
Thanks for pointing this out, going to give it a whirl! Does this solve the thing about having to login using one of Google, Microsoft or Github accounts?


Headscale seems to have experimental support for OpenID, so if you plonk it down next to a simple OpenID server for authentication you should be good. You should be okay with anything from SimpleID to Keycloak as long as it supports the right endpoints.

I have no idea how the official clients will deal with that, though, but I've never used tailscale myself.
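Before pointing Headscale at a self-hosted OpenID provider, it is worth checking that the provider actually publishes what an authorization-code-flow client needs. The script below is an added example, not code from Headscale or from the comment above: it validates an OIDC discovery document (the `/.well-known/openid-configuration` JSON) against the endpoints and scopes such a client relies on. The required-endpoint list and the `openid profile email` scope set are assumptions based on the standard flow, and the two sample documents are constructed for the example.

```python
"""Sanity-check an OpenID Connect provider's discovery document.

Added example: checks that a self-hosted OP (SimpleID, Keycloak, Authelia, ...)
advertises the endpoints and scopes an authorization-code-flow client such as
Headscale needs. The required lists below are this example's assumptions.
"""
from __future__ import annotations

import json
from urllib.request import urlopen

# Endpoints every authorization-code-flow relying party uses (assumption).
REQUIRED_ENDPOINTS = (
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "userinfo_endpoint",
)
# Scopes a typical client requests for login plus profile/e-mail claims (assumption).
REQUIRED_SCOPES = {"openid", "profile", "email"}


def check_discovery(doc: dict, issuer: str) -> list[str]:
    """Return a list of problems; an empty list means the OP looks usable."""
    problems: list[str] = []

    # OIDC Discovery requires the advertised issuer to match the URL you configured,
    # byte for byte; a trailing-slash mismatch will break ID token validation.
    if doc.get("issuer") != issuer:
        problems.append(f"issuer mismatch: configured {issuer!r}, document says {doc.get('issuer')!r}")

    for endpoint in REQUIRED_ENDPOINTS:
        url = doc.get(endpoint)
        if not url:
            problems.append(f"missing {endpoint}")
        elif not url.startswith("https://"):
            # Tokens and codes travel over these URLs; plain HTTP exposes them.
            problems.append(f"{endpoint} is not https: {url}")

    # scopes_supported is only RECOMMENDED by the spec, so check it only when present.
    if "scopes_supported" in doc:
        missing = REQUIRED_SCOPES - set(doc["scopes_supported"])
        if missing:
            problems.append(f"scopes not advertised: {sorted(missing)}")

    # The code flow needs response_type=code.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_types_supported lacks 'code'")

    return problems


def fetch_discovery(issuer: str) -> dict:
    """Fetch the live discovery document (needs network; not used by the tests)."""
    with urlopen(issuer.rstrip("/") + "/.well-known/openid-configuration") as resp:
        return json.load(resp)


# Constructed sample documents (not from any real provider).
ISSUER = "https://id.example.internal"

SAMPLE_GOOD = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/jwks",
    "userinfo_endpoint": ISSUER + "/userinfo",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "response_types_supported": ["code", "id_token"],
}

SAMPLE_BAD = {
    "issuer": ISSUER + "/",                      # trailing slash: issuer mismatch
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": "http://id.example.internal/token",  # plain HTTP
    "jwks_uri": ISSUER + "/jwks",
    # userinfo_endpoint missing
    "scopes_supported": ["openid", "profile"],   # no email scope
    "response_types_supported": ["id_token"],    # implicit flow only
}

if __name__ == "__main__":
    for name, doc in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, check_discovery(doc, ISSUER) or "OK")
```

Run it against a real provider with `check_discovery(fetch_discovery(issuer), issuer)`; the constructed bad document shows the mismatches that most often surface as opaque login failures: a trailing slash on the issuer, an HTTP endpoint behind a misconfigured reverse proxy, or a missing scope.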


> plonk it down next to a simple OpenID server for authentication

Could you please elaborate on this solution? I'm not sufficiently knowledgeable about OpenID to quite understand what you mean, but I'd like to avoid any of the mentioned SSO providers, as they're all blocked on my systems for personal use.

Added: Found these as per mention in your post:

[0] https://openid.net/connect/

[1] https://simpleid.org/

[2] https://www.keycloak.org/

... so I assume you mean that I could install one of [0-2] along with Headscale [3] to get the similar effect of installing Tailscale, just without those annoying SSO providers? I will see if I can find the time for examining that solution. Anything that can keep MS and Goog away is most welcome.

[3] https://github.com/juanfont/headscale


Yes, with your open OpenID server you basically become your own SSO. I've set up a Keycloak instance for my self hosted stuff and now I can add 2FA to almost any web self-hosted service without the service even needing to have support for it.

Keycloak is quite a complicated system to configure, though; there are easier alternatives out there. If you're just trying to get anything up and running, something simple like Authelia may be better for your use case (disclaimer: I've never tried it, but it seems lightweight and other people online seem to recommend it).


You can use regular tailscale with an e-mail account.


No, you cannot; you must use an SSO provider.


There is a big “Sign in with Email” button after installing the app in iOS.

Edit: Oh no, indeed when you want to sign up you need an SSO provider! This is what they say:

> Can I sign up with an email address?

> We don’t support sign-up with email addresses. By design, Tailscale is not an identity provider: there are no Tailscale passwords.

> Using an identity provider is not only more secure than email and password, but it allows us to automatically rotate connection encryption keys, follow security policies set by your team (e.g., 2FA), and more.


> Using an identity provider is not only more secure than email and password ...

It's also a pretty effective way to limit the amount of tailnets a user can have.