types: add node.expiry config, deprecate oidc.expiry

Introduce a structured NodeConfig that replaces the flat EphemeralNodeInactivityTimeout field with a nested Node section. Add node.expiry config (default: no expiry) as the unified default key expiry for all non-tagged nodes regardless of registration method. Remove oidc.expiry entirely — node.expiry now applies to OIDC nodes the same as all other registration methods. Using oidc.expiry in the config is a hard error. determineNodeExpiry() returns nil (no expiry) unless use_expiry_from_token is enabled, letting state.go apply the node.expiry default uniformly. The old ephemeral_node_inactivity_timeout key is preserved for backwards compatibility. Updates #1711
2026-04-10 11:14:21 +02:00 · 2026-03-01 22:53:26 +00:00
parent 23a5f1b628
commit 4d0b273b90
7 changed files with 171 additions and 64 deletions
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -145,8 +145,25 @@ derp:
 # Disables the automatic check for headscale updates on startup
 disable_check_updates: false

-# Time before an inactive ephemeral node is deleted?
-ephemeral_node_inactivity_timeout: 30m
+# Node lifecycle configuration.
+node:
+  # Default key expiry for non-tagged nodes, regardless of registration method
+  # (auth key, CLI, web auth). Tagged nodes are exempt and never expire.
+  #
+  # This is the base default. OIDC can override this via oidc.expiry.
+  # If a client explicitly requests a specific expiry, the client value is used.
+  #
+  # Setting the value to "0" means no default expiry (nodes never expire unless
+  # explicitly expired via `headscale nodes expire`).
+  #
+  # Tailscale SaaS uses 180d; set to a positive duration to match that behaviour.
+  #
+  # Default: 0 (no default expiry)
+  expiry: 0
+
+  ephemeral:
+    # Time before an inactive ephemeral node is deleted.
+    inactivity_timeout: 30m

 database:
  # Database type. Available options: sqlite, postgres
@@ -355,15 +372,11 @@ unix_socket_permission: "0770"
 #   # `LoadCredential` straightforward:
 #   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
 #
-#   # The amount of time a node is authenticated with OpenID until it expires
-#   # and needs to reauthenticate.
-#   # Setting the value to "0" will mean no expiry.
-#   expiry: 180d
-#
 #   # Use the expiry from the token received from OpenID when the user logged
 #   # in. This will typically lead to frequent need to reauthenticate and should
 #   # only be enabled if you know what you are doing.
-#   # Note: enabling this will cause `oidc.expiry` to be ignored.
+#   # Note: enabling this will cause `node.expiry` to be ignored for
+#   # OIDC-authenticated nodes.
 #   use_expiry_from_token: false
 #
 #   # The OIDC scopes to use, defaults to "openid", "profile" and "email".