steffen dbf98e2f22 add .gitignore, fix headscale CLI to use numeric user IDs

- Add .gitignore for nix build result symlinks
- Fix all headscale CLI commands: --user now requires numeric ID,
  not username (changed in newer headscale versions)
- Add 'headscale users list' step to docs where preauth keys are created

2026-03-14 12:28:47 +01:00

1.8 KiB

Raw Blame History

Tailscale Client

Tailscale clients connect to the self-hosted Headscale server to join the mesh VPN.

References

Setup

Generate Auth Key

On the Headscale server (cryodev-main):

# User-ID ermitteln
sudo headscale users list
# Preauth-Key erstellen (User-ID von "default" einsetzen)
sudo headscale preauthkeys create --expiration 99y --reusable --user <ID>

Add to Secrets

sops hosts/<hostname>/secrets.yaml

tailscale:
  auth-key: "your-preauth-key"

Configuration

# In your host configuration
{ config, ... }:
{
  sops.secrets."tailscale/auth-key" = { };
  
  services.tailscale = {
    enable = true;
    authKeyFile = config.sops.secrets."tailscale/auth-key".path;
    extraUpFlags = [
      "--login-server=https://headscale.cryodev.xyz"
    ];
  };
}

Usage

Check Status

tailscale status

View IP Address

tailscale ip

Ping Another Node

tailscale ping <hostname>

SSH to Another Node

ssh user@<hostname>
# or using Tailscale IP
ssh user@100.64.0.X

MagicDNS

With Headscale's MagicDNS enabled, you can reach nodes by hostname:

ping cryodev-pi
ssh steffen@cryodev-main

Troubleshooting

Check Service Status

sudo systemctl status tailscaled

View Logs

sudo journalctl -u tailscaled -f

Re-authenticate

If the node is not connecting:

sudo tailscale up --login-server=https://headscale.cryodev.xyz --force-reauth

Node Not Appearing in Headscale

Check the auth key is valid:

# On Headscale server
sudo headscale preauthkeys list --user <ID>

Verify the login server URL is correct in the client configuration.

1.8 KiB Raw Blame History