test

Signed-off-by: Kristoffer Dalby <kristoffer@dalby.cc>

.github/workflows/release-docker.yml

@@ -1,138 +0,0 @@
----
-name: Release Docker
-
-on:
-  push:
-    tags:
-      - "*" # triggers only if push new tag version
-  workflow_dispatch:
-
-jobs:
-  docker-release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Set up QEMU for multiple platforms
-        uses: docker/setup-qemu-action@master
-        with:
-          platforms: arm64,amd64
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
-            ghcr.io/${{ github.repository_owner }}/headscale
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha
-            type=raw,value=develop
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          context: .
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new
-          build-args: |
-            VERSION=${{ steps.meta.outputs.version }}
-      - name: Prepare cache for next build
-        run: |
-          rm -rf /tmp/.buildx-cache
-          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
-
-  docker-debug-release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Set up QEMU for multiple platforms
-        uses: docker/setup-qemu-action@master
-        with:
-          platforms: arm64,amd64
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache-debug
-          key: ${{ runner.os }}-buildx-debug-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-debug-
-      - name: Docker meta
-        id: meta-debug
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
-            ghcr.io/${{ github.repository_owner }}/headscale
-          flavor: |
-            suffix=-debug,onlatest=true
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha
-            type=raw,value=develop
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          context: .
-          file: Dockerfile.debug
-          tags: ${{ steps.meta-debug.outputs.tags }}
-          labels: ${{ steps.meta-debug.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=local,src=/tmp/.buildx-cache-debug
-          cache-to: type=local,dest=/tmp/.buildx-cache-debug-new
-          build-args: |
-            VERSION=${{ steps.meta-debug.outputs.version }}
-      - name: Prepare cache for next build
-        run: |
-          rm -rf /tmp/.buildx-cache-debug
-          mv /tmp/.buildx-cache-debug-new /tmp/.buildx-cache-debug

.github/workflows/release.yml

@@ -20,6 +20,6 @@ jobs:
       - uses: DeterminateSystems/magic-nix-cache-action@main
 
       - name: Run goreleaser
-        run: nix develop --command -- goreleaser release --clean
+        run: nix develop --command -- "goreleaser release --clean --debug"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.goreleaser.yml

@@ -9,7 +9,7 @@ release:
 
 builds:
   - id: headscale
-    main: ./cmd/headscale/headscale.go
+    main: ./cmd/headscale
     mod_timestamp: "{{ .CommitTimestamp }}"
     env:
       - CGO_ENABLED=0
@@ -63,7 +63,6 @@ nfpms:
     bindir: /usr/bin
     formats:
       - deb
-      # - rpm
     contents:
       - src: ./config-example.yaml
         dst: /etc/headscale/config.yaml
@@ -80,6 +79,85 @@ nfpms:
       postinstall: ./docs/packaging/postinstall.sh
       postremove: ./docs/packaging/postremove.sh
 
+kos:
+  - id: ghcr
+    repository: ghcr.io/kradalby/headscale
+    base_image: gcr.io/distroless/base-debian12
+    build: headscale
+    main: ./cmd/headscale
+    env:
+      - CGO_ENABLED=0
+    platforms:
+      - linux/amd64
+      - linux/386
+      - linux/arm64
+      - linux/arm/v7
+    tags:
+      - latest
+      - "{{ .Tag }}"
+      - "{{ .Major }}.{{ .Minor }}.{{ .Patch }}"
+      - "{{ .Major }}.{{ .Minor }}"
+      - "{{ .Major }}"
+      - "sha-{{ .ShortCommit }}"
+      - "{{ if not .Prerelease }}stable{{ end }}"
+
+  - id: dockerhub
+    build: headscale
+    base_image: gcr.io/distroless/base-debian12
+    repository: headscale/headscale
+    platforms:
+      - linux/amd64
+      - linux/386
+      - linux/arm64
+      - linux/arm/v7
+    tags:
+      - latest
+      - "{{ .Tag }}"
+      - "{{ .Major }}.{{ .Minor }}.{{ .Patch }}"
+      - "{{ .Major }}.{{ .Minor }}"
+      - "{{ .Major }}"
+      - "sha-{{ .ShortCommit }}"
+      - "{{ if not .Prerelease }}stable{{ end }}"
+
+  - id: ghcr-debug
+    repository: ghcr.io/kradalby/headscale
+    base_image: "debian:12"
+    build: headscale
+    main: ./cmd/headscale
+    env:
+      - CGO_ENABLED=0
+    platforms:
+      - linux/amd64
+      - linux/386
+      - linux/arm64
+      - linux/arm/v7
+    tags:
+      - latest
+      - "{{ .Tag }}-debug"
+      - "{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug"
+      - "{{ .Major }}.{{ .Minor }}-debug"
+      - "{{ .Major }}-debug"
+      - "sha-{{ .ShortCommit }}-debug"
+      - "{{ if not .Prerelease }}stable{{ end }}-debug"
+
+  - id: dockerhub-debug
+    build: headscale
+    base_image: "debian:12"
+    repository: headscale/headscale
+    platforms:
+      - linux/amd64
+      - linux/386
+      - linux/arm64
+      - linux/arm/v7
+    tags:
+      - latest
+      - "{{ .Tag }}-debug"
+      - "{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug"
+      - "{{ .Major }}.{{ .Minor }}-debug"
+      - "{{ .Major }}-debug"
+      - "sha-{{ .ShortCommit }}-debug"
+      - "{{ if not .Prerelease }}stable{{ end }}-debug"
+
 checksum:
   name_template: "checksums.txt"
 snapshot:

Dockerfile

@@ -1,30 +0,0 @@
-# Builder image
-FROM docker.io/golang:1.21-bookworm AS build
-ARG VERSION=dev
-ENV GOPATH /go
-WORKDIR /go/src/headscale
-
-COPY go.mod go.sum /go/src/headscale/
-RUN go mod download
-
-COPY . .
-
-RUN CGO_ENABLED=0 GOOS=linux go install -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
-RUN strip /go/bin/headscale
-RUN test -e /go/bin/headscale
-
-# Production image
-FROM docker.io/debian:bookworm-slim
-
-RUN apt-get update \
-  && apt-get install -y ca-certificates \
-  && rm -rf /var/lib/apt/lists/* \
-  && apt-get clean
-
-COPY --from=build /go/bin/headscale /bin/headscale
-ENV TZ UTC
-
-RUN mkdir -p /var/run/headscale
-
-EXPOSE 8080/tcp
-CMD ["headscale"]

Dockerfile.debug

@@ -1,4 +1,7 @@
-# Builder image
+# This Dockerfile and the images produced are for testing headscale,
+# and are in no way endorsed by Headscale's maintainers as an
+# official nor supported release or distribution.
+
 FROM docker.io/golang:1.21-bookworm AS build
 ARG VERSION=dev
 ENV GOPATH /go

Dockerfile.tailscale-HEAD

@@ -1,3 +1,7 @@
+# This Dockerfile and the images produced are for testing headscale,
+# and are in no way endorsed by Headscale's maintainers as an
+# official nor supported release or distribution.
+
 FROM golang:latest
 
 RUN apt-get update \

flake.nix

@@ -95,6 +95,7 @@
           gotestsum
           gotests
           ksh
+          ko
 
           # 'dot' is needed for pprof graphs
           # go tool pprof -http=: <source>

hscontrol/db/node.go

@@ -900,7 +900,7 @@ func (hsdb *HSDatabase) ExpireExpiredNodes(lastCheck time.Time) time.Time {
 			// Do not use setNodeExpiry as that has a notifier hook, which
 			// can cause a deadlock, we are updating all changed nodes later
 			// and there is no point in notifiying twice.
-			if err := hsdb.db.Model(nodes[index]).Updates(types.Node{
+			if err := hsdb.db.Model(&nodes[index]).Updates(types.Node{
 				Expiry: &started,
 			}).Error; err != nil {
 				log.Error().

hscontrol/db/routes.go

@@ -585,6 +585,10 @@ func (hsdb *HSDatabase) failoverRoute(r *types.Route) ([]key.MachinePublic, erro
 			continue
 		}
 
+		if !route.Enabled {
+			continue
+		}
+
 		if hsdb.notifier.IsConnected(route.Node.MachineKey) {
 			newPrimary = &routes[idx]
 			break

hscontrol/db/routes_test.go

@@ -371,6 +371,7 @@ func TestFailoverRoute(t *testing.T) {
 					MachineKey: machineKeys[0],
 				},
 				IsPrimary: true,
+				Enabled:   true,
 			},
 			routes: types.Routes{
 				types.Route{
@@ -382,6 +383,7 @@ func TestFailoverRoute(t *testing.T) {
 						MachineKey: machineKeys[0],
 					},
 					IsPrimary: true,
+					Enabled:   true,
 				},
 				types.Route{
 					Model: gorm.Model{
@@ -392,6 +394,7 @@ func TestFailoverRoute(t *testing.T) {
 						MachineKey: machineKeys[1],
 					},
 					IsPrimary: false,
+					Enabled:   true,
 				},
 			},
 			want: []key.MachinePublic{
@@ -411,6 +414,7 @@ func TestFailoverRoute(t *testing.T) {
 					MachineKey: machineKeys[0],
 				},
 				IsPrimary: false,
+				Enabled:   true,
 			},
 			routes: types.Routes{
 				types.Route{
@@ -422,6 +426,7 @@ func TestFailoverRoute(t *testing.T) {
 						MachineKey: machineKeys[0],
 					},
 					IsPrimary: true,
+					Enabled:   true,
 				},
 				types.Route{
 					Model: gorm.Model{
@@ -432,6 +437,7 @@ func TestFailoverRoute(t *testing.T) {
 						MachineKey: machineKeys[1],
 					},
 					IsPrimary: false,
+					Enabled:   true,
 				},
 			},
 			want:    nil,
@@ -448,6 +454,7 @@ func TestFailoverRoute(t *testing.T) {
 					MachineKey: machineKeys[1],
 				},
 				IsPrimary: true,
+				Enabled:   true,
 			},
 			routes: types.Routes{
 				types.Route{
@@ -459,6 +466,7 @@ func TestFailoverRoute(t *testing.T) {
 						MachineKey: machineKeys[0],
 					},
 					IsPrimary: false,
+					Enabled:   true,
 				},
 				types.Route{
 					Model: gorm.Model{
@@ -469,6 +477,7 @@ func TestFailoverRoute(t *testing.T) {
 						MachineKey: machineKeys[1],
 					},
 					IsPrimary: true,
+					Enabled:   true,
 				},
 				types.Route{
 					Model: gorm.Model{
@@ -479,6 +488,7 @@ func TestFailoverRoute(t *testing.T) {
 						MachineKey: machineKeys[2],
 					},
 					IsPrimary: false,
+					Enabled:   true,
 				},
 			},
 			want: []key.MachinePublic{
@@ -498,6 +508,7 @@ func TestFailoverRoute(t *testing.T) {
 					MachineKey: machineKeys[0],
 				},
 				IsPrimary: true,
+				Enabled:   true,
 			},
 			routes: types.Routes{
 				types.Route{
@@ -509,6 +520,7 @@ func TestFailoverRoute(t *testing.T) {
 						MachineKey: machineKeys[0],
 					},
 					IsPrimary: true,
+					Enabled:   true,
 				},
 				// Offline
 				types.Route{
@@ -520,6 +532,7 @@ func TestFailoverRoute(t *testing.T) {
 						MachineKey: machineKeys[3],
 					},
 					IsPrimary: false,
+					Enabled:   true,
 				},
 			},
 			want:    nil,
@@ -536,6 +549,7 @@ func TestFailoverRoute(t *testing.T) {
 					MachineKey: machineKeys[0],
 				},
 				IsPrimary: true,
+				Enabled:   true,
 			},
 			routes: types.Routes{
 				types.Route{
@@ -547,6 +561,7 @@ func TestFailoverRoute(t *testing.T) {
 						MachineKey: machineKeys[0],
 					},
 					IsPrimary: true,
+					Enabled:   true,
 				},
 				// Offline
 				types.Route{
@@ -558,6 +573,7 @@ func TestFailoverRoute(t *testing.T) {
 						MachineKey: machineKeys[3],
 					},
 					IsPrimary: false,
+					Enabled:   true,
 				},
 				types.Route{
 					Model: gorm.Model{
@@ -568,6 +584,7 @@ func TestFailoverRoute(t *testing.T) {
 						MachineKey: machineKeys[1],
 					},
 					IsPrimary: true,
+					Enabled:   true,
 				},
 			},
 			want: []key.MachinePublic{
@@ -576,6 +593,47 @@ func TestFailoverRoute(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		{
+			name: "failover-primary-none-enabled",
+			failingRoute: types.Route{
+				Model: gorm.Model{
+					ID: 1,
+				},
+				Prefix: ipp("10.0.0.0/24"),
+				Node: types.Node{
+					MachineKey: machineKeys[0],
+				},
+				IsPrimary: true,
+				Enabled:   true,
+			},
+			routes: types.Routes{
+				types.Route{
+					Model: gorm.Model{
+						ID: 1,
+					},
+					Prefix: ipp("10.0.0.0/24"),
+					Node: types.Node{
+						MachineKey: machineKeys[0],
+					},
+					IsPrimary: true,
+					Enabled:   true,
+				},
+				// not enabled
+				types.Route{
+					Model: gorm.Model{
+						ID: 2,
+					},
+					Prefix: ipp("10.0.0.0/24"),
+					Node: types.Node{
+						MachineKey: machineKeys[1],
+					},
+					IsPrimary: false,
+					Enabled:   false,
+				},
+			},
+			want:    nil,
+			wantErr: false,
+		},
 	}
 
 	for _, tt := range tests {

hscontrol/types/config.go

@@ -590,7 +590,7 @@ func GetHeadscaleConfig() (*Config, error) {
 		if err != nil {
 			return nil, err
 		}
-		oidcClientSecret = string(secretBytes)
+		oidcClientSecret = strings.TrimSpace(string(secretBytes))
 	}
 
 	return &Config{