
[Bug] Tags applied to nodes are not applied in ACL until headscale service is restarted after adding the tag #2389

Open
SlackingVeteran opened this issue Jan 28, 2025 · 1 comment
Labels
bug Something isn't working policy 📝 tags

Comments


SlackingVeteran commented Jan 28, 2025

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

When a tag is applied to or removed from a node, the ACL is not applied for that node based on its tags until the headscale service is restarted.

Expected Behavior

When a tag is applied to or removed from nodes, the change should be reflected for any user's account that has access to the tag through the ACL.

If a user has access to the tag and the tag is removed from a node, then the user should no longer have access to the node without restarting the headscale service.
And if a user has access to the tag and the tag is added to a node, then the user should gain access to the node without restarting the headscale service.

Steps To Reproduce

I have a tag:shared tag in ACL as follows:

{
  "groups": {
    "group:all-members": [
      "[email protected]",
      "[email protected]"
    ]
  },
  "tagOwners": {
    "tag:shared": [
      "group:all-members"
    ]
  },
  "hosts": {},
  "acls": [
    {
      "action": "accept",
      "src": [
        "[email protected]"
      ],
      "dst": [
        "[email protected]:*"
      ]
    },
    {
      "action": "accept",
      "src": [
        "[email protected]"
      ],
      "dst": [
        "[email protected]:*"
      ]
    },
    {
      "action": "accept",
      "src": [
        "group:all-members"
      ],
      "dst": [
        "tag:shared:*"
      ]
    }
  ],
  "ssh": []
}

Then I applied tag:shared to one of the nodes owned by user1 with headscale nodes tag --tags tag:shared -i 1, and it shows up in headscale nodes list -o json as:

[
        {
                "id": 1,
                "machine_key": "mkey:<redacted>",
                "node_key": "nodekey:<redacted>",
                "disco_key": "discokey:<redacted>",
                "ip_addresses": [
                        "100.64.0.1",
                        "fd7a:115c:a1e0::1"
                ],
                "name": "USER1-DT",
                "user": {
                        "id": 1,
                        "name": "user1",
                        "created_at": {
                                "seconds": 1738102564,
                                "nanos": 803193762
                        },
                        "display_name": "FirstName LastName",
                        "email": "[email protected]",
                        "provider_id": "<redacted>",
                        "provider": "oidc"
                },
                "last_seen": {
                        "seconds": 1738104866,
                        "nanos": 780535645
                },
                "expiry": {
                        "seconds": 1753654564,
                        "nanos": 797022733
                },
                "created_at": {
                        "seconds": 1738102564,
                        "nanos": 813862893
                },
                "register_method": 3,
                "forced_tags": [
                        "tag:shared"
                ],
                "valid_tags": [
                        "tag:shared"
                ],
                "given_name": "user1-dt",
                "online": true
        },
        {...}
]

The device does not show up for user2 in the Tailscale client. Restarting the headscale service makes the ACL work as expected, and USER1-DT appears in user2's list.

The same issue can be observed when the tag is removed from USER1-DT: user2 continues to have access to the device until the headscale service is restarted.

Environment

- OS: Windows 11
- Headscale version: 0.24.1
- Tailscale version: 1.78.1

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

Let me know if any additional info is required
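
An added worked example (not headscale's own code): a small Go check that reads a policy of the shape posted above and a `headscale nodes list -o json` style inventory, then answers "can user2's node reach USER1-DT?" before the tag is added, after it is added, and after it is removed again. It encodes the expected behaviour described in this report, so its output can be compared with what the Tailscale client actually shows; a mismatch with a running headscale points at stale policy state rather than a policy typo. The addresses are constructed example.com placeholders for the redacted ones, the evaluator is deliberately simplified (it ignores port specs and does not model that a tagged device stops being treated as its user's device), and the `SetTags` helper stands in for `headscale nodes tag` on the in-memory inventory.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Rule is one entry of the policy's "acls" list.
type Rule struct {
	Action string   `json:"action"`
	Src    []string `json:"src"`
	Dst    []string `json:"dst"`
}

// Policy holds the parts of the posted ACL file that this check needs.
type Policy struct {
	Groups    map[string][]string `json:"groups"`
	TagOwners map[string][]string `json:"tagOwners"`
	ACLs      []Rule              `json:"acls"`
}

// Node is the subset of a `headscale nodes list -o json` entry used here.
type Node struct {
	Name string `json:"name"`
	User struct {
		Email string `json:"email"`
	} `json:"user"`
	ValidTags []string `json:"valid_tags"`
}

// policyJSON is the reporter's ACL with constructed example.com addresses in place of the redacted ones.
const policyJSON = `{
  "groups": {"group:all-members": ["user1@example.com", "user2@example.com"]},
  "tagOwners": {"tag:shared": ["group:all-members"]},
  "acls": [
    {"action": "accept", "src": ["user1@example.com"], "dst": ["user1@example.com:*"]},
    {"action": "accept", "src": ["user2@example.com"], "dst": ["user2@example.com:*"]},
    {"action": "accept", "src": ["group:all-members"], "dst": ["tag:shared:*"]}
  ]
}`

// nodesJSON is a constructed two-node inventory modelled on the posted output; USER1-DT starts untagged.
const nodesJSON = `[
  {"name": "USER1-DT", "user": {"email": "user1@example.com"}, "valid_tags": []},
  {"name": "USER2-DT", "user": {"email": "user2@example.com"}, "valid_tags": []}
]`

// LoadPolicy and LoadNodes parse the embedded samples (real files have the same shape).
func LoadPolicy(raw string) (Policy, error) {
	var p Policy
	err := json.Unmarshal([]byte(raw), &p)
	return p, err
}

func LoadNodes(raw string) ([]Node, error) {
	var ns []Node
	err := json.Unmarshal([]byte(raw), &ns)
	return ns, err
}

// SetTags replaces a node's valid_tags in the in-memory inventory, standing in for
// `headscale nodes tag --tags ... -i <id>` so the check can be re-run after a change.
func SetTags(nodes []Node, name string, tags []string) {
	for i := range nodes {
		if nodes[i].Name == name {
			nodes[i].ValidTags = tags
		}
	}
}

func hasTag(n Node, tag string) bool {
	for _, t := range n.ValidTags {
		if t == tag {
			return true
		}
	}
	return false
}

// aliasMatches resolves one src/dst alias against a node: "tag:x" matches on the node's
// valid tags, "group:x" on the group members' emails, anything else as a user email.
func aliasMatches(p Policy, alias string, n Node) bool {
	if strings.HasPrefix(alias, "tag:") {
		return hasTag(n, alias)
	}
	users := []string{alias}
	if members, ok := p.Groups[alias]; ok {
		users = members
	}
	for _, u := range users {
		if u == n.User.Email {
			return true
		}
	}
	return false
}

// stripPort drops a trailing port spec: "tag:shared:*" -> "tag:shared", "user@x:*" -> "user@x".
// Ports are ignored, so this models reachability, not per-port rules (simplification).
func stripPort(dst string) string {
	i := strings.LastIndex(dst, ":")
	if i >= 0 && strings.Trim(dst[i+1:], "0123456789-,*") == "" {
		return dst[:i]
	}
	return dst
}

// Allowed reports whether some accept rule lets node `from` reach node `to`.
func Allowed(p Policy, nodes []Node, from, to string) bool {
	var src, dst *Node
	for i := range nodes {
		if nodes[i].Name == from {
			src = &nodes[i]
		}
		if nodes[i].Name == to {
			dst = &nodes[i]
		}
	}
	if src == nil || dst == nil {
		return false
	}
	for _, r := range p.ACLs {
		if r.Action != "accept" {
			continue
		}
		srcOK := false
		for _, a := range r.Src {
			if aliasMatches(p, a, *src) {
				srcOK = true
				break
			}
		}
		if !srcOK {
			continue
		}
		for _, d := range r.Dst {
			if aliasMatches(p, stripPort(d), *dst) {
				return true
			}
		}
	}
	return false
}

func main() {
	p, err := LoadPolicy(policyJSON)
	if err != nil {
		panic(err)
	}
	nodes, err := LoadNodes(nodesJSON)
	if err != nil {
		panic(err)
	}
	report := func(stage string) {
		fmt.Printf("%-24s user2 -> USER1-DT reachable: %v\n", stage, Allowed(p, nodes, "USER2-DT", "USER1-DT"))
	}
	report("before tagging:")
	SetTags(nodes, "USER1-DT", []string{"tag:shared"})
	report("after tag:shared added:")
	SetTags(nodes, "USER1-DT", nil)
	report("after tag removed:")
}
```

Run against the live `headscale nodes list -o json` output and the real policy file, the expected answers are false, true, false for the three stages; if the client still shows the old answer while this evaluation has changed, the policy has not been re-evaluated since the tag change.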

@SlackingVeteran SlackingVeteran added the bug Something isn't working label Jan 28, 2025

DevId-E commented Jan 29, 2025

#2375 could be related or the same
