Set db_ssl to false by default, fixes #1043

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Added an OIDC AllowGroups option for authorization.
2025-08-15 05:57:43 +00:00 · 2022-12-07 14:58:47 +01:00 · 2022-12-07 08:53:16 +01:00 · 2022-12-06 08:52:21 +01:00 · 2022-12-06 08:17:14 +01:00 · 2022-12-06 08:17:14 +01:00
90 changed files with 5259 additions and 2691 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,13 +13,13 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
        with:
          fetch-depth: 2

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@v14.1
+        uses: tj-actions/changed-files@v34
        with:
          files: |
            *.nix
--- a/.github/workflows/contributors.yml
+++ b/.github/workflows/contributors.yml
@@ -9,7 +9,7 @@ jobs:
  add-contributors:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: Delete upstream contributor branch
        # Allow continue on failure to account for when the
        # upstream branch is deleted or does not exist.
--- a/.github/workflows/gh-actions-updater.yaml
+++ b/.github/workflows/gh-actions-updater.yaml
@@ -0,0 +1,23 @@
+name: GitHub Actions Version Updater
+
+# Controls when the action will run.
+on:
+  schedule:
+    # Automatically run on every Sunday
+    - cron: "0 0 * * 0"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          # [Required] Access token with `workflow` scope.
+          token: ${{ secrets.WORKFLOW_SECRET }}
+
+      - name: Run GitHub Actions Version Updater
+        uses: saadmk11/github-actions-version-updater@v0.7.1
+        with:
+          # [Required] Access token with `workflow` scope.
+          token: ${{ secrets.WORKFLOW_SECRET }}
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,13 +7,13 @@ jobs:
  golangci-lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
        with:
          fetch-depth: 2

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@v14.1
+        uses: tj-actions/changed-files@v34
        with:
          files: |
            *.nix
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,27 +9,17 @@ on:

 jobs:
  goreleaser:
-    runs-on: ubuntu-18.04 # due to CGO we need to user an older version
+    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
-      - name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.19.0

-      - name: Install dependencies
-        run: |
-          sudo apt update
-          sudo apt install -y gcc-aarch64-linux-gnu
-      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
-        with:
-          distribution: goreleaser
-          version: latest
-          args: release --rm-dist
+      - uses: cachix/install-nix-action@v16
+
+      - name: Run goreleaser
+        run: nix develop --command -- goreleaser release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

@@ -37,7 +27,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Set up Docker Buildx
@@ -65,8 +55,8 @@ jobs:
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
-            type=raw,value=latest
            type=sha
+            type=raw,value=develop
      - name: Login to DockerHub
        uses: docker/login-action@v1
        with:
@@ -100,7 +90,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Set up Docker Buildx
@@ -125,13 +115,13 @@ jobs:
            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
            ghcr.io/${{ github.repository_owner }}/headscale
          flavor: |
-            latest=false
+            suffix=-debug,onlatest=true
          tags: |
-            type=semver,pattern={{version}}-debug
-            type=semver,pattern={{major}}.{{minor}}-debug
-            type=semver,pattern={{major}}-debug
-            type=raw,value=latest-debug
-            type=sha,suffix=-debug
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+            type=raw,value=develop
      - name: Login to DockerHub
        uses: docker/login-action@v1
        with:
@@ -161,69 +151,3 @@ jobs:
        run: |
          rm -rf /tmp/.buildx-cache-debug
          mv /tmp/.buildx-cache-debug-new /tmp/.buildx-cache-debug
-
-  docker-alpine-release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Set up QEMU for multiple platforms
-        uses: docker/setup-qemu-action@master
-        with:
-          platforms: arm64,amd64
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache-alpine
-          key: ${{ runner.os }}-buildx-alpine-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-alpine-
-      - name: Docker meta
-        id: meta-alpine
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
-            ghcr.io/${{ github.repository_owner }}/headscale
-          flavor: |
-            latest=false
-          tags: |
-            type=semver,pattern={{version}}-alpine
-            type=semver,pattern={{major}}.{{minor}}-alpine
-            type=semver,pattern={{major}}-alpine
-            type=raw,value=latest-alpine
-            type=sha,suffix=-alpine
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          context: .
-          file: Dockerfile.alpine
-          tags: ${{ steps.meta-alpine.outputs.tags }}
-          labels: ${{ steps.meta-alpine.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=local,src=/tmp/.buildx-cache-alpine
-          cache-to: type=local,dest=/tmp/.buildx-cache-alpine-new
-          build-args: |
-            VERSION=${{ steps.meta-alpine.outputs.version }}
-      - name: Prepare cache for next build
-        run: |
-          rm -rf /tmp/.buildx-cache-alpine
-          mv /tmp/.buildx-cache-alpine-new /tmp/.buildx-cache-alpine
--- a/.github/workflows/renovatebot.yml
+++ b/.github/workflows/renovatebot.yml
@@ -1,27 +0,0 @@
---
-name: Renovate
-on:
-  schedule:
-    - cron: "* * 5,20 * *" # Every 5th and 20th of the month
-  workflow_dispatch:
-jobs:
-  renovate:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Get token
-        id: get_token
-        uses: machine-learning-apps/actions-app-token@master
-        with:
-          APP_PEM: ${{ secrets.RENOVATEBOT_SECRET }}
-          APP_ID: ${{ secrets.RENOVATEBOT_APP_ID }}
-
-      - name: Checkout
-        uses: actions/checkout@v2.0.0
-
-      - name: Self-hosted Renovate
-        uses: renovatebot/github-action@v31.81.3
-        with:
-          configurationFile: .github/renovate.json
-          token: "x-access-token:${{ steps.get_token.outputs.app_token }}"
-        # env:
-        #  LOG_LEVEL: "debug"
--- a/.github/workflows/test-integration-cli.yml
+++ b/.github/workflows/test-integration-cli.yml
@@ -7,7 +7,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
        with:
          fetch-depth: 2

@@ -18,7 +18,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@v14.1
+        uses: tj-actions/changed-files@v34
        with:
          files: |
            *.nix
--- a/.github/workflows/test-integration-derp.yml
+++ b/.github/workflows/test-integration-derp.yml
@@ -7,7 +7,7 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
        with:
          fetch-depth: 2

@@ -18,7 +18,7 @@ jobs:

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@v14.1
+        uses: tj-actions/changed-files@v34
        with:
          files: |
            *.nix
--- a/.github/workflows/test-integration-oidc.yml
+++ b/.github/workflows/test-integration-oidc.yml
@@ -1,35 +0,0 @@
-name: Integration Test OIDC
-
-on: [pull_request]
-
-jobs:
-  integration-test-oidc:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 2
-
-      - name: Set Swap Space
-        uses: pierotofy/set-swap-space@master
-        with:
-          swap-size-gb: 10
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v14.1
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run OIDC integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: nix develop --command -- make test_integration_oidc
--- a/.github/workflows/test-integration-v2-kradalby.yml
+++ b/.github/workflows/test-integration-v2-kradalby.yml
@@ -1,24 +1,19 @@
-name: Integration Test v2
+name: Integration Test v2 - kradalby

 on: [pull_request]

 jobs:
-  integration-test-v2:
-    runs-on: ubuntu-latest
+  integration-test-v2-kradalby:
+    runs-on: [self-hosted, linux, x64, nixos, docker]

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
        with:
          fetch-depth: 2

-      - name: Set Swap Space
-        uses: pierotofy/set-swap-space@master
-        with:
-          swap-size-gb: 10
-
      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@v14.1
+        uses: tj-actions/changed-files@v34
        with:
          files: |
            *.nix
@@ -27,8 +22,13 @@ jobs:
            integration_test/
            config-example.yaml

-      - uses: cachix/install-nix-action@v16
+      # We currently only run one job at the time, so make sure
+      # we just wipe all containers and all networks.
+      - name: Clean up Docker
        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+          docker kill $(docker ps -q)
+          docker network prune -f

      - name: Run general integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,13 +7,13 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
        with:
          fetch-depth: 2

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@v14.1
+        uses: tj-actions/changed-files@v34
        with:
          files: |
            *.nix
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,6 +1,8 @@
 ---
 run:
  timeout: 10m
+  build-tags:
+    - ts2019

 issues:
  skip-dirs:
@@ -26,6 +28,7 @@ linters:
    - ireturn
    - execinquery
    - exhaustruct
+    - nolintlint

    # We should strive to enable these:
    - wrapcheck
@@ -33,6 +36,9 @@ linters:
    - makezero
    - maintidx

+    # Limits the methods of an interface to 10. We have more in integration tests
+    - interfacebloat
+
    # We might want to enable this, but it might be a lot of work
    - cyclop
    - nestif
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -20,6 +20,8 @@ builds:
      - -mod=readonly
    ldflags:
      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019

  - id: darwin-arm64
    main: ./cmd/headscale/headscale.go
@@ -34,6 +36,8 @@ builds:
      - -mod=readonly
    ldflags:
      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019

  - id: linux-amd64
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -46,6 +50,8 @@ builds:
    main: ./cmd/headscale/headscale.go
    ldflags:
      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019

  - id: linux-arm64
    mod_timestamp: "{{ .CommitTimestamp }}"
@@ -58,6 +64,8 @@ builds:
    main: ./cmd/headscale/headscale.go
    ldflags:
      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019

 archives:
  - id: golang-cross
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,14 +1,42 @@
 # CHANGELOG

-## 0.17.0 (2022-XX-XX)
-
-### BREAKING
-
- Log level option `log_level` was moved to a distinct `log` config section and renamed to `level` [#768](https://github.com/juanfont/headscale/pull/768)
+## 0.18.x (2022-xx-xx)

 ### Changes

+- Reworked routing and added support for subnet router failover [#1024](https://github.com/juanfont/headscale/pull/1024)
+- Added an OIDC AllowGroups Configuration options and authorization check [#1041](https://github.com/juanfont/headscale/pull/1041)
+- Set `db_ssl` to false by default [#1052](https://github.com/juanfont/headscale/pull/1052)
+
+## 0.17.1 (2022-12-05)
+
+### Changes
+
+- Correct typo on macOS standalone profile link [#1028](https://github.com/juanfont/headscale/pull/1028)
+- Update platform docs with Fast User Switching [#1016](https://github.com/juanfont/headscale/pull/1016)
+
+## 0.17.0 (2022-11-26)
+
+### BREAKING
+
+- `noise.private_key_path` has been added and is required for the new noise protocol.
+- Log level option `log_level` was moved to a distinct `log` config section and renamed to `level` [#768](https://github.com/juanfont/headscale/pull/768)
+- Removed Alpine Linux container image [#962](https://github.com/juanfont/headscale/pull/962)
+
+### Important Changes
+
 - Added support for Tailscale TS2021 protocol [#738](https://github.com/juanfont/headscale/pull/738)
+- Add experimental support for [SSH ACL](https://tailscale.com/kb/1018/acls/#tailscale-ssh) (see docs for limitations) [#847](https://github.com/juanfont/headscale/pull/847)
+  - Please note that this support should be considered _partially_ implemented
+  - SSH ACLs status:
+    - Support `accept` and `check` (SSH can be enabled and used for connecting and authentication)
+    - Rejecting connections **are not supported**, meaning that if you enable SSH, then assume that _all_ `ssh` connections **will be allowed**.
+    - If you decied to try this feature, please carefully managed permissions by blocking port `22` with regular ACLs or do _not_ set `--ssh` on your clients.
+    - We are currently improving our testing of the SSH ACLs, help us get an overview by testing and giving feedback.
+  - This feature should be considered dangerous and it is disabled by default. Enable by setting `HEADSCALE_EXPERIMENTAL_FEATURE_SSH=1`.
+
+### Changes
+
 - Add ability to specify config location via env var `HEADSCALE_CONFIG` [#674](https://github.com/juanfont/headscale/issues/674)
 - Target Go 1.19 for Headscale [#778](https://github.com/juanfont/headscale/pull/778)
 - Target Tailscale v1.30.0 to build Headscale [#780](https://github.com/juanfont/headscale/pull/780)
@@ -24,6 +52,10 @@
 - Remove `ip_prefix` configuration option and warning [#899](https://github.com/juanfont/headscale/pull/899)
 - Add `dns_config.override_local_dns` option [#905](https://github.com/juanfont/headscale/pull/905)
 - Fix some DNS config issues [#660](https://github.com/juanfont/headscale/issues/660)
+- Make it possible to disable TS2019 with build flag [#928](https://github.com/juanfont/headscale/pull/928)
+- Fix OIDC registration issues [#960](https://github.com/juanfont/headscale/pull/960) and [#971](https://github.com/juanfont/headscale/pull/971)
+- Add support for specifying NextDNS DNS-over-HTTPS resolver [#940](https://github.com/juanfont/headscale/pull/940)
+- Make more sslmode available for postgresql connection [#927](https://github.com/juanfont/headscale/pull/927)

 ## 0.16.4 (2022-08-21)

--- a/4
+++ b/4
@@ -1,5 +1,5 @@
 # Builder image
-FROM docker.io/golang:1.19.0-bullseye AS build
+FROM docker.io/golang:1.19-bullseye AS build
 ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale
@@ -9,7 +9,7 @@ RUN go mod download

 COPY . .

-RUN CGO_ENABLED=0 GOOS=linux go install -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
+RUN CGO_ENABLED=0 GOOS=linux go install -tags ts2019 -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
 RUN strip /go/bin/headscale
 RUN test -e /go/bin/headscale

--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@@ -1,24 +0,0 @@
-# Builder image
-FROM docker.io/golang:1.19.0-alpine AS build
-ARG VERSION=dev
-ENV GOPATH /go
-WORKDIR /go/src/headscale
-
-COPY go.mod go.sum /go/src/headscale/
-RUN apk add gcc musl-dev
-RUN go mod download
-
-COPY . .
-
-RUN CGO_ENABLED=0 GOOS=linux go install -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
-RUN strip /go/bin/headscale
-RUN test -e /go/bin/headscale
-
-# Production image
-FROM docker.io/alpine:latest
-
-COPY --from=build /go/bin/headscale /bin/headscale
-ENV TZ UTC
-
-EXPOSE 8080/tcp
-CMD ["headscale"]
--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@@ -1,5 +1,5 @@
 # Builder image
-FROM docker.io/golang:1.19.0-bullseye AS build
+FROM docker.io/golang:1.19-bullseye AS build
 ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale
@@ -9,7 +9,7 @@ RUN go mod download

 COPY . .

-RUN CGO_ENABLED=0 GOOS=linux go install -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
+RUN CGO_ENABLED=0 GOOS=linux go install -tags ts2019 -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
 RUN test -e /go/bin/headscale

 # Debug image
--- a/Dockerfile.tailscale
+++ b/Dockerfile.tailscale
@@ -4,14 +4,16 @@ ARG TAILSCALE_VERSION=*
 ARG TAILSCALE_CHANNEL=stable

 RUN apt-get update \
-    && apt-get install -y gnupg curl \
+    && apt-get install -y gnupg curl ssh \
    && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.gpg | apt-key add - \
    && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.list | tee /etc/apt/sources.list.d/tailscale.list \
    && apt-get update \
    && apt-get install -y ca-certificates tailscale=${TAILSCALE_VERSION} dnsutils \
    && rm -rf /var/lib/apt/lists/*

+RUN adduser --shell=/bin/bash ssh-it-user
+
 ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
-RUN chmod 644 /usr/local/share/ca-certificates/server.crt 
+RUN chmod 644 /usr/local/share/ca-certificates/server.crt

 RUN update-ca-certificates
--- a/Dockerfile.tailscale-HEAD
+++ b/Dockerfile.tailscale-HEAD
@@ -1,9 +1,10 @@
 FROM golang:latest

 RUN apt-get update \
-    && apt-get install -y ca-certificates dnsutils git iptables \
+    && apt-get install -y ca-certificates dnsutils git iptables ssh \
    && rm -rf /var/lib/apt/lists/*

+RUN useradd --shell=/bin/bash --create-home ssh-it-user

 RUN git clone https://github.com/tailscale/tailscale.git

@@ -18,6 +19,6 @@ RUN cp tailscale /usr/local/bin/
 RUN cp tailscaled /usr/local/bin/

 ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
-RUN chmod 644 /usr/local/share/ca-certificates/server.crt 
+RUN chmod 644 /usr/local/share/ca-certificates/server.crt

 RUN update-ca-certificates
--- a/22
+++ b/22
@@ -10,6 +10,8 @@ ifeq ($(filter $(GOOS), openbsd netbsd soloaris plan9), )
 else
 endif

+TAGS = -tags ts2019
+
 # GO_SOURCES = $(wildcard *.go)
 # PROTO_SOURCES = $(wildcard **/*.proto)
 GO_SOURCES = $(call rwildcard,,*.go)
@@ -17,12 +19,12 @@ PROTO_SOURCES = $(call rwildcard,,*.proto)


 build:
-	GOOS=$(GOOS) CGO_ENABLED=0 go build -trimpath $(pieflags) -mod=readonly -ldflags "-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$(version)" cmd/headscale/headscale.go
+	nix build

 dev: lint test build

 test:
-	@go test -short -coverprofile=coverage.out ./...
+	@go test $(TAGS) -short -coverprofile=coverage.out ./...

 test_integration: test_integration_cli test_integration_derp test_integration_oidc test_integration_v2_general

@@ -34,7 +36,7 @@ test_integration_cli:
 		-v ~/.cache/hs-integration-go:/go \
 		-v $$PWD:$$PWD -w $$PWD \
 		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
-		go test -failfast -timeout 30m -count=1 -run IntegrationCLI ./...
+		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationCLI ./...

 test_integration_derp:
 	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
@@ -44,17 +46,7 @@ test_integration_derp:
 		-v ~/.cache/hs-integration-go:/go \
 		-v $$PWD:$$PWD -w $$PWD \
 		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
-		go test -failfast -timeout 30m -count=1 -run IntegrationDERP ./...
-
-test_integration_oidc:
-	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
-	docker network create headscale-test || true
-	docker run -t --rm \
-		--network headscale-test \
-		-v ~/.cache/hs-integration-go:/go \
-		-v $$PWD:$$PWD -w $$PWD \
-		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
-		go test -failfast -timeout 30m -count=1 -run IntegrationOIDC ./...
+		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationDERP ./...

 test_integration_v2_general:
 	docker run \
@@ -64,7 +56,7 @@ test_integration_v2_general:
 		-v $$PWD:$$PWD -w $$PWD/integration \
 		-v /var/run/docker.sock:/var/run/docker.sock \
 		golang:1 \
-		go test ./... -timeout 60m -parallel 6
+		go test $(TAGS) -failfast ./... -timeout 120m -parallel 8

 coverprofile_func:
 	go tool cover -func=coverage.out
--- a/README.md
+++ b/README.md
@@ -269,6 +269,13 @@ make build
            <sub style="font-size:14px"><b>Mike Lloyd</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/iSchluff>
+            <img src=https://avatars.githubusercontent.com/u/1429641?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Anton Schubert/>
+            <br />
+            <sub style="font-size:14px"><b>Anton Schubert</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/Niek>
            <img src=https://avatars.githubusercontent.com/u/213140?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Niek van der Maas/>
@@ -283,6 +290,8 @@ make build
            <sub style="font-size:14px"><b>Eugen Biegler</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/617a7a>
            <img src=https://avatars.githubusercontent.com/u/67651251?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Azz/>
@@ -290,13 +299,11 @@ make build
            <sub style="font-size:14px"><b>Azz</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/iSchluff>
-            <img src=https://avatars.githubusercontent.com/u/1429641?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Anton Schubert/>
+        <a href=https://github.com/evenh>
+            <img src=https://avatars.githubusercontent.com/u/2701536?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Even Holthe/>
            <br />
-            <sub style="font-size:14px"><b>Anton Schubert</b></sub>
+            <sub style="font-size:14px"><b>Even Holthe</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -327,6 +334,15 @@ make build
            <sub style="font-size:14px"><b>Fernando De Lucchi</b></sub>
        </a>
    </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/OrvilleQ>
+            <img src=https://avatars.githubusercontent.com/u/21377465?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Orville Q. Song/>
+            <br />
+            <sub style="font-size:14px"><b>Orville Q. Song</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/hdhoang>
            <img src=https://avatars.githubusercontent.com/u/12537?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=hdhoang/>
@@ -334,8 +350,6 @@ make build
            <sub style="font-size:14px"><b>hdhoang</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/bravechamp>
            <img src=https://avatars.githubusercontent.com/u/48980452?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=bravechamp/>
@@ -364,6 +378,8 @@ make build
            <sub style="font-size:14px"><b>ChibangLW</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/mevansam>
            <img src=https://avatars.githubusercontent.com/u/403630?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mevan Samaratunga/>
@@ -378,8 +394,6 @@ make build
            <sub style="font-size:14px"><b>Michael G.</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/ptman>
            <img src=https://avatars.githubusercontent.com/u/24669?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Paul Tötterman/>
@@ -408,6 +422,8 @@ make build
            <sub style="font-size:14px"><b>kevinlin</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/artemklevtsov>
            <img src=https://avatars.githubusercontent.com/u/603798?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Artem Klevtsov/>
@@ -422,8 +438,13 @@ make build
            <sub style="font-size:14px"><b>Casey Marshall</b></sub>
        </a>
    </td>
-</tr>
-<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/CNLHC>
+            <img src=https://avatars.githubusercontent.com/u/21005146?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=LiuHanCheng/>
+            <br />
+            <sub style="font-size:14px"><b>LiuHanCheng</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/pvinis>
            <img src=https://avatars.githubusercontent.com/u/100233?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pavlos Vinieratos/>
@@ -439,7 +460,16 @@ make build
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/vtrf>
+        <a href=https://github.com/snh>
+            <img src=https://avatars.githubusercontent.com/u/2051768?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Steven Honson/>
+            <br />
+            <sub style="font-size:14px"><b>Steven Honson</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/ratsclub>
            <img src=https://avatars.githubusercontent.com/u/25647735?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Victor Freire/>
            <br />
            <sub style="font-size:14px"><b>Victor Freire</b></sub>
@@ -466,8 +496,13 @@ make build
            <sub style="font-size:14px"><b>Abraham Ingersoll</b></sub>
        </a>
    </td>
-</tr>
-<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/puzpuzpuz>
+            <img src=https://avatars.githubusercontent.com/u/37772591?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Andrei Pechkurov/>
+            <br />
+            <sub style="font-size:14px"><b>Andrei Pechkurov</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/apognu>
            <img src=https://avatars.githubusercontent.com/u/3017182?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Antoine POPINEAU/>
@@ -475,6 +510,8 @@ make build
            <sub style="font-size:14px"><b>Antoine POPINEAU</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/aofei>
            <img src=https://avatars.githubusercontent.com/u/5037285?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Aofei Sheng/>
@@ -482,6 +519,13 @@ make build
            <sub style="font-size:14px"><b>Aofei Sheng</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/arnarg>
+            <img src=https://avatars.githubusercontent.com/u/1291396?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Arnar/>
+            <br />
+            <sub style="font-size:14px"><b>Arnar</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/awoimbee>
            <img src=https://avatars.githubusercontent.com/u/22431493?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Arthur Woimbée/>
@@ -579,9 +623,9 @@ make build
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/renovate-bot>
-            <img src=https://avatars.githubusercontent.com/u/25180681?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=WhiteSource Renovate/>
+            <img src=https://avatars.githubusercontent.com/u/25180681?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mend Renovate/>
            <br />
-            <sub style="font-size:14px"><b>WhiteSource Renovate</b></sub>
+            <sub style="font-size:14px"><b>Mend Renovate</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -716,6 +760,13 @@ make build
            <sub style="font-size:14px"><b>ignoramous</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/magichuihui>
+            <img src=https://avatars.githubusercontent.com/u/10866198?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=suhelen/>
+            <br />
+            <sub style="font-size:14px"><b>suhelen</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/lion24>
            <img src=https://avatars.githubusercontent.com/u/1382102?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=sharkonet/>
@@ -723,6 +774,15 @@ make build
            <sub style="font-size:14px"><b>sharkonet</b></sub>
        </a>
    </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/manju-rn>
+            <img src=https://avatars.githubusercontent.com/u/26291847?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=manju-rn/>
+            <br />
+            <sub style="font-size:14px"><b>manju-rn</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/pernila>
            <img src=https://avatars.githubusercontent.com/u/12460060?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=pernila/>
@@ -730,8 +790,6 @@ make build
            <sub style="font-size:14px"><b>pernila</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/phpmalik>
            <img src=https://avatars.githubusercontent.com/u/26834645?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=phpmalik/>
--- a/acls.go
+++ b/acls.go
@@ -10,10 +10,12 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
+	"time"

 	"github.com/rs/zerolog/log"
 	"github.com/tailscale/hujson"
 	"gopkg.in/yaml.v3"
+	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 )

@@ -54,6 +56,8 @@ const (
 	ProtocolFC       = 133 // Fibre Channel
 )

+var featureEnableSSH = envknob.RegisterBool("HEADSCALE_EXPERIMENTAL_FEATURE_SSH")
+
 // LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules.
 func (h *Headscale) LoadACLPolicy(path string) error {
 	log.Debug().
@@ -113,36 +117,50 @@ func (h *Headscale) LoadACLPolicy(path string) error {
 }

 func (h *Headscale) UpdateACLRules() error {
-	rules, err := h.generateACLRules()
+	machines, err := h.ListMachines()
+	if err != nil {
+		return err
+	}
+
+	if h.aclPolicy == nil {
+		return errEmptyPolicy
+	}
+
+	rules, err := generateACLRules(machines, *h.aclPolicy, h.cfg.OIDC.StripEmaildomain)
 	if err != nil {
 		return err
 	}
 	log.Trace().Interface("ACL", rules).Msg("ACL rules generated")
 	h.aclRules = rules

+	if featureEnableSSH() {
+		sshRules, err := h.generateSSHRules()
+		if err != nil {
+			return err
+		}
+		log.Trace().Interface("SSH", sshRules).Msg("SSH rules generated")
+		if h.sshPolicy == nil {
+			h.sshPolicy = &tailcfg.SSHPolicy{}
+		}
+		h.sshPolicy.Rules = sshRules
+	} else if h.aclPolicy != nil && len(h.aclPolicy.SSHs) > 0 {
+		log.Info().Msg("SSH ACLs has been defined, but HEADSCALE_EXPERIMENTAL_FEATURE_SSH is not enabled, this is a unstable feature, check docs before activating")
+	}
+
 	return nil
 }

-func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
+func generateACLRules(machines []Machine, aclPolicy ACLPolicy, stripEmaildomain bool) ([]tailcfg.FilterRule, error) {
 	rules := []tailcfg.FilterRule{}

-	if h.aclPolicy == nil {
-		return nil, errEmptyPolicy
-	}
-
-	machines, err := h.ListMachines()
-	if err != nil {
-		return nil, err
-	}
-
-	for index, acl := range h.aclPolicy.ACLs {
+	for index, acl := range aclPolicy.ACLs {
 		if acl.Action != "accept" {
 			return nil, errInvalidAction
 		}

 		srcIPs := []string{}
 		for innerIndex, src := range acl.Sources {
-			srcs, err := h.generateACLPolicySrcIP(machines, *h.aclPolicy, src)
+			srcs, err := generateACLPolicySrcIP(machines, aclPolicy, src, stripEmaildomain)
 			if err != nil {
 				log.Error().
 					Msgf("Error parsing ACL %d, Source %d", index, innerIndex)
@@ -162,11 +180,12 @@ func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {

 		destPorts := []tailcfg.NetPortRange{}
 		for innerIndex, dest := range acl.Destinations {
-			dests, err := h.generateACLPolicyDest(
+			dests, err := generateACLPolicyDest(
 				machines,
-				*h.aclPolicy,
+				aclPolicy,
 				dest,
 				needsWildcard,
+				stripEmaildomain,
 			)
 			if err != nil {
 				log.Error().
@@ -187,19 +206,126 @@ func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
 	return rules, nil
 }

-func (h *Headscale) generateACLPolicySrcIP(
+func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
+	rules := []*tailcfg.SSHRule{}
+
+	if h.aclPolicy == nil {
+		return nil, errEmptyPolicy
+	}
+
+	machines, err := h.ListMachines()
+	if err != nil {
+		return nil, err
+	}
+
+	acceptAction := tailcfg.SSHAction{
+		Message:                  "",
+		Reject:                   false,
+		Accept:                   true,
+		SessionDuration:          0,
+		AllowAgentForwarding:     false,
+		HoldAndDelegate:          "",
+		AllowLocalPortForwarding: true,
+	}
+
+	rejectAction := tailcfg.SSHAction{
+		Message:                  "",
+		Reject:                   true,
+		Accept:                   false,
+		SessionDuration:          0,
+		AllowAgentForwarding:     false,
+		HoldAndDelegate:          "",
+		AllowLocalPortForwarding: false,
+	}
+
+	for index, sshACL := range h.aclPolicy.SSHs {
+		action := rejectAction
+		switch sshACL.Action {
+		case "accept":
+			action = acceptAction
+		case "check":
+			checkAction, err := sshCheckAction(sshACL.CheckPeriod)
+			if err != nil {
+				log.Error().
+					Msgf("Error parsing SSH %d, check action with unparsable duration '%s'", index, sshACL.CheckPeriod)
+			} else {
+				action = *checkAction
+			}
+		default:
+			log.Error().
+				Msgf("Error parsing SSH %d, unknown action '%s'", index, sshACL.Action)
+
+			return nil, err
+		}
+
+		principals := make([]*tailcfg.SSHPrincipal, 0, len(sshACL.Sources))
+		for innerIndex, rawSrc := range sshACL.Sources {
+			expandedSrcs, err := expandAlias(
+				machines,
+				*h.aclPolicy,
+				rawSrc,
+				h.cfg.OIDC.StripEmaildomain,
+			)
+			if err != nil {
+				log.Error().
+					Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
+
+				return nil, err
+			}
+			for _, expandedSrc := range expandedSrcs {
+				principals = append(principals, &tailcfg.SSHPrincipal{
+					NodeIP: expandedSrc,
+				})
+			}
+		}
+
+		userMap := make(map[string]string, len(sshACL.Users))
+		for _, user := range sshACL.Users {
+			userMap[user] = "="
+		}
+		rules = append(rules, &tailcfg.SSHRule{
+			RuleExpires: nil,
+			Principals:  principals,
+			SSHUsers:    userMap,
+			Action:      &action,
+		})
+	}
+
+	return rules, nil
+}
+
+func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
+	sessionLength, err := time.ParseDuration(duration)
+	if err != nil {
+		return nil, err
+	}
+
+	return &tailcfg.SSHAction{
+		Message:                  "",
+		Reject:                   false,
+		Accept:                   true,
+		SessionDuration:          sessionLength,
+		AllowAgentForwarding:     false,
+		HoldAndDelegate:          "",
+		AllowLocalPortForwarding: true,
+	}, nil
+}
+
+func generateACLPolicySrcIP(
 	machines []Machine,
 	aclPolicy ACLPolicy,
 	src string,
+	stripEmaildomain bool,
 ) ([]string, error) {
-	return expandAlias(machines, aclPolicy, src, h.cfg.OIDC.StripEmaildomain)
+	return expandAlias(machines, aclPolicy, src, stripEmaildomain)
 }

-func (h *Headscale) generateACLPolicyDest(
+func generateACLPolicyDest(
 	machines []Machine,
 	aclPolicy ACLPolicy,
 	dest string,
 	needsWildcard bool,
+	stripEmaildomain bool,
 ) ([]tailcfg.NetPortRange, error) {
 	tokens := strings.Split(dest, ":")
 	if len(tokens) < expectedTokenItems || len(tokens) > 3 {
@@ -223,7 +349,7 @@ func (h *Headscale) generateACLPolicyDest(
 		machines,
 		aclPolicy,
 		alias,
-		h.cfg.OIDC.StripEmaildomain,
+		stripEmaildomain,
 	)
 	if err != nil {
 		return nil, err
@@ -260,12 +386,7 @@ func (h *Headscale) generateACLPolicyDest(
 func parseProtocol(protocol string) ([]int, bool, error) {
 	switch protocol {
 	case "":
-		return []int{
-			protocolICMP,
-			protocolIPv6ICMP,
-			protocolTCP,
-			protocolUDP,
-		}, false, nil
+		return nil, false, nil
 	case "igmp":
 		return []int{protocolIGMP}, true, nil
 	case "ipv4", "ip-in-ip":
--- a/acls_test.go
+++ b/acls_test.go
@@ -7,6 +7,7 @@ import (
 	"testing"

 	"gopkg.in/check.v1"
+	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 )

@@ -53,7 +54,7 @@ func (s *Suite) TestBasicRule(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_1.hujson")
 	c.Assert(err, check.IsNil)

-	rules, err := app.generateACLRules()
+	rules, err := generateACLRules([]Machine{}, *app.aclPolicy, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 }
@@ -73,6 +74,81 @@ func (s *Suite) TestInvalidAction(c *check.C) {
 	c.Assert(errors.Is(err, errInvalidAction), check.Equals, true)
 }

+func (s *Suite) TestSshRules(c *check.C) {
+	envknob.Setenv("HEADSCALE_EXPERIMENTAL_FEATURE_SSH", "1")
+
+	namespace, err := app.CreateNamespace("user1")
+	c.Assert(err, check.IsNil)
+
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = app.GetMachine("user1", "testmachine")
+	c.Assert(err, check.NotNil)
+	hostInfo := tailcfg.Hostinfo{
+		OS:          "centos",
+		Hostname:    "testmachine",
+		RequestTags: []string{"tag:test"},
+	}
+
+	machine := Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testmachine",
+		IPAddresses:    MachineAddresses{netip.MustParseAddr("100.64.0.1")},
+		NamespaceID:    namespace.ID,
+		RegisterMethod: RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       HostInfo(hostInfo),
+	}
+	app.db.Save(&machine)
+
+	app.aclPolicy = &ACLPolicy{
+		Groups: Groups{
+			"group:test": []string{"user1"},
+		},
+		Hosts: Hosts{
+			"client": netip.PrefixFrom(netip.MustParseAddr("100.64.99.42"), 32),
+		},
+		ACLs: []ACL{
+			{
+				Action:       "accept",
+				Sources:      []string{"*"},
+				Destinations: []string{"*:*"},
+			},
+		},
+		SSHs: []SSH{
+			{
+				Action:       "accept",
+				Sources:      []string{"group:test"},
+				Destinations: []string{"client"},
+				Users:        []string{"autogroup:nonroot"},
+			},
+			{
+				Action:       "accept",
+				Sources:      []string{"*"},
+				Destinations: []string{"client"},
+				Users:        []string{"autogroup:nonroot"},
+			},
+		},
+	}
+
+	err = app.UpdateACLRules()
+
+	c.Assert(err, check.IsNil)
+	c.Assert(app.sshPolicy, check.NotNil)
+	c.Assert(app.sshPolicy.Rules, check.HasLen, 2)
+	c.Assert(app.sshPolicy.Rules[0].SSHUsers, check.HasLen, 1)
+	c.Assert(app.sshPolicy.Rules[0].Principals, check.HasLen, 1)
+	c.Assert(app.sshPolicy.Rules[0].Principals[0].NodeIP, check.Matches, "100.64.0.1")
+
+	c.Assert(app.sshPolicy.Rules[1].SSHUsers, check.HasLen, 1)
+	c.Assert(app.sshPolicy.Rules[1].Principals, check.HasLen, 1)
+	c.Assert(app.sshPolicy.Rules[1].Principals[0].NodeIP, check.Matches, "*")
+}
+
 func (s *Suite) TestInvalidGroupInGroup(c *check.C) {
 	// this ACL is wrong because the group in Sources sections doesn't exist
 	app.aclPolicy = &ACLPolicy{
@@ -335,7 +411,7 @@ func (s *Suite) TestPortRange(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_range.hujson")
 	c.Assert(err, check.IsNil)

-	rules, err := app.generateACLRules()
+	rules, err := generateACLRules([]Machine{}, *app.aclPolicy, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)

@@ -349,7 +425,7 @@ func (s *Suite) TestProtocolParsing(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_protocols.hujson")
 	c.Assert(err, check.IsNil)

-	rules, err := app.generateACLRules()
+	rules, err := generateACLRules([]Machine{}, *app.aclPolicy, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)

@@ -363,7 +439,7 @@ func (s *Suite) TestPortWildcard(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_wildcards.hujson")
 	c.Assert(err, check.IsNil)

-	rules, err := app.generateACLRules()
+	rules, err := generateACLRules([]Machine{}, *app.aclPolicy, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)

@@ -379,7 +455,7 @@ func (s *Suite) TestPortWildcardYAML(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_wildcards.yaml")
 	c.Assert(err, check.IsNil)

-	rules, err := app.generateACLRules()
+	rules, err := generateACLRules([]Machine{}, *app.aclPolicy, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)

@@ -419,7 +495,10 @@ func (s *Suite) TestPortNamespace(c *check.C) {
 	)
 	c.Assert(err, check.IsNil)

-	rules, err := app.generateACLRules()
+	machines, err := app.ListMachines()
+	c.Assert(err, check.IsNil)
+
+	rules, err := generateACLRules(machines, *app.aclPolicy, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)

@@ -459,7 +538,10 @@ func (s *Suite) TestPortGroup(c *check.C) {
 	err = app.LoadACLPolicy("./tests/acls/acl_policy_basic_groups.hujson")
 	c.Assert(err, check.IsNil)

-	rules, err := app.generateACLRules()
+	machines, err := app.ListMachines()
+	c.Assert(err, check.IsNil)
+
+	rules, err := generateACLRules(machines, *app.aclPolicy, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)

--- a/acls_types.go
+++ b/acls_types.go
@@ -17,6 +17,7 @@ type ACLPolicy struct {
 	ACLs          []ACL         `json:"acls"          yaml:"acls"`
 	Tests         []ACLTest     `json:"tests"         yaml:"tests"`
 	AutoApprovers AutoApprovers `json:"autoApprovers" yaml:"autoApprovers"`
+	SSHs          []SSH         `json:"ssh"           yaml:"ssh"`
 }

 // ACL is a basic rule for the ACL Policy.
@@ -50,6 +51,15 @@ type AutoApprovers struct {
 	ExitNode []string            `json:"exitNode" yaml:"exitNode"`
 }

+// SSH controls who can ssh into which machines.
+type SSH struct {
+	Action       string   `json:"action"                yaml:"action"`
+	Sources      []string `json:"src"                   yaml:"src"`
+	Destinations []string `json:"dst"                   yaml:"dst"`
+	Users        []string `json:"users"                 yaml:"users"`
+	CheckPeriod  string   `json:"checkPeriod,omitempty" yaml:"checkPeriod,omitempty"`
+}
+
 // UnmarshalJSON allows to parse the Hosts directly into netip objects.
 func (hosts *Hosts) UnmarshalJSON(data []byte) error {
 	newHosts := Hosts{}
--- a/api_common.go
+++ b/api_common.go
@@ -13,7 +13,7 @@ func (h *Headscale) generateMapResponse(
 		Str("func", "generateMapResponse").
 		Str("machine", mapRequest.Hostinfo.Hostname).
 		Msg("Creating Map response")
-	node, err := machine.toNode(h.cfg.BaseDomain, h.cfg.DNSConfig)
+	node, err := h.toNode(*machine, h.cfg.BaseDomain, h.cfg.DNSConfig)
 	if err != nil {
 		log.Error().
 			Caller().
@@ -35,9 +35,9 @@ func (h *Headscale) generateMapResponse(
 		return nil, err
 	}

-	profiles := getMapResponseUserProfiles(*machine, peers)
+	profiles := h.getMapResponseUserProfiles(*machine, peers)

-	nodePeers, err := peers.toNodes(h.cfg.BaseDomain, h.cfg.DNSConfig)
+	nodePeers, err := h.toNodes(peers, h.cfg.BaseDomain, h.cfg.DNSConfig)
 	if err != nil {
 		log.Error().
 			Caller().
@@ -62,6 +62,7 @@ func (h *Headscale) generateMapResponse(
 		DNSConfig:    dnsConfig,
 		Domain:       h.cfg.BaseDomain,
 		PacketFilter: h.aclRules,
+		SSHPolicy:    h.sshPolicy,
 		DERPMap:      h.DERPMap,
 		UserProfiles: profiles,
 		Debug: &tailcfg.Debug{
--- a/app.go
+++ b/app.go
@@ -11,6 +11,7 @@ import (
 	"os"
 	"os/signal"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"
 	"syscall"
@@ -51,12 +52,6 @@ const (
 	errUnsupportedLetsEncryptChallengeType = Error(
 		"unknown value for Lets Encrypt challenge type",
 	)
-
-	ErrFailedPrivateKey      = Error("failed to read or create private key")
-	ErrFailedNoisePrivateKey = Error(
-		"failed to read or create Noise protocol private key",
-	)
-	ErrSamePrivateKeys = Error("private key and noise private key are the same")
 )

 const (
@@ -93,6 +88,7 @@ type Headscale struct {

 	aclPolicy *ACLPolicy
 	aclRules  []tailcfg.FilterRule
+	sshPolicy *tailcfg.SSHPolicy

 	lastStateChange *xsync.MapOf[string, time.Time]

@@ -107,41 +103,20 @@ type Headscale struct {
 	pollNetMapStreamWG sync.WaitGroup
 }

-// Look up the TLS constant relative to user-supplied TLS client
-// authentication mode. If an unknown mode is supplied, the default
-// value, tls.RequireAnyClientCert, is returned. The returned boolean
-// indicates if the supplied mode was valid.
-func LookupTLSClientAuthMode(mode string) (tls.ClientAuthType, bool) {
-	switch mode {
-	case DisabledClientAuth:
-		// Client cert is _not_ required.
-		return tls.NoClientCert, true
-	case RelaxedClientAuth:
-		// Client cert required, but _not verified_.
-		return tls.RequireAnyClientCert, true
-	case EnforcedClientAuth:
-		// Client cert is _required and verified_.
-		return tls.RequireAndVerifyClientCert, true
-	default:
-		// Return the default when an unknown value is supplied.
-		return tls.RequireAnyClientCert, false
-	}
-}
-
 func NewHeadscale(cfg *Config) (*Headscale, error) {
 	privateKey, err := readOrCreatePrivateKey(cfg.PrivateKeyPath)
 	if err != nil {
-		return nil, ErrFailedPrivateKey
+		return nil, fmt.Errorf("failed to read or create private key: %w", err)
 	}

 	// TS2021 requires to have a different key from the legacy protocol.
 	noisePrivateKey, err := readOrCreatePrivateKey(cfg.NoisePrivateKeyPath)
 	if err != nil {
-		return nil, ErrFailedNoisePrivateKey
+		return nil, fmt.Errorf("failed to read or create Noise protocol private key: %w", err)
 	}

 	if privateKey.Equal(*noisePrivateKey) {
-		return nil, ErrSamePrivateKeys
+		return nil, fmt.Errorf("private key and noise private key are the same: %w", err)
 	}

 	var dbString string
@@ -154,8 +129,12 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 			cfg.DBuser,
 		)

-		if !cfg.DBssl {
-			dbString += " sslmode=disable"
+		if sslEnabled, err := strconv.ParseBool(cfg.DBssl); err == nil {
+			if !sslEnabled {
+				dbString += " sslmode=disable"
+			}
+		} else {
+			dbString += fmt.Sprintf(" sslmode=%s", cfg.DBssl)
 		}

 		if cfg.DBport != 0 {
@@ -240,6 +219,16 @@ func (h *Headscale) expireEphemeralNodes(milliSeconds int64) {
 	}
 }

+func (h *Headscale) failoverSubnetRoutes(milliSeconds int64) {
+	ticker := time.NewTicker(time.Duration(milliSeconds) * time.Millisecond)
+	for range ticker.C {
+		err := h.handlePrimarySubnetFailover()
+		if err != nil {
+			log.Error().Err(err).Msg("failed to handle primary subnet failover")
+		}
+	}
+}
+
 func (h *Headscale) expireEphemeralNodesWorker() {
 	namespaces, err := h.ListNamespaces()
 	if err != nil {
@@ -454,9 +443,8 @@ func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *mux.Router {
 	router.HandleFunc("/health", h.HealthHandler).Methods(http.MethodGet)
 	router.HandleFunc("/key", h.KeyHandler).Methods(http.MethodGet)
 	router.HandleFunc("/register/{nkey}", h.RegisterWebAPI).Methods(http.MethodGet)
-	router.HandleFunc("/machine/{mkey}/map", h.PollNetMapHandler).
-		Methods(http.MethodPost)
-	router.HandleFunc("/machine/{mkey}", h.RegistrationHandler).Methods(http.MethodPost)
+	h.addLegacyHandlers(router)
+
 	router.HandleFunc("/oidc/register/{nkey}", h.RegisterOIDC).Methods(http.MethodGet)
 	router.HandleFunc("/oidc/callback", h.OIDCCallback).Methods(http.MethodGet)
 	router.HandleFunc("/apple", h.AppleConfigMessage).Methods(http.MethodGet)
@@ -519,6 +507,8 @@ func (h *Headscale) Serve() error {

 	go h.expireEphemeralNodes(updateInterval)

+	go h.failoverSubnetRoutes(updateInterval)
+
 	if zl.GlobalLevel() == zl.TraceLevel {
 		zerolog.RespLog = true
 	} else {
@@ -862,12 +852,7 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 			log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
 		}

-		log.Info().Msg(fmt.Sprintf(
-			"Client authentication (mTLS) is \"%s\". See the docs to learn about configuring this setting.",
-			h.cfg.TLS.ClientAuthMode))
-
 		tlsConfig := &tls.Config{
-			ClientAuth:   h.cfg.TLS.ClientAuthMode,
 			NextProtos:   []string{"http/1.1"},
 			Certificates: make([]tls.Certificate, 1),
 			MinVersion:   tls.VersionTLS12,
--- a/app_test.go
+++ b/app_test.go
@@ -59,20 +59,3 @@ func (s *Suite) ResetDB(c *check.C) {
 	}
 	app.db = db
 }
-
-// Enusre an error is returned when an invalid auth mode
-// is supplied.
-func (s *Suite) TestInvalidClientAuthMode(c *check.C) {
-	_, isValid := LookupTLSClientAuthMode("invalid")
-	c.Assert(isValid, check.Equals, false)
-}
-
-// Ensure that all client auth modes return a nil error.
-func (s *Suite) TestAuthModes(c *check.C) {
-	modes := []string{"disabled", "relaxed", "enforced"}
-
-	for _, v := range modes {
-		_, isValid := LookupTLSClientAuthMode(v)
-		c.Assert(isValid, check.Equals, true)
-	}
-}
--- a/cmd/headscale/cli/debug.go
+++ b/cmd/headscale/cli/debug.go
@@ -3,6 +3,7 @@ package cli
 import (
 	"fmt"

+	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
@@ -10,8 +11,7 @@ import (
 )

 const (
-	keyLength             = 64
-	errPreAuthKeyTooShort = Error("key too short, must be 64 hexadecimal characters")
+	errPreAuthKeyMalformed = Error("key is malformed. expected 64 hex characters with `nodekey` prefix")
 )

 // Error is used to compare errors as per https://dave.cheney.net/2016/04/07/constant-errors
@@ -87,8 +87,8 @@ var createNodeCmd = &cobra.Command{

 			return
 		}
-		if len(machineKey) != keyLength {
-			err = errPreAuthKeyTooShort
+		if !headscale.NodePublicKeyRegex.Match([]byte(machineKey)) {
+			err = errPreAuthKeyMalformed
 			ErrorOutput(
 				err,
 				fmt.Sprintf("Error: %s", err),
--- a/cmd/headscale/cli/nodes.go
+++ b/cmd/headscale/cli/nodes.go
@@ -134,7 +134,9 @@ var registerNodeCmd = &cobra.Command{
 			return
 		}

-		SuccessOutput(response.Machine, "Machine register", output)
+		SuccessOutput(
+			response.Machine,
+			fmt.Sprintf("Machine %s registered", response.Machine.GivenName), output)
 	},
 }

--- a/cmd/headscale/cli/root.go
+++ b/cmd/headscale/cli/root.go
@@ -15,7 +15,7 @@ import (
 var cfgFile string = ""

 func init() {
-	if len(os.Args) > 1 && (os.Args[1] == "version" || os.Args[1] == "mockoidc") {
+	if len(os.Args) > 1 && (os.Args[1] == "version" || os.Args[1] == "mockoidc" || os.Args[1] == "completion") {
 		return
 	}

--- a/cmd/headscale/cli/routes.go
+++ b/cmd/headscale/cli/routes.go
@@ -11,29 +11,28 @@ import (
 	"google.golang.org/grpc/status"
 )

+const (
+	Base10 = 10
+)
+
 func init() {
 	rootCmd.AddCommand(routesCmd)
-
 	listRoutesCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
-	err := listRoutesCmd.MarkFlagRequired("identifier")
-	if err != nil {
-		log.Fatalf(err.Error())
-	}
 	routesCmd.AddCommand(listRoutesCmd)

-	enableRouteCmd.Flags().
-		StringSliceP("route", "r", []string{}, "List (or repeated flags) of routes to enable")
-	enableRouteCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
-	enableRouteCmd.Flags().BoolP("all", "a", false, "All routes from host")
-
-	err = enableRouteCmd.MarkFlagRequired("identifier")
+	enableRouteCmd.Flags().Uint64P("route", "r", 0, "Route identifier (ID)")
+	err := enableRouteCmd.MarkFlagRequired("route")
 	if err != nil {
 		log.Fatalf(err.Error())
 	}
-
 	routesCmd.AddCommand(enableRouteCmd)

-	nodeCmd.AddCommand(routesCmd)
+	disableRouteCmd.Flags().Uint64P("route", "r", 0, "Route identifier (ID)")
+	err = disableRouteCmd.MarkFlagRequired("route")
+	if err != nil {
+		log.Fatalf(err.Error())
+	}
+	routesCmd.AddCommand(disableRouteCmd)
 }

 var routesCmd = &cobra.Command{
@@ -44,7 +43,7 @@ var routesCmd = &cobra.Command{

 var listRoutesCmd = &cobra.Command{
 	Use:     "list",
-	Short:   "List routes advertised and enabled by a given node",
+	Short:   "List all routes",
 	Aliases: []string{"ls", "show"},
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")
@@ -64,28 +63,51 @@ var listRoutesCmd = &cobra.Command{
 		defer cancel()
 		defer conn.Close()

-		request := &v1.GetMachineRouteRequest{
-			MachineId: machineID,
+		var routes []*v1.Route
+
+		if machineID == 0 {
+			response, err := client.GetRoutes(ctx, &v1.GetRoutesRequest{})
+			if err != nil {
+				ErrorOutput(
+					err,
+					fmt.Sprintf("Cannot get nodes: %s", status.Convert(err).Message()),
+					output,
+				)
+
+				return
+			}
+
+			if output != "" {
+				SuccessOutput(response.Routes, "", output)
+
+				return
+			}
+
+			routes = response.Routes
+		} else {
+			response, err := client.GetMachineRoutes(ctx, &v1.GetMachineRoutesRequest{
+				MachineId: machineID,
+			})
+			if err != nil {
+				ErrorOutput(
+					err,
+					fmt.Sprintf("Cannot get routes for machine %d: %s", machineID, status.Convert(err).Message()),
+					output,
+				)
+
+				return
+			}
+
+			if output != "" {
+				SuccessOutput(response.Routes, "", output)
+
+				return
+			}
+
+			routes = response.Routes
 		}

-		response, err := client.GetMachineRoute(ctx, request)
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Cannot get nodes: %s", status.Convert(err).Message()),
-				output,
-			)
-
-			return
-		}
-
-		if output != "" {
-			SuccessOutput(response.Routes, "", output)
-
-			return
-		}
-
-		tableData := routesToPtables(response.Routes)
+		tableData := routesToPtables(routes)
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error converting to table: %s", err), output)

@@ -107,16 +129,12 @@ var listRoutesCmd = &cobra.Command{

 var enableRouteCmd = &cobra.Command{
 	Use:   "enable",
-	Short: "Set the enabled routes for a given node",
-	Long: `This command will take a list of routes that will _replace_ 
-the current set of routes on a given node.
-If you would like to disable a route, simply run the command again, but 
-omit the route you do not want to enable.
-	`,
+	Short: "Set a route as enabled",
+	Long:  `This command will make as enabled a given route.`,
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

-		machineID, err := cmd.Flags().GetUint64("identifier")
+		routeID, err := cmd.Flags().GetUint64("route")
 		if err != nil {
 			ErrorOutput(
 				err,
@@ -131,52 +149,13 @@ omit the route you do not want to enable.
 		defer cancel()
 		defer conn.Close()

-		var routes []string
-
-		isAll, _ := cmd.Flags().GetBool("all")
-		if isAll {
-			response, err := client.GetMachineRoute(ctx, &v1.GetMachineRouteRequest{
-				MachineId: machineID,
-			})
-			if err != nil {
-				ErrorOutput(
-					err,
-					fmt.Sprintf(
-						"Cannot get machine routes: %s\n",
-						status.Convert(err).Message(),
-					),
-					output,
-				)
-
-				return
-			}
-			routes = response.GetRoutes().GetAdvertisedRoutes()
-		} else {
-			routes, err = cmd.Flags().GetStringSlice("route")
-			if err != nil {
-				ErrorOutput(
-					err,
-					fmt.Sprintf("Error getting routes from flag: %s", err),
-					output,
-				)
-
-				return
-			}
-		}
-
-		request := &v1.EnableMachineRoutesRequest{
-			MachineId: machineID,
-			Routes:    routes,
-		}
-
-		response, err := client.EnableMachineRoutes(ctx, request)
+		response, err := client.EnableRoute(ctx, &v1.EnableRouteRequest{
+			RouteId: routeID,
+		})
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf(
-					"Cannot register machine: %s\n",
-					status.Convert(err).Message(),
-				),
+				fmt.Sprintf("Cannot enable route %d: %s", routeID, status.Convert(err).Message()),
 				output,
 			)

@@ -184,50 +163,71 @@ omit the route you do not want to enable.
 		}

 		if output != "" {
-			SuccessOutput(response.Routes, "", output)
+			SuccessOutput(response, "", output)

 			return
 		}
+	},
+}

-		tableData := routesToPtables(response.Routes)
-		if err != nil {
-			ErrorOutput(err, fmt.Sprintf("Error converting to table: %s", err), output)
+var disableRouteCmd = &cobra.Command{
+	Use:   "disable",
+	Short: "Set as disabled a given route",
+	Long:  `This command will make as disabled a given route.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")

-			return
-		}
-
-		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
+		routeID, err := cmd.Flags().GetUint64("route")
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf("Failed to render pterm table: %s", err),
+				fmt.Sprintf("Error getting machine id from flag: %s", err),
 				output,
 			)

 			return
 		}
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		response, err := client.DisableRoute(ctx, &v1.DisableRouteRequest{
+			RouteId: routeID,
+		})
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot enable route %d: %s", routeID, status.Convert(err).Message()),
+				output,
+			)
+
+			return
+		}
+
+		if output != "" {
+			SuccessOutput(response, "", output)
+
+			return
+		}
 	},
 }

 // routesToPtables converts the list of routes to a nice table.
-func routesToPtables(routes *v1.Routes) pterm.TableData {
-	tableData := pterm.TableData{{"Route", "Enabled"}}
+func routesToPtables(routes []*v1.Route) pterm.TableData {
+	tableData := pterm.TableData{{"ID", "Machine", "Prefix", "Advertised", "Enabled", "Primary"}}

-	for _, route := range routes.GetAdvertisedRoutes() {
-		enabled := isStringInSlice(routes.EnabledRoutes, route)
-
-		tableData = append(tableData, []string{route, strconv.FormatBool(enabled)})
+	for _, route := range routes {
+		tableData = append(tableData,
+			[]string{
+				strconv.FormatUint(route.Id, Base10),
+				route.Machine.GivenName,
+				route.Prefix,
+				strconv.FormatBool(route.Advertised),
+				strconv.FormatBool(route.Enabled),
+				strconv.FormatBool(route.IsPrimary),
+			})
 	}

 	return tableData
 }
-
-func isStringInSlice(strs []string, s string) bool {
-	for _, s2 := range strs {
-		if s == s2 {
-			return true
-		}
-	}
-
-	return false
-}
--- a/cmd/headscale/headscale_test.go
+++ b/cmd/headscale/headscale_test.go
@@ -55,10 +55,10 @@ func (*Suite) TestConfigFileLoading(c *check.C) {

 	// Test that config file was interpreted correctly
 	c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
-	c.Assert(viper.GetString("listen_addr"), check.Equals, "0.0.0.0:8080")
+	c.Assert(viper.GetString("listen_addr"), check.Equals, "127.0.0.1:8080")
 	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
 	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
-	c.Assert(viper.GetString("db_path"), check.Equals, "/var/lib/headscale/db.sqlite")
+	c.Assert(viper.GetString("db_path"), check.Equals, "./db.sqlite")
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
@@ -98,10 +98,10 @@ func (*Suite) TestConfigLoading(c *check.C) {

 	// Test that config file was interpreted correctly
 	c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
-	c.Assert(viper.GetString("listen_addr"), check.Equals, "0.0.0.0:8080")
+	c.Assert(viper.GetString("listen_addr"), check.Equals, "127.0.0.1:8080")
 	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
 	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
-	c.Assert(viper.GetString("db_path"), check.Equals, "/var/lib/headscale/db.sqlite")
+	c.Assert(viper.GetString("db_path"), check.Equals, "./db.sqlite")
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -14,7 +14,9 @@ server_url: http://127.0.0.1:8080

 # Address to listen to / bind to on the server
 #
-listen_addr: 0.0.0.0:8080
+# For production:
+# listen_addr: 0.0.0.0:8080
+listen_addr: 127.0.0.1:8080

 # Address to listen to /metrics, you may want
 # to keep this endpoint private to your internal
@@ -27,7 +29,10 @@ metrics_listen_addr: 127.0.0.1:9090
 # remotely with the CLI
 # Note: Remote access _only_ works if you have
 # valid certificates.
-grpc_listen_addr: 0.0.0.0:50443
+#
+# For production:
+# grpc_listen_addr: 0.0.0.0:50443
+grpc_listen_addr: 127.0.0.1:50443

 # Allow the gRPC admin interface to run in INSECURE
 # mode. This is not recommended as the traffic will
@@ -35,20 +40,25 @@ grpc_listen_addr: 0.0.0.0:50443
 # are doing.
 grpc_allow_insecure: false

-# Private key used encrypt the traffic between headscale
+# Private key used to encrypt the traffic between headscale
 # and Tailscale clients.
-# The private key file which will be
-# autogenerated if it's missing
-private_key_path: /var/lib/headscale/private.key
+# The private key file will be autogenerated if it's missing.
+#
+# For production:
+# /var/lib/headscale/private.key
+private_key_path: ./private.key

 # The Noise section includes specific configuration for the
-# TS2021 Noise procotol
+# TS2021 Noise protocol
 noise:
  # The Noise private key is used to encrypt the
  # traffic between headscale and Tailscale clients when
  # using the new Noise-based protocol. It must be different
  # from the legacy private key.
-  private_key_path: /var/lib/headscale/noise_private.key
+  #
+  # For production:
+  # private_key_path: /var/lib/headscale/noise_private.key
+  private_key_path: ./noise_private.key

 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
@@ -78,7 +88,7 @@ derp:
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"

-    # Listens in UDP at the configured address for STUN connections to help on NAT traversal.
+    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
    #
    # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
@@ -112,15 +122,18 @@ disable_check_updates: false
 # Time before an inactive ephemeral node is deleted?
 ephemeral_node_inactivity_timeout: 30m

-# Period to check for node updates in the tailnet. A value too low will severily affect
+# Period to check for node updates within the tailnet. A value too low will severely affect
 # CPU consumption of Headscale. A value too high (over 60s) will cause problems
-# to the nodes, as they won't get updates or keep alive messages in time.
+# for the nodes, as they won't get updates or keep alive messages frequently enough.
 # In case of doubts, do not touch the default 10s.
 node_update_check_interval: 10s

 # SQLite config
 db_type: sqlite3
-db_path: /var/lib/headscale/db.sqlite
+
+# For production:
+# db_path: /var/lib/headscale/db.sqlite
+db_path: ./db.sqlite

 # # Postgres config
 # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
@@ -130,6 +143,9 @@ db_path: /var/lib/headscale/db.sqlite
 # db_name: headscale
 # db_user: foo
 # db_pass: bar
+
+# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
+# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
 # db_ssl: false

 ### TLS configuration
@@ -148,16 +164,11 @@ acme_email: ""
 # Domain name to request a TLS certificate for:
 tls_letsencrypt_hostname: ""

-# Client (Tailscale/Browser) authentication mode (mTLS)
-# Acceptable values:
-# - disabled: client authentication disabled
-# - relaxed: client certificate is required but not verified
-# - enforced: client certificate is required and verified
-tls_client_auth_mode: relaxed
-
 # Path to store certificates and metadata needed by
 # letsencrypt
-tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+# For production:
+# tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+tls_letsencrypt_cache_dir: ./cache

 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
@@ -199,6 +210,18 @@ dns_config:
  nameservers:
    - 1.1.1.1

+  # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+  # "abc123" is example NextDNS ID, replace with yours.
+  #
+  # With metadata sharing:
+  # nameservers:
+  #   - https://dns.nextdns.io/abc123
+  #
+  # Without metadata sharing:
+  # nameservers:
+  #   - 2a07:a8c0::ab:c123
+  #   - 2a07:a8c1::ab:c123
+
  # Split DNS (see https://tailscale.com/kb/1054/dns/),
  # list of search domains and the DNS to query for each one.
  #
@@ -223,9 +246,9 @@ dns_config:
  base_domain: example.com

 # Unix socket used for the CLI to connect without authentication
-# Note: for local development, you probably want to change this to:
-# unix_socket: ./headscale.sock
-unix_socket: /var/run/headscale.sock
+# Note: for production you will want to set this to something like:
+# unix_socket: /var/run/headscale.sock
+unix_socket: ./headscale.sock
 unix_socket_permission: "0770"
 #
 # headscale supports experimental OpenID connect support,
@@ -250,6 +273,9 @@ unix_socket_permission: "0770"
 #
 #   allowed_domains:
 #     - example.com
+# Groups from keycloak have a leading '/'
+#   allowed_groups:
+#     - /headscale
 #   allowed_users:
 #     - alice@example.com
 #
--- a/config.go
+++ b/config.go
@@ -1,7 +1,6 @@
 package headscale

 import (
-	"crypto/tls"
 	"errors"
 	"fmt"
 	"io/fs"
@@ -52,7 +51,7 @@ type Config struct {
 	DBname string
 	DBuser string
 	DBpass string
-	DBssl  bool
+	DBssl  string

 	TLS TLSConfig

@@ -75,9 +74,8 @@ type Config struct {
 }

 type TLSConfig struct {
-	CertPath       string
-	KeyPath        string
-	ClientAuthMode tls.ClientAuthType
+	CertPath string
+	KeyPath  string

 	LetsEncrypt LetsEncryptConfig
 }
@@ -98,6 +96,7 @@ type OIDCConfig struct {
 	ExtraParams                map[string]string
 	AllowedDomains             []string
 	AllowedUsers               []string
+	AllowedGroups              []string
 	StripEmaildomain           bool
 }

@@ -154,7 +153,6 @@ func LoadConfig(path string, isFile bool) error {

 	viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
 	viper.SetDefault("tls_letsencrypt_challenge_type", http01ChallengeType)
-	viper.SetDefault("tls_client_auth_mode", "relaxed")

 	viper.SetDefault("log.level", "info")
 	viper.SetDefault("log.format", TextLogFormat)
@@ -174,6 +172,8 @@ func LoadConfig(path string, isFile bool) error {
 	viper.SetDefault("cli.timeout", "5s")
 	viper.SetDefault("cli.insecure", false)

+	viper.SetDefault("db_ssl", false)
+
 	viper.SetDefault("oidc.scope", []string{oidc.ScopeOpenID, "profile", "email"})
 	viper.SetDefault("oidc.strip_email_domain", true)
 	viper.SetDefault("oidc.only_start_if_oidc_is_available", true)
@@ -185,6 +185,10 @@ func LoadConfig(path string, isFile bool) error {

 	viper.SetDefault("node_update_check_interval", "10s")

+	if IsCLIConfigured() {
+		return nil
+	}
+
 	if err := viper.ReadInConfig(); err != nil {
 		log.Warn().Err(err).Msg("Failed to read configuration from disk")

@@ -220,19 +224,6 @@ func LoadConfig(path string, isFile bool) error {
 		errorText += "Fatal config error: server_url must start with https:// or http://\n"
 	}

-	_, authModeValid := LookupTLSClientAuthMode(
-		viper.GetString("tls_client_auth_mode"),
-	)
-
-	if !authModeValid {
-		errorText += fmt.Sprintf(
-			"Invalid tls_client_auth_mode supplied: %s. Accepted values: %s, %s, %s.",
-			viper.GetString("tls_client_auth_mode"),
-			DisabledClientAuth,
-			RelaxedClientAuth,
-			EnforcedClientAuth)
-	}
-
 	// Minimum inactivity time out is keepalive timeout (60s) plus a few seconds
 	// to avoid races
 	minInactivityTimeout, _ := time.ParseDuration("65s")
@@ -262,10 +253,6 @@ func LoadConfig(path string, isFile bool) error {
 }

 func GetTLSConfig() TLSConfig {
-	tlsClientAuthMode, _ := LookupTLSClientAuthMode(
-		viper.GetString("tls_client_auth_mode"),
-	)
-
 	return TLSConfig{
 		LetsEncrypt: LetsEncryptConfig{
 			Hostname: viper.GetString("tls_letsencrypt_hostname"),
@@ -281,7 +268,6 @@ func GetTLSConfig() TLSConfig {
 		KeyPath: AbsolutePathFromConfigPath(
 			viper.GetString("tls_key_path"),
 		),
-		ClientAuthMode: tlsClientAuthMode,
 	}
 }

@@ -383,10 +369,21 @@ func GetDNSConfig() (*tailcfg.DNSConfig, string) {
 		if viper.IsSet("dns_config.nameservers") {
 			nameserversStr := viper.GetStringSlice("dns_config.nameservers")

-			nameservers := make([]netip.Addr, len(nameserversStr))
-			resolvers := make([]*dnstype.Resolver, len(nameserversStr))
+			nameservers := []netip.Addr{}
+			resolvers := []*dnstype.Resolver{}

-			for index, nameserverStr := range nameserversStr {
+			for _, nameserverStr := range nameserversStr {
+				// Search for explicit DNS-over-HTTPS resolvers
+				if strings.HasPrefix(nameserverStr, "https://") {
+					resolvers = append(resolvers, &dnstype.Resolver{
+						Addr: nameserverStr,
+					})
+
+					// This nameserver can not be parsed as an IP address
+					continue
+				}
+
+				// Parse nameserver as a regular IP
 				nameserver, err := netip.ParseAddr(nameserverStr)
 				if err != nil {
 					log.Error().
@@ -395,10 +392,10 @@ func GetDNSConfig() (*tailcfg.DNSConfig, string) {
 						Msgf("Could not parse nameserver IP: %s", nameserverStr)
 				}

-				nameservers[index] = nameserver
-				resolvers[index] = &dnstype.Resolver{
+				nameservers = append(nameservers, nameserver)
+				resolvers = append(resolvers, &dnstype.Resolver{
 					Addr: nameserver.String(),
-				}
+				})
 			}

 			dnsConfig.Nameservers = nameservers
@@ -469,6 +466,17 @@ func GetDNSConfig() (*tailcfg.DNSConfig, string) {
 }

 func GetHeadscaleConfig() (*Config, error) {
+	if IsCLIConfigured() {
+		return &Config{
+			CLI: CLIConfig{
+				Address:  viper.GetString("cli.address"),
+				APIKey:   viper.GetString("cli.api_key"),
+				Timeout:  viper.GetDuration("cli.timeout"),
+				Insecure: viper.GetBool("cli.insecure"),
+			},
+		}, nil
+	}
+
 	dnsConfig, baseDomain := GetDNSConfig()
 	derpConfig := GetDERPConfig()
 	logConfig := GetLogTailConfig()
@@ -540,7 +548,7 @@ func GetHeadscaleConfig() (*Config, error) {
 		DBname: viper.GetString("db_name"),
 		DBuser: viper.GetString("db_user"),
 		DBpass: viper.GetString("db_pass"),
-		DBssl:  viper.GetBool("db_ssl"),
+		DBssl:  viper.GetString("db_ssl"),

 		TLS: GetTLSConfig(),

@@ -563,12 +571,15 @@ func GetHeadscaleConfig() (*Config, error) {
 			ExtraParams:      viper.GetStringMapString("oidc.extra_params"),
 			AllowedDomains:   viper.GetStringSlice("oidc.allowed_domains"),
 			AllowedUsers:     viper.GetStringSlice("oidc.allowed_users"),
+			AllowedGroups:    viper.GetStringSlice("oidc.allowed_groups"),
 			StripEmaildomain: viper.GetBool("oidc.strip_email_domain"),
 		},

 		LogTail:             logConfig,
 		RandomizeClientPort: randomizeClientPort,

+		ACL: GetACLConfig(),
+
 		CLI: CLIConfig{
 			Address:  viper.GetString("cli.address"),
 			APIKey:   viper.GetString("cli.api_key"),
@@ -576,8 +587,10 @@ func GetHeadscaleConfig() (*Config, error) {
 			Insecure: viper.GetBool("cli.insecure"),
 		},

-		ACL: GetACLConfig(),
-
 		Log: GetLogConfig(),
 	}, nil
 }
+
+func IsCLIConfigured() bool {
+	return viper.GetString("cli.address") != "" && viper.GetString("cli.api_key") != ""
+}
--- a/db.go
+++ b/db.go
@@ -18,8 +18,10 @@ import (
 )

 const (
-	dbVersion        = "1"
-	errValueNotFound = Error("not found")
+	dbVersion = "1"
+
+	errValueNotFound     = Error("not found")
+	ErrCannotParsePrefix = Error("cannot parse prefix")
 )

 // KV is a key-value store in a psql table. For future use...
@@ -79,6 +81,67 @@ func (h *Headscale) initDB() error {
 		}
 	}

+	err = db.AutoMigrate(&Route{})
+	if err != nil {
+		return err
+	}
+
+	if db.Migrator().HasColumn(&Machine{}, "enabled_routes") {
+		log.Info().Msgf("Database has legacy enabled_routes column in machine, migrating...")
+
+		type MachineAux struct {
+			ID            uint64
+			EnabledRoutes IPPrefixes
+		}
+
+		machinesAux := []MachineAux{}
+		err := db.Table("machines").Select("id, enabled_routes").Scan(&machinesAux).Error
+		if err != nil {
+			log.Fatal().Err(err).Msg("Error accessing db")
+		}
+		for _, machine := range machinesAux {
+			for _, prefix := range machine.EnabledRoutes {
+				if err != nil {
+					log.Error().
+						Err(err).
+						Str("enabled_route", prefix.String()).
+						Msg("Error parsing enabled_route")
+
+					continue
+				}
+
+				err = db.Preload("Machine").Where("machine_id = ? AND prefix = ?", machine.ID, IPPrefix(prefix)).First(&Route{}).Error
+				if err == nil {
+					log.Info().
+						Str("enabled_route", prefix.String()).
+						Msg("Route already migrated to new table, skipping")
+
+					continue
+				}
+
+				route := Route{
+					MachineID:  machine.ID,
+					Advertised: true,
+					Enabled:    true,
+					Prefix:     IPPrefix(prefix),
+				}
+				if err := h.db.Create(&route).Error; err != nil {
+					log.Error().Err(err).Msg("Error creating route")
+				} else {
+					log.Info().
+						Uint64("machine_id", route.MachineID).
+						Str("prefix", prefix.String()).
+						Msg("Route migrated")
+				}
+			}
+		}
+
+		err = db.Migrator().DropColumn(&Machine{}, "enabled_routes")
+		if err != nil {
+			log.Error().Err(err).Msg("Error dropping enabled_routes column")
+		}
+	}
+
 	err = db.AutoMigrate(&Machine{})
 	if err != nil {
 		return err
@@ -264,6 +327,30 @@ func (hi HostInfo) Value() (driver.Value, error) {
 	return string(bytes), err
 }

+type IPPrefix netip.Prefix
+
+func (i *IPPrefix) Scan(destination interface{}) error {
+	switch value := destination.(type) {
+	case string:
+		prefix, err := netip.ParsePrefix(value)
+		if err != nil {
+			return err
+		}
+		*i = IPPrefix(prefix)
+
+		return nil
+	default:
+		return fmt.Errorf("%w: unexpected data type %T", ErrCannotParsePrefix, destination)
+	}
+}
+
+// Value return json value, implement driver.Valuer interface.
+func (i IPPrefix) Value() (driver.Value, error) {
+	prefixStr := netip.Prefix(i).String()
+
+	return prefixStr, nil
+}
+
 type IPPrefixes []netip.Prefix

 func (i *IPPrefixes) Scan(destination interface{}) error {
--- a/dns.go
+++ b/dns.go
@@ -3,11 +3,13 @@ package headscale
 import (
 	"fmt"
 	"net/netip"
+	"net/url"
 	"strings"

 	mapset "github.com/deckarep/golang-set/v2"
 	"go4.org/netipx"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/dnstype"
 	"tailscale.com/util/dnsname"
 )

@@ -20,6 +22,10 @@ const (
 	ipv6AddressLength = 128
 )

+const (
+	nextDNSDoHPrefix = "https://dns.nextdns.io"
+)
+
 // generateMagicDNSRootDomains generates a list of DNS entries to be included in `Routes` in `MapResponse`.
 // This list of reverse DNS entries instructs the OS on what subnets and domains the Tailscale embedded DNS
 // server (listening in 100.100.100.100 udp/53) should be used for.
@@ -152,16 +158,39 @@ func generateIPv6DNSRootDomain(ipPrefix netip.Prefix) []dnsname.FQDN {
 	return fqdns
 }

+// If any nextdns DoH resolvers are present in the list of resolvers it will
+// take metadata from the machine metadata and instruct tailscale to add it
+// to the requests. This makes it possible to identify from which device the
+// requests come in the NextDNS dashboard.
+//
+// This will produce a resolver like:
+// `https://dns.nextdns.io/<nextdns-id>?device_name=node-name&device_model=linux&device_ip=100.64.0.1`
+func addNextDNSMetadata(resolvers []*dnstype.Resolver, machine Machine) {
+	for _, resolver := range resolvers {
+		if strings.HasPrefix(resolver.Addr, nextDNSDoHPrefix) {
+			attrs := url.Values{
+				"device_name":  []string{machine.Hostname},
+				"device_model": []string{machine.HostInfo.OS},
+			}
+
+			if len(machine.IPAddresses) > 0 {
+				attrs.Add("device_ip", machine.IPAddresses[0].String())
+			}
+
+			resolver.Addr = fmt.Sprintf("%s?%s", resolver.Addr, attrs.Encode())
+		}
+	}
+}
+
 func getMapResponseDNSConfig(
 	dnsConfigOrig *tailcfg.DNSConfig,
 	baseDomain string,
 	machine Machine,
 	peers Machines,
 ) *tailcfg.DNSConfig {
-	var dnsConfig *tailcfg.DNSConfig
+	var dnsConfig *tailcfg.DNSConfig = dnsConfigOrig.Clone()
 	if dnsConfigOrig != nil && dnsConfigOrig.Proxied { // if MagicDNS is enabled
 		// Only inject the Search Domain of the current namespace - shared nodes should use their full FQDN
-		dnsConfig = dnsConfigOrig.Clone()
 		dnsConfig.Domains = append(
 			dnsConfig.Domains,
 			fmt.Sprintf(
@@ -184,5 +213,7 @@ func getMapResponseDNSConfig(
 		dnsConfig = dnsConfigOrig
 	}

+	addNextDNSMetadata(dnsConfig.Resolvers, machine)
+
 	return dnsConfig
 }
--- a/docs/proposals/002-better-routing.md
+++ b/docs/proposals/002-better-routing.md
@@ -0,0 +1,48 @@
+# Better route management
+
+As of today, route management in Headscale is very basic and does not allow for much flexibility, including implementing subnet HA, 4via6 or more advanced features. We also have a number of bugs (e.g., routes exposed by ephemeral nodes)
+
+This proposal aims to improve the route management.
+
+## Current situation
+
+Routes advertised by the nodes are read from the Hostinfo struct. If approved from the the CLI or via autoApprovers, the route is added to the EnabledRoutes field in `Machine`.
+
+This means that the advertised routes are not persisted in the database, as Hostinfo is always replaced. In the same way, EnabledRoutes can get out of sync with the actual routes in the node.
+
+In case of colliding routes (i.e., subnets that are exposed from multiple nodes), we are currently just sending all of them in `PrimaryRoutes`... and hope for the best. (`PrimaryRoutes` is the field in `Node` used for subnet failover).
+
+## Proposal
+
+The core part is to create a new `Route` struct (and DB table), with the following fields:
+
+```go
+type Route struct {
+	ID          uint64 `gorm:"primary_key"`
+
+    Machine     *Machine
+    Prefix      IPPrefix
+
+    Advertised  bool
+    Enabled     bool
+    IsPrimary   bool
+
+
+    CreatedAt   *time.Time
+    UpdatedAt   *time.Time
+    DeletedAt   *time.Time
+}
+```
+
+- The `Advertised` field is set to true if the route is being advertised by the node. It is set to false if the route is removed. This way we can indicate if a later enabled route has stopped being advertised. A similar behaviour happens in the Tailscale.com control panel.
+
+- The `Enabled` field is set to true if the route is enabled - via CLI or autoApprovers.
+
+- `IsPrimary` indicates if Headscale has selected this route as the primary route for that particular subnet. This allows us to implement subnet failover. This would be fully automatic if there is more than subnet routers advertising the same network - which is the behaviour of Tailscale.com.
+
+## Stuff to bear in mind
+
+- We need to make sure to migrate the current `EnabledRoutes` of `Machine` into the new table.
+- When a node stops sharing a subnet, I reckon we should mark it both as not `Advertised` and not `Enabled`. Users should re-enable it if the node advertises it again.
+- If only one subnet router is advertising a subnet, we should mark it as primary.
+- Regarding subnet failover, the current behaviour of Tailscale.com is to perform the failover after 15 seconds from the node disconnecting from their control panel. I reckon we cannot do the same currently. Our maximum granularity is the keep alive period.
--- a/docs/running-headscale-container.md
+++ b/docs/running-headscale-container.md
@@ -58,6 +58,7 @@ private_key_path: /etc/headscale/private.key
 noise:
  private_key_path: /etc/headscale/noise_private.key
 # The default /var/lib/headscale path is not writable  in the container
+db_type: sqlite3
 db_path: /etc/headscale/db.sqlite
 ```

--- a/docs/tls.md
+++ b/docs/tls.md
@@ -29,17 +29,3 @@ headscale can also be configured to expose its web service via TLS. To configure
 tls_cert_path: ""
 tls_key_path: ""
 ```
-
-### Configuring Mutual TLS Authentication (mTLS)
-
-mTLS is a method by which an HTTPS server authenticates clients, e.g. Tailscale, using TLS certificates. This can be configured by applying one of the following values to the `tls_client_auth_mode` setting in the configuration file.
-
-| Value               | Behavior                                                   |
-| ------------------- | ---------------------------------------------------------- |
-| `disabled`          | Disable mTLS.                                              |
-| `relaxed` (default) | A client certificate is required, but it is not verified.  |
-| `enforced`          | Requires clients to supply a certificate that is verified. |
-
-```yaml
-tls_client_auth_mode: ""
-```
--- a/flake.lock
+++ b/flake.lock
@@ -2,11 +2,11 @@
  "nodes": {
    "flake-utils": {
      "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
        "type": "github"
      },
      "original": {
@@ -17,11 +17,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1666869603,
-        "narHash": "sha256-3V53or4Vpu4+LrGfGSh3T2V8+qf5RP6nRuex9GywkwE=",
+        "lastModified": 1670064435,
+        "narHash": "sha256-+ELoY30UN+Pl3Yn7RWRPabykwebsVK/kYE9JsIsUMxQ=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "2001e2b31c565bcdf7bc13062b8d7cfccaca05b8",
+        "rev": "61a8a98e6d557e6dd7ed0cdb54c3a3e3bbc5e25c",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -26,12 +26,14 @@
          version = headscaleVersion;
          src = pkgs.lib.cleanSource self;

+          tags = ["ts2019"];
+
          # Only run unit tests when testing a build
          checkFlags = ["-short"];

          # When updating go.mod or go.sum, a new sha will need to be calculated,
          # update this if you have a mismatch after doing a change to thos files.
-          vendorSha256 = "sha256-Cq0WipTQ+kGcvnfP0kjyvjyonl2OC9W7Tj0MCuB1lDU=";
+          vendorSha256 = "sha256-SuKT+b8g6xEK15ry2IAmpS/vwDG+zJqK9nfsWpHNXuU=";

          ldflags = ["-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}"];
        };
@@ -107,6 +109,7 @@
          golangci-lint
          golines
          nodePackages.prettier
+          goreleaser

          # Protobuf dependencies
          protobuf
@@ -135,7 +138,7 @@
        buildInputs = devDeps;

        shellHook = ''
-          export GOFLAGS=-tags="integration,integration_general,integration_oidc,integration_cli,integration_derp"
+          export GOFLAGS=-tags="ts2019"
        '';
      };

@@ -144,14 +147,13 @@
        inherit headscale;
        inherit headscale-docker;
      };
-
      defaultPackage = pkgs.headscale;

      # `nix run`
      apps.headscale = flake-utils.lib.mkApp {
        drv = packages.headscale;
      };
-      defaultApp = apps.headscale;
+      apps.default = apps.headscale;

      checks = {
        format =
--- a/gen/go/headscale/v1/headscale.pb.go
+++ b/gen/go/headscale/v1/headscale.pb.go
@@ -36,7 +36,7 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 	0x6f, 0x74, 0x6f, 0x1a, 0x19, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76,
 	0x31, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19,
 	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69,
-	0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x32, 0xb1, 0x16, 0x0a, 0x10, 0x48, 0x65,
+	0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x32, 0x81, 0x18, 0x0a, 0x10, 0x48, 0x65,
 	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x77,
 	0x0a, 0x0c, 0x47, 0x65, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x21,
 	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65,
@@ -51,9 +51,9 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 	0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
 	0x1a, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
 	0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1c, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x16, 0x22,
-	0x11, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61,
-	0x63, 0x65, 0x3a, 0x01, 0x2a, 0x12, 0x96, 0x01, 0x0a, 0x0f, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1c, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x16, 0x3a,
+	0x01, 0x2a, 0x22, 0x11, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x61, 0x6d, 0x65,
+	0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x96, 0x01, 0x0a, 0x0f, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65,
 	0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x24, 0x2e, 0x68, 0x65, 0x61, 0x64,
 	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x4e,
 	0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
@@ -85,17 +85,17 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
 	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75,
 	0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x1d, 0x82,
-	0xd3, 0xe4, 0x93, 0x02, 0x17, 0x22, 0x12, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x70,
-	0x72, 0x65, 0x61, 0x75, 0x74, 0x68, 0x6b, 0x65, 0x79, 0x3a, 0x01, 0x2a, 0x12, 0x87, 0x01, 0x0a,
+	0xd3, 0xe4, 0x93, 0x02, 0x17, 0x3a, 0x01, 0x2a, 0x22, 0x12, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76,
+	0x31, 0x2f, 0x70, 0x72, 0x65, 0x61, 0x75, 0x74, 0x68, 0x6b, 0x65, 0x79, 0x12, 0x87, 0x01, 0x0a,
 	0x10, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65,
 	0x79, 0x12, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
 	0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65,
 	0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x26, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
 	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x50, 0x72,
 	0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
-	0x22, 0x24, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1e, 0x22, 0x19, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76,
-	0x31, 0x2f, 0x70, 0x72, 0x65, 0x61, 0x75, 0x74, 0x68, 0x6b, 0x65, 0x79, 0x2f, 0x65, 0x78, 0x70,
-	0x69, 0x72, 0x65, 0x3a, 0x01, 0x2a, 0x12, 0x7a, 0x0a, 0x0f, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x72,
+	0x22, 0x24, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1e, 0x3a, 0x01, 0x2a, 0x22, 0x19, 0x2f, 0x61, 0x70,
+	0x69, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x65, 0x61, 0x75, 0x74, 0x68, 0x6b, 0x65, 0x79, 0x2f,
+	0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x12, 0x7a, 0x0a, 0x0f, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x72,
 	0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x73, 0x12, 0x24, 0x2e, 0x68, 0x65, 0x61, 0x64,
 	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x72, 0x65,
 	0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
@@ -110,8 +110,8 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 	0x73, 0x74, 0x1a, 0x28, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
 	0x31, 0x2e, 0x44, 0x65, 0x62, 0x75, 0x67, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4d, 0x61, 0x63,
 	0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3,
-	0xe4, 0x93, 0x02, 0x1a, 0x22, 0x15, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65,
-	0x62, 0x75, 0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x3a, 0x01, 0x2a, 0x12, 0x75,
+	0xe4, 0x93, 0x02, 0x1a, 0x3a, 0x01, 0x2a, 0x22, 0x15, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
+	0x2f, 0x64, 0x65, 0x62, 0x75, 0x67, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12, 0x75,
 	0x0a, 0x0a, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12, 0x1f, 0x2e, 0x68,
 	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d,
 	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x20, 0x2e,
@@ -124,9 +124,9 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 	0x53, 0x65, 0x74, 0x54, 0x61, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d,
 	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65,
 	0x74, 0x54, 0x61, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2c, 0x82,
-	0xd3, 0xe4, 0x93, 0x02, 0x26, 0x22, 0x21, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d,
-	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f,
-	0x69, 0x64, 0x7d, 0x2f, 0x74, 0x61, 0x67, 0x73, 0x3a, 0x01, 0x2a, 0x12, 0x80, 0x01, 0x0a, 0x0f,
+	0xd3, 0xe4, 0x93, 0x02, 0x26, 0x3a, 0x01, 0x2a, 0x22, 0x21, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76,
+	0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69,
+	0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x74, 0x61, 0x67, 0x73, 0x12, 0x80, 0x01, 0x0a, 0x0f,
 	0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12,
 	0x24, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52,
 	0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65,
@@ -175,24 +175,37 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2e,
 	0x82, 0xd3, 0xe4, 0x93, 0x02, 0x28, 0x22, 0x26, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f,
 	0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x8b,
-	0x01, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75,
-	0x74, 0x65, 0x12, 0x24, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
-	0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74,
-	0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69,
-	0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
-	0x2b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x25, 0x12, 0x23, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
-	0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e,
-	0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x97, 0x01, 0x0a,
-	0x13, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f,
-	0x75, 0x74, 0x65, 0x73, 0x12, 0x28, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
-	0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e,
-	0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x29,
-	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e,
-	0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65,
+	0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x64,
+	0x0a, 0x09, 0x47, 0x65, 0x74, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x1e, 0x2e, 0x68, 0x65,
+	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x6f,
+	0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1f, 0x2e, 0x68, 0x65,
+	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x52, 0x6f,
+	0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x16, 0x82, 0xd3,
+	0xe4, 0x93, 0x02, 0x10, 0x12, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f,
+	0x75, 0x74, 0x65, 0x73, 0x12, 0x7c, 0x0a, 0x0b, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f,
+	0x75, 0x74, 0x65, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
+	0x76, 0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
+	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x28, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x22,
+	0x22, 0x20, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73,
+	0x2f, 0x7b, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x65, 0x6e, 0x61, 0x62,
+	0x6c, 0x65, 0x12, 0x80, 0x01, 0x0a, 0x0c, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f,
+	0x75, 0x74, 0x65, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
+	0x76, 0x31, 0x2e, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
+	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75,
+	0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x29, 0x82, 0xd3, 0xe4, 0x93,
+	0x02, 0x23, 0x22, 0x21, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x6f, 0x75, 0x74,
+	0x65, 0x73, 0x2f, 0x7b, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x64, 0x69,
+	0x73, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x8e, 0x01, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63,
+	0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x25, 0x2e, 0x68, 0x65, 0x61,
+	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63,
+	0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x1a, 0x26, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
+	0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65,
 	0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2b, 0x82, 0xd3, 0xe4, 0x93, 0x02,
-	0x25, 0x22, 0x23, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69,
+	0x25, 0x12, 0x23, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69,
 	0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f,
 	0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x70, 0x0a, 0x0c, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65,
 	0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
@@ -200,16 +213,16 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 	0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64,
 	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41,
 	0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x19, 0x82,
-	0xd3, 0xe4, 0x93, 0x02, 0x13, 0x22, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61,
-	0x70, 0x69, 0x6b, 0x65, 0x79, 0x3a, 0x01, 0x2a, 0x12, 0x77, 0x0a, 0x0c, 0x45, 0x78, 0x70, 0x69,
+	0xd3, 0xe4, 0x93, 0x02, 0x13, 0x3a, 0x01, 0x2a, 0x22, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76,
+	0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x12, 0x77, 0x0a, 0x0c, 0x45, 0x78, 0x70, 0x69,
 	0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
 	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70,
 	0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65,
 	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72,
 	0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
-	0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x22, 0x15, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
-	0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x3a, 0x01,
-	0x2a, 0x12, 0x6a, 0x0a, 0x0b, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73,
+	0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x3a, 0x01, 0x2a, 0x22, 0x15, 0x2f, 0x61, 0x70, 0x69,
+	0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72,
+	0x65, 0x12, 0x6a, 0x0a, 0x0b, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73,
 	0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
 	0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65,
 	0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
@@ -222,50 +235,54 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 }

 var file_headscale_v1_headscale_proto_goTypes = []interface{}{
-	(*GetNamespaceRequest)(nil),         // 0: headscale.v1.GetNamespaceRequest
-	(*CreateNamespaceRequest)(nil),      // 1: headscale.v1.CreateNamespaceRequest
-	(*RenameNamespaceRequest)(nil),      // 2: headscale.v1.RenameNamespaceRequest
-	(*DeleteNamespaceRequest)(nil),      // 3: headscale.v1.DeleteNamespaceRequest
-	(*ListNamespacesRequest)(nil),       // 4: headscale.v1.ListNamespacesRequest
-	(*CreatePreAuthKeyRequest)(nil),     // 5: headscale.v1.CreatePreAuthKeyRequest
-	(*ExpirePreAuthKeyRequest)(nil),     // 6: headscale.v1.ExpirePreAuthKeyRequest
-	(*ListPreAuthKeysRequest)(nil),      // 7: headscale.v1.ListPreAuthKeysRequest
-	(*DebugCreateMachineRequest)(nil),   // 8: headscale.v1.DebugCreateMachineRequest
-	(*GetMachineRequest)(nil),           // 9: headscale.v1.GetMachineRequest
-	(*SetTagsRequest)(nil),              // 10: headscale.v1.SetTagsRequest
-	(*RegisterMachineRequest)(nil),      // 11: headscale.v1.RegisterMachineRequest
-	(*DeleteMachineRequest)(nil),        // 12: headscale.v1.DeleteMachineRequest
-	(*ExpireMachineRequest)(nil),        // 13: headscale.v1.ExpireMachineRequest
-	(*RenameMachineRequest)(nil),        // 14: headscale.v1.RenameMachineRequest
-	(*ListMachinesRequest)(nil),         // 15: headscale.v1.ListMachinesRequest
-	(*MoveMachineRequest)(nil),          // 16: headscale.v1.MoveMachineRequest
-	(*GetMachineRouteRequest)(nil),      // 17: headscale.v1.GetMachineRouteRequest
-	(*EnableMachineRoutesRequest)(nil),  // 18: headscale.v1.EnableMachineRoutesRequest
-	(*CreateApiKeyRequest)(nil),         // 19: headscale.v1.CreateApiKeyRequest
-	(*ExpireApiKeyRequest)(nil),         // 20: headscale.v1.ExpireApiKeyRequest
-	(*ListApiKeysRequest)(nil),          // 21: headscale.v1.ListApiKeysRequest
-	(*GetNamespaceResponse)(nil),        // 22: headscale.v1.GetNamespaceResponse
-	(*CreateNamespaceResponse)(nil),     // 23: headscale.v1.CreateNamespaceResponse
-	(*RenameNamespaceResponse)(nil),     // 24: headscale.v1.RenameNamespaceResponse
-	(*DeleteNamespaceResponse)(nil),     // 25: headscale.v1.DeleteNamespaceResponse
-	(*ListNamespacesResponse)(nil),      // 26: headscale.v1.ListNamespacesResponse
-	(*CreatePreAuthKeyResponse)(nil),    // 27: headscale.v1.CreatePreAuthKeyResponse
-	(*ExpirePreAuthKeyResponse)(nil),    // 28: headscale.v1.ExpirePreAuthKeyResponse
-	(*ListPreAuthKeysResponse)(nil),     // 29: headscale.v1.ListPreAuthKeysResponse
-	(*DebugCreateMachineResponse)(nil),  // 30: headscale.v1.DebugCreateMachineResponse
-	(*GetMachineResponse)(nil),          // 31: headscale.v1.GetMachineResponse
-	(*SetTagsResponse)(nil),             // 32: headscale.v1.SetTagsResponse
-	(*RegisterMachineResponse)(nil),     // 33: headscale.v1.RegisterMachineResponse
-	(*DeleteMachineResponse)(nil),       // 34: headscale.v1.DeleteMachineResponse
-	(*ExpireMachineResponse)(nil),       // 35: headscale.v1.ExpireMachineResponse
-	(*RenameMachineResponse)(nil),       // 36: headscale.v1.RenameMachineResponse
-	(*ListMachinesResponse)(nil),        // 37: headscale.v1.ListMachinesResponse
-	(*MoveMachineResponse)(nil),         // 38: headscale.v1.MoveMachineResponse
-	(*GetMachineRouteResponse)(nil),     // 39: headscale.v1.GetMachineRouteResponse
-	(*EnableMachineRoutesResponse)(nil), // 40: headscale.v1.EnableMachineRoutesResponse
-	(*CreateApiKeyResponse)(nil),        // 41: headscale.v1.CreateApiKeyResponse
-	(*ExpireApiKeyResponse)(nil),        // 42: headscale.v1.ExpireApiKeyResponse
-	(*ListApiKeysResponse)(nil),         // 43: headscale.v1.ListApiKeysResponse
+	(*GetNamespaceRequest)(nil),        // 0: headscale.v1.GetNamespaceRequest
+	(*CreateNamespaceRequest)(nil),     // 1: headscale.v1.CreateNamespaceRequest
+	(*RenameNamespaceRequest)(nil),     // 2: headscale.v1.RenameNamespaceRequest
+	(*DeleteNamespaceRequest)(nil),     // 3: headscale.v1.DeleteNamespaceRequest
+	(*ListNamespacesRequest)(nil),      // 4: headscale.v1.ListNamespacesRequest
+	(*CreatePreAuthKeyRequest)(nil),    // 5: headscale.v1.CreatePreAuthKeyRequest
+	(*ExpirePreAuthKeyRequest)(nil),    // 6: headscale.v1.ExpirePreAuthKeyRequest
+	(*ListPreAuthKeysRequest)(nil),     // 7: headscale.v1.ListPreAuthKeysRequest
+	(*DebugCreateMachineRequest)(nil),  // 8: headscale.v1.DebugCreateMachineRequest
+	(*GetMachineRequest)(nil),          // 9: headscale.v1.GetMachineRequest
+	(*SetTagsRequest)(nil),             // 10: headscale.v1.SetTagsRequest
+	(*RegisterMachineRequest)(nil),     // 11: headscale.v1.RegisterMachineRequest
+	(*DeleteMachineRequest)(nil),       // 12: headscale.v1.DeleteMachineRequest
+	(*ExpireMachineRequest)(nil),       // 13: headscale.v1.ExpireMachineRequest
+	(*RenameMachineRequest)(nil),       // 14: headscale.v1.RenameMachineRequest
+	(*ListMachinesRequest)(nil),        // 15: headscale.v1.ListMachinesRequest
+	(*MoveMachineRequest)(nil),         // 16: headscale.v1.MoveMachineRequest
+	(*GetRoutesRequest)(nil),           // 17: headscale.v1.GetRoutesRequest
+	(*EnableRouteRequest)(nil),         // 18: headscale.v1.EnableRouteRequest
+	(*DisableRouteRequest)(nil),        // 19: headscale.v1.DisableRouteRequest
+	(*GetMachineRoutesRequest)(nil),    // 20: headscale.v1.GetMachineRoutesRequest
+	(*CreateApiKeyRequest)(nil),        // 21: headscale.v1.CreateApiKeyRequest
+	(*ExpireApiKeyRequest)(nil),        // 22: headscale.v1.ExpireApiKeyRequest
+	(*ListApiKeysRequest)(nil),         // 23: headscale.v1.ListApiKeysRequest
+	(*GetNamespaceResponse)(nil),       // 24: headscale.v1.GetNamespaceResponse
+	(*CreateNamespaceResponse)(nil),    // 25: headscale.v1.CreateNamespaceResponse
+	(*RenameNamespaceResponse)(nil),    // 26: headscale.v1.RenameNamespaceResponse
+	(*DeleteNamespaceResponse)(nil),    // 27: headscale.v1.DeleteNamespaceResponse
+	(*ListNamespacesResponse)(nil),     // 28: headscale.v1.ListNamespacesResponse
+	(*CreatePreAuthKeyResponse)(nil),   // 29: headscale.v1.CreatePreAuthKeyResponse
+	(*ExpirePreAuthKeyResponse)(nil),   // 30: headscale.v1.ExpirePreAuthKeyResponse
+	(*ListPreAuthKeysResponse)(nil),    // 31: headscale.v1.ListPreAuthKeysResponse
+	(*DebugCreateMachineResponse)(nil), // 32: headscale.v1.DebugCreateMachineResponse
+	(*GetMachineResponse)(nil),         // 33: headscale.v1.GetMachineResponse
+	(*SetTagsResponse)(nil),            // 34: headscale.v1.SetTagsResponse
+	(*RegisterMachineResponse)(nil),    // 35: headscale.v1.RegisterMachineResponse
+	(*DeleteMachineResponse)(nil),      // 36: headscale.v1.DeleteMachineResponse
+	(*ExpireMachineResponse)(nil),      // 37: headscale.v1.ExpireMachineResponse
+	(*RenameMachineResponse)(nil),      // 38: headscale.v1.RenameMachineResponse
+	(*ListMachinesResponse)(nil),       // 39: headscale.v1.ListMachinesResponse
+	(*MoveMachineResponse)(nil),        // 40: headscale.v1.MoveMachineResponse
+	(*GetRoutesResponse)(nil),          // 41: headscale.v1.GetRoutesResponse
+	(*EnableRouteResponse)(nil),        // 42: headscale.v1.EnableRouteResponse
+	(*DisableRouteResponse)(nil),       // 43: headscale.v1.DisableRouteResponse
+	(*GetMachineRoutesResponse)(nil),   // 44: headscale.v1.GetMachineRoutesResponse
+	(*CreateApiKeyResponse)(nil),       // 45: headscale.v1.CreateApiKeyResponse
+	(*ExpireApiKeyResponse)(nil),       // 46: headscale.v1.ExpireApiKeyResponse
+	(*ListApiKeysResponse)(nil),        // 47: headscale.v1.ListApiKeysResponse
 }
 var file_headscale_v1_headscale_proto_depIdxs = []int32{
 	0,  // 0: headscale.v1.HeadscaleService.GetNamespace:input_type -> headscale.v1.GetNamespaceRequest
@@ -285,35 +302,39 @@ var file_headscale_v1_headscale_proto_depIdxs = []int32{
 	14, // 14: headscale.v1.HeadscaleService.RenameMachine:input_type -> headscale.v1.RenameMachineRequest
 	15, // 15: headscale.v1.HeadscaleService.ListMachines:input_type -> headscale.v1.ListMachinesRequest
 	16, // 16: headscale.v1.HeadscaleService.MoveMachine:input_type -> headscale.v1.MoveMachineRequest
-	17, // 17: headscale.v1.HeadscaleService.GetMachineRoute:input_type -> headscale.v1.GetMachineRouteRequest
-	18, // 18: headscale.v1.HeadscaleService.EnableMachineRoutes:input_type -> headscale.v1.EnableMachineRoutesRequest
-	19, // 19: headscale.v1.HeadscaleService.CreateApiKey:input_type -> headscale.v1.CreateApiKeyRequest
-	20, // 20: headscale.v1.HeadscaleService.ExpireApiKey:input_type -> headscale.v1.ExpireApiKeyRequest
-	21, // 21: headscale.v1.HeadscaleService.ListApiKeys:input_type -> headscale.v1.ListApiKeysRequest
-	22, // 22: headscale.v1.HeadscaleService.GetNamespace:output_type -> headscale.v1.GetNamespaceResponse
-	23, // 23: headscale.v1.HeadscaleService.CreateNamespace:output_type -> headscale.v1.CreateNamespaceResponse
-	24, // 24: headscale.v1.HeadscaleService.RenameNamespace:output_type -> headscale.v1.RenameNamespaceResponse
-	25, // 25: headscale.v1.HeadscaleService.DeleteNamespace:output_type -> headscale.v1.DeleteNamespaceResponse
-	26, // 26: headscale.v1.HeadscaleService.ListNamespaces:output_type -> headscale.v1.ListNamespacesResponse
-	27, // 27: headscale.v1.HeadscaleService.CreatePreAuthKey:output_type -> headscale.v1.CreatePreAuthKeyResponse
-	28, // 28: headscale.v1.HeadscaleService.ExpirePreAuthKey:output_type -> headscale.v1.ExpirePreAuthKeyResponse
-	29, // 29: headscale.v1.HeadscaleService.ListPreAuthKeys:output_type -> headscale.v1.ListPreAuthKeysResponse
-	30, // 30: headscale.v1.HeadscaleService.DebugCreateMachine:output_type -> headscale.v1.DebugCreateMachineResponse
-	31, // 31: headscale.v1.HeadscaleService.GetMachine:output_type -> headscale.v1.GetMachineResponse
-	32, // 32: headscale.v1.HeadscaleService.SetTags:output_type -> headscale.v1.SetTagsResponse
-	33, // 33: headscale.v1.HeadscaleService.RegisterMachine:output_type -> headscale.v1.RegisterMachineResponse
-	34, // 34: headscale.v1.HeadscaleService.DeleteMachine:output_type -> headscale.v1.DeleteMachineResponse
-	35, // 35: headscale.v1.HeadscaleService.ExpireMachine:output_type -> headscale.v1.ExpireMachineResponse
-	36, // 36: headscale.v1.HeadscaleService.RenameMachine:output_type -> headscale.v1.RenameMachineResponse
-	37, // 37: headscale.v1.HeadscaleService.ListMachines:output_type -> headscale.v1.ListMachinesResponse
-	38, // 38: headscale.v1.HeadscaleService.MoveMachine:output_type -> headscale.v1.MoveMachineResponse
-	39, // 39: headscale.v1.HeadscaleService.GetMachineRoute:output_type -> headscale.v1.GetMachineRouteResponse
-	40, // 40: headscale.v1.HeadscaleService.EnableMachineRoutes:output_type -> headscale.v1.EnableMachineRoutesResponse
-	41, // 41: headscale.v1.HeadscaleService.CreateApiKey:output_type -> headscale.v1.CreateApiKeyResponse
-	42, // 42: headscale.v1.HeadscaleService.ExpireApiKey:output_type -> headscale.v1.ExpireApiKeyResponse
-	43, // 43: headscale.v1.HeadscaleService.ListApiKeys:output_type -> headscale.v1.ListApiKeysResponse
-	22, // [22:44] is the sub-list for method output_type
-	0,  // [0:22] is the sub-list for method input_type
+	17, // 17: headscale.v1.HeadscaleService.GetRoutes:input_type -> headscale.v1.GetRoutesRequest
+	18, // 18: headscale.v1.HeadscaleService.EnableRoute:input_type -> headscale.v1.EnableRouteRequest
+	19, // 19: headscale.v1.HeadscaleService.DisableRoute:input_type -> headscale.v1.DisableRouteRequest
+	20, // 20: headscale.v1.HeadscaleService.GetMachineRoutes:input_type -> headscale.v1.GetMachineRoutesRequest
+	21, // 21: headscale.v1.HeadscaleService.CreateApiKey:input_type -> headscale.v1.CreateApiKeyRequest
+	22, // 22: headscale.v1.HeadscaleService.ExpireApiKey:input_type -> headscale.v1.ExpireApiKeyRequest
+	23, // 23: headscale.v1.HeadscaleService.ListApiKeys:input_type -> headscale.v1.ListApiKeysRequest
+	24, // 24: headscale.v1.HeadscaleService.GetNamespace:output_type -> headscale.v1.GetNamespaceResponse
+	25, // 25: headscale.v1.HeadscaleService.CreateNamespace:output_type -> headscale.v1.CreateNamespaceResponse
+	26, // 26: headscale.v1.HeadscaleService.RenameNamespace:output_type -> headscale.v1.RenameNamespaceResponse
+	27, // 27: headscale.v1.HeadscaleService.DeleteNamespace:output_type -> headscale.v1.DeleteNamespaceResponse
+	28, // 28: headscale.v1.HeadscaleService.ListNamespaces:output_type -> headscale.v1.ListNamespacesResponse
+	29, // 29: headscale.v1.HeadscaleService.CreatePreAuthKey:output_type -> headscale.v1.CreatePreAuthKeyResponse
+	30, // 30: headscale.v1.HeadscaleService.ExpirePreAuthKey:output_type -> headscale.v1.ExpirePreAuthKeyResponse
+	31, // 31: headscale.v1.HeadscaleService.ListPreAuthKeys:output_type -> headscale.v1.ListPreAuthKeysResponse
+	32, // 32: headscale.v1.HeadscaleService.DebugCreateMachine:output_type -> headscale.v1.DebugCreateMachineResponse
+	33, // 33: headscale.v1.HeadscaleService.GetMachine:output_type -> headscale.v1.GetMachineResponse
+	34, // 34: headscale.v1.HeadscaleService.SetTags:output_type -> headscale.v1.SetTagsResponse
+	35, // 35: headscale.v1.HeadscaleService.RegisterMachine:output_type -> headscale.v1.RegisterMachineResponse
+	36, // 36: headscale.v1.HeadscaleService.DeleteMachine:output_type -> headscale.v1.DeleteMachineResponse
+	37, // 37: headscale.v1.HeadscaleService.ExpireMachine:output_type -> headscale.v1.ExpireMachineResponse
+	38, // 38: headscale.v1.HeadscaleService.RenameMachine:output_type -> headscale.v1.RenameMachineResponse
+	39, // 39: headscale.v1.HeadscaleService.ListMachines:output_type -> headscale.v1.ListMachinesResponse
+	40, // 40: headscale.v1.HeadscaleService.MoveMachine:output_type -> headscale.v1.MoveMachineResponse
+	41, // 41: headscale.v1.HeadscaleService.GetRoutes:output_type -> headscale.v1.GetRoutesResponse
+	42, // 42: headscale.v1.HeadscaleService.EnableRoute:output_type -> headscale.v1.EnableRouteResponse
+	43, // 43: headscale.v1.HeadscaleService.DisableRoute:output_type -> headscale.v1.DisableRouteResponse
+	44, // 44: headscale.v1.HeadscaleService.GetMachineRoutes:output_type -> headscale.v1.GetMachineRoutesResponse
+	45, // 45: headscale.v1.HeadscaleService.CreateApiKey:output_type -> headscale.v1.CreateApiKeyResponse
+	46, // 46: headscale.v1.HeadscaleService.ExpireApiKey:output_type -> headscale.v1.ExpireApiKeyResponse
+	47, // 47: headscale.v1.HeadscaleService.ListApiKeys:output_type -> headscale.v1.ListApiKeysResponse
+	24, // [24:48] is the sub-list for method output_type
+	0,  // [0:24] is the sub-list for method input_type
 	0,  // [0:0] is the sub-list for extension type_name
 	0,  // [0:0] is the sub-list for extension extendee
 	0,  // [0:0] is the sub-list for field type_name
--- a/gen/go/headscale/v1/headscale.pb.gw.go
+++ b/gen/go/headscale/v1/headscale.pb.gw.go
--- a/gen/go/headscale/v1/headscale_grpc.pb.go
+++ b/gen/go/headscale/v1/headscale_grpc.pb.go
@@ -43,8 +43,10 @@ type HeadscaleServiceClient interface {
 	ListMachines(ctx context.Context, in *ListMachinesRequest, opts ...grpc.CallOption) (*ListMachinesResponse, error)
 	MoveMachine(ctx context.Context, in *MoveMachineRequest, opts ...grpc.CallOption) (*MoveMachineResponse, error)
 	// --- Route start ---
-	GetMachineRoute(ctx context.Context, in *GetMachineRouteRequest, opts ...grpc.CallOption) (*GetMachineRouteResponse, error)
-	EnableMachineRoutes(ctx context.Context, in *EnableMachineRoutesRequest, opts ...grpc.CallOption) (*EnableMachineRoutesResponse, error)
+	GetRoutes(ctx context.Context, in *GetRoutesRequest, opts ...grpc.CallOption) (*GetRoutesResponse, error)
+	EnableRoute(ctx context.Context, in *EnableRouteRequest, opts ...grpc.CallOption) (*EnableRouteResponse, error)
+	DisableRoute(ctx context.Context, in *DisableRouteRequest, opts ...grpc.CallOption) (*DisableRouteResponse, error)
+	GetMachineRoutes(ctx context.Context, in *GetMachineRoutesRequest, opts ...grpc.CallOption) (*GetMachineRoutesResponse, error)
 	// --- ApiKeys start ---
 	CreateApiKey(ctx context.Context, in *CreateApiKeyRequest, opts ...grpc.CallOption) (*CreateApiKeyResponse, error)
 	ExpireApiKey(ctx context.Context, in *ExpireApiKeyRequest, opts ...grpc.CallOption) (*ExpireApiKeyResponse, error)
@@ -212,18 +214,36 @@ func (c *headscaleServiceClient) MoveMachine(ctx context.Context, in *MoveMachin
 	return out, nil
 }

-func (c *headscaleServiceClient) GetMachineRoute(ctx context.Context, in *GetMachineRouteRequest, opts ...grpc.CallOption) (*GetMachineRouteResponse, error) {
-	out := new(GetMachineRouteResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/GetMachineRoute", in, out, opts...)
+func (c *headscaleServiceClient) GetRoutes(ctx context.Context, in *GetRoutesRequest, opts ...grpc.CallOption) (*GetRoutesResponse, error) {
+	out := new(GetRoutesResponse)
+	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/GetRoutes", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
 	return out, nil
 }

-func (c *headscaleServiceClient) EnableMachineRoutes(ctx context.Context, in *EnableMachineRoutesRequest, opts ...grpc.CallOption) (*EnableMachineRoutesResponse, error) {
-	out := new(EnableMachineRoutesResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/EnableMachineRoutes", in, out, opts...)
+func (c *headscaleServiceClient) EnableRoute(ctx context.Context, in *EnableRouteRequest, opts ...grpc.CallOption) (*EnableRouteResponse, error) {
+	out := new(EnableRouteResponse)
+	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/EnableRoute", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *headscaleServiceClient) DisableRoute(ctx context.Context, in *DisableRouteRequest, opts ...grpc.CallOption) (*DisableRouteResponse, error) {
+	out := new(DisableRouteResponse)
+	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/DisableRoute", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
+func (c *headscaleServiceClient) GetMachineRoutes(ctx context.Context, in *GetMachineRoutesRequest, opts ...grpc.CallOption) (*GetMachineRoutesResponse, error) {
+	out := new(GetMachineRoutesResponse)
+	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/GetMachineRoutes", in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -282,8 +302,10 @@ type HeadscaleServiceServer interface {
 	ListMachines(context.Context, *ListMachinesRequest) (*ListMachinesResponse, error)
 	MoveMachine(context.Context, *MoveMachineRequest) (*MoveMachineResponse, error)
 	// --- Route start ---
-	GetMachineRoute(context.Context, *GetMachineRouteRequest) (*GetMachineRouteResponse, error)
-	EnableMachineRoutes(context.Context, *EnableMachineRoutesRequest) (*EnableMachineRoutesResponse, error)
+	GetRoutes(context.Context, *GetRoutesRequest) (*GetRoutesResponse, error)
+	EnableRoute(context.Context, *EnableRouteRequest) (*EnableRouteResponse, error)
+	DisableRoute(context.Context, *DisableRouteRequest) (*DisableRouteResponse, error)
+	GetMachineRoutes(context.Context, *GetMachineRoutesRequest) (*GetMachineRoutesResponse, error)
 	// --- ApiKeys start ---
 	CreateApiKey(context.Context, *CreateApiKeyRequest) (*CreateApiKeyResponse, error)
 	ExpireApiKey(context.Context, *ExpireApiKeyRequest) (*ExpireApiKeyResponse, error)
@@ -346,11 +368,17 @@ func (UnimplementedHeadscaleServiceServer) ListMachines(context.Context, *ListMa
 func (UnimplementedHeadscaleServiceServer) MoveMachine(context.Context, *MoveMachineRequest) (*MoveMachineResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method MoveMachine not implemented")
 }
-func (UnimplementedHeadscaleServiceServer) GetMachineRoute(context.Context, *GetMachineRouteRequest) (*GetMachineRouteResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method GetMachineRoute not implemented")
+func (UnimplementedHeadscaleServiceServer) GetRoutes(context.Context, *GetRoutesRequest) (*GetRoutesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetRoutes not implemented")
 }
-func (UnimplementedHeadscaleServiceServer) EnableMachineRoutes(context.Context, *EnableMachineRoutesRequest) (*EnableMachineRoutesResponse, error) {
-	return nil, status.Errorf(codes.Unimplemented, "method EnableMachineRoutes not implemented")
+func (UnimplementedHeadscaleServiceServer) EnableRoute(context.Context, *EnableRouteRequest) (*EnableRouteResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method EnableRoute not implemented")
+}
+func (UnimplementedHeadscaleServiceServer) DisableRoute(context.Context, *DisableRouteRequest) (*DisableRouteResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method DisableRoute not implemented")
+}
+func (UnimplementedHeadscaleServiceServer) GetMachineRoutes(context.Context, *GetMachineRoutesRequest) (*GetMachineRoutesResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method GetMachineRoutes not implemented")
 }
 func (UnimplementedHeadscaleServiceServer) CreateApiKey(context.Context, *CreateApiKeyRequest) (*CreateApiKeyResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method CreateApiKey not implemented")
@@ -680,38 +708,74 @@ func _HeadscaleService_MoveMachine_Handler(srv interface{}, ctx context.Context,
 	return interceptor(ctx, in, info, handler)
 }

-func _HeadscaleService_GetMachineRoute_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(GetMachineRouteRequest)
+func _HeadscaleService_GetRoutes_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetRoutesRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(HeadscaleServiceServer).GetMachineRoute(ctx, in)
+		return srv.(HeadscaleServiceServer).GetRoutes(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/GetMachineRoute",
+		FullMethod: "/headscale.v1.HeadscaleService/GetRoutes",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HeadscaleServiceServer).GetMachineRoute(ctx, req.(*GetMachineRouteRequest))
+		return srv.(HeadscaleServiceServer).GetRoutes(ctx, req.(*GetRoutesRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }

-func _HeadscaleService_EnableMachineRoutes_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
-	in := new(EnableMachineRoutesRequest)
+func _HeadscaleService_EnableRoute_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(EnableRouteRequest)
 	if err := dec(in); err != nil {
 		return nil, err
 	}
 	if interceptor == nil {
-		return srv.(HeadscaleServiceServer).EnableMachineRoutes(ctx, in)
+		return srv.(HeadscaleServiceServer).EnableRoute(ctx, in)
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/EnableMachineRoutes",
+		FullMethod: "/headscale.v1.HeadscaleService/EnableRoute",
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
-		return srv.(HeadscaleServiceServer).EnableMachineRoutes(ctx, req.(*EnableMachineRoutesRequest))
+		return srv.(HeadscaleServiceServer).EnableRoute(ctx, req.(*EnableRouteRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _HeadscaleService_DisableRoute_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(DisableRouteRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(HeadscaleServiceServer).DisableRoute(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/headscale.v1.HeadscaleService/DisableRoute",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(HeadscaleServiceServer).DisableRoute(ctx, req.(*DisableRouteRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
+func _HeadscaleService_GetMachineRoutes_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(GetMachineRoutesRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(HeadscaleServiceServer).GetMachineRoutes(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/headscale.v1.HeadscaleService/GetMachineRoutes",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(HeadscaleServiceServer).GetMachineRoutes(ctx, req.(*GetMachineRoutesRequest))
 	}
 	return interceptor(ctx, in, info, handler)
 }
@@ -846,12 +910,20 @@ var HeadscaleService_ServiceDesc = grpc.ServiceDesc{
 			Handler:    _HeadscaleService_MoveMachine_Handler,
 		},
 		{
-			MethodName: "GetMachineRoute",
-			Handler:    _HeadscaleService_GetMachineRoute_Handler,
+			MethodName: "GetRoutes",
+			Handler:    _HeadscaleService_GetRoutes_Handler,
 		},
 		{
-			MethodName: "EnableMachineRoutes",
-			Handler:    _HeadscaleService_EnableMachineRoutes_Handler,
+			MethodName: "EnableRoute",
+			Handler:    _HeadscaleService_EnableRoute_Handler,
+		},
+		{
+			MethodName: "DisableRoute",
+			Handler:    _HeadscaleService_DisableRoute_Handler,
+		},
+		{
+			MethodName: "GetMachineRoutes",
+			Handler:    _HeadscaleService_GetMachineRoutes_Handler,
 		},
 		{
 			MethodName: "CreateApiKey",
--- a/gen/go/headscale/v1/routes.pb.go
+++ b/gen/go/headscale/v1/routes.pb.go
@@ -9,6 +9,7 @@ package v1
 import (
 	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
 	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	timestamppb "google.golang.org/protobuf/types/known/timestamppb"
 	reflect "reflect"
 	sync "sync"
 )
@@ -20,17 +21,24 @@ const (
 	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
 )

-type Routes struct {
+type Route struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	AdvertisedRoutes []string `protobuf:"bytes,1,rep,name=advertised_routes,json=advertisedRoutes,proto3" json:"advertised_routes,omitempty"`
-	EnabledRoutes    []string `protobuf:"bytes,2,rep,name=enabled_routes,json=enabledRoutes,proto3" json:"enabled_routes,omitempty"`
+	Id         uint64                 `protobuf:"varint,1,opt,name=id,proto3" json:"id,omitempty"`
+	Machine    *Machine               `protobuf:"bytes,2,opt,name=machine,proto3" json:"machine,omitempty"`
+	Prefix     string                 `protobuf:"bytes,3,opt,name=prefix,proto3" json:"prefix,omitempty"`
+	Advertised bool                   `protobuf:"varint,4,opt,name=advertised,proto3" json:"advertised,omitempty"`
+	Enabled    bool                   `protobuf:"varint,5,opt,name=enabled,proto3" json:"enabled,omitempty"`
+	IsPrimary  bool                   `protobuf:"varint,6,opt,name=is_primary,json=isPrimary,proto3" json:"is_primary,omitempty"`
+	CreatedAt  *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=created_at,json=createdAt,proto3" json:"created_at,omitempty"`
+	UpdatedAt  *timestamppb.Timestamp `protobuf:"bytes,8,opt,name=updated_at,json=updatedAt,proto3" json:"updated_at,omitempty"`
+	DeletedAt  *timestamppb.Timestamp `protobuf:"bytes,9,opt,name=deleted_at,json=deletedAt,proto3" json:"deleted_at,omitempty"`
 }

-func (x *Routes) Reset() {
-	*x = Routes{}
+func (x *Route) Reset() {
+	*x = Route{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_headscale_v1_routes_proto_msgTypes[0]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -38,13 +46,13 @@ func (x *Routes) Reset() {
 	}
 }

-func (x *Routes) String() string {
+func (x *Route) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }

-func (*Routes) ProtoMessage() {}
+func (*Route) ProtoMessage() {}

-func (x *Routes) ProtoReflect() protoreflect.Message {
+func (x *Route) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[0]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -56,35 +64,82 @@ func (x *Routes) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }

-// Deprecated: Use Routes.ProtoReflect.Descriptor instead.
-func (*Routes) Descriptor() ([]byte, []int) {
+// Deprecated: Use Route.ProtoReflect.Descriptor instead.
+func (*Route) Descriptor() ([]byte, []int) {
 	return file_headscale_v1_routes_proto_rawDescGZIP(), []int{0}
 }

-func (x *Routes) GetAdvertisedRoutes() []string {
+func (x *Route) GetId() uint64 {
 	if x != nil {
-		return x.AdvertisedRoutes
+		return x.Id
+	}
+	return 0
+}
+
+func (x *Route) GetMachine() *Machine {
+	if x != nil {
+		return x.Machine
 	}
 	return nil
 }

-func (x *Routes) GetEnabledRoutes() []string {
+func (x *Route) GetPrefix() string {
 	if x != nil {
-		return x.EnabledRoutes
+		return x.Prefix
+	}
+	return ""
+}
+
+func (x *Route) GetAdvertised() bool {
+	if x != nil {
+		return x.Advertised
+	}
+	return false
+}
+
+func (x *Route) GetEnabled() bool {
+	if x != nil {
+		return x.Enabled
+	}
+	return false
+}
+
+func (x *Route) GetIsPrimary() bool {
+	if x != nil {
+		return x.IsPrimary
+	}
+	return false
+}
+
+func (x *Route) GetCreatedAt() *timestamppb.Timestamp {
+	if x != nil {
+		return x.CreatedAt
 	}
 	return nil
 }

-type GetMachineRouteRequest struct {
+func (x *Route) GetUpdatedAt() *timestamppb.Timestamp {
+	if x != nil {
+		return x.UpdatedAt
+	}
+	return nil
+}
+
+func (x *Route) GetDeletedAt() *timestamppb.Timestamp {
+	if x != nil {
+		return x.DeletedAt
+	}
+	return nil
+}
+
+type GetRoutesRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-
-	MachineId uint64 `protobuf:"varint,1,opt,name=machine_id,json=machineId,proto3" json:"machine_id,omitempty"`
 }

-func (x *GetMachineRouteRequest) Reset() {
-	*x = GetMachineRouteRequest{}
+func (x *GetRoutesRequest) Reset() {
+	*x = GetRoutesRequest{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_headscale_v1_routes_proto_msgTypes[1]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -92,13 +147,13 @@ func (x *GetMachineRouteRequest) Reset() {
 	}
 }

-func (x *GetMachineRouteRequest) String() string {
+func (x *GetRoutesRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }

-func (*GetMachineRouteRequest) ProtoMessage() {}
+func (*GetRoutesRequest) ProtoMessage() {}

-func (x *GetMachineRouteRequest) ProtoReflect() protoreflect.Message {
+func (x *GetRoutesRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[1]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -110,28 +165,21 @@ func (x *GetMachineRouteRequest) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }

-// Deprecated: Use GetMachineRouteRequest.ProtoReflect.Descriptor instead.
-func (*GetMachineRouteRequest) Descriptor() ([]byte, []int) {
+// Deprecated: Use GetRoutesRequest.ProtoReflect.Descriptor instead.
+func (*GetRoutesRequest) Descriptor() ([]byte, []int) {
 	return file_headscale_v1_routes_proto_rawDescGZIP(), []int{1}
 }

-func (x *GetMachineRouteRequest) GetMachineId() uint64 {
-	if x != nil {
-		return x.MachineId
-	}
-	return 0
-}
-
-type GetMachineRouteResponse struct {
+type GetRoutesResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	Routes *Routes `protobuf:"bytes,1,opt,name=routes,proto3" json:"routes,omitempty"`
+	Routes []*Route `protobuf:"bytes,1,rep,name=routes,proto3" json:"routes,omitempty"`
 }

-func (x *GetMachineRouteResponse) Reset() {
-	*x = GetMachineRouteResponse{}
+func (x *GetRoutesResponse) Reset() {
+	*x = GetRoutesResponse{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_headscale_v1_routes_proto_msgTypes[2]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -139,13 +187,13 @@ func (x *GetMachineRouteResponse) Reset() {
 	}
 }

-func (x *GetMachineRouteResponse) String() string {
+func (x *GetRoutesResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }

-func (*GetMachineRouteResponse) ProtoMessage() {}
+func (*GetRoutesResponse) ProtoMessage() {}

-func (x *GetMachineRouteResponse) ProtoReflect() protoreflect.Message {
+func (x *GetRoutesResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[2]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -157,29 +205,28 @@ func (x *GetMachineRouteResponse) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }

-// Deprecated: Use GetMachineRouteResponse.ProtoReflect.Descriptor instead.
-func (*GetMachineRouteResponse) Descriptor() ([]byte, []int) {
+// Deprecated: Use GetRoutesResponse.ProtoReflect.Descriptor instead.
+func (*GetRoutesResponse) Descriptor() ([]byte, []int) {
 	return file_headscale_v1_routes_proto_rawDescGZIP(), []int{2}
 }

-func (x *GetMachineRouteResponse) GetRoutes() *Routes {
+func (x *GetRoutesResponse) GetRoutes() []*Route {
 	if x != nil {
 		return x.Routes
 	}
 	return nil
 }

-type EnableMachineRoutesRequest struct {
+type EnableRouteRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields

-	MachineId uint64   `protobuf:"varint,1,opt,name=machine_id,json=machineId,proto3" json:"machine_id,omitempty"`
-	Routes    []string `protobuf:"bytes,2,rep,name=routes,proto3" json:"routes,omitempty"`
+	RouteId uint64 `protobuf:"varint,1,opt,name=route_id,json=routeId,proto3" json:"route_id,omitempty"`
 }

-func (x *EnableMachineRoutesRequest) Reset() {
-	*x = EnableMachineRoutesRequest{}
+func (x *EnableRouteRequest) Reset() {
+	*x = EnableRouteRequest{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_headscale_v1_routes_proto_msgTypes[3]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -187,13 +234,13 @@ func (x *EnableMachineRoutesRequest) Reset() {
 	}
 }

-func (x *EnableMachineRoutesRequest) String() string {
+func (x *EnableRouteRequest) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }

-func (*EnableMachineRoutesRequest) ProtoMessage() {}
+func (*EnableRouteRequest) ProtoMessage() {}

-func (x *EnableMachineRoutesRequest) ProtoReflect() protoreflect.Message {
+func (x *EnableRouteRequest) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[3]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -205,35 +252,26 @@ func (x *EnableMachineRoutesRequest) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }

-// Deprecated: Use EnableMachineRoutesRequest.ProtoReflect.Descriptor instead.
-func (*EnableMachineRoutesRequest) Descriptor() ([]byte, []int) {
+// Deprecated: Use EnableRouteRequest.ProtoReflect.Descriptor instead.
+func (*EnableRouteRequest) Descriptor() ([]byte, []int) {
 	return file_headscale_v1_routes_proto_rawDescGZIP(), []int{3}
 }

-func (x *EnableMachineRoutesRequest) GetMachineId() uint64 {
+func (x *EnableRouteRequest) GetRouteId() uint64 {
 	if x != nil {
-		return x.MachineId
+		return x.RouteId
 	}
 	return 0
 }

-func (x *EnableMachineRoutesRequest) GetRoutes() []string {
-	if x != nil {
-		return x.Routes
-	}
-	return nil
-}
-
-type EnableMachineRoutesResponse struct {
+type EnableRouteResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
 	unknownFields protoimpl.UnknownFields
-
-	Routes *Routes `protobuf:"bytes,1,opt,name=routes,proto3" json:"routes,omitempty"`
 }

-func (x *EnableMachineRoutesResponse) Reset() {
-	*x = EnableMachineRoutesResponse{}
+func (x *EnableRouteResponse) Reset() {
+	*x = EnableRouteResponse{}
 	if protoimpl.UnsafeEnabled {
 		mi := &file_headscale_v1_routes_proto_msgTypes[4]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -241,13 +279,13 @@ func (x *EnableMachineRoutesResponse) Reset() {
 	}
 }

-func (x *EnableMachineRoutesResponse) String() string {
+func (x *EnableRouteResponse) String() string {
 	return protoimpl.X.MessageStringOf(x)
 }

-func (*EnableMachineRoutesResponse) ProtoMessage() {}
+func (*EnableRouteResponse) ProtoMessage() {}

-func (x *EnableMachineRoutesResponse) ProtoReflect() protoreflect.Message {
+func (x *EnableRouteResponse) ProtoReflect() protoreflect.Message {
 	mi := &file_headscale_v1_routes_proto_msgTypes[4]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
@@ -259,12 +297,184 @@ func (x *EnableMachineRoutesResponse) ProtoReflect() protoreflect.Message {
 	return mi.MessageOf(x)
 }

-// Deprecated: Use EnableMachineRoutesResponse.ProtoReflect.Descriptor instead.
-func (*EnableMachineRoutesResponse) Descriptor() ([]byte, []int) {
+// Deprecated: Use EnableRouteResponse.ProtoReflect.Descriptor instead.
+func (*EnableRouteResponse) Descriptor() ([]byte, []int) {
 	return file_headscale_v1_routes_proto_rawDescGZIP(), []int{4}
 }

-func (x *EnableMachineRoutesResponse) GetRoutes() *Routes {
+type DisableRouteRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	RouteId uint64 `protobuf:"varint,1,opt,name=route_id,json=routeId,proto3" json:"route_id,omitempty"`
+}
+
+func (x *DisableRouteRequest) Reset() {
+	*x = DisableRouteRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_headscale_v1_routes_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DisableRouteRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DisableRouteRequest) ProtoMessage() {}
+
+func (x *DisableRouteRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_routes_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DisableRouteRequest.ProtoReflect.Descriptor instead.
+func (*DisableRouteRequest) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_routes_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *DisableRouteRequest) GetRouteId() uint64 {
+	if x != nil {
+		return x.RouteId
+	}
+	return 0
+}
+
+type DisableRouteResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *DisableRouteResponse) Reset() {
+	*x = DisableRouteResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_headscale_v1_routes_proto_msgTypes[6]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DisableRouteResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DisableRouteResponse) ProtoMessage() {}
+
+func (x *DisableRouteResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_routes_proto_msgTypes[6]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DisableRouteResponse.ProtoReflect.Descriptor instead.
+func (*DisableRouteResponse) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_routes_proto_rawDescGZIP(), []int{6}
+}
+
+type GetMachineRoutesRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	MachineId uint64 `protobuf:"varint,1,opt,name=machine_id,json=machineId,proto3" json:"machine_id,omitempty"`
+}
+
+func (x *GetMachineRoutesRequest) Reset() {
+	*x = GetMachineRoutesRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_headscale_v1_routes_proto_msgTypes[7]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetMachineRoutesRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetMachineRoutesRequest) ProtoMessage() {}
+
+func (x *GetMachineRoutesRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_routes_proto_msgTypes[7]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetMachineRoutesRequest.ProtoReflect.Descriptor instead.
+func (*GetMachineRoutesRequest) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_routes_proto_rawDescGZIP(), []int{7}
+}
+
+func (x *GetMachineRoutesRequest) GetMachineId() uint64 {
+	if x != nil {
+		return x.MachineId
+	}
+	return 0
+}
+
+type GetMachineRoutesResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Routes []*Route `protobuf:"bytes,1,rep,name=routes,proto3" json:"routes,omitempty"`
+}
+
+func (x *GetMachineRoutesResponse) Reset() {
+	*x = GetMachineRoutesResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_headscale_v1_routes_proto_msgTypes[8]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *GetMachineRoutesResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*GetMachineRoutesResponse) ProtoMessage() {}
+
+func (x *GetMachineRoutesResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_routes_proto_msgTypes[8]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use GetMachineRoutesResponse.ProtoReflect.Descriptor instead.
+func (*GetMachineRoutesResponse) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_routes_proto_rawDescGZIP(), []int{8}
+}
+
+func (x *GetMachineRoutesResponse) GetRoutes() []*Route {
 	if x != nil {
 		return x.Routes
 	}
@@ -276,34 +486,60 @@ var File_headscale_v1_routes_proto protoreflect.FileDescriptor
 var file_headscale_v1_routes_proto_rawDesc = []byte{
 	0x0a, 0x19, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x72,
 	0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x0c, 0x68, 0x65, 0x61,
-	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x22, 0x5c, 0x0a, 0x06, 0x52, 0x6f, 0x75,
-	0x74, 0x65, 0x73, 0x12, 0x2b, 0x0a, 0x11, 0x61, 0x64, 0x76, 0x65, 0x72, 0x74, 0x69, 0x73, 0x65,
-	0x64, 0x5f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x10,
-	0x61, 0x64, 0x76, 0x65, 0x72, 0x74, 0x69, 0x73, 0x65, 0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73,
-	0x12, 0x25, 0x0a, 0x0e, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x5f, 0x72, 0x6f, 0x75, 0x74,
-	0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65,
-	0x64, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x22, 0x37, 0x0a, 0x16, 0x47, 0x65, 0x74, 0x4d, 0x61,
-	0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x49, 0x64,
-	0x22, 0x47, 0x0a, 0x17, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f,
-	0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2c, 0x0a, 0x06, 0x72,
-	0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x68, 0x65,
-	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65,
-	0x73, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x22, 0x53, 0x0a, 0x1a, 0x45, 0x6e, 0x61,
-	0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69,
-	0x6e, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x6d, 0x61, 0x63,
-	0x68, 0x69, 0x6e, 0x65, 0x49, 0x64, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73,
-	0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x22, 0x4b,
-	0x0a, 0x1b, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52,
-	0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2c, 0x0a,
-	0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x14, 0x2e,
-	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x6f, 0x75,
-	0x74, 0x65, 0x73, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x42, 0x29, 0x5a, 0x27, 0x67,
-	0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61, 0x6e, 0x66, 0x6f,
-	0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x67, 0x65, 0x6e,
-	0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c,
+	0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74, 0x69, 0x6d, 0x65, 0x73,
+	0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1a, 0x68, 0x65, 0x61, 0x64,
+	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
+	0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xea, 0x02, 0x0a, 0x05, 0x52, 0x6f, 0x75, 0x74, 0x65,
+	0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x02, 0x69, 0x64,
+	0x12, 0x2f, 0x0a, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
+	0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e,
+	0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x03, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x12, 0x1e, 0x0a, 0x0a, 0x61, 0x64, 0x76,
+	0x65, 0x72, 0x74, 0x69, 0x73, 0x65, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0a, 0x61,
+	0x64, 0x76, 0x65, 0x72, 0x74, 0x69, 0x73, 0x65, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x65, 0x6e, 0x61,
+	0x62, 0x6c, 0x65, 0x64, 0x18, 0x05, 0x20, 0x01, 0x28, 0x08, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62,
+	0x6c, 0x65, 0x64, 0x12, 0x1d, 0x0a, 0x0a, 0x69, 0x73, 0x5f, 0x70, 0x72, 0x69, 0x6d, 0x61, 0x72,
+	0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x69, 0x73, 0x50, 0x72, 0x69, 0x6d, 0x61,
+	0x72, 0x79, 0x12, 0x39, 0x0a, 0x0a, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74,
+	0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e,
+	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61,
+	0x6d, 0x70, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12, 0x39, 0x0a,
+	0x0a, 0x75, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x75,
+	0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x41, 0x74, 0x12, 0x39, 0x0a, 0x0a, 0x64, 0x65, 0x6c, 0x65,
+	0x74, 0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67,
+	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54,
+	0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x64, 0x65, 0x6c, 0x65, 0x74, 0x65,
+	0x64, 0x41, 0x74, 0x22, 0x12, 0x0a, 0x10, 0x47, 0x65, 0x74, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x40, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x52, 0x6f,
+	0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2b, 0x0a, 0x06,
+	0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x13, 0x2e, 0x68,
+	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x6f, 0x75, 0x74,
+	0x65, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x22, 0x2f, 0x0a, 0x12, 0x45, 0x6e, 0x61,
+	0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12,
+	0x19, 0x0a, 0x08, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x04, 0x52, 0x07, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x49, 0x64, 0x22, 0x15, 0x0a, 0x13, 0x45, 0x6e,
+	0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x30, 0x0a, 0x13, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f, 0x75, 0x74,
+	0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x72, 0x6f, 0x75, 0x74,
+	0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x07, 0x72, 0x6f, 0x75, 0x74,
+	0x65, 0x49, 0x64, 0x22, 0x16, 0x0a, 0x14, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x52, 0x6f,
+	0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x38, 0x0a, 0x17, 0x47,
+	0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e,
+	0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x6d, 0x61, 0x63, 0x68,
+	0x69, 0x6e, 0x65, 0x49, 0x64, 0x22, 0x47, 0x0a, 0x18, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68,
+	0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x12, 0x2b, 0x0a, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28,
+	0x0b, 0x32, 0x13, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
+	0x2e, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x42, 0x29,
+	0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61,
+	0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f,
+	0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f,
+	0x33,
 }

 var (
@@ -318,22 +554,32 @@ func file_headscale_v1_routes_proto_rawDescGZIP() []byte {
 	return file_headscale_v1_routes_proto_rawDescData
 }

-var file_headscale_v1_routes_proto_msgTypes = make([]protoimpl.MessageInfo, 5)
+var file_headscale_v1_routes_proto_msgTypes = make([]protoimpl.MessageInfo, 9)
 var file_headscale_v1_routes_proto_goTypes = []interface{}{
-	(*Routes)(nil),                      // 0: headscale.v1.Routes
-	(*GetMachineRouteRequest)(nil),      // 1: headscale.v1.GetMachineRouteRequest
-	(*GetMachineRouteResponse)(nil),     // 2: headscale.v1.GetMachineRouteResponse
-	(*EnableMachineRoutesRequest)(nil),  // 3: headscale.v1.EnableMachineRoutesRequest
-	(*EnableMachineRoutesResponse)(nil), // 4: headscale.v1.EnableMachineRoutesResponse
+	(*Route)(nil),                    // 0: headscale.v1.Route
+	(*GetRoutesRequest)(nil),         // 1: headscale.v1.GetRoutesRequest
+	(*GetRoutesResponse)(nil),        // 2: headscale.v1.GetRoutesResponse
+	(*EnableRouteRequest)(nil),       // 3: headscale.v1.EnableRouteRequest
+	(*EnableRouteResponse)(nil),      // 4: headscale.v1.EnableRouteResponse
+	(*DisableRouteRequest)(nil),      // 5: headscale.v1.DisableRouteRequest
+	(*DisableRouteResponse)(nil),     // 6: headscale.v1.DisableRouteResponse
+	(*GetMachineRoutesRequest)(nil),  // 7: headscale.v1.GetMachineRoutesRequest
+	(*GetMachineRoutesResponse)(nil), // 8: headscale.v1.GetMachineRoutesResponse
+	(*Machine)(nil),                  // 9: headscale.v1.Machine
+	(*timestamppb.Timestamp)(nil),    // 10: google.protobuf.Timestamp
 }
 var file_headscale_v1_routes_proto_depIdxs = []int32{
-	0, // 0: headscale.v1.GetMachineRouteResponse.routes:type_name -> headscale.v1.Routes
-	0, // 1: headscale.v1.EnableMachineRoutesResponse.routes:type_name -> headscale.v1.Routes
-	2, // [2:2] is the sub-list for method output_type
-	2, // [2:2] is the sub-list for method input_type
-	2, // [2:2] is the sub-list for extension type_name
-	2, // [2:2] is the sub-list for extension extendee
-	0, // [0:2] is the sub-list for field type_name
+	9,  // 0: headscale.v1.Route.machine:type_name -> headscale.v1.Machine
+	10, // 1: headscale.v1.Route.created_at:type_name -> google.protobuf.Timestamp
+	10, // 2: headscale.v1.Route.updated_at:type_name -> google.protobuf.Timestamp
+	10, // 3: headscale.v1.Route.deleted_at:type_name -> google.protobuf.Timestamp
+	0,  // 4: headscale.v1.GetRoutesResponse.routes:type_name -> headscale.v1.Route
+	0,  // 5: headscale.v1.GetMachineRoutesResponse.routes:type_name -> headscale.v1.Route
+	6,  // [6:6] is the sub-list for method output_type
+	6,  // [6:6] is the sub-list for method input_type
+	6,  // [6:6] is the sub-list for extension type_name
+	6,  // [6:6] is the sub-list for extension extendee
+	0,  // [0:6] is the sub-list for field type_name
 }

 func init() { file_headscale_v1_routes_proto_init() }
@@ -341,9 +587,10 @@ func file_headscale_v1_routes_proto_init() {
 	if File_headscale_v1_routes_proto != nil {
 		return
 	}
+	file_headscale_v1_machine_proto_init()
 	if !protoimpl.UnsafeEnabled {
 		file_headscale_v1_routes_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*Routes); i {
+			switch v := v.(*Route); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -355,7 +602,7 @@ func file_headscale_v1_routes_proto_init() {
 			}
 		}
 		file_headscale_v1_routes_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*GetMachineRouteRequest); i {
+			switch v := v.(*GetRoutesRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -367,7 +614,7 @@ func file_headscale_v1_routes_proto_init() {
 			}
 		}
 		file_headscale_v1_routes_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*GetMachineRouteResponse); i {
+			switch v := v.(*GetRoutesResponse); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -379,7 +626,7 @@ func file_headscale_v1_routes_proto_init() {
 			}
 		}
 		file_headscale_v1_routes_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*EnableMachineRoutesRequest); i {
+			switch v := v.(*EnableRouteRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -391,7 +638,55 @@ func file_headscale_v1_routes_proto_init() {
 			}
 		}
 		file_headscale_v1_routes_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*EnableMachineRoutesResponse); i {
+			switch v := v.(*EnableRouteResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_headscale_v1_routes_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DisableRouteRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_headscale_v1_routes_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DisableRouteResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_headscale_v1_routes_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetMachineRoutesRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_headscale_v1_routes_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*GetMachineRoutesResponse); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -409,7 +704,7 @@ func file_headscale_v1_routes_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_headscale_v1_routes_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   5,
+			NumMessages:   9,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
--- a/gen/openapiv2/headscale/v1/headscale.swagger.json
+++ b/gen/openapiv2/headscale/v1/headscale.swagger.json
@@ -367,13 +367,12 @@
    },
    "/api/v1/machine/{machineId}/routes": {
      "get": {
-        "summary": "--- Route start ---",
-        "operationId": "HeadscaleService_GetMachineRoute",
+        "operationId": "HeadscaleService_GetMachineRoutes",
        "responses": {
          "200": {
            "description": "A successful response.",
            "schema": {
-              "$ref": "#/definitions/v1GetMachineRouteResponse"
+              "$ref": "#/definitions/v1GetMachineRoutesResponse"
            }
          },
          "default": {
@@ -395,45 +394,6 @@
        "tags": [
          "HeadscaleService"
        ]
-      },
-      "post": {
-        "operationId": "HeadscaleService_EnableMachineRoutes",
-        "responses": {
-          "200": {
-            "description": "A successful response.",
-            "schema": {
-              "$ref": "#/definitions/v1EnableMachineRoutesResponse"
-            }
-          },
-          "default": {
-            "description": "An unexpected error response.",
-            "schema": {
-              "$ref": "#/definitions/rpcStatus"
-            }
-          }
-        },
-        "parameters": [
-          {
-            "name": "machineId",
-            "in": "path",
-            "required": true,
-            "type": "string",
-            "format": "uint64"
-          },
-          {
-            "name": "routes",
-            "in": "query",
-            "required": false,
-            "type": "array",
-            "items": {
-              "type": "string"
-            },
-            "collectionFormat": "multi"
-          }
-        ],
-        "tags": [
-          "HeadscaleService"
-        ]
      }
    },
    "/api/v1/machine/{machineId}/tags": {
@@ -722,6 +682,91 @@
          "HeadscaleService"
        ]
      }
+    },
+    "/api/v1/routes": {
+      "get": {
+        "summary": "--- Route start ---",
+        "operationId": "HeadscaleService_GetRoutes",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1GetRoutesResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/rpcStatus"
+            }
+          }
+        },
+        "tags": [
+          "HeadscaleService"
+        ]
+      }
+    },
+    "/api/v1/routes/{routeId}/disable": {
+      "post": {
+        "operationId": "HeadscaleService_DisableRoute",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1DisableRouteResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/rpcStatus"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "routeId",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "format": "uint64"
+          }
+        ],
+        "tags": [
+          "HeadscaleService"
+        ]
+      }
+    },
+    "/api/v1/routes/{routeId}/enable": {
+      "post": {
+        "operationId": "HeadscaleService_EnableRoute",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1EnableRouteResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/rpcStatus"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "routeId",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "format": "uint64"
+          }
+        ],
+        "tags": [
+          "HeadscaleService"
+        ]
+      }
    }
  },
  "definitions": {
@@ -875,13 +920,11 @@
    "v1DeleteNamespaceResponse": {
      "type": "object"
    },
-    "v1EnableMachineRoutesResponse": {
-      "type": "object",
-      "properties": {
-        "routes": {
-          "$ref": "#/definitions/v1Routes"
-        }
-      }
+    "v1DisableRouteResponse": {
+      "type": "object"
+    },
+    "v1EnableRouteResponse": {
+      "type": "object"
    },
    "v1ExpireApiKeyRequest": {
      "type": "object",
@@ -924,11 +967,14 @@
        }
      }
    },
-    "v1GetMachineRouteResponse": {
+    "v1GetMachineRoutesResponse": {
      "type": "object",
      "properties": {
        "routes": {
-          "$ref": "#/definitions/v1Routes"
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1Route"
+          }
        }
      }
    },
@@ -940,6 +986,17 @@
        }
      }
    },
+    "v1GetRoutesResponse": {
+      "type": "object",
+      "properties": {
+        "routes": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/v1Route"
+          }
+        }
+      }
+    },
    "v1ListApiKeysResponse": {
      "type": "object",
      "properties": {
@@ -1151,20 +1208,39 @@
        }
      }
    },
-    "v1Routes": {
+    "v1Route": {
      "type": "object",
      "properties": {
-        "advertisedRoutes": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
+        "id": {
+          "type": "string",
+          "format": "uint64"
        },
-        "enabledRoutes": {
-          "type": "array",
-          "items": {
-            "type": "string"
-          }
+        "machine": {
+          "$ref": "#/definitions/v1Machine"
+        },
+        "prefix": {
+          "type": "string"
+        },
+        "advertised": {
+          "type": "boolean"
+        },
+        "enabled": {
+          "type": "boolean"
+        },
+        "isPrimary": {
+          "type": "boolean"
+        },
+        "createdAt": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "updatedAt": {
+          "type": "string",
+          "format": "date-time"
+        },
+        "deletedAt": {
+          "type": "string",
+          "format": "date-time"
        }
      }
    },
--- a/go.mod
+++ b/go.mod
@@ -5,44 +5,44 @@ go 1.19
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.6
 	github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029
-	github.com/cenkalti/backoff/v4 v4.1.3
+	github.com/cenkalti/backoff/v4 v4.2.0
 	github.com/coreos/go-oidc/v3 v3.4.0
 	github.com/deckarep/golang-set/v2 v2.1.0
 	github.com/efekarakus/termcolor v1.0.1
 	github.com/glebarez/sqlite v1.5.0
-	github.com/gofrs/uuid v4.3.0+incompatible
+	github.com/gofrs/uuid v4.3.1+incompatible
 	github.com/gorilla/mux v1.8.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.12.0
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.14.0
 	github.com/klauspost/compress v1.15.12
 	github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282
 	github.com/ory/dockertest/v3 v3.9.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philip-bui/grpc-zerolog v1.0.1
-	github.com/prometheus/client_golang v1.13.0
+	github.com/prometheus/client_golang v1.14.0
 	github.com/prometheus/common v0.37.0
-	github.com/pterm/pterm v0.12.49
-	github.com/puzpuzpuz/xsync/v2 v2.0.2
+	github.com/pterm/pterm v0.12.50
+	github.com/puzpuzpuz/xsync/v2 v2.4.0
 	github.com/rs/zerolog v1.28.0
 	github.com/spf13/cobra v1.6.1
-	github.com/spf13/viper v1.13.0
-	github.com/stretchr/testify v1.8.0
+	github.com/spf13/viper v1.14.0
+	github.com/stretchr/testify v1.8.1
 	github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f
 	github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e
 	go4.org/netipx v0.0.0-20220925034521-797b0c90d8ab
-	golang.org/x/crypto v0.1.0
-	golang.org/x/net v0.1.0
-	golang.org/x/oauth2 v0.1.0
+	golang.org/x/crypto v0.3.0
+	golang.org/x/net v0.2.0
+	golang.org/x/oauth2 v0.2.0
 	golang.org/x/sync v0.1.0
-	google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c
-	google.golang.org/grpc v1.50.1
+	google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd
+	google.golang.org/grpc v1.51.0
 	google.golang.org/protobuf v1.28.1
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/postgres v1.4.5
-	gorm.io/gorm v1.24.1-0.20221019064659-5dd2bb482755
-	tailscale.com v1.32.2
+	gorm.io/gorm v1.24.2
+	tailscale.com v1.34.0
 )

 require (
@@ -55,7 +55,7 @@ require (
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/containerd/console v1.0.3 // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -65,7 +65,7 @@ require (
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
-	github.com/glebarez/go-sqlite v1.19.2 // indirect
+	github.com/glebarez/go-sqlite v1.19.5 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@@ -80,19 +80,19 @@ require (
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hdevalence/ed25519consensus v0.1.0 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
 	github.com/jackc/pgconn v1.13.0 // indirect
 	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgproto3/v2 v2.3.1 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
-	github.com/jackc/pgtype v1.12.0 // indirect
+	github.com/jackc/pgtype v1.13.0 // indirect
 	github.com/jackc/pgx/v4 v4.17.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/josharian/native v1.0.0 // indirect
-	github.com/jsimonetti/rtnetlink v1.2.3 // indirect
+	github.com/jsimonetti/rtnetlink v1.3.0 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
@@ -102,26 +102,26 @@ require (
 	github.com/mattn/go-isatty v0.0.16 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/mdlayher/netlink v1.6.2 // indirect
-	github.com/mdlayher/socket v0.2.3 // indirect
+	github.com/mdlayher/netlink v1.7.0 // indirect
+	github.com/mdlayher/socket v0.4.0 // indirect
 	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae // indirect
+	github.com/moby/term v0.0.0-20221128092401-c43b287e0e0f // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
 	github.com/opencontainers/runc v1.1.4 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20220927061507-ef77025ab5aa // indirect
-	github.com/rivo/uniseg v0.4.2 // indirect
+	github.com/rivo/uniseg v0.4.3 // indirect
 	github.com/rogpeppe/go-internal v1.8.1-0.20211023094830-115ce09fd6b4 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
-	github.com/spf13/afero v1.9.2 // indirect
+	github.com/spf13/afero v1.9.3 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
@@ -132,19 +132,20 @@ require (
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
-	golang.org/x/mod v0.6.0 // indirect
-	golang.org/x/sys v0.1.0 // indirect
-	golang.org/x/term v0.1.0 // indirect
-	golang.org/x/text v0.4.0 // indirect
-	golang.org/x/time v0.1.0 // indirect
-	golang.org/x/tools v0.2.0 // indirect
+	golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 // indirect
+	golang.org/x/mod v0.7.0 // indirect
+	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/term v0.2.0 // indirect
+	golang.org/x/text v0.5.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.3.0 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
-	modernc.org/libc v1.21.4 // indirect
+	modernc.org/libc v1.21.5 // indirect
 	modernc.org/mathutil v1.5.0 // indirect
-	modernc.org/memory v1.4.0 // indirect
-	modernc.org/sqlite v1.19.3 // indirect
+	modernc.org/memory v1.5.0 // indirect
+	modernc.org/sqlite v1.20.0 // indirect
 	nhooyr.io/websocket v1.8.7 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,4 @@
+atomicgo.dev/assert v0.0.2 h1:FiKeMiZSgRrZsPo9qn/7vmr7mCsh5SZyXY4YGYiYwrg=
 atomicgo.dev/cursor v0.1.1 h1:0t9sxQomCTRh5ug+hAMCs59x/UmC9QL6Ci5uosINKD4=
 atomicgo.dev/cursor v0.1.1/go.mod h1:Lr4ZJB3U7DfPPOkbH7/6TOtJ4vFGHlgj1nc+n900IpU=
 atomicgo.dev/keyboard v0.2.8 h1:Di09BitwZgdTV1hPyX/b9Cqxi8HVuJQwWivnZUEqlj4=
@@ -78,7 +79,7 @@ github.com/MarvinJWendt/testza v0.2.10/go.mod h1:pd+VWsoGUiFtq+hRKSU1Bktnn+DMCSr
 github.com/MarvinJWendt/testza v0.2.12/go.mod h1:JOIegYyV7rX+7VZ9r77L/eH6CfJHHzXjB69adAhzZkI=
 github.com/MarvinJWendt/testza v0.3.0/go.mod h1:eFcL4I0idjtIx8P9C6KkAuLgATNKpX4/2oUqKc6bF2c=
 github.com/MarvinJWendt/testza v0.4.2/go.mod h1:mSdhXiKH8sg/gQehJ63bINcCKp7RtYewEjXsvsVUPbE=
-github.com/MarvinJWendt/testza v0.4.3 h1:u2XaM4IqGp9dsdUmML8/Z791fu4yjQYzOiufOtJwTII=
+github.com/MarvinJWendt/testza v0.5.1 h1:a9Fqx6vQrHQ4CyiaLhktfTTelwGotmFWy8MNhyaohw8=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
@@ -106,20 +107,23 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029 h1:POmUHfxXdeyM8Aomg4tKDcwATCFuW+cYLkj6pwsw9pc=
 github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029/go.mod h1:Rpr5n9cGHYdM3S3IK8ROSUUUYjQOu+MSUCZDcJbYWi8=
-github.com/cenkalti/backoff/v4 v4.1.3 h1:cFAlzYUlVYDysBEH2T5hyJZMh3+5+WCBvSnK6Q8UtC4=
-github.com/cenkalti/backoff/v4 v4.1.3/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
+github.com/cenkalti/backoff/v4 v4.2.0 h1:HN5dHm3WBOgndBH6E8V0q2jIYIR3s9yglV8k/+MN3u4=
+github.com/cenkalti/backoff/v4 v4.2.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/logex v1.2.0/go.mod h1:9+9sk7u7pGNWYMkh0hdiL++6OeibzJccyQU4p4MedaY=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/readline v1.5.0/go.mod h1:x22KAscuvRqlLoK9CsoYsmxoXZMMFVyOl86cAH8qUic=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/chzyer/test v0.0.0-20210722231415-061457976a23/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
 github.com/cilium/ebpf v0.9.3 h1:5KtxXZU+scyERvkJMEm16TbScVvuuMrlhPly78ZMbSc=
-github.com/cilium/ebpf v0.9.3/go.mod h1:w27N4UjpaQ9X/DGrSugxUG+H+NhgntDuPb5lCzxCn8A=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
@@ -146,7 +150,6 @@ github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:ma
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI=
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
@@ -178,7 +181,6 @@ github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.
 github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
-github.com/frankban/quicktest v1.14.0/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og=
 github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
@@ -190,8 +192,8 @@ github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm
 github.com/gin-gonic/gin v1.6.3 h1:ahKqKTFpO5KTPHxWZjEdPScmYaGtLo8Y4DMHoEsnp14=
 github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M=
 github.com/glebarez/go-sqlite v1.19.1/go.mod h1:9AykawGIyIcxoSfpYWiX1SgTNHTNsa/FVc75cDkbp4M=
-github.com/glebarez/go-sqlite v1.19.2 h1:mTtntWN3wk9UNjIf6F7Upqnfq96p+cjhfgCsupUd1hY=
-github.com/glebarez/go-sqlite v1.19.2/go.mod h1:DoubC3Kn5X6EBvDa2iaxAdIJqPNmY7M/sOCpfa8fus0=
+github.com/glebarez/go-sqlite v1.19.5 h1:krEVjICcImFNi+X81GmEkSe/brhzLL3Csbkb/ihi8sI=
+github.com/glebarez/go-sqlite v1.19.5/go.mod h1:IjVxx3ezfL9clKLLSzVgv2sGZe28yIa116YyLTIvp84=
 github.com/glebarez/sqlite v1.5.0 h1:+8LAEpmywqresSoGlqjjT+I9m4PseIM3NcerIJ/V7mk=
 github.com/glebarez/sqlite v1.5.0/go.mod h1:0wzXzTvfVJIN2GqRhCdMbnYd+m+aH5/QV7B30rM6NgY=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
@@ -223,8 +225,8 @@ github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/E
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
-github.com/gofrs/uuid v4.3.0+incompatible h1:CaSVZxm5B+7o45rtab4jC2G37WGYX1zQfuU2i6DSvnc=
-github.com/gofrs/uuid v4.3.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
+github.com/gofrs/uuid v4.3.1+incompatible h1:0/KbAdpx3UXAx1kEOWHJeOkpbgRFGHVgv+CFIY7dBJI=
+github.com/gofrs/uuid v4.3.1+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
@@ -307,6 +309,7 @@ github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLe
 github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
@@ -334,8 +337,8 @@ github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/ad
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0 h1:+9834+KizmvFV7pXQGSXQTsaWhq2GjuNUt0aUU0YBYw=
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0/go.mod h1:z0ButlSOZa5vEBq9m2m2hlwIgKw+rp3sdCBRoJY+30Y=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.12.0 h1:kr3j8iIMR4ywO/O0rvksXaJvauGGCMg2zAZIiNZ9uIQ=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.12.0/go.mod h1:ummNFgdgLhhX7aIiy35vVmQNS0rWXknfPE0qe6fmFXg=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.14.0 h1:t7uX3JBHdVwAi3G7sSSdbsk8NfgA+LnUS88V/2EKaA0=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.14.0/go.mod h1:4OGVnY4qf2+gw+ssiHbW+pq4mo2yko94YxxMmXZ7jCA=
 github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
 github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
@@ -348,10 +351,12 @@ github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/ianlancetaylor/demangle v0.0.0-20220319035150-800ac71e25c2/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
 github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
 github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
-github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/chunkreader v1.0.0/go.mod h1:RT6O25fNZIuasFJRyZ4R/Y2BbhasbmZXF9QQ7T3kePo=
 github.com/jackc/chunkreader/v2 v2.0.0/go.mod h1:odVSm741yZoC3dpHEUXIqA9tQRhFrgOHwnPIn9lDKlk=
 github.com/jackc/chunkreader/v2 v2.0.1 h1:i+RDz65UE+mmpjTfyz0MoVTnzeYxroil2G82ki7MGG8=
@@ -387,8 +392,9 @@ github.com/jackc/pgtype v0.0.0-20190421001408-4ed0de4755e0/go.mod h1:hdSHsc1V01C
 github.com/jackc/pgtype v0.0.0-20190824184912-ab885b375b90/go.mod h1:KcahbBH1nCMSo2DXpzsoWOAfFkdEtEJpPbVLq8eE+mc=
 github.com/jackc/pgtype v0.0.0-20190828014616-a8802b16cc59/go.mod h1:MWlu30kVJrUS8lot6TQqcg7mtthZ9T0EoIBFiJcmcyw=
 github.com/jackc/pgtype v1.8.1-0.20210724151600-32e20a603178/go.mod h1:C516IlIV9NKqfsMCXTdChteoXmwgUceqaLfjg2e3NlM=
-github.com/jackc/pgtype v1.12.0 h1:Dlq8Qvcch7kiehm8wPGIW0W3KsCCHJnRacKW0UM8n5w=
 github.com/jackc/pgtype v1.12.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
+github.com/jackc/pgtype v1.13.0 h1:XkIc7A+1BmZD19bB2NxrtjJweHxQ9agqvM+9URc68Cg=
+github.com/jackc/pgtype v1.13.0/go.mod h1:LUMuVrfsFfdKGLw+AFFVv6KtHOFMwRgDDzBt76IqCA4=
 github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08CZQyj1PVQBHy9XOp5p8/SHH6a0psbY9Y=
 github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM=
 github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc=
@@ -407,8 +413,8 @@ github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/
 github.com/josharian/native v1.0.0 h1:Ts/E8zCSEsG17dUqv7joXJFybuMLjQfWE04tsBODTxk=
 github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
 github.com/jpillora/backoff v1.0.0/go.mod h1:J/6gKK9jxlEcS3zixgDgUAsiuZ7yrSoa/FX5e0EB2j4=
-github.com/jsimonetti/rtnetlink v1.2.3 h1:JntWIxmljlDswWwebzpZCz2Aa3t2kThJ79f658zgsPU=
-github.com/jsimonetti/rtnetlink v1.2.3/go.mod h1:5r5Rj9WEseVOUzDk5RN9v0gVXbkBz9XtENwhC6PwvtU=
+github.com/jsimonetti/rtnetlink v1.3.0 h1:lScjubfLwewsD1F+YaDLiq1HDDq7IGADIhGATPwlKHg=
+github.com/jsimonetti/rtnetlink v1.3.0/go.mod h1:SDPgjZRgWa6SvsU59TWBji7nxZGDVHt0HarV7J9E0kM=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
@@ -429,7 +435,7 @@ github.com/klauspost/compress v1.15.12/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrD
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.0.10/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
 github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
-github.com/klauspost/cpuid/v2 v2.1.0 h1:eyi1Ad2aNJMW95zcSbmGg7Cg6cq3ADwLpMAP96d8rF0=
+github.com/klauspost/cpuid/v2 v2.2.0 h1:4ZexSFt8agMNzNisrsilL6RClWDC5YJnLHNIfTy4iuc=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -476,10 +482,10 @@ github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
 github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
-github.com/mdlayher/netlink v1.6.2 h1:D2zGSkvYsJ6NreeED3JiVTu1lj2sIYATqSaZlhPzUgQ=
-github.com/mdlayher/netlink v1.6.2/go.mod h1:O1HXX2sIWSMJ3Qn1BYZk1yZM+7iMki/uYGGiwGyq/iU=
-github.com/mdlayher/socket v0.2.3 h1:XZA2X2TjdOwNoNPVPclRCURoX/hokBY8nkTmRZFEheM=
-github.com/mdlayher/socket v0.2.3/go.mod h1:bz12/FozYNH/VbvC3q7TRIK/Y6dH1kCKsXaUeXi/FmY=
+github.com/mdlayher/netlink v1.7.0 h1:ZNGI4V7i1fJ94DPYtWhI/R85i/Q7ZxnuhUJQcJMoodI=
+github.com/mdlayher/netlink v1.7.0/go.mod h1:nKO5CSjE/DJjVhk/TNp6vCE1ktVxEA8VEh8drhZzxsQ=
+github.com/mdlayher/socket v0.4.0 h1:280wsy40IC9M9q1uPGcLBwXpcTQDtoGwVt+BNoITxIw=
+github.com/mdlayher/socket v0.4.0/go.mod h1:xxFqz5GRCUN3UEOm9CZqEJsAbe1C8OwSK46NlmWuVoc=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
 github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
@@ -488,8 +494,8 @@ github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
-github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae h1:O4SWKdcHVCvYqyDV+9CJA1fcDN2L11Bule0iFy3YlAI=
-github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae/go.mod h1:E2VnQOmVuvZB6UYnnDB0qG5Nq/1tD9acaOpo6xmt0Kw=
+github.com/moby/term v0.0.0-20221128092401-c43b287e0e0f h1:J/7hjLaHLD7epG0m6TBMGmp4NQ+ibBYLfeyJWdAIFLA=
+github.com/moby/term v0.0.0-20221128092401-c43b287e0e0f/go.mod h1:15ce4BGCFxt7I5NQKT+HV0yEDxmf6fSysfEDiVo3zFM=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -517,8 +523,8 @@ github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaR
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/pelletier/go-toml/v2 v2.0.5 h1:ipoSadvV8oGUjnUbMub59IDPPwfxF694nG/jwbMiyQg=
-github.com/pelletier/go-toml/v2 v2.0.5/go.mod h1:OMHamSCAODeSsVrwwvcJOaoN0LIUIaFVNZzmWyNfXas=
+github.com/pelletier/go-toml/v2 v2.0.6 h1:nrzqCb7j9cDFj2coyLNLaZuJTLjWjlaz6nvTvIwycIU=
+github.com/pelletier/go-toml/v2 v2.0.6/go.mod h1:eumQOmlWiOPt5WriQQqoM5y18pDHwha2N+QD+EUNTek=
 github.com/philip-bui/grpc-zerolog v1.0.1 h1:EMacvLRUd2O1K0eWod27ZP5CY1iTNkhBDLSN+Q4JEvA=
 github.com/philip-bui/grpc-zerolog v1.0.1/go.mod h1:qXbiq/2X4ZUMMshsqlWyTHOcw7ns+GZmlqZZN05ZHcQ=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -534,8 +540,8 @@ github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5Fsn
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
 github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
-github.com/prometheus/client_golang v1.13.0 h1:b71QUfeo5M8gq2+evJdTPfZhYMAU0uKPkyPJ7TPsloU=
-github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ=
+github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw=
+github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -562,16 +568,16 @@ github.com/pterm/pterm v0.12.31/go.mod h1:32ZAWZVXD7ZfG0s8qqHXePte42kdz8ECtRyEej
 github.com/pterm/pterm v0.12.33/go.mod h1:x+h2uL+n7CP/rel9+bImHD5lF3nM9vJj80k9ybiiTTE=
 github.com/pterm/pterm v0.12.36/go.mod h1:NjiL09hFhT/vWjQHSj1athJpx6H8cjpHXNAK5bUw8T8=
 github.com/pterm/pterm v0.12.40/go.mod h1:ffwPLwlbXxP+rxT0GsgDTzS3y3rmpAO1NMjUkGTYf8s=
-github.com/pterm/pterm v0.12.49 h1:qeNm0wTWawy6WhKoY8ZKq6qTXFr0s2UtUyRW0yVztEg=
-github.com/pterm/pterm v0.12.49/go.mod h1:D4OBoWNqAfXkm5QLTjIgjNiMXPHemLJHnIreGUsWzWg=
-github.com/puzpuzpuz/xsync/v2 v2.0.2 h1:IpXQ8gGkrnZlLGpJLDmq56sYjNhF88n934Yq5BV5fKw=
-github.com/puzpuzpuz/xsync/v2 v2.0.2/go.mod h1:gD2H2krq/w52MfPLE+Uy64TzJDVY7lP2znR9qmR35kU=
+github.com/pterm/pterm v0.12.50 h1:53nKg5lLI1kXkvLWq2IQI5rgkPkFzEQsuQjxAb39VlE=
+github.com/pterm/pterm v0.12.50/go.mod h1:79BLm4vos2z+eOoHnDG7ZWuYtLaSStyaspKjGmSoxc4=
+github.com/puzpuzpuz/xsync/v2 v2.4.0 h1:5sXAMHrtx1bg9nbRZTOn8T4MkWe5V+o8yKRH02Eznag=
+github.com/puzpuzpuz/xsync/v2 v2.4.0/go.mod h1:gD2H2krq/w52MfPLE+Uy64TzJDVY7lP2znR9qmR35kU=
 github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/remyoudompheng/bigfft v0.0.0-20220927061507-ef77025ab5aa h1:tEkEyxYeZ43TR55QU/hsIt9aRGBxbgGuz9CGykjvogY=
 github.com/remyoudompheng/bigfft v0.0.0-20220927061507-ef77025ab5aa/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/rivo/uniseg v0.4.2 h1:YwD0ulJSJytLpiaWua0sBDusfsCZohxjxzVTYjwxfV8=
-github.com/rivo/uniseg v0.4.2/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/rivo/uniseg v0.4.3 h1:utMvzDsuh3suAEnhH0RdHmoPbU648o6CvXxTx4SBMOw=
+github.com/rivo/uniseg v0.4.3/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
@@ -601,24 +607,24 @@ github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
-github.com/spf13/afero v1.9.2 h1:j49Hj62F0n+DaZ1dDCvhABaPNSGNkt32oRFxI33IEMw=
-github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
+github.com/spf13/afero v1.9.3 h1:41FoI0fD7OR7mGcKE/aOiLkGreyf8ifIOQmJANWogMk=
+github.com/spf13/afero v1.9.3/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
 github.com/spf13/cobra v1.6.1 h1:o94oiPyS4KD1mPy2fmcYYHHfCxLqYjJOhGsCHFZtEzA=
 github.com/spf13/cobra v1.6.1/go.mod h1:IOw/AERYS7UzyrGinqmz6HLUo219MORXGxhbaJUqzrY=
 github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
-github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.13.0 h1:BWSJ/M+f+3nmdz9bxB+bWX28kkALN2ok11D0rSo8EJU=
-github.com/spf13/viper v1.13.0/go.mod h1:Icm2xNL3/8uyh/wFuB1jI7TiTNKp8632Nwegu+zgdYw=
+github.com/spf13/viper v1.14.0 h1:Rg7d3Lo706X9tHsJMUjdiwMpHB7W8WnSVOssIY+JElU=
+github.com/spf13/viper v1.14.0/go.mod h1:WT//axPky3FdvXHzGw33dNdXXXfFQqmEalje+egj8As=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0 h1:1zr/of2m5FGMsad5YfcqgdqdWrIhu+EBEJRhR1U7z/c=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -626,8 +632,9 @@ github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs=
 github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
@@ -698,8 +705,8 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A=
+golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -711,6 +718,7 @@ golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561 h1:MDc5xs78ZrZr3HMQugiXOAkSZtfTpbJLDr/lwfgO53E=
+golang.org/x/exp v0.0.0-20220909182711-5c715a9e8561/go.mod h1:cyybsKvd6eL0RnXn6p/Grxp8F5bW7iYuBgsNCOHpMYE=
 golang.org/x/exp/typeparams v0.0.0-20220328175248-053ad81199eb h1:fP6C8Xutcp5AlakmT/SkQot0pMicROAsEX7OfNPuG10=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
@@ -737,8 +745,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I=
-golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
+golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA=
+golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -788,9 +796,8 @@ golang.org/x/net v0.0.0-20220425223048-2871e0cb64e4/go.mod h1:CfG3xpIq0wQ8r1q4Su
 golang.org/x/net v0.0.0-20220607020251-c690dde0001d/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.0.0-20220923203811-8be639271d50/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
-golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -812,8 +819,8 @@ golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j
 golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
 golang.org/x/oauth2 v0.0.0-20220608161450-d0670ef3b1eb/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
 golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.1.0 h1:isLCZuhj4v+tYv7eskaN4v/TM+A1begWWgyVJDdl1+Y=
-golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A=
+golang.org/x/oauth2 v0.2.0 h1:GtQkldQ9m7yvzCL1V+LrYow3Khe0eJH0w7RbX/VbaIU=
+golang.org/x/oauth2 v0.2.0/go.mod h1:Cwn6afJ8jrQwYMxQDTpISoXmXW9I6qF6vDeuuoX3Ibs=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -826,7 +833,6 @@ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220923202941-7f9b1623fab7/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -907,6 +913,7 @@ golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220310020820-b874c991c1a5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -919,17 +926,16 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220928140112-f11e5e49a4ec/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
-golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210503060354-a79de5458b56/go.mod h1:tfny5GFUkzUvx4ps4ajbZsCe5lw1metzhBm9T3x7oIY=
 golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw=
-golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM=
+golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -939,13 +945,13 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
+golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA=
-golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -958,7 +964,6 @@ golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
-golang.org/x/tools v0.0.0-20190624222133-a101b041ded4/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
 golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20190823170909-c4a336ef6a2f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -1007,8 +1012,8 @@ golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE=
-golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
+golang.org/x/tools v0.3.0 h1:SrNbZl6ECOS1qFzgTdQfWXZM9XBkiA6tkFrH9YSTPHM=
+golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1148,8 +1153,8 @@ google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP
 google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
 google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
-google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c h1:QgY/XxIAIeccR+Ca/rDdKubLIU9rcJ3xfy1DC/Wd2Oo=
-google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c/go.mod h1:CGI5F/G+E5bKwmfYo09AXuVN4dD894kIKUFmVbP2/Fo=
+google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd h1:OjndDrsik+Gt+e6fs45z9AxiewiKyLKYpA45W5Kpkks=
+google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd/go.mod h1:cTsE614GARnxrLsqKREzmNYJACSWWpAWdNMwnD7c2BE=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
@@ -1181,8 +1186,8 @@ google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11
 google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.50.1 h1:DS/BukOZWp8s6p4Dt/tOaJaTQyPyOoCcrjroHuCeLzY=
-google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
+google.golang.org/grpc v1.51.0 h1:E1eGv1FTqoLIdnBCZufiSHgKjlqG6fKFf6pPWtMTh8U=
+google.golang.org/grpc v1.51.0/go.mod h1:wgNDFcnuBGmxLKI/qn4T+m5BtEBYXJPvibbUPsAIPww=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@@ -1229,9 +1234,9 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/postgres v1.4.5 h1:mTeXTTtHAgnS9PgmhN2YeUbazYpLhUI1doLnw42XUZc=
 gorm.io/driver/postgres v1.4.5/go.mod h1:GKNQYSJ14qvWkvPwXljMGehpKrhlDNsqYRr5HnYGncg=
 gorm.io/gorm v1.24.0/go.mod h1:DVrVomtaYTbqs7gB/x2uVvqnXzv0nqjB396B8cG4dBA=
-gorm.io/gorm v1.24.1-0.20221019064659-5dd2bb482755 h1:7AdrbfcvKnzejfqP5g37fdSZOXH/JvaPIzBIHTOqXKk=
 gorm.io/gorm v1.24.1-0.20221019064659-5dd2bb482755/go.mod h1:DVrVomtaYTbqs7gB/x2uVvqnXzv0nqjB396B8cG4dBA=
-gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
+gorm.io/gorm v1.24.2 h1:9wR6CFD+G8nOusLdvkZelOEhpJVwwHzpQOUM+REd6U0=
+gorm.io/gorm v1.24.2/go.mod h1:DVrVomtaYTbqs7gB/x2uVvqnXzv0nqjB396B8cG4dBA=
 gotest.tools/v3 v3.2.0 h1:I0DwBVMGAx26dttAj1BtJLAkVGncrkkUXfJLC4Flt/I=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -1240,7 +1245,7 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-honnef.co/go/tools v0.4.0-0.dev.0.20220404092545-59d7a2877f83 h1:lZ9GIYaU+o5+X6ST702I/Ntyq9Y2oIMZ42rBQpem64A=
+honnef.co/go/tools v0.4.0-0.dev.0.20220517111757-f4a2f64ce238 h1:8Vr1KP9OTjoKQSSeLefzibQgDV4s2ujJElKHqMi7nsA=
 howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
 lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
@@ -1251,7 +1256,8 @@ modernc.org/cc/v3 v3.40.0/go.mod h1:/bTg4dnWkSXowUO6ssQKnOV0yMVxDYNIsIrzqTFDGH0=
 modernc.org/ccgo/v3 v3.0.0-20220904174949-82d86e1b6d56/go.mod h1:YSXjPL62P2AMSxBphRHPn7IkzhVHqkvOnRKAKh+W6ZI=
 modernc.org/ccgo/v3 v3.0.0-20220910160915-348f15de615a/go.mod h1:8p47QxPkdugex9J4n9P2tLZ9bK01yngIVp00g4nomW0=
 modernc.org/ccgo/v3 v3.16.9/go.mod h1:zNMzC9A9xeNUepy6KuZBbugn3c0Mc9TeiJO4lgvkJDo=
-modernc.org/ccgo/v3 v3.16.12/go.mod h1:fUB3Vn0nVPReA+7IG7yZDfjv1TMWjhQP8gCxrFAtL5g=
+modernc.org/ccgo/v3 v3.16.13-0.20221017192402-261537637ce8/go.mod h1:fUB3Vn0nVPReA+7IG7yZDfjv1TMWjhQP8gCxrFAtL5g=
+modernc.org/ccgo/v3 v3.16.13/go.mod h1:2Quk+5YgpImhPjv2Qsob1DnZ/4som1lJTodubIcoUkY=
 modernc.org/ccorpus v1.11.6/go.mod h1:2gEUTrWqdpH2pXsmTM1ZkjeSrUWDpjMu2T6m29L/ErQ=
 modernc.org/httpfs v1.0.6/go.mod h1:7dosgurJGp0sPaRanU53W4xZYKh14wfzX420oZADeHM=
 modernc.org/libc v1.17.0/go.mod h1:XsgLldpP4aWlPlsjqKRdHPqCxCjISdHfM/yeWC5GyW0=
@@ -1259,22 +1265,24 @@ modernc.org/libc v1.17.4/go.mod h1:WNg2ZH56rDEwdropAJeZPQkXmDwh+JCA1s/htl6r2fA=
 modernc.org/libc v1.18.0/go.mod h1:vj6zehR5bfc98ipowQOM2nIDUZnVew/wNC/2tOGS+q0=
 modernc.org/libc v1.19.0/go.mod h1:ZRfIaEkgrYgZDl6pa4W39HgN5G/yDW+NRmNKZBDFrk0=
 modernc.org/libc v1.20.3/go.mod h1:ZRfIaEkgrYgZDl6pa4W39HgN5G/yDW+NRmNKZBDFrk0=
-modernc.org/libc v1.21.4 h1:CzTlumWeIbPV5/HVIMzYHNPCRP8uiU/CWiN2gtd/Qu8=
 modernc.org/libc v1.21.4/go.mod h1:przBsL5RDOZajTVslkugzLBj1evTue36jEomFQOoYuI=
+modernc.org/libc v1.21.5 h1:xBkU9fnHV+hvZuPSRszN0AXDG4M7nwPLwTWwkYcvLCI=
+modernc.org/libc v1.21.5/go.mod h1:przBsL5RDOZajTVslkugzLBj1evTue36jEomFQOoYuI=
 modernc.org/mathutil v1.2.2/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
 modernc.org/mathutil v1.4.1/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
 modernc.org/mathutil v1.5.0 h1:rV0Ko/6SfM+8G+yKiyI830l3Wuz1zRutdslNoQ0kfiQ=
 modernc.org/mathutil v1.5.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
 modernc.org/memory v1.2.0/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw=
 modernc.org/memory v1.3.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
-modernc.org/memory v1.4.0 h1:crykUfNSnMAXaOJnnxcSzbUGMqkLWjklJKkBK2nwZwk=
 modernc.org/memory v1.4.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
+modernc.org/memory v1.5.0 h1:N+/8c5rE6EqugZwHii4IFsaJ7MUhoWX07J5tC/iI5Ds=
+modernc.org/memory v1.5.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
 modernc.org/opt v0.1.1/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
 modernc.org/opt v0.1.3/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
 modernc.org/sqlite v1.19.1/go.mod h1:UfQ83woKMaPW/ZBruK0T7YaFCrI+IE0LeWVY6pmnVms=
-modernc.org/sqlite v1.19.2/go.mod h1:fEgebDYAGTFJj2c/ukKmnaq/0ZQZg0PSYxRa/bHyCDs=
-modernc.org/sqlite v1.19.3 h1:dIoagx6yIQT3V/zOSeAyZ8OqQyEr17YTgETOXTZNJMA=
-modernc.org/sqlite v1.19.3/go.mod h1:xiyJD7FY8mTZXnQwE/gEL1STtFrrnDx03V8KhVQmcr8=
+modernc.org/sqlite v1.19.5/go.mod h1:EsYz8rfOvLCiYTy5ZFsOYzoCcRMu98YYkwAcCw5YIYw=
+modernc.org/sqlite v1.20.0 h1:80zmD3BGkm8BZ5fUi/4lwJQHiO3GXgIUvZRXpoIfROY=
+modernc.org/sqlite v1.20.0/go.mod h1:EsYz8rfOvLCiYTy5ZFsOYzoCcRMu98YYkwAcCw5YIYw=
 modernc.org/strutil v1.1.1/go.mod h1:DE+MQQ/hjKBZS2zNInV5hhcipt5rLPWkmpbGeW5mmdw=
 modernc.org/strutil v1.1.3/go.mod h1:MEHNA7PdEnEwLvspRMtWTNnp2nnyvMfkimT1NKNAGbw=
 modernc.org/tcl v1.14.0/go.mod h1:gQ7c1YPMvryCHCcmf8acB6VPabE59QBeuRQLL7cTUlM=
@@ -1288,6 +1296,6 @@ nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78 h1:SqYE5+A2qvRhErbsXFfUEUmpWEKxxRSMgGLkvRAFOV4=
-tailscale.com v1.32.2 h1:bTYbeNPhC3OBH0g5kYWXBEoUOiEsNYf0WSvsvFsYlB0=
-tailscale.com v1.32.2/go.mod h1:AwKk+tI7z1+EXzmLxVNXA4dBpgTKd6RVV1VjFYEiv94=
+software.sslmate.com/src/go-pkcs12 v0.2.0 h1:nlFkj7bTysH6VkC4fGphtjXRbezREPgrHuJG20hBGPE=
+tailscale.com v1.34.0 h1:ntWjElpoTfjbBjYC4gt0jH/V4tjRfl3FW7ZEDu8u+4s=
+tailscale.com v1.34.0/go.mod h1:ZsBP7rjzzB2rp+UCOumr9DAe0EQ6OPivwSXcz/BrekQ=
--- a/grpcv1.go
+++ b/grpcv1.go
@@ -1,4 +1,4 @@
-//nolint
+// nolint
 package headscale

 import (
@@ -12,6 +12,7 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
 )

 type headscaleV1APIServer struct { // v1.HeadscaleServiceServer
@@ -363,36 +364,60 @@ func (api headscaleV1APIServer) MoveMachine(
 	return &v1.MoveMachineResponse{Machine: machine.toProto()}, nil
 }

-func (api headscaleV1APIServer) GetMachineRoute(
+func (api headscaleV1APIServer) GetRoutes(
 	ctx context.Context,
-	request *v1.GetMachineRouteRequest,
-) (*v1.GetMachineRouteResponse, error) {
-	machine, err := api.h.GetMachineByID(request.GetMachineId())
+	request *v1.GetRoutesRequest,
+) (*v1.GetRoutesResponse, error) {
+	routes, err := api.h.GetRoutes()
 	if err != nil {
 		return nil, err
 	}

-	return &v1.GetMachineRouteResponse{
-		Routes: machine.RoutesToProto(),
+	return &v1.GetRoutesResponse{
+		Routes: Routes(routes).toProto(),
 	}, nil
 }

-func (api headscaleV1APIServer) EnableMachineRoutes(
+func (api headscaleV1APIServer) EnableRoute(
 	ctx context.Context,
-	request *v1.EnableMachineRoutesRequest,
-) (*v1.EnableMachineRoutesResponse, error) {
+	request *v1.EnableRouteRequest,
+) (*v1.EnableRouteResponse, error) {
+	err := api.h.EnableRoute(request.GetRouteId())
+	if err != nil {
+		return nil, err
+	}
+
+	return &v1.EnableRouteResponse{}, nil
+}
+
+func (api headscaleV1APIServer) DisableRoute(
+	ctx context.Context,
+	request *v1.DisableRouteRequest,
+) (*v1.DisableRouteResponse, error) {
+	err := api.h.DisableRoute(request.GetRouteId())
+	if err != nil {
+		return nil, err
+	}
+
+	return &v1.DisableRouteResponse{}, nil
+}
+
+func (api headscaleV1APIServer) GetMachineRoutes(
+	ctx context.Context,
+	request *v1.GetMachineRoutesRequest,
+) (*v1.GetMachineRoutesResponse, error) {
 	machine, err := api.h.GetMachineByID(request.GetMachineId())
 	if err != nil {
 		return nil, err
 	}

-	err = api.h.EnableRoutes(machine, request.GetRoutes()...)
+	routes, err := api.h.GetMachineRoutes(machine)
 	if err != nil {
 		return nil, err
 	}

-	return &v1.EnableMachineRoutesResponse{
-		Routes: machine.RoutesToProto(),
+	return &v1.GetMachineRoutesResponse{
+		Routes: Routes(routes).toProto(),
 	}, nil
 }

@@ -497,8 +522,14 @@ func (api headscaleV1APIServer) DebugCreateMachine(
 		HostInfo: HostInfo(hostinfo),
 	}

+	nodeKey := key.NodePublic{}
+	err = nodeKey.UnmarshalText([]byte(request.GetKey()))
+	if err != nil {
+		log.Panic().Msg("can not add machine for debug. invalid node key")
+	}
+
 	api.h.registrationCache.Set(
-		request.GetKey(),
+		NodePublicKeyStripPrefix(nodeKey),
 		newMachine,
 		registerCacheExpiration,
 	)
--- a/handler_legacy.go
+++ b/handler_legacy.go
@@ -0,0 +1,15 @@
+//go:build ts2019
+
+package headscale
+
+import (
+	"net/http"
+
+	"github.com/gorilla/mux"
+)
+
+func (h *Headscale) addLegacyHandlers(router *mux.Router) {
+	router.HandleFunc("/machine/{mkey}/map", h.PollNetMapHandler).
+		Methods(http.MethodPost)
+	router.HandleFunc("/machine/{mkey}", h.RegistrationHandler).Methods(http.MethodPost)
+}
--- a/handler_placeholder.go
+++ b/handler_placeholder.go
@@ -0,0 +1,8 @@
+//go:build !ts2019
+
+package headscale
+
+import "github.com/gorilla/mux"
+
+func (h *Headscale) addLegacyHandlers(router *mux.Router) {
+}
--- a/integration/auth_oidc_test.go
+++ b/integration/auth_oidc_test.go
@@ -0,0 +1,302 @@
+package integration
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"strconv"
+	"testing"
+
+	"github.com/juanfont/headscale"
+	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
+)
+
+const (
+	dockerContextPath      = "../."
+	hsicOIDCMockHashLength = 6
+	oidcServerPort         = 10000
+)
+
+var errStatusCodeNotOK = errors.New("status code not OK")
+
+type AuthOIDCScenario struct {
+	*Scenario
+
+	mockOIDC *dockertest.Resource
+}
+
+func TestOIDCAuthenticationPingAll(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	baseScenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	scenario := AuthOIDCScenario{
+		Scenario: baseScenario,
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions),
+	}
+
+	oidcConfig, err := scenario.runMockOIDC()
+	if err != nil {
+		t.Errorf("failed to run mock OIDC server: %s", err)
+	}
+
+	oidcMap := map[string]string{
+		"HEADSCALE_OIDC_ISSUER":             oidcConfig.Issuer,
+		"HEADSCALE_OIDC_CLIENT_ID":          oidcConfig.ClientID,
+		"HEADSCALE_OIDC_CLIENT_SECRET":      oidcConfig.ClientSecret,
+		"HEADSCALE_OIDC_STRIP_EMAIL_DOMAIN": fmt.Sprintf("%t", oidcConfig.StripEmaildomain),
+	}
+
+	err = scenario.CreateHeadscaleEnv(
+		spec,
+		hsic.WithTestName("oidcauthping"),
+		hsic.WithConfigEnv(oidcMap),
+		hsic.WithHostnameAsServerURL(),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	allIps, err := scenario.ListTailscaleClientsIPs()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	success := 0
+
+	for _, client := range allClients {
+		for _, ip := range allIps {
+			err := client.Ping(ip.String())
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}
+
+	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func (s *AuthOIDCScenario) CreateHeadscaleEnv(
+	namespaces map[string]int,
+	opts ...hsic.Option,
+) error {
+	headscale, err := s.Headscale(opts...)
+	if err != nil {
+		return err
+	}
+
+	err = headscale.WaitForReady()
+	if err != nil {
+		return err
+	}
+
+	for namespaceName, clientCount := range namespaces {
+		log.Printf("creating namespace %s with %d clients", namespaceName, clientCount)
+		err = s.CreateNamespace(namespaceName)
+		if err != nil {
+			return err
+		}
+
+		err = s.CreateTailscaleNodesInNamespace(namespaceName, "all", clientCount)
+		if err != nil {
+			return err
+		}
+
+		err = s.runTailscaleUp(namespaceName, headscale.GetEndpoint())
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *AuthOIDCScenario) runMockOIDC() (*headscale.OIDCConfig, error) {
+	hash, _ := headscale.GenerateRandomStringDNSSafe(hsicOIDCMockHashLength)
+
+	hostname := fmt.Sprintf("hs-oidcmock-%s", hash)
+
+	mockOidcOptions := &dockertest.RunOptions{
+		Name:         hostname,
+		Cmd:          []string{"headscale", "mockoidc"},
+		ExposedPorts: []string{"10000/tcp"},
+		PortBindings: map[docker.Port][]docker.PortBinding{
+			"10000/tcp": {{HostPort: "10000"}},
+		},
+		Networks: []*dockertest.Network{s.Scenario.network},
+		Env: []string{
+			fmt.Sprintf("MOCKOIDC_ADDR=%s", hostname),
+			"MOCKOIDC_PORT=10000",
+			"MOCKOIDC_CLIENT_ID=superclient",
+			"MOCKOIDC_CLIENT_SECRET=supersecret",
+		},
+	}
+
+	headscaleBuildOptions := &dockertest.BuildOptions{
+		Dockerfile: "Dockerfile.debug",
+		ContextDir: dockerContextPath,
+	}
+
+	err := s.pool.RemoveContainerByName(hostname)
+	if err != nil {
+		return nil, err
+	}
+
+	if pmockoidc, err := s.pool.BuildAndRunWithBuildOptions(
+		headscaleBuildOptions,
+		mockOidcOptions,
+		dockertestutil.DockerRestartPolicy); err == nil {
+		s.mockOIDC = pmockoidc
+	} else {
+		return nil, err
+	}
+
+	log.Println("Waiting for headscale mock oidc to be ready for tests")
+	hostEndpoint := fmt.Sprintf(
+		"%s:%s",
+		s.mockOIDC.GetIPInNetwork(s.network),
+		s.mockOIDC.GetPort(fmt.Sprintf("%d/tcp", oidcServerPort)),
+	)
+
+	if err := s.pool.Retry(func() error {
+		oidcConfigURL := fmt.Sprintf("http://%s/oidc/.well-known/openid-configuration", hostEndpoint)
+		httpClient := &http.Client{}
+		ctx := context.Background()
+		req, _ := http.NewRequestWithContext(ctx, http.MethodGet, oidcConfigURL, nil)
+		resp, err := httpClient.Do(req)
+		if err != nil {
+			log.Printf("headscale mock OIDC tests is not ready: %s\n", err)
+
+			return err
+		}
+		defer resp.Body.Close()
+
+		if resp.StatusCode != http.StatusOK {
+			return errStatusCodeNotOK
+		}
+
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+
+	log.Printf("headscale mock oidc is ready for tests at %s", hostEndpoint)
+
+	return &headscale.OIDCConfig{
+		Issuer: fmt.Sprintf("http://%s/oidc",
+			net.JoinHostPort(s.mockOIDC.GetIPInNetwork(s.network), strconv.Itoa(oidcServerPort))),
+		ClientID:         "superclient",
+		ClientSecret:     "supersecret",
+		StripEmaildomain: true,
+	}, nil
+}
+
+func (s *AuthOIDCScenario) runTailscaleUp(
+	namespaceStr, loginServer string,
+) error {
+	headscale, err := s.Headscale()
+	if err != nil {
+		return err
+	}
+
+	log.Printf("running tailscale up for namespace %s", namespaceStr)
+	if namespace, ok := s.namespaces[namespaceStr]; ok {
+		for _, client := range namespace.Clients {
+			namespace.joinWaitGroup.Add(1)
+
+			go func(c TailscaleClient) {
+				defer namespace.joinWaitGroup.Done()
+
+				// TODO(juanfont): error handle this
+				loginURL, err := c.UpWithLoginURL(loginServer)
+				if err != nil {
+					log.Printf("failed to run tailscale up: %s", err)
+				}
+
+				loginURL.Host = fmt.Sprintf("%s:8080", headscale.GetIP())
+				loginURL.Scheme = "http"
+
+				insecureTransport := &http.Transport{
+					TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // nolint
+				}
+
+				log.Printf("%s login url: %s\n", c.Hostname(), loginURL.String())
+
+				httpClient := &http.Client{Transport: insecureTransport}
+				ctx := context.Background()
+				req, _ := http.NewRequestWithContext(ctx, http.MethodGet, loginURL.String(), nil)
+				resp, err := httpClient.Do(req)
+				if err != nil {
+					log.Printf("%s failed to get login url %s: %s", c.Hostname(), loginURL, err)
+
+					return
+				}
+
+				defer resp.Body.Close()
+
+				_, err = io.ReadAll(resp.Body)
+				if err != nil {
+					log.Printf("%s failed to read response body: %s", c.Hostname(), err)
+
+					return
+				}
+
+				log.Printf("Finished request for %s to join tailnet", c.Hostname())
+			}(client)
+
+			err = client.WaitForReady()
+			if err != nil {
+				log.Printf("error waiting for client %s to be ready: %s", client.Hostname(), err)
+			}
+
+			log.Printf("client %s is ready", client.Hostname())
+		}
+
+		namespace.joinWaitGroup.Wait()
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to up tailscale node: %w", errNoNamespaceAvailable)
+}
+
+func (s *AuthOIDCScenario) Shutdown() error {
+	err := s.pool.Purge(s.mockOIDC)
+	if err != nil {
+		return err
+	}
+
+	return s.Scenario.Shutdown()
+}
--- a/integration/auth_web_flow_test.go
+++ b/integration/auth_web_flow_test.go
@@ -0,0 +1,205 @@
+package integration
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/juanfont/headscale/integration/hsic"
+)
+
+var errParseAuthPage = errors.New("failed to parse auth page")
+
+type AuthWebFlowScenario struct {
+	*Scenario
+}
+
+func TestAuthWebFlowAuthenticationPingAll(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	baseScenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	scenario := AuthWebFlowScenario{
+		Scenario: baseScenario,
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions),
+		"namespace2": len(TailscaleVersions),
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("webauthping"))
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	allIps, err := scenario.ListTailscaleClientsIPs()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	success := 0
+
+	for _, client := range allClients {
+		for _, ip := range allIps {
+			err := client.Ping(ip.String())
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}
+
+	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func (s *AuthWebFlowScenario) CreateHeadscaleEnv(
+	namespaces map[string]int,
+	opts ...hsic.Option,
+) error {
+	headscale, err := s.Headscale(opts...)
+	if err != nil {
+		return err
+	}
+
+	err = headscale.WaitForReady()
+	if err != nil {
+		return err
+	}
+
+	for namespaceName, clientCount := range namespaces {
+		log.Printf("creating namespace %s with %d clients", namespaceName, clientCount)
+		err = s.CreateNamespace(namespaceName)
+		if err != nil {
+			return err
+		}
+
+		err = s.CreateTailscaleNodesInNamespace(namespaceName, "all", clientCount)
+		if err != nil {
+			return err
+		}
+
+		err = s.runTailscaleUp(namespaceName, headscale.GetEndpoint())
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *AuthWebFlowScenario) runTailscaleUp(
+	namespaceStr, loginServer string,
+) error {
+	log.Printf("running tailscale up for namespace %s", namespaceStr)
+	if namespace, ok := s.namespaces[namespaceStr]; ok {
+		for _, client := range namespace.Clients {
+			namespace.joinWaitGroup.Add(1)
+
+			go func(c TailscaleClient) {
+				defer namespace.joinWaitGroup.Done()
+
+				// TODO(juanfont): error handle this
+				loginURL, err := c.UpWithLoginURL(loginServer)
+				if err != nil {
+					log.Printf("failed to run tailscale up: %s", err)
+				}
+
+				err = s.runHeadscaleRegister(namespaceStr, loginURL)
+				if err != nil {
+					log.Printf("failed to register client: %s", err)
+				}
+			}(client)
+
+			err := client.WaitForReady()
+			if err != nil {
+				log.Printf("error waiting for client %s to be ready: %s", client.Hostname(), err)
+			}
+		}
+		namespace.joinWaitGroup.Wait()
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to up tailscale node: %w", errNoNamespaceAvailable)
+}
+
+func (s *AuthWebFlowScenario) runHeadscaleRegister(namespaceStr string, loginURL *url.URL) error {
+	headscale, err := s.Headscale()
+	if err != nil {
+		return err
+	}
+
+	log.Printf("loginURL: %s", loginURL)
+	loginURL.Host = fmt.Sprintf("%s:8080", headscale.GetIP())
+	loginURL.Scheme = "http"
+
+	httpClient := &http.Client{}
+	ctx := context.Background()
+	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, loginURL.String(), nil)
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return err
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return err
+	}
+
+	defer resp.Body.Close()
+
+	// see api.go HTML template
+	codeSep := strings.Split(string(body), "</code>")
+	if len(codeSep) != 2 {
+		return errParseAuthPage
+	}
+
+	keySep := strings.Split(codeSep[0], "key ")
+	if len(keySep) != 2 {
+		return errParseAuthPage
+	}
+	key := keySep[1]
+	log.Printf("registering node %s", key)
+
+	if headscale, err := s.Headscale(); err == nil {
+		_, err = headscale.Execute(
+			[]string{"headscale", "-n", namespaceStr, "nodes", "register", "--key", key},
+		)
+		if err != nil {
+			log.Printf("failed to register node: %s", err)
+
+			return err
+		}
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to find headscale: %w", errNoHeadscaleAvailable)
+}
--- a/integration/cli_test.go
+++ b/integration/cli_test.go
@@ -2,11 +2,15 @@ package integration

 import (
 	"encoding/json"
+	"fmt"
 	"sort"
+	"strconv"
 	"testing"
 	"time"

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/stretchr/testify/assert"
 )

@@ -36,11 +40,14 @@ func TestNamespaceCommand(t *testing.T) {
 		"namespace2": 0,
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clins"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
 	assert.NoError(t, err)

 	var listNamespaces []v1.Namespace
-	err = executeAndUnmarshal(scenario.Headscale(),
+	err = executeAndUnmarshal(headscale,
 		[]string{
 			"headscale",
 			"namespaces",
@@ -61,7 +68,7 @@ func TestNamespaceCommand(t *testing.T) {
 		result,
 	)

-	_, err = scenario.Headscale().Execute(
+	_, err = headscale.Execute(
 		[]string{
 			"headscale",
 			"namespaces",
@@ -75,7 +82,7 @@ func TestNamespaceCommand(t *testing.T) {
 	assert.NoError(t, err)

 	var listAfterRenameNamespaces []v1.Namespace
-	err = executeAndUnmarshal(scenario.Headscale(),
+	err = executeAndUnmarshal(headscale,
 		[]string{
 			"headscale",
 			"namespaces",
@@ -114,7 +121,10 @@ func TestPreAuthKeyCommand(t *testing.T) {
 		namespace: 0,
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clipak"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
 	assert.NoError(t, err)

 	keys := make([]*v1.PreAuthKey, count)
@@ -123,7 +133,7 @@ func TestPreAuthKeyCommand(t *testing.T) {
 	for index := 0; index < count; index++ {
 		var preAuthKey v1.PreAuthKey
 		err := executeAndUnmarshal(
-			scenario.Headscale(),
+			headscale,
 			[]string{
 				"headscale",
 				"preauthkeys",
@@ -149,7 +159,7 @@ func TestPreAuthKeyCommand(t *testing.T) {

 	var listedPreAuthKeys []v1.PreAuthKey
 	err = executeAndUnmarshal(
-		scenario.Headscale(),
+		headscale,
 		[]string{
 			"headscale",
 			"preauthkeys",
@@ -202,7 +212,7 @@ func TestPreAuthKeyCommand(t *testing.T) {
 	}

 	// Test key expiry
-	_, err = scenario.Headscale().Execute(
+	_, err = headscale.Execute(
 		[]string{
 			"headscale",
 			"preauthkeys",
@@ -216,7 +226,7 @@ func TestPreAuthKeyCommand(t *testing.T) {

 	var listedPreAuthKeysAfterExpire []v1.PreAuthKey
 	err = executeAndUnmarshal(
-		scenario.Headscale(),
+		headscale,
 		[]string{
 			"headscale",
 			"preauthkeys",
@@ -251,12 +261,15 @@ func TestPreAuthKeyCommandWithoutExpiry(t *testing.T) {
 		namespace: 0,
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clipaknaexp"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
 	assert.NoError(t, err)

 	var preAuthKey v1.PreAuthKey
 	err = executeAndUnmarshal(
-		scenario.Headscale(),
+		headscale,
 		[]string{
 			"headscale",
 			"preauthkeys",
@@ -273,7 +286,7 @@ func TestPreAuthKeyCommandWithoutExpiry(t *testing.T) {

 	var listedPreAuthKeys []v1.PreAuthKey
 	err = executeAndUnmarshal(
-		scenario.Headscale(),
+		headscale,
 		[]string{
 			"headscale",
 			"preauthkeys",
@@ -313,12 +326,15 @@ func TestPreAuthKeyCommandReusableEphemeral(t *testing.T) {
 		namespace: 0,
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clipakresueeph"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
 	assert.NoError(t, err)

 	var preAuthReusableKey v1.PreAuthKey
 	err = executeAndUnmarshal(
-		scenario.Headscale(),
+		headscale,
 		[]string{
 			"headscale",
 			"preauthkeys",
@@ -335,7 +351,7 @@ func TestPreAuthKeyCommandReusableEphemeral(t *testing.T) {

 	var preAuthEphemeralKey v1.PreAuthKey
 	err = executeAndUnmarshal(
-		scenario.Headscale(),
+		headscale,
 		[]string{
 			"headscale",
 			"preauthkeys",
@@ -355,7 +371,7 @@ func TestPreAuthKeyCommandReusableEphemeral(t *testing.T) {

 	var listedPreAuthKeys []v1.PreAuthKey
 	err = executeAndUnmarshal(
-		scenario.Headscale(),
+		headscale,
 		[]string{
 			"headscale",
 			"preauthkeys",
@@ -375,3 +391,144 @@ func TestPreAuthKeyCommandReusableEphemeral(t *testing.T) {
 	err = scenario.Shutdown()
 	assert.NoError(t, err)
 }
+
+func TestEnablingRoutes(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	namespace := "enable-routing"
+
+	scenario, err := NewScenario()
+	assert.NoError(t, err)
+
+	spec := map[string]int{
+		namespace: 3,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clienableroute"))
+	assert.NoError(t, err)
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	headscale, err := scenario.Headscale()
+	assert.NoError(t, err)
+
+	// advertise routes using the up command
+	for i, client := range allClients {
+		routeStr := fmt.Sprintf("10.0.%d.0/24", i)
+		hostname, _ := client.FQDN()
+		_, _, err = client.Execute([]string{
+			"tailscale",
+			"up",
+			fmt.Sprintf("--advertise-routes=%s", routeStr),
+			"-login-server", headscale.GetEndpoint(),
+			"--hostname", hostname,
+		})
+		assert.NoError(t, err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	var routes []*v1.Route
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"routes",
+			"list",
+			"--output",
+			"json",
+		},
+		&routes,
+	)
+
+	assert.NoError(t, err)
+	assert.Len(t, routes, 3)
+
+	for _, route := range routes {
+		assert.Equal(t, route.Advertised, true)
+		assert.Equal(t, route.Enabled, false)
+		assert.Equal(t, route.IsPrimary, false)
+	}
+
+	for _, route := range routes {
+		_, err = headscale.Execute(
+			[]string{
+				"headscale",
+				"routes",
+				"enable",
+				"--route",
+				strconv.Itoa(int(route.Id)),
+			})
+		assert.NoError(t, err)
+	}
+
+	var enablingRoutes []*v1.Route
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"routes",
+			"list",
+			"--output",
+			"json",
+		},
+		&enablingRoutes,
+	)
+	assert.NoError(t, err)
+
+	for _, route := range enablingRoutes {
+		assert.Equal(t, route.Advertised, true)
+		assert.Equal(t, route.Enabled, true)
+		assert.Equal(t, route.IsPrimary, true)
+	}
+
+	routeIDToBeDisabled := enablingRoutes[0].Id
+
+	_, err = headscale.Execute(
+		[]string{
+			"headscale",
+			"routes",
+			"disable",
+			"--route",
+			strconv.Itoa(int(routeIDToBeDisabled)),
+		})
+	assert.NoError(t, err)
+
+	var disablingRoutes []*v1.Route
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"routes",
+			"list",
+			"--output",
+			"json",
+		},
+		&disablingRoutes,
+	)
+	assert.NoError(t, err)
+
+	for _, route := range disablingRoutes {
+		assert.Equal(t, true, route.Advertised)
+
+		if route.Id == routeIDToBeDisabled {
+			assert.Equal(t, route.Enabled, false)
+			assert.Equal(t, route.IsPrimary, false)
+		} else {
+			assert.Equal(t, route.Enabled, true)
+			assert.Equal(t, route.IsPrimary, true)
+		}
+	}
+}
--- a/integration/control.go
+++ b/integration/control.go
@@ -13,4 +13,7 @@ type ControlServer interface {
 	CreateNamespace(namespace string) error
 	CreateAuthKey(namespace string) (*v1.PreAuthKey, error)
 	ListMachinesInNamespace(namespace string) ([]*v1.Machine, error)
+	GetCert() []byte
+	GetHostname() string
+	GetIP() string
 }
--- a/integration/general_test.go
+++ b/integration/general_test.go
@@ -6,11 +6,14 @@ import (
 	"testing"
 	"time"

+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/rs/zerolog/log"
 )

 func TestPingAllByIP(t *testing.T) {
 	IntegrationSkip(t)
+	t.Parallel()

 	scenario, err := NewScenario()
 	if err != nil {
@@ -22,7 +25,7 @@ func TestPingAllByIP(t *testing.T) {
 		"namespace2": len(TailscaleVersions),
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("pingallbyip"))
 	if err != nil {
 		t.Errorf("failed to create headscale environment: %s", err)
 	}
@@ -65,6 +68,7 @@ func TestPingAllByIP(t *testing.T) {

 func TestPingAllByHostname(t *testing.T) {
 	IntegrationSkip(t)
+	t.Parallel()

 	scenario, err := NewScenario()
 	if err != nil {
@@ -77,7 +81,7 @@ func TestPingAllByHostname(t *testing.T) {
 		"namespace4": len(TailscaleVersions) - 1,
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("pingallbyname"))
 	if err != nil {
 		t.Errorf("failed to create headscale environment: %s", err)
 	}
@@ -118,8 +122,13 @@ func TestPingAllByHostname(t *testing.T) {
 	}
 }

+// If subtests are parallel, then they will start before setup is run.
+// This might mean we approach setup slightly wrong, but for now, ignore
+// the linter
+// nolint:tparallel
 func TestTaildrop(t *testing.T) {
 	IntegrationSkip(t)
+	t.Parallel()

 	retry := func(times int, sleepInverval time.Duration, doWork func() error) error {
 		var err error
@@ -144,7 +153,7 @@ func TestTaildrop(t *testing.T) {
 		"taildrop": len(TailscaleVersions) - 1,
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("taildrop"))
 	if err != nil {
 		t.Errorf("failed to create headscale environment: %s", err)
 	}
@@ -168,7 +177,7 @@ func TestTaildrop(t *testing.T) {
 	for _, client := range allClients {
 		command := []string{"touch", fmt.Sprintf("/tmp/file_from_%s", client.Hostname())}

-		if _, err := client.Execute(command); err != nil {
+		if _, _, err := client.Execute(command); err != nil {
 			t.Errorf("failed to create taildrop file on %s, err: %s", client.Hostname(), err)
 		}

@@ -193,7 +202,7 @@ func TestTaildrop(t *testing.T) {
 						client.Hostname(),
 						peer.Hostname(),
 					)
-					_, err := client.Execute(command)
+					_, _, err := client.Execute(command)

 					return err
 				})
@@ -214,7 +223,7 @@ func TestTaildrop(t *testing.T) {
 			"get",
 			"/tmp/",
 		}
-		if _, err := client.Execute(command); err != nil {
+		if _, _, err := client.Execute(command); err != nil {
 			t.Errorf("failed to get taildrop file on %s, err: %s", client.Hostname(), err)
 		}

@@ -234,7 +243,7 @@ func TestTaildrop(t *testing.T) {
 					peer.Hostname(),
 				)

-				result, err := client.Execute(command)
+				result, _, err := client.Execute(command)
 				if err != nil {
 					t.Errorf("failed to execute command to ls taildrop: %s", err)
 				}
@@ -259,6 +268,7 @@ func TestTaildrop(t *testing.T) {

 func TestResolveMagicDNS(t *testing.T) {
 	IntegrationSkip(t)
+	t.Parallel()

 	scenario, err := NewScenario()
 	if err != nil {
@@ -271,7 +281,7 @@ func TestResolveMagicDNS(t *testing.T) {
 		"magicdns2": len(TailscaleVersions) - 1,
 	}

-	err = scenario.CreateHeadscaleEnv(spec)
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("magicdns"))
 	if err != nil {
 		t.Errorf("failed to create headscale environment: %s", err)
 	}
@@ -306,7 +316,7 @@ func TestResolveMagicDNS(t *testing.T) {
 				"tailscale",
 				"ip", peerFQDN,
 			}
-			result, err := client.Execute(command)
+			result, _, err := client.Execute(command)
 			if err != nil {
 				t.Errorf(
 					"failed to execute resolve/ip command %s from %s: %s",
--- a/integration/hsic/hsic.go
+++ b/integration/hsic/hsic.go
@@ -1,67 +1,118 @@
 package hsic

 import (
-	"archive/tar"
 	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"fmt"
-	"io"
 	"log"
+	"math/big"
+	"net"
 	"net/http"
-	"path/filepath"
+	"time"

 	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/juanfont/headscale/integration/integrationutil"
 	"github.com/ory/dockertest/v3"
-	"github.com/ory/dockertest/v3/docker"
 )

 const (
-	hsicHashLength    = 6
-	dockerContextPath = "../."
-	aclPolicyPath     = "/etc/headscale/acl.hujson"
+	hsicHashLength       = 6
+	dockerContextPath    = "../."
+	aclPolicyPath        = "/etc/headscale/acl.hujson"
+	tlsCertPath          = "/etc/headscale/tls.cert"
+	tlsKeyPath           = "/etc/headscale/tls.key"
+	headscaleDefaultPort = 8080
 )

 var errHeadscaleStatusCodeNotOk = errors.New("headscale status code not ok")

 type HeadscaleInContainer struct {
 	hostname string
-	port     int

 	pool      *dockertest.Pool
 	container *dockertest.Resource
 	network   *dockertest.Network

 	// optional config
+	port      int
 	aclPolicy *headscale.ACLPolicy
 	env       []string
+	tlsCert   []byte
+	tlsKey    []byte
 }

 type Option = func(c *HeadscaleInContainer)

 func WithACLPolicy(acl *headscale.ACLPolicy) Option {
 	return func(hsic *HeadscaleInContainer) {
+		// TODO(kradalby): Move somewhere appropriate
+		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_ACL_POLICY_PATH=%s", aclPolicyPath))
+
 		hsic.aclPolicy = acl
 	}
 }

+func WithTLS() Option {
+	return func(hsic *HeadscaleInContainer) {
+		cert, key, err := createCertificate()
+		if err != nil {
+			log.Fatalf("failed to create certificates for headscale test: %s", err)
+		}
+
+		// TODO(kradalby): Move somewhere appropriate
+		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_CERT_PATH=%s", tlsCertPath))
+		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_KEY_PATH=%s", tlsKeyPath))
+
+		hsic.tlsCert = cert
+		hsic.tlsKey = key
+	}
+}
+
 func WithConfigEnv(configEnv map[string]string) Option {
 	return func(hsic *HeadscaleInContainer) {
-		env := []string{}
-
 		for key, value := range configEnv {
-			env = append(env, fmt.Sprintf("%s=%s", key, value))
+			hsic.env = append(hsic.env, fmt.Sprintf("%s=%s", key, value))
 		}
+	}
+}

-		hsic.env = env
+func WithPort(port int) Option {
+	return func(hsic *HeadscaleInContainer) {
+		hsic.port = port
+	}
+}
+
+func WithTestName(testName string) Option {
+	return func(hsic *HeadscaleInContainer) {
+		hash, _ := headscale.GenerateRandomStringDNSSafe(hsicHashLength)
+
+		hostname := fmt.Sprintf("hs-%s-%s", testName, hash)
+		hsic.hostname = hostname
+	}
+}
+
+func WithHostnameAsServerURL() Option {
+	return func(hsic *HeadscaleInContainer) {
+		hsic.env = append(
+			hsic.env,
+			fmt.Sprintf("HEADSCALE_SERVER_URL=http://%s:%d",
+				hsic.GetHostname(),
+				hsic.port,
+			))
 	}
 }

 func New(
 	pool *dockertest.Pool,
-	port int,
 	network *dockertest.Network,
 	opts ...Option,
 ) (*HeadscaleInContainer, error) {
@@ -71,11 +122,10 @@ func New(
 	}

 	hostname := fmt.Sprintf("hs-%s", hash)
-	portProto := fmt.Sprintf("%d/tcp", port)

 	hsic := &HeadscaleInContainer{
 		hostname: hostname,
-		port:     port,
+		port:     headscaleDefaultPort,

 		pool:    pool,
 		network: network,
@@ -85,9 +135,9 @@ func New(
 		opt(hsic)
 	}

-	if hsic.aclPolicy != nil {
-		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_ACL_POLICY_PATH=%s", aclPolicyPath))
-	}
+	log.Println("NAME: ", hsic.hostname)
+
+	portProto := fmt.Sprintf("%d/tcp", hsic.port)

 	headscaleBuildOptions := &dockertest.BuildOptions{
 		Dockerfile: "Dockerfile.debug",
@@ -95,7 +145,7 @@ func New(
 	}

 	runOptions := &dockertest.RunOptions{
-		Name:         hostname,
+		Name:         hsic.hostname,
 		ExposedPorts: []string{portProto},
 		Networks:     []*dockertest.Network{network},
 		// Cmd:          []string{"headscale", "serve"},
@@ -108,7 +158,7 @@ func New(
 	// dockertest isnt very good at handling containers that has already
 	// been created, this is an attempt to make sure this container isnt
 	// present.
-	err = pool.RemoveContainerByName(hostname)
+	err = pool.RemoveContainerByName(hsic.hostname)
 	if err != nil {
 		return nil, err
 	}
@@ -123,7 +173,7 @@ func New(
 	if err != nil {
 		return nil, fmt.Errorf("could not start headscale container: %w", err)
 	}
-	log.Printf("Created %s container\n", hostname)
+	log.Printf("Created %s container\n", hsic.hostname)

 	hsic.container = container

@@ -144,9 +194,25 @@ func New(
 		}
 	}

+	if hsic.hasTLS() {
+		err = hsic.WriteFile(tlsCertPath, hsic.tlsCert)
+		if err != nil {
+			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
+		}
+
+		err = hsic.WriteFile(tlsKeyPath, hsic.tlsKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to write TLS key to container: %w", err)
+		}
+	}
+
 	return hsic, nil
 }

+func (t *HeadscaleInContainer) hasTLS() bool {
+	return len(t.tlsCert) != 0 && len(t.tlsKey) != 0
+}
+
 func (t *HeadscaleInContainer) Shutdown() error {
 	return t.pool.Purge(t.container)
 }
@@ -154,8 +220,6 @@ func (t *HeadscaleInContainer) Shutdown() error {
 func (t *HeadscaleInContainer) Execute(
 	command []string,
 ) (string, error) {
-	log.Println("command", command)
-	log.Printf("running command for %s\n", t.hostname)
 	stdout, stderr, err := dockertestutil.ExecuteCommand(
 		t.container,
 		command,
@@ -164,11 +228,11 @@ func (t *HeadscaleInContainer) Execute(
 	if err != nil {
 		log.Printf("command stderr: %s\n", stderr)

-		return "", err
-	}
+		if stdout != "" {
+			log.Printf("command stdout: %s\n", stdout)
+		}

-	if stdout != "" {
-		log.Printf("command stdout: %s\n", stdout)
+		return "", err
 	}

 	return stdout, nil
@@ -179,17 +243,11 @@ func (t *HeadscaleInContainer) GetIP() string {
 }

 func (t *HeadscaleInContainer) GetPort() string {
-	portProto := fmt.Sprintf("%d/tcp", t.port)
-
-	return t.container.GetPort(portProto)
+	return fmt.Sprintf("%d", t.port)
 }

 func (t *HeadscaleInContainer) GetHealthEndpoint() string {
-	hostEndpoint := fmt.Sprintf("%s:%d",
-		t.GetIP(),
-		t.port)
-
-	return fmt.Sprintf("http://%s/health", hostEndpoint)
+	return fmt.Sprintf("%s/health", t.GetEndpoint())
 }

 func (t *HeadscaleInContainer) GetEndpoint() string {
@@ -197,16 +255,36 @@ func (t *HeadscaleInContainer) GetEndpoint() string {
 		t.GetIP(),
 		t.port)

+	if t.hasTLS() {
+		return fmt.Sprintf("https://%s", hostEndpoint)
+	}
+
 	return fmt.Sprintf("http://%s", hostEndpoint)
 }

+func (t *HeadscaleInContainer) GetCert() []byte {
+	return t.tlsCert
+}
+
+func (t *HeadscaleInContainer) GetHostname() string {
+	return t.hostname
+}
+
 func (t *HeadscaleInContainer) WaitForReady() error {
 	url := t.GetHealthEndpoint()

 	log.Printf("waiting for headscale to be ready at %s", url)

+	client := &http.Client{}
+
+	if t.hasTLS() {
+		insecureTransport := http.DefaultTransport.(*http.Transport).Clone()      //nolint
+		insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint
+		client = &http.Client{Transport: insecureTransport}
+	}
+
 	return t.pool.Retry(func() error {
-		resp, err := http.Get(url) //nolint
+		resp, err := client.Get(url) //nolint
 		if err != nil {
 			return fmt.Errorf("headscale is not ready: %w", err)
 		}
@@ -294,55 +372,87 @@ func (t *HeadscaleInContainer) ListMachinesInNamespace(
 }

 func (t *HeadscaleInContainer) WriteFile(path string, data []byte) error {
-	dirPath, fileName := filepath.Split(path)
+	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
+}

-	file := bytes.NewReader(data)
+// nolint
+func createCertificate() ([]byte, []byte, error) {
+	// From:
+	// https://shaneutt.com/blog/golang-ca-and-signed-cert-go/

-	buf := bytes.NewBuffer([]byte{})
-
-	tarWriter := tar.NewWriter(buf)
-
-	header := &tar.Header{
-		Name: fileName,
-		Size: file.Size(),
-		// Mode:    int64(stat.Mode()),
-		// ModTime: stat.ModTime(),
-	}
-
-	err := tarWriter.WriteHeader(header)
-	if err != nil {
-		return fmt.Errorf("failed write file header to tar: %w", err)
-	}
-
-	_, err = io.Copy(tarWriter, file)
-	if err != nil {
-		return fmt.Errorf("failed to copy file to tar: %w", err)
-	}
-
-	err = tarWriter.Close()
-	if err != nil {
-		return fmt.Errorf("failed to close tar: %w", err)
-	}
-
-	log.Printf("tar: %s", buf.String())
-
-	// Ensure the directory is present inside the container
-	_, err = t.Execute([]string{"mkdir", "-p", dirPath})
-	if err != nil {
-		return fmt.Errorf("failed to ensure directory: %w", err)
-	}
-
-	err = t.pool.Client.UploadToContainer(
-		t.container.Container.ID,
-		docker.UploadToContainerOptions{
-			NoOverwriteDirNonDir: false,
-			Path:                 dirPath,
-			InputStream:          bytes.NewReader(buf.Bytes()),
+	ca := &x509.Certificate{
+		SerialNumber: big.NewInt(2019),
+		Subject: pkix.Name{
+			Organization: []string{"Headscale testing INC"},
+			Country:      []string{"NL"},
+			Locality:     []string{"Leiden"},
 		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(30 * time.Minute),
+		IsCA:      true,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageClientAuth,
+			x509.ExtKeyUsageServerAuth,
+		},
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+	}
+
+	caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	cert := &x509.Certificate{
+		SerialNumber: big.NewInt(1658),
+		Subject: pkix.Name{
+			Organization: []string{"Headscale testing INC"},
+			Country:      []string{"NL"},
+			Locality:     []string{"Leiden"},
+		},
+		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().Add(30 * time.Minute),
+		SubjectKeyId: []byte{1, 2, 3, 4, 6},
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+	}
+
+	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certBytes, err := x509.CreateCertificate(
+		rand.Reader,
+		cert,
+		ca,
+		&certPrivKey.PublicKey,
+		caPrivKey,
 	)
 	if err != nil {
-		return err
+		return nil, nil, err
 	}

-	return nil
+	certPEM := new(bytes.Buffer)
+
+	err = pem.Encode(certPEM, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certBytes,
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certPrivKeyPEM := new(bytes.Buffer)
+
+	err = pem.Encode(certPrivKeyPEM, &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return certPEM.Bytes(), certPrivKeyPEM.Bytes(), nil
 }
--- a/integration/integrationutil/util.go
+++ b/integration/integrationutil/util.go
@@ -0,0 +1,74 @@
+package integrationutil
+
+import (
+	"archive/tar"
+	"bytes"
+	"fmt"
+	"io"
+	"path/filepath"
+
+	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
+)
+
+func WriteFileToContainer(
+	pool *dockertest.Pool,
+	container *dockertest.Resource,
+	path string,
+	data []byte,
+) error {
+	dirPath, fileName := filepath.Split(path)
+
+	file := bytes.NewReader(data)
+
+	buf := bytes.NewBuffer([]byte{})
+
+	tarWriter := tar.NewWriter(buf)
+
+	header := &tar.Header{
+		Name: fileName,
+		Size: file.Size(),
+		// Mode:    int64(stat.Mode()),
+		// ModTime: stat.ModTime(),
+	}
+
+	err := tarWriter.WriteHeader(header)
+	if err != nil {
+		return fmt.Errorf("failed write file header to tar: %w", err)
+	}
+
+	_, err = io.Copy(tarWriter, file)
+	if err != nil {
+		return fmt.Errorf("failed to copy file to tar: %w", err)
+	}
+
+	err = tarWriter.Close()
+	if err != nil {
+		return fmt.Errorf("failed to close tar: %w", err)
+	}
+
+	// Ensure the directory is present inside the container
+	_, _, err = dockertestutil.ExecuteCommand(
+		container,
+		[]string{"mkdir", "-p", dirPath},
+		[]string{},
+	)
+	if err != nil {
+		return fmt.Errorf("failed to ensure directory: %w", err)
+	}
+
+	err = pool.Client.UploadToContainer(
+		container.Container.ID,
+		docker.UploadToContainerOptions{
+			NoOverwriteDirNonDir: false,
+			Path:                 dirPath,
+			InputStream:          bytes.NewReader(buf.Bytes()),
+		},
+	)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
--- a/integration/scenario.go
+++ b/integration/scenario.go
@@ -15,22 +15,29 @@ import (
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/ory/dockertest/v3"
+	"github.com/puzpuzpuz/xsync/v2"
 )

 const (
 	scenarioHashLength = 6
 	maxWait            = 60 * time.Second
-	headscalePort      = 8080
 )

 var (
 	errNoHeadscaleAvailable = errors.New("no headscale available")
 	errNoNamespaceAvailable = errors.New("no namespace available")
-	TailscaleVersions       = []string{
+
+	// Tailscale started adding TS2021 support in CapabilityVersion>=28 (v1.24.0), but
+	// proper support in Headscale was only added for CapabilityVersion>=39 clients (v1.30.0).
+	tailscaleVersions2021 = []string{
 		"head",
 		"unstable",
-		"1.32.1",
+		"1.34.0",
+		"1.32.3",
 		"1.30.2",
+	}
+
+	tailscaleVersions2019 = []string{
 		"1.28.0",
 		"1.26.2",
 		"1.24.2",
@@ -38,13 +45,20 @@ var (
 		"1.20.4",
 		"1.18.2",
 		"1.16.2",
-
-		// These versions seem to fail when fetching from apt.
-		// "1.14.6",
-		// "1.12.4",
-		// "1.10.2",
-		// "1.8.7",
 	}
+
+	// tailscaleVersionsUnavailable = []string{
+	// 	// These versions seem to fail when fetching from apt.
+	// 	"1.14.6",
+	// 	"1.12.4",
+	// 	"1.10.2",
+	// 	"1.8.7",
+	// }.
+
+	TailscaleVersions = append(
+		tailscaleVersions2021,
+		tailscaleVersions2019...,
+	)
 )

 type Namespace struct {
@@ -59,12 +73,14 @@ type Namespace struct {
 type Scenario struct {
 	// TODO(kradalby): support multiple headcales for later, currently only
 	// use one.
-	controlServers map[string]ControlServer
+	controlServers *xsync.MapOf[string, ControlServer]

 	namespaces map[string]*Namespace

 	pool    *dockertest.Pool
 	network *dockertest.Network
+
+	headscaleLock sync.Mutex
 }

 func NewScenario() (*Scenario, error) {
@@ -99,7 +115,7 @@ func NewScenario() (*Scenario, error) {
 	}

 	return &Scenario{
-		controlServers: make(map[string]ControlServer),
+		controlServers: xsync.NewMapOf[ControlServer](),
 		namespaces:     make(map[string]*Namespace),

 		pool:    pool,
@@ -108,12 +124,17 @@ func NewScenario() (*Scenario, error) {
 }

 func (s *Scenario) Shutdown() error {
-	for _, control := range s.controlServers {
+	s.controlServers.Range(func(_ string, control ControlServer) bool {
 		err := control.Shutdown()
 		if err != nil {
-			return fmt.Errorf("failed to tear down control: %w", err)
+			log.Printf(
+				"Failed to shut down control: %s",
+				fmt.Errorf("failed to tear down control: %w", err),
+			)
 		}
-	}
+
+		return true
+	})

 	for namespaceName, namespace := range s.namespaces {
 		for _, client := range namespace.Clients {
@@ -150,36 +171,31 @@ func (s *Scenario) Namespaces() []string {
 // Note: These functions assume that there is a _single_ headscale instance for now

 // TODO(kradalby): make port and headscale configurable, multiple instances support?
-func (s *Scenario) StartHeadscale() error {
-	headscale, err := hsic.New(s.pool, headscalePort, s.network,
-		hsic.WithACLPolicy(
-			&headscale.ACLPolicy{
-				ACLs: []headscale.ACL{
-					{
-						Action:       "accept",
-						Sources:      []string{"*"},
-						Destinations: []string{"*:*"},
-					},
-				},
-			},
-		),
-	)
-	if err != nil {
-		return fmt.Errorf("failed to create headscale container: %w", err)
+func (s *Scenario) Headscale(opts ...hsic.Option) (ControlServer, error) {
+	s.headscaleLock.Lock()
+	defer s.headscaleLock.Unlock()
+
+	if headscale, ok := s.controlServers.Load("headscale"); ok {
+		return headscale, nil
 	}

-	s.controlServers["headscale"] = headscale
+	headscale, err := hsic.New(s.pool, s.network, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create headscale container: %w", err)
+	}

-	return nil
-}
+	err = headscale.WaitForReady()
+	if err != nil {
+		return nil, fmt.Errorf("failed reach headscale container: %w", err)
+	}

-func (s *Scenario) Headscale() *hsic.HeadscaleInContainer {
-	//nolint
-	return s.controlServers["headscale"].(*hsic.HeadscaleInContainer)
+	s.controlServers.Store("headscale", headscale)
+
+	return headscale, nil
 }

 func (s *Scenario) CreatePreAuthKey(namespace string) (*v1.PreAuthKey, error) {
-	if headscale, ok := s.controlServers["headscale"]; ok {
+	if headscale, err := s.Headscale(); err == nil {
 		key, err := headscale.CreateAuthKey(namespace)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create namespace: %w", err)
@@ -192,7 +208,7 @@ func (s *Scenario) CreatePreAuthKey(namespace string) (*v1.PreAuthKey, error) {
 }

 func (s *Scenario) CreateNamespace(namespace string) error {
-	if headscale, ok := s.controlServers["headscale"]; ok {
+	if headscale, err := s.Headscale(); err == nil {
 		err := headscale.CreateNamespace(namespace)
 		if err != nil {
 			return fmt.Errorf("failed to create namespace: %w", err)
@@ -214,6 +230,7 @@ func (s *Scenario) CreateTailscaleNodesInNamespace(
 	namespaceStr string,
 	requestedVersion string,
 	count int,
+	opts ...tsic.Option,
 ) error {
 	if namespace, ok := s.namespaces[namespaceStr]; ok {
 		for i := 0; i < count; i++ {
@@ -222,16 +239,40 @@ func (s *Scenario) CreateTailscaleNodesInNamespace(
 				version = TailscaleVersions[i%len(TailscaleVersions)]
 			}

+			headscale, err := s.Headscale()
+			if err != nil {
+				return fmt.Errorf("failed to create tailscale node: %w", err)
+			}
+
+			cert := headscale.GetCert()
+			hostname := headscale.GetHostname()
+
 			namespace.createWaitGroup.Add(1)

+			opts = append(opts,
+				tsic.WithHeadscaleTLS(cert),
+				tsic.WithHeadscaleName(hostname),
+			)
+
 			go func() {
 				defer namespace.createWaitGroup.Done()

 				// TODO(kradalby): error handle this
-				tsClient, err := tsic.New(s.pool, version, s.network)
+				tsClient, err := tsic.New(
+					s.pool,
+					version,
+					s.network,
+					opts...,
+				)
 				if err != nil {
 					// return fmt.Errorf("failed to add tailscale node: %w", err)
-					log.Printf("failed to add tailscale node: %s", err)
+					log.Printf("failed to create tailscale node: %s", err)
+				}
+
+				err = tsClient.WaitForReady()
+				if err != nil {
+					// return fmt.Errorf("failed to add tailscale node: %w", err)
+					log.Printf("failed to wait for tailscaled: %s", err)
 				}

 				namespace.Clients[tsClient.Hostname()] = tsClient
@@ -258,7 +299,13 @@ func (s *Scenario) RunTailscaleUp(
 				// TODO(kradalby): error handle this
 				_ = c.Up(loginServer, authKey)
 			}(client)
+
+			err := client.WaitForReady()
+			if err != nil {
+				log.Printf("error waiting for client %s to be ready: %s", client.Hostname(), err)
+			}
 		}
+
 		namespace.joinWaitGroup.Wait()

 		return nil
@@ -300,13 +347,12 @@ func (s *Scenario) WaitForTailscaleSync() error {
 // CreateHeadscaleEnv is a conventient method returning a set up Headcale
 // test environment with nodes of all versions, joined to the server with X
 // namespaces.
-func (s *Scenario) CreateHeadscaleEnv(namespaces map[string]int) error {
-	err := s.StartHeadscale()
-	if err != nil {
-		return err
-	}
-
-	err = s.Headscale().WaitForReady()
+func (s *Scenario) CreateHeadscaleEnv(
+	namespaces map[string]int,
+	tsOpts []tsic.Option,
+	opts ...hsic.Option,
+) error {
+	headscale, err := s.Headscale(opts...)
 	if err != nil {
 		return err
 	}
@@ -317,7 +363,7 @@ func (s *Scenario) CreateHeadscaleEnv(namespaces map[string]int) error {
 			return err
 		}

-		err = s.CreateTailscaleNodesInNamespace(namespaceName, "all", clientCount)
+		err = s.CreateTailscaleNodesInNamespace(namespaceName, "all", clientCount, tsOpts...)
 		if err != nil {
 			return err
 		}
@@ -327,7 +373,7 @@ func (s *Scenario) CreateHeadscaleEnv(namespaces map[string]int) error {
 			return err
 		}

-		err = s.RunTailscaleUp(namespaceName, s.Headscale().GetEndpoint(), key.GetKey())
+		err = s.RunTailscaleUp(namespaceName, headscale.GetEndpoint(), key.GetKey())
 		if err != nil {
 			return err
 		}
--- a/integration/scenario_test.go
+++ b/integration/scenario_test.go
@@ -6,7 +6,7 @@ import (
 	"github.com/juanfont/headscale/integration/dockertestutil"
 )

-// This file is intendet to "test the test framework", by proxy it will also test
+// This file is intended to "test the test framework", by proxy it will also test
 // some Headcsale/Tailscale stuff, but mostly in very simple ways.

 func IntegrationSkip(t *testing.T) {
@@ -21,8 +21,13 @@ func IntegrationSkip(t *testing.T) {
 	}
 }

+// If subtests are parallel, then they will start before setup is run.
+// This might mean we approach setup slightly wrong, but for now, ignore
+// the linter
+// nolint:tparallel
 func TestHeadscale(t *testing.T) {
 	IntegrationSkip(t)
+	t.Parallel()

 	var err error

@@ -34,12 +39,12 @@ func TestHeadscale(t *testing.T) {
 	}

 	t.Run("start-headscale", func(t *testing.T) {
-		err = scenario.StartHeadscale()
+		headscale, err := scenario.Headscale()
 		if err != nil {
 			t.Errorf("failed to create start headcale: %s", err)
 		}

-		err = scenario.Headscale().WaitForReady()
+		err = headscale.WaitForReady()
 		if err != nil {
 			t.Errorf("headscale failed to become ready: %s", err)
 		}
@@ -69,8 +74,13 @@ func TestHeadscale(t *testing.T) {
 	}
 }

+// If subtests are parallel, then they will start before setup is run.
+// This might mean we approach setup slightly wrong, but for now, ignore
+// the linter
+// nolint:tparallel
 func TestCreateTailscale(t *testing.T) {
 	IntegrationSkip(t)
+	t.Parallel()

 	namespace := "only-create-containers"

@@ -102,8 +112,13 @@ func TestCreateTailscale(t *testing.T) {
 	}
 }

+// If subtests are parallel, then they will start before setup is run.
+// This might mean we approach setup slightly wrong, but for now, ignore
+// the linter
+// nolint:tparallel
 func TestTailscaleNodesJoiningHeadcale(t *testing.T) {
 	IntegrationSkip(t)
+	t.Parallel()

 	var err error

@@ -117,12 +132,11 @@ func TestTailscaleNodesJoiningHeadcale(t *testing.T) {
 	}

 	t.Run("start-headscale", func(t *testing.T) {
-		err = scenario.StartHeadscale()
+		headscale, err := scenario.Headscale()
 		if err != nil {
 			t.Errorf("failed to create start headcale: %s", err)
 		}

-		headscale := scenario.Headscale()
 		err = headscale.WaitForReady()
 		if err != nil {
 			t.Errorf("headscale failed to become ready: %s", err)
@@ -157,7 +171,16 @@ func TestTailscaleNodesJoiningHeadcale(t *testing.T) {
 			t.Errorf("failed to create preauthkey: %s", err)
 		}

-		err = scenario.RunTailscaleUp(namespace, scenario.Headscale().GetEndpoint(), key.GetKey())
+		headscale, err := scenario.Headscale()
+		if err != nil {
+			t.Errorf("failed to create start headcale: %s", err)
+		}
+
+		err = scenario.RunTailscaleUp(
+			namespace,
+			headscale.GetEndpoint(),
+			key.GetKey(),
+		)
 		if err != nil {
 			t.Errorf("failed to login: %s", err)
 		}
--- a/integration/ssh_test.go
+++ b/integration/ssh_test.go
@@ -0,0 +1,519 @@
+package integration
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/juanfont/headscale"
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/stretchr/testify/assert"
+)
+
+var retry = func(times int, sleepInterval time.Duration,
+	doWork func() (string, string, error),
+) (string, string, error) {
+	var result string
+	var stderr string
+	var err error
+
+	for attempts := 0; attempts < times; attempts++ {
+		tempResult, tempStderr, err := doWork()
+
+		result += tempResult
+		stderr += tempStderr
+
+		if err == nil {
+			return result, stderr, nil
+		}
+
+		// If we get a permission denied error, we can fail immediately
+		// since that is something we wont recover from by retrying.
+		if err != nil && strings.Contains(stderr, "Permission denied (tailscale)") {
+			return result, stderr, err
+		}
+
+		time.Sleep(sleepInterval)
+	}
+
+	return result, stderr, err
+}
+
+func TestSSHOneNamespaceAllToAll(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions) - 5,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{tsic.WithSSH()},
+		hsic.WithACLPolicy(
+			&headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:integration-test": {"namespace1"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:*"},
+					},
+				},
+				SSHs: []headscale.SSH{
+					{
+						Action:       "accept",
+						Sources:      []string{"group:integration-test"},
+						Destinations: []string{"group:integration-test"},
+						Users:        []string{"ssh-it-user"},
+					},
+				},
+			},
+		),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
+		}),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	for _, client := range allClients {
+		for _, peer := range allClients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHHostname(t, client, peer)
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestSSHMultipleNamespacesAllToAll(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions) - 5,
+		"namespace2": len(TailscaleVersions) - 5,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{tsic.WithSSH()},
+		hsic.WithACLPolicy(
+			&headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:integration-test": {"namespace1", "namespace2"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:*"},
+					},
+				},
+				SSHs: []headscale.SSH{
+					{
+						Action:       "accept",
+						Sources:      []string{"group:integration-test"},
+						Destinations: []string{"group:integration-test"},
+						Users:        []string{"ssh-it-user"},
+					},
+				},
+			},
+		),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
+		}),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	nsOneClients, err := scenario.ListTailscaleClients("namespace1")
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	nsTwoClients, err := scenario.ListTailscaleClients("namespace2")
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	testInterNamespaceSSH := func(sourceClients []TailscaleClient, targetClients []TailscaleClient) {
+		for _, client := range sourceClients {
+			for _, peer := range targetClients {
+				assertSSHHostname(t, client, peer)
+			}
+		}
+	}
+
+	testInterNamespaceSSH(nsOneClients, nsTwoClients)
+	testInterNamespaceSSH(nsTwoClients, nsOneClients)
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestSSHNoSSHConfigured(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions) - 5,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{tsic.WithSSH()},
+		hsic.WithACLPolicy(
+			&headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:integration-test": {"namespace1"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:*"},
+					},
+				},
+				SSHs: []headscale.SSH{},
+			},
+		),
+		hsic.WithTestName("sshnoneconfigured"),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
+		}),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	for _, client := range allClients {
+		for _, peer := range allClients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHPermissionDenied(t, client, peer)
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestSSHIsBlockedInACL(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions) - 5,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{tsic.WithSSH()},
+		hsic.WithACLPolicy(
+			&headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:integration-test": {"namespace1"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:80"},
+					},
+				},
+				SSHs: []headscale.SSH{
+					{
+						Action:       "accept",
+						Sources:      []string{"group:integration-test"},
+						Destinations: []string{"group:integration-test"},
+						Users:        []string{"ssh-it-user"},
+					},
+				},
+			},
+		),
+		hsic.WithTestName("sshisblockedinacl"),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
+		}),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	for _, client := range allClients {
+		for _, peer := range allClients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHTimeout(t, client, peer)
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestSSNamespaceOnlyIsolation(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespaceacl1": len(TailscaleVersions) - 5,
+		"namespaceacl2": len(TailscaleVersions) - 5,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{tsic.WithSSH()},
+		hsic.WithACLPolicy(
+			&headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:ssh1": {"namespaceacl1"},
+					"group:ssh2": {"namespaceacl2"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:*"},
+					},
+				},
+				SSHs: []headscale.SSH{
+					{
+						Action:       "accept",
+						Sources:      []string{"group:ssh1"},
+						Destinations: []string{"group:ssh1"},
+						Users:        []string{"ssh-it-user"},
+					},
+					{
+						Action:       "accept",
+						Sources:      []string{"group:ssh2"},
+						Destinations: []string{"group:ssh2"},
+						Users:        []string{"ssh-it-user"},
+					},
+				},
+			},
+		),
+		hsic.WithTestName("sshtwonamespaceaclblock"),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
+		}),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	ssh1Clients, err := scenario.ListTailscaleClients("namespaceacl1")
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	ssh2Clients, err := scenario.ListTailscaleClients("namespaceacl2")
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	// TODO(kradalby,evenh): ACLs do currently not cover reject
+	// cases properly, and currently will accept all incomming connections
+	// as long as a rule is present.
+	//
+	// for _, client := range ssh1Clients {
+	// 	for _, peer := range ssh2Clients {
+	// 		if client.Hostname() == peer.Hostname() {
+	// 			continue
+	// 		}
+	//
+	// 		assertSSHPermissionDenied(t, client, peer)
+	// 	}
+	// }
+	//
+	// for _, client := range ssh2Clients {
+	// 	for _, peer := range ssh1Clients {
+	// 		if client.Hostname() == peer.Hostname() {
+	// 			continue
+	// 		}
+	//
+	// 		assertSSHPermissionDenied(t, client, peer)
+	// 	}
+	// }
+
+	for _, client := range ssh1Clients {
+		for _, peer := range ssh1Clients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHHostname(t, client, peer)
+		}
+	}
+
+	for _, client := range ssh2Clients {
+		for _, peer := range ssh2Clients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHHostname(t, client, peer)
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func doSSH(t *testing.T, client TailscaleClient, peer TailscaleClient) (string, string, error) {
+	t.Helper()
+
+	peerFQDN, _ := peer.FQDN()
+
+	command := []string{
+		"ssh", "-o StrictHostKeyChecking=no", "-o ConnectTimeout=1",
+		fmt.Sprintf("%s@%s", "ssh-it-user", peerFQDN),
+		"'hostname'",
+	}
+
+	return retry(10, 1*time.Second, func() (string, string, error) {
+		return client.Execute(command)
+	})
+}
+
+func assertSSHHostname(t *testing.T, client TailscaleClient, peer TailscaleClient) {
+	t.Helper()
+
+	result, _, err := doSSH(t, client, peer)
+	assert.NoError(t, err)
+
+	assert.Contains(t, peer.ID(), strings.ReplaceAll(result, "\n", ""))
+}
+
+func assertSSHPermissionDenied(t *testing.T, client TailscaleClient, peer TailscaleClient) {
+	t.Helper()
+
+	result, stderr, err := doSSH(t, client, peer)
+	assert.Error(t, err)
+
+	assert.Empty(t, result)
+
+	assert.Contains(t, stderr, "Permission denied (tailscale)")
+}
+
+func assertSSHTimeout(t *testing.T, client TailscaleClient, peer TailscaleClient) {
+	t.Helper()
+
+	result, stderr, err := doSSH(t, client, peer)
+	assert.NoError(t, err)
+
+	assert.Empty(t, result)
+
+	assert.Contains(t, stderr, "Connection timed out")
+}
--- a/integration/tailscale.go
+++ b/integration/tailscale.go
@@ -2,19 +2,24 @@ package integration

 import (
 	"net/netip"
+	"net/url"

 	"tailscale.com/ipn/ipnstate"
 )

+//nolint
 type TailscaleClient interface {
 	Hostname() string
 	Shutdown() error
 	Version() string
-	Execute(command []string) (string, error)
+	Execute(command []string) (string, string, error)
 	Up(loginServer, authKey string) error
+	UpWithLoginURL(loginServer string) (*url.URL, error)
 	IPs() ([]netip.Addr, error)
 	FQDN() (string, error)
 	Status() (*ipnstate.Status, error)
+	WaitForReady() error
 	WaitForPeers(expected int) error
 	Ping(hostnameOrIP string) error
+	ID() string
 }
--- a/integration/tsic/tsic.go
+++ b/integration/tsic/tsic.go
@@ -6,11 +6,13 @@ import (
 	"fmt"
 	"log"
 	"net/netip"
+	"net/url"
 	"strings"

 	"github.com/cenkalti/backoff/v4"
 	"github.com/juanfont/headscale"
 	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/juanfont/headscale/integration/integrationutil"
 	"github.com/ory/dockertest/v3"
 	"github.com/ory/dockertest/v3/docker"
 	"tailscale.com/ipn/ipnstate"
@@ -19,12 +21,15 @@ import (
 const (
 	tsicHashLength    = 6
 	dockerContextPath = "../."
+	headscaleCertPath = "/usr/local/share/ca-certificates/headscale.crt"
 )

 var (
-	errTailscalePingFailed     = errors.New("ping failed")
-	errTailscaleNotLoggedIn    = errors.New("tailscale not logged in")
-	errTailscaleWrongPeerCount = errors.New("wrong peer count")
+	errTailscalePingFailed             = errors.New("ping failed")
+	errTailscaleNotLoggedIn            = errors.New("tailscale not logged in")
+	errTailscaleWrongPeerCount         = errors.New("wrong peer count")
+	errTailscaleCannotUpWithoutAuthkey = errors.New("cannot up without authkey")
+	errTailscaleNotConnected           = errors.New("tailscale not connected")
 )

 type TailscaleInContainer struct {
@@ -38,12 +43,58 @@ type TailscaleInContainer struct {
 	// "cache"
 	ips  []netip.Addr
 	fqdn string
+
+	// optional config
+	headscaleCert     []byte
+	headscaleHostname string
+	withSSH           bool
+}
+
+type Option = func(c *TailscaleInContainer)
+
+func WithHeadscaleTLS(cert []byte) Option {
+	return func(tsic *TailscaleInContainer) {
+		tsic.headscaleCert = cert
+	}
+}
+
+func WithOrCreateNetwork(network *dockertest.Network) Option {
+	return func(tsic *TailscaleInContainer) {
+		if network != nil {
+			tsic.network = network
+
+			return
+		}
+
+		network, err := dockertestutil.GetFirstOrCreateNetwork(
+			tsic.pool,
+			fmt.Sprintf("%s-network", tsic.hostname),
+		)
+		if err != nil {
+			log.Fatalf("failed to create network: %s", err)
+		}
+
+		tsic.network = network
+	}
+}
+
+func WithHeadscaleName(hsName string) Option {
+	return func(tsic *TailscaleInContainer) {
+		tsic.headscaleHostname = hsName
+	}
+}
+
+func WithSSH() Option {
+	return func(tsic *TailscaleInContainer) {
+		tsic.withSSH = true
+	}
 }

 func New(
 	pool *dockertest.Pool,
 	version string,
 	network *dockertest.Network,
+	opts ...Option,
 ) (*TailscaleInContainer, error) {
 	hash, err := headscale.GenerateRandomStringDNSSafe(tsicHashLength)
 	if err != nil {
@@ -52,20 +103,38 @@ func New(

 	hostname := fmt.Sprintf("ts-%s-%s", strings.ReplaceAll(version, ".", "-"), hash)

-	// TODO(kradalby): figure out why we need to "refresh" the network here.
-	// network, err = dockertestutil.GetFirstOrCreateNetwork(pool, network.Network.Name)
-	// if err != nil {
-	// 	return nil, err
-	// }
+	tsic := &TailscaleInContainer{
+		version:  version,
+		hostname: hostname,
+
+		pool:    pool,
+		network: network,
+	}
+
+	for _, opt := range opts {
+		opt(tsic)
+	}

 	tailscaleOptions := &dockertest.RunOptions{
 		Name:     hostname,
 		Networks: []*dockertest.Network{network},
-		Cmd: []string{
-			"tailscaled", "--tun=tsdev",
+		// Cmd: []string{
+		// 	"tailscaled", "--tun=tsdev",
+		// },
+		Entrypoint: []string{
+			"/bin/bash",
+			"-c",
+			"/bin/sleep 3 ; update-ca-certificates ; tailscaled --tun=tsdev",
 		},
 	}

+	if tsic.headscaleHostname != "" {
+		tailscaleOptions.ExtraHosts = []string{
+			"host.docker.internal:host-gateway",
+			fmt.Sprintf("%s:host-gateway", tsic.headscaleHostname),
+		}
+	}
+
 	// dockertest isnt very good at handling containers that has already
 	// been created, this is an attempt to make sure this container isnt
 	// present.
@@ -86,14 +155,20 @@ func New(
 	}
 	log.Printf("Created %s container\n", hostname)

-	return &TailscaleInContainer{
-		version:  version,
-		hostname: hostname,
+	tsic.container = container

-		pool:      pool,
-		container: container,
-		network:   network,
-	}, nil
+	if tsic.hasTLS() {
+		err = tsic.WriteFile(headscaleCertPath, tsic.headscaleCert)
+		if err != nil {
+			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
+		}
+	}
+
+	return tsic, nil
+}
+
+func (t *TailscaleInContainer) hasTLS() bool {
+	return len(t.headscaleCert) != 0
 }

 func (t *TailscaleInContainer) Shutdown() error {
@@ -108,11 +183,13 @@ func (t *TailscaleInContainer) Version() string {
 	return t.version
 }

+func (t *TailscaleInContainer) ID() string {
+	return t.container.Container.ID
+}
+
 func (t *TailscaleInContainer) Execute(
 	command []string,
-) (string, error) {
-	log.Println("command", command)
-	log.Printf("running command for %s\n", t.hostname)
+) (string, string, error) {
 	stdout, stderr, err := dockertestutil.ExecuteCommand(
 		t.container,
 		command,
@@ -126,13 +203,13 @@ func (t *TailscaleInContainer) Execute(
 		}

 		if strings.Contains(stderr, "NeedsLogin") {
-			return "", errTailscaleNotLoggedIn
+			return stdout, stderr, errTailscaleNotLoggedIn
 		}

-		return "", err
+		return stdout, stderr, err
 	}

-	return stdout, nil
+	return stdout, stderr, nil
 }

 func (t *TailscaleInContainer) Up(
@@ -149,13 +226,49 @@ func (t *TailscaleInContainer) Up(
 		t.hostname,
 	}

-	if _, err := t.Execute(command); err != nil {
+	if t.withSSH {
+		command = append(command, "--ssh")
+	}
+
+	if _, _, err := t.Execute(command); err != nil {
 		return fmt.Errorf("failed to join tailscale client: %w", err)
 	}

 	return nil
 }

+func (t *TailscaleInContainer) UpWithLoginURL(
+	loginServer string,
+) (*url.URL, error) {
+	command := []string{
+		"tailscale",
+		"up",
+		"-login-server",
+		loginServer,
+		"--hostname",
+		t.hostname,
+	}
+
+	_, stderr, err := t.Execute(command)
+	if errors.Is(err, errTailscaleNotLoggedIn) {
+		return nil, errTailscaleCannotUpWithoutAuthkey
+	}
+
+	urlStr := strings.ReplaceAll(stderr, "\nTo authenticate, visit:\n\n\t", "")
+	urlStr = strings.TrimSpace(urlStr)
+
+	// parse URL
+	loginURL, err := url.Parse(urlStr)
+	if err != nil {
+		log.Printf("Could not parse login URL: %s", err)
+		log.Printf("Original join command result: %s", stderr)
+
+		return nil, err
+	}
+
+	return loginURL, nil
+}
+
 func (t *TailscaleInContainer) IPs() ([]netip.Addr, error) {
 	if t.ips != nil && len(t.ips) != 0 {
 		return t.ips, nil
@@ -168,7 +281,7 @@ func (t *TailscaleInContainer) IPs() ([]netip.Addr, error) {
 		"ip",
 	}

-	result, err := t.Execute(command)
+	result, _, err := t.Execute(command)
 	if err != nil {
 		return []netip.Addr{}, fmt.Errorf("failed to join tailscale client: %w", err)
 	}
@@ -195,7 +308,7 @@ func (t *TailscaleInContainer) Status() (*ipnstate.Status, error) {
 		"--json",
 	}

-	result, err := t.Execute(command)
+	result, _, err := t.Execute(command)
 	if err != nil {
 		return nil, fmt.Errorf("failed to execute tailscale status command: %w", err)
 	}
@@ -222,6 +335,21 @@ func (t *TailscaleInContainer) FQDN() (string, error) {
 	return status.Self.DNSName, nil
 }

+func (t *TailscaleInContainer) WaitForReady() error {
+	return t.pool.Retry(func() error {
+		status, err := t.Status()
+		if err != nil {
+			return fmt.Errorf("failed to fetch tailscale status: %w", err)
+		}
+
+		if status.CurrentTailnet != nil {
+			return nil
+		}
+
+		return errTailscaleNotConnected
+	})
+}
+
 func (t *TailscaleInContainer) WaitForPeers(expected int) error {
 	return t.pool.Retry(func() error {
 		status, err := t.Status()
@@ -248,7 +376,7 @@ func (t *TailscaleInContainer) Ping(hostnameOrIP string) error {
 			hostnameOrIP,
 		}

-		result, err := t.Execute(command)
+		result, _, err := t.Execute(command)
 		if err != nil {
 			log.Printf(
 				"failed to run ping command from %s to %s, err: %s",
@@ -268,6 +396,10 @@ func (t *TailscaleInContainer) Ping(hostnameOrIP string) error {
 	})
 }

+func (t *TailscaleInContainer) WriteFile(path string, data []byte) error {
+	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
+}
+
 func createTailscaleBuildOptions(version string) *dockertest.BuildOptions {
 	var tailscaleBuildOptions *dockertest.BuildOptions
 	switch version {
--- a/integration_cli_test.go
+++ b/integration_cli_test.go
@@ -1,4 +1,4 @@
-//nolint
+// nolint
 package headscale

 import (
@@ -558,8 +558,8 @@ func (s *IntegrationCLITestSuite) TestNodeTagCommand() {
 	assert.Nil(s.T(), err)

 	machineKeys := []string{
-		"9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-		"6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
+		"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		"nodekey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
 	}
 	machines := make([]*v1.Machine, len(machineKeys))
 	assert.Nil(s.T(), err)
@@ -691,11 +691,11 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {

 	// Randomly generated machine keys
 	machineKeys := []string{
-		"9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-		"6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
-		"f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-		"8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
-		"cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		"nodekey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
+		"nodekey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		"nodekey:8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
+		"nodekey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
 	}
 	machines := make([]*v1.Machine, len(machineKeys))
 	assert.Nil(s.T(), err)
@@ -779,8 +779,8 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 	assert.Equal(s.T(), "machine-5", listAll[4].Name)

 	otherNamespaceMachineKeys := []string{
-		"b5b444774186d4217adcec407563a1223929465ee2c68a4da13af0d0185b4f8e",
-		"dc721977ac7415aafa87f7d4574cbe07c6b171834a6d37375782bdc1fb6b3584",
+		"nodekey:b5b444774186d4217adcec407563a1223929465ee2c68a4da13af0d0185b4f8e",
+		"nodekey:dc721977ac7415aafa87f7d4574cbe07c6b171834a6d37375782bdc1fb6b3584",
 	}
 	otherNamespaceMachines := make([]*v1.Machine, len(otherNamespaceMachineKeys))
 	assert.Nil(s.T(), err)
@@ -950,11 +950,11 @@ func (s *IntegrationCLITestSuite) TestNodeExpireCommand() {

 	// Randomly generated machine keys
 	machineKeys := []string{
-		"9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-		"6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
-		"f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-		"8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
-		"cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		"nodekey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
+		"nodekey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		"nodekey:8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
+		"nodekey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
 	}
 	machines := make([]*v1.Machine, len(machineKeys))
 	assert.Nil(s.T(), err)
@@ -1077,11 +1077,11 @@ func (s *IntegrationCLITestSuite) TestNodeRenameCommand() {

 	// Randomly generated machine keys
 	machineKeys := []string{
-		"cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
-		"8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
-		"f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-		"6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
-		"9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		"nodekey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		"nodekey:8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
+		"nodekey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		"nodekey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
+		"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
 	}
 	machines := make([]*v1.Machine, len(machineKeys))
 	assert.Nil(s.T(), err)
@@ -1243,199 +1243,6 @@ func (s *IntegrationCLITestSuite) TestNodeRenameCommand() {
 	assert.Contains(s.T(), listAllAfterRenameAttempt[4].GetGivenName(), "machine-5")
 }

-func (s *IntegrationCLITestSuite) TestRouteCommand() {
-	namespace, err := s.createNamespace("routes-namespace")
-	assert.Nil(s.T(), err)
-
-	// Randomly generated machine keys
-	machineKey := "9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe"
-
-	_, _, err = ExecuteCommand(
-		&s.headscale,
-		[]string{
-			"headscale",
-			"debug",
-			"create-node",
-			"--name",
-			"route-machine",
-			"--namespace",
-			namespace.Name,
-			"--key",
-			machineKey,
-			"--route",
-			"10.0.0.0/8",
-			"--route",
-			"192.168.1.0/24",
-			"--output",
-			"json",
-		},
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-
-	machineResult, _, err := ExecuteCommand(
-		&s.headscale,
-		[]string{
-			"headscale",
-			"nodes",
-			"--namespace",
-			namespace.Name,
-			"register",
-			"--key",
-			machineKey,
-			"--output",
-			"json",
-		},
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-
-	var machine v1.Machine
-	err = json.Unmarshal([]byte(machineResult), &machine)
-	assert.Nil(s.T(), err)
-
-	assert.Equal(s.T(), uint64(1), machine.Id)
-	assert.Equal(s.T(), "route-machine", machine.Name)
-
-	listAllResult, _, err := ExecuteCommand(
-		&s.headscale,
-		[]string{
-			"headscale",
-			"routes",
-			"list",
-			"--output",
-			"json",
-			"--identifier",
-			"0",
-		},
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-
-	var listAll v1.Routes
-	err = json.Unmarshal([]byte(listAllResult), &listAll)
-	assert.Nil(s.T(), err)
-
-	assert.Len(s.T(), listAll.AdvertisedRoutes, 2)
-	assert.Contains(s.T(), listAll.AdvertisedRoutes, "10.0.0.0/8")
-	assert.Contains(s.T(), listAll.AdvertisedRoutes, "192.168.1.0/24")
-
-	assert.Empty(s.T(), listAll.EnabledRoutes)
-
-	enableTwoRoutesResult, _, err := ExecuteCommand(
-		&s.headscale,
-		[]string{
-			"headscale",
-			"routes",
-			"enable",
-			"--output",
-			"json",
-			"--identifier",
-			"0",
-			"--route",
-			"10.0.0.0/8",
-			"--route",
-			"192.168.1.0/24",
-		},
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-
-	var enableTwoRoutes v1.Routes
-	err = json.Unmarshal([]byte(enableTwoRoutesResult), &enableTwoRoutes)
-	assert.Nil(s.T(), err)
-
-	assert.Len(s.T(), enableTwoRoutes.AdvertisedRoutes, 2)
-	assert.Contains(s.T(), enableTwoRoutes.AdvertisedRoutes, "10.0.0.0/8")
-	assert.Contains(s.T(), enableTwoRoutes.AdvertisedRoutes, "192.168.1.0/24")
-
-	assert.Len(s.T(), enableTwoRoutes.EnabledRoutes, 2)
-	assert.Contains(s.T(), enableTwoRoutes.EnabledRoutes, "10.0.0.0/8")
-	assert.Contains(s.T(), enableTwoRoutes.EnabledRoutes, "192.168.1.0/24")
-
-	// Enable only one route, effectively disabling one of the routes
-	enableOneRouteResult, _, err := ExecuteCommand(
-		&s.headscale,
-		[]string{
-			"headscale",
-			"routes",
-			"enable",
-			"--output",
-			"json",
-			"--identifier",
-			"0",
-			"--route",
-			"10.0.0.0/8",
-		},
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-
-	var enableOneRoute v1.Routes
-	err = json.Unmarshal([]byte(enableOneRouteResult), &enableOneRoute)
-	assert.Nil(s.T(), err)
-
-	assert.Len(s.T(), enableOneRoute.AdvertisedRoutes, 2)
-	assert.Contains(s.T(), enableOneRoute.AdvertisedRoutes, "10.0.0.0/8")
-	assert.Contains(s.T(), enableOneRoute.AdvertisedRoutes, "192.168.1.0/24")
-
-	assert.Len(s.T(), enableOneRoute.EnabledRoutes, 1)
-	assert.Contains(s.T(), enableOneRoute.EnabledRoutes, "10.0.0.0/8")
-
-	// Enable only one route, effectively disabling one of the routes
-	failEnableNonAdvertisedRoute, _, err := ExecuteCommand(
-		&s.headscale,
-		[]string{
-			"headscale",
-			"routes",
-			"enable",
-			"--output",
-			"json",
-			"--identifier",
-			"0",
-			"--route",
-			"11.0.0.0/8",
-		},
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-
-	assert.Contains(
-		s.T(),
-		string(failEnableNonAdvertisedRoute),
-		"route (route-machine) is not available on node",
-	)
-
-	// Enable all routes on host
-	enableAllRouteResult, _, err := ExecuteCommand(
-		&s.headscale,
-		[]string{
-			"headscale",
-			"routes",
-			"enable",
-			"--output",
-			"json",
-			"--identifier",
-			"0",
-			"--all",
-		},
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-
-	var enableAllRoute v1.Routes
-	err = json.Unmarshal([]byte(enableAllRouteResult), &enableAllRoute)
-	assert.Nil(s.T(), err)
-
-	assert.Len(s.T(), enableAllRoute.AdvertisedRoutes, 2)
-	assert.Contains(s.T(), enableAllRoute.AdvertisedRoutes, "10.0.0.0/8")
-	assert.Contains(s.T(), enableAllRoute.AdvertisedRoutes, "192.168.1.0/24")
-
-	assert.Len(s.T(), enableAllRoute.EnabledRoutes, 2)
-	assert.Contains(s.T(), enableAllRoute.EnabledRoutes, "10.0.0.0/8")
-	assert.Contains(s.T(), enableAllRoute.EnabledRoutes, "192.168.1.0/24")
-}
-
 func (s *IntegrationCLITestSuite) TestApiKeyCommand() {
 	count := 5

@@ -1588,7 +1395,7 @@ func (s *IntegrationCLITestSuite) TestNodeMoveCommand() {
 	assert.Nil(s.T(), err)

 	// Randomly generated machine key
-	machineKey := "688411b767663479632d44140f08a9fde87383adc7cdeb518f62ce28a17ef0aa"
+	machineKey := "nodekey:688411b767663479632d44140f08a9fde87383adc7cdeb518f62ce28a17ef0aa"

 	_, _, err = ExecuteCommand(
 		&s.headscale,
--- a/integration_common_test.go
+++ b/integration_common_test.go
@@ -32,7 +32,8 @@ var (
 	tailscaleVersions = []string{
 		"head",
 		"unstable",
-		"1.32.0",
+		"1.34.0",
+		"1.32.3",
 		"1.30.2",
 		"1.28.0",
 		"1.26.2",
--- a/integration_oidc_test.go
+++ b/integration_oidc_test.go
@@ -1,558 +0,0 @@
-//nolint
-package headscale
-
-import (
-	"bytes"
-	"context"
-	"crypto/tls"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"net/url"
-	"os"
-	"path"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/ory/dockertest/v3"
-	"github.com/ory/dockertest/v3/docker"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/suite"
-)
-
-const (
-	oidcHeadscaleHostname = "headscale-oidc"
-	oidcMockHostname      = "headscale-mock-oidc"
-	oidcNamespaceName     = "oidcnamespace"
-	totalOidcContainers   = 3
-)
-
-type IntegrationOIDCTestSuite struct {
-	suite.Suite
-	stats *suite.SuiteInformation
-
-	pool      dockertest.Pool
-	network   dockertest.Network
-	headscale dockertest.Resource
-	mockOidc  dockertest.Resource
-	saveLogs  bool
-
-	tailscales    map[string]dockertest.Resource
-	joinWaitGroup sync.WaitGroup
-}
-
-func TestIntegrationOIDCTestSuite(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping integration tests due to short flag")
-	}
-
-	saveLogs, err := GetEnvBool("HEADSCALE_INTEGRATION_SAVE_LOG")
-	if err != nil {
-		saveLogs = false
-	}
-
-	s := new(IntegrationOIDCTestSuite)
-
-	s.tailscales = make(map[string]dockertest.Resource)
-	s.saveLogs = saveLogs
-
-	suite.Run(t, s)
-
-	// HandleStats, which allows us to check if we passed and save logs
-	// is called after TearDown, so we cannot tear down containers before
-	// we have potentially saved the logs.
-	if s.saveLogs {
-		for _, tailscale := range s.tailscales {
-			if err := s.pool.Purge(&tailscale); err != nil {
-				log.Printf("Could not purge resource: %s\n", err)
-			}
-		}
-
-		if !s.stats.Passed() {
-			err := s.saveLog(&s.headscale, "test_output")
-			if err != nil {
-				log.Printf("Could not save log: %s\n", err)
-			}
-		}
-
-		if err := s.pool.Purge(&s.mockOidc); err != nil {
-			log.Printf("Could not purge resource: %s\n", err)
-		}
-
-		if err := s.pool.Purge(&s.headscale); err != nil {
-			t.Logf("Could not purge resource: %s\n", err)
-		}
-
-		if err := s.network.Close(); err != nil {
-			log.Printf("Could not close network: %s\n", err)
-		}
-	}
-}
-
-func (s *IntegrationOIDCTestSuite) SetupSuite() {
-	if ppool, err := dockertest.NewPool(""); err == nil {
-		s.pool = *ppool
-	} else {
-		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
-	}
-
-	network, err := GetFirstOrCreateNetwork(&s.pool, headscaleNetwork)
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Failed to create or get network: %s", err), "")
-	}
-	s.network = network
-
-	log.Printf("Network config: %v", s.network.Network.IPAM.Config[0])
-
-	s.Suite.T().Log("Setting up mock OIDC")
-	mockOidcOptions := &dockertest.RunOptions{
-		Name:         oidcMockHostname,
-		Cmd:          []string{"headscale", "mockoidc"},
-		ExposedPorts: []string{"10000/tcp"},
-		PortBindings: map[docker.Port][]docker.PortBinding{
-			"10000/tcp": {{HostPort: "10000"}},
-		},
-		Networks: []*dockertest.Network{&s.network},
-		Env: []string{
-			fmt.Sprintf("MOCKOIDC_ADDR=%s", oidcMockHostname),
-			"MOCKOIDC_PORT=10000",
-			"MOCKOIDC_CLIENT_ID=superclient",
-			"MOCKOIDC_CLIENT_SECRET=supersecret",
-		},
-	}
-
-	headscaleBuildOptions := &dockertest.BuildOptions{
-		Dockerfile: "Dockerfile.debug",
-		ContextDir: ".",
-	}
-
-	err = s.pool.RemoveContainerByName(oidcMockHostname)
-	if err != nil {
-		s.FailNow(
-			fmt.Sprintf(
-				"Could not remove existing container before building test: %s",
-				err,
-			),
-			"",
-		)
-	}
-
-	if pmockoidc, err := s.pool.BuildAndRunWithBuildOptions(
-		headscaleBuildOptions,
-		mockOidcOptions,
-		DockerRestartPolicy); err == nil {
-		s.mockOidc = *pmockoidc
-	} else {
-		s.FailNow(fmt.Sprintf("Could not start mockOIDC container: %s", err), "")
-	}
-
-	s.Suite.T().Logf("Waiting for headscale mock oidc to be ready for tests")
-	hostEndpoint := fmt.Sprintf(
-		"%s:%s",
-		s.mockOidc.GetIPInNetwork(&s.network),
-		s.mockOidc.GetPort("10000/tcp"),
-	)
-
-	if err := s.pool.Retry(func() error {
-		url := fmt.Sprintf("http://%s/oidc/.well-known/openid-configuration", hostEndpoint)
-		resp, err := http.Get(url)
-		if err != nil {
-			log.Printf("headscale mock OIDC tests is not ready: %s\n", err)
-			return err
-		}
-
-		if resp.StatusCode != http.StatusOK {
-			return fmt.Errorf("status code not OK")
-		}
-
-		return nil
-	}); err != nil {
-		// TODO(kradalby): If we cannot access headscale, or any other fatal error during
-		// test setup, we need to abort and tear down. However, testify does not seem to
-		// support that at the moment:
-		// https://github.com/stretchr/testify/issues/849
-		return // fmt.Errorf("Could not connect to headscale: %s", err)
-	}
-	s.Suite.T().Log("headscale-mock-oidc container is ready for embedded OIDC tests")
-
-	oidcCfg := fmt.Sprintf(`
-oidc:
-  issuer: http://%s:10000/oidc
-  client_id: superclient
-  client_secret: supersecret
-  strip_email_domain: true`, s.mockOidc.GetIPInNetwork(&s.network))
-
-	currentPath, err := os.Getwd()
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not determine current path: %s", err), "")
-	}
-
-	baseConfig, err := os.ReadFile(
-		path.Join(currentPath, "integration_test/etc_oidc/base_config.yaml"))
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not read base config: %s", err), "")
-	}
-	config := string(baseConfig) + oidcCfg
-
-	log.Println(config)
-
-	configPath := path.Join(currentPath, "integration_test/etc_oidc/config.yaml")
-	err = os.WriteFile(configPath, []byte(config), 0o644)
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not write config: %s", err), "")
-	}
-
-	headscaleOptions := &dockertest.RunOptions{
-		Name:     oidcHeadscaleHostname,
-		Networks: []*dockertest.Network{&s.network},
-		Mounts: []string{
-			path.Join(currentPath,
-				"integration_test/etc_oidc:/etc/headscale",
-			),
-		},
-		Cmd:          []string{"headscale", "serve"},
-		ExposedPorts: []string{"8443/tcp", "3478/udp"},
-		PortBindings: map[docker.Port][]docker.PortBinding{
-			"8443/tcp": {{HostPort: "8443"}},
-			"3478/udp": {{HostPort: "3478"}},
-		},
-	}
-
-	err = s.pool.RemoveContainerByName(oidcHeadscaleHostname)
-	if err != nil {
-		s.FailNow(
-			fmt.Sprintf(
-				"Could not remove existing container before building test: %s",
-				err,
-			),
-			"",
-		)
-	}
-
-	s.Suite.T().Logf("Creating headscale container for OIDC integration tests")
-	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
-		s.headscale = *pheadscale
-	} else {
-		s.FailNow(fmt.Sprintf("Could not start headscale container: %s", err), "")
-	}
-	s.Suite.T().Logf("Created headscale container for embedded OIDC tests")
-
-	s.Suite.T().Logf("Creating tailscale containers for embedded OIDC tests")
-
-	for i := 0; i < totalOidcContainers; i++ {
-		version := tailscaleVersions[i%len(tailscaleVersions)]
-		hostname, container := s.tailscaleContainer(
-			fmt.Sprint(i),
-			version,
-		)
-		s.tailscales[hostname] = *container
-	}
-
-	s.Suite.T().Logf("Waiting for headscale to be ready for embedded OIDC tests")
-	hostMockEndpoint := fmt.Sprintf(
-		"%s:%s",
-		s.headscale.GetIPInNetwork(&s.network),
-		s.headscale.GetPort("8443/tcp"),
-	)
-
-	if err := s.pool.Retry(func() error {
-		url := fmt.Sprintf("https://%s/health", hostMockEndpoint)
-		insecureTransport := http.DefaultTransport.(*http.Transport).Clone()
-		insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-		client := &http.Client{Transport: insecureTransport}
-		resp, err := client.Get(url)
-		if err != nil {
-			log.Printf("headscale for embedded OIDC tests is not ready: %s\n", err)
-			return err
-		}
-
-		if resp.StatusCode != http.StatusOK {
-			return fmt.Errorf("status code not OK")
-		}
-
-		return nil
-	}); err != nil {
-		// TODO(kradalby): If we cannot access headscale, or any other fatal error during
-		// test setup, we need to abort and tear down. However, testify does not seem to
-		// support that at the moment:
-		// https://github.com/stretchr/testify/issues/849
-		return // fmt.Errorf("Could not connect to headscale: %s", err)
-	}
-	s.Suite.T().Log("headscale container is ready for embedded OIDC tests")
-
-	s.Suite.T().Logf("Creating headscale namespace: %s\n", oidcNamespaceName)
-	result, _, err := ExecuteCommand(
-		&s.headscale,
-		[]string{"headscale", "namespaces", "create", oidcNamespaceName},
-		[]string{},
-	)
-	log.Println("headscale create namespace result: ", result)
-	assert.Nil(s.T(), err)
-
-	headscaleEndpoint := fmt.Sprintf(
-		"https://headscale:%s",
-		s.headscale.GetPort("8443/tcp"),
-	)
-
-	log.Printf(
-		"Joining tailscale containers to headscale at %s\n",
-		headscaleEndpoint,
-	)
-	for hostname, tailscale := range s.tailscales {
-		s.joinWaitGroup.Add(1)
-		go s.AuthenticateOIDC(headscaleEndpoint, hostname, tailscale)
-
-		// TODO(juan): Workaround for https://github.com/juanfont/headscale/issues/814
-		time.Sleep(1 * time.Second)
-	}
-
-	s.joinWaitGroup.Wait()
-
-	// The nodes need a bit of time to get their updated maps from headscale
-	// TODO: See if we can have a more deterministic wait here.
-	time.Sleep(60 * time.Second)
-}
-
-func (s *IntegrationOIDCTestSuite) AuthenticateOIDC(
-	endpoint, hostname string,
-	tailscale dockertest.Resource,
-) {
-	defer s.joinWaitGroup.Done()
-
-	loginURL, err := s.joinOIDC(endpoint, hostname, tailscale)
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not join OIDC node: %s", err), "")
-	}
-
-	insecureTransport := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-	}
-	client := &http.Client{Transport: insecureTransport}
-	resp, err := client.Get(loginURL.String())
-	assert.Nil(s.T(), err)
-
-	log.Printf("auth body, err: %#v, %s", resp, err)
-
-	body, err := io.ReadAll(resp.Body)
-	assert.Nil(s.T(), err)
-
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not read login page: %s", err), "")
-	}
-
-	log.Printf("Login page for %s: %s", hostname, string(body))
-}
-
-func (s *IntegrationOIDCTestSuite) joinOIDC(
-	endpoint, hostname string,
-	tailscale dockertest.Resource,
-) (*url.URL, error) {
-	command := []string{
-		"tailscale",
-		"up",
-		"-login-server",
-		endpoint,
-		"--hostname",
-		hostname,
-	}
-
-	log.Println("Join command:", command)
-	log.Printf("Running join command for %s\n", hostname)
-	_, stderr, _ := ExecuteCommand(
-		&tailscale,
-		command,
-		[]string{},
-	)
-
-	// This piece of code just gets the login URL out of the stderr of the tailscale client.
-	// See https://github.com/tailscale/tailscale/blob/main/cmd/tailscale/cli/up.go#L584.
-	urlStr := strings.ReplaceAll(stderr, "\nTo authenticate, visit:\n\n\t", "")
-	urlStr = strings.TrimSpace(urlStr)
-
-	// parse URL
-	loginUrl, err := url.Parse(urlStr)
-	if err != nil {
-		log.Printf("Could not parse login URL: %s", err)
-		log.Printf("Original join command result: %s", stderr)
-		return nil, err
-	}
-
-	return loginUrl, nil
-}
-
-func (s *IntegrationOIDCTestSuite) tailscaleContainer(
-	identifier, version string,
-) (string, *dockertest.Resource) {
-	tailscaleBuildOptions := getDockerBuildOptions(version)
-
-	hostname := fmt.Sprintf(
-		"tailscale-%s-%s",
-		strings.Replace(version, ".", "-", -1),
-		identifier,
-	)
-	tailscaleOptions := &dockertest.RunOptions{
-		Name:     hostname,
-		Networks: []*dockertest.Network{&s.network},
-		Cmd: []string{
-			"tailscaled", "--tun=tsdev",
-		},
-
-		// expose the host IP address, so we can access it from inside the container
-		ExtraHosts: []string{
-			"host.docker.internal:host-gateway",
-			"headscale:host-gateway",
-		},
-	}
-
-	pts, err := s.pool.BuildAndRunWithBuildOptions(
-		tailscaleBuildOptions,
-		tailscaleOptions,
-		DockerRestartPolicy,
-		DockerAllowLocalIPv6,
-		DockerAllowNetworkAdministration,
-	)
-	if err != nil {
-		s.FailNow(
-			fmt.Sprintf(
-				"Could not start tailscale container version %s: %s",
-				version,
-				err,
-			),
-		)
-	}
-	log.Printf("Created %s container\n", hostname)
-
-	return hostname, pts
-}
-
-func (s *IntegrationOIDCTestSuite) TearDownSuite() {
-	if !s.saveLogs {
-		for _, tailscale := range s.tailscales {
-			if err := s.pool.Purge(&tailscale); err != nil {
-				log.Printf("Could not purge resource: %s\n", err)
-			}
-		}
-
-		if err := s.pool.Purge(&s.headscale); err != nil {
-			log.Printf("Could not purge resource: %s\n", err)
-		}
-
-		if err := s.pool.Purge(&s.mockOidc); err != nil {
-			log.Printf("Could not purge resource: %s\n", err)
-		}
-
-		if err := s.network.Close(); err != nil {
-			log.Printf("Could not close network: %s\n", err)
-		}
-	}
-}
-
-func (s *IntegrationOIDCTestSuite) HandleStats(
-	suiteName string,
-	stats *suite.SuiteInformation,
-) {
-	s.stats = stats
-}
-
-func (s *IntegrationOIDCTestSuite) saveLog(
-	resource *dockertest.Resource,
-	basePath string,
-) error {
-	err := os.MkdirAll(basePath, os.ModePerm)
-	if err != nil {
-		return err
-	}
-
-	var stdout bytes.Buffer
-	var stderr bytes.Buffer
-
-	err = s.pool.Client.Logs(
-		docker.LogsOptions{
-			Context:      context.TODO(),
-			Container:    resource.Container.ID,
-			OutputStream: &stdout,
-			ErrorStream:  &stderr,
-			Tail:         "all",
-			RawTerminal:  false,
-			Stdout:       true,
-			Stderr:       true,
-			Follow:       false,
-			Timestamps:   false,
-		},
-	)
-	if err != nil {
-		return err
-	}
-
-	log.Printf("Saving logs for %s to %s\n", resource.Container.Name, basePath)
-
-	err = os.WriteFile(
-		path.Join(basePath, resource.Container.Name+".stdout.log"),
-		[]byte(stdout.String()),
-		0o644,
-	)
-	if err != nil {
-		return err
-	}
-
-	err = os.WriteFile(
-		path.Join(basePath, resource.Container.Name+".stderr.log"),
-		[]byte(stdout.String()),
-		0o644,
-	)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (s *IntegrationOIDCTestSuite) TestPingAllPeersByAddress() {
-	for hostname, tailscale := range s.tailscales {
-		ips, err := getIPs(s.tailscales)
-		assert.Nil(s.T(), err)
-		for peername, peerIPs := range ips {
-			for i, ip := range peerIPs {
-				// We currently cant ping ourselves, so skip that.
-				if peername == hostname {
-					continue
-				}
-				s.T().
-					Run(fmt.Sprintf("%s-%s-%d", hostname, peername, i), func(t *testing.T) {
-						// We are only interested in "direct ping" which means what we
-						// might need a couple of more attempts before reaching the node.
-						command := []string{
-							"tailscale", "ping",
-							"--timeout=1s",
-							"--c=10",
-							"--until-direct=true",
-							ip.String(),
-						}
-
-						log.Printf(
-							"Pinging from %s to %s (%s)\n",
-							hostname,
-							peername,
-							ip,
-						)
-						stdout, stderr, err := ExecuteCommand(
-							&tailscale,
-							command,
-							[]string{},
-						)
-						assert.Nil(t, err)
-						log.Printf(
-							"result for %s: stdout: %s, stderr: %s\n",
-							hostname,
-							stdout,
-							stderr,
-						)
-						assert.Contains(t, stdout, "pong")
-					})
-			}
-		}
-	}
-}
--- a/integration_test/etc/alt-config.dump.gold.yaml
+++ b/integration_test/etc/alt-config.dump.gold.yaml
@@ -3,6 +3,7 @@ cli:
  insecure: false
  timeout: 5s
 db_path: /tmp/integration_test_db.sqlite3
+db_ssl: false
 db_type: sqlite3
 derp:
  auto_update_enabled: false
@@ -46,7 +47,6 @@ private_key_path: private.key
 noise:
  private_key_path: noise_private.key
 server_url: http://headscale:18080
-tls_client_auth_mode: relaxed
 tls_letsencrypt_cache_dir: /var/www/.cache
 tls_letsencrypt_challenge_type: HTTP-01
 unix_socket: /var/run/headscale.sock
--- a/integration_test/etc/alt-config.yaml
+++ b/integration_test/etc/alt-config.yaml
@@ -16,6 +16,7 @@ dns_config:
    - 127.0.0.11
    - 1.1.1.1
 db_path: /tmp/integration_test_db.sqlite3
+db_ssl: false
 private_key_path: private.key
 noise:
  private_key_path: noise_private.key
--- a/integration_test/etc/alt-env-config.dump.gold.yaml
+++ b/integration_test/etc/alt-env-config.dump.gold.yaml
@@ -3,6 +3,7 @@ cli:
  insecure: false
  timeout: 5s
 db_path: /tmp/integration_test_db.sqlite3
+db_ssl: false
 db_type: sqlite3
 derp:
  auto_update_enabled: false
@@ -45,7 +46,6 @@ private_key_path: private.key
 noise:
  private_key_path: noise_private.key
 server_url: http://headscale:18080
-tls_client_auth_mode: relaxed
 tls_letsencrypt_cache_dir: /var/www/.cache
 tls_letsencrypt_challenge_type: HTTP-01
 unix_socket: /var/run/headscale.sock
--- a/integration_test/etc/alt-env-config.yaml
+++ b/integration_test/etc/alt-env-config.yaml
@@ -15,6 +15,7 @@ dns_config:
  nameservers:
    - 1.1.1.1
 db_path: /tmp/integration_test_db.sqlite3
+db_ssl: false
 private_key_path: private.key
 noise:
  private_key_path: noise_private.key
--- a/integration_test/etc/config.dump.gold.yaml
+++ b/integration_test/etc/config.dump.gold.yaml
@@ -3,6 +3,7 @@ cli:
  insecure: false
  timeout: 5s
 db_path: /tmp/integration_test_db.sqlite3
+db_ssl: false
 db_type: sqlite3
 derp:
  auto_update_enabled: false
@@ -46,7 +47,6 @@ private_key_path: private.key
 noise:
  private_key_path: noise_private.key
 server_url: http://headscale:8080
-tls_client_auth_mode: relaxed
 tls_letsencrypt_cache_dir: /var/www/.cache
 tls_letsencrypt_challenge_type: HTTP-01
 unix_socket: /var/run/headscale.sock
--- a/integration_test/etc_oidc/base_config.yaml
+++ b/integration_test/etc_oidc/base_config.yaml
@@ -14,7 +14,6 @@ listen_addr: 0.0.0.0:8443
 server_url: https://headscale-oidc:8443
 tls_cert_path: "/etc/headscale/tls/server.crt"
 tls_key_path: "/etc/headscale/tls/server.key"
-tls_client_auth_mode: disabled
 derp:
  urls:
    - https://controlplane.tailscale.com/derpmap/default
--- a/machine.go
+++ b/machine.go
@@ -13,6 +13,7 @@ import (
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/rs/zerolog/log"
 	"google.golang.org/protobuf/types/known/timestamppb"
+	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 )
@@ -37,11 +38,6 @@ const (
 	maxHostnameLength = 255
 )

-var (
-	ExitRouteV4 = netip.MustParsePrefix("0.0.0.0/0")
-	ExitRouteV6 = netip.MustParsePrefix("::/0")
-)
-
 // Machine is a Headscale client.
 type Machine struct {
 	ID          uint64 `gorm:"primary_key"`
@@ -76,9 +72,8 @@ type Machine struct {
 	LastSuccessfulUpdate *time.Time
 	Expiry               *time.Time

-	HostInfo      HostInfo
-	Endpoints     StringList
-	EnabledRoutes IPPrefixes
+	HostInfo  HostInfo
+	Endpoints StringList

 	CreatedAt time.Time
 	UpdatedAt time.Time
@@ -143,6 +138,17 @@ func (machine Machine) isExpired() bool {
 	return time.Now().UTC().After(*machine.Expiry)
 }

+// isOnline returns if the machine is connected to Headscale.
+// This is really a naive implementation, as we don't really see
+// if there is a working connection between the client and the server.
+func (machine *Machine) isOnline() bool {
+	if machine.LastSeen == nil {
+		return false
+	}
+
+	return machine.LastSeen.After(time.Now().Add(-keepAliveInterval))
+}
+
 func containsAddresses(inputs []string, addrs []string) bool {
 	for _, addr := range addrs {
 		if contains(inputs, addr) {
@@ -595,14 +601,15 @@ func (machines MachinesP) String() string {
 	return fmt.Sprintf("[ %s ](%d)", strings.Join(temp, ", "), len(temp))
 }

-func (machines Machines) toNodes(
+func (h *Headscale) toNodes(
+	machines Machines,
 	baseDomain string,
 	dnsConfig *tailcfg.DNSConfig,
 ) ([]*tailcfg.Node, error) {
 	nodes := make([]*tailcfg.Node, len(machines))

 	for index, machine := range machines {
-		node, err := machine.toNode(baseDomain, dnsConfig)
+		node, err := h.toNode(machine, baseDomain, dnsConfig)
 		if err != nil {
 			return nil, err
 		}
@@ -615,7 +622,8 @@ func (machines Machines) toNodes(

 // toNode converts a Machine into a Tailscale Node. includeRoutes is false for shared nodes
 // as per the expected behaviour in the official SaaS.
-func (machine Machine) toNode(
+func (h *Headscale) toNode(
+	machine Machine,
 	baseDomain string,
 	dnsConfig *tailcfg.DNSConfig,
 ) (*tailcfg.Node, error) {
@@ -663,24 +671,19 @@ func (machine Machine) toNode(
 		[]netip.Prefix{},
 		addrs...) // we append the node own IP, as it is required by the clients

-	allowedIPs = append(allowedIPs, machine.EnabledRoutes...)
-
-	// TODO(kradalby): This is kind of a hack where we say that
-	// all the announced routes (except exit), is presented as primary
-	// routes. This might be problematic if two nodes expose the same route.
-	// This was added to address an issue where subnet routers stopped working
-	// when we only populated AllowedIPs.
-	primaryRoutes := []netip.Prefix{}
-	if len(machine.EnabledRoutes) > 0 {
-		for _, route := range machine.EnabledRoutes {
-			if route == ExitRouteV4 || route == ExitRouteV6 {
-				continue
-			}
-
-			primaryRoutes = append(primaryRoutes, route)
-		}
+	enabledRoutes, err := h.GetEnabledRoutes(&machine)
+	if err != nil {
+		return nil, err
 	}

+	allowedIPs = append(allowedIPs, enabledRoutes...)
+
+	primaryRoutes, err := h.getMachinePrimaryRoutes(&machine)
+	if err != nil {
+		return nil, err
+	}
+	primaryPrefixes := Routes(primaryRoutes).toPrefixes()
+
 	var derp string
 	if machine.HostInfo.NetInfo != nil {
 		derp = fmt.Sprintf("127.3.3.40:%d", machine.HostInfo.NetInfo.PreferredDERP)
@@ -716,9 +719,7 @@ func (machine Machine) toNode(

 	hostInfo := machine.GetHostInfo()

-	// A node is Online if it is connected to the control server,
-	// and we now we update LastSeen every keepAliveInterval duration at least.
-	online := machine.LastSeen.After(time.Now().Add(-keepAliveInterval))
+	online := machine.isOnline()

 	node := tailcfg.Node{
 		ID: tailcfg.NodeID(machine.ID), // this is the actual ID
@@ -733,7 +734,7 @@ func (machine Machine) toNode(
 		DiscoKey:      discoKey,
 		Addresses:     addrs,
 		AllowedIPs:    allowedIPs,
-		PrimaryRoutes: primaryRoutes,
+		PrimaryRoutes: primaryPrefixes,
 		Endpoints:     machine.Endpoints,
 		DERP:          derp,

@@ -744,7 +745,11 @@ func (machine Machine) toNode(

 		KeepAlive:         true,
 		MachineAuthorized: !machine.isExpired(),
-		Capabilities:      []string{tailcfg.CapabilityFileSharing},
+		Capabilities: []string{
+			tailcfg.CapabilityFileSharing,
+			tailcfg.CapabilityAdmin,
+			tailcfg.CapabilitySSH,
+		},
 	}

 	return &node, nil
@@ -839,7 +844,13 @@ func (h *Headscale) RegisterMachineFromAuthCallback(
 	namespaceName string,
 	registrationMethod string,
 ) (*Machine, error) {
-	if machineInterface, ok := h.registrationCache.Get(nodeKeyStr); ok {
+	nodeKey := key.NodePublic{}
+	err := nodeKey.UnmarshalText([]byte(nodeKeyStr))
+	if err != nil {
+		return nil, err
+	}
+
+	if machineInterface, ok := h.registrationCache.Get(NodePublicKeyStripPrefix(nodeKey)); ok {
 		if registrationMachine, ok := machineInterface.(Machine); ok {
 			namespace, err := h.GetNamespace(namespaceName)
 			if err != nil {
@@ -917,21 +928,69 @@ func (h *Headscale) RegisterMachine(machine Machine,
 	return &machine, nil
 }

-func (machine *Machine) GetAdvertisedRoutes() []netip.Prefix {
-	return machine.HostInfo.RoutableIPs
+// GetAdvertisedRoutes returns the routes that are be advertised by the given machine.
+func (h *Headscale) GetAdvertisedRoutes(machine *Machine) ([]netip.Prefix, error) {
+	routes := []Route{}
+
+	err := h.db.
+		Preload("Machine").
+		Where("machine_id = ? AND advertised = ?", machine.ID, true).Find(&routes).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		log.Error().
+			Caller().
+			Err(err).
+			Str("machine", machine.Hostname).
+			Msg("Could not get advertised routes for machine")
+
+		return nil, err
+	}
+
+	prefixes := []netip.Prefix{}
+	for _, route := range routes {
+		prefixes = append(prefixes, netip.Prefix(route.Prefix))
+	}
+
+	return prefixes, nil
 }

-func (machine *Machine) GetEnabledRoutes() []netip.Prefix {
-	return machine.EnabledRoutes
+// GetEnabledRoutes returns the routes that are enabled for the machine.
+func (h *Headscale) GetEnabledRoutes(machine *Machine) ([]netip.Prefix, error) {
+	routes := []Route{}
+
+	err := h.db.
+		Preload("Machine").
+		Where("machine_id = ? AND advertised = ? AND enabled = ?", machine.ID, true, true).
+		Find(&routes).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		log.Error().
+			Caller().
+			Err(err).
+			Str("machine", machine.Hostname).
+			Msg("Could not get enabled routes for machine")
+
+		return nil, err
+	}
+
+	prefixes := []netip.Prefix{}
+	for _, route := range routes {
+		prefixes = append(prefixes, netip.Prefix(route.Prefix))
+	}
+
+	return prefixes, nil
 }

-func (machine *Machine) IsRoutesEnabled(routeStr string) bool {
+func (h *Headscale) IsRoutesEnabled(machine *Machine, routeStr string) bool {
 	route, err := netip.ParsePrefix(routeStr)
 	if err != nil {
 		return false
 	}

-	enabledRoutes := machine.GetEnabledRoutes()
+	enabledRoutes, err := h.GetEnabledRoutes(machine)
+	if err != nil {
+		log.Error().Err(err).Msg("Could not get enabled routes")
+
+		return false
+	}

 	for _, enabledRoute := range enabledRoutes {
 		if route == enabledRoute {
@@ -942,8 +1001,7 @@ func (machine *Machine) IsRoutesEnabled(routeStr string) bool {
 	return false
 }

-// EnableNodeRoute enables new routes based on a list of new routes. It will _replace_ the
-// previous list of routes.
+// EnableRoutes enables new routes based on a list of new routes.
 func (h *Headscale) EnableRoutes(machine *Machine, routeStrs ...string) error {
 	newRoutes := make([]netip.Prefix, len(routeStrs))
 	for index, routeStr := range routeStrs {
@@ -955,8 +1013,13 @@ func (h *Headscale) EnableRoutes(machine *Machine, routeStrs ...string) error {
 		newRoutes[index] = route
 	}

+	advertisedRoutes, err := h.GetAdvertisedRoutes(machine)
+	if err != nil {
+		return err
+	}
+
 	for _, newRoute := range newRoutes {
-		if !contains(machine.GetAdvertisedRoutes(), newRoute) {
+		if !contains(advertisedRoutes, newRoute) {
 			return fmt.Errorf(
 				"route (%s) is not available on node %s: %w",
 				machine.Hostname,
@@ -965,52 +1028,77 @@ func (h *Headscale) EnableRoutes(machine *Machine, routeStrs ...string) error {
 		}
 	}

-	machine.EnabledRoutes = newRoutes
+	// Separate loop so we don't leave things in a half-updated state
+	for _, prefix := range newRoutes {
+		route := Route{}
+		err := h.db.Preload("Machine").
+			Where("machine_id = ? AND prefix = ?", machine.ID, IPPrefix(prefix)).
+			First(&route).Error
+		if err == nil {
+			route.Enabled = true

-	if err := h.db.Save(machine).Error; err != nil {
-		return fmt.Errorf("failed enable routes for machine in the database: %w", err)
+			// Mark already as primary if there is only this node offering this subnet
+			// (and is not an exit route)
+			if !route.isExitRoute() {
+				route.IsPrimary = h.isUniquePrefix(route)
+			}
+
+			err = h.db.Save(&route).Error
+			if err != nil {
+				return fmt.Errorf("failed to enable route: %w", err)
+			}
+		} else {
+			return fmt.Errorf("failed to find route: %w", err)
+		}
 	}

 	return nil
 }

-// Enabled any routes advertised by a machine that match the ACL autoApprovers policy.
-func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) {
+// EnableAutoApprovedRoutes enables any routes advertised by a machine that match the ACL autoApprovers policy.
+func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) error {
 	if len(machine.IPAddresses) == 0 {
-		return // This machine has no IPAddresses, so can't possibly match any autoApprovers ACLs
+		return nil // This machine has no IPAddresses, so can't possibly match any autoApprovers ACLs
 	}

-	approvedRoutes := make([]netip.Prefix, 0, len(machine.HostInfo.RoutableIPs))
-	thisMachine := []Machine{*machine}
+	routes := []Route{}
+	err := h.db.
+		Preload("Machine").
+		Where("machine_id = ? AND advertised = true AND enabled = false", machine.ID).Find(&routes).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		log.Error().
+			Caller().
+			Err(err).
+			Str("machine", machine.Hostname).
+			Msg("Could not get advertised routes for machine")

-	for _, advertisedRoute := range machine.HostInfo.RoutableIPs {
-		if contains(machine.EnabledRoutes, advertisedRoute) {
-			continue // Skip routes that are already enabled for the node
-		}
+		return err
+	}

-		routeApprovers, err := h.aclPolicy.AutoApprovers.GetRouteApprovers(
-			advertisedRoute,
-		)
+	approvedRoutes := []Route{}
+
+	for _, advertisedRoute := range routes {
+		routeApprovers, err := h.aclPolicy.AutoApprovers.GetRouteApprovers(netip.Prefix(advertisedRoute.Prefix))
 		if err != nil {
 			log.Err(err).
 				Str("advertisedRoute", advertisedRoute.String()).
 				Uint64("machineId", machine.ID).
 				Msg("Failed to resolve autoApprovers for advertised route")

-			return
+			return err
 		}

 		for _, approvedAlias := range routeApprovers {
 			if approvedAlias == machine.Namespace.Name {
 				approvedRoutes = append(approvedRoutes, advertisedRoute)
 			} else {
-				approvedIps, err := expandAlias(thisMachine, *h.aclPolicy, approvedAlias, h.cfg.OIDC.StripEmaildomain)
+				approvedIps, err := expandAlias([]Machine{*machine}, *h.aclPolicy, approvedAlias, h.cfg.OIDC.StripEmaildomain)
 				if err != nil {
 					log.Err(err).
 						Str("alias", approvedAlias).
 						Msg("Failed to expand alias when processing autoApprovers policy")

-					return
+					return err
 				}

 				// approvedIPs should contain all of machine's IPs if it matches the rule, so check for first
@@ -1021,26 +1109,20 @@ func (h *Headscale) EnableAutoApprovedRoutes(machine *Machine) {
 		}
 	}

-	for _, approvedRoute := range approvedRoutes {
-		if !contains(machine.EnabledRoutes, approvedRoute) {
-			log.Info().
-				Str("route", approvedRoute.String()).
-				Uint64("client", machine.ID).
-				Msg("Enabling autoApproved route for client")
-			machine.EnabledRoutes = append(machine.EnabledRoutes, approvedRoute)
+	for i, approvedRoute := range approvedRoutes {
+		approvedRoutes[i].Enabled = true
+		err = h.db.Save(&approvedRoutes[i]).Error
+		if err != nil {
+			log.Err(err).
+				Str("approvedRoute", approvedRoute.String()).
+				Uint64("machineId", machine.ID).
+				Msg("Failed to enable approved route")
+
+			return err
 		}
 	}
-}

-func (machine *Machine) RoutesToProto() *v1.Routes {
-	availableRoutes := machine.GetAdvertisedRoutes()
-
-	enabledRoutes := machine.GetEnabledRoutes()
-
-	return &v1.Routes{
-		AdvertisedRoutes: ipPrefixToString(availableRoutes),
-		EnabledRoutes:    ipPrefixToString(enabledRoutes),
-	}
+	return nil
 }

 func (h *Headscale) generateGivenName(suppliedName string, randomSuffix bool) (string, error) {
--- a/machine_test.go
+++ b/machine_test.go
@@ -1153,9 +1153,16 @@ func (s *Suite) TestAutoApproveRoutes(c *check.C) {

 	app.db.Save(&machine)

+	err = app.processMachineRoutes(&machine)
+	c.Assert(err, check.IsNil)
+
 	machine0ByID, err := app.GetMachineByID(0)
 	c.Assert(err, check.IsNil)

-	app.EnableAutoApprovedRoutes(machine0ByID)
-	c.Assert(machine0ByID.GetEnabledRoutes(), check.HasLen, 3)
+	err = app.EnableAutoApprovedRoutes(machine0ByID)
+	c.Assert(err, check.IsNil)
+
+	enabledRoutes, err := app.GetEnabledRoutes(machine0ByID)
+	c.Assert(err, check.IsNil)
+	c.Assert(enabledRoutes, check.HasLen, 3)
 }
--- a/namespaces.go
+++ b/namespaces.go
@@ -211,7 +211,10 @@ func (n *Namespace) toLogin() *tailcfg.Login {
 	return &login
 }

-func getMapResponseUserProfiles(machine Machine, peers Machines) []tailcfg.UserProfile {
+func (h *Headscale) getMapResponseUserProfiles(
+	machine Machine,
+	peers Machines,
+) []tailcfg.UserProfile {
 	namespaceMap := make(map[string]Namespace)
 	namespaceMap[machine.Namespace.Name] = machine.Namespace
 	for _, peer := range peers {
@@ -220,11 +223,17 @@ func getMapResponseUserProfiles(machine Machine, peers Machines) []tailcfg.UserP

 	profiles := []tailcfg.UserProfile{}
 	for _, namespace := range namespaceMap {
+		displayName := namespace.Name
+
+		if h.cfg.BaseDomain != "" {
+			displayName = fmt.Sprintf("%s@%s", namespace.Name, h.cfg.BaseDomain)
+		}
+
 		profiles = append(profiles,
 			tailcfg.UserProfile{
 				ID:          tailcfg.UserID(namespace.ID),
 				LoginName:   namespace.Name,
-				DisplayName: namespace.Name,
+				DisplayName: displayName,
 			})
 	}

--- a/namespaces_test.go
+++ b/namespaces_test.go
@@ -209,7 +209,7 @@ func (s *Suite) TestGetMapResponseUserProfiles(c *check.C) {
 	peersOfMachine1InShared1, err := app.getPeers(machineInShared1)
 	c.Assert(err, check.IsNil)

-	userProfiles := getMapResponseUserProfiles(
+	userProfiles := app.getMapResponseUserProfiles(
 		*machineInShared1,
 		peersOfMachine1InShared1,
 	)
--- a/noise.go
+++ b/noise.go
@@ -36,7 +36,7 @@ func (h *Headscale) NoiseUpgradeHandler(
 		return
 	}

-	noiseConn, err := controlhttp.AcceptHTTP(req.Context(), writer, req, *h.noisePrivateKey)
+	noiseConn, err := controlhttp.AcceptHTTP(req.Context(), writer, req, *h.noisePrivateKey, nil)
 	if err != nil {
 		log.Error().Err(err).Msg("noise upgrade failed")
 		http.Error(writer, err.Error(), http.StatusInternalServerError)
--- a/oidc.go
+++ b/oidc.go
@@ -25,6 +25,7 @@ const (
 	errEmptyOIDCCallbackParams = Error("empty OIDC callback params")
 	errNoOIDCIDToken           = Error("could not extract ID Token for OIDC callback")
 	errOIDCAllowedDomains      = Error("authenticated principal does not match any allowed domain")
+	errOIDCAllowedGroups       = Error("authenticated principal is not in any allowed group")
 	errOIDCAllowedUsers        = Error("authenticated principal does not match any allowed user")
 	errOIDCInvalidMachineState = Error("requested machine state key expired before authorisation completed")
 	errOIDCNodeKeyMissing      = Error("could not get node key from cache")
@@ -76,19 +77,54 @@ func (h *Headscale) RegisterOIDC(
 ) {
 	vars := mux.Vars(req)
 	nodeKeyStr, ok := vars["nkey"]
-	if !ok || nodeKeyStr == "" {
-		log.Error().
-			Caller().
-			Msg("Missing node key in URL")
-		http.Error(writer, "Missing node key in URL", http.StatusBadRequest)
+
+	log.Debug().
+		Caller().
+		Str("node_key", nodeKeyStr).
+		Bool("ok", ok).
+		Msg("Received oidc register call")
+
+	if !NodePublicKeyRegex.Match([]byte(nodeKeyStr)) {
+		log.Warn().Str("node_key", nodeKeyStr).Msg("Invalid node key passed to registration url")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusUnauthorized)
+		_, err := writer.Write([]byte("Unauthorized"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}

-	log.Trace().
-		Caller().
-		Str("node_key", nodeKeyStr).
-		Msg("Received oidc register call")
+	// We need to make sure we dont open for XSS style injections, if the parameter that
+	// is passed as a key is not parsable/validated as a NodePublic key, then fail to render
+	// the template and log an error.
+	var nodeKey key.NodePublic
+	err := nodeKey.UnmarshalText(
+		[]byte(NodePublicKeyEnsurePrefix(nodeKeyStr)),
+	)
+
+	if !ok || nodeKeyStr == "" || err != nil {
+		log.Warn().
+			Err(err).
+			Msg("Failed to parse incoming nodekey in OIDC registration")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("Wrong params"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}

 	randomBlob := make([]byte, randomByteSize)
 	if _, err := rand.Read(randomBlob); err != nil {
@@ -103,7 +139,7 @@ func (h *Headscale) RegisterOIDC(
 	stateStr := hex.EncodeToString(randomBlob)[:32]

 	// place the node key into the state cache, so it can be retrieved later
-	h.registrationCache.Set(stateStr, nodeKeyStr, registerCacheExpiration)
+	h.registrationCache.Set(stateStr, NodePublicKeyStripPrefix(nodeKey), registerCacheExpiration)

 	// Add any extra parameter provided in the configuration to the Authorize Endpoint request
 	extras := make([]oauth2.AuthCodeOption, 0, len(h.cfg.OIDC.ExtraParams))
@@ -174,6 +210,10 @@ func (h *Headscale) OIDCCallback(
 		return
 	}

+	if err := validateOIDCAllowedGroups(writer, h.cfg.OIDC.AllowedGroups, claims); err != nil {
+		return
+	}
+
 	if err := validateOIDCAllowedUsers(writer, h.cfg.OIDC.AllowedUsers, claims); err != nil {
 		return
 	}
@@ -369,6 +409,39 @@ func validateOIDCAllowedDomains(
 	return nil
 }

+// validateOIDCAllowedGroups checks if AllowedGroups is provided,
+// and that the user has one group in the list.
+// claims.Groups can be populated by adding a client scope named
+// 'groups' that contains group membership.
+func validateOIDCAllowedGroups(
+	writer http.ResponseWriter,
+	allowedGroups []string,
+	claims *IDTokenClaims,
+) error {
+	if len(allowedGroups) > 0 {
+		for _, group := range allowedGroups {
+			if IsStringInSlice(claims.Groups, group) {
+				return nil
+			}
+		}
+
+		log.Error().Msg("authenticated principal not in any allowed groups")
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("unauthorized principal (allowed groups)"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return errOIDCAllowedGroups
+	}
+
+	return nil
+}
+
 // validateOIDCAllowedUsers checks that if AllowedUsers is provided,
 // that the authenticated principal is part of that list.
 func validateOIDCAllowedUsers(
@@ -405,8 +478,8 @@ func (h *Headscale) validateMachineForOIDCCallback(
 	claims *IDTokenClaims,
 ) (*key.NodePublic, bool, error) {
 	// retrieve machinekey from state cache
-	machineKeyIf, machineKeyFound := h.registrationCache.Get(state)
-	if !machineKeyFound {
+	nodeKeyIf, nodeKeyFound := h.registrationCache.Get(state)
+	if !nodeKeyFound {
 		log.Error().
 			Msg("requested machine state key expired before authorisation completed")
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
@@ -419,20 +492,38 @@ func (h *Headscale) validateMachineForOIDCCallback(
 				Msg("Failed to write response")
 		}

-		return nil, false, errOIDCInvalidMachineState
+		return nil, false, errOIDCNodeKeyMissing
 	}

 	var nodeKey key.NodePublic
-	nodeKeyFromCache, nodeKeyOK := machineKeyIf.(string)
+	nodeKeyFromCache, nodeKeyOK := nodeKeyIf.(string)
+	if !nodeKeyOK {
+		log.Error().
+			Msg("requested machine state key is not a string")
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("state is invalid"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return nil, false, errOIDCInvalidMachineState
+	}
+
 	err := nodeKey.UnmarshalText(
 		[]byte(NodePublicKeyEnsurePrefix(nodeKeyFromCache)),
 	)
 	if err != nil {
 		log.Error().
+			Str("nodeKey", nodeKeyFromCache).
+			Bool("nodeKeyOK", nodeKeyOK).
 			Msg("could not parse node public key")
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		writer.WriteHeader(http.StatusBadRequest)
-		_, werr := writer.Write([]byte("could not parse public key"))
+		_, werr := writer.Write([]byte("could not parse node public key"))
 		if werr != nil {
 			log.Error().
 				Caller().
@@ -443,21 +534,6 @@ func (h *Headscale) validateMachineForOIDCCallback(
 		return nil, false, err
 	}

-	if !nodeKeyOK {
-		log.Error().Msg("could not get node key from cache")
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		writer.WriteHeader(http.StatusInternalServerError)
-		_, err := writer.Write([]byte("could not get node key from cache"))
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
-
-		return nil, false, errOIDCNodeKeyMissing
-	}
-
 	// retrieve machine information if it exist
 	// The error is not important, because if it does not
 	// exist, then this is a new machine and we will move
@@ -604,10 +680,8 @@ func (h *Headscale) registerMachineForOIDCCallback(
 	namespace *Namespace,
 	nodeKey *key.NodePublic,
 ) error {
-	nodeKeyStr := NodePublicKeyStripPrefix(*nodeKey)
-
 	if _, err := h.RegisterMachineFromAuthCallback(
-		nodeKeyStr,
+		nodeKey.String(),
 		namespace.Name,
 		RegisterMethodOIDC,
 	); err != nil {
--- a/platform_config.go
+++ b/platform_config.go
@@ -2,6 +2,7 @@ package headscale

 import (
 	"bytes"
+	_ "embed"
 	"html/template"
 	"net/http"
 	textTemplate "text/template"
@@ -11,51 +12,18 @@ import (
 	"github.com/rs/zerolog/log"
 )

+//go:embed templates/apple.html
+var appleTemplate string
+
+//go:embed templates/windows.html
+var windowsTemplate string
+
 // WindowsConfigMessage shows a simple message in the browser for how to configure the Windows Tailscale client.
 func (h *Headscale) WindowsConfigMessage(
 	writer http.ResponseWriter,
 	req *http.Request,
 ) {
-	winTemplate := template.Must(template.New("windows").Parse(`
-<html>
-	<body>
-		<h1>headscale</h1>
-		<h2>Windows registry configuration</h2>
-		<p>
-		    This page provides Windows registry information for the official Windows Tailscale client.
-		<p>
-		<p>
-		    The registry file will configure Tailscale to use <code>{{.URL}}</code> as its control server.
-		<p>
-		<h3>Caution</h3>
-		<p>You should always download and inspect the registry file before installing it:</p>
-		<pre><code>curl {{.URL}}/windows/tailscale.reg</code></pre>
-
-		<h2>Installation</h2>
-		<p>Headscale can be set to the default server by running the registry file:</p>
-
-		<p>
-		    <a href="/windows/tailscale.reg" download="tailscale.reg">Windows registry file</a>
-		</p>
-
-		<ol>
-			<li>Download the registry file, then run it</li>
-			<li>Follow the prompts</li>
-			<li>Install and run the official windows Tailscale client</li>
-			<li>When the installation has finished, start Tailscale, and log in by clicking the icon in the system tray</li>
-		</ol>
-		<p>Or</p>
-		<p>Open command prompt with Administrator rights. Issue the following commands to add the required registry entries:</p>
-		<pre>
-<code>REG ADD "HKLM\Software\Tailscale IPN" /v UnattendedMode /t REG_SZ /d always
-REG ADD "HKLM\Software\Tailscale IPN" /v LoginURL /t REG_SZ /d "{{.URL}}"</code></pre>
-		<p>
-		    Restart Tailscale and log in.
-		<p>
-	</body>
-</html>
-`))
-
+	winTemplate := template.Must(template.New("windows").Parse(windowsTemplate))
 	config := map[string]interface{}{
 		"URL": h.cfg.ServerURL,
 	}
@@ -136,55 +104,7 @@ func (h *Headscale) AppleConfigMessage(
 	writer http.ResponseWriter,
 	req *http.Request,
 ) {
-	appleTemplate := template.Must(template.New("apple").Parse(`
-<html>
-	<body>
-		<h1>headscale</h1>
-		<h2>Apple configuration profiles</h2>
-		<p>
-		    This page provides <a href="https://support.apple.com/guide/mdm/mdm-overview-mdmbf9e668/web">configuration profiles</a> for the official Tailscale clients for <a href="https://apps.apple.com/us/app/tailscale/id1470499037?ls=1">iOS</a> and <a href="https://apps.apple.com/ca/app/tailscale/id1475387142?mt=12">macOS</a>.
-		</p>
-		<p>
-		    The profiles will configure Tailscale.app to use <code>{{.URL}}</code> as its control server.
-		</p>
-
-		<h3>Caution</h3>
-		<p>You should always download and inspect the profile before installing it:</p>
-		<!--
-		<pre><code>curl {{.URL}}/apple/ios</code></pre>
-		-->
-		<pre><code>curl {{.URL}}/apple/macos</code></pre>
-
-		<h2>Profiles</h2>
-
-		<!--
-		<h3>iOS</h3>
-		<p>
-		    <a href="/apple/ios" download="headscale_ios.mobileconfig">iOS profile</a>
-		</p>
-		-->
-
-		<h3>macOS</h3>
-		<p>Headscale can be set to the default server by installing a Headscale configuration profile:</p>
-		<p>
-		    <a href="/apple/macos" download="headscale_macos.mobileconfig">macOS profile</a>
-		</p>
-
-		<ol>
-		<li>Download the profile, then open it. When it has been opened, there should be a notification that a profile can be installed</li>
-		<li>Open System Preferences and go to "Profiles"</li>
-		<li>Find and install the Headscale profile</li>
-		<li>Restart Tailscale.app and log in</li>
-		</ol>
-
-		<p>Or</p>
-		<p>Use your terminal to configure the default setting for Tailscale by issuing:</p>
-		<code>defaults write io.tailscale.ipn.macos ControlURL {{.URL}}</code>
-
-		<p>Restart Tailscale.app and log in.</p>
-
-	</body>
-</html>`))
+	appleTemplate := template.Must(template.New("apple").Parse(appleTemplate))

 	config := map[string]interface{}{
 		"URL": h.cfg.ServerURL,
@@ -282,24 +202,33 @@ func (h *Headscale) ApplePlatformConfig(
 	}

 	var payload bytes.Buffer
+	handleMacError := func(ierr error) {
+		log.Error().
+			Str("handler", "ApplePlatformConfig").
+			Err(ierr).
+			Msg("Could not render Apple macOS template")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("Could not render Apple macOS template"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+	}

 	switch platform {
-	case "macos":
-		if err := macosTemplate.Execute(&payload, platformConfig); err != nil {
-			log.Error().
-				Str("handler", "ApplePlatformConfig").
-				Err(err).
-				Msg("Could not render Apple macOS template")
+	case "macos-standalone":
+		if err := macosStandaloneTemplate.Execute(&payload, platformConfig); err != nil {
+			handleMacError(err)

-			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-			writer.WriteHeader(http.StatusInternalServerError)
-			_, err := writer.Write([]byte("Could not render Apple macOS template"))
-			if err != nil {
-				log.Error().
-					Caller().
-					Err(err).
-					Msg("Failed to write response")
-			}
+			return
+		}
+	case "macos-app-store":
+		if err := macosAppStoreTemplate.Execute(&payload, platformConfig); err != nil {
+			handleMacError(err)

 			return
 		}
@@ -444,7 +373,7 @@ var iosTemplate = textTemplate.Must(textTemplate.New("iosTemplate").Parse(`
    </dict>
 `))

-var macosTemplate = template.Must(template.New("macosTemplate").Parse(`
+var macosAppStoreTemplate = template.Must(template.New("macosTemplate").Parse(`
    <dict>
        <key>PayloadType</key>
        <string>io.tailscale.ipn.macos</string>
@@ -456,7 +385,23 @@ var macosTemplate = template.Must(template.New("macosTemplate").Parse(`
        <integer>1</integer>
        <key>PayloadEnabled</key>
        <true/>
-
+        <key>ControlURL</key>
+        <string>{{.URL}}</string>
+    </dict>
+`))
+
+var macosStandaloneTemplate = template.Must(template.New("macosStandaloneTemplate").Parse(`
+    <dict>
+        <key>PayloadType</key>
+        <string>io.tailscale.ipn.macsys</string>
+        <key>PayloadUUID</key>
+        <string>{{.UUID}}</string>
+        <key>PayloadIdentifier</key>
+        <string>com.github.juanfont.headscale</string>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+        <key>PayloadEnabled</key>
+        <true/>
        <key>ControlURL</key>
        <string>{{.URL}}</string>
    </dict>
--- a/proto/headscale/v1/headscale.proto
+++ b/proto/headscale/v1/headscale.proto
@@ -126,17 +126,31 @@ service HeadscaleService {
    // --- Machine end ---

    // --- Route start ---
-    rpc GetMachineRoute(GetMachineRouteRequest) returns (GetMachineRouteResponse) {
+    rpc GetRoutes(GetRoutesRequest) returns (GetRoutesResponse) {
+        option (google.api.http) = {
+            get: "/api/v1/routes"
+        };
+    }
+
+    rpc EnableRoute(EnableRouteRequest) returns (EnableRouteResponse) {
+        option (google.api.http) = {
+            post: "/api/v1/routes/{route_id}/enable"
+        };
+    }
+
+    rpc DisableRoute(DisableRouteRequest) returns (DisableRouteResponse) {
+        option (google.api.http) = {
+            post: "/api/v1/routes/{route_id}/disable"
+        };
+    }
+
+
+    rpc GetMachineRoutes(GetMachineRoutesRequest) returns (GetMachineRoutesResponse) {
        option (google.api.http) = {
            get: "/api/v1/machine/{machine_id}/routes"
        };
    }

-    rpc EnableMachineRoutes(EnableMachineRoutesRequest) returns (EnableMachineRoutesResponse) {
-        option (google.api.http) = {
-            post: "/api/v1/machine/{machine_id}/routes"
-        };
-    }
    // --- Route end ---

    // --- ApiKeys start ---
--- a/proto/headscale/v1/routes.proto
+++ b/proto/headscale/v1/routes.proto
@@ -2,24 +2,47 @@ syntax = "proto3";
 package headscale.v1;
 option  go_package = "github.com/juanfont/headscale/gen/go/v1";

-message Routes {
-    repeated string advertised_routes = 1;
-    repeated string enabled_routes    = 2;
+import "google/protobuf/timestamp.proto";
+import "headscale/v1/machine.proto";
+
+message Route {
+    uint64  id          = 1;
+    Machine machine     = 2;
+    string  prefix      = 3;
+    bool    advertised   = 4;
+    bool    enabled     = 5;
+    bool    is_primary  = 6;
+
+    google.protobuf.Timestamp created_at = 7;
+    google.protobuf.Timestamp updated_at = 8;
+    google.protobuf.Timestamp deleted_at = 9;
 }

-message GetMachineRouteRequest {
+message GetRoutesRequest {
+}
+
+message GetRoutesResponse {
+    repeated Route routes = 1;
+}
+
+message EnableRouteRequest {
+    uint64 route_id = 1;
+}
+
+message EnableRouteResponse {
+}
+
+message DisableRouteRequest {
+    uint64 route_id = 1;
+}
+
+message DisableRouteResponse {
+}
+
+message GetMachineRoutesRequest {
    uint64 machine_id = 1;
 }

-message GetMachineRouteResponse {
-    Routes routes = 1;
-}
-
-message EnableMachineRoutesRequest {
-    uint64          machine_id = 1;
-    repeated string routes     = 2;
-}
-
-message EnableMachineRoutesResponse {
-    Routes routes = 1;
-}
+message GetMachineRoutesResponse {
+    repeated Route routes = 1;
+}
--- a/protocol_common.go
+++ b/protocol_common.go
@@ -435,6 +435,10 @@ func (h *Headscale) handleAuthKeyCommon(

 	resp.MachineAuthorized = true
 	resp.User = *pak.Namespace.toUser()
+	// Provide LoginName when registering with pre-auth key
+	// Otherwise it will need to exec `tailscale up` twice to fetch the *LoginName*
+	resp.Login = *pak.Namespace.toLogin()
+
 	respBody, err := h.marshalResponse(resp, machineKey)
 	if err != nil {
 		log.Error().
@@ -486,16 +490,17 @@ func (h *Headscale) handleNewMachineCommon(
 		Bool("noise", machineKey.IsZero()).
 		Str("machine", registerRequest.Hostinfo.Hostname).
 		Msg("The node seems to be new, sending auth url")
+
 	if h.oauth2Config != nil {
 		resp.AuthURL = fmt.Sprintf(
 			"%s/oidc/register/%s",
 			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			NodePublicKeyStripPrefix(registerRequest.NodeKey),
+			registerRequest.NodeKey,
 		)
 	} else {
 		resp.AuthURL = fmt.Sprintf("%s/register/%s",
 			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			NodePublicKeyStripPrefix(registerRequest.NodeKey))
+			registerRequest.NodeKey)
 	}

 	respBody, err := h.marshalResponse(resp, machineKey)
@@ -524,6 +529,7 @@ func (h *Headscale) handleNewMachineCommon(
 	log.Info().
 		Caller().
 		Bool("noise", machineKey.IsZero()).
+		Str("AuthURL", resp.AuthURL).
 		Str("machine", registerRequest.Hostinfo.Hostname).
 		Msg("Successfully sent auth url")
 }
@@ -722,11 +728,11 @@ func (h *Headscale) handleMachineExpiredCommon(
 	if h.oauth2Config != nil {
 		resp.AuthURL = fmt.Sprintf("%s/oidc/register/%s",
 			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			NodePublicKeyStripPrefix(registerRequest.NodeKey))
+			registerRequest.NodeKey)
 	} else {
 		resp.AuthURL = fmt.Sprintf("%s/register/%s",
 			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			NodePublicKeyStripPrefix(registerRequest.NodeKey))
+			registerRequest.NodeKey)
 	}

 	respBody, err := h.marshalResponse(resp, machineKey)
--- a/protocol_common_poll.go
+++ b/protocol_common_poll.go
@@ -32,6 +32,15 @@ func (h *Headscale) handlePollCommon(
 	machine.DiscoKey = DiscoPublicKeyStripPrefix(mapRequest.DiscoKey)
 	now := time.Now().UTC()

+	err := h.processMachineRoutes(machine)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Str("machine", machine.Hostname).
+			Msg("Error processing machine routes")
+	}
+
 	// update ACLRules with peer informations (to update server tags if necessary)
 	if h.aclPolicy != nil {
 		err := h.UpdateACLRules()
@@ -44,7 +53,15 @@ func (h *Headscale) handlePollCommon(
 		}

 		// update routes with peer information
-		h.EnableAutoApprovedRoutes(machine)
+		err = h.EnableAutoApprovedRoutes(machine)
+		if err != nil {
+			log.Error().
+				Caller().
+				Bool("noise", isNoise).
+				Str("machine", machine.Hostname).
+				Err(err).
+				Msg("Error running auto approved routes")
+		}
 	}

 	// From Tailscale client:
@@ -451,7 +468,7 @@ func (h *Headscale) pollNetMapStream(
 					Time("last_successful_update", lastUpdate).
 					Time("last_state_change", h.getLastStateChange(machine.Namespace)).
 					Msgf("There has been updates since the last successful update to %s", machine.Hostname)
-				data, err := h.getMapResponseData(mapRequest, machine, false)
+				data, err := h.getMapResponseData(mapRequest, machine, isNoise)
 				if err != nil {
 					log.Error().
 						Str("handler", "PollNetMapStream").
@@ -622,7 +639,7 @@ func (h *Headscale) scheduledPollWorker(
 	defer closeChanWithLog(
 		keepAliveChan,
 		fmt.Sprint(ctx.Value(machineNameContextKey)),
-		"updateChan",
+		"keepAliveChan",
 	)

 	for {
--- a/protocol_legacy.go
+++ b/protocol_legacy.go
@@ -1,3 +1,5 @@
+//go:build ts2019
+
 package headscale

 import (
--- a/protocol_legacy_poll.go
+++ b/protocol_legacy_poll.go
@@ -1,3 +1,5 @@
+//go:build ts2019
+
 package headscale

 import (
--- a/routes.go
+++ b/routes.go
@@ -1,118 +1,338 @@
 package headscale

 import (
+	"errors"
 	"fmt"
 	"net/netip"
+
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/rs/zerolog/log"
+	"google.golang.org/protobuf/types/known/timestamppb"
+	"gorm.io/gorm"
 )

 const (
 	ErrRouteIsNotAvailable = Error("route is not available")
 )

-// Deprecated: use machine function instead
-// GetAdvertisedNodeRoutes returns the subnet routes advertised by a node (identified by
-// namespace and node name).
-func (h *Headscale) GetAdvertisedNodeRoutes(
-	namespace string,
-	nodeName string,
-) (*[]netip.Prefix, error) {
-	machine, err := h.GetMachine(namespace, nodeName)
+var (
+	ExitRouteV4 = netip.MustParsePrefix("0.0.0.0/0")
+	ExitRouteV6 = netip.MustParsePrefix("::/0")
+)
+
+type Route struct {
+	gorm.Model
+
+	MachineID uint64
+	Machine   Machine
+	Prefix    IPPrefix
+
+	Advertised bool
+	Enabled    bool
+	IsPrimary  bool
+}
+
+type Routes []Route
+
+func (r *Route) String() string {
+	return fmt.Sprintf("%s:%s", r.Machine, netip.Prefix(r.Prefix).String())
+}
+
+func (r *Route) isExitRoute() bool {
+	return netip.Prefix(r.Prefix) == ExitRouteV4 || netip.Prefix(r.Prefix) == ExitRouteV6
+}
+
+func (rs Routes) toPrefixes() []netip.Prefix {
+	prefixes := make([]netip.Prefix, len(rs))
+	for i, r := range rs {
+		prefixes[i] = netip.Prefix(r.Prefix)
+	}
+
+	return prefixes
+}
+
+func (h *Headscale) GetRoutes() ([]Route, error) {
+	var routes []Route
+	err := h.db.Preload("Machine").Find(&routes).Error
 	if err != nil {
 		return nil, err
 	}

-	return &machine.HostInfo.RoutableIPs, nil
+	return routes, nil
 }

-// Deprecated: use machine function instead
-// GetEnabledNodeRoutes returns the subnet routes enabled by a node (identified by
-// namespace and node name).
-func (h *Headscale) GetEnabledNodeRoutes(
-	namespace string,
-	nodeName string,
-) ([]netip.Prefix, error) {
-	machine, err := h.GetMachine(namespace, nodeName)
+func (h *Headscale) GetMachineRoutes(m *Machine) ([]Route, error) {
+	var routes []Route
+	err := h.db.
+		Preload("Machine").
+		Where("machine_id = ?", m.ID).
+		Find(&routes).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, err
+	}
+
+	return routes, nil
+}
+
+func (h *Headscale) GetRoute(id uint64) (*Route, error) {
+	var route Route
+	err := h.db.Preload("Machine").First(&route, id).Error
 	if err != nil {
 		return nil, err
 	}

-	return machine.EnabledRoutes, nil
+	return &route, nil
 }

-// Deprecated: use machine function instead
-// IsNodeRouteEnabled checks if a certain route has been enabled.
-func (h *Headscale) IsNodeRouteEnabled(
-	namespace string,
-	nodeName string,
-	routeStr string,
-) bool {
-	route, err := netip.ParsePrefix(routeStr)
+func (h *Headscale) EnableRoute(id uint64) error {
+	route, err := h.GetRoute(id)
 	if err != nil {
-		return false
+		return err
 	}

-	enabledRoutes, err := h.GetEnabledNodeRoutes(namespace, nodeName)
-	if err != nil {
-		return false
-	}
-
-	for _, enabledRoute := range enabledRoutes {
-		if route == enabledRoute {
-			return true
-		}
-	}
-
-	return false
+	return h.EnableRoutes(&route.Machine, netip.Prefix(route.Prefix).String())
 }

-// Deprecated: use EnableRoute in machine.go
-// EnableNodeRoute enables a subnet route advertised by a node (identified by
-// namespace and node name).
-func (h *Headscale) EnableNodeRoute(
-	namespace string,
-	nodeName string,
-	routeStr string,
-) error {
-	machine, err := h.GetMachine(namespace, nodeName)
+func (h *Headscale) DisableRoute(id uint64) error {
+	route, err := h.GetRoute(id)
 	if err != nil {
 		return err
 	}

-	route, err := netip.ParsePrefix(routeStr)
+	route.Enabled = false
+	route.IsPrimary = false
+	err = h.db.Save(route).Error
 	if err != nil {
 		return err
 	}

-	availableRoutes, err := h.GetAdvertisedNodeRoutes(namespace, nodeName)
+	return h.handlePrimarySubnetFailover()
+}
+
+// isUniquePrefix returns if there is another machine providing the same route already.
+func (h *Headscale) isUniquePrefix(route Route) bool {
+	var count int64
+	h.db.
+		Model(&Route{}).
+		Where("prefix = ? AND machine_id != ? AND advertised = ? AND enabled = ?",
+			route.Prefix,
+			route.MachineID,
+			true, true).Count(&count)
+
+	return count == 0
+}
+
+func (h *Headscale) getPrimaryRoute(prefix netip.Prefix) (*Route, error) {
+	var route Route
+	err := h.db.
+		Preload("Machine").
+		Where("prefix = ? AND advertised = ? AND enabled = ? AND is_primary = ?", IPPrefix(prefix), true, true, true).
+		First(&route).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, err
+	}
+
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, gorm.ErrRecordNotFound
+	}
+
+	return &route, nil
+}
+
+// getMachinePrimaryRoutes returns the routes that are enabled and marked as primary (for subnet failover)
+// Exit nodes are not considered for this, as they are never marked as Primary.
+func (h *Headscale) getMachinePrimaryRoutes(m *Machine) ([]Route, error) {
+	var routes []Route
+	err := h.db.
+		Preload("Machine").
+		Where("machine_id = ? AND advertised = ? AND enabled = ? AND is_primary = ?", m.ID, true, true, true).
+		Find(&routes).Error
+	if err != nil {
+		return nil, err
+	}
+
+	return routes, nil
+}
+
+func (h *Headscale) processMachineRoutes(machine *Machine) error {
+	currentRoutes := []Route{}
+	err := h.db.Where("machine_id = ?", machine.ID).Find(&currentRoutes).Error
 	if err != nil {
 		return err
 	}

-	enabledRoutes, err := h.GetEnabledNodeRoutes(namespace, nodeName)
-	if err != nil {
-		return err
+	advertisedRoutes := map[netip.Prefix]bool{}
+	for _, prefix := range machine.HostInfo.RoutableIPs {
+		advertisedRoutes[prefix] = false
 	}

-	available := false
-	for _, availableRoute := range *availableRoutes {
-		// If the route is available, and not yet enabled, add it to the new routing table
-		if route == availableRoute {
-			available = true
-			if !h.IsNodeRouteEnabled(namespace, nodeName, routeStr) {
-				enabledRoutes = append(enabledRoutes, route)
+	for pos, route := range currentRoutes {
+		if _, ok := advertisedRoutes[netip.Prefix(route.Prefix)]; ok {
+			if !route.Advertised {
+				currentRoutes[pos].Advertised = true
+				err := h.db.Save(&currentRoutes[pos]).Error
+				if err != nil {
+					return err
+				}
+			}
+			advertisedRoutes[netip.Prefix(route.Prefix)] = true
+		} else if route.Advertised {
+			currentRoutes[pos].Advertised = false
+			currentRoutes[pos].Enabled = false
+			err := h.db.Save(&currentRoutes[pos]).Error
+			if err != nil {
+				return err
 			}
 		}
 	}

-	if !available {
-		return ErrRouteIsNotAvailable
-	}
-
-	machine.EnabledRoutes = enabledRoutes
-
-	if err := h.db.Save(&machine).Error; err != nil {
-		return fmt.Errorf("failed to update node routes in the database: %w", err)
+	for prefix, exists := range advertisedRoutes {
+		if !exists {
+			route := Route{
+				MachineID:  machine.ID,
+				Prefix:     IPPrefix(prefix),
+				Advertised: true,
+				Enabled:    false,
+			}
+			err := h.db.Create(&route).Error
+			if err != nil {
+				return err
+			}
+		}
 	}

 	return nil
 }
+
+func (h *Headscale) handlePrimarySubnetFailover() error {
+	// first, get all the enabled routes
+	var routes []Route
+	err := h.db.
+		Preload("Machine").
+		Where("advertised = ? AND enabled = ?", true, true).
+		Find(&routes).Error
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+		log.Error().Err(err).Msg("error getting routes")
+	}
+
+	for pos, route := range routes {
+		if route.isExitRoute() {
+			continue
+		}
+
+		if !route.IsPrimary {
+			_, err := h.getPrimaryRoute(netip.Prefix(route.Prefix))
+			if h.isUniquePrefix(route) || errors.Is(err, gorm.ErrRecordNotFound) {
+				log.Info().
+					Str("prefix", netip.Prefix(route.Prefix).String()).
+					Str("machine", route.Machine.GivenName).
+					Msg("Setting primary route")
+				routes[pos].IsPrimary = true
+				err := h.db.Save(&routes[pos]).Error
+				if err != nil {
+					log.Error().Err(err).Msg("error marking route as primary")
+
+					return err
+				}
+
+				continue
+			}
+		}
+
+		if route.IsPrimary {
+			if route.Machine.isOnline() {
+				continue
+			}
+
+			// machine offline, find a new primary
+			log.Info().
+				Str("machine", route.Machine.Hostname).
+				Str("prefix", netip.Prefix(route.Prefix).String()).
+				Msgf("machine offline, finding a new primary subnet")
+
+			// find a new primary route
+			var newPrimaryRoutes []Route
+			err := h.db.
+				Preload("Machine").
+				Where("prefix = ? AND machine_id != ? AND advertised = ? AND enabled = ?",
+					route.Prefix,
+					route.MachineID,
+					true, true).
+				Find(&newPrimaryRoutes).Error
+			if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
+				log.Error().Err(err).Msg("error finding new primary route")
+
+				return err
+			}
+
+			var newPrimaryRoute *Route
+			for pos, r := range newPrimaryRoutes {
+				if r.Machine.isOnline() {
+					newPrimaryRoute = &newPrimaryRoutes[pos]
+
+					break
+				}
+			}
+
+			if newPrimaryRoute == nil {
+				log.Warn().
+					Str("machine", route.Machine.Hostname).
+					Str("prefix", netip.Prefix(route.Prefix).String()).
+					Msgf("no alternative primary route found")
+
+				continue
+			}
+
+			log.Info().
+				Str("old_machine", route.Machine.Hostname).
+				Str("prefix", netip.Prefix(route.Prefix).String()).
+				Str("new_machine", newPrimaryRoute.Machine.Hostname).
+				Msgf("found new primary route")
+
+			// disable the old primary route
+			routes[pos].IsPrimary = false
+			err = h.db.Save(&routes[pos]).Error
+			if err != nil {
+				log.Error().Err(err).Msg("error disabling old primary route")
+
+				return err
+			}
+
+			// enable the new primary route
+			newPrimaryRoute.IsPrimary = true
+			err = h.db.Save(&newPrimaryRoute).Error
+			if err != nil {
+				log.Error().Err(err).Msg("error enabling new primary route")
+
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+func (rs Routes) toProto() []*v1.Route {
+	protoRoutes := []*v1.Route{}
+
+	for _, route := range rs {
+		protoRoute := v1.Route{
+			Id:         uint64(route.ID),
+			Machine:    route.Machine.toProto(),
+			Prefix:     netip.Prefix(route.Prefix).String(),
+			Advertised: route.Advertised,
+			Enabled:    route.Enabled,
+			IsPrimary:  route.IsPrimary,
+			CreatedAt:  timestamppb.New(route.CreatedAt),
+			UpdatedAt:  timestamppb.New(route.UpdatedAt),
+		}
+
+		if route.DeletedAt.Valid {
+			protoRoute.DeletedAt = timestamppb.New(route.DeletedAt.Time)
+		}
+
+		protoRoutes = append(protoRoutes, &protoRoute)
+	}
+
+	return protoRoutes
+}
--- a/routes_test.go
+++ b/routes_test.go
@@ -2,6 +2,7 @@ package headscale

 import (
 	"net/netip"
+	"time"

 	"gopkg.in/check.v1"
 	"tailscale.com/tailcfg"
@@ -37,17 +38,17 @@ func (s *Suite) TestGetRoutes(c *check.C) {
 	}
 	app.db.Save(&machine)

-	advertisedRoutes, err := app.GetAdvertisedNodeRoutes(
-		"test",
-		"test_get_route_machine",
-	)
+	err = app.processMachineRoutes(&machine)
 	c.Assert(err, check.IsNil)
-	c.Assert(len(*advertisedRoutes), check.Equals, 1)

-	err = app.EnableNodeRoute("test", "test_get_route_machine", "192.168.0.0/24")
+	advertisedRoutes, err := app.GetAdvertisedRoutes(&machine)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(advertisedRoutes), check.Equals, 1)
+
+	err = app.EnableRoutes(&machine, "192.168.0.0/24")
 	c.Assert(err, check.NotNil)

-	err = app.EnableNodeRoute("test", "test_get_route_machine", "10.0.0.0/24")
+	err = app.EnableRoutes(&machine, "10.0.0.0/24")
 	c.Assert(err, check.IsNil)
 }

@@ -88,48 +89,266 @@ func (s *Suite) TestGetEnableRoutes(c *check.C) {
 	}
 	app.db.Save(&machine)

-	availableRoutes, err := app.GetAdvertisedNodeRoutes(
-		"test",
-		"test_enable_route_machine",
-	)
+	err = app.processMachineRoutes(&machine)
 	c.Assert(err, check.IsNil)
-	c.Assert(len(*availableRoutes), check.Equals, 2)

-	noEnabledRoutes, err := app.GetEnabledNodeRoutes(
-		"test",
-		"test_enable_route_machine",
-	)
+	availableRoutes, err := app.GetAdvertisedRoutes(&machine)
+	c.Assert(err, check.IsNil)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(availableRoutes), check.Equals, 2)
+
+	noEnabledRoutes, err := app.GetEnabledRoutes(&machine)
 	c.Assert(err, check.IsNil)
 	c.Assert(len(noEnabledRoutes), check.Equals, 0)

-	err = app.EnableNodeRoute("test", "test_enable_route_machine", "192.168.0.0/24")
+	err = app.EnableRoutes(&machine, "192.168.0.0/24")
 	c.Assert(err, check.NotNil)

-	err = app.EnableNodeRoute("test", "test_enable_route_machine", "10.0.0.0/24")
+	err = app.EnableRoutes(&machine, "10.0.0.0/24")
 	c.Assert(err, check.IsNil)

-	enabledRoutes, err := app.GetEnabledNodeRoutes("test", "test_enable_route_machine")
+	enabledRoutes, err := app.GetEnabledRoutes(&machine)
 	c.Assert(err, check.IsNil)
 	c.Assert(len(enabledRoutes), check.Equals, 1)

 	// Adding it twice will just let it pass through
-	err = app.EnableNodeRoute("test", "test_enable_route_machine", "10.0.0.0/24")
+	err = app.EnableRoutes(&machine, "10.0.0.0/24")
 	c.Assert(err, check.IsNil)

-	enableRoutesAfterDoubleApply, err := app.GetEnabledNodeRoutes(
-		"test",
-		"test_enable_route_machine",
-	)
+	enableRoutesAfterDoubleApply, err := app.GetEnabledRoutes(&machine)
 	c.Assert(err, check.IsNil)
 	c.Assert(len(enableRoutesAfterDoubleApply), check.Equals, 1)

-	err = app.EnableNodeRoute("test", "test_enable_route_machine", "150.0.10.0/25")
+	err = app.EnableRoutes(&machine, "150.0.10.0/25")
 	c.Assert(err, check.IsNil)

-	enabledRoutesWithAdditionalRoute, err := app.GetEnabledNodeRoutes(
-		"test",
-		"test_enable_route_machine",
-	)
+	enabledRoutesWithAdditionalRoute, err := app.GetEnabledRoutes(&machine)
 	c.Assert(err, check.IsNil)
 	c.Assert(len(enabledRoutesWithAdditionalRoute), check.Equals, 2)
 }
+
+func (s *Suite) TestIsUniquePrefix(c *check.C) {
+	namespace, err := app.CreateNamespace("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = app.GetMachine("test", "test_enable_route_machine")
+	c.Assert(err, check.NotNil)
+
+	route, err := netip.ParsePrefix(
+		"10.0.0.0/24",
+	)
+	c.Assert(err, check.IsNil)
+
+	route2, err := netip.ParsePrefix(
+		"150.0.10.0/25",
+	)
+	c.Assert(err, check.IsNil)
+
+	hostInfo1 := tailcfg.Hostinfo{
+		RoutableIPs: []netip.Prefix{route, route2},
+	}
+	machine1 := Machine{
+		ID:             1,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "test_enable_route_machine",
+		NamespaceID:    namespace.ID,
+		RegisterMethod: RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       HostInfo(hostInfo1),
+	}
+	app.db.Save(&machine1)
+
+	err = app.processMachineRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+
+	err = app.EnableRoutes(&machine1, route.String())
+	c.Assert(err, check.IsNil)
+
+	err = app.EnableRoutes(&machine1, route2.String())
+	c.Assert(err, check.IsNil)
+
+	hostInfo2 := tailcfg.Hostinfo{
+		RoutableIPs: []netip.Prefix{route2},
+	}
+	machine2 := Machine{
+		ID:             2,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "test_enable_route_machine",
+		NamespaceID:    namespace.ID,
+		RegisterMethod: RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       HostInfo(hostInfo2),
+	}
+	app.db.Save(&machine2)
+
+	err = app.processMachineRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+
+	err = app.EnableRoutes(&machine2, route2.String())
+	c.Assert(err, check.IsNil)
+
+	enabledRoutes1, err := app.GetEnabledRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(enabledRoutes1), check.Equals, 2)
+
+	enabledRoutes2, err := app.GetEnabledRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(enabledRoutes2), check.Equals, 1)
+
+	routes, err := app.getMachinePrimaryRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 2)
+
+	routes, err = app.getMachinePrimaryRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 0)
+}
+
+func (s *Suite) TestSubnetFailover(c *check.C) {
+	namespace, err := app.CreateNamespace("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = app.GetMachine("test", "test_enable_route_machine")
+	c.Assert(err, check.NotNil)
+
+	prefix, err := netip.ParsePrefix(
+		"10.0.0.0/24",
+	)
+	c.Assert(err, check.IsNil)
+
+	prefix2, err := netip.ParsePrefix(
+		"150.0.10.0/25",
+	)
+	c.Assert(err, check.IsNil)
+
+	hostInfo1 := tailcfg.Hostinfo{
+		RoutableIPs: []netip.Prefix{prefix, prefix2},
+	}
+
+	now := time.Now()
+	machine1 := Machine{
+		ID:             1,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "test_enable_route_machine",
+		NamespaceID:    namespace.ID,
+		RegisterMethod: RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       HostInfo(hostInfo1),
+		LastSeen:       &now,
+	}
+	app.db.Save(&machine1)
+
+	err = app.processMachineRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+
+	err = app.EnableRoutes(&machine1, prefix.String())
+	c.Assert(err, check.IsNil)
+
+	err = app.EnableRoutes(&machine1, prefix2.String())
+	c.Assert(err, check.IsNil)
+
+	err = app.handlePrimarySubnetFailover()
+	c.Assert(err, check.IsNil)
+
+	enabledRoutes1, err := app.GetEnabledRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(enabledRoutes1), check.Equals, 2)
+
+	route, err := app.getPrimaryRoute(prefix)
+	c.Assert(err, check.IsNil)
+	c.Assert(route.MachineID, check.Equals, machine1.ID)
+
+	hostInfo2 := tailcfg.Hostinfo{
+		RoutableIPs: []netip.Prefix{prefix2},
+	}
+	machine2 := Machine{
+		ID:             2,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "test_enable_route_machine",
+		NamespaceID:    namespace.ID,
+		RegisterMethod: RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       HostInfo(hostInfo2),
+		LastSeen:       &now,
+	}
+	app.db.Save(&machine2)
+
+	err = app.processMachineRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+
+	err = app.EnableRoutes(&machine2, prefix2.String())
+	c.Assert(err, check.IsNil)
+
+	err = app.handlePrimarySubnetFailover()
+	c.Assert(err, check.IsNil)
+
+	enabledRoutes1, err = app.GetEnabledRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(enabledRoutes1), check.Equals, 2)
+
+	enabledRoutes2, err := app.GetEnabledRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(enabledRoutes2), check.Equals, 1)
+
+	routes, err := app.getMachinePrimaryRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 2)
+
+	routes, err = app.getMachinePrimaryRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 0)
+
+	// lets make machine1 lastseen 10 mins ago
+	before := now.Add(-10 * time.Minute)
+	machine1.LastSeen = &before
+	err = app.db.Save(&machine1).Error
+	c.Assert(err, check.IsNil)
+
+	err = app.handlePrimarySubnetFailover()
+	c.Assert(err, check.IsNil)
+
+	routes, err = app.getMachinePrimaryRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 1)
+
+	routes, err = app.getMachinePrimaryRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 1)
+
+	machine2.HostInfo = HostInfo(tailcfg.Hostinfo{
+		RoutableIPs: []netip.Prefix{prefix, prefix2},
+	})
+	err = app.db.Save(&machine2).Error
+	c.Assert(err, check.IsNil)
+
+	err = app.processMachineRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+
+	err = app.EnableRoutes(&machine2, prefix.String())
+	c.Assert(err, check.IsNil)
+
+	err = app.handlePrimarySubnetFailover()
+	c.Assert(err, check.IsNil)
+
+	routes, err = app.getMachinePrimaryRoutes(&machine1)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 0)
+
+	routes, err = app.getMachinePrimaryRoutes(&machine2)
+	c.Assert(err, check.IsNil)
+	c.Assert(len(routes), check.Equals, 2)
+}
--- a/templates/apple.html
+++ b/templates/apple.html
@@ -0,0 +1,124 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Document</title>
+  </head>
+
+  <body>
+    <h1>headscale</h1>
+    <h2>Recent Tailscale versions (1.34.0 and higher)</h2>
+    <p>
+      Tailscale added Fast User Switching in version 1.34 and you can now use
+      the new login command to connect to one or more headscale (and Tailscale)
+      servers. The previously used profiles does not have an effect anymore.
+    </p>
+    <h3>Command line</h3>
+    <p>Use Tailscale's login command to add your profile:</p>
+    <pre><code>tailscale login --login-server {{.URL}}</code></pre>
+
+    <h3>GUI</h3>
+    <ol>
+      <li>
+        ALT + Click the Tailscale icon in the menu and hover over the Debug menu
+      </li>
+      <li>Under "Custm Login Server", select "Add Account..."</li>
+      <li>
+        Enter "{{.URL}}" of the headscale instance and press "Add Account"
+      </li>
+      <li>Follow the login procedure in the browser</li>
+    </ol>
+
+    <h2>Apple configuration profiles (1.32.0 and lower)</h2>
+    <p>
+      This page provides
+      <a href="https://support.apple.com/guide/mdm/mdm-overview-mdmbf9e668/web">
+        configuration profiles
+      </a>
+      for the official Tailscale clients for
+    </p>
+    <ul>
+      <li>
+        <a href="https://apps.apple.com/us/app/tailscale/id1470499037?ls=1"
+          >iOS</a
+        >
+      </li>
+      <li>
+        <a href="https://apps.apple.com/ca/app/tailscale/id1475387142?mt=12"
+          >macOS - AppStore Client</a
+        >.
+      </li>
+      <li>
+        <a href="https://pkgs.tailscale.com/stable/#macos"
+          >macOS - Standalone Client</a
+        >.
+      </li>
+    </ul>
+    <p>
+      The profiles will configure Tailscale.app to use <code>{{.URL}}</code> as
+      its control server.
+    </p>
+
+    <h3>Caution</h3>
+    <p>
+      You should always download and inspect the profile before installing it:
+    </p>
+    <!--
+		<pre><code>curl {{.URL}}/apple/ios</code></pre>
+		-->
+    <pre><code>curl {{.URL}}/apple/macos</code></pre>
+
+    <h2>Profiles</h2>
+
+    <!--
+		<h3>iOS</h3>
+		<p>
+		    <a href="/apple/ios" download="headscale_ios.mobileconfig">iOS profile</a>
+		</p>
+		-->
+
+    <h3>macOS</h3>
+    <p>
+      Headscale can be set to the default server by installing a Headscale
+      configuration profile:
+    </p>
+    <p>
+      <a href="/apple/macos-app-store" download="headscale_macos.mobileconfig"
+        >macOS AppStore profile</a
+      >
+      <a href="/apple/macos-standalone" download="headscale_macos.mobileconfig"
+        >macOS Standalone profile</a
+      >
+    </p>
+
+    <ol>
+      <li>
+        Download the profile, then open it. When it has been opened, there
+        should be a notification that a profile can be installed
+      </li>
+      <li>Open System Preferences and go to "Profiles"</li>
+      <li>Find and install the Headscale profile</li>
+      <li>Restart Tailscale.app and log in</li>
+    </ol>
+
+    <p>Or</p>
+    <p>
+      Use your terminal to configure the default setting for Tailscale by
+      issuing:
+    </p>
+    <ul>
+      <li>
+        for app store client:
+        <code>defaults write io.tailscale.ipn.macos ControlURL {{.URL}}</code>
+      </li>
+      <li>
+        for standalone client:
+        <code>defaults write io.tailscale.ipn.macsys ControlURL {{.URL}}</code>
+      </li>
+    </ul>
+
+    <p>Restart Tailscale.app and log in.</p>
+  </body>
+</html>
--- a/templates/windows.html
+++ b/templates/windows.html
@@ -0,0 +1,74 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Document</title>
+  </head>
+
+  <body>
+    <h1>headscale</h1>
+    <h2>Recent Tailscale versions (1.34.0 and higher)</h2>
+    <p>
+      Tailscale added Fast User Switching in version 1.34 and you can now use
+      the new login command to connect to one or more headscale (and Tailscale)
+      servers. The previously used profiles does not have an effect anymore.
+    </p>
+    <p>Use Tailscale's login command to add your profile:</p>
+    <pre><code>tailscale login --login-server {{.URL}}</code></pre>
+
+    <h2>Windows registry configuration (1.32.0 and lower)</h2>
+    <p>
+      This page provides Windows registry information for the official Windows
+      Tailscale client.
+    </p>
+
+    <p></p>
+    <p>
+      The registry file will configure Tailscale to use <code>{{.URL}}</code> as
+      its control server.
+    </p>
+
+    <p></p>
+    <h3>Caution</h3>
+    <p>
+      You should always download and inspect the registry file before installing
+      it:
+    </p>
+    <pre><code>curl {{.URL}}/windows/tailscale.reg</code></pre>
+
+    <h2>Installation</h2>
+    <p>
+      Headscale can be set to the default server by running the registry file:
+    </p>
+
+    <p>
+      <a href="/windows/tailscale.reg" download="tailscale.reg"
+        >Windows registry file</a
+      >
+    </p>
+
+    <ol>
+      <li>Download the registry file, then run it</li>
+      <li>Follow the prompts</li>
+      <li>Install and run the official windows Tailscale client</li>
+      <li>
+        When the installation has finished, start Tailscale, and log in by
+        clicking the icon in the system tray
+      </li>
+    </ol>
+    <p>Or</p>
+    <p>
+      Open command prompt with Administrator rights. Issue the following
+      commands to add the required registry entries:
+    </p>
+    <pre>
+    <code>REG ADD "HKLM\Software\Tailscale IPN" /v UnattendedMode /t REG_SZ /d always
+      REG ADD "HKLM\Software\Tailscale IPN" /v LoginURL /t REG_SZ /d "{{.URL}}"</code>
+  </pre>
+    <p>Restart Tailscale and log in.</p>
+
+    <p></p>
+  </body>
+</html>
--- a/utils.go
+++ b/utils.go
@@ -254,16 +254,6 @@ func GrpcSocketDialer(ctx context.Context, addr string) (net.Conn, error) {
 	return d.DialContext(ctx, "unix", addr)
 }

-func ipPrefixToString(prefixes []netip.Prefix) []string {
-	result := make([]string, len(prefixes))
-
-	for index, prefix := range prefixes {
-		result[index] = prefix.String()
-	}
-
-	return result
-}
-
 func stringToIPPrefix(prefixes []string) ([]netip.Prefix, error) {
 	result := make([]netip.Prefix, len(prefixes))

@@ -347,7 +337,7 @@ func IsStringInSlice(slice []string, str string) bool {
 }

 func AbsolutePathFromConfigPath(path string) string {
-	// If a relative path is provided, prefix it with the the directory where
+	// If a relative path is provided, prefix it with the directory where
 	// the config file was found.
 	if (path != "") && !strings.HasPrefix(path, string(os.PathSeparator)) {
 		dir, _ := filepath.Split(viper.ConfigFileUsed())
Author	SHA1	Message	Date
Kristoffer Dalby	134c72f4fb	Set db_ssl to false by default, fixes #1043 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-07 14:58:47 +01:00
Zachary Newell	70f2f5d750	Added an OIDC AllowGroups option for authorization.	2022-12-07 08:53:16 +01:00
Kristoffer Dalby	4453728614	Murder docker container and network before run Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-06 08:52:21 +01:00
Juan Font	34107f9a0f	Updated changelog	2022-12-06 08:17:14 +01:00
Juan Font	52862b8a22	Port integration tests routes CLI to v2 Fix options signature	2022-12-06 08:17:14 +01:00
Juan Font	946d38e5d7	Minor linting fixes Remove magic number (base10...)	2022-12-06 08:17:14 +01:00
Juan Font	78819be03c	Use the new routes API from the CLI	2022-12-06 08:17:14 +01:00
Juan Font	34631dfcf5	Refactored route grpc glue code	2022-12-06 08:17:14 +01:00
Juan Font	8fa9755b55	Updated generated pb code Update swagger	2022-12-06 08:17:14 +01:00
Juan Font	1b557ac1ea	Update protobuf definitions + support methods for the API Add more logging Updated protos with new routes API	2022-12-06 08:17:14 +01:00
Juan Font	8170f5e693	Removed unused code and linting fixes Another bunch of gosec/golint related fixes Remove method no longer used	2022-12-06 08:17:14 +01:00
Juan Font	a506d0fcc8	Run handlePrimarySubnetFailover() with a ticker when Serve	2022-12-06 08:17:14 +01:00
Juan Font	6718ff71d3	Added helper methods for subnet failover + unit tests Added method to perform subnet failover Added tests for subnet failover	2022-12-06 08:17:14 +01:00
Juan Font	b62acff2e3	Refactor machine.go, and move functionality to routes.go + unit tests Port routes tests to new model Mark as primary the first instance of subnet + tests In preparation for subnet failover, mark the initial occurrence of a subnet as the primary one.	2022-12-06 08:17:14 +01:00
Juan Font	ac8bff716d	Call processMachineRoutes when a new Map is received	2022-12-06 08:17:14 +01:00
Juan Font	fba77de4eb	Add Route DB model and migration from existing field Add migration from Machine.EnabledRoutes to the new Route table Cleanup route.go and add helper methods to process HostInfo	2022-12-06 08:17:14 +01:00
github-actions[bot]	d1bca105ef	docs(README): update contributors	2022-12-05 22:05:25 +01:00
Juan Font	6c2d6fa302	Do not explicitly set the protocols when ommited in ACL	2022-12-05 21:45:18 +01:00
Kristoffer Dalby	1015bc3e02	Upgrade to Tailscale 1.34.0 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-05 20:41:15 +01:00
Kristoffer Dalby	68c72d03b5	Prep changelog for new release Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-05 20:41:15 +01:00
Kristoffer Dalby	bd4b2da06e	Add changelog entry to correct version Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-05 20:41:15 +01:00
Kristoffer Dalby	7b8cf5ef1a	Add 1.34.0 to integration tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-05 20:41:15 +01:00
Kristoffer Dalby	638a3d48ec	fix nix run Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-05 20:41:15 +01:00
Kristoffer Dalby	4de676c64e	Add instructions for macOS GUI Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-05 20:41:15 +01:00
Kristoffer Dalby	a58a552f0e	Update macos/windows doc Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-05 20:41:15 +01:00
Kristoffer Dalby	0db16c7bbe	Update nix deps, get go 1.19.3 in Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-05 10:40:17 +01:00
Kristoffer Dalby	06f7e7cfd8	Tag dockerfiles to minor version so we dont have to care about patch Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-05 10:40:17 +01:00
Kristoffer Dalby	19f12f94c0	Make goreleaser use Nix Eliminate one more place to make sure we use the same go version Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-05 10:40:17 +01:00
Kristoffer Dalby	95d3062c21	Add github action updater Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-05 10:40:17 +01:00
Kristoffer Dalby	86fa136a63	Upgrade go dependencies Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-05 10:40:17 +01:00
Juan Font	89c12072ba	added changelog for 0.17.1	2022-12-03 16:34:23 +01:00
Juan Font	54f701ff92	generateACLPolicy() no longer a Headscale method	2022-12-03 15:43:40 +01:00
Juan Font	5a70ea7326	Correct typo on standalone (fixes #1021 )	2022-12-01 17:01:20 +01:00
Kristoffer Dalby	63cd3122e6	Add breaking change about noise private path Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-01 14:47:19 +01:00
Kristoffer Dalby	6f4c6c1876	Ignore tparallel where it doesnt make sense Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-12-01 14:45:11 +01:00
Kristoffer Dalby	eb072a1a74	mark some changes as more important Signed-off-by: Kristoffer Dalby <kradalby@kradalby.no>	2022-11-26 12:01:12 +01:00
Kristoffer Dalby	36b8862e7c	Add notes about current ssh status Signed-off-by: Kristoffer Dalby <kradalby@kradalby.no>	2022-11-26 11:53:31 +01:00
Even Holthe	d4e3bf184b	Add experimental flag to unit test	2022-11-26 11:53:31 +01:00
Even Holthe	c28ca27133	Add SSH ACL to changelog	2022-11-26 11:53:31 +01:00
Kristoffer Dalby	c02e105065	Mark the flag properly experimental Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-26 11:53:31 +01:00
Kristoffer Dalby	22da5bfc1d	Enable SSH for tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-26 11:53:31 +01:00
Kristoffer Dalby	c6d31747f7	Add feature flag for SSH, and warning Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-26 11:53:31 +01:00
Kristoffer Dalby	91ed6e2197	Allow WithEnv to be passed multiple times Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-26 11:53:31 +01:00
Kristoffer Dalby	d71aef3b98	Mark all tests with Parallel Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-26 11:53:31 +01:00
Kristoffer Dalby	8a79c2e7ed	Do not retry on permission denied in ssh Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-26 11:53:31 +01:00
Kristoffer Dalby	f34e7c341b	Strip newline from hostname Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-26 11:53:31 +01:00
Kristoffer Dalby	e28d308796	Add negative tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-26 11:53:31 +01:00
Even Holthe	f610be632e	SSH: add test between namespaces	2022-11-26 11:53:31 +01:00
Even Holthe	fd6d25b5c1	SSH: Lint and typos	2022-11-26 11:53:31 +01:00
Kristoffer Dalby	3695284286	Make simple initial test case This commit makes the initial SSH test a bit simpler: - Use the same pattern/functions for all clients as other tests - Only test within _one_ namespace/user to confirm the base case - Use retry function, same as taildrop, there is some funky going on there... Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-26 11:53:31 +01:00
Kristoffer Dalby	cfaa36e51a	Add method to expose container id Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-26 11:53:31 +01:00
Kristoffer Dalby	d207c30949	Ensure we have ssh in container Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-26 11:53:31 +01:00
Even Holthe	519f22f9bf	SSH integration test setup	2022-11-26 11:53:31 +01:00
Even Holthe	52a323b90d	Add SSH capability advertisement Advertises the SSH capability, and parses the SSH ACLs to pass to the tailscale client. Doesn’t support ‘autogroup’ ACL functionality. Co-authored-by: Daniel Brooks <db48x@headline.com>	2022-11-26 11:53:31 +01:00
github-actions[bot]	91559d0558	docs(README): update contributors	2022-11-25 08:58:13 +01:00
Orville Q. Song	25195b8d73	Update CHANGELOG.md	2022-11-24 16:13:47 +01:00
Orville Q. Song	e69176e200	Tweak	2022-11-24 16:13:47 +01:00
Orville Q. Song	d29d0222af	Add a note about the db_ssl field in the example config file	2022-11-24 16:13:47 +01:00
Orville Q. Song	72b9803a08	Change DBssl to string	2022-11-24 16:13:47 +01:00
Kristoffer Dalby	99e33181b2	Make displayName include basedomain if set Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-22 19:16:58 +01:00
Kristoffer Dalby	e7f322b9b6	Mark all tests to run in parallel Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-22 13:18:58 +01:00
Juan Font	1d36e1775f	Remove OIDC action	2022-11-21 22:07:27 +01:00
Juan Font	0525bea593	Remove legacy OIDC tests	2022-11-21 22:07:27 +01:00
Juan Font	2770c7cc07	Initial proposal for better routing	2022-11-21 21:58:22 +01:00
Juan Font	1b0e80bb10	Add OIDC integration tests * Port OIDC integration tests to v2 * Move Tailscale old versions to TS2019 list * Remove Alpine Linux container * Updated changelog * Releases: use flavor to set the tag suffix * Added more debug messages in OIDC registration * Added more logging * Do not strip nodekey prefix on handle expired * Updated changelog * Add WithHostnameAsServerURL option func * Reduce the number of namespaces and use hsic.WithHostnameAsServerURL * Linting fix * Fix linting issues * Wait for ready outside the up goroutine * Minor change in log message * Add prefix to env var * Remove unused env var Co-authored-by: Juan Font <juan.font@esa.int> Co-authored-by: Steven Honson <steven@honson.id.au> Co-authored-by: Kristoffer Dalby <kristoffer@dalby.cc>	2022-11-21 21:51:54 +01:00
Kristoffer Dalby	4ccc528d96	Remove some very verbose error outputs Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-21 14:37:50 +01:00
Juan Font	6a311f4ab6	Remove broken renovatebot	2022-11-20 17:19:50 +01:00
manju-rn	a49a405413	Correction in the sample config file Added the db_type in the sample config.yaml Without this entry, the container throws Unsupported DB error `db_type: sqlite3`	2022-11-20 17:12:13 +01:00
Juan Font	24f946e2e9	Fix completion issues (fixes #839 )	2022-11-20 13:57:38 +01:00
Juan Font	c3cdb340de	Increase integration tests timeout to 120m	2022-11-20 12:56:07 +01:00
Juan Font	935319a218	Remove mTLS from doc and config example	2022-11-19 19:50:34 +01:00
Juan Font	4c7e15a7ce	Remove mTLS config from integration config	2022-11-19 19:50:34 +01:00
Juan Font	d461097247	Remove mTLS stuff from code	2022-11-19 19:50:34 +01:00
Juan Font	f90a3c196c	Move TS WaitForReady outside up goroutine	2022-11-19 17:16:08 +01:00
Juan Font Alonso	751cc173d4	Fix issue when CLI is configured in config file	2022-11-18 19:19:56 +01:00
Juan Font Alonso	ff134f2b8e	Fix remote CLI when there is no config file present	2022-11-18 19:19:56 +01:00
Arnar Gauti Ingason	6d3ede1367	Add support for NextDNS resolver	2022-11-18 09:38:46 +01:00
Steven Honson	c0884f94b8	Release: tag every release with develop	2022-11-17 16:52:12 +01:00
Kristoffer Dalby	3d8dd68b14	default to localhost, not listen on all Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-16 17:37:35 +01:00
Kristoffer Dalby	b02e88364e	Fix test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-16 17:37:35 +01:00
Kristoffer Dalby	9790831afb	Make config example "local dev first" Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-16 17:37:35 +01:00
Juan Font Alonso	2d79179141	Updated changelog	2022-11-15 21:28:26 +01:00
Juan Font Alonso	275cc28193	Do not strip nodekey prefix on handle expired	2022-11-15 21:28:26 +01:00
Juan Font	c5ba7552c5	Added more logging	2022-11-15 21:28:26 +01:00
Juan Font	8909f801bb	Added more debug messages in OIDC registration	2022-11-15 21:28:26 +01:00
Steven Honson	3d4af52b3a	Releases: use flavor to set the tag suffix	2022-11-15 11:36:38 +01:00
Juan Font	6391555dab	Updated changelog	2022-11-15 08:42:29 +01:00
Juan Font	8cc5b2174b	Remove Alpine Linux container	2022-11-15 08:42:29 +01:00
Juan Font	9269dd01f5	Move Tailscale old versions to TS2019 list	2022-11-14 23:06:30 +01:00
Juan Font	ef68f17a96	Return the correct error on cache miss	2022-11-14 18:34:27 +01:00
Juan Font	f74266f8f8	OIDC code cleanup and harmonize with regular web auth	2022-11-14 18:34:27 +01:00
Kristoffer Dalby	46df219ed3	Add testname identifier to hs container Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	835288d864	Remove unused variable Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	93d56362af	Lock and unify headscale start/get method Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	4799859be0	Fix renamed method Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	8e44596171	less verbose command output Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	d479234058	Split ts versions into 2019/2021 for dedicated tests later Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	3fc5866de0	Remove duplicate function Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	f3c40086ac	Make TLS setup work automatically This commit injects the per-test-generated tls certs into the tailscale container and makes sure all can ping all. It does not test any of the DERP isolation yet. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	09ed21edd8	Remove duplicate function Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	456479eaa1	Rename and move wait for headscale Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	cb87852825	Add nolint to gosec stuff that doesnt matter because test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	69440058bb	Clean up cert function Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Kristoffer Dalby	9bc6ac0f35	Make TLS setup work automatically This commit injects the per-test-generated tls certs into the tailscale container and makes sure all can ping all. It does not test any of the DERP isolation yet. Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-14 16:50:28 +01:00
Juan Font Alonso	89ff5c83d2	Add web flow auth integration tests	2022-11-14 08:47:02 +01:00
Juan Font Alonso	0a47d694be	Return the real port of the container	2022-11-14 08:47:02 +01:00
Juan Font Alonso	73c84d4f6a	Print hostname of the machine registered	2022-11-14 08:47:02 +01:00
Juan Font Alonso	a9251d6652	Fixed linter issues	2022-11-13 22:33:41 +01:00
Juan Font Alonso	f9c44f11d6	Added method to run tailscale up without authkey	2022-11-13 22:33:41 +01:00
Juan Font Alonso	1f8bd24a0d	Return stderr in tsic.Execute	2022-11-13 22:33:41 +01:00
Juan Font Alonso	7bf2eb3d71	Update Tailscale interface with new Execute signature	2022-11-13 22:33:41 +01:00
Juan Font Alonso	f5a5437917	disable interfacebloat linter	2022-11-13 18:30:00 +01:00
Juan Font Alonso	9989657c0f	Wait for tailscale client to be ready after tailscale up	2022-11-13 18:30:00 +01:00
Juan Font Alonso	cb2790984f	Added WaitForReady() to Tailscale interface When using running `tailscale up` in the AuthKey flow process, the tailscale client immediately enters PollMap after registration - avoiding a race condition. When using the web auth (up -> go to the Control website -> CLI `register`) the client is polling checking if it has been authorized. If we immediately ask for the client IP, as done in CreateHeadscaleEnv() we might have the client in NotReady status. This method provides a way to wait for the client to be ready. Signed-off-by: Juan Font Alonso <juanfontalonso@gmail.com>	2022-11-13 18:30:00 +01:00
Juan Font Alonso	18c0009a51	Fix oidc.go linting issues Signed-off-by: Juan Font Alonso <juanfontalonso@gmail.com>	2022-11-13 15:42:54 +01:00
Juan Font Alonso	d038df2a88	Added ts2019 buildtag to CI config Otherwise we are getting utils.go:119:6: `decode` is unused (deadcode) Signed-off-by: Juan Font Alonso <juanfontalonso@gmail.com>	2022-11-13 15:42:54 +01:00
Mesar Hameed	d8e9d95a3b	config-example.yaml: fix typos and improve english.	2022-11-10 15:52:57 +00:00
Grigoriy Mikhalkin	0e405c7ce0	remove private key constant errors from NewHeadscale	2022-11-10 15:35:22 +00:00
Anton Schubert	21f0e089b6	fix noise mapResponse updates, fixes #838	2022-11-10 14:44:44 +00:00
kyra	cfda804726	Provide LoginName when registering with pre-auth key	2022-11-06 19:09:52 +01:00
github-actions[bot]	d6b383dd2f	docs(README): update contributors	2022-11-05 16:03:17 +01:00
LiuHanCheng	07f92e647c	fix bug in #912 (#914 )	2022-11-05 09:07:22 +01:00
LiuHanCheng	bf87b33292	feat: add information to the `/apple` page for the macOS standalone client user (#915 ) Co-authored-by: Kristoffer Dalby <kristoffer@dalby.cc>	2022-11-04 12:27:23 +01:00
Kristoffer Dalby	527b580f5e	Add build flag to enable TS2019 (#928 )	2022-11-04 11:26:33 +01:00
Kristoffer Dalby	c31328a54a	Fix bitrotted versions in gh ci Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-04 10:46:23 +01:00
Kristoffer Dalby	b2c0e37122	Run on correct change Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-04 10:35:19 +01:00
Kristoffer Dalby	889223e35f	Add experimental kradalby gh runner Remove old v2 runner in favour of self-hosted Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2022-11-04 10:35:19 +01:00