349 commits

Author	SHA1	Message	Date
Kristoffer Dalby	1398d01bd8	proto: change preauthkey API to ID-based operations ... Remove user parameter from ListPreAuthKeys. Change ExpirePreAuthKey and DeletePreAuthKey to use key ID.	2026-01-20 12:53:20 +01:00
Kristoffer Dalby	0451dd4718	state: allow untagging nodes via reauth with empty RequestTags ... When a node re-authenticates via OIDC/web auth with empty RequestTags (from `tailscale up --advertise-tags= --force-reauth`), remove all tags and return ownership to the authenticating user. This allows nodes to transition from any tagged state (including nodes originally registered with a tagged pre-auth key) back to user-owned. Fixes #2979	2026-01-17 10:13:24 +01:00
Florian Preinstorfer	d50108c722	Changelog: mark oidc.email_verified_required as breaking ... Headscale is now stricter and this is a breaking change if authorization filters are used and at least one user has an unverified email address.	2026-01-16 14:54:04 +01:00
Kristoffer Dalby	e43f19df79	CHANGELOG: add breaking change for Node API simplification	2026-01-14 09:32:46 +01:00
Justin Angel	7be20912f5	oidc: make email verification configurable ... Co-authored-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-12-18 11:42:32 +00:00
Kristoffer Dalby	3f0bfe28cc	changelog: prepare for 0.28.0 beta ... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-12-17 15:15:43 +01:00
Florian Preinstorfer	5c6cd62df1	Legacy preauthkeys must be used as-is	2025-12-17 13:05:08 +01:00
Kristoffer Dalby	642073f4b8	types: add option to disable taildrop, improve tests (#2955)	2025-12-12 11:35:16 +01:00
Kristoffer Dalby	22ee2bfc9c	tags: process tags on registration, simplify policy (#2931) ... This PR investigates, adds tests and aims to correctly implement Tailscale's model for how Tags should be accepted, assigned and used to identify nodes in the Tailscale access and ownership model. When evaluating in Headscale's policy, Tags are now only checked against a nodes "tags" list, which defines the source of truth for all tags for a given node. This simplifies the code for dealing with tags greatly, and should help us have less access bugs related to nodes belonging to tags or users. A node can either be owned by a user, or a tag. Next, to ensure the tags list on the node is correctly implemented, we first add tests for every registration scenario and combination of user, pre auth key and pre auth key with tags with the same registration expectation as observed by trying them all with the Tailscale control server. This should ensure that we implement the correct behaviour and that it does not change or break over time. Lastly, the missing parts of the auth has been added, or changed in the cases where it was wrong. This has in large parts allowed us to delete and simplify a lot of code. Now, tags can only be changed when a node authenticates or if set via the CLI/API. Tags can only be fully overwritten/replaced and any use of either auth or CLI will replace the current set if different. A user owned device can be converted to a tagged device, but it cannot be changed back. A tagged device can never remove the last tag either, it has to have a minimum of one.	2025-12-08 18:51:07 +01:00
Kristoffer Dalby	15c84b34e0	policy: allow tags to own tags (#2930)	2025-12-06 10:23:35 +01:00
Kristoffer Dalby	eb788cd007	make tags first class node owner (#2885) ... This PR changes tags to be something that exists on nodes in addition to users, to being its own thing. It is part of moving our tags support towards the correct tailscale compatible implementation. There are probably rough edges in this PR, but the intention is to get it in, and then start fixing bugs from 0.28.0 milestone (long standing tags issue) to discover what works and what doesnt. Updates #2417 Closes #2619	2025-12-02 12:01:25 +01:00
Kristoffer Dalby	705b239677	changelog: prep for 0.27.2 rc ... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-12-02 12:01:02 +01:00
Kristoffer Dalby	cb4d5b1906	hscontrol/oidc: fix ACL policy not applied to new OIDC nodes (#2890) ... Fixes #2888 Fixes #2896	2025-12-02 12:01:02 +01:00
Kristoffer Dalby	16d811b306	cli: remove node move command (#2922)	2025-12-01 21:43:31 +01:00
Kristoffer Dalby	7fb0f9a501	batcher: send endpoint and derp only updates. (#2856)	2025-11-13 20:38:49 +01:00
Florian Preinstorfer	249630bed8	Add API documentation ... Document the API endpoint and the built-in swagger docs at /swagger. The remote control docs are just a use case for gRPC - move it in the API docs and update links to it.	2025-11-13 15:22:55 +01:00
Kristoffer Dalby	75247f82b8	hscontrol/db: add init schema, drop pre-0.25 support (#2883)	2025-11-13 04:44:10 -06:00
Kristoffer Dalby	8394e7094a	capver: update latest (#2774)	2025-11-12 20:26:54 +01:00
Kristoffer Dalby	da9018a0eb	types: make pre auth key use bcrypt (#2853)	2025-11-12 16:36:36 +01:00
Kristoffer Dalby	2aa5b8b68d	changelog: add entry for templates redesign	2025-11-12 08:28:12 -06:00
Kristoffer Dalby	d14be8d43b	nix: add NixOS module and tests (#2857)	2025-11-12 13:11:38 +00:00
Kristoffer Dalby	000d5c3b0c	prettier: use standard config for all files including changelog (#2879)	2025-11-12 13:59:43 +01:00
Teej	218a8db1b9	add favicon to webpages (#2858) ... Co-authored-by: TeejMcSteez <tjhall047@gmail.com> Co-authored-by: Kristoffer Dalby <kristoffer@dalby.cc>	2025-11-12 03:46:57 +00:00
Kristoffer Dalby	1dcb04ce9b	changelog: add changelog entry ... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-11-11 17:27:00 -06:00
Kristoffer Dalby	785168a7b8	changelog: prepare for 0.27.1 ... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-11-11 13:17:02 -06:00
Andrey	f9bb88ad24	expire nodes with a custom timestamp (#2828)	2025-11-01 08:09:13 +01:00
Kristoffer Dalby	19a33394f6	changelog: set 0.27 date (#2823)	2025-10-27 12:14:02 +01:00
Kristoffer Dalby	1cdea7ed9b	stricter hostname validation and replace (#2383)	2025-10-22 13:50:39 +02:00
Florian Preinstorfer	8becb7e54a	Mention explicitly that @ is only required in policy	2025-10-21 14:28:03 +02:00
Kristoffer Dalby	e7a28a14af	changelog: prepare for 0.27.0 (#2797)	2025-10-16 19:04:07 +02:00
Stavros Kois	c07cc491bf	add health command (#2659) ... * add health command * update health check implementation to allow for more checks to added over time * add change changelog entry	2025-10-16 12:00:11 +00:00
Vitalij Dovhanyc	c2a58a304d	feat: add autogroup:self (#2789)	2025-10-16 12:59:52 +02:00
Florian Preinstorfer	bd35fcf338	Add FAQ entry about policy migration in the database	2025-09-17 16:32:29 +02:00
Kristoffer Dalby	2b30a15a68	cmd: add option to get and set policy directly from database (#2765)	2025-09-12 16:55:15 +02:00
Kristoffer Dalby	2938d03878	policy: reject unsupported fields (#2764)	2025-09-12 14:47:56 +02:00
Kristoffer Dalby	1b1c989268	{policy, node}: allow return paths in route reduction (#2767)	2025-09-12 11:47:51 +02:00
Kristoffer Dalby	b87567628a	derp: increase update frequency and harden on failures (#2741)	2025-08-22 10:40:38 +02:00
nblock	fa619ea9f3	Fix CHANGELOG for autogroup:member and autogroup:tagged (#2733)	2025-08-18 08:59:03 +02:00
Fredrik Ekre	5d8a2c25ea	OIDC: Query userinfo endpoint before verifying user ... This patch includes some changes to the OIDC integration in particular: - Make sure that userinfo claims are queried *before* comparing the user with the configured allowed groups, email and email domain. - Update user with group claim from the userinfo endpoint which is required for allowed groups to work correctly. This is essentially a continuation of #2545. - Let userinfo claims take precedence over id token claims. With these changes I have verified that Headscale works as expected together with Authelia without the documented escape hatch [0], i.e. everything works even if the id token only contain the iss and sub claims. [0]: https://www.authelia.com/integration/openid-connect/headscale/#configuration-escape-hatch	2025-08-11 17:51:16 +02:00
eyjhb	d77874373d	feat: add robots.txt	2025-08-10 10:57:45 +02:00
Kristoffer Dalby	a058bf3cd3	mapper: produce map before poll (#2628)	2025-07-28 11:15:53 +02:00
Kristoffer Dalby	7fce5065c4	all: remove 32 bit support (#2692)	2025-07-16 13:32:59 +02:00
Kristoffer Dalby	4668e5dd96	changelog: add entry for db ... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-07-07 15:48:38 +01:00
Stavros Kois	855c48aec2	remove unneeded check (#2658)	2025-07-04 15:47:01 +00:00
Stavros Kois	ded049b905	don't crash if config file is missing (#2656)	2025-07-04 12:58:17 +00:00
Florian Preinstorfer	d461db3abd	Refactor OpenID Connect documentation ... Restructure and rewrite the OpenID Connect documentation. Start from the most minimal configuration and describe what needs to be done both in Headscale and the identity provider. Describe additional features such as PKCE and authorization filters in a generic manner with examples. Document how Headscale populates its user profile and how it relates to OIDC claims. This is a revised version from the table in the changelog. Document the validation rules for fields and extend known limitations. Sort the provider specific section alphabetically and add a section for Authelia, Authentik, Kanidm and Keycloak. Also simplify and rename Azure to Entra ID. Update the description for the oidc section in the example configuration. Give a short explanation of each configuration setting. All documentend features were tested with Headscale 0.26 (using a fresh database each time) using the following identity providers: * Authelia * Authentik * Kanidm * Keycloak Fixes: #2295	2025-07-04 10:51:37 +02:00
Kristoffer Dalby	081af2674b	ci: fix golangci-lint flag for v2 compatibility (#2654)	2025-06-24 08:14:50 +02:00
seiuneko	d325211617	feat: add verify client config for embedded DERP (#2260) ... * feat: add verify client config for embedded DERP * refactor: embedded DERP no longer verify clients via HTTP - register the `headscale://` protocol in `http.DefaultTransport` to intercept network requests - update configuration to use a single boolean option `verify_clients` * refactor: use `http.HandlerFunc` for type definition * refactor: some renaming and restructuring * chore: some renaming and fix lint * test: fix TestDERPVerifyEndpoint - `tailscale debug derp` use random node private key * test: add verify clients integration test for embedded DERP server * fix: apply code review suggestions * chore: merge upstream changes * fix: apply code review suggestions --------- Co-authored-by: Kristoffer Dalby <kristoffer@dalby.cc>	2025-06-18 09:24:53 +02:00
Mustafa Enes Batur	bad783321e	Fix /machine/map endpoint vulnerability (#2642) ... * Improve map auth logic * Bugfix * Add comment, improve error message * noise: make func, get by node this commit splits the additional validation into a separate function so it can be reused if we add more endpoints in the future. It swaps the check, so we still look up by NodeKey, but before accepting the connection, we validate the known machinekey from the db against the noise connection. The reason for this is that when a node logs in or out, the node key is replaced and it will no longer be possible to look it up, breaking reauthentication. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * noise: add comment to remind future use of getAndVal Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * changelog: add entry Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> Co-authored-by: Kristoffer Dalby <kristoffer@tailscale.com>	2025-06-06 12:14:11 +02:00
Florian Preinstorfer	cd704570be	Drop support for Ubuntu 20.04 ... Its old and our service file logs warning about unsupported options.	2025-05-21 15:40:32 +02:00