Merge d5bd8be9ad into 6275399327

* Link back to node registration docs
* adjust wording in apple docs
* Mention client specific page to check if headscale works

Ref: #2238

docs/ref/acls.md

@@ -45,11 +45,11 @@ headscale server.
 
 ACLs have to be written in [huJSON](https://github.com/tailscale/hujson).
 
-When registering the servers we will need to add the flag
-`--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user that is
-registering the server should be allowed to do it. Since anyone can add tags to
-a server they can register, the check of the tags is done on headscale server
-and only valid tags are applied. A tag is valid if the user that is
+When [registering the servers](../usage/getting-started.md#register-a-node) we
+will need to add the flag `--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user
+that is registering the server should be allowed to do it. Since anyone can add
+tags to a server they can register, the check of the tags is done on headscale
+server and only valid tags are applied. A tag is valid if the user that is
 registering it is allowed to do it.
 
 To use ACLs in headscale, you must edit your `config.yaml` file. In there you will find a `policy.path` parameter. This will need to point to your ACL file. More info on how these policies are written can be found [here](https://tailscale.com/kb/1018/acls/).

docs/ref/tls.md

@@ -9,6 +9,8 @@ tls_cert_path: ""
 tls_key_path: ""
 ```
 
+The certificate should contain the full chain, else some clients, like the Tailscale Android client, will reject it.
+
 ## Let's Encrypt / ACME
 
 To get a certificate automatically via [Let's Encrypt](https://letsencrypt.org/), set `tls_letsencrypt_hostname` to the desired certificate hostname. This name must resolve to the IP address(es) headscale is reachable on (i.e., it must correspond to the `server_url` configuration parameter). The certificate and Let's Encrypt account credentials will be stored in the directory configured in `tls_letsencrypt_cache_dir`. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from.

docs/usage/connect/apple.md

@@ -60,7 +60,7 @@ Install the official Tailscale tvOS client from the [App Store](https://apps.app
 
 ### Configuring the headscale URL
 
-- Go Settings (the apple tvOS settings) > Apps > Tailscale
+- Open Settings (the Apple tvOS settings) > Apps > Tailscale
 - Under `ALTERNATE COORDINATION SERVER URL`, select `URL`
 - Enter the URL of your headscale instance (e.g `https://headscale.example.com`) and press `OK`
 - Return to the tvOS Home screen

docs/usage/getting-started.md

@@ -9,6 +9,8 @@ This page helps you get started with headscale and provides a few usage examples
       installation instructions.
     * The configuration file exists and is adjusted to suit your environment, see
       [Configuration](../ref/configuration.md) for details.
+    * Headscale is reachable from the Internet. Verify this by opening client specific setup instructions in your
+      browser, e.g. https://headscale.example.com/windows
     * The Tailscale client is installed, see [Client and operating system support](../about/clients.md) for more
       information.
 

flake.lock

@@ -5,11 +5,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1726560853,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
         "type": "github"
       },
       "original": {
@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1730958623,
-        "narHash": "sha256-JwQZIGSYnRNOgDDoIgqKITrPVil+RMWHsZH1eE1VGN0=",
+        "lastModified": 1731763621,
+        "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "85f7e662eda4fa3a995556527c87b2524b691933",
+        "rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d",
         "type": "github"
       },
       "original": {

hscontrol/policy/acls.go

@@ -991,7 +991,10 @@ func filterNodesByUser(nodes types.Nodes, users []types.User, userToken string)
 	var potentialUsers []types.User
 	for _, user := range users {
 		if user.ProviderIdentifier == userToken {
-			potentialUsers = append(potentialUsers, user)
+			// If a user is matching with a known unique field,
+			// disgard all other users and only keep the current
+			// user.
+			potentialUsers = []types.User{user}
 
 			break
 		}

hscontrol/policy/acls_test.go

@@ -869,13 +869,18 @@ func Test_expandPorts(t *testing.T) {
 	}
 }
 
-func Test_listNodesInUser(t *testing.T) {
+func Test_filterNodesByUser(t *testing.T) {
 	users := []types.User{
 		{Model: gorm.Model{ID: 1}, Name: "marc"},
 		{Model: gorm.Model{ID: 2}, Name: "joe", Email: "joe@headscale.net"},
 		{Model: gorm.Model{ID: 3}, Name: "mikael", Email: "mikael@headscale.net", ProviderIdentifier: "http://oidc.org/1234"},
 		{Model: gorm.Model{ID: 4}, Name: "mikael2", Email: "mikael@headscale.net"},
 		{Model: gorm.Model{ID: 5}, Name: "mikael", Email: "mikael2@headscale.net"},
+		{Model: gorm.Model{ID: 6}, Name: "http://oidc.org/1234", Email: "mikael@headscale.net"},
+		{Model: gorm.Model{ID: 7}, Name: "1"},
+		{Model: gorm.Model{ID: 8}, Name: "alex", Email: "alex@headscale.net"},
+		{Model: gorm.Model{ID: 9}, Name: "alex@headscale.net"},
+		{Model: gorm.Model{ID: 10}, Email: "http://oidc.org/1234"},
 	}
 
 	type args struct {
@@ -947,6 +952,7 @@ func Test_listNodesInUser(t *testing.T) {
 				nodes: types.Nodes{
 					&types.Node{ID: 1, User: users[1]},
 					&types.Node{ID: 2, User: users[2]},
+					&types.Node{ID: 8, User: users[7]},
 				},
 				user: "joe@headscale.net",
 			},
@@ -1057,6 +1063,7 @@ func Test_listNodesInUser(t *testing.T) {
 					&types.Node{ID: 3, User: users[2]},
 					&types.Node{ID: 4, User: users[3]},
 					&types.Node{ID: 5, User: users[4]},
+					&types.Node{ID: 8, User: users[7]},
 				},
 				user: "joe@headscale.net",
 			},
@@ -1064,6 +1071,17 @@ func Test_listNodesInUser(t *testing.T) {
 				&types.Node{ID: 2, User: users[1]},
 			},
 		},
+		{
+			name: "email-as-username-duplicate",
+			args: args{
+				nodes: types.Nodes{
+					&types.Node{ID: 1, User: users[7]},
+					&types.Node{ID: 2, User: users[8]},
+				},
+				user: "alex@headscale.net",
+			},
+			want: nil,
+		},
 		{
 			name: "all-users-no-email-random-order",
 			args: args{
@@ -1087,6 +1105,7 @@ func Test_listNodesInUser(t *testing.T) {
 					&types.Node{ID: 3, User: users[2]},
 					&types.Node{ID: 4, User: users[3]},
 					&types.Node{ID: 5, User: users[4]},
+					&types.Node{ID: 6, User: users[5]},
 				},
 				user: "http://oidc.org/1234",
 			},
@@ -1103,6 +1122,7 @@ func Test_listNodesInUser(t *testing.T) {
 					&types.Node{ID: 3, User: users[2]},
 					&types.Node{ID: 4, User: users[3]},
 					&types.Node{ID: 5, User: users[4]},
+					&types.Node{ID: 6, User: users[5]},
 				},
 				user: "http://oidc.org/4321",
 			},
@@ -1116,7 +1136,11 @@ func Test_listNodesInUser(t *testing.T) {
 				rand.Shuffle(len(ns), func(i, j int) {
 					ns[i], ns[j] = ns[j], ns[i]
 				})
-				got := filterNodesByUser(ns, users, test.args.user)
+				us := users
+				rand.Shuffle(len(us), func(i, j int) {
+					us[i], us[j] = us[j], us[i]
+				})
+				got := filterNodesByUser(ns, us, test.args.user)
 				sort.Slice(got, func(i, j int) bool {
 					return got[i].ID < got[j].ID
 				})