Add note on Apache as unsupported

2025-08-23 05:07:43 +00:00 · 2023-01-22 22:59:09 +00:00
79 changed files with 1170 additions and 1916 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -8,14 +8,9 @@ on:
    branches:
      - main

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  build:
    runs-on: ubuntu-latest
-    permissions: write-all

    steps:
      - uses: actions/checkout@v3
@@ -37,34 +32,10 @@ jobs:
        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run build
-        id: build
        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-          nix build |& tee build-result
-          BUILD_STATUS="${PIPESTATUS[0]}"
+        run: nix build

-          OLD_HASH=$(cat build-result | grep specified: | awk -F ':' '{print $2}' | sed 's/ //g')
-          NEW_HASH=$(cat build-result | grep got: | awk -F ':' '{print $2}' | sed 's/ //g')
-
-          echo "OLD_HASH=$OLD_HASH" >> $GITHUB_OUTPUT
-          echo "NEW_HASH=$NEW_HASH" >> $GITHUB_OUTPUT
-
-          exit $BUILD_STATUS
-
-      - name: Nix gosum diverging
-        uses: actions/github-script@v6
-        if: failure() && steps.build.outcome == 'failure'
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          script: |
-            github.rest.pulls.createReviewComment({
-              pull_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: 'Nix build failed with wrong gosum, please update "vendorSha256" (${{ steps.build.outputs.OLD_HASH }}) for the "headscale" package in flake.nix with the new SHA: ${{ steps.build.outputs.NEW_HASH }}'
-            })
-
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v2
        if: steps.changed-files.outputs.any_changed == 'true'
        with:
          name: headscale-linux
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -3,10 +3,6 @@ name: Lint

 on: [push, pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  golangci-lint:
    runs-on: ubuntu-latest
@@ -30,7 +26,7 @@ jobs:
        if: steps.changed-files.outputs.any_changed == 'true'
        uses: golangci/golangci-lint-action@v2
        with:
-          version: v1.51.2
+          version: v1.49.0

          # Only block PRs on new problems.
          # If this is not enabled, we will end up having PRs
@@ -63,7 +59,7 @@ jobs:

      - name: Prettify code
        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: creyD/prettier_action@v4.3
+        uses: creyD/prettier_action@v4.0
        with:
          prettier_options: >-
            --check **/*.{ts,js,md,yaml,yml,sass,css,scss,html}
--- a/.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestAuthKeyLogoutAndRelogin

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestAuthKeyLogoutAndRelogin$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestAuthWebFlowAuthenticationPingAll

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestAuthWebFlowAuthenticationPingAll$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestAuthWebFlowLogoutAndRelogin

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestAuthWebFlowLogoutAndRelogin$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestCreateTailscale.yaml
+++ b/.github/workflows/test-integration-v2-TestCreateTailscale.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestCreateTailscale

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestCreateTailscale$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestEnablingRoutes.yaml
+++ b/.github/workflows/test-integration-v2-TestEnablingRoutes.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestEnablingRoutes

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestEnablingRoutes$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestHeadscale.yaml
+++ b/.github/workflows/test-integration-v2-TestHeadscale.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestHeadscale

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestHeadscale$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestNamespaceCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestNamespaceCommand.yaml
@@ -1,14 +1,11 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

-name: Integration Test v2 - TestEphemeral
+name: Integration Test v2 - TestNamespaceCommand

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,17 +38,10 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
                  -parallel 1 \
-                  -run "^TestEphemeral$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
+                  -run "^TestNamespaceCommand$"
--- a/.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml
+++ b/.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestOIDCAuthenticationPingAll

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestOIDCAuthenticationPingAll$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestOIDCExpireNodes.yaml
+++ b/.github/workflows/test-integration-v2-TestOIDCExpireNodes.yaml
@@ -1,14 +1,11 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

-name: Integration Test v2 - TestExpireNode
+name: Integration Test v2 - TestOIDCExpireNodes

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,17 +38,10 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
                  -parallel 1 \
-                  -run "^TestExpireNode$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
+                  -run "^TestOIDCExpireNodes$"
--- a/.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml
+++ b/.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml
@@ -1,57 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestOIDCExpireNodesBasedOnTokenExpiry
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go test ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestOIDCExpireNodesBasedOnTokenExpiry$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestPingAllByHostname.yaml
+++ b/.github/workflows/test-integration-v2-TestPingAllByHostname.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestPingAllByHostname

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestPingAllByHostname$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestPingAllByIP.yaml
+++ b/.github/workflows/test-integration-v2-TestPingAllByIP.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestPingAllByIP

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestPingAllByIP$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestPreAuthKeyCommand

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestPreAuthKeyCommand$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestPreAuthKeyCommandReusableEphemeral

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestPreAuthKeyCommandReusableEphemeral$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestPreAuthKeyCommandWithoutExpiry

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestPreAuthKeyCommandWithoutExpiry$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml
+++ b/.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestResolveMagicDNS

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestResolveMagicDNS$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestSSHIsBlockedInACL

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestSSHIsBlockedInACL$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestSSHMultipleNamespacesAllToAll.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHMultipleNamespacesAllToAll.yaml
@@ -1,14 +1,11 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

-name: Integration Test v2 - TestUserCommand
+name: Integration Test v2 - TestSSHMultipleNamespacesAllToAll

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,17 +38,10 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
                  -parallel 1 \
-                  -run "^TestUserCommand$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
+                  -run "^TestSSHMultipleNamespacesAllToAll$"
--- a/.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml
@@ -1,57 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestSSHMultipleUsersAllToAll
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go test ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestSSHMultipleUsersAllToAll$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestSSHNoSSHConfigured

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestSSHNoSSHConfigured$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestSSHOneNamespaceAllToAll.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHOneNamespaceAllToAll.yaml
@@ -1,14 +1,11 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

-name: Integration Test v2 - TestSSHOneUserAllToAll
+name: Integration Test v2 - TestSSHOneNamespaceAllToAll

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,17 +38,10 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
                  -parallel 1 \
-                  -run "^TestSSHOneUserAllToAll$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
+                  -run "^TestSSHOneNamespaceAllToAll$"
--- a/.github/workflows/test-integration-v2-TestSSNamespaceOnlyIsolation.yaml
+++ b/.github/workflows/test-integration-v2-TestSSNamespaceOnlyIsolation.yaml
@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestSSNamespaceOnlyIsolation
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestSSNamespaceOnlyIsolation$"
--- a/.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml
+++ b/.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml
@@ -1,57 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestSSUserOnlyIsolation
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go test ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestSSUserOnlyIsolation$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestTaildrop.yaml
+++ b/.github/workflows/test-integration-v2-TestTaildrop.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestTaildrop

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestTaildrop$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml
+++ b/.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml
@@ -1,3 +1,4 @@
+
 # DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

@@ -5,10 +6,6 @@ name: Integration Test v2 - TestTailscaleNodesJoiningHeadcale

 on: [pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -29,8 +26,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -41,7 +38,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -49,9 +45,3 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^TestTailscaleNodesJoiningHeadcale$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -2,10 +2,6 @@ name: Tests

 on: [push, pull_request]

-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
--- a/.gitignore
+++ b/.gitignore
@@ -26,8 +26,7 @@ derp.yaml
 # Exclude Jetbrains Editors
 .idea

-test_output/
-control_logs/
+test_output/ 

 # Nix build output
 result
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,32 +1,13 @@
 # CHANGELOG

-## 0.21.0 (2023-xx-xx)
-
-### changes
-
- Adding "configtest" CLI command.
-
-## 0.20.0 (2023-02-03)
-
-### changes
-
- Fix wrong behaviour in exit nodes [#1159](https://github.com/juanfont/headscale/pull/1159)
- Align behaviour of `dns_config.restricted_nameservers` to tailscale [#1162](https://github.com/juanfont/headscale/pull/1162)
- Make OpenID Connect authenticated client expiry time configurable [#1191](https://github.com/juanfont/headscale/pull/1191)
-  - defaults to 180 days like Tailscale SaaS
-  - adds option to use the expiry time from the OpenID token for the node (see config-example.yaml)
- Set ControlTime in Map info sent to nodes [#1195](https://github.com/juanfont/headscale/pull/1195)
- Populate Tags field on Node updates sent [#1195](https://github.com/juanfont/headscale/pull/1195)
-
-## 0.19.0 (2023-01-29)
+## 0.19.0 (2022-11-26)

 ### BREAKING

 - Rename Namespace to User [#1144](https://github.com/juanfont/headscale/pull/1144)
  - **BACKUP your database before upgrading**
- Command line flags previously taking `--namespace` or `-n` will now require `--user` or `-u`

-## 0.18.0 (2023-01-14)
+## 0.18.0 (2022-01-14)

 ### Changes

--- a/README.md
+++ b/README.md
@@ -81,11 +81,6 @@ one of the maintainers.

 Please have a look at the documentation under [`docs/`](docs/).

-## Talks
-
- Fosdem 2023 (video): [Headscale: How we are using integration testing to reimplement Tailscale](https://fosdem.org/2023/schedule/event/goheadscale/)
-  - presented by Juan Font Alonso and Kristoffer Dalby
-
 ## Disclaimer

 1. We have nothing to do with Tailscale, or Tailscale Inc.
--- a/acls.go
+++ b/acls.go
@@ -150,11 +150,7 @@ func (h *Headscale) UpdateACLRules() error {
 	return nil
 }

-func generateACLRules(
-	machines []Machine,
-	aclPolicy ACLPolicy,
-	stripEmaildomain bool,
-) ([]tailcfg.FilterRule, error) {
+func generateACLRules(machines []Machine, aclPolicy ACLPolicy, stripEmaildomain bool) ([]tailcfg.FilterRule, error) {
 	rules := []tailcfg.FilterRule{}

 	for index, acl := range aclPolicy.ACLs {
@@ -164,7 +160,7 @@ func generateACLRules(

 		srcIPs := []string{}
 		for innerIndex, src := range acl.Sources {
-			srcs, err := generateACLPolicySrc(machines, aclPolicy, src, stripEmaildomain)
+			srcs, err := generateACLPolicySrcIP(machines, aclPolicy, src, stripEmaildomain)
 			if err != nil {
 				log.Error().
 					Msgf("Error parsing ACL %d, Source %d", index, innerIndex)
@@ -315,7 +311,7 @@ func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
 	}, nil
 }

-func generateACLPolicySrc(
+func generateACLPolicySrcIP(
 	machines []Machine,
 	aclPolicy ACLPolicy,
 	src string,
@@ -431,7 +427,6 @@ func parseProtocol(protocol string) ([]int, bool, error) {
 // - a user
 // - a group
 // - a tag
-// - a host
 // and transform these in IPAddresses.
 func expandAlias(
 	machines []Machine,
--- a/acls_test.go
+++ b/acls_test.go
@@ -1041,7 +1041,7 @@ func Test_expandAlias(t *testing.T) {
 			wantErr: false,
 		},
 		{
-			name: "simple host by ip",
+			name: "simple host",
 			args: args{
 				alias:            "10.0.0.1",
 				machines:         []Machine{},
@@ -1051,21 +1051,6 @@ func Test_expandAlias(t *testing.T) {
 			want:    []string{"10.0.0.1"},
 			wantErr: false,
 		},
-		{
-			name: "simple host by hostname alias",
-			args: args{
-				alias:    "testy",
-				machines: []Machine{},
-				aclPolicy: ACLPolicy{
-					Hosts: Hosts{
-						"testy": netip.MustParsePrefix("10.0.0.132/32"),
-					},
-				},
-				stripEmailDomain: true,
-			},
-			want:    []string{"10.0.0.132/32"},
-			wantErr: false,
-		},
 		{
 			name: "simple CIDR",
 			args: args{
--- a/api_common.go
+++ b/api_common.go
@@ -1,8 +1,6 @@
 package headscale

 import (
-	"time"
-
 	"github.com/rs/zerolog/log"
 	"tailscale.com/tailcfg"
 )
@@ -57,46 +55,16 @@ func (h *Headscale) generateMapResponse(
 		peers,
 	)

-	now := time.Now()
-
 	resp := tailcfg.MapResponse{
-		KeepAlive: false,
-		Node:      node,
-
-		// TODO: Only send if updated
-		DERPMap: h.DERPMap,
-
-		// TODO: Only send if updated
-		Peers: nodePeers,
-
-		// TODO(kradalby): Implement:
-		// https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L1351-L1374
-		// PeersChanged
-		// PeersRemoved
-		// PeersChangedPatch
-		// PeerSeenChange
-		// OnlineChange
-
-		// TODO: Only send if updated
-		DNSConfig: dnsConfig,
-
-		// TODO: Only send if updated
-		Domain: h.cfg.BaseDomain,
-
-		// Do not instruct clients to collect services, we do not
-		// support or do anything with them
-		CollectServices: "false",
-
-		// TODO: Only send if updated
+		KeepAlive:    false,
+		Node:         node,
+		Peers:        nodePeers,
+		DNSConfig:    dnsConfig,
+		Domain:       h.cfg.BaseDomain,
 		PacketFilter: h.aclRules,
-
+		SSHPolicy:    h.sshPolicy,
+		DERPMap:      h.DERPMap,
 		UserProfiles: profiles,
-
-		// TODO: Only send if updated
-		SSHPolicy: h.sshPolicy,
-
-		ControlTime: &now,
-
 		Debug: &tailcfg.Debug{
 			DisableLogTail:      !h.cfg.LogTail.Enabled,
 			RandomizeClientPort: h.cfg.RandomizeClientPort,
--- a/app.go
+++ b/app.go
@@ -521,7 +521,7 @@ func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *mux.Router {
 	apiRouter.Use(h.httpAuthenticationMiddleware)
 	apiRouter.PathPrefix("/v1/").HandlerFunc(grpcMux.ServeHTTP)

-	router.PathPrefix("/").HandlerFunc(notFoundHandler)
+	router.PathPrefix("/").HandlerFunc(stdoutHandler)

 	return router
 }
@@ -957,7 +957,7 @@ func (h *Headscale) getLastStateChange(users ...User) time.Time {
 	}
 }

-func notFoundHandler(
+func stdoutHandler(
 	writer http.ResponseWriter,
 	req *http.Request,
 ) {
@@ -969,7 +969,6 @@ func notFoundHandler(
 		Interface("url", req.URL).
 		Bytes("body", body).
 		Msg("Request did not match")
-	writer.WriteHeader(http.StatusNotFound)
 }

 func readOrCreatePrivateKey(path string) (*key.MachinePrivate, error) {
--- a/cmd/gh-action-integration-generator/main.go
+++ b/cmd/gh-action-integration-generator/main.go
@@ -7,29 +7,19 @@ import (
 	"fmt"
 	"log"
 	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"strings"
 	"text/template"
 )

 var (
-	githubWorkflowPath  = "../../.github/workflows/"
 	jobFileNameTemplate = `test-integration-v2-%s.yaml`
-	jobTemplate         = template.Must(
-		template.New("jobTemplate").
-			Parse(`# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+	jobTemplate         = template.Must(template.New("jobTemplate").Parse(`
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
 # To regenerate, run "go generate" in cmd/gh-action-integration-generator/

 name: Integration Test v2 - {{.Name}}

 on: [pull_request]

-concurrency:
-  group: {{ "${{ github.workflow }}-$${{ github.head_ref || github.run_id }}" }}
-  cancel-in-progress: true
-
 jobs:
  test:
    runs-on: ubuntu-latest
@@ -50,8 +40,8 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v18
-        if: {{ "${{ env.ACT }}" }} || steps.changed-files.outputs.any_changed == 'true'
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
@@ -62,7 +52,6 @@ jobs:
              --name headscale-test-suite \
              --volume $PWD:$PWD -w $PWD/integration \
              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
                go test ./... \
                  -tags ts2019 \
@@ -70,81 +59,43 @@ jobs:
                  -timeout 120m \
                  -parallel 1 \
                  -run "^{{.Name}}$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-`),
-	)
+`))
 )

 const workflowFilePerm = 0o600

-func removeTests() {
-	glob := fmt.Sprintf(jobFileNameTemplate, "*")
-
-	files, err := filepath.Glob(filepath.Join(githubWorkflowPath, glob))
-	if err != nil {
-		log.Fatalf("failed to find test files")
-	}
-
-	for _, file := range files {
-		err := os.Remove(file)
-		if err != nil {
-			log.Printf("failed to remove: %s", err)
-		}
-	}
-}
-
-func findTests() []string {
-	rgBin, err := exec.LookPath("rg")
-	if err != nil {
-		log.Fatalf("failed to find rg (ripgrep) binary")
-	}
-
-	args := []string{
-		"--regexp", "func (Test.+)\\(.*",
-		"../../integration/",
-		"--replace", "$1",
-		"--sort", "path",
-		"--no-line-number",
-		"--no-filename",
-		"--no-heading",
-	}
-
-	log.Printf("executing: %s %s", rgBin, strings.Join(args, " "))
-
-	ripgrep := exec.Command(
-		rgBin,
-		args...,
-	)
-
-	result, err := ripgrep.CombinedOutput()
-	if err != nil {
-		log.Printf("out: %s", result)
-		log.Fatalf("failed to run ripgrep: %s", err)
-	}
-
-	tests := strings.Split(string(result), "\n")
-	tests = tests[:len(tests)-1]
-
-	return tests
-}
-
 func main() {
 	type testConfig struct {
 		Name string
 	}

-	tests := findTests()
-
-	removeTests()
+	// TODO(kradalby): automatic fetch tests at runtime
+	tests := []string{
+		"TestAuthKeyLogoutAndRelogin",
+		"TestAuthWebFlowAuthenticationPingAll",
+		"TestAuthWebFlowLogoutAndRelogin",
+		"TestCreateTailscale",
+		"TestEnablingRoutes",
+		"TestHeadscale",
+		"TestUserCommand",
+		"TestOIDCAuthenticationPingAll",
+		"TestOIDCExpireNodes",
+		"TestPingAllByHostname",
+		"TestPingAllByIP",
+		"TestPreAuthKeyCommand",
+		"TestPreAuthKeyCommandReusableEphemeral",
+		"TestPreAuthKeyCommandWithoutExpiry",
+		"TestResolveMagicDNS",
+		"TestSSHIsBlockedInACL",
+		"TestSSHMultipleUsersAllToAll",
+		"TestSSHNoSSHConfigured",
+		"TestSSHOneUserAllToAll",
+		"TestSSUserOnlyIsolation",
+		"TestTaildrop",
+		"TestTailscaleNodesJoiningHeadcale",
+	}

 	for _, test := range tests {
-		log.Printf("generating workflow for %s", test)
-
 		var content bytes.Buffer

 		if err := jobTemplate.Execute(&content, testConfig{
@@ -153,9 +104,9 @@ func main() {
 			log.Fatalf("failed to render template: %s", err)
 		}

-		testPath := path.Join(githubWorkflowPath, fmt.Sprintf(jobFileNameTemplate, test))
+		path := "../../.github/workflows/" + fmt.Sprintf(jobFileNameTemplate, test)

-		err := os.WriteFile(testPath, content.Bytes(), workflowFilePerm)
+		err := os.WriteFile(path, content.Bytes(), workflowFilePerm)
 		if err != nil {
 			log.Fatalf("failed to write github job: %s", err)
 		}
--- a/cmd/headscale/cli/configtest.go
+++ b/cmd/headscale/cli/configtest.go
@@ -1,22 +0,0 @@
-package cli
-
-import (
-	"github.com/rs/zerolog/log"
-	"github.com/spf13/cobra"
-)
-
-func init() {
-	rootCmd.AddCommand(configTestCmd)
-}
-
-var configTestCmd = &cobra.Command{
-	Use:   "configtest",
-	Short: "Test the configuration.",
-	Long:  "Run a test of the configuration and exit.",
-	Run: func(cmd *cobra.Command, args []string) {
-		_, err := getHeadscaleApp()
-		if err != nil {
-			log.Fatal().Caller().Err(err).Msg("Error initializing")
-		}
-	},
-}
--- a/cmd/headscale/cli/debug.go
+++ b/cmd/headscale/cli/debug.go
@@ -27,13 +27,7 @@ func init() {
 	if err != nil {
 		log.Fatal().Err(err).Msg("")
 	}
-	createNodeCmd.Flags().StringP("user", "u", "", "User")
-
-	createNodeCmd.Flags().StringP("namespace", "n", "", "User")
-	createNodeNamespaceFlag := createNodeCmd.Flags().Lookup("namespace")
-	createNodeNamespaceFlag.Deprecated = deprecateNamespaceMessage
-	createNodeNamespaceFlag.Hidden = true
-
+	createNodeCmd.Flags().StringP("user", "n", "", "User")
 	err = createNodeCmd.MarkFlagRequired("user")
 	if err != nil {
 		log.Fatal().Err(err).Msg("")
--- a/cmd/headscale/cli/nodes.go
+++ b/cmd/headscale/cli/nodes.go
@@ -19,23 +19,11 @@ import (

 func init() {
 	rootCmd.AddCommand(nodeCmd)
-	listNodesCmd.Flags().StringP("user", "u", "", "Filter by user")
+	listNodesCmd.Flags().StringP("user", "n", "", "Filter by user")
 	listNodesCmd.Flags().BoolP("tags", "t", false, "Show tags")
-
-	listNodesCmd.Flags().StringP("namespace", "n", "", "User")
-	listNodesNamespaceFlag := listNodesCmd.Flags().Lookup("namespace")
-	listNodesNamespaceFlag.Deprecated = deprecateNamespaceMessage
-	listNodesNamespaceFlag.Hidden = true
-
 	nodeCmd.AddCommand(listNodesCmd)

-	registerNodeCmd.Flags().StringP("user", "u", "", "User")
-
-	registerNodeCmd.Flags().StringP("namespace", "n", "", "User")
-	registerNodeNamespaceFlag := registerNodeCmd.Flags().Lookup("namespace")
-	registerNodeNamespaceFlag.Deprecated = deprecateNamespaceMessage
-	registerNodeNamespaceFlag.Hidden = true
-
+	registerNodeCmd.Flags().StringP("user", "n", "", "User")
 	err := registerNodeCmd.MarkFlagRequired("user")
 	if err != nil {
 		log.Fatalf(err.Error())
@@ -75,12 +63,7 @@ func init() {
 		log.Fatalf(err.Error())
 	}

-	moveNodeCmd.Flags().StringP("user", "u", "", "New user")
-
-	moveNodeCmd.Flags().StringP("namespace", "n", "", "User")
-	moveNodeNamespaceFlag := moveNodeCmd.Flags().Lookup("namespace")
-	moveNodeNamespaceFlag.Deprecated = deprecateNamespaceMessage
-	moveNodeNamespaceFlag.Hidden = true
+	moveNodeCmd.Flags().StringP("user", "n", "", "New user")

 	err = moveNodeCmd.MarkFlagRequired("user")
 	if err != nil {
--- a/cmd/headscale/cli/preauthkeys.go
+++ b/cmd/headscale/cli/preauthkeys.go
@@ -20,13 +20,7 @@ const (

 func init() {
 	rootCmd.AddCommand(preauthkeysCmd)
-	preauthkeysCmd.PersistentFlags().StringP("user", "u", "", "User")
-
-	preauthkeysCmd.PersistentFlags().StringP("namespace", "n", "", "User")
-	pakNamespaceFlag := preauthkeysCmd.PersistentFlags().Lookup("namespace")
-	pakNamespaceFlag.Deprecated = deprecateNamespaceMessage
-	pakNamespaceFlag.Hidden = true
-
+	preauthkeysCmd.PersistentFlags().StringP("user", "n", "", "User")
 	err := preauthkeysCmd.MarkPersistentFlagRequired("user")
 	if err != nil {
 		log.Fatal().Err(err).Msg("")
--- a/cmd/headscale/cli/root.go
+++ b/cmd/headscale/cli/root.go
@@ -12,15 +12,10 @@ import (
 	"github.com/tcnksm/go-latest"
 )

-const (
-	deprecateNamespaceMessage = "use --user"
-)
-
 var cfgFile string = ""

 func init() {
-	if len(os.Args) > 1 &&
-		(os.Args[1] == "version" || os.Args[1] == "mockoidc" || os.Args[1] == "completion") {
+	if len(os.Args) > 1 && (os.Args[1] == "version" || os.Args[1] == "mockoidc" || os.Args[1] == "completion") {
 		return
 	}

--- a/cmd/headscale/cli/routes.go
+++ b/cmd/headscale/cli/routes.go
@@ -3,10 +3,8 @@ package cli
 import (
 	"fmt"
 	"log"
-	"net/netip"
 	"strconv"

-	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
@@ -220,19 +218,6 @@ func routesToPtables(routes []*v1.Route) pterm.TableData {
 	tableData := pterm.TableData{{"ID", "Machine", "Prefix", "Advertised", "Enabled", "Primary"}}

 	for _, route := range routes {
-		var isPrimaryStr string
-		prefix, err := netip.ParsePrefix(route.Prefix)
-		if err != nil {
-			log.Printf("Error parsing prefix %s: %s", route.Prefix, err)
-
-			continue
-		}
-		if prefix == headscale.ExitRouteV4 || prefix == headscale.ExitRouteV6 {
-			isPrimaryStr = "-"
-		} else {
-			isPrimaryStr = strconv.FormatBool(route.IsPrimary)
-		}
-
 		tableData = append(tableData,
 			[]string{
 				strconv.FormatUint(route.Id, Base10),
@@ -240,7 +225,7 @@ func routesToPtables(routes []*v1.Route) pterm.TableData {
 				route.Prefix,
 				strconv.FormatBool(route.Advertised),
 				strconv.FormatBool(route.Enabled),
-				isPrimaryStr,
+				strconv.FormatBool(route.IsPrimary),
 			})
 	}

--- a/cmd/headscale/cli/users.go
+++ b/cmd/headscale/cli/users.go
@@ -27,7 +27,7 @@ const (
 var userCmd = &cobra.Command{
 	Use:     "users",
 	Short:   "Manage the users of Headscale",
-	Aliases: []string{"user", "namespace", "namespaces", "ns"},
+	Aliases: []string{"user", "namespace", "ns"},
 }

 var createUserCmd = &cobra.Command{
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -282,38 +282,27 @@ unix_socket_permission: "0770"
 #   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
 #   # client_secret and client_secret_path are mutually exclusive.
 #
-#   # The amount of time from a node is authenticated with OpenID until it
-#   # expires and needs to reauthenticate.
-#   # Setting the value to "0" will mean no expiry.
-#   expiry: 180d
-#
-#   # Use the expiry from the token received from OpenID when the user logged
-#   # in, this will typically lead to frequent need to reauthenticate and should
-#   # only been enabled if you know what you are doing.
-#   # Note: enabling this will cause `oidc.expiry` to be ignored.
-#   use_expiry_from_token: false
-#
-#   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
-#   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+#   Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
+#   parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
 #
 #   scope: ["openid", "profile", "email", "custom"]
 #   extra_params:
 #     domain_hint: example.com
 #
-#   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
-#   # authentication request will be rejected.
+#   List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
+#   authentication request will be rejected.
 #
 #   allowed_domains:
 #     - example.com
-#   # Note: Groups from keycloak have a leading '/'
+# Groups from keycloak have a leading '/'
 #   allowed_groups:
 #     - /headscale
 #   allowed_users:
 #     - alice@example.com
 #
-#   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
-#   # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
-#   # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
+#   If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
+#   This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
+#   If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
 #   user: `first-name.last-name.example.com`
 #
 #   strip_email_domain: true
--- a/config.go
+++ b/config.go
@@ -11,7 +11,6 @@ import (
 	"time"

 	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/prometheus/common/model"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/viper"
@@ -26,14 +25,9 @@ const (

 	JSONLogFormat = "json"
 	TextLogFormat = "text"
-
-	defaultOIDCExpiryTime               = 180 * 24 * time.Hour // 180 Days
-	maxDuration           time.Duration = 1<<63 - 1
 )

-var errOidcMutuallyExclusive = errors.New(
-	"oidc_client_secret and oidc_client_secret_path are mutually exclusive",
-)
+var errOidcMutuallyExclusive = errors.New("oidc_client_secret and oidc_client_secret_path are mutually exclusive")

 // Config contains the initial Headscale configuration.
 type Config struct {
@@ -107,8 +101,6 @@ type OIDCConfig struct {
 	AllowedUsers               []string
 	AllowedGroups              []string
 	StripEmaildomain           bool
-	Expiry                     time.Duration
-	UseExpiryFromToken         bool
 }

 type DERPConfig struct {
@@ -188,8 +180,6 @@ func LoadConfig(path string, isFile bool) error {
 	viper.SetDefault("oidc.scope", []string{oidc.ScopeOpenID, "profile", "email"})
 	viper.SetDefault("oidc.strip_email_domain", true)
 	viper.SetDefault("oidc.only_start_if_oidc_is_available", true)
-	viper.SetDefault("oidc.expiry", "180d")
-	viper.SetDefault("oidc.use_expiry_from_token", false)

 	viper.SetDefault("logtail.enabled", false)
 	viper.SetDefault("randomize_client_port", false)
@@ -421,32 +411,34 @@ func GetDNSConfig() (*tailcfg.DNSConfig, string) {
 		}

 		if viper.IsSet("dns_config.restricted_nameservers") {
-			dnsConfig.Routes = make(map[string][]*dnstype.Resolver)
-			domains := []string{}
-			restrictedDNS := viper.GetStringMapStringSlice(
-				"dns_config.restricted_nameservers",
-			)
-			for domain, restrictedNameservers := range restrictedDNS {
-				restrictedResolvers := make(
-					[]*dnstype.Resolver,
-					len(restrictedNameservers),
+			if len(dnsConfig.Resolvers) > 0 {
+				dnsConfig.Routes = make(map[string][]*dnstype.Resolver)
+				restrictedDNS := viper.GetStringMapStringSlice(
+					"dns_config.restricted_nameservers",
 				)
-				for index, nameserverStr := range restrictedNameservers {
-					nameserver, err := netip.ParseAddr(nameserverStr)
-					if err != nil {
-						log.Error().
-							Str("func", "getDNSConfig").
-							Err(err).
-							Msgf("Could not parse restricted nameserver IP: %s", nameserverStr)
-					}
-					restrictedResolvers[index] = &dnstype.Resolver{
-						Addr: nameserver.String(),
+				for domain, restrictedNameservers := range restrictedDNS {
+					restrictedResolvers := make(
+						[]*dnstype.Resolver,
+						len(restrictedNameservers),
+					)
+					for index, nameserverStr := range restrictedNameservers {
+						nameserver, err := netip.ParseAddr(nameserverStr)
+						if err != nil {
+							log.Error().
+								Str("func", "getDNSConfig").
+								Err(err).
+								Msgf("Could not parse restricted nameserver IP: %s", nameserverStr)
+						}
+						restrictedResolvers[index] = &dnstype.Resolver{
+							Addr: nameserver.String(),
+						}
 					}
+					dnsConfig.Routes[domain] = restrictedResolvers
 				}
-				dnsConfig.Routes[domain] = restrictedResolvers
-				domains = append(domains, domain)
+			} else {
+				log.Warn().
+					Msg("Warning: dns_config.restricted_nameservers is set, but no nameservers are configured. Ignoring restricted_nameservers.")
 			}
-			dnsConfig.Domains = domains
 		}

 		if viper.IsSet("dns_config.domains") {
@@ -611,22 +603,6 @@ func GetHeadscaleConfig() (*Config, error) {
 			AllowedUsers:     viper.GetStringSlice("oidc.allowed_users"),
 			AllowedGroups:    viper.GetStringSlice("oidc.allowed_groups"),
 			StripEmaildomain: viper.GetBool("oidc.strip_email_domain"),
-			Expiry: func() time.Duration {
-				// if set to 0, we assume no expiry
-				if value := viper.GetString("oidc.expiry"); value == "0" {
-					return maxDuration
-				} else {
-					expiry, err := model.ParseDuration(value)
-					if err != nil {
-						log.Warn().Msg("failed to parse oidc.expiry, defaulting back to 180 days")
-
-						return defaultOIDCExpiryTime
-					}
-
-					return time.Duration(expiry)
-				}
-			}(),
-			UseExpiryFromToken: viper.GetBool("oidc.use_expiry_from_token"),
 		},

 		LogTail:             logConfig,
--- a/db.go
+++ b/db.go
@@ -48,9 +48,6 @@ func (h *Headscale) initDB() error {
 		return err
 	}

-	_ = db.Migrator().RenameColumn(&Machine{}, "namespace_id", "user_id")
-	_ = db.Migrator().RenameColumn(&PreAuthKey{}, "namespace_id", "user_id")
-
 	_ = db.Migrator().RenameColumn(&Machine{}, "ip_address", "ip_addresses")
 	_ = db.Migrator().RenameColumn(&Machine{}, "name", "hostname")

--- a/derp_server.go
+++ b/derp_server.go
@@ -157,14 +157,14 @@ func (h *Headscale) DERPHandler(

 	if !fastStart {
 		pubKey := h.privateKey.Public()
-		pubKeyStr, _ := pubKey.MarshalText() //nolint
+		pubKeyStr := pubKey.UntypedHexString() //nolint
 		fmt.Fprintf(conn, "HTTP/1.1 101 Switching Protocols\r\n"+
 			"Upgrade: DERP\r\n"+
 			"Connection: Upgrade\r\n"+
 			"Derp-Version: %v\r\n"+
 			"Derp-Public-Key: %s\r\n\r\n",
 			derp.ProtocolVersion,
-			string(pubKeyStr))
+			pubKeyStr)
 	}

 	h.DERPServer.tailscaleDERP.Accept(req.Context(), netConn, conn, netConn.RemoteAddr().String())
--- a/docs/oidc.md
+++ b/docs/oidc.md
@@ -139,34 +139,3 @@ oidc:
    # Optional: Force the Azure AD account picker
    prompt: select_account
 ```
-
-## Google OAuth Example
-
-In order to integrate Headscale with Google, you'll need to have a [Google Cloud Console](https://console.cloud.google.com) account.
-
-Google OAuth has a [verification process](https://support.google.com/cloud/answer/9110914?hl=en) if you need to have users authenticate who are outside of your domain. If you only need to authenticate users from your domain name (ie `@example.com`), you don't need to go through the verification process.
-
-However if you don't have a domain, or need to add users outside of your domain, you can manually add emails via Google Console.
-
-### Steps
-
-1. Go to [Google Console](https://console.cloud.google.com) and login or create an account if you don't have one.
-2. Create a project (if you don't already have one).
-3. On the left hand menu, go to `APIs and services` -> `Credentials`
-4. Click `Create Credentials` -> `OAuth client ID`
-5. Under `Application Type`, choose `Web Application`
-6. For `Name`, enter whatever you like
-7. Under `Authorised redirect URIs`, use `https://example.com/oidc/callback`, replacing example.com with your Headscale URL.
-8. Click `Save` at the bottom of the form
-9. Take note of the `Client ID` and `Client secret`, you can also download it for reference if you need it.
-10. Edit your headscale config, under `oidc`, filling in your `client_id` and `client_secret`:
-
-```yaml
-oidc:
-  issuer: "https://accounts.google.com"
-  client_id: ""
-  client_secret: ""
-  scope: ["openid", "profile", "email"]
-```
-
-You can also use `allowed_domains` and `allowed_users` to restrict the users who can authenticate.
--- a/docs/reverse-proxy.md
+++ b/docs/reverse-proxy.md
@@ -115,17 +115,6 @@ For a slightly more complex configuration which utilizes Docker containers to ma

 ## Apache

-The following minimal Apache config will proxy traffic to the Headscale instance on `<IP:PORT>`. Note that `upgrade=any` is required as a parameter for `ProxyPass` so that WebSockets traffic whose `Upgrade` header value is not equal to `WebSocket` (i. e. Tailscale Control Protocol) is forwarded correctly. See the [Apache docs](https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html) for more information on this.
+Apache is NOT supported. It will not work. Apache [overwrites](https://github.com/svn2github/apache-httpd/blob/82779fce1be478e2333afc9fef86d34f88db718b/modules/proxy/mod_proxy_wstunnel.c#L354) the custom upgrade header of thw WebSockets connection, which is required for the Tailscale TS2021 protocol.

-```
-<VirtualHost *:443>
-	ServerName <YOUR_SERVER_NAME>
-
-	ProxyPreserveHost On
-	ProxyPass / http://<IP:PORT>/ upgrade=any
-
-	SSLEngine On
-	SSLCertificateFile <PATH_TO_CERT>
-	SSLCertificateKeyFile <PATH_CERT_KEY>
-</VirtualHost>
-```
+Please use any other reverse proxy.
--- a/docs/running-headscale-linux.md
+++ b/docs/running-headscale-linux.md
@@ -138,7 +138,6 @@ NoNewPrivileges=yes
 PrivateTmp=yes
 ProtectSystem=strict
 ProtectHome=yes
-WorkingDirectory=/var/lib/headscale
 ReadWritePaths=/var/lib/headscale /var/run/headscale
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 RuntimeDirectory=headscale
--- a/docs/running-headscale-openbsd.md
+++ b/docs/running-headscale-openbsd.md
@@ -10,14 +10,17 @@ describing how to make `headscale` run properly in a server environment.

 1. Install from ports (Not Recommend)

-   As of OpenBSD 7.2, there's a headscale in ports collection, however, it's severely outdated(v0.12.4).
+   As of OpenBSD 7.1, there's a headscale in ports collection, however, it's severely outdated(v0.12.4).
   You can install it via `pkg_add headscale`.

-2. Install from source on OpenBSD 7.2
+2. Install from source on OpenBSD 7.1

 ```shell
 # Install prerequistes
-pkg_add go
+# 1. go v1.19+: headscale newer than 0.17 needs go 1.19+ to compile
+# 2. gmake: Makefile in the headscale repo is written in GNU make syntax
+pkg_add -D snap go
+pkg_add gmake

 git clone https://github.com/juanfont/headscale.git

@@ -30,7 +33,7 @@ latestTag=$(git describe --tags `git rev-list --tags --max-count=1`)

 git checkout $latestTag

-go build -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$latestTag" github.com/juanfont/headscale
+gmake build

 # make it executable
 chmod a+x headscale
--- a/flake.nix
+++ b/flake.nix
@@ -6,163 +6,157 @@
    flake-utils.url = "github:numtide/flake-utils";
  };

-  outputs =
-    { self
-    , nixpkgs
-    , flake-utils
-    , ...
-    }:
-    let
-      headscaleVersion =
-        if (self ? shortRev)
-        then self.shortRev
-        else "dev";
-    in
+  outputs = {
+    self,
+    nixpkgs,
+    flake-utils,
+    ...
+  }: let
+    headscaleVersion =
+      if (self ? shortRev)
+      then self.shortRev
+      else "dev";
+  in
    {
-      overlay = _: prev:
-        let
-          pkgs = nixpkgs.legacyPackages.${prev.system};
-        in
-        rec {
-          headscale = pkgs.buildGo119Module rec {
-            pname = "headscale";
-            version = headscaleVersion;
-            src = pkgs.lib.cleanSource self;
+      overlay = _: prev: let
+        pkgs = nixpkgs.legacyPackages.${prev.system};
+      in rec {
+        headscale = pkgs.buildGo119Module rec {
+          pname = "headscale";
+          version = headscaleVersion;
+          src = pkgs.lib.cleanSource self;

-            tags = [ "ts2019" ];
+          tags = ["ts2019"];

-            # Only run unit tests when testing a build
-            checkFlags = [ "-short" ];
+          # Only run unit tests when testing a build
+          checkFlags = ["-short"];

-            # When updating go.mod or go.sum, a new sha will need to be calculated,
-            # update this if you have a mismatch after doing a change to thos files.
-            vendorSha256 = "sha256-QkBBzyKthDnjPCYtGDeQtW46FyWfScRczBQEhAdKHbs=";
+          # When updating go.mod or go.sum, a new sha will need to be calculated,
+          # update this if you have a mismatch after doing a change to thos files.
+          vendorSha256 = "sha256-SuKT+b8g6xEK15ry2IAmpS/vwDG+zJqK9nfsWpHNXuU=";

-            ldflags = [ "-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}" ];
-          };
-
-          golines = pkgs.buildGoModule rec {
-            pname = "golines";
-            version = "0.11.0";
-
-            src = pkgs.fetchFromGitHub {
-              owner = "segmentio";
-              repo = "golines";
-              rev = "v${version}";
-              sha256 = "sha256-2K9KAg8iSubiTbujyFGN3yggrL+EDyeUCs9OOta/19A=";
-            };
-
-            vendorSha256 = "sha256-rxYuzn4ezAxaeDhxd8qdOzt+CKYIh03A9zKNdzILq18=";
-
-            nativeBuildInputs = [ pkgs.installShellFiles ];
-          };
-
-          golangci-lint = prev.golangci-lint.override {
-            # Override https://github.com/NixOS/nixpkgs/pull/166801 which changed this
-            # to buildGo118Module because it does not build on Darwin.
-            inherit (prev) buildGoModule;
-          };
-
-          protoc-gen-grpc-gateway = pkgs.buildGoModule rec {
-            pname = "grpc-gateway";
-            version = "2.14.0";
-
-            src = pkgs.fetchFromGitHub {
-              owner = "grpc-ecosystem";
-              repo = "grpc-gateway";
-              rev = "v${version}";
-              sha256 = "sha256-lnNdsDCpeSHtl2lC1IhUw11t3cnGF+37qSM7HDvKLls=";
-            };
-
-            vendorSha256 = "sha256-dGdnDuRbwg8fU7uB5GaHEWa/zI3w06onqjturvooJQA=";
-
-            nativeBuildInputs = [ pkgs.installShellFiles ];
-
-            subPackages = [ "protoc-gen-grpc-gateway" "protoc-gen-openapiv2" ];
-          };
+          ldflags = ["-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}"];
        };
+
+        golines = pkgs.buildGoModule rec {
+          pname = "golines";
+          version = "0.11.0";
+
+          src = pkgs.fetchFromGitHub {
+            owner = "segmentio";
+            repo = "golines";
+            rev = "v${version}";
+            sha256 = "sha256-2K9KAg8iSubiTbujyFGN3yggrL+EDyeUCs9OOta/19A=";
+          };
+
+          vendorSha256 = "sha256-rxYuzn4ezAxaeDhxd8qdOzt+CKYIh03A9zKNdzILq18=";
+
+          nativeBuildInputs = [pkgs.installShellFiles];
+        };
+
+        golangci-lint = prev.golangci-lint.override {
+          # Override https://github.com/NixOS/nixpkgs/pull/166801 which changed this
+          # to buildGo118Module because it does not build on Darwin.
+          inherit (prev) buildGoModule;
+        };
+
+        protoc-gen-grpc-gateway = pkgs.buildGoModule rec {
+          pname = "grpc-gateway";
+          version = "2.14.0";
+
+          src = pkgs.fetchFromGitHub {
+            owner = "grpc-ecosystem";
+            repo = "grpc-gateway";
+            rev = "v${version}";
+            sha256 = "sha256-lnNdsDCpeSHtl2lC1IhUw11t3cnGF+37qSM7HDvKLls=";
+          };
+
+          vendorSha256 = "sha256-dGdnDuRbwg8fU7uB5GaHEWa/zI3w06onqjturvooJQA=";
+
+          nativeBuildInputs = [pkgs.installShellFiles];
+
+          subPackages = ["protoc-gen-grpc-gateway" "protoc-gen-openapiv2"];
+        };
+      };
    }
    // flake-utils.lib.eachDefaultSystem
-      (system:
-      let
-        pkgs = import nixpkgs {
-          overlays = [ self.overlay ];
-          inherit system;
-        };
-        buildDeps = with pkgs; [ git go_1_19 gnumake ];
-        devDeps = with pkgs;
-          buildDeps
-          ++ [
-            golangci-lint
-            golines
-            nodePackages.prettier
-            goreleaser
-            gotestsum
+    (system: let
+      pkgs = import nixpkgs {
+        overlays = [self.overlay];
+        inherit system;
+      };
+      buildDeps = with pkgs; [git go_1_19 gnumake];
+      devDeps = with pkgs;
+        buildDeps
+        ++ [
+          golangci-lint
+          golines
+          nodePackages.prettier
+          goreleaser

-            # Protobuf dependencies
-            protobuf
-            protoc-gen-go
-            protoc-gen-go-grpc
-            protoc-gen-grpc-gateway
-            buf
-            clang-tools # clang-format
-          ];
+          # Protobuf dependencies
+          protobuf
+          protoc-gen-go
+          protoc-gen-go-grpc
+          protoc-gen-grpc-gateway
+          buf
+          clang-tools # clang-format
+        ];

-        # Add entry to build a docker image with headscale
-        # caveat: only works on Linux
-        #
-        # Usage:
-        # nix build .#headscale-docker
-        # docker load < result
-        headscale-docker = pkgs.dockerTools.buildLayeredImage {
-          name = "headscale";
-          tag = headscaleVersion;
-          contents = [ pkgs.headscale ];
-          config.Entrypoint = [ (pkgs.headscale + "/bin/headscale") ];
-        };
-      in
-      rec {
-        # `nix develop`
-        devShell = pkgs.mkShell {
-          buildInputs = devDeps;
+      # Add entry to build a docker image with headscale
+      # caveat: only works on Linux
+      #
+      # Usage:
+      # nix build .#headscale-docker
+      # docker load < result
+      headscale-docker = pkgs.dockerTools.buildLayeredImage {
+        name = "headscale";
+        tag = headscaleVersion;
+        contents = [pkgs.headscale];
+        config.Entrypoint = [(pkgs.headscale + "/bin/headscale")];
+      };
+    in rec {
+      # `nix develop`
+      devShell = pkgs.mkShell {
+        buildInputs = devDeps;

-          shellHook = ''
-            export GOFLAGS=-tags="ts2019"
+        shellHook = ''
+          export GOFLAGS=-tags="ts2019"
+        '';
+      };
+
+      # `nix build`
+      packages = with pkgs; {
+        inherit headscale;
+        inherit headscale-docker;
+      };
+      defaultPackage = pkgs.headscale;
+
+      # `nix run`
+      apps.headscale = flake-utils.lib.mkApp {
+        drv = packages.headscale;
+      };
+      apps.default = apps.headscale;
+
+      checks = {
+        format =
+          pkgs.runCommand "check-format"
+          {
+            buildInputs = with pkgs; [
+              gnumake
+              nixpkgs-fmt
+              golangci-lint
+              nodePackages.prettier
+              golines
+              clang-tools
+            ];
+          } ''
+            ${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt ${./.}
+            ${pkgs.golangci-lint}/bin/golangci-lint run --fix --timeout 10m
+            ${pkgs.nodePackages.prettier}/bin/prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
+            ${pkgs.golines}/bin/golines --max-len=88 --base-formatter=gofumpt -w ${./.}
+            ${pkgs.clang-tools}/bin/clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i ${./.}
          '';
-        };
-
-        # `nix build`
-        packages = with pkgs; {
-          inherit headscale;
-          inherit headscale-docker;
-        };
-        defaultPackage = pkgs.headscale;
-
-        # `nix run`
-        apps.headscale = flake-utils.lib.mkApp {
-          drv = packages.headscale;
-        };
-        apps.default = apps.headscale;
-
-        checks = {
-          format =
-            pkgs.runCommand "check-format"
-              {
-                buildInputs = with pkgs; [
-                  gnumake
-                  nixpkgs-fmt
-                  golangci-lint
-                  nodePackages.prettier
-                  golines
-                  clang-tools
-                ];
-              } ''
-              ${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt ${./.}
-              ${pkgs.golangci-lint}/bin/golangci-lint run --fix --timeout 10m
-              ${pkgs.nodePackages.prettier}/bin/prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
-              ${pkgs.golines}/bin/golines --max-len=88 --base-formatter=gofumpt -w ${./.}
-              ${pkgs.clang-tools}/bin/clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i ${./.}
-            '';
-        };
-      });
+      };
+    });
 }
--- a/go.mod
+++ b/go.mod
@@ -6,52 +6,50 @@ require (
 	github.com/AlecAivazis/survey/v2 v2.3.6
 	github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029
 	github.com/cenkalti/backoff/v4 v4.2.0
-	github.com/coreos/go-oidc/v3 v3.5.0
-	github.com/davecgh/go-spew v1.1.1
+	github.com/coreos/go-oidc/v3 v3.4.0
 	github.com/deckarep/golang-set/v2 v2.1.0
 	github.com/efekarakus/termcolor v1.0.1
-	github.com/glebarez/sqlite v1.7.0
-	github.com/gofrs/uuid v4.4.0+incompatible
+	github.com/glebarez/sqlite v1.5.0
+	github.com/gofrs/uuid v4.3.1+incompatible
 	github.com/gorilla/mux v1.8.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.1
-	github.com/klauspost/compress v1.15.15
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.14.0
+	github.com/klauspost/compress v1.15.12
 	github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282
 	github.com/ory/dockertest/v3 v3.9.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philip-bui/grpc-zerolog v1.0.1
 	github.com/prometheus/client_golang v1.14.0
-	github.com/prometheus/common v0.40.0
-	github.com/pterm/pterm v0.12.54
+	github.com/prometheus/common v0.37.0
+	github.com/pterm/pterm v0.12.50
 	github.com/puzpuzpuz/xsync/v2 v2.4.0
-	github.com/rs/zerolog v1.29.0
-	github.com/samber/lo v1.37.0
+	github.com/rs/zerolog v1.28.0
 	github.com/spf13/cobra v1.6.1
-	github.com/spf13/viper v1.15.0
-	github.com/stretchr/testify v1.8.2
-	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
+	github.com/spf13/viper v1.14.0
+	github.com/stretchr/testify v1.8.1
+	github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f
 	github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e
-	go4.org/netipx v0.0.0-20230125063823-8449b0a6169f
-	golang.org/x/crypto v0.6.0
-	golang.org/x/net v0.7.0
-	golang.org/x/oauth2 v0.5.0
+	go4.org/netipx v0.0.0-20220925034521-797b0c90d8ab
+	golang.org/x/crypto v0.3.0
+	golang.org/x/net v0.2.0
+	golang.org/x/oauth2 v0.2.0
 	golang.org/x/sync v0.1.0
-	google.golang.org/genproto v0.0.0-20230223222841-637eb2293923
-	google.golang.org/grpc v1.53.0
+	google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd
+	google.golang.org/grpc v1.51.0
 	google.golang.org/protobuf v1.28.1
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
-	gorm.io/driver/postgres v1.4.8
-	gorm.io/gorm v1.24.5
-	tailscale.com v1.36.2
+	gorm.io/driver/postgres v1.4.5
+	gorm.io/gorm v1.24.2
+	tailscale.com v1.34.0
 )

 require (
 	atomicgo.dev/cursor v0.1.1 // indirect
-	atomicgo.dev/keyboard v0.2.9 // indirect
+	atomicgo.dev/keyboard v0.2.8 // indirect
 	filippo.io/edwards25519 v1.0.0 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/Microsoft/go-winio v0.6.0 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
 	github.com/akutz/memconn v0.1.0 // indirect
@@ -60,18 +58,16 @@ require (
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/containerd/console v1.0.3 // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
-	github.com/docker/cli v23.0.1+incompatible // indirect
-	github.com/docker/docker v23.0.1+incompatible // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/docker/cli v20.10.21+incompatible // indirect
+	github.com/docker/docker v20.10.21+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
-	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
-	github.com/glebarez/go-sqlite v1.20.3 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+	github.com/glebarez/go-sqlite v1.19.5 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
-	github.com/golang/glog v1.0.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
@@ -85,69 +81,71 @@ require (
 	github.com/hdevalence/ed25519consensus v0.1.0 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
+	github.com/jackc/pgconn v1.13.0 // indirect
+	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
-	github.com/jackc/pgx/v5 v5.3.0 // indirect
+	github.com/jackc/pgproto3/v2 v2.3.1 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
+	github.com/jackc/pgtype v1.13.0 // indirect
+	github.com/jackc/pgx/v4 v4.17.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
-	github.com/josharian/native v1.1.0 // indirect
-	github.com/jsimonetti/rtnetlink v1.3.1 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/josharian/native v1.0.0 // indirect
+	github.com/jsimonetti/rtnetlink v1.3.0 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
+	github.com/kr/pretty v0.3.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/lib/pq v1.10.7 // indirect
 	github.com/lithammer/fuzzysearch v1.1.5 // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
+	github.com/mattn/go-isatty v0.0.16 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/mdlayher/netlink v1.7.1 // indirect
+	github.com/mdlayher/netlink v1.7.0 // indirect
 	github.com/mdlayher/socket v0.4.0 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/moby/term v0.0.0-20221205130635-1aeaba878587 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/moby/term v0.0.0-20221128092401-c43b287e0e0f // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
 	github.com/opencontainers/runc v1.1.4 // indirect
+	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
-	github.com/prometheus/procfs v0.9.0 // indirect
-	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
-	github.com/rivo/uniseg v0.4.4 // indirect
-	github.com/rogpeppe/go-internal v1.9.0 // indirect
+	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20220927061507-ef77025ab5aa // indirect
+	github.com/rivo/uniseg v0.4.3 // indirect
+	github.com/rogpeppe/go-internal v1.8.1-0.20211023094830-115ce09fd6b4 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
-	github.com/spf13/afero v1.9.4 // indirect
+	github.com/spf13/afero v1.9.3 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/subosito/gotenv v1.4.2 // indirect
+	github.com/subosito/gotenv v1.4.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
-	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
-	golang.org/x/mod v0.8.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/term v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 // indirect
+	golang.org/x/mod v0.7.0 // indirect
+	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/term v0.2.0 // indirect
+	golang.org/x/text v0.5.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.6.0 // indirect
+	golang.org/x/tools v0.3.0 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
-	modernc.org/libc v1.22.2 // indirect
+	modernc.org/libc v1.21.5 // indirect
 	modernc.org/mathutil v1.5.0 // indirect
 	modernc.org/memory v1.5.0 // indirect
-	modernc.org/sqlite v1.20.3 // indirect
+	modernc.org/sqlite v1.20.0 // indirect
 	nhooyr.io/websocket v1.8.7 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/integration/README.md
+++ b/integration/README.md
@@ -9,17 +9,8 @@ Headscale's test framework and the current set of scenarios are defined in this

 Tests are located in files ending with `_test.go` and the framework are located in the rest.

-## Running integration tests locally
-
-The easiest way to run tests locally is to use `[act](INSERT LINK)`, a local GitHub Actions runner:
-
-```
-act pull_request -W .github/workflows/test-integration-v2-TestPingAllByIP.yaml
-```
-
-Alternatively, the `docker run` command in each GitHub workflow file can be used.
-
 ## Running integration tests on GitHub Actions

-Each test currently runs as a separate workflows in GitHub actions, to add new test, run
+Each test currently runs as a separate workflows in GitHub actions, to add new test, add
+the new test to the list in `../cmd/gh-action-integration-generator/main.go` and run
 `go generate` inside `../cmd/gh-action-integration-generator/` and commit the result.
--- a/integration/auth_oidc_test.go
+++ b/integration/auth_oidc_test.go
@@ -19,7 +19,6 @@ import (
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/ory/dockertest/v3"
 	"github.com/ory/dockertest/v3/docker"
-	"github.com/samber/lo"
 )

 const (
@@ -92,11 +91,7 @@ func TestOIDCAuthenticationPingAll(t *testing.T) {
 		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
 	}

-	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
-		return x.String()
-	})
-
-	success := pingAllHelper(t, allClients, allAddrs)
+	success := pingAll(t, allClients, allIps)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))

 	err = scenario.Shutdown()
@@ -105,7 +100,7 @@ func TestOIDCAuthenticationPingAll(t *testing.T) {
 	}
 }

-func TestOIDCExpireNodesBasedOnTokenExpiry(t *testing.T) {
+func TestOIDCExpireNodes(t *testing.T) {
 	IntegrationSkip(t)
 	t.Parallel()

@@ -130,11 +125,10 @@ func TestOIDCExpireNodesBasedOnTokenExpiry(t *testing.T) {
 	}

 	oidcMap := map[string]string{
-		"HEADSCALE_OIDC_ISSUER":                oidcConfig.Issuer,
-		"HEADSCALE_OIDC_CLIENT_ID":             oidcConfig.ClientID,
-		"HEADSCALE_OIDC_CLIENT_SECRET":         oidcConfig.ClientSecret,
-		"HEADSCALE_OIDC_STRIP_EMAIL_DOMAIN":    fmt.Sprintf("%t", oidcConfig.StripEmaildomain),
-		"HEADSCALE_OIDC_USE_EXPIRY_FROM_TOKEN": "1",
+		"HEADSCALE_OIDC_ISSUER":             oidcConfig.Issuer,
+		"HEADSCALE_OIDC_CLIENT_ID":          oidcConfig.ClientID,
+		"HEADSCALE_OIDC_CLIENT_SECRET":      oidcConfig.ClientSecret,
+		"HEADSCALE_OIDC_STRIP_EMAIL_DOMAIN": fmt.Sprintf("%t", oidcConfig.StripEmaildomain),
 	}

 	err = scenario.CreateHeadscaleEnv(
@@ -162,11 +156,7 @@ func TestOIDCExpireNodesBasedOnTokenExpiry(t *testing.T) {
 		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
 	}

-	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
-		return x.String()
-	})
-
-	success := pingAllHelper(t, allClients, allAddrs)
+	success := pingAll(t, allClients, allIps)
 	t.Logf("%d successful pings out of %d (before expiry)", success, len(allClients)*len(allIps))

 	// await all nodes being logged out after OIDC token expiry
@@ -288,10 +278,7 @@ func (s *AuthOIDCScenario) runMockOIDC(accessTTL time.Duration) (*headscale.OIDC
 	log.Printf("headscale mock oidc is ready for tests at %s", hostEndpoint)

 	return &headscale.OIDCConfig{
-		Issuer: fmt.Sprintf(
-			"http://%s/oidc",
-			net.JoinHostPort(s.mockOIDC.GetIPInNetwork(s.network), strconv.Itoa(port)),
-		),
+		Issuer:                     fmt.Sprintf("http://%s/oidc", net.JoinHostPort(s.mockOIDC.GetIPInNetwork(s.network), strconv.Itoa(port))),
 		ClientID:                   "superclient",
 		ClientSecret:               "supersecret",
 		StripEmaildomain:           true,
@@ -368,6 +355,24 @@ func (s *AuthOIDCScenario) runTailscaleUp(
 	return fmt.Errorf("failed to up tailscale node: %w", errNoUserAvailable)
 }

+func pingAll(t *testing.T, clients []TailscaleClient, ips []netip.Addr) int {
+	t.Helper()
+	success := 0
+
+	for _, client := range clients {
+		for _, ip := range ips {
+			err := client.Ping(ip.String())
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}
+
+	return success
+}
+
 func (s *AuthOIDCScenario) Shutdown() error {
 	err := s.pool.Purge(s.mockOIDC)
 	if err != nil {
--- a/integration/auth_web_flow_test.go
+++ b/integration/auth_web_flow_test.go
@@ -13,7 +13,6 @@ import (
 	"testing"

 	"github.com/juanfont/headscale/integration/hsic"
-	"github.com/samber/lo"
 )

 var errParseAuthPage = errors.New("failed to parse auth page")
@@ -60,11 +59,18 @@ func TestAuthWebFlowAuthenticationPingAll(t *testing.T) {
 		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
 	}

-	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
-		return x.String()
-	})
+	success := 0
+	for _, client := range allClients {
+		for _, ip := range allIps {
+			err := client.Ping(ip.String())
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}

-	success := pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))

 	err = scenario.Shutdown()
@@ -111,11 +117,18 @@ func TestAuthWebFlowLogoutAndRelogin(t *testing.T) {
 		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
 	}

-	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
-		return x.String()
-	})
+	success := 0
+	for _, client := range allClients {
+		for _, ip := range allIps {
+			err := client.Ping(ip.String())
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}

-	success := pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))

 	clientIPs := make(map[TailscaleClient][]netip.Addr)
@@ -162,11 +175,18 @@ func TestAuthWebFlowLogoutAndRelogin(t *testing.T) {
 		t.Errorf("failed to get clients: %s", err)
 	}

-	allAddrs = lo.Map(allIps, func(x netip.Addr, index int) string {
-		return x.String()
-	})
+	success = 0
+	for _, client := range allClients {
+		for _, ip := range allIps {
+			err := client.Ping(ip.String())
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}

-	success = pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))

 	for _, client := range allClients {
@@ -191,12 +211,7 @@ func TestAuthWebFlowLogoutAndRelogin(t *testing.T) {
 			}

 			if !found {
-				t.Errorf(
-					"IPs changed for client %s. Used to be %v now %v",
-					client.Hostname(),
-					clientIPs[client],
-					ips,
-				)
+				t.Errorf("IPs changed for client %s. Used to be %v now %v", client.Hostname(), clientIPs[client], ips)
 			}
 		}
 	}
@@ -320,7 +335,7 @@ func (s *AuthWebFlowScenario) runHeadscaleRegister(userStr string, loginURL *url

 	if headscale, err := s.Headscale(); err == nil {
 		_, err = headscale.Execute(
-			[]string{"headscale", "nodes", "register", "--user", userStr, "--key", key},
+			[]string{"headscale", "-n", userStr, "nodes", "register", "--key", key},
 		)
 		if err != nil {
 			log.Printf("failed to register node: %s", err)
--- a/integration/cli_test.go
+++ b/integration/cli_test.go
@@ -99,7 +99,7 @@ func TestUserCommand(t *testing.T) {

 	assert.Equal(
 		t,
-		[]string{"newname", "user1"},
+		[]string{"user1", "newname"},
 		result,
 	)

--- a/integration/control.go
+++ b/integration/control.go
@@ -6,7 +6,6 @@ import (

 type ControlServer interface {
 	Shutdown() error
-	SaveLog(string) error
 	Execute(command []string) (string, error)
 	GetHealthEndpoint() string
 	GetEndpoint() string
--- a/integration/dockertestutil/logs.go
+++ b/integration/dockertestutil/logs.go
@@ -1,68 +0,0 @@
-package dockertestutil
-
-import (
-	"bytes"
-	"context"
-	"log"
-	"os"
-	"path"
-
-	"github.com/ory/dockertest/v3"
-	"github.com/ory/dockertest/v3/docker"
-)
-
-const filePerm = 0o644
-
-func SaveLog(
-	pool *dockertest.Pool,
-	resource *dockertest.Resource,
-	basePath string,
-) error {
-	err := os.MkdirAll(basePath, os.ModePerm)
-	if err != nil {
-		return err
-	}
-
-	var stdout bytes.Buffer
-	var stderr bytes.Buffer
-
-	err = pool.Client.Logs(
-		docker.LogsOptions{
-			Context:      context.TODO(),
-			Container:    resource.Container.ID,
-			OutputStream: &stdout,
-			ErrorStream:  &stderr,
-			Tail:         "all",
-			RawTerminal:  false,
-			Stdout:       true,
-			Stderr:       true,
-			Follow:       false,
-			Timestamps:   false,
-		},
-	)
-	if err != nil {
-		return err
-	}
-
-	log.Printf("Saving logs for %s to %s\n", resource.Container.Name, basePath)
-
-	err = os.WriteFile(
-		path.Join(basePath, resource.Container.Name+".stdout.log"),
-		stdout.Bytes(),
-		filePerm,
-	)
-	if err != nil {
-		return err
-	}
-
-	err = os.WriteFile(
-		path.Join(basePath, resource.Container.Name+".stderr.log"),
-		stderr.Bytes(),
-		filePerm,
-	)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
--- a/integration/general_test.go
+++ b/integration/general_test.go
@@ -1,19 +1,15 @@
 package integration

 import (
-	"encoding/json"
 	"fmt"
 	"net/netip"
 	"strings"
 	"testing"
 	"time"

-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/rs/zerolog/log"
-	"github.com/samber/lo"
-	"github.com/stretchr/testify/assert"
 )

 func TestPingAllByIP(t *testing.T) {
@@ -50,11 +46,19 @@ func TestPingAllByIP(t *testing.T) {
 		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
 	}

-	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
-		return x.String()
-	})
+	success := 0
+
+	for _, client := range allClients {
+		for _, ip := range allIps {
+			err := client.Ping(ip.String())
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}

-	success := pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))

 	err = scenario.Shutdown()
@@ -144,11 +148,18 @@ func TestAuthKeyLogoutAndRelogin(t *testing.T) {
 		t.Errorf("failed to get clients: %s", err)
 	}

-	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
-		return x.String()
-	})
+	success := 0
+	for _, client := range allClients {
+		for _, ip := range allIps {
+			err := client.Ping(ip.String())
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}

-	success := pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))

 	for _, client := range allClients {
@@ -173,12 +184,7 @@ func TestAuthKeyLogoutAndRelogin(t *testing.T) {
 			}

 			if !found {
-				t.Errorf(
-					"IPs changed for client %s. Used to be %v now %v",
-					client.Hostname(),
-					clientIPs[client],
-					ips,
-				)
+				t.Errorf("IPs changed for client %s. Used to be %v now %v", client.Hostname(), clientIPs[client], ips)
 			}
 		}
 	}
@@ -247,11 +253,18 @@ func TestEphemeral(t *testing.T) {
 		t.Errorf("failed to get clients: %s", err)
 	}

-	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
-		return x.String()
-	})
+	success := 0
+	for _, client := range allClients {
+		for _, ip := range allIps {
+			err := client.Ping(ip.String())
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}

-	success := pingAllHelper(t, allClients, allAddrs)
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))

 	for _, client := range allClients {
@@ -322,7 +335,18 @@ func TestPingAllByHostname(t *testing.T) {
 		t.Errorf("failed to get FQDNs: %s", err)
 	}

-	success := pingAllHelper(t, allClients, allHostnames)
+	success := 0
+
+	for _, client := range allClients {
+		for _, hostname := range allHostnames {
+			err := client.Ping(hostname)
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", hostname, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}

 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allClients))

@@ -558,93 +582,3 @@ func TestResolveMagicDNS(t *testing.T) {
 		t.Errorf("failed to tear down scenario: %s", err)
 	}
 }
-
-func TestExpireNode(t *testing.T) {
-	IntegrationSkip(t)
-	t.Parallel()
-
-	scenario, err := NewScenario()
-	if err != nil {
-		t.Errorf("failed to create scenario: %s", err)
-	}
-
-	spec := map[string]int{
-		"user1": len(TailscaleVersions),
-	}
-
-	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("expirenode"))
-	if err != nil {
-		t.Errorf("failed to create headscale environment: %s", err)
-	}
-
-	allClients, err := scenario.ListTailscaleClients()
-	if err != nil {
-		t.Errorf("failed to get clients: %s", err)
-	}
-
-	allIps, err := scenario.ListTailscaleClientsIPs()
-	if err != nil {
-		t.Errorf("failed to get clients: %s", err)
-	}
-
-	err = scenario.WaitForTailscaleSync()
-	if err != nil {
-		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
-	}
-
-	allAddrs := lo.Map(allIps, func(x netip.Addr, index int) string {
-		return x.String()
-	})
-
-	success := pingAllHelper(t, allClients, allAddrs)
-	t.Logf("before expire: %d successful pings out of %d", success, len(allClients)*len(allIps))
-
-	for _, client := range allClients {
-		status, err := client.Status()
-		assert.NoError(t, err)
-
-		// Assert that we have the original count - self
-		assert.Len(t, status.Peers(), len(TailscaleVersions)-1)
-	}
-
-	headscale, err := scenario.Headscale()
-	assert.NoError(t, err)
-
-	// TODO(kradalby): This is Headscale specific and would not play nicely
-	// with other implementations of the ControlServer interface
-	result, err := headscale.Execute([]string{
-		"headscale", "nodes", "expire", "--identifier", "0", "--output", "json",
-	})
-	assert.NoError(t, err)
-
-	var machine v1.Machine
-	err = json.Unmarshal([]byte(result), &machine)
-	assert.NoError(t, err)
-
-	time.Sleep(30 * time.Second)
-
-	// Verify that the expired not is no longer present in the Peer list
-	// of connected nodes.
-	for _, client := range allClients {
-		status, err := client.Status()
-		assert.NoError(t, err)
-
-		for _, peerKey := range status.Peers() {
-			peerStatus := status.Peer[peerKey]
-
-			peerPublicKey := strings.TrimPrefix(peerStatus.PublicKey.String(), "nodekey:")
-
-			assert.NotEqual(t, machine.NodeKey, peerPublicKey)
-		}
-
-		if client.Hostname() != machine.Name {
-			// Assert that we have the original count - self - expired node
-			assert.Len(t, status.Peers(), len(TailscaleVersions)-2)
-		}
-	}
-
-	err = scenario.Shutdown()
-	if err != nil {
-		t.Errorf("failed to tear down scenario: %s", err)
-	}
-}
--- a/integration/hsic/hsic.go
+++ b/integration/hsic/hsic.go
@@ -41,8 +41,6 @@ type fileInContainer struct {
 	contents []byte
 }

-// HeadscaleInContainer is an implementation of ControlServer which
-// sets up a Headscale instance inside a container.
 type HeadscaleInContainer struct {
 	hostname string

@@ -59,12 +57,8 @@ type HeadscaleInContainer struct {
 	filesInContainer []fileInContainer
 }

-// Option represent optional settings that can be given to a
-// Headscale instance.
 type Option = func(c *HeadscaleInContainer)

-// WithACLPolicy adds a headscale.ACLPolicy policy to the
-// HeadscaleInContainer instance.
 func WithACLPolicy(acl *headscale.ACLPolicy) Option {
 	return func(hsic *HeadscaleInContainer) {
 		// TODO(kradalby): Move somewhere appropriate
@@ -74,7 +68,6 @@ func WithACLPolicy(acl *headscale.ACLPolicy) Option {
 	}
 }

-// WithTLS creates certificates and enables HTTPS.
 func WithTLS() Option {
 	return func(hsic *HeadscaleInContainer) {
 		cert, key, err := createCertificate()
@@ -91,8 +84,6 @@ func WithTLS() Option {
 	}
 }

-// WithConfigEnv takes a map of environment variables that
-// can be used to override Headscale configuration.
 func WithConfigEnv(configEnv map[string]string) Option {
 	return func(hsic *HeadscaleInContainer) {
 		for key, value := range configEnv {
@@ -101,15 +92,12 @@ func WithConfigEnv(configEnv map[string]string) Option {
 	}
 }

-// WithPort sets the port on where to run Headscale.
 func WithPort(port int) Option {
 	return func(hsic *HeadscaleInContainer) {
 		hsic.port = port
 	}
 }

-// WithTestName sets a name for the test, this will be reflected
-// in the Docker container name.
 func WithTestName(testName string) Option {
 	return func(hsic *HeadscaleInContainer) {
 		hash, _ := headscale.GenerateRandomStringDNSSafe(hsicHashLength)
@@ -119,8 +107,6 @@ func WithTestName(testName string) Option {
 	}
 }

-// WithHostnameAsServerURL sets the Headscale ServerURL based on
-// the Hostname.
 func WithHostnameAsServerURL() Option {
 	return func(hsic *HeadscaleInContainer) {
 		hsic.env["HEADSCALE_SERVER_URL"] = fmt.Sprintf("http://%s",
@@ -130,7 +116,6 @@ func WithHostnameAsServerURL() Option {
 	}
 }

-// WithFileInContainer adds a file to the container at the given path.
 func WithFileInContainer(path string, contents []byte) Option {
 	return func(hsic *HeadscaleInContainer) {
 		hsic.filesInContainer = append(hsic.filesInContainer,
@@ -141,7 +126,6 @@ func WithFileInContainer(path string, contents []byte) Option {
 	}
 }

-// New returns a new HeadscaleInContainer instance.
 func New(
 	pool *dockertest.Pool,
 	network *dockertest.Network,
@@ -260,19 +244,10 @@ func (t *HeadscaleInContainer) hasTLS() bool {
 	return len(t.tlsCert) != 0 && len(t.tlsKey) != 0
 }

-// Shutdown stops and cleans up the Headscale container.
 func (t *HeadscaleInContainer) Shutdown() error {
 	return t.pool.Purge(t.container)
 }

-// SaveLog saves the current stdout log of the container to a path
-// on the host system.
-func (t *HeadscaleInContainer) SaveLog(path string) error {
-	return dockertestutil.SaveLog(t.pool, t.container, path)
-}
-
-// Execute runs a command inside the Headscale container and returns the
-// result of stdout as a string.
 func (t *HeadscaleInContainer) Execute(
 	command []string,
 ) (string, error) {
@@ -294,23 +269,18 @@ func (t *HeadscaleInContainer) Execute(
 	return stdout, nil
 }

-// GetIP returns the docker container IP as a string.
 func (t *HeadscaleInContainer) GetIP() string {
 	return t.container.GetIPInNetwork(t.network)
 }

-// GetPort returns the docker container port as a string.
 func (t *HeadscaleInContainer) GetPort() string {
 	return fmt.Sprintf("%d", t.port)
 }

-// GetHealthEndpoint returns a health endpoint for the HeadscaleInContainer
-// instance.
 func (t *HeadscaleInContainer) GetHealthEndpoint() string {
 	return fmt.Sprintf("%s/health", t.GetEndpoint())
 }

-// GetEndpoint returns the Headscale endpoint for the HeadscaleInContainer.
 func (t *HeadscaleInContainer) GetEndpoint() string {
 	hostEndpoint := fmt.Sprintf("%s:%d",
 		t.GetIP(),
@@ -323,18 +293,14 @@ func (t *HeadscaleInContainer) GetEndpoint() string {
 	return fmt.Sprintf("http://%s", hostEndpoint)
 }

-// GetCert returns the public certificate of the HeadscaleInContainer.
 func (t *HeadscaleInContainer) GetCert() []byte {
 	return t.tlsCert
 }

-// GetHostname returns the hostname of the HeadscaleInContainer.
 func (t *HeadscaleInContainer) GetHostname() string {
 	return t.hostname
 }

-// WaitForReady blocks until the Headscale instance is ready to
-// serve clients.
 func (t *HeadscaleInContainer) WaitForReady() error {
 	url := t.GetHealthEndpoint()

@@ -362,7 +328,6 @@ func (t *HeadscaleInContainer) WaitForReady() error {
 	})
 }

-// CreateUser adds a new user to the Headscale instance.
 func (t *HeadscaleInContainer) CreateUser(
 	user string,
 ) error {
@@ -380,8 +345,6 @@ func (t *HeadscaleInContainer) CreateUser(
 	return nil
 }

-// CreateAuthKey creates a new "authorisation key" for a User that can be used
-// to authorise a TailscaleClient with the Headscale instance.
 func (t *HeadscaleInContainer) CreateAuthKey(
 	user string,
 	reusable bool,
@@ -425,8 +388,6 @@ func (t *HeadscaleInContainer) CreateAuthKey(
 	return &preAuthKey, nil
 }

-// ListMachinesInUser list the TailscaleClients (Machine, Headscale internal representation)
-// associated with a user.
 func (t *HeadscaleInContainer) ListMachinesInUser(
 	user string,
 ) ([]*v1.Machine, error) {
@@ -450,7 +411,6 @@ func (t *HeadscaleInContainer) ListMachinesInUser(
 	return nodes, nil
 }

-// WriteFile save file inside the Headscale container.
 func (t *HeadscaleInContainer) WriteFile(path string, data []byte) error {
 	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
 }
--- a/integration/scenario.go
+++ b/integration/scenario.go
@@ -26,15 +26,13 @@ const (
 var (
 	errNoHeadscaleAvailable = errors.New("no headscale available")
 	errNoUserAvailable      = errors.New("no user available")
-	errNoClientFound        = errors.New("client not found")

 	// Tailscale started adding TS2021 support in CapabilityVersion>=28 (v1.24.0), but
 	// proper support in Headscale was only added for CapabilityVersion>=39 clients (v1.30.0).
 	tailscaleVersions2021 = []string{
 		"head",
 		"unstable",
-		"1.36.0",
-		"1.34.2",
+		"1.34.0",
 		"1.32.3",
 		"1.30.2",
 	}
@@ -57,23 +55,12 @@ var (
 	// 	"1.8.7",
 	// }.

-	// TailscaleVersions represents a list of Tailscale versions the suite
-	// uses to test compatibility with the ControlServer.
-	//
-	// The list contains two special cases, "head" and "unstable" which
-	// points to the current tip of Tailscale's main branch and the latest
-	// released unstable version.
-	//
-	// The rest of the version represents Tailscale versions that can be
-	// found in Tailscale's apt repository.
 	TailscaleVersions = append(
 		tailscaleVersions2021,
 		tailscaleVersions2019...,
 	)
 )

-// User represents a User in the ControlServer and a map of TailscaleClient's
-// associated with the User.
 type User struct {
 	Clients map[string]TailscaleClient

@@ -82,10 +69,6 @@ type User struct {
 	syncWaitGroup   sync.WaitGroup
 }

-// Scenario is a representation of an environment with one ControlServer and
-// one or more User's and its associated TailscaleClients.
-// A Scenario is intended to simplify setting up a new testcase for testing
-// a ControlServer with TailscaleClients.
 // TODO(kradalby): make control server configurable, test correctness with Tailscale SaaS.
 type Scenario struct {
 	// TODO(kradalby): support multiple headcales for later, currently only
@@ -100,8 +83,6 @@ type Scenario struct {
 	headscaleLock sync.Mutex
 }

-// NewScenario creates a test Scenario which can be used to bootstraps a ControlServer with
-// a set of Users and TailscaleClients.
 func NewScenario() (*Scenario, error) {
 	hash, err := headscale.GenerateRandomStringDNSSafe(scenarioHashLength)
 	if err != nil {
@@ -142,21 +123,9 @@ func NewScenario() (*Scenario, error) {
 	}, nil
 }

-// Shutdown shuts down and cleans up all the containers (ControlServer, TailscaleClient)
-// and networks associated with it.
-// In addition, it will save the logs of the ControlServer to `/tmp/control` in the
-// environment running the tests.
 func (s *Scenario) Shutdown() error {
 	s.controlServers.Range(func(_ string, control ControlServer) bool {
-		err := control.SaveLog("/tmp/control")
-		if err != nil {
-			log.Printf(
-				"Failed to save log from control: %s",
-				fmt.Errorf("failed to save log from control: %w", err),
-			)
-		}
-
-		err = control.Shutdown()
+		err := control.Shutdown()
 		if err != nil {
 			log.Printf(
 				"Failed to shut down control: %s",
@@ -189,7 +158,6 @@ func (s *Scenario) Shutdown() error {
 	return nil
 }

-// Users returns the name of all users associated with the Scenario.
 func (s *Scenario) Users() []string {
 	users := make([]string, 0)
 	for user := range s.users {
@@ -202,9 +170,6 @@ func (s *Scenario) Users() []string {
 /// Headscale related stuff
 // Note: These functions assume that there is a _single_ headscale instance for now

-// Headscale returns a ControlServer instance based on hsic (HeadscaleInContainer)
-// If the Scenario already has an instance, the pointer to the running container
-// will be return, otherwise a new instance will be created.
 // TODO(kradalby): make port and headscale configurable, multiple instances support?
 func (s *Scenario) Headscale(opts ...hsic.Option) (ControlServer, error) {
 	s.headscaleLock.Lock()
@@ -229,13 +194,7 @@ func (s *Scenario) Headscale(opts ...hsic.Option) (ControlServer, error) {
 	return headscale, nil
 }

-// CreatePreAuthKey creates a "pre authentorised key" to be created in the
-// Headscale instance on behalf of the Scenario.
-func (s *Scenario) CreatePreAuthKey(
-	user string,
-	reusable bool,
-	ephemeral bool,
-) (*v1.PreAuthKey, error) {
+func (s *Scenario) CreatePreAuthKey(user string, reusable bool, ephemeral bool) (*v1.PreAuthKey, error) {
 	if headscale, err := s.Headscale(); err == nil {
 		key, err := headscale.CreateAuthKey(user, reusable, ephemeral)
 		if err != nil {
@@ -248,8 +207,6 @@ func (s *Scenario) CreatePreAuthKey(
 	return nil, fmt.Errorf("failed to create user: %w", errNoHeadscaleAvailable)
 }

-// CreateUser creates a User to be created in the
-// Headscale instance on behalf of the Scenario.
 func (s *Scenario) CreateUser(user string) error {
 	if headscale, err := s.Headscale(); err == nil {
 		err := headscale.CreateUser(user)
@@ -269,8 +226,6 @@ func (s *Scenario) CreateUser(user string) error {

 /// Client related stuff

-// CreateTailscaleNodesInUser creates and adds a new TailscaleClient to a
-// User in the Scenario.
 func (s *Scenario) CreateTailscaleNodesInUser(
 	userStr string,
 	requestedVersion string,
@@ -331,8 +286,6 @@ func (s *Scenario) CreateTailscaleNodesInUser(
 	return fmt.Errorf("failed to add tailscale node: %w", errNoUserAvailable)
 }

-// RunTailscaleUp will log in all of the TailscaleClients associated with a
-// User to the given ControlServer (by URL).
 func (s *Scenario) RunTailscaleUp(
 	userStr, loginServer, authKey string,
 ) error {
@@ -361,8 +314,6 @@ func (s *Scenario) RunTailscaleUp(
 	return fmt.Errorf("failed to up tailscale node: %w", errNoUserAvailable)
 }

-// CountTailscale returns the total number of TailscaleClients in a Scenario.
-// This is the sum of Users x TailscaleClients.
 func (s *Scenario) CountTailscale() int {
 	count := 0

@@ -373,8 +324,6 @@ func (s *Scenario) CountTailscale() int {
 	return count
 }

-// WaitForTailscaleSync blocks execution until all the TailscaleClient reports
-// to have all other TailscaleClients present in their netmap.NetworkMap.
 func (s *Scenario) WaitForTailscaleSync() error {
 	tsCount := s.CountTailscale()

@@ -395,7 +344,7 @@ func (s *Scenario) WaitForTailscaleSync() error {
 	return nil
 }

-// CreateHeadscaleEnv is a conventient method returning a complete Headcale
+// CreateHeadscaleEnv is a conventient method returning a set up Headcale
 // test environment with nodes of all versions, joined to the server with X
 // users.
 func (s *Scenario) CreateHeadscaleEnv(
@@ -433,8 +382,6 @@ func (s *Scenario) CreateHeadscaleEnv(
 	return nil
 }

-// GetIPs returns all netip.Addr of TailscaleClients associated with a User
-// in a Scenario.
 func (s *Scenario) GetIPs(user string) ([]netip.Addr, error) {
 	var ips []netip.Addr
 	if ns, ok := s.users[user]; ok {
@@ -452,7 +399,6 @@ func (s *Scenario) GetIPs(user string) ([]netip.Addr, error) {
 	return ips, fmt.Errorf("failed to get ips: %w", errNoUserAvailable)
 }

-// GetIPs returns all TailscaleClients associated with a User in a Scenario.
 func (s *Scenario) GetClients(user string) ([]TailscaleClient, error) {
 	var clients []TailscaleClient
 	if ns, ok := s.users[user]; ok {
@@ -466,8 +412,6 @@ func (s *Scenario) GetClients(user string) ([]TailscaleClient, error) {
 	return clients, fmt.Errorf("failed to get clients: %w", errNoUserAvailable)
 }

-// ListTailscaleClients returns a list of TailscaleClients given the Users
-// passed as parameters.
 func (s *Scenario) ListTailscaleClients(users ...string) ([]TailscaleClient, error) {
 	var allClients []TailscaleClient

@@ -487,28 +431,6 @@ func (s *Scenario) ListTailscaleClients(users ...string) ([]TailscaleClient, err
 	return allClients, nil
 }

-// FindTailscaleClientByIP returns a TailscaleClient associated with an IP address
-// if it exists.
-func (s *Scenario) FindTailscaleClientByIP(ip netip.Addr) (TailscaleClient, error) {
-	clients, err := s.ListTailscaleClients()
-	if err != nil {
-		return nil, err
-	}
-
-	for _, client := range clients {
-		ips, _ := client.IPs()
-		for _, ip2 := range ips {
-			if ip == ip2 {
-				return client, nil
-			}
-		}
-	}
-
-	return nil, errNoClientFound
-}
-
-// ListTailscaleClientsIPs returns a list of netip.Addr based on Users
-// passed as parameters.
 func (s *Scenario) ListTailscaleClientsIPs(users ...string) ([]netip.Addr, error) {
 	var allIps []netip.Addr

@@ -528,8 +450,6 @@ func (s *Scenario) ListTailscaleClientsIPs(users ...string) ([]netip.Addr, error
 	return allIps, nil
 }

-// ListTailscaleClientsIPs returns a list of FQDN based on Users
-// passed as parameters.
 func (s *Scenario) ListTailscaleClientsFQDNs(users ...string) ([]string, error) {
 	allFQDNs := make([]string, 0)

@@ -550,8 +470,6 @@ func (s *Scenario) ListTailscaleClientsFQDNs(users ...string) ([]string, error)
 	return allFQDNs, nil
 }

-// WaitForTailscaleLogout blocks execution until all TailscaleClients have
-// logged out of the ControlServer.
 func (s *Scenario) WaitForTailscaleLogout() {
 	for _, user := range s.users {
 		for _, client := range user.Clients {
--- a/integration/tailscale.go
+++ b/integration/tailscale.go
@@ -4,7 +4,6 @@ import (
 	"net/netip"
 	"net/url"

-	"github.com/juanfont/headscale/integration/tsic"
 	"tailscale.com/ipn/ipnstate"
 )

@@ -23,6 +22,6 @@ type TailscaleClient interface {
 	WaitForReady() error
 	WaitForLogout() error
 	WaitForPeers(expected int) error
-	Ping(hostnameOrIP string, opts ...tsic.PingOption) error
+	Ping(hostnameOrIP string) error
 	ID() string
 }
--- a/integration/tsic/tsic.go
+++ b/integration/tsic/tsic.go
@@ -7,9 +7,7 @@ import (
 	"log"
 	"net/netip"
 	"net/url"
-	"strconv"
 	"strings"
-	"time"

 	"github.com/cenkalti/backoff/v4"
 	"github.com/juanfont/headscale"
@@ -22,7 +20,6 @@ import (

 const (
 	tsicHashLength    = 6
-	defaultPingCount  = 10
 	dockerContextPath = "../."
 	headscaleCertPath = "/usr/local/share/ca-certificates/headscale.crt"
 )
@@ -36,8 +33,6 @@ var (
 	errTailscaleNotLoggedOut           = errors.New("tailscale not logged out")
 )

-// TailscaleInContainer is an implementation of TailscaleClient which
-// sets up a Tailscale instance inside a container.
 type TailscaleInContainer struct {
 	version  string
 	hostname string
@@ -54,25 +49,16 @@ type TailscaleInContainer struct {
 	headscaleCert     []byte
 	headscaleHostname string
 	withSSH           bool
-	withTags          []string
 }

-// Option represent optional settings that can be given to a
-// Tailscale instance.
 type Option = func(c *TailscaleInContainer)

-// WithHeadscaleTLS takes the certificate of the Headscale instance
-// and adds it to the trusted surtificate of the Tailscale container.
 func WithHeadscaleTLS(cert []byte) Option {
 	return func(tsic *TailscaleInContainer) {
 		tsic.headscaleCert = cert
 	}
 }

-// WithOrCreateNetwork sets the Docker container network to use with
-// the Tailscale instance, if the parameter is nil, a new network,
-// isolating the TailscaleClient, will be created. If a network is
-// passed, the Tailscale instance will join the given network.
 func WithOrCreateNetwork(network *dockertest.Network) Option {
 	return func(tsic *TailscaleInContainer) {
 		if network != nil {
@@ -93,29 +79,18 @@ func WithOrCreateNetwork(network *dockertest.Network) Option {
 	}
 }

-// WithHeadscaleName set the name of the headscale instance,
-// mostly useful in combination with TLS and WithHeadscaleTLS.
 func WithHeadscaleName(hsName string) Option {
 	return func(tsic *TailscaleInContainer) {
 		tsic.headscaleHostname = hsName
 	}
 }

-// WithTags associates the given tags to the Tailscale instance.
-func WithTags(tags []string) Option {
-	return func(tsic *TailscaleInContainer) {
-		tsic.withTags = tags
-	}
-}
-
-// WithSSH enables SSH for the Tailscale instance.
 func WithSSH() Option {
 	return func(tsic *TailscaleInContainer) {
 		tsic.withSSH = true
 	}
 }

-// New returns a new TailscaleInContainer instance.
 func New(
 	pool *dockertest.Pool,
 	version string,
@@ -197,29 +172,22 @@ func (t *TailscaleInContainer) hasTLS() bool {
 	return len(t.headscaleCert) != 0
 }

-// Shutdown stops and cleans up the Tailscale container.
 func (t *TailscaleInContainer) Shutdown() error {
 	return t.pool.Purge(t.container)
 }

-// Hostname returns the hostname of the Tailscale instance.
 func (t *TailscaleInContainer) Hostname() string {
 	return t.hostname
 }

-// Version returns the running Tailscale version of the instance.
 func (t *TailscaleInContainer) Version() string {
 	return t.version
 }

-// ID returns the Docker container ID of the TailscaleInContainer
-// instance.
 func (t *TailscaleInContainer) ID() string {
 	return t.container.Container.ID
 }

-// Execute runs a command inside the Tailscale container and returns the
-// result of stdout as a string.
 func (t *TailscaleInContainer) Execute(
 	command []string,
 ) (string, string, error) {
@@ -245,8 +213,6 @@ func (t *TailscaleInContainer) Execute(
 	return stdout, stderr, nil
 }

-// Up runs the login routine on the given Tailscale instance.
-// This login mechanism uses the authorised key for authentication.
 func (t *TailscaleInContainer) Up(
 	loginServer, authKey string,
 ) error {
@@ -265,12 +231,6 @@ func (t *TailscaleInContainer) Up(
 		command = append(command, "--ssh")
 	}

-	if len(t.withTags) > 0 {
-		command = append(command,
-			fmt.Sprintf(`--advertise-tags=%s`, strings.Join(t.withTags, ",")),
-		)
-	}
-
 	if _, _, err := t.Execute(command); err != nil {
 		return fmt.Errorf("failed to join tailscale client: %w", err)
 	}
@@ -278,8 +238,6 @@ func (t *TailscaleInContainer) Up(
 	return nil
 }

-// Up runs the login routine on the given Tailscale instance.
-// This login mechanism uses web + command line flow for authentication.
 func (t *TailscaleInContainer) UpWithLoginURL(
 	loginServer string,
 ) (*url.URL, error) {
@@ -312,7 +270,6 @@ func (t *TailscaleInContainer) UpWithLoginURL(
 	return loginURL, nil
 }

-// Logout runs the logout routine on the given Tailscale instance.
 func (t *TailscaleInContainer) Logout() error {
 	_, _, err := t.Execute([]string{"tailscale", "logout"})
 	if err != nil {
@@ -322,7 +279,6 @@ func (t *TailscaleInContainer) Logout() error {
 	return nil
 }

-// IPs returns the netip.Addr of the Tailscale instance.
 func (t *TailscaleInContainer) IPs() ([]netip.Addr, error) {
 	if t.ips != nil && len(t.ips) != 0 {
 		return t.ips, nil
@@ -355,7 +311,6 @@ func (t *TailscaleInContainer) IPs() ([]netip.Addr, error) {
 	return ips, nil
 }

-// Status returns the ipnstate.Status of the Tailscale instance.
 func (t *TailscaleInContainer) Status() (*ipnstate.Status, error) {
 	command := []string{
 		"tailscale",
@@ -377,7 +332,6 @@ func (t *TailscaleInContainer) Status() (*ipnstate.Status, error) {
 	return &status, err
 }

-// FQDN returns the FQDN as a string of the Tailscale instance.
 func (t *TailscaleInContainer) FQDN() (string, error) {
 	if t.fqdn != "" {
 		return t.fqdn, nil
@@ -391,8 +345,6 @@ func (t *TailscaleInContainer) FQDN() (string, error) {
 	return status.Self.DNSName, nil
 }

-// WaitForReady blocks until the Tailscale (tailscaled) instance is ready
-// to login or be used.
 func (t *TailscaleInContainer) WaitForReady() error {
 	return t.pool.Retry(func() error {
 		status, err := t.Status()
@@ -408,7 +360,6 @@ func (t *TailscaleInContainer) WaitForReady() error {
 	})
 }

-// WaitForLogout blocks until the Tailscale instance has logged out.
 func (t *TailscaleInContainer) WaitForLogout() error {
 	return t.pool.Retry(func() error {
 		status, err := t.Status()
@@ -424,8 +375,6 @@ func (t *TailscaleInContainer) WaitForLogout() error {
 	})
 }

-// WaitForPeers blocks until N number of peers is present in the
-// Peer list of the Tailscale instance.
 func (t *TailscaleInContainer) WaitForPeers(expected int) error {
 	return t.pool.Retry(func() error {
 		status, err := t.Status()
@@ -441,65 +390,17 @@ func (t *TailscaleInContainer) WaitForPeers(expected int) error {
 	})
 }

-type (
-	// PingOption repreent optional settings that can be given
-	// to ping another host.
-	PingOption = func(args *pingArgs)
-
-	pingArgs struct {
-		timeout time.Duration
-		count   int
-		direct  bool
-	}
-)
-
-// WithPingTimeout sets the timeout for the ping command.
-func WithPingTimeout(timeout time.Duration) PingOption {
-	return func(args *pingArgs) {
-		args.timeout = timeout
-	}
-}
-
-// WithPingCount sets the count of pings to attempt.
-func WithPingCount(count int) PingOption {
-	return func(args *pingArgs) {
-		args.count = count
-	}
-}
-
-// WithPingUntilDirect decides if the ping should only succeed
-// if a direct connection is established or if successful
-// DERP ping is sufficient.
-func WithPingUntilDirect(direct bool) PingOption {
-	return func(args *pingArgs) {
-		args.direct = direct
-	}
-}
-
-// Ping executes the Tailscale ping command and pings a hostname
-// or IP. It accepts a series of PingOption.
 // TODO(kradalby): Make multiping, go routine magic.
-func (t *TailscaleInContainer) Ping(hostnameOrIP string, opts ...PingOption) error {
-	args := pingArgs{
-		timeout: time.Second,
-		count:   defaultPingCount,
-		direct:  true,
-	}
-
-	for _, opt := range opts {
-		opt(&args)
-	}
-
-	command := []string{
-		"tailscale", "ping",
-		fmt.Sprintf("--timeout=%s", args.timeout),
-		fmt.Sprintf("--c=%d", args.count),
-		fmt.Sprintf("--until-direct=%s", strconv.FormatBool(args.direct)),
-	}
-
-	command = append(command, hostnameOrIP)
-
+func (t *TailscaleInContainer) Ping(hostnameOrIP string) error {
 	return t.pool.Retry(func() error {
+		command := []string{
+			"tailscale", "ping",
+			"--timeout=1s",
+			"--c=10",
+			"--until-direct=true",
+			hostnameOrIP,
+		}
+
 		result, _, err := t.Execute(command)
 		if err != nil {
 			log.Printf(
@@ -520,7 +421,6 @@ func (t *TailscaleInContainer) Ping(hostnameOrIP string, opts ...PingOption) err
 	})
 }

-// WriteFile save file inside the Tailscale container.
 func (t *TailscaleInContainer) WriteFile(path string, data []byte) error {
 	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
 }
--- a/integration/utils.go
+++ b/integration/utils.go
@@ -1,48 +0,0 @@
-package integration
-
-import (
-	"testing"
-)
-
-func pingAllHelper(t *testing.T, clients []TailscaleClient, addrs []string) int {
-	t.Helper()
-	success := 0
-
-	for _, client := range clients {
-		for _, addr := range addrs {
-			err := client.Ping(addr)
-			if err != nil {
-				t.Errorf("failed to ping %s from %s: %s", addr, client.Hostname(), err)
-			} else {
-				success++
-			}
-		}
-	}
-
-	return success
-}
-
-// pingAllNegativeHelper is intended to have 1 or more nodes timeing out from the ping,
-// it counts failures instead of successes.
-// func pingAllNegativeHelper(t *testing.T, clients []TailscaleClient, addrs []string) int {
-// 	t.Helper()
-// 	failures := 0
-//
-// 	timeout := 100
-// 	count := 3
-//
-// 	for _, client := range clients {
-// 		for _, addr := range addrs {
-// 			err := client.Ping(
-// 				addr,
-// 				tsic.WithPingTimeout(time.Duration(timeout)*time.Millisecond),
-// 				tsic.WithPingCount(count),
-// 			)
-// 			if err != nil {
-// 				failures++
-// 			}
-// 		}
-// 	}
-//
-// 	return failures
-// }
--- a/integration_cli_test.go
+++ b/integration_cli_test.go
@@ -24,6 +24,7 @@ type IntegrationCLITestSuite struct {
 	pool      dockertest.Pool
 	network   dockertest.Network
 	headscale dockertest.Resource
+	env       []string
 }

 func TestIntegrationCLITestSuite(t *testing.T) {
--- a/integration_common_test.go
+++ b/integration_common_test.go
@@ -9,6 +9,7 @@ import (
 	"net/netip"
 	"os"
 	"strconv"
+	"strings"
 	"time"

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
@@ -31,8 +32,7 @@ var (
 	tailscaleVersions = []string{
 		"head",
 		"unstable",
-		"1.36.2",
-		"1.34.2",
+		"1.34.0",
 		"1.32.3",
 		"1.30.2",
 		"1.28.0",
@@ -47,6 +47,11 @@ var (
 	}
 )

+type TestUser struct {
+	count      int
+	tailscales map[string]dockertest.Resource
+}
+
 type ExecuteCommandConfig struct {
 	timeout time.Duration
 }
@@ -196,6 +201,38 @@ func getDockerBuildOptions(version string) *dockertest.BuildOptions {
 	return tailscaleBuildOptions
 }

+func getIPs(
+	tailscales map[string]dockertest.Resource,
+) (map[string][]netip.Addr, error) {
+	ips := make(map[string][]netip.Addr)
+	for hostname, tailscale := range tailscales {
+		command := []string{"tailscale", "ip"}
+
+		result, _, err := ExecuteCommand(
+			&tailscale,
+			command,
+			[]string{},
+		)
+		if err != nil {
+			return nil, err
+		}
+
+		for _, address := range strings.Split(result, "\n") {
+			address = strings.TrimSuffix(address, "\n")
+			if len(address) < 1 {
+				continue
+			}
+			ip, err := netip.ParseAddr(address)
+			if err != nil {
+				return nil, err
+			}
+			ips[hostname] = append(ips[hostname], ip)
+		}
+	}
+
+	return ips, nil
+}
+
 func getDNSNames(
 	headscale *dockertest.Resource,
 ) ([]string, error) {
@@ -229,6 +266,43 @@ func getDNSNames(
 	return hostnames, nil
 }

+func getMagicFQDN(
+	headscale *dockertest.Resource,
+) ([]string, error) {
+	listAllResult, _, err := ExecuteCommand(
+		headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"list",
+			"--output",
+			"json",
+		},
+		[]string{},
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	var listAll []v1.Machine
+	err = json.Unmarshal([]byte(listAllResult), &listAll)
+	if err != nil {
+		return nil, err
+	}
+
+	hostnames := make([]string, len(listAll))
+
+	for index := range listAll {
+		hostnames[index] = fmt.Sprintf(
+			"%s.%s.headscale.net",
+			listAll[index].GetGivenName(),
+			listAll[index].GetUser().GetName(),
+		)
+	}
+
+	return hostnames, nil
+}
+
 func GetEnvStr(key string) (string, error) {
 	v := os.Getenv(key)
 	if v == "" {
--- a/integration_embedded_derp_test.go
+++ b/integration_embedded_derp_test.go
@@ -382,7 +382,7 @@ func (s *IntegrationDERPTestSuite) saveLog(

 	err = os.WriteFile(
 		path.Join(basePath, resource.Container.Name+".stdout.log"),
-		stderr.Bytes(),
+		[]byte(stdout.String()),
 		0o644,
 	)
 	if err != nil {
@@ -391,7 +391,7 @@ func (s *IntegrationDERPTestSuite) saveLog(

 	err = os.WriteFile(
 		path.Join(basePath, resource.Container.Name+".stderr.log"),
-		stderr.Bytes(),
+		[]byte(stdout.String()),
 		0o644,
 	)
 	if err != nil {
--- a/integration_test/etc/alt-config.dump.gold.yaml
+++ b/integration_test/etc/alt-config.dump.gold.yaml
@@ -37,14 +37,12 @@ logtail:
  enabled: false
 metrics_listen_addr: 127.0.0.1:19090
 oidc:
-  expiry: 180d
  only_start_if_oidc_is_available: true
  scope:
    - openid
    - profile
    - email
  strip_email_domain: true
-  use_expiry_from_token: false
 private_key_path: private.key
 noise:
  private_key_path: noise_private.key
--- a/integration_test/etc/alt-env-config.dump.gold.yaml
+++ b/integration_test/etc/alt-env-config.dump.gold.yaml
@@ -36,14 +36,12 @@ logtail:
  enabled: false
 metrics_listen_addr: 127.0.0.1:19090
 oidc:
-  expiry: 180d
  only_start_if_oidc_is_available: true
  scope:
    - openid
    - profile
    - email
  strip_email_domain: true
-  use_expiry_from_token: false
 private_key_path: private.key
 noise:
  private_key_path: noise_private.key
--- a/integration_test/etc/config.dump.gold.yaml
+++ b/integration_test/etc/config.dump.gold.yaml
@@ -37,14 +37,12 @@ logtail:
  enabled: false
 metrics_listen_addr: 127.0.0.1:9090
 oidc:
-  expiry: 180d
  only_start_if_oidc_is_available: true
  scope:
    - openid
    - profile
    - email
  strip_email_domain: true
-  use_expiry_from_token: false
 private_key_path: private.key
 noise:
  private_key_path: noise_private.key
--- a/machine.go
+++ b/machine.go
@@ -12,7 +12,6 @@ import (

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/rs/zerolog/log"
-	"github.com/samber/lo"
 	"google.golang.org/protobuf/types/known/timestamppb"
 	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
@@ -739,39 +738,30 @@ func (h *Headscale) toNode(

 	online := machine.isOnline()

-	tags, _ := getTags(h.aclPolicy, machine, h.cfg.OIDC.StripEmaildomain)
-	tags = lo.Uniq(append(tags, machine.ForcedTags...))
-
 	node := tailcfg.Node{
 		ID: tailcfg.NodeID(machine.ID), // this is the actual ID
 		StableID: tailcfg.StableNodeID(
 			strconv.FormatUint(machine.ID, Base10),
 		), // in headscale, unlike tailcontrol server, IDs are permanent
-		Name: hostname,
-
-		User: tailcfg.UserID(machine.UserID),
-
-		Key:       nodeKey,
-		KeyExpiry: keyExpiry,
-
-		Machine:    machineKey,
-		DiscoKey:   discoKey,
-		Addresses:  addrs,
-		AllowedIPs: allowedIPs,
-		Endpoints:  machine.Endpoints,
-		DERP:       derp,
-		Hostinfo:   hostInfo.View(),
-		Created:    machine.CreatedAt,
-
-		Tags: tags,
-
+		Name:          hostname,
+		User:          tailcfg.UserID(machine.UserID),
+		Key:           nodeKey,
+		KeyExpiry:     keyExpiry,
+		Machine:       machineKey,
+		DiscoKey:      discoKey,
+		Addresses:     addrs,
+		AllowedIPs:    allowedIPs,
 		PrimaryRoutes: primaryPrefixes,
+		Endpoints:     machine.Endpoints,
+		DERP:          derp,
+
+		Online:   &online,
+		Hostinfo: hostInfo.View(),
+		Created:  machine.CreatedAt,
+		LastSeen: machine.LastSeen,

-		LastSeen:          machine.LastSeen,
-		Online:            &online,
 		KeepAlive:         true,
 		MachineAuthorized: !machine.isExpired(),
-
 		Capabilities: []string{
 			tailcfg.CapabilityFileSharing,
 			tailcfg.CapabilityAdmin,
@@ -1057,8 +1047,8 @@ func (h *Headscale) IsRoutesEnabled(machine *Machine, routeStr string) bool {
 	return false
 }

-// enableRoutes enables new routes based on a list of new routes.
-func (h *Headscale) enableRoutes(machine *Machine, routeStrs ...string) error {
+// EnableRoutes enables new routes based on a list of new routes.
+func (h *Headscale) EnableRoutes(machine *Machine, routeStrs ...string) error {
 	newRoutes := make([]netip.Prefix, len(routeStrs))
 	for index, routeStr := range routeStrs {
 		route, err := netip.ParsePrefix(routeStr)
@@ -1122,8 +1112,7 @@ func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) error {
 	routes := []Route{}
 	err := h.db.
 		Preload("Machine").
-		Where("machine_id = ? AND advertised = true AND enabled = false", machine.ID).
-		Find(&routes).Error
+		Where("machine_id = ? AND advertised = true AND enabled = false", machine.ID).Find(&routes).Error
 	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
 		log.Error().
 			Caller().
@@ -1137,9 +1126,7 @@ func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) error {
 	approvedRoutes := []Route{}

 	for _, advertisedRoute := range routes {
-		routeApprovers, err := h.aclPolicy.AutoApprovers.GetRouteApprovers(
-			netip.Prefix(advertisedRoute.Prefix),
-		)
+		routeApprovers, err := h.aclPolicy.AutoApprovers.GetRouteApprovers(netip.Prefix(advertisedRoute.Prefix))
 		if err != nil {
 			log.Err(err).
 				Str("advertisedRoute", advertisedRoute.String()).
--- a/oidc.go
+++ b/oidc.go
@@ -27,10 +27,8 @@ const (
 	errOIDCAllowedDomains      = Error("authenticated principal does not match any allowed domain")
 	errOIDCAllowedGroups       = Error("authenticated principal is not in any allowed group")
 	errOIDCAllowedUsers        = Error("authenticated principal does not match any allowed user")
-	errOIDCInvalidMachineState = Error(
-		"requested machine state key expired before authorisation completed",
-	)
-	errOIDCNodeKeyMissing = Error("could not get node key from cache")
+	errOIDCInvalidMachineState = Error("requested machine state key expired before authorisation completed")
+	errOIDCNodeKeyMissing      = Error("could not get node key from cache")
 )

 type IDTokenClaims struct {
@@ -70,14 +68,6 @@ func (h *Headscale) initOIDC() error {
 	return nil
 }

-func (h *Headscale) determineTokenExpiration(idTokenExpiration time.Time) time.Time {
-	if h.cfg.OIDC.UseExpiryFromToken {
-		return idTokenExpiration
-	}
-
-	return time.Now().Add(h.cfg.OIDC.Expiry)
-}
-
 // RegisterOIDC redirects to the OIDC provider for authentication
 // Puts NodeKey in cache so the callback can retrieve it using the oidc state param
 // Listens in /oidc/register/:nKey.
@@ -203,7 +193,6 @@ func (h *Headscale) OIDCCallback(
 	if err != nil {
 		return
 	}
-	idTokenExpiry := h.determineTokenExpiration(idToken.Expiry)

 	// TODO: we can use userinfo at some point to grab additional information about the user (groups membership, etc)
 	// userInfo, err := oidcProvider.UserInfo(context.Background(), oauth2.StaticTokenSource(oauth2Token))
@@ -229,12 +218,7 @@ func (h *Headscale) OIDCCallback(
 		return
 	}

-	nodeKey, machineExists, err := h.validateMachineForOIDCCallback(
-		writer,
-		state,
-		claims,
-		idTokenExpiry,
-	)
+	nodeKey, machineExists, err := h.validateMachineForOIDCCallback(writer, state, claims, idToken.Expiry)
 	if err != nil || machineExists {
 		return
 	}
@@ -252,7 +236,7 @@ func (h *Headscale) OIDCCallback(
 		return
 	}

-	if err := h.registerMachineForOIDCCallback(writer, user, nodeKey, idTokenExpiry); err != nil {
+	if err := h.registerMachineForOIDCCallback(writer, user, nodeKey, idToken.Expiry); err != nil {
 		return
 	}

--- a/protocol_common_utils.go
+++ b/protocol_common_utils.go
@@ -3,11 +3,9 @@ package headscale
 import (
 	"encoding/binary"
 	"encoding/json"
-	"sync"

 	"github.com/klauspost/compress/zstd"
 	"github.com/rs/zerolog/log"
-	"tailscale.com/smallzstd"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 )
@@ -105,7 +103,8 @@ func (h *Headscale) marshalMapResponse(

 	var respBody []byte
 	if compression == ZstdCompression {
-		respBody = zstdEncode(jsonBody)
+		encoder, _ := zstd.NewWriter(nil)
+		respBody = encoder.EncodeAll(jsonBody, nil)
 		if !isNoise { // if legacy protocol
 			respBody = h.privateKey.SealTo(machineKey, respBody)
 		}
@@ -123,28 +122,3 @@ func (h *Headscale) marshalMapResponse(

 	return data, nil
 }
-
-func zstdEncode(in []byte) []byte {
-	encoder, ok := zstdEncoderPool.Get().(*zstd.Encoder)
-	if !ok {
-		panic("invalid type in sync pool")
-	}
-	out := encoder.EncodeAll(in, nil)
-	_ = encoder.Close()
-	zstdEncoderPool.Put(encoder)
-
-	return out
-}
-
-var zstdEncoderPool = &sync.Pool{
-	New: func() any {
-		encoder, err := smallzstd.NewEncoder(
-			nil,
-			zstd.WithEncoderLevel(zstd.SpeedFastest))
-		if err != nil {
-			panic(err)
-		}
-
-		return encoder
-	},
-}
--- a/routes.go
+++ b/routes.go
@@ -90,14 +90,7 @@ func (h *Headscale) EnableRoute(id uint64) error {
 		return err
 	}

-	// Tailscale requires both IPv4 and IPv6 exit routes to
-	// be enabled at the same time, as per
-	// https://github.com/juanfont/headscale/issues/804#issuecomment-1399314002
-	if route.isExitRoute() {
-		return h.enableRoutes(&route.Machine, ExitRouteV4.String(), ExitRouteV6.String())
-	}
-
-	return h.enableRoutes(&route.Machine, netip.Prefix(route.Prefix).String())
+	return h.EnableRoutes(&route.Machine, netip.Prefix(route.Prefix).String())
 }

 func (h *Headscale) DisableRoute(id uint64) error {
--- a/routes_test.go
+++ b/routes_test.go
@@ -46,10 +46,10 @@ func (s *Suite) TestGetRoutes(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(len(advertisedRoutes), check.Equals, 1)

-	err = app.enableRoutes(&machine, "192.168.0.0/24")
+	err = app.EnableRoutes(&machine, "192.168.0.0/24")
 	c.Assert(err, check.NotNil)

-	err = app.enableRoutes(&machine, "10.0.0.0/24")
+	err = app.EnableRoutes(&machine, "10.0.0.0/24")
 	c.Assert(err, check.IsNil)
 }

@@ -102,10 +102,10 @@ func (s *Suite) TestGetEnableRoutes(c *check.C) {
 	c.Assert(err, check.IsNil)
 	c.Assert(len(noEnabledRoutes), check.Equals, 0)

-	err = app.enableRoutes(&machine, "192.168.0.0/24")
+	err = app.EnableRoutes(&machine, "192.168.0.0/24")
 	c.Assert(err, check.NotNil)

-	err = app.enableRoutes(&machine, "10.0.0.0/24")
+	err = app.EnableRoutes(&machine, "10.0.0.0/24")
 	c.Assert(err, check.IsNil)

 	enabledRoutes, err := app.GetEnabledRoutes(&machine)
@@ -113,14 +113,14 @@ func (s *Suite) TestGetEnableRoutes(c *check.C) {
 	c.Assert(len(enabledRoutes), check.Equals, 1)

 	// Adding it twice will just let it pass through
-	err = app.enableRoutes(&machine, "10.0.0.0/24")
+	err = app.EnableRoutes(&machine, "10.0.0.0/24")
 	c.Assert(err, check.IsNil)

 	enableRoutesAfterDoubleApply, err := app.GetEnabledRoutes(&machine)
 	c.Assert(err, check.IsNil)
 	c.Assert(len(enableRoutesAfterDoubleApply), check.Equals, 1)

-	err = app.enableRoutes(&machine, "150.0.10.0/25")
+	err = app.EnableRoutes(&machine, "150.0.10.0/25")
 	c.Assert(err, check.IsNil)

 	enabledRoutesWithAdditionalRoute, err := app.GetEnabledRoutes(&machine)
@@ -167,10 +167,10 @@ func (s *Suite) TestIsUniquePrefix(c *check.C) {
 	err = app.processMachineRoutes(&machine1)
 	c.Assert(err, check.IsNil)

-	err = app.enableRoutes(&machine1, route.String())
+	err = app.EnableRoutes(&machine1, route.String())
 	c.Assert(err, check.IsNil)

-	err = app.enableRoutes(&machine1, route2.String())
+	err = app.EnableRoutes(&machine1, route2.String())
 	c.Assert(err, check.IsNil)

 	hostInfo2 := tailcfg.Hostinfo{
@@ -192,7 +192,7 @@ func (s *Suite) TestIsUniquePrefix(c *check.C) {
 	err = app.processMachineRoutes(&machine2)
 	c.Assert(err, check.IsNil)

-	err = app.enableRoutes(&machine2, route2.String())
+	err = app.EnableRoutes(&machine2, route2.String())
 	c.Assert(err, check.IsNil)

 	enabledRoutes1, err := app.GetEnabledRoutes(&machine1)
@@ -254,10 +254,10 @@ func (s *Suite) TestSubnetFailover(c *check.C) {
 	err = app.processMachineRoutes(&machine1)
 	c.Assert(err, check.IsNil)

-	err = app.enableRoutes(&machine1, prefix.String())
+	err = app.EnableRoutes(&machine1, prefix.String())
 	c.Assert(err, check.IsNil)

-	err = app.enableRoutes(&machine1, prefix2.String())
+	err = app.EnableRoutes(&machine1, prefix2.String())
 	c.Assert(err, check.IsNil)

 	err = app.handlePrimarySubnetFailover()
@@ -291,7 +291,7 @@ func (s *Suite) TestSubnetFailover(c *check.C) {
 	err = app.processMachineRoutes(&machine2)
 	c.Assert(err, check.IsNil)

-	err = app.enableRoutes(&machine2, prefix2.String())
+	err = app.EnableRoutes(&machine2, prefix2.String())
 	c.Assert(err, check.IsNil)

 	err = app.handlePrimarySubnetFailover()
@@ -339,7 +339,7 @@ func (s *Suite) TestSubnetFailover(c *check.C) {
 	err = app.processMachineRoutes(&machine2)
 	c.Assert(err, check.IsNil)

-	err = app.enableRoutes(&machine2, prefix.String())
+	err = app.EnableRoutes(&machine2, prefix.String())
 	c.Assert(err, check.IsNil)

 	err = app.handlePrimarySubnetFailover()
@@ -413,24 +413,18 @@ func (s *Suite) TestAllowedIPRoutes(c *check.C) {
 	err = app.processMachineRoutes(&machine1)
 	c.Assert(err, check.IsNil)

-	err = app.enableRoutes(&machine1, prefix.String())
+	err = app.EnableRoutes(&machine1, prefix.String())
 	c.Assert(err, check.IsNil)

 	// We do not enable this one on purpose to test that it is not enabled
-	// err = app.enableRoutes(&machine1, prefix2.String())
+	// err = app.EnableRoutes(&machine1, prefix2.String())
 	// c.Assert(err, check.IsNil)

-	routes, err := app.GetMachineRoutes(&machine1)
+	err = app.EnableRoutes(&machine1, prefixExitNodeV4.String())
 	c.Assert(err, check.IsNil)
-	for _, route := range routes {
-		if route.isExitRoute() {
-			err = app.EnableRoute(uint64(route.ID))
-			c.Assert(err, check.IsNil)

-			// We only enable one exit route, so we can test that both are enabled
-			break
-		}
-	}
+	err = app.EnableRoutes(&machine1, prefixExitNodeV6.String())
+	c.Assert(err, check.IsNil)

 	err = app.handlePrimarySubnetFailover()
 	c.Assert(err, check.IsNil)
--- a/templates/apple.html
+++ b/templates/apple.html
@@ -4,27 +4,11 @@
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <title>headscale - Apple</title>
-    <style>
-      body {
-        margin: 40px auto;
-        max-width: 800px;
-        line-height: 1.5;
-        font-size: 16px;
-        color: #444;
-        padding: 0 10px;
-        font-family: Sans-serif;
-      }
-      h1,
-      h2,
-      h3 {
-        line-height: 1.2;
-      }
-    </style>
+    <title>Document</title>
  </head>

  <body>
-    <h1>headscale: Apple configuration</h1>
+    <h1>headscale</h1>
    <h2>Recent Tailscale versions (1.34.0 and higher)</h2>
    <p>
      Tailscale added Fast User Switching in version 1.34 and you can now use
--- a/templates/windows.html
+++ b/templates/windows.html
@@ -4,27 +4,11 @@
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <title>headscale - Windows</title>
-    <style>
-      body {
-        margin: 40px auto;
-        max-width: 800px;
-        line-height: 1.5;
-        font-size: 16px;
-        color: #444;
-        padding: 0 10px;
-        font-family: Sans-serif;
-      }
-      h1,
-      h2,
-      h3 {
-        line-height: 1.2;
-      }
-    </style>
+    <title>Document</title>
  </head>

  <body>
-    <h1>headscale: Windows configuration</h1>
+    <h1>headscale</h1>
    <h2>Recent Tailscale versions (1.34.0 and higher)</h2>
    <p>
      Tailscale added Fast User Switching in version 1.34 and you can now use