Commit Graph

  • 27f5641341 golangci: add forbidigo rule for zerolog field constants Kristoffer Dalby 2026-01-28 14:05:46 +00:00
  • cf3d30b6f6 types: add MarshalZerologObject to domain types Kristoffer Dalby 2026-01-28 13:37:48 +00:00
  • 58020696fe zlog: add utility package for safe and consistent logging Kristoffer Dalby 2026-01-28 13:37:22 +00:00
  • e44b402fe4 integration: update TestSubnetRouteACL for filter merging and IPProto Kristoffer Dalby 2026-02-03 09:01:30 +00:00
  • 835b7eb960 policy: autogroup:internet does not generate packet filters Kristoffer Dalby 2026-01-28 13:08:38 +00:00
  • 95b1fd636e policy: fix wildcard DstPorts format and proto:icmp handling Kristoffer Dalby 2026-01-28 12:05:08 +00:00
  • 834ac27779 policy/v2: add subnet routes and exit node compatibility tests Kristoffer Dalby 2026-01-28 12:04:52 +00:00
  • 4a4032a4b0 changelog: document filter rule merging Kristoffer Dalby 2026-01-24 07:49:51 +00:00
  • 29aa08df0e policy: update test expectations for merged filter rules Kristoffer Dalby 2026-01-24 07:49:39 +00:00
  • 0b1727c337 policy: merge filter rules with identical SrcIPs and IPProto Kristoffer Dalby 2026-01-24 07:49:21 +00:00
  • 08fe2e4d6c policy: use CIDR format for autogroup:self destinations Kristoffer Dalby 2026-01-23 21:05:00 +00:00
  • cb29cade46 docs: add compatibility test documentation Kristoffer Dalby 2026-01-23 20:58:38 +00:00
  • f27298c759 changelog: document wildcard CGNAT range change Kristoffer Dalby 2026-01-23 20:52:50 +00:00
      Add breaking change entry for the wildcard resolution change to use CGNAT/ULA ranges instead of all IPs.
      Updates #3036
  • 8baa14ef4a policy: use CGNAT/ULA ranges for wildcard resolution Kristoffer Dalby 2026-01-23 20:52:35 +00:00
      Change Asterix.Resolve() to use Tailscale's CGNAT range (100.64.0.0/10) and ULA range (fd7a:115c:a1e0::/48) instead of all IPs (0.0.0.0/0 and ::/0). This better matches Tailscale's security model where wildcard (*) means "any node in the tailnet" rather than literally "any IP address on the internet".
      Updates #3036
  • ebdbe03639 policy: validate autogroup:self sources in ACL rules Kristoffer Dalby 2026-01-23 20:37:27 +00:00
      Tailscale validates that autogroup:self destinations in ACL rules can only be used when ALL sources are users, groups, autogroup:member, or wildcard (*). Previously, Headscale only performed this validation for SSH rules. Add validateACLSrcDstCombination() to enforce that tags, autogroup:tagged, hosts, and raw IPs cannot be used as sources with autogroup:self destinations. Invalid policies like tag:client → autogroup:self:* are now rejected at validation time, matching Tailscale behavior. Wildcard (*) is allowed because autogroup:self evaluation narrows it per-node to only the node's own IPs.
  • f735502eae policy: add ICMP protocols to default and export constants Kristoffer Dalby 2026-01-23 20:16:02 +00:00
      When ACL rules don't specify a protocol, Headscale now defaults to [TCP, UDP, ICMP, ICMPv6] instead of just [TCP, UDP], matching Tailscale's behavior. Also export protocol number constants (ProtocolTCP, ProtocolUDP, etc.) for use in external test packages, renaming the string protocol constants to ProtoNameTCP, ProtoNameUDP, etc. to avoid conflicts. This resolves 78 ICMP-related TODOs in the Tailscale compatibility tests, reducing the total from 165 to 87.
  • 53d17aa321 policy: add comprehensive Tailscale ACL compatibility tests Kristoffer Dalby 2026-01-23 19:36:17 +00:00
      Add extensive test coverage verifying Headscale's ACL policy behavior matches Tailscale's coordination server.
      Tests cover:
      - Source/destination resolution for users, groups, tags, hosts, IPs
      - autogroup:member, autogroup:tagged, autogroup:self behavior
      - Filter rule deduplication and merging semantics
      - Multi-rule interaction patterns
      - Error case validation
      Key behavioral differences documented:
      - Headscale creates separate filter entries per ACL rule; Tailscale merges rules with identical sources
      - Headscale deduplicates Dsts within a rule; Tailscale does not
      - Headscale does not validate autogroup:self source restrictions for ACL rules (only SSH rules); Tailscale rejects invalid sources
      Tests are based on real Tailscale coordination server responses captured from a test environment with 5 nodes (1 user-owned, 4 tagged).
  • 14f833bdb9 policy: fix autogroup:self handling for tagged nodes Kristoffer Dalby 2026-01-23 19:35:42 +00:00
      Skip autogroup:self destination processing for tagged nodes since they can never match autogroup:self (which only applies to user-owned nodes). Also reorder the IsTagged() check to short-circuit before accessing User() to avoid potential nil pointer access on tagged nodes.
  • 80518c75ab Deployed 9e50071d to development with MkDocs 1.6.1 and mike 2.1.3 github-actions 2026-02-05 07:01:32 +00:00
  • 9e50071df9 Link Fosdem 2026 talk Florian Preinstorfer 2026-02-05 07:30:16 +01:00
  • c907b0d323 Fix version in mkdocs Florian Preinstorfer 2026-02-05 07:25:22 +01:00
  • 4f263d91e2 Deployed 97fa117c to 0.28.0 with MkDocs 1.6.1 and mike 2.1.3 github-actions 2026-02-04 20:27:34 +00:00
  • 97fa117c48 changelog: set 0.28 date v0.28.0 Kristoffer Dalby 2026-02-04 21:19:23 +01:00
  • b5329ff0f3 flake.lock: update nixpkgs to 2026-02-03 Kristoffer Dalby 2026-02-04 16:54:08 +01:00
  • eac8a57bce flake.nix: update hashes for dependency changes Kristoffer Dalby 2026-02-04 16:42:49 +01:00
  • 44af046196 all: update Go module dependencies Kristoffer Dalby 2026-02-04 16:42:42 +01:00
  • 4a744f423b changelog: change api key format Kristoffer Dalby 2026-02-04 16:00:47 +01:00
  • ca75e096e6 integration: add test for tagged→user-owned conversion panic Kristoffer Dalby 2026-02-02 14:53:27 +00:00
  • ce7c256d1e state: set User pointer during tagged→user-owned conversion Kristoffer Dalby 2026-02-02 14:52:47 +00:00
  • 4912ceaaf5 state: inline reauthExistingNode and convertTaggedNodeToUser Kristoffer Dalby 2026-01-28 15:25:03 +00:00
  • d7f7f2c85e state: validate tags before UpdateNode to ensure consistency Kristoffer Dalby 2026-01-28 15:09:27 +00:00
  • df184e5276 state: fix expiry handling during node tag conversion Kristoffer Dalby 2026-01-28 14:33:46 +00:00
  • 0630fd32e5 state: refactor HandleNodeFromAuthPath for clarity Kristoffer Dalby 2026-01-28 10:30:48 +00:00
  • 306aabbbce state: fix nil pointer panic when re-registering tagged node without user Kristoffer Dalby 2026-01-26 10:58:05 +00:00
  • a09b0d1d69 policy/v2: add Caller() to log statements in compileACLWithAutogroupSelf Kristoffer Dalby 2026-02-02 14:33:22 +00:00
  • 362696a5ef policy/v2: keep partial IPSet on SSH destination resolution errors Kristoffer Dalby 2026-02-02 14:32:52 +00:00
  • 1f32c8bf61 policy/v2: add IsTagged() guards to prevent panics on tagged nodes Kristoffer Dalby 2026-02-02 14:32:22 +00:00
  • fb137a8fe3 policy/v2: use partial IPSet on group resolution errors in autogroup:self path Kristoffer Dalby 2026-02-02 14:07:43 +00:00
  • c2f28efbd7 policy/v2: add test for issue #2990 same-user tagged device Kristoffer Dalby 2026-01-27 09:02:03 +00:00
  • 11f0d4cfdd policy/v2: include nodes with empty filters in BuildPeerMap Kristoffer Dalby 2026-01-26 09:01:59 +00:00
  • ea53078dde integration: add test for tagged→user-owned conversion panic kradalby/3038-reg-panic Kristoffer Dalby 2026-02-02 14:53:27 +00:00
  • 80a34ec3c1 state: set User pointer during tagged→user-owned conversion Kristoffer Dalby 2026-02-02 14:52:47 +00:00
  • 2cbbfc4319 state: inline reauthExistingNode and convertTaggedNodeToUser Kristoffer Dalby 2026-01-28 15:25:03 +00:00
  • 32203accbe state: validate tags before UpdateNode to ensure consistency Kristoffer Dalby 2026-01-28 15:09:27 +00:00
  • 7b6990f63e state: fix expiry handling during node tag conversion Kristoffer Dalby 2026-01-28 14:33:46 +00:00
  • 0694caf4d2 state: refactor HandleNodeFromAuthPath for clarity Kristoffer Dalby 2026-01-28 10:30:48 +00:00
  • 5e4ac702e4 Deployed 5d300273 to development with MkDocs 1.6.1 and mike 2.1.3 github-actions 2026-01-28 15:08:07 +00:00
  • 5d300273dc Add a tags page and describe a few common operations Florian Preinstorfer 2026-01-24 10:58:58 +01:00
  • 7f003ecaff Add a page to describe supported registration methods Florian Preinstorfer 2026-01-20 21:05:10 +01:00
  • 2695d1527e Use registration key instead of machine key Florian Preinstorfer 2026-01-20 19:50:08 +01:00
  • d32f6707f7 Add missing words Florian Preinstorfer 2026-01-20 16:46:27 +01:00
  • 89e436f0e6 Bump year/version for mkdocs Florian Preinstorfer 2026-01-16 15:55:35 +01:00
  • b066f05945 state: fix nil pointer panic when re-registering tagged node without user Kristoffer Dalby 2026-01-26 10:58:05 +00:00
  • 46daa659e2 state: omit AuthKeyID/AuthKey in node Updates to prevent FK errors Kristoffer Dalby 2026-01-26 08:54:14 +00:00
  • 49b70db7f2 Conversion from personal to tagged node is reversible Florian Preinstorfer 2026-01-24 13:29:31 +01:00
  • 04b4071888 Fix node expiration success message Florian Preinstorfer 2026-01-24 14:06:42 +01:00
  • ee127edbf7 Remove trace log for preauthkeys create Florian Preinstorfer 2026-01-23 08:19:51 +01:00
  • 606e5f68a0 changelog: fixups for 0.28.0-beta.2 v0.28.0-beta.2 Kristoffer Dalby 2026-01-22 08:29:26 +00:00
  • a04b21abc6 gen: regenerate protobuf and type views Kristoffer Dalby 2026-01-21 16:51:04 +00:00
  • 92caadcee6 nix: update vendor hash for Go dependencies Kristoffer Dalby 2026-01-21 16:50:53 +00:00
  • aa29fd95a3 derp: migrate to derpserver package API Kristoffer Dalby 2026-01-21 16:50:28 +00:00
  • 0565e01c2f go.mod: update dependencies Kristoffer Dalby 2026-01-21 16:50:22 +00:00
  • aee1d2a640 nix: fix deprecated attributes and update dev tools Kristoffer Dalby 2026-01-21 16:50:10 +00:00
  • ee303186b3 docs: add changelog for SSH policy changes Kristoffer Dalby 2026-01-21 15:30:11 +00:00
  • e9a94f00a9 integration: update SSH tests for validation rules Kristoffer Dalby 2026-01-21 12:15:15 +00:00
  • d40203e153 policy: update tests for SSH validation rules Kristoffer Dalby 2026-01-21 12:14:56 +00:00
  • 5688c201e9 policy/v2: validate SSH source/destination combinations Kristoffer Dalby 2026-01-21 12:14:43 +00:00
  • 4e1834adaf db: use PolicyManager for RequestTags migration Shourya Gautam 2026-01-21 19:40:29 +05:30
  • 22afb2c61b policy: fix asymmetric peer visibility with autogroup:self Kristoffer Dalby 2026-01-20 16:49:36 +00:00
  • b3c4d0ec81 integration: add tests for API key expire/delete by ID Kristoffer Dalby 2026-01-16 14:10:42 +00:00
  • b82c9c9c0e docs: add changelog entry for API key expire/delete by ID Kristoffer Dalby 2026-01-16 14:01:07 +00:00
  • e0bae9b769 cli: add --id flag to API key expire/delete commands Kristoffer Dalby 2026-01-16 14:00:38 +00:00
  • a194712c34 grpc: support expire/delete API keys by ID Kristoffer Dalby 2026-01-16 13:57:49 +00:00
  • 8776745428 gen: regenerate protobuf code Kristoffer Dalby 2026-01-16 13:55:20 +00:00
  • b01eda721c proto: add id field to API key expire/delete requests Kristoffer Dalby 2026-01-16 13:54:34 +00:00
  • 42bd9cd058 state: add GetAPIKeyByID method Kristoffer Dalby 2026-01-16 13:53:59 +00:00
  • 515a22e696 go.mod: remove gopkg.in/check.v1 dependency Kristoffer Dalby 2026-01-16 16:33:09 +00:00
  • 6654142fbe cmd/headscale: migrate tests from check.v1 to testify Kristoffer Dalby 2026-01-16 16:32:57 +00:00
  • 424e26d636 db: migrate tests from check.v1 to testify Kristoffer Dalby 2026-01-16 16:32:36 +00:00
  • d9cbb96603 state: add unit test for DeleteUser change signal Kristoffer Dalby 2026-01-14 11:18:34 +00:00
  • c1cfb59b91 ci: add ACL unknown user tests to integration workflow Kristoffer Dalby 2026-01-14 08:52:58 +00:00
  • 4be13baf3f state: update policy manager when deleting users Kristoffer Dalby 2026-01-09 15:31:59 +00:00
  • 98c0817b95 integration: add tests for ACL group with deleted/unknown users Kristoffer Dalby 2026-01-09 15:15:26 +00:00
  • 951fd5a8e7 cli: show Owner column in preauthkeys list Kristoffer Dalby 2026-01-20 09:42:23 +00:00
  • b8f3e09046 integration: fix tags-only auth key tests Kristoffer Dalby 2026-01-14 14:29:52 +00:00
  • 4ab06930a2 hscontrol: handle tags-only PreAuthKeys in registration Kristoffer Dalby 2026-01-14 08:55:58 +00:00
  • 165c5f0491 cli: fix preauthkeys expire/delete argument validation Kristoffer Dalby 2026-01-09 08:49:37 +00:00
  • c8c3c9d4a0 hscontrol: allow CreatePreAuthKey without user when tags provided Kristoffer Dalby 2026-01-07 15:31:28 +01:00
  • 4dd1b49a35 integration: update CLI tests for ID-based preauthkey commands Kristoffer Dalby 2026-01-07 13:45:00 +01:00
  • db6882b5f5 integration: update DeleteAuthKey to use ID Kristoffer Dalby 2026-01-07 13:42:18 +01:00
  • 1325fd8b27 cli,hscontrol: use ID-based preauthkey operations Kristoffer Dalby 2026-01-07 13:36:51 +01:00
  • 8631581852 gen: regenerate proto code Kristoffer Dalby 2026-01-07 13:35:44 +01:00
  • 1398d01bd8 proto: change preauthkey API to ID-based operations Kristoffer Dalby 2026-01-07 13:35:34 +01:00
  • 00da5361b3 integration: test tags-only auth key behavior Kristoffer Dalby 2026-01-07 12:13:04 +01:00
  • 740d2b5a2c integration: support auth keys without user Kristoffer Dalby 2026-01-07 12:12:53 +01:00
  • 3b4b9a4436 hscontrol: fix tag updates not propagating to node self view Kristoffer Dalby 2026-01-15 13:56:48 +00:00
  • 1b6db34b93 integration/tags: add self-tag validation to existing tests Kristoffer Dalby 2026-01-15 13:56:11 +00:00
  • 07a4b1b1fd integration/tags: add dedicated issue #2978 reproduction test Kristoffer Dalby 2026-01-15 13:54:45 +00:00
  • 2e180d2587 integration: add test for reauth tag removal Kristoffer Dalby 2026-01-14 12:22:16 +00:00
  • 0451dd4718 state: allow untagging nodes via reauth with empty RequestTags Kristoffer Dalby 2026-01-14 12:22:02 +00:00