Headscale OIDC issuer fetch returns 403 (control plane down) #7

Open
opened 2026-05-06 10:56:42 +01:00 by s8n · 0 comments
Owner

**Severity:** High — affects ALL tailnet enrollment

Headscale crashes on startup with:

```
FTL Error initializing error="creating new headscale: creating OIDC provider from issuer config: 403 Forbidden: Forbidden"
```

**Root cause:** Headscale container (in `proxy` docker network, source IP `172.20.0.x`) hits `auth.s8n.ru` → Pi-hole resolves to `192.168.0.100` (split-horizon) → request hits Traefik `no-guest@file` middleware → 403 because `172.20.0.0/24` is NOT in the allowlist.

**Downstream symptom:** Onyx `tailscale up` fails with `fetch control key: 403 Forbidden` — same root cause.

**Fix options:**

1. Add `172.20.0.0/24` to `no-guest@file` `sourceRange` in `/opt/docker/traefik/config/dynamic.yml` (cleanest).
2. `extra_hosts` in headscale compose pointing `auth.s8n.ru` directly at the authentik container (requires cert handling — authentik cert is for the public hostname).

**Recommendation:** Option 1 — narrow allowlist add for the docker proxy network.

**Discovered:** 2026-05-06 during P0.1 (headscale client_secret relocation). Bug is **pre-existing** — same error occurred before + after the secret edit, confirmed by config restore-test.

**Verification:** `docker logs headscale | grep -i listen` shows "listening on :8080" (no FTL); `curl -sI https://hs.s8n.ru/health` returns 200.

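The allowlist decision that produces the 403 above, and the "narrow add" the recommendation asks for, can be checked offline before touching `dynamic.yml`. The block below is an added example, not code from the issue or from the Traefik/Headscale projects: it models the `sourceRange` match of Traefik's `ipAllowList` middleware (`ipWhiteList` in Traefik v2) with Python's `ipaddress`, shows the container IP being refused before the fix and accepted after it, guards against widening the allowlist beyond the docker proxy network, and classifies the two headscale log lines named in the issue. The pre-fix contents of the `no-guest@file` allowlist and the sample client addresses are constructed assumptions; the issue only states that `172.20.0.0/24` is missing.

```python
import ipaddress
from typing import Iterable

# ASSUMED pre-fix contents of the no-guest@file sourceRange; the issue does not
# list them, only that 172.20.0.0/24 is absent. Constructed for this example.
ALLOWLIST_BEFORE = ["192.168.0.0/24", "100.64.0.0/10"]  # LAN + tailnet (assumed)
# Fix option 1 from the issue: add only the docker proxy network.
ALLOWLIST_AFTER = ALLOWLIST_BEFORE + ["172.20.0.0/24"]

DOCKER_PROXY_NET = "172.20.0.0/24"  # the network named in the issue

# Headscale log line quoted in the issue (verbatim) and the expected healthy line.
FTL_LINE = ('FTL Error initializing error="creating new headscale: creating OIDC '
            'provider from issuer config: 403 Forbidden: Forbidden"')
OK_LINE = "INF listening on :8080"  # constructed; the issue quotes only the inner text


def is_allowed(client_ip: str, source_ranges: Iterable[str]) -> bool:
    """Mimic the ipAllowList decision: the request passes iff the source IP
    falls inside at least one CIDR in sourceRange. Traefik evaluates this on
    the address it sees (or the X-Forwarded-For entry chosen by ipStrategy),
    which is why the container's 172.20.0.x address is what gets matched here."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in source_ranges)


def http_status(client_ip: str, source_ranges: Iterable[str]) -> int:
    """Status the middleware would return: 403 when the IP is not allowlisted."""
    return 200 if is_allowed(client_ip, source_ranges) else 403


def is_narrow_addition(new_range: str, docker_network: str = DOCKER_PROXY_NET) -> bool:
    """Review check for the 'narrow allowlist add': the CIDR being added must lie
    entirely within the docker proxy network, so a broad range such as the whole
    RFC 1918 172.16.0.0/12 block is rejected."""
    new = ipaddress.ip_network(new_range, strict=False)
    net = ipaddress.ip_network(docker_network, strict=False)
    return new.version == net.version and new.subnet_of(net)


def classify_headscale_log(line: str) -> str:
    """Map the two log lines the issue cares about to a short verdict, so a
    post-fix 'docker logs headscale' pass can be checked without grep by eye."""
    if line.startswith("FTL") and "OIDC provider" in line and "403" in line:
        return "oidc-issuer-blocked"
    if "listening on :8080" in line:
        return "ready"
    return "other"


if __name__ == "__main__":
    container_ip = "172.20.0.5"  # constructed example of the 172.20.0.x range
    print("before fix:", http_status(container_ip, ALLOWLIST_BEFORE))  # 403
    print("after fix: ", http_status(container_ip, ALLOWLIST_AFTER))   # 200
    print("guest still blocked:", http_status("192.168.1.50", ALLOWLIST_AFTER))  # 403
    print("narrow /24 ok:", is_narrow_addition("172.20.0.0/24"))
    print("whole /12 rejected:", is_narrow_addition("172.16.0.0/12"))
    print(classify_headscale_log(FTL_LINE), classify_headscale_log(OK_LINE))
```

The `is_narrow_addition` guard is the point of option 1: the bridge network is already the only thing that needs to reach `auth.s8n.ru` through the LAN-facing entrypoint, so the allowlist grows by exactly one /24 and guest addresses stay at 403. If Traefik sits behind another proxy for this hop, confirm which address `ipStrategy` selects, since the allowlist is evaluated on that address rather than on the original container IP.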
s8n added the audit, high, infra, security labels 2026-05-06 10:56:42 +01:00
Reference: veilor-org/infra#7