From dbf98e2f22b8c90d29f09b3cffc778e3906bf58e Mon Sep 17 00:00:00 2001 From: steffen Date: Sat, 14 Mar 2026 12:28:47 +0100 Subject: [PATCH] add .gitignore, fix headscale CLI to use numeric user IDs - Add .gitignore for nix build result symlinks - Fix all headscale CLI commands: --user now requires numeric ID, not username (changed in newer headscale versions) - Add 'headscale users list' step to docs where preauth keys are created --- .gitignore | 2 ++ docs/getting-started/first-install.md | 30 +++++++++++++++++---------- docs/getting-started/new-client.md | 5 ++++- docs/services/headplane.md | 9 ++++---- docs/services/sops.md | 2 +- docs/services/tailscale.md | 7 +++++-- 6 files changed, 36 insertions(+), 19 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..750baeb --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +result +result-* diff --git a/docs/getting-started/first-install.md b/docs/getting-started/first-install.md index 01b96e4..9878a3e 100644 --- a/docs/getting-started/first-install.md +++ b/docs/getting-started/first-install.md @@ -204,8 +204,8 @@ Diese Secrets koennen erst nach Schritt 4 erstellt werden. **Jetzt noch nicht ei | Secret | Befehl | Voraussetzung | |--------|--------|---------------| -| `tailscale/auth-key` | `sudo headscale preauthkeys create --expiration 99y --reusable --user default` | Headscale laeuft | -| `headplane/agent_pre_authkey` | `sudo headscale users create headplane-agent && sudo headscale preauthkeys create --expiration 99y --user headplane-agent` | Headscale laeuft | +| `tailscale/auth-key` | Siehe Schritt 4.1-4.2 | Headscale laeuft | +| `headplane/agent_pre_authkey` | Siehe Schritt 4.1-4.2 | Headscale laeuft | | `forgejo-runner/token` | Forgejo Admin Panel > Actions > Runners > Create Runner | Forgejo laeuft | #### Beispiel secrets.yaml (Klartext vor Verschluesselung) 
@@ -276,20 +276,28 @@ Nachdem der Server mit Headscale und Forgejo laeuft: sudo headscale users create headplane-agent ``` -2. **Preauth-Keys generieren**: +2. **User-IDs ermitteln** (wird fuer die Preauth-Keys benoetigt): ```bash - # Fuer Tailscale - sudo headscale preauthkeys create --expiration 99y --reusable --user default - - # Fuer Headplane Agent - sudo headscale preauthkeys create --expiration 99y --user headplane-agent + sudo headscale users list ``` -3. **Forgejo-Runner-Token** ueber das Forgejo Admin Panel erstellen: + Die Ausgabe zeigt die numerischen IDs (z.B. `1` fuer default, `2` fuer headplane-agent). + +3. **Preauth-Keys generieren** (mit den IDs aus Schritt 2): + + ```bash + # Fuer Tailscale (User-ID von "default" einsetzen) + sudo headscale preauthkeys create --expiration 99y --reusable --user + + # Fuer Headplane Agent (User-ID von "headplane-agent" einsetzen) + sudo headscale preauthkeys create --expiration 99y --user + ``` + +4. **Forgejo-Runner-Token** ueber das Forgejo Admin Panel erstellen: Administration > Actions > Runners > Create new Runner -4. **Secrets ergaenzen**: +5. **Secrets ergaenzen**: ```bash sops hosts//secrets.yaml @@ -306,7 +314,7 @@ Nachdem der Server mit Headscale und Forgejo laeuft: agent_pre_authkey: "..." ``` -5. **Stufe-2-Services aktivieren** in `hosts//services/default.nix`: +6. **Stufe-2-Services aktivieren** in `hosts//services/default.nix`: ```nix { diff --git a/docs/getting-started/new-client.md b/docs/getting-started/new-client.md index 93b1d0a..cc2ec9e 100644 --- a/docs/getting-started/new-client.md +++ b/docs/getting-started/new-client.md 
@@ -36,7 +36,10 @@ Diese Anleitung beschreibt das Hinzufügen eines **neuen Raspberry Pi Clients** **Auf cryodev-main** (per SSH): ```bash -sudo headscale preauthkeys create --expiration 99y --reusable --user default +# User-ID ermitteln +sudo headscale users list +# Preauth-Key erstellen (User-ID von "default" einsetzen) +sudo headscale preauthkeys create --expiration 99y --reusable --user ``` **Ausgabe notieren!** (z.B. `tskey-preauth-abc123...`) diff --git a/docs/services/headplane.md b/docs/services/headplane.md index e6c807f..458d3fc 100644 --- a/docs/services/headplane.md +++ b/docs/services/headplane.md @@ -25,9 +25,10 @@ nix-shell -p openssl --run 'openssl rand -hex 16' ```bash # First, create a dedicated user sudo headscale users create headplane-agent - -# Then create a reusable pre-auth key -sudo headscale preauthkeys create --expiration 99y --reusable --user headplane-agent +# Find the user ID +sudo headscale users list +# Then create a reusable pre-auth key (use the ID of headplane-agent) +sudo headscale preauthkeys create --expiration 99y --reusable --user ``` ### Add to Secrets @@ -101,7 +102,7 @@ sudo journalctl -u headplane -f Verify the agent pre-auth key is valid: ```bash -sudo headscale preauthkeys list --user headplane-agent +sudo headscale preauthkeys list --user ``` If expired, create a new one and update the secrets file. diff --git a/docs/services/sops.md b/docs/services/sops.md index cf1a044..0f297a7 100644 --- a/docs/services/sops.md +++ b/docs/services/sops.md @@ -153,7 +153,7 @@ netdata: | Mailserver password | `nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'` | | Random hex token | `nix-shell -p openssl --run 'openssl rand -hex 16'` | | UUID | `uuidgen` | -| Tailscale preauth | `sudo headscale preauthkeys create --expiration 99y --reusable --user default` | +| Tailscale preauth | `sudo headscale preauthkeys create --expiration 99y --reusable --user ` | ## Updating Keys 
diff --git a/docs/services/tailscale.md b/docs/services/tailscale.md index 8b0b54c..768a21c 100644 --- a/docs/services/tailscale.md +++ b/docs/services/tailscale.md @@ -14,7 +14,10 @@ Tailscale clients connect to the self-hosted Headscale server to join the mesh V On the Headscale server (cryodev-main): ```bash -sudo headscale preauthkeys create --expiration 99y --reusable --user default +# User-ID ermitteln +sudo headscale users list +# Preauth-Key erstellen (User-ID von "default" einsetzen) +sudo headscale preauthkeys create --expiration 99y --reusable --user ``` ### Add to Secrets @@ -111,7 +114,7 @@ Check the auth key is valid: ```bash # On Headscale server -sudo headscale preauthkeys list --user default +sudo headscale preauthkeys list --user ``` Verify the login server URL is correct in the client configuration.
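Review bot: in docs/getting-started/first-install.md hunk @@ -204, the new table cells "Siehe Schritt 4.1-4.2" point at sub-steps 1-2, but after the renumbering in the @@ -276 hunk of the same file the user IDs are listed in sub-step 2 and the preauth keys are only created in sub-step 3, so a reader following 4.1-4.2 stops before the key exists. Change both cells to "Siehe Schritt 4.1-4.3" (or reference the step by name), since this reference is now the only place the table tells the reader where the two secrets come from.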
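Review bot: in docs/getting-started/first-install.md hunk @@ -276, both new commands in step 3 end in a bare `--user ` with no argument, so pasted as shown they fail with a usage error rather than creating a key; the placeholder for the numeric ID needs to be visible in the rendered markdown (a spelled-out token such as `--user ID` inside the code block, with the comment already saying which user's ID to substitute), the same convention the `hosts//secrets.yaml` line in step 5 should follow. Two further points in the same hunk: the headplane-agent key here is created without `--reusable` while docs/services/headplane.md hunk @@ -25 creates it with `--reusable`, so one of the two docs should be changed to match, and `--expiration 99y --reusable` is carried over unchanged for the Tailscale key, meaning a 99-year reusable enrollment credential sits in secrets.yaml; since this patch rewrites the step, it is the place to either justify that lifetime or document a shorter expiration and the rotation path (the existing "If expired, create a new one" text in headplane.md already describes the latter).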
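Review bot: in docs/getting-started/new-client.md hunk @@ -36, the final command again ends in `--user ` with no ID placeholder (same defect as first-install.md step 3), and the "**Ausgabe notieren!**" line that follows refers to the output of the preauthkeys command; since `headscale users list` now also prints output the reader must read, consider stating explicitly that the ID column of the first command feeds the second and only the `tskey-preauth-...` string of the second is to be noted.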
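Review bot: in docs/services/headplane.md hunk @@ -25, `--user ` has no argument after it, so the documented command does not run as written; add a visible ID placeholder. The hunk also drops the blank line between `users create` and the new comment, which is fine, but the `--reusable` flag on this agent key disagrees with first-install.md, where the same key is created non-reusable; pick one (non-reusable is the tighter choice for a single agent) and apply it in both files.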
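Review bot: in docs/services/headplane.md hunk @@ -101, `preauthkeys list --user ` lacks the ID, and unlike the creation hunks there is no preceding `headscale users list` line or comment telling the reader where the ID comes from; add the placeholder and a one-line pointer to `sudo headscale users list`, otherwise this troubleshooting step is not self-contained.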
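Review bot: in docs/services/sops.md hunk @@ -153, the replacement cell ends with `--user ` followed by a trailing space inside the backticks and no ID, so the table now shows an incomplete command with no hint that a numeric user ID is required or how to obtain it; since the other rows in this table are complete one-liners, either append an explicit placeholder with a short note ("ID from `sudo headscale users list`") or replace the cell with a link to the step in first-install.md.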
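Review bot: in docs/services/tailscale.md hunk @@ -14, the new comments `# User-ID ermitteln` and `# Preauth-Key erstellen (User-ID von "default" einsetzen)` are German while the surrounding text of this file ("On the Headscale server (cryodev-main):", "### Add to Secrets") is English; they look copied from new-client.md and should be translated to match the file, as was done in headplane.md. The `--user ` placeholder is missing here as well.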
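Review bot: in docs/services/tailscale.md hunk @@ -111, `preauthkeys list --user ` has no ID, same as the headplane.md check; add the placeholder and a pointer to `sudo headscale users list` so the "Check the auth key is valid" step can be run as written.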