juanfont · nblock · May 21, 2025 · May 16, 2025 · May 19, 2025 · May 21, 2025
@@ -64,8 +64,15 @@ nfpms:
     vendor: headscale
     maintainer: Kristoffer Dalby <[email protected]>
     homepage: https://github.com/juanfont/headscale
-    license: BSD
+    description: |-
+      Open source implementation of the Tailscale control server.
+      Headscale aims to implement a self-hosted, open source alternative to the
+      Tailscale control server. Headscale's goal is to provide self-hosters and
+      hobbyists with an open-source server they can use for their projects and
+      labs. It implements a narrow scope, a single Tailscale network (tailnet),
+      suitable for a personal use, or a small open-source organisation.
     bindir: /usr/bin
+    section: net
     formats:
       - deb
     contents:
@@ -74,15 +81,21 @@ nfpms:
         type: config|noreplace
         file_info:
           mode: 0644
-      - src: ./docs/packaging/headscale.systemd.service
+      - src: ./packaging/systemd/headscale.service
         dst: /usr/lib/systemd/system/headscale.service
       - dst: /var/lib/headscale
         type: dir
-      - dst: /var/run/headscale
-        type: dir
+      - src: LICENSE
+        dst: /usr/share/doc/headscale/copyright
     scripts:
-      postinstall: ./docs/packaging/postinstall.sh
-      postremove: ./docs/packaging/postremove.sh
+      postinstall: ./packaging/deb/postinst
+      postremove: ./packaging/deb/postrm
+      preremove: ./packaging/deb/prerm
+    deb:
+      lintian_overrides:
+        - no-changelog  # Our CHANGELOG.md uses a different formatting
+        - no-manual-page
+        - statically-linked-binary
 
 kos:
   - id: ghcr

@@ -11,6 +11,8 @@
 
 - Remove policy v1 code
   [#2600](https://github.com/juanfont/headscale/pull/2600)
+- Refactor Debian/Ubuntu packaging and drop support for Ubuntu 20.04.
+  [#2614](https://github.com/juanfont/headscale/pull/2614)
 
 ## 0.26.0 (2025-05-14)
 

@@ -7,7 +7,7 @@ Both are available on the [GitHub releases page](https://github.com/juanfont/hea
 
 It is recommended to use our DEB packages to install headscale on a Debian based system as those packages configure a
 local user to run headscale, provide a default configuration and ship with a systemd service file. Supported
-distributions are Ubuntu 20.04 or newer, Debian 11 or newer.
+distributions are Ubuntu 22.04 or newer, Debian 11 or newer.
 
 1.  Download the [latest headscale package](https://github.com/juanfont/headscale/releases/latest) for your platform (`.deb` for Ubuntu and Debian).
 
@@ -87,8 +87,8 @@ managed by systemd.
     sudo nano /etc/headscale/config.yaml
     ```
 
-1.  Copy [headscale's systemd service file](../../packaging/headscale.systemd.service) to
-    `/etc/systemd/system/headscale.service` and adjust it to suit your local setup. The following parameters likely need
+1.  Copy [headscale's systemd service file](https://github.com/juanfont/headscale/blob/main/packaging/systemd/headscale.service)
+    to `/etc/systemd/system/headscale.service` and adjust it to suit your local setup. The following parameters likely need
     to be modified: `ExecStart`, `WorkingDirectory`, `ReadWritePaths`.
 
 1.  In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with a path that is writable by the

@@ -58,9 +58,6 @@ theme:
 
 # Excludes
 exclude_docs: |
-  /packaging/README.md
-  /packaging/postinstall.sh
-  /packaging/postremove.sh
   /requirements.txt
 
 # Plugins

@@ -0,0 +1,5 @@
+# Packaging
+
+We use [nFPM](https://nfpm.goreleaser.com/) for making `.deb` packages.
+
+This folder contains files we need to package with these releases.
@@ -0,0 +1,87 @@
+#!/bin/sh
+# postinst script for headscale.
+
+set -e
+
+# Summary of how this script can be called:
+#        * <postinst> 'configure' <most-recently-configured-version>
+#        * <old-postinst> 'abort-upgrade' <new version>
+#        * <conflictor's-postinst> 'abort-remove' 'in-favour' <package>
+#          <new-version>
+#        * <postinst> 'abort-remove'
+#        * <deconfigured's-postinst> 'abort-deconfigure' 'in-favour'
+#          <failed-install-package> <version> 'removing'
+#          <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package.
+
+HEADSCALE_USER="headscale"
+HEADSCALE_GROUP="headscale"
+HEADSCALE_HOME_DIR="/var/lib/headscale"
+HEADSCALE_SHELL="/usr/sbin/nologin"
+HEADSCALE_SERVICE="headscale.service"
+
+case "$1" in
+    configure)
+      groupadd --force --system "$HEADSCALE_GROUP"
+      if ! id -u "$HEADSCALE_USER" >/dev/null 2>&1; then
+        useradd --system --shell "$HEADSCALE_SHELL" \
+          --gid "$HEADSCALE_GROUP" --home-dir "$HEADSCALE_HOME_DIR" \
+          --comment "headscale default user" "$HEADSCALE_USER"
+      fi
+
+      if dpkg --compare-versions "$2" lt-nl "0.27"; then
+        # < 0.24.0-beta.1 used /home/headscale as home and /bin/sh as shell.
+        # The directory /home/headscale was not created by the package or
+        # useradd but the service always used /var/lib/headscale which was
+        # always shipped by the package as empty directory. Previous versions
+        # of the package did not update the user account properties.
+        usermod --home "$HEADSCALE_HOME_DIR" --shell "$HEADSCALE_SHELL" \
+          "$HEADSCALE_USER" >/dev/null
+      fi
+
+      if dpkg --compare-versions "$2" lt-nl "0.27" \
+        && [ $(id --user "$HEADSCALE_USER") -ge 1000 ] \
+        && [ $(id --group "$HEADSCALE_GROUP") -ge 1000 ]; then
+        # < 0.26.0-beta.1 created a regular user/group to run headscale.
+        # Previous versions of the package did not migrate to system uid/gid.
+        # Assume that the *default* uid/gid range is in use and only run this
+        # migration when the current uid/gid is allocated in the user range.
+        # Create a temporary system user/group to guarantee the allocation of a
+        # uid/gid in the system range. Assign this new uid/gid to the existing
+        # user and group and remove the temporary user/group afterwards.
+        tmp_name="headscaletmp"
+        useradd --system --no-log-init --no-create-home --shell "$HEADSCALE_SHELL" "$tmp_name"
+        tmp_uid="$(id --user "$tmp_name")"
+        tmp_gid="$(id --group "$tmp_name")"
+        usermod --non-unique --uid "$tmp_uid" --gid "$tmp_gid" "$HEADSCALE_USER"
+        groupmod --non-unique --gid "$tmp_gid" "$HEADSCALE_USER"
+        userdel --force "$tmp_name"
+      fi
+
+      # Enable service and keep track of its state
+      if deb-systemd-helper --quiet was-enabled "$HEADSCALE_SERVICE"; then
+        deb-systemd-helper enable "$HEADSCALE_SERVICE" >/dev/null || true
+      else
+        deb-systemd-helper update-state "$HEADSCALE_SERVICE" >/dev/null || true
+      fi
+
+      # Bounce service
+      if [ -d /run/systemd/system ]; then
+        systemctl --system daemon-reload >/dev/null || true
+        if [ -n "$2" ]; then
+          deb-systemd-invoke restart "$HEADSCALE_SERVICE" >/dev/null || true
+        else
+          deb-systemd-invoke start "$HEADSCALE_SERVICE" >/dev/null || true
+        fi
+      fi
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument '$1'" >&2
+        exit 1
+    ;;
+esac
@@ -0,0 +1,42 @@
+#!/bin/sh
+# postrm script for headscale.
+
+set -e
+
+# Summary of how this script can be called:
+#        * <postrm> 'remove'
+#        * <postrm> 'purge'
+#        * <old-postrm> 'upgrade' <new-version>
+#        * <new-postrm> 'failed-upgrade' <old-version>
+#        * <new-postrm> 'abort-install'
+#        * <new-postrm> 'abort-install' <old-version>
+#        * <new-postrm> 'abort-upgrade' <old-version>
+#        * <disappearer's-postrm> 'disappear' <overwriter>
+#          <overwriter-version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package.
+
+
+case "$1" in
+    remove)
+      if [ -d /run/systemd/system ]; then
+        systemctl --system daemon-reload >/dev/null || true
+      fi
+    ;;
+
+    purge)
+      userdel headscale
+      rm -rf /var/lib/headscale
+      if [ -x "/usr/bin/deb-systemd-helper" ]; then
+        deb-systemd-helper purge headscale.service >/dev/null || true
+      fi
+    ;;
+
+    upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+    ;;
+
+    *)
+        echo "postrm called with unknown argument '$1'" >&2
+        exit 1
+    ;;
+esac
@@ -0,0 +1,34 @@
+#!/bin/sh
+# prerm script for headscale.
+
+set -e
+
+# Summary of how this script can be called:
+#        * <prerm> 'remove'
+#        * <old-prerm> 'upgrade' <new-version>
+#        * <new-prerm> 'failed-upgrade' <old-version>
+#        * <conflictor's-prerm> 'remove' 'in-favour' <package> <new-version>
+#        * <deconfigured's-prerm> 'deconfigure' 'in-favour'
+#          <package-being-installed> <version> 'removing'
+#          <conflicting-package> <version>
+# for details, see https://www.debian.org/doc/debian-policy/ or
+# the debian-policy package.
+
+
+case "$1" in
+    remove)
+      if [ -d /run/systemd/system ]; then
+          deb-systemd-invoke stop headscale.service >/dev/null || true
+      fi
+    ;;
+    upgrade|deconfigure)
+    ;;
+
+    failed-upgrade)
+    ;;
+
+    *)
+        echo "prerm called with unknown argument '$1'" >&2
+        exit 1
+    ;;
+esac
@@ -1,5 +1,4 @@
 [Unit]
-After=syslog.target
 After=network.target
 Description=headscale coordination server for Tailscale
 X-Restart-Triggers=/etc/headscale/config.yaml
@@ -14,7 +13,7 @@ Restart=always
 RestartSec=5
 
 WorkingDirectory=/var/lib/headscale
-ReadWritePaths=/var/lib/headscale /var/run
+ReadWritePaths=/var/lib/headscale
 
 AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN