...
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Tests / test (push) Has been cancelled
Close inactive issues / close-issues (push) Has been cancelled
This patch includes some changes to the OIDC integration in particular:
- Make sure that userinfo claims are queried *before* comparing the
user with the configured allowed groups, email and email domain.
- Update user with group claim from the userinfo endpoint which is
required for allowed groups to work correctly. This is essentially a
continuation of #2545 .
- Let userinfo claims take precedence over id token claims.
With these changes I have verified that Headscale works as expected
together with Authelia without the documented escape hatch [0], i.e.
everything works even if the id token only contain the iss and sub
claims.
[0]: https://www.authelia.com/integration/openid-connect/headscale/#configuration-escape-hatch
2025-08-11 17:51:16 +02:00
eyjhb
d77874373d
feat: add robots.txt
2025-08-10 10:57:45 +02:00
Kristoffer Dalby
a058bf3cd3
mapper: produce map before poll ( #2628 )
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Check Generated Files / check-generated (push) Has been cancelled
Tests / test (push) Has been cancelled
update-flake-lock / lockfile (push) Has been cancelled
GitHub Actions Version Updater / build (push) Has been cancelled
2025-07-28 11:15:53 +02:00
Kristoffer Dalby
7fce5065c4
all: remove 32 bit support ( #2692 )
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Tests / test (push) Has been cancelled
update-flake-lock / lockfile (push) Has been cancelled
GitHub Actions Version Updater / build (push) Has been cancelled
2025-07-16 13:32:59 +02:00
Kristoffer Dalby
4668e5dd96
changelog: add entry for db
...
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-07-07 15:48:38 +01:00
Stavros Kois
855c48aec2
remove unneeded check ( #2658 )
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=386 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Has been cancelled
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Has been cancelled
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Tests / test (push) Has been cancelled
update-flake-lock / lockfile (push) Has been cancelled
GitHub Actions Version Updater / build (push) Has been cancelled
2025-07-04 15:47:01 +00:00
Stavros Kois
ded049b905
don't crash if config file is missing ( #2656 )
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
Deploy docs / deploy (push) Has been cancelled
2025-07-04 12:58:17 +00:00
Florian Preinstorfer
d461db3abd
Refactor OpenID Connect documentation
...
Restructure and rewrite the OpenID Connect documentation. Start from the
most minimal configuration and describe what needs to be done both in
Headscale and the identity provider. Describe additional features such
as PKCE and authorization filters in a generic manner with examples.
Document how Headscale populates its user profile and how it relates to
OIDC claims. This is a revised version from the table in the changelog.
Document the validation rules for fields and extend known limitations.
Sort the provider specific section alphabetically and add a section for
Authelia, Authentik, Kanidm and Keycloak. Also simplify and rename Azure
to Entra ID.
Update the description for the oidc section in the example
configuration. Give a short explanation of each configuration setting.
All documentend features were tested with Headscale 0.26 (using a fresh
database each time) using the following identity providers:
* Authelia
* Authentik
* Kanidm
* Keycloak
Fixes : #2295
2025-07-04 10:51:37 +02:00
Kristoffer Dalby
081af2674b
ci: fix golangci-lint flag for v2 compatibility ( #2654 )
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
Deploy docs / deploy (push) Has been cancelled
2025-06-24 08:14:50 +02:00
seiuneko
d325211617
feat: add verify client config for embedded DERP ( #2260 )
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
* feat: add verify client config for embedded DERP
* refactor: embedded DERP no longer verify clients via HTTP
- register the `headscale://` protocol in `http.DefaultTransport` to intercept network requests
- update configuration to use a single boolean option `verify_clients`
* refactor: use `http.HandlerFunc` for type definition
* refactor: some renaming and restructuring
* chore: some renaming and fix lint
* test: fix TestDERPVerifyEndpoint
- `tailscale debug derp` use random node private key
* test: add verify clients integration test for embedded DERP server
* fix: apply code review suggestions
* chore: merge upstream changes
* fix: apply code review suggestions
---------
Co-authored-by: Kristoffer Dalby <kristoffer@dalby.cc >
2025-06-18 09:24:53 +02:00
Mustafa Enes Batur
bad783321e
Fix /machine/map endpoint vulnerability ( #2642 )
...
Build / build-nix (push) Has been cancelled
Build / build-cross (GOARCH=386 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Has been cancelled
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Has been cancelled
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Has been cancelled
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Has been cancelled
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Has been cancelled
Tests / test (push) Has been cancelled
update-flake-lock / lockfile (push) Has been cancelled
GitHub Actions Version Updater / build (push) Has been cancelled
* Improve map auth logic
* Bugfix
* Add comment, improve error message
* noise: make func, get by node
this commit splits the additional validation into a
separate function so it can be reused if we add more
endpoints in the future.
It swaps the check, so we still look up by NodeKey, but before
accepting the connection, we validate the known machinekey from
the db against the noise connection.
The reason for this is that when a node logs in or out, the node key
is replaced and it will no longer be possible to look it up, breaking
reauthentication.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* noise: add comment to remind future use of getAndVal
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* changelog: add entry
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
Co-authored-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-06-06 12:14:11 +02:00
Florian Preinstorfer
cd704570be
Drop support for Ubuntu 20.04
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Deploy docs / deploy (push) Waiting to run
Tests / test (push) Waiting to run
Its old and our service file logs warning about unsupported options.
2025-05-21 15:40:32 +02:00
Kristoffer Dalby
a52f1df180
policy: remove v1 code ( #2600 )
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
* policy: remove v1 code
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* db: update test with v1 removal
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: start moving to v2 policy
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: add ssh unmarshal tests
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* changelog: add entry
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: remove v1 comment
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: remove comment out case
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* cleanup skipv1
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: remove v1 prefix workaround
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: add all node ips if prefix/host is ts ip
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-05-20 13:57:26 +02:00
Vitalij Dovhanyc
6750414db1
feat: add autogroup:member, autogroup:tagged ( #2572 )
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
Deploy docs / deploy (push) Has been cancelled
update-flake-lock / lockfile (push) Has been cancelled
GitHub Actions Version Updater / build (push) Has been cancelled
2025-05-17 11:07:34 +02:00
Florian Preinstorfer
b50e10a1be
Document breaking change for dns.override_local_dns
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Deploy docs / deploy (push) Waiting to run
Tests / test (push) Waiting to run
See: #2438
2025-05-16 19:33:00 +02:00
Kristoffer Dalby
bd6ed80936
policy/v2: error on missing or zero port ( #2606 )
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
* policy/v2: error on missing or zero port
Fixes #2605
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* changelog: add entry
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-05-16 17:30:47 +02:00
Kristoffer Dalby
d7a503a34e
changelog: entry for 0.26 ( #2594 )
...
* changelog: entry for 0.26
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* docs: bump version
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-05-14 16:32:56 +02:00
nblock
d81b0053e5
Simplify policy migration ( #2582 )
...
These steps are easier to accomplish and require only Headscale 0.26.
They also work when a user has already upgraded the database.
See: #2567
2025-05-10 08:04:42 +02:00
nblock
dd0cbdf40c
Add migration steps when policy is stored in the database ( #2581 )
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
Fixes : #2567
2025-05-09 23:30:39 +02:00
Kristoffer Dalby
45e38cb080
policy: reduce routes sent to peers based on packetfilter ( #2561 )
...
* notifier: use convenience funcs
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: reduce routes based on policy
Fixes #2365
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* hsic: more helper methods
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: more test cases
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: add route with filter acl integration test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: correct route reduce test, now failing
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* mapper: compare peer routes against node
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* hs: more output to debug strings
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* types/node: slice.ContainsFunc
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: more reduce route test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* changelog: add entry for route filter
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-05-04 21:52:47 +02:00
Kristoffer Dalby
b9868f6516
Make more granular SSH tests for both Policies ( #2555 )
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
* policy/v1: dont consider empty if ssh has rules
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy/v2: replace time.Duration with model.Duration
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy/v2: add autogroup and ssh validation
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy/v2: replace time.Duration with model.Duration
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: replace old ssh tests with more granular test
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: skip v1 tests expected to fail (missing error handling)
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy: skip v1 group tests, old bugs wont be fixed
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: user valid policy for ssh
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* Changelog, add ssh section
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* nix update
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-05-04 12:05:41 +00:00
nblock
18d21d3585
Add documentation for routes ( #2496 )
...
* Add documentation for routes
* Rename exit-node to routes and add redirects
* Add a new section on subnet routers
* Extend the existing exit-node documentation
* Describe auto approvers for subnet routers and exit nodes
* Provide ACL examples for subnet routers and exit nodes
* Describe HA and its current limitations
* Add a troubleshooting section with IP forwarding
* Update features page for 0.26
Add auto approvers and link to our documentation if available.
* Prefer the console lexer when commandline and output mixed
2025-05-03 10:16:45 +02:00
Kristoffer Dalby
93afb03f67
cmd: add policy check command ( #2553 )
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
2025-05-02 13:58:30 +03:00
Kristoffer Dalby
cfe9bbf829
oidc: try to get username from userinfo ( #2545 )
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
* oidc: try to get username from userinfo
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-04-30 11:54:13 +02:00
Kristoffer Dalby
8f9fbf16f1
types/authkey: include user object in response ( #2542 )
...
* types/authkey: include user object, not string
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* make preauthkeys use id
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: wire up user id for auth keys
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-04-30 11:45:08 +02:00
Kristoffer Dalby
2b38f7bef7
policy/v2: make default ( #2546 )
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
* policy/v2: make default
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* integration: do not run v1 tests
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* policy/v2: fix potential nil pointers
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* mapper: fix test failures in v2
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-04-29 16:27:41 +02:00
Kristoffer Dalby
30539b2e26
config: disallow same server url and base_domain ( #2544 )
...
Build / build-nix (push) Waiting to run
Build / build-cross (GOARCH=386 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=amd64 GOOS=linux) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=5) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=6) (push) Waiting to run
Build / build-cross (GOARCH=arm GOOS=linux GOARM=7) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=darwin) (push) Waiting to run
Build / build-cross (GOARCH=arm64 GOOS=linux) (push) Waiting to run
Tests / test (push) Waiting to run
* config: disallow same server url and base_domain
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-04-23 16:24:38 +02:00
nblock
1e0516b99d
Restore support for "Override local DNS" ( #2438 )
...
Tailscale allows to override the local DNS settings of a node via
"Override local DNS" [1]. Restore this flag with the same config setting
name `dns.override_local_dns` but disable it by default to align it with
Tailscale's default behaviour.
Tested with Tailscale 1.80.2 and systemd-resolved on Debian 12.
With `dns.override_local_dns: false`:
```
Link 12 (tailscale0)
Current Scopes: DNS
Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 100.100.100.100
DNS Domain: tn.example.com ~0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa [snip]
```
With `dns.override_local_dns: true`:
```
Link 12 (tailscale0)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
DNS Servers: 100.100.100.100
DNS Domain: tn.example.com ~.
```
[1] https://tailscale.com/kb/1054/dns#override-local-dns
Fixes : #2256
2025-04-17 17:16:59 +02:00
Nick
109989005d
ensure final dot on node name ( #2503 )
...
* ensure final dot on node name
This ensures that nodes which have a base domain set, will have a dot appended to their FQDN.
Resolves: https://github.com/juanfont/headscale/issues/2501
* improve OIDC TTL expire test
Waiting a bit more than the TTL of the OIDC token seems to remove some flakiness of this test. This furthermore makes use of a go func safe buffer which should avoid race conditions.
2025-04-11 12:39:08 +02:00
Enkelmann
0d3134720b
Only read relevant nodes from database in PeerChangedResponse ( #2509 )
...
* Only read relevant nodes from database in PeerChangedResponse
* Rework to ensure transactional consistency in PeerChangedResponse again
* An empty nodeIDs list should return an empty nodes list
* Add test to ListNodesSubset
* Link PR in CHANGELOG.md
* combine ListNodes and ListNodesSubset into one function
* query for all nodes in ListNodes if no parameter is given
* also add optional filtering for relevant nodes to ListPeers
2025-04-08 14:56:44 +02:00
Benjamin Staffin
b5953d689c
OIDC: Fetch UserInfo to get EmailVerified if necessary ( #2493 )
2025-03-27 10:39:29 +01:00
Kristoffer Dalby
87326f5c4f
Experimental implementation of Policy v2 ( #2214 )
...
* utility iterator for ipset
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* split policy -> policy and v1
This commit split out the common policy logic and policy implementation
into separate packages.
policy contains functions that are independent of the policy implementation,
this typically means logic that works on tailcfg types and generic formats.
In addition, it defines the PolicyManager interface which the v1 implements.
v1 is a subpackage which implements the PolicyManager using the "original"
policy implementation.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* use polivyv1 definitions in integration tests
These can be marshalled back into JSON, which the
new format might not be able to.
Also, just dont change it all to JSON strings for now.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* formatter: breaks lines
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* remove compareprefix, use tsaddr version
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* remove getacl test, add back autoapprover
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* use policy manager tag handling
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* rename display helper for user
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* introduce policy v2 package
policy v2 is built from the ground up to be stricter
and follow the same pattern for all types of resolvers.
TODO introduce
aliass
resolver
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* wire up policyv2 in integration testing
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* split policy v2 tests into seperate workflow to work around github limit
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* add policy manager output to /debug
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* update changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-03-10 16:20:29 +01:00
Kristoffer Dalby
7891378f57
Redo route code ( #2422 )
...
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-02-26 16:22:55 +01:00
Kristoffer Dalby
16868190c8
fix double login URL with OIDC ( #2445 )
...
* factor out login url parser
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* move to not trigger test gen checker
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* return regresp or err after waiting for registration
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* update changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-02-25 18:16:07 +01:00
Kristoffer Dalby
da2ca054b1
fix routes not being saved when new nodes registers ( #2444 )
...
* add test to validate exitnode propagation
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* save routes on register
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* update changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* no nil
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* add missing integration tests
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-02-23 23:10:25 +01:00
Kristoffer Dalby
bcff0eaae7
handle register auth errors ( #2435 )
...
* handle register auth errors
This commit handles register auth errors as the
Tailscale clients expect. It returns the error as
part of a tailcfg.RegisterResponse and not as a
http error.
In addition it fixes a nil pointer panic triggered
by not handling the errors as part of this chain.
Fixes #2434
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-02-23 17:02:46 +01:00
Kristoffer Dalby
604f7f6282
update to go 1.24 ( #2427 )
2025-02-14 10:56:03 +01:00
Kristoffer Dalby
b943cce868
set 0.25.0 changelog date ( #2423 )
...
* date in changelog
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
* update docs version
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
---------
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com >
2025-02-11 16:25:53 +01:00
Kristoffer Dalby
6403c8d5d2
use tsweb debugger ( #2420 )
...
This PR switches the homegrown debug endpoint to using tsweb.Debugger, a neat toolkit with batteries included for pprof and friends, and making it easy to add additional debug info:
I've started out by adding a bunch of "introspect" endpoints
image
So users can see the acl, filter, config, derpmap and connected nodes as headscale sees them.
2025-02-11 11:18:59 +01:00
