add .gitignore, fix headscale CLI to use numeric user IDs

- Add .gitignore for nix build result symlinks - Fix all headscale CLI commands: --user now requires numeric ID, not username (changed in newer headscale versions) - Add 'headscale users list' step to docs where preauth keys are created
2026-03-14 12:28:47 +01:00 · 2026-03-14 12:28:47 +01:00 · dbf98e2f22
commit dbf98e2f22
parent 4c560abffd
6 changed files with 36 additions and 19 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+result
+result-*
--- a/docs/getting-started/first-install.md
+++ b/docs/getting-started/first-install.md
@ -204,8 +204,8 @@ Diese Secrets koennen erst nach Schritt 4 erstellt werden. **Jetzt noch nicht ei

 | Secret | Befehl | Voraussetzung |
 |--------|--------|---------------|
-| `tailscale/auth-key` | `sudo headscale preauthkeys create --expiration 99y --reusable --user default` | Headscale laeuft |
-| `headplane/agent_pre_authkey` | `sudo headscale users create headplane-agent && sudo headscale preauthkeys create --expiration 99y --user headplane-agent` | Headscale laeuft |
+| `tailscale/auth-key` | Siehe Schritt 4.1-4.2 | Headscale laeuft |
+| `headplane/agent_pre_authkey` | Siehe Schritt 4.1-4.2 | Headscale laeuft |
 | `forgejo-runner/token` | Forgejo Admin Panel > Actions > Runners > Create Runner | Forgejo laeuft |

 #### Beispiel secrets.yaml (Klartext vor Verschluesselung)
@ -276,20 +276,28 @@ Nachdem der Server mit Headscale und Forgejo laeuft:
   sudo headscale users create headplane-agent
   ```

-2. **Preauth-Keys generieren**:
+2. **User-IDs ermitteln** (wird fuer die Preauth-Keys benoetigt):

   ```bash
-   # Fuer Tailscale
-   sudo headscale preauthkeys create --expiration 99y --reusable --user default
-
-   # Fuer Headplane Agent
-   sudo headscale preauthkeys create --expiration 99y --user headplane-agent
+   sudo headscale users list
   ```

-3. **Forgejo-Runner-Token** ueber das Forgejo Admin Panel erstellen:
+   Die Ausgabe zeigt die numerischen IDs (z.B. `1` fuer default, `2` fuer headplane-agent).
+
+3. **Preauth-Keys generieren** (mit den IDs aus Schritt 2):
+
+   ```bash
+   # Fuer Tailscale (User-ID von "default" einsetzen)
+   sudo headscale preauthkeys create --expiration 99y --reusable --user <ID>
+
+   # Fuer Headplane Agent (User-ID von "headplane-agent" einsetzen)
+   sudo headscale preauthkeys create --expiration 99y --user <ID>
+   ```
+
+4. **Forgejo-Runner-Token** ueber das Forgejo Admin Panel erstellen:
   Administration > Actions > Runners > Create new Runner

-4. **Secrets ergaenzen**:
+5. **Secrets ergaenzen**:

   ```bash
   sops hosts/<hostname>/secrets.yaml
@ -306,7 +314,7 @@ Nachdem der Server mit Headscale und Forgejo laeuft:
       agent_pre_authkey: "..."
   ```

-5. **Stufe-2-Services aktivieren** in `hosts/<hostname>/services/default.nix`:
+6. **Stufe-2-Services aktivieren** in `hosts/<hostname>/services/default.nix`:

   ```nix
   {
--- a/docs/getting-started/new-client.md
+++ b/docs/getting-started/new-client.md
@ -36,7 +36,10 @@ Diese Anleitung beschreibt das Hinzufügen eines **neuen Raspberry Pi Clients**
 **Auf cryodev-main** (per SSH):

 ```bash
-sudo headscale preauthkeys create --expiration 99y --reusable --user default
+# User-ID ermitteln
+sudo headscale users list
+# Preauth-Key erstellen (User-ID von "default" einsetzen)
+sudo headscale preauthkeys create --expiration 99y --reusable --user <ID>
 ```

 **Ausgabe notieren!** (z.B. `tskey-preauth-abc123...`)
--- a/docs/services/headplane.md
+++ b/docs/services/headplane.md
@ -25,9 +25,10 @@ nix-shell -p openssl --run 'openssl rand -hex 16'
 ```bash
 # First, create a dedicated user
 sudo headscale users create headplane-agent
-
-# Then create a reusable pre-auth key
-sudo headscale preauthkeys create --expiration 99y --reusable --user headplane-agent
+# Find the user ID
+sudo headscale users list
+# Then create a reusable pre-auth key (use the ID of headplane-agent)
+sudo headscale preauthkeys create --expiration 99y --reusable --user <ID>
 ```

 ### Add to Secrets
@ -101,7 +102,7 @@ sudo journalctl -u headplane -f
 Verify the agent pre-auth key is valid:

 ```bash
-sudo headscale preauthkeys list --user headplane-agent
+sudo headscale preauthkeys list --user <ID>
 ```

 If expired, create a new one and update the secrets file.
--- a/docs/services/sops.md
+++ b/docs/services/sops.md
@ -153,7 +153,7 @@ netdata:
 | Mailserver password | `nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'` |
 | Random hex token | `nix-shell -p openssl --run 'openssl rand -hex 16'` |
 | UUID | `uuidgen` |
-| Tailscale preauth | `sudo headscale preauthkeys create --expiration 99y --reusable --user default` |
+| Tailscale preauth | `sudo headscale preauthkeys create --expiration 99y --reusable --user <ID>` |

 ## Updating Keys

--- a/docs/services/tailscale.md
+++ b/docs/services/tailscale.md
@ -14,7 +14,10 @@ Tailscale clients connect to the self-hosted Headscale server to join the mesh V
 On the Headscale server (cryodev-main):

 ```bash
-sudo headscale preauthkeys create --expiration 99y --reusable --user default
+# User-ID ermitteln
+sudo headscale users list
+# Preauth-Key erstellen (User-ID von "default" einsetzen)
+sudo headscale preauthkeys create --expiration 99y --reusable --user <ID>
 ```

 ### Add to Secrets
@ -111,7 +114,7 @@ Check the auth key is valid:

 ```bash
 # On Headscale server
-sudo headscale preauthkeys list --user default
+sudo headscale preauthkeys list --user <ID>
 ```

 Verify the login server URL is correct in the client configuration.