* do not allow preauth keys to be deleted if assigned to node

Signed-off-by: Kristoffer Dalby <[email protected]>

* update changelog

Signed-off-by: Kristoffer Dalby <[email protected]>

---------

Signed-off-by: Kristoffer Dalby <[email protected]>

* return an error when renaming users from OIDC
* set minimum hostname length of 2

* add dedicated http error to propagate to user

Signed-off-by: Kristoffer Dalby <[email protected]>

* classify user errors in http handlers

Signed-off-by: Kristoffer Dalby <[email protected]>

* move validation of pre auth key out of db

This move separates the logic a bit and allow us to
write specific errors for the caller, in this case the web
layer so we can present the user with the correct error
codes without bleeding web stuff into a generic validate.

Signed-off-by: Kristoffer Dalby <[email protected]>

* update changelog

Signed-off-by: Kristoffer Dalby <[email protected]>

---------

Signed-off-by: Kristoffer Dalby <[email protected]>

Separate the term "tailnet" from user and be more explicit about
providing a single tailnet.

Also be more explicit about users. Refer to "headscale users" when
mentioning commandline invocations and use the term "local users" when
discussing unix accounts.

Fixes: #2335

…#2412)

Signed-off-by: Kristoffer Dalby <[email protected]>

Signed-off-by: Kristoffer Dalby <[email protected]>

Signed-off-by: Kristoffer Dalby <[email protected]>

* add git hash to binary, print on startup

Signed-off-by: Kristoffer Dalby <[email protected]>

* update changelog

Signed-off-by: Kristoffer Dalby <[email protected]>

---------

Signed-off-by: Kristoffer Dalby <[email protected]>

* remove oidc migration

Signed-off-by: Kristoffer Dalby <[email protected]>

* update changelog

Signed-off-by: Kristoffer Dalby <[email protected]>

---------

Signed-off-by: Kristoffer Dalby <[email protected]>

This helps preventing messages being sent with the wrong update type
and payload combination, and it is shorter/neater.

Signed-off-by: Kristoffer Dalby <[email protected]>

This PR switches the homegrown debug endpoint to using tsweb.Debugger, a neat toolkit with batteries included for pprof and friends, and making it easy to add additional debug info:

I've started out by adding a bunch of "introspect" endpoints
image

So users can see the acl, filter, config, derpmap and connected nodes as headscale sees them.

* date in changelog

Signed-off-by: Kristoffer Dalby <[email protected]>

* update docs version

Signed-off-by: Kristoffer Dalby <[email protected]>

---------

Signed-off-by: Kristoffer Dalby <[email protected]>

Co-authored-by: jan.sulimma <[email protected]>

* handle register auth errors

This commit handles register auth errors as the
Tailscale clients expect. It returns the error as
part of a tailcfg.RegisterResponse and not as a
http error.

In addition it fixes a nil pointer panic triggered
by not handling the errors as part of this chain.

Fixes #2434

Signed-off-by: Kristoffer Dalby <[email protected]>

* changelog

Signed-off-by: Kristoffer Dalby <[email protected]>

---------

Signed-off-by: Kristoffer Dalby <[email protected]>

* add test to validate exitnode propagation

Signed-off-by: Kristoffer Dalby <[email protected]>

* save routes on register

Signed-off-by: Kristoffer Dalby <[email protected]>

* update changelog

Signed-off-by: Kristoffer Dalby <[email protected]>

* no nil

Signed-off-by: Kristoffer Dalby <[email protected]>

* add missing integration tests

Signed-off-by: Kristoffer Dalby <[email protected]>

---------

Signed-off-by: Kristoffer Dalby <[email protected]>

* factor out login url parser

Signed-off-by: Kristoffer Dalby <[email protected]>

* move to not trigger test gen checker

Signed-off-by: Kristoffer Dalby <[email protected]>

* return regresp or err after waiting for registration

Signed-off-by: Kristoffer Dalby <[email protected]>

* update changelog

Signed-off-by: Kristoffer Dalby <[email protected]>

---------

Signed-off-by: Kristoffer Dalby <[email protected]>

Signed-off-by: Kristoffer Dalby <[email protected]>

This PR addresses some consistency issues that was introduced or discovered with the nodestore.

nodestore:
Now returns the node that is being put or updated when it is finished. This closes a race condition where when we read it back, we do not necessarily get the node with the given change and it ensures we get all the other updates from that batch write.

auth:
Authentication paths have been unified and simplified. It removes a lot of bad branches and ensures we only do the minimal work.
A comprehensive auth test set has been created so we do not have to run integration tests to validate auth and it has allowed us to generate test cases for all the branches we currently know of.

integration:
added a lot more tooling and checks to validate that nodes reach the expected state when they come up and down. Standardised between the different auth models. A lot of this is to support or detect issues in the changes to nodestore (races) and auth (inconsistencies after login and reaching correct state)

This PR was assisted, particularly tests, by claude code.

* add health command
* update health check implementation to allow for more checks to added over time
* add change changelog entry

Fixes: #2793

…tFoundError

Correctly identify Viper's ConfigFileNotFoundError in LoadConfig to log a warning and use defaults, unifying behavior with empty config files. Fixes fatal error when no config file is present for CLI commands relying on environment variables.

Also indent and split the comment into two lines to avoid horizontal
scrolling.

#2807)

)