File headscale.changes of Package headscale
-------------------------------------------------------------------
Fri Jun 6 16:05:38 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to 0.26.1:
* Ensure nodes are matching both node key and machine key when connecting
* Fix /machine/map endpoint vulnerability
-------------------------------------------------------------------
Sun Jun 1 01:27:08 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Sync default configurations
-------------------------------------------------------------------
Sun Jun 1 01:25:22 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Fix the ldflags to set version and commit hash again
-------------------------------------------------------------------
Tue May 20 21:50:26 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to 0.26.0:
* make version info in bug template more explicit
* add git hash to binary, print on startup
* remove oidc migration
* use helper function for constructing state updates
* use tsweb debugger
* set 0.25.0 changelog date
* activate json logs
* use tailscale version in all unsupported errs
* handle register auth errors
* fix routes not being saved when new nodes registers
* fix double login URL with OIDC
* Redo route code
* Experimental implementation of Policy v2
* Drop routes table
* Add usage example to routes flag
* Remove leftover printf
* remove policy handling for old capver
* Container images are also available on GHCR
* add faq section on scaling/performance
* Add a FAQ entry about two nodes seeing each other
* update bug template with debug
* Set content-type to JSON for some debug endpoints
* Remove coderabbit
* add third-party tool headscale-pf
* Explicitly handle /headscale/{config,lib,run} in container docs
* Mention that private keys generated if needed
* Multi network integration tests
* OIDC: Fetch UserInfo to get EmailVerified if necessary
* populate serving from primary routes
* allow users to be defined with @ in v1
* fix auto approver on register and new policy
* Add unraid-headscale-admin web UI to docs
* Only read relevant nodes from database in PeerChangedResponse
* ensure final dot on node name
* Restore support for "Override local DNS"
* some clarifications for tags
* Update oidc.md
* flake: add golang-lint lsp
* policy/v2: fix host validation, consistent pattern
* integration: clean up unreferenced hs- networks
* Mention "Network flow logs" as a missing feature
* Fix goroutine leak in EphemeralGC on node cancel
* Fix panic on fast reconnection of node
* add casbin user test
* config: disallow same server url and base_domain
* policy/v2: make default
* integration: remove failing resolvconf tests
* fix webauth + autoapprove routes
* types/authkey: include user object in response
* oidc: try to get username from userinfo
* notify nodes after owner change
* auth: ensure that routes are autoapproved when the node is stored
* Make matchers part of the Policy interface
* cli/nodes: filter nodes without any routes
* error on undefined host in policy
* Update source.md
* policy/v2: validate autogroup:interet only in dst
* cmd: add policy check command
* policy/matcher: fix bug using contains instead of overlap
* update capmap and deps for release
* Add documentation for routes
* Fix deprecation warnings
* feat: Create headscale user and group as system user/groups
* Update container.md
* go.mod: update rest of deps
* Make more granular SSH tests for both Policies
* policy: reduce routes sent to peers based on packetfilter
* Misc doc fixes
* app: throw away not found body
* Remove subnet router visibility workaround from docs
* policy/v2: validate that no undefined group or tag is used
* cli: policy check, dont require config or log
* policy/v2: separate exit node and 0.0.0.0/0 routes
* Add migration steps when policy is stored in the database
* Simplify policy migration
* bring back last_seen in database
* Remove map_legacy_users from example configuration
* fix: change FormatUint base from 64 to 10 in preauthkeys list command
* users: harden, test, and add cleaner of identifier
- remove patches fix-CVE-2025-30204.patch and fix-CVEs.patch, as upstream
updated their dependencies
-------------------------------------------------------------------
Thu Apr 24 17:13:47 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update fix-CVEs.patch for fixing bsc#1241801
-------------------------------------------------------------------
Wed Apr 16 08:06:07 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- add patch fix-CVEs.patch to fix bsc#1241235, bsc#1237674
-------------------------------------------------------------------
Tue Apr 1 14:53:49 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- add patch fix-CVE-2025-30204.patch, for fixing bsc#1240506
-------------------------------------------------------------------
Tue Feb 25 22:37:35 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to 0.25.1:
* Fix issue where registration errors are sent correctly
* Fix issue where routes are passed on registration were not saved
* Fix issue where registration page was displayed twice
* fix double login URL with OIDC
* fix routes not being saved when new nodes registers
* hand register auth rerrors
-------------------------------------------------------------------
Thu Feb 13 14:25:06 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update to 0.25.0:
BREAKING:
* Authentication flow has been rewritten
* Remove support for Tailscale clients older than 1.62 (Capability version 87)
CHANGES:
* oidc.map_legacy_users is now false by default
* Print Tailscale version instead of capability versions for outdated nodes
* Do not allow renaming of users from OIDC
* Change minimum hostname length to 2
* Fix migration error caused by nodes having invalid auth keys
* Pre auth keys belonging to a user are no longer deleted with the user
* Pre auth keys that are used by a node can no longer be deleted
* Rehaul HTTP errors, return better status code and errors to users
-------------------------------------------------------------------
Fri Feb 7 18:56:21 UTC 2025 - Richard Rahl <rrahl0@opensuse.org>
- update 0.24.3:
* Fix migration error caused by nodes having invalid auth keys
* Pre auth keys belonging to a user are no longer deleted with the user
* Pre auth keys that are used by a node can no longer be deleted
- update to 0.24.2:
* Fix issue where email and username being equal fails to match in Policy
* Delete invalid routes before adding a NOT NULL constraint on node_id
- update to 0.24.1:
* Fix migration issue with user table for PostgreSQL
* Relax username validation to allow emails
* Remove invalid routes and add stronger constraints for routes to avoid API panic
* Fix panic when derp.update_frequency is 0
- update to 0.24.0:
BREAKING:
* Remove dns.use_username_in_magic_dns configuration option
* Having usernames in magic DNS is no longer possible.
* Remove versions older than 1.56
* Clean up old code required by old versions
* If you depend on a Headscale Web UI, you should wait with this update until
the UI have been updated to match the new API.
* GET /api/v1/user/{name} and GetUser have been removed in favour of
ListUsers with an ID parameter
* RenameUser and DeleteUser now require an ID instead of a name.
CHANGES:
* Improved compatibility of built-in DERP server with clients connecting over WebSocket
* Allow nodes to use SSH agent forwarding
* Fixed processing of fields in post request in MoveNode rpc
* Added conversion of 'Hostname' to 'givenName' in a node with FQDN rules applied
* Fixed updating of hostname and givenName when it is updated in HostInfo
* Fixed missing stable-debug container tag
* Loosened up server_url and base_domain check. It was overly strict in some cases
* CLI for managing users now accepts --identifier in addition to --name,
usage of --identifier is recommended
* Add dns.extra_records_path configuration option
* Support client verify for DERP
* Add PKCE Verifier for OIDC
-------------------------------------------------------------------
Thu Jan 2 06:06:23 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
- Fix the system integration
- actually build and use the sysuser pre snippet so that the user
is created before tmpfiles.d tries to create files
- no longer break debugsymbols for the binary (remove -s -w)
- use systemd macros for paths
- ensure proper requires/ordering for sysuser/systemd
-------------------------------------------------------------------
Wed Sep 18 19:41:45 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
- update to 0.23.0:
* Code reorganisation, a lot of code has moved
* Change the structure of database configuration, see config-example.yaml
- Old structure has been remove and the configuration must be converted
- Adds additional configuration for PostgreSQL for setting max open,
idle connection and idle connection lifetime
* API: Machine is now Node
* Remove support for older Tailscale clients (supported >=1.42)
* Headscale checks that at least one DERP is defined at start
* Embedded DERP server requires a private key
* Prefixes are now defined per v4 and v6 range
* MagicDNS domains no longer contain usernames
* YAML files are no longer supported for headscale policy (use HuJSON)
* DNS configuration has been restructured
* Use versioned migrations
* Make the OIDC callback page better
* SSH support
* State management has been improved
* Use error group handling to ensure tests actually pass
* Fix hang on SIGTERM
* Send logs to stderr by default
* Fix TS-2023-006 security UPnP issue
* Turn off gRPC logging
* Added the possibility to manually create a DERP-map entry
* Add support for deleting api keys
* Add command to backfill IP addresses for nodes missing IPs from configured prefixes
* Log available update as warning
* Add autogroup:internet to Policy
* Restore foreign keys and add constraints
* Make registration page easier to use on mobile devices
* Make write-ahead-log default on and configurable for SQLite
* Add APIs for managing headscale policy
* Fix for registering nodes using preauthkeys when running
on a postgres database in a non-UTC timezone
* Make sure integration tests cover postgres for all scenarios
* CLI commands (all except serve) only requires minimal configuration
* CLI results are now concistently sent to stdout and errors to stderr
* Fix issue where shutting down headscale would hang
* add shutdown that asserts if headscale had panics
-------------------------------------------------------------------
Thu Apr 18 14:04:09 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
- remove CAP_CHOWN from systemd unit file, as it's unneeded
-------------------------------------------------------------------
Wed Dec 20 06:06:27 UTC 2023 - Richard Rahl <rrahl0@proton.me>
- initial packaging
