Feature Request: Config-level switch to disable node-key expiration (for long-lived IoT fleets) #2681
Description
Use case
We operate hundreds of battery-powered IoT devices that may remain offline for months or even years (e.g. in storage, remote sites without WAN, manual shutdown).
Each unit is provisioned in-factory with a reusable PAK and then shipped; once in the field we have no physical or remote means to re-run authentication.
When the node finally comes back online we must be able to SSH immediately for service, recovery or firmware updates.
Description
Current situation
Headscale tracks node.expiry. Once the expiry passes the node stops forwarding traffic.
The only workaround is to run headscale nodes expire --reset … (or set expiry = NULL in SQLite) per node, either after enrollment or post-expiry.
Automating that reset via cron/API is fragile: a missed run or a future schema change could strand thousands of devices.
Requested behavior
Tailscale has a similar feature: Disabling key expiry
Add a single configuration flag - global or tag-scoped - that disables key expiry entirely for matching nodes.
# config.yaml
...
node_key_expiration:
disabled: true # global switch
# or more granular
exempt_tags:
- tag:battery # never expire devices with this tag
If disabled: true, Headscale should skip scheduling expiry for every new node and ignore expiry checks during map generation.
If exempt_tags is supplied, only nodes carrying one of those tags are exempt; others follow normal 180 d rotation.
Impact
Zero behavior change for existing users: the feature defaults to disabled = false.
Simplifies large-scale IoT deployments by removing a hidden operational pitfall.
This would keep security knobs (manual nodes expire …, ACL tags) intact for cases where an operator really wants to revoke a stale device.
Thank you for considering, that would really have a huge impact for us!
Contribution
- I can write the design doc for this feature
- I can contribute this feature
How can it be implemented?
No response