Merge branch 'main' into rerouting

2025-08-11 21:27:45 +00:00 · 2022-11-28 16:13:37 +00:00
parent 7d4fbe65ea eb072a1a74
commit 70611746cb
17 changed files with 796 additions and 24 deletions
--- a/integration/cli_test.go
+++ b/integration/cli_test.go
@@ -10,6 +10,7 @@ import (

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/stretchr/testify/assert"
 )

@@ -39,7 +40,7 @@ func TestNamespaceCommand(t *testing.T) {
 		"namespace2": 0,
 	}

-	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("clins"))
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clins"))
 	assert.NoError(t, err)

 	headscale, err := scenario.Headscale()
@@ -120,7 +121,7 @@ func TestPreAuthKeyCommand(t *testing.T) {
 		namespace: 0,
 	}

-	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("clipak"))
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clipak"))
 	assert.NoError(t, err)

 	headscale, err := scenario.Headscale()
@@ -260,7 +261,7 @@ func TestPreAuthKeyCommandWithoutExpiry(t *testing.T) {
 		namespace: 0,
 	}

-	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("clipaknaexp"))
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clipaknaexp"))
 	assert.NoError(t, err)

 	headscale, err := scenario.Headscale()
@@ -325,7 +326,7 @@ func TestPreAuthKeyCommandReusableEphemeral(t *testing.T) {
 		namespace: 0,
 	}

-	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("clipakresueeph"))
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clipakresueeph"))
 	assert.NoError(t, err)

 	headscale, err := scenario.Headscale()
--- a/integration/general_test.go
+++ b/integration/general_test.go
@@ -7,6 +7,7 @@ import (
 	"time"

 	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/rs/zerolog/log"
 )

@@ -24,7 +25,7 @@ func TestPingAllByIP(t *testing.T) {
 		"namespace2": len(TailscaleVersions),
 	}

-	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("pingallbyip"))
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("pingallbyip"))
 	if err != nil {
 		t.Errorf("failed to create headscale environment: %s", err)
 	}
@@ -80,7 +81,7 @@ func TestPingAllByHostname(t *testing.T) {
 		"namespace4": len(TailscaleVersions) - 1,
 	}

-	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("pingallbyname"))
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("pingallbyname"))
 	if err != nil {
 		t.Errorf("failed to create headscale environment: %s", err)
 	}
@@ -148,7 +149,7 @@ func TestTaildrop(t *testing.T) {
 		"taildrop": len(TailscaleVersions) - 1,
 	}

-	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("taildrop"))
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("taildrop"))
 	if err != nil {
 		t.Errorf("failed to create headscale environment: %s", err)
 	}
@@ -276,7 +277,7 @@ func TestResolveMagicDNS(t *testing.T) {
 		"magicdns2": len(TailscaleVersions) - 1,
 	}

-	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("magicdns"))
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("magicdns"))
 	if err != nil {
 		t.Errorf("failed to create headscale environment: %s", err)
 	}
--- a/integration/hsic/hsic.go
+++ b/integration/hsic/hsic.go
@@ -79,13 +79,9 @@ func WithTLS() Option {

 func WithConfigEnv(configEnv map[string]string) Option {
 	return func(hsic *HeadscaleInContainer) {
-		env := []string{}
-
 		for key, value := range configEnv {
-			env = append(env, fmt.Sprintf("%s=%s", key, value))
+			hsic.env = append(hsic.env, fmt.Sprintf("%s=%s", key, value))
 		}
-
-		hsic.env = env
 	}
 }

--- a/integration/scenario.go
+++ b/integration/scenario.go
@@ -229,6 +229,7 @@ func (s *Scenario) CreateTailscaleNodesInNamespace(
 	namespaceStr string,
 	requestedVersion string,
 	count int,
+	opts ...tsic.Option,
 ) error {
 	if namespace, ok := s.namespaces[namespaceStr]; ok {
 		for i := 0; i < count; i++ {
@@ -247,6 +248,11 @@ func (s *Scenario) CreateTailscaleNodesInNamespace(

 			namespace.createWaitGroup.Add(1)

+			opts = append(opts,
+				tsic.WithHeadscaleTLS(cert),
+				tsic.WithHeadscaleName(hostname),
+			)
+
 			go func() {
 				defer namespace.createWaitGroup.Done()

@@ -255,8 +261,7 @@ func (s *Scenario) CreateTailscaleNodesInNamespace(
 					s.pool,
 					version,
 					s.network,
-					tsic.WithHeadscaleTLS(cert),
-					tsic.WithHeadscaleName(hostname),
+					opts...,
 				)
 				if err != nil {
 					// return fmt.Errorf("failed to add tailscale node: %w", err)
@@ -341,7 +346,11 @@ func (s *Scenario) WaitForTailscaleSync() error {
 // CreateHeadscaleEnv is a conventient method returning a set up Headcale
 // test environment with nodes of all versions, joined to the server with X
 // namespaces.
-func (s *Scenario) CreateHeadscaleEnv(namespaces map[string]int, opts ...hsic.Option) error {
+func (s *Scenario) CreateHeadscaleEnv(
+	namespaces map[string]int,
+	tsOpts []tsic.Option,
+	opts ...hsic.Option,
+) error {
 	headscale, err := s.Headscale(opts...)
 	if err != nil {
 		return err
@@ -353,7 +362,7 @@ func (s *Scenario) CreateHeadscaleEnv(namespaces map[string]int, opts ...hsic.Op
 			return err
 		}

-		err = s.CreateTailscaleNodesInNamespace(namespaceName, "all", clientCount)
+		err = s.CreateTailscaleNodesInNamespace(namespaceName, "all", clientCount, tsOpts...)
 		if err != nil {
 			return err
 		}
--- a/integration/scenario_test.go
+++ b/integration/scenario_test.go
@@ -6,7 +6,7 @@ import (
 	"github.com/juanfont/headscale/integration/dockertestutil"
 )

-// This file is intendet to "test the test framework", by proxy it will also test
+// This file is intended to "test the test framework", by proxy it will also test
 // some Headcsale/Tailscale stuff, but mostly in very simple ways.

 func IntegrationSkip(t *testing.T) {
--- a/integration/ssh_test.go
+++ b/integration/ssh_test.go
@@ -0,0 +1,519 @@
+package integration
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/juanfont/headscale"
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/stretchr/testify/assert"
+)
+
+var retry = func(times int, sleepInterval time.Duration,
+	doWork func() (string, string, error),
+) (string, string, error) {
+	var result string
+	var stderr string
+	var err error
+
+	for attempts := 0; attempts < times; attempts++ {
+		tempResult, tempStderr, err := doWork()
+
+		result += tempResult
+		stderr += tempStderr
+
+		if err == nil {
+			return result, stderr, nil
+		}
+
+		// If we get a permission denied error, we can fail immediately
+		// since that is something we wont recover from by retrying.
+		if err != nil && strings.Contains(stderr, "Permission denied (tailscale)") {
+			return result, stderr, err
+		}
+
+		time.Sleep(sleepInterval)
+	}
+
+	return result, stderr, err
+}
+
+func TestSSHOneNamespaceAllToAll(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions) - 5,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{tsic.WithSSH()},
+		hsic.WithACLPolicy(
+			&headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:integration-test": {"namespace1"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:*"},
+					},
+				},
+				SSHs: []headscale.SSH{
+					{
+						Action:       "accept",
+						Sources:      []string{"group:integration-test"},
+						Destinations: []string{"group:integration-test"},
+						Users:        []string{"ssh-it-user"},
+					},
+				},
+			},
+		),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
+		}),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	for _, client := range allClients {
+		for _, peer := range allClients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHHostname(t, client, peer)
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestSSHMultipleNamespacesAllToAll(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions) - 5,
+		"namespace2": len(TailscaleVersions) - 5,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{tsic.WithSSH()},
+		hsic.WithACLPolicy(
+			&headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:integration-test": {"namespace1", "namespace2"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:*"},
+					},
+				},
+				SSHs: []headscale.SSH{
+					{
+						Action:       "accept",
+						Sources:      []string{"group:integration-test"},
+						Destinations: []string{"group:integration-test"},
+						Users:        []string{"ssh-it-user"},
+					},
+				},
+			},
+		),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
+		}),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	nsOneClients, err := scenario.ListTailscaleClients("namespace1")
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	nsTwoClients, err := scenario.ListTailscaleClients("namespace2")
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	testInterNamespaceSSH := func(sourceClients []TailscaleClient, targetClients []TailscaleClient) {
+		for _, client := range sourceClients {
+			for _, peer := range targetClients {
+				assertSSHHostname(t, client, peer)
+			}
+		}
+	}
+
+	testInterNamespaceSSH(nsOneClients, nsTwoClients)
+	testInterNamespaceSSH(nsTwoClients, nsOneClients)
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestSSHNoSSHConfigured(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions) - 5,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{tsic.WithSSH()},
+		hsic.WithACLPolicy(
+			&headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:integration-test": {"namespace1"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:*"},
+					},
+				},
+				SSHs: []headscale.SSH{},
+			},
+		),
+		hsic.WithTestName("sshnoneconfigured"),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
+		}),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	for _, client := range allClients {
+		for _, peer := range allClients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHPermissionDenied(t, client, peer)
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestSSHIsBlockedInACL(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions) - 5,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{tsic.WithSSH()},
+		hsic.WithACLPolicy(
+			&headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:integration-test": {"namespace1"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:80"},
+					},
+				},
+				SSHs: []headscale.SSH{
+					{
+						Action:       "accept",
+						Sources:      []string{"group:integration-test"},
+						Destinations: []string{"group:integration-test"},
+						Users:        []string{"ssh-it-user"},
+					},
+				},
+			},
+		),
+		hsic.WithTestName("sshisblockedinacl"),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
+		}),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	for _, client := range allClients {
+		for _, peer := range allClients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHTimeout(t, client, peer)
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestSSNamespaceOnlyIsolation(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespaceacl1": len(TailscaleVersions) - 5,
+		"namespaceacl2": len(TailscaleVersions) - 5,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{tsic.WithSSH()},
+		hsic.WithACLPolicy(
+			&headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:ssh1": {"namespaceacl1"},
+					"group:ssh2": {"namespaceacl2"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:*"},
+					},
+				},
+				SSHs: []headscale.SSH{
+					{
+						Action:       "accept",
+						Sources:      []string{"group:ssh1"},
+						Destinations: []string{"group:ssh1"},
+						Users:        []string{"ssh-it-user"},
+					},
+					{
+						Action:       "accept",
+						Sources:      []string{"group:ssh2"},
+						Destinations: []string{"group:ssh2"},
+						Users:        []string{"ssh-it-user"},
+					},
+				},
+			},
+		),
+		hsic.WithTestName("sshtwonamespaceaclblock"),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
+		}),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	ssh1Clients, err := scenario.ListTailscaleClients("namespaceacl1")
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	ssh2Clients, err := scenario.ListTailscaleClients("namespaceacl2")
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	// TODO(kradalby,evenh): ACLs do currently not cover reject
+	// cases properly, and currently will accept all incomming connections
+	// as long as a rule is present.
+	//
+	// for _, client := range ssh1Clients {
+	// 	for _, peer := range ssh2Clients {
+	// 		if client.Hostname() == peer.Hostname() {
+	// 			continue
+	// 		}
+	//
+	// 		assertSSHPermissionDenied(t, client, peer)
+	// 	}
+	// }
+	//
+	// for _, client := range ssh2Clients {
+	// 	for _, peer := range ssh1Clients {
+	// 		if client.Hostname() == peer.Hostname() {
+	// 			continue
+	// 		}
+	//
+	// 		assertSSHPermissionDenied(t, client, peer)
+	// 	}
+	// }
+
+	for _, client := range ssh1Clients {
+		for _, peer := range ssh1Clients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHHostname(t, client, peer)
+		}
+	}
+
+	for _, client := range ssh2Clients {
+		for _, peer := range ssh2Clients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHHostname(t, client, peer)
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func doSSH(t *testing.T, client TailscaleClient, peer TailscaleClient) (string, string, error) {
+	t.Helper()
+
+	peerFQDN, _ := peer.FQDN()
+
+	command := []string{
+		"ssh", "-o StrictHostKeyChecking=no", "-o ConnectTimeout=1",
+		fmt.Sprintf("%s@%s", "ssh-it-user", peerFQDN),
+		"'hostname'",
+	}
+
+	return retry(10, 1*time.Second, func() (string, string, error) {
+		return client.Execute(command)
+	})
+}
+
+func assertSSHHostname(t *testing.T, client TailscaleClient, peer TailscaleClient) {
+	t.Helper()
+
+	result, _, err := doSSH(t, client, peer)
+	assert.NoError(t, err)
+
+	assert.Contains(t, peer.ID(), strings.ReplaceAll(result, "\n", ""))
+}
+
+func assertSSHPermissionDenied(t *testing.T, client TailscaleClient, peer TailscaleClient) {
+	t.Helper()
+
+	result, stderr, err := doSSH(t, client, peer)
+	assert.Error(t, err)
+
+	assert.Empty(t, result)
+
+	assert.Contains(t, stderr, "Permission denied (tailscale)")
+}
+
+func assertSSHTimeout(t *testing.T, client TailscaleClient, peer TailscaleClient) {
+	t.Helper()
+
+	result, stderr, err := doSSH(t, client, peer)
+	assert.NoError(t, err)
+
+	assert.Empty(t, result)
+
+	assert.Contains(t, stderr, "Connection timed out")
+}
--- a/integration/tailscale.go
+++ b/integration/tailscale.go
@@ -7,6 +7,7 @@ import (
 	"tailscale.com/ipn/ipnstate"
 )

+//nolint
 type TailscaleClient interface {
 	Hostname() string
 	Shutdown() error
@@ -20,4 +21,5 @@ type TailscaleClient interface {
 	WaitForReady() error
 	WaitForPeers(expected int) error
 	Ping(hostnameOrIP string) error
+	ID() string
 }
--- a/integration/tsic/tsic.go
+++ b/integration/tsic/tsic.go
@@ -47,6 +47,7 @@ type TailscaleInContainer struct {
 	// optional config
 	headscaleCert     []byte
 	headscaleHostname string
+	withSSH           bool
 }

 type Option = func(c *TailscaleInContainer)
@@ -83,6 +84,12 @@ func WithHeadscaleName(hsName string) Option {
 	}
 }

+func WithSSH() Option {
+	return func(tsic *TailscaleInContainer) {
+		tsic.withSSH = true
+	}
+}
+
 func New(
 	pool *dockertest.Pool,
 	version string,
@@ -176,6 +183,10 @@ func (t *TailscaleInContainer) Version() string {
 	return t.version
 }

+func (t *TailscaleInContainer) ID() string {
+	return t.container.Container.ID
+}
+
 func (t *TailscaleInContainer) Execute(
 	command []string,
 ) (string, string, error) {
@@ -215,6 +226,10 @@ func (t *TailscaleInContainer) Up(
 		t.hostname,
 	}

+	if t.withSSH {
+		command = append(command, "--ssh")
+	}
+
 	if _, _, err := t.Execute(command); err != nil {
 		return fmt.Errorf("failed to join tailscale client: %w", err)
 	}