Document ports in use

Ref: #1767
OIDC: Query userinfo endpoint before verifying user
2025-08-15 08:57:45 +00:00 · 2025-08-14 09:24:09 +02:00 · 2025-08-11 17:51:16 +02:00 · 2025-08-10 13:31:24 +02:00 · 2025-08-10 10:57:45 +02:00 · 2025-07-28 11:15:53 +02:00
512 changed files with 47066 additions and 27012 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -17,3 +17,7 @@ LICENSE
 .vscode

 *.sock
+
+node_modules/
+package-lock.json
+package.json
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,10 +1,10 @@
 * @juanfont @kradalby

-*.md @ohdearaugustin
-*.yml @ohdearaugustin
-*.yaml @ohdearaugustin
-Dockerfile* @ohdearaugustin
-.goreleaser.yaml @ohdearaugustin
-/docs/ @ohdearaugustin
-/.github/workflows/ @ohdearaugustin
-/.github/renovate.json @ohdearaugustin
+*.md @ohdearaugustin @nblock
+*.yml @ohdearaugustin @nblock
+*.yaml @ohdearaugustin @nblock
+Dockerfile* @ohdearaugustin @nblock
+.goreleaser.yaml @ohdearaugustin @nblock
+/docs/ @ohdearaugustin @nblock
+/.github/workflows/ @ohdearaugustin @nblock
+/.github/renovate.json @ohdearaugustin @nblock
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -6,14 +6,18 @@ body:
  - type: checkboxes
    attributes:
      label: Is this a support request?
-      description: This issue tracker is for bugs and feature requests only. If you need help, please use ask in our Discord community
+      description:
+        This issue tracker is for bugs and feature requests only. If you need
+        help, please use ask in our Discord community
      options:
        - label: This is not a support request
          required: true
  - type: checkboxes
    attributes:
      label: Is there an existing issue for this?
-      description: Please search to see if an issue already exists for the bug you encountered.
+      description:
+        Please search to see if an issue already exists for the bug you
+        encountered.
      options:
        - label: I have searched the existing issues
          required: true
@@ -44,10 +48,16 @@ body:
    attributes:
      label: Environment
      description: |
+        Please provide information about your environment.
+        If you are using a container, always provide the headscale version and not only the Docker image version.
+        Please do not put "latest".
+
+        If you are experiencing a problem during an upgrade, please provide the versions of the old and new versions of Headscale and Tailscale.
+
        examples:
-          - **OS**: Ubuntu 20.04
-          - **Headscale version**: 0.22.3
-          - **Tailscale version**: 1.64.0
+          - **OS**: Ubuntu 24.04
+          - **Headscale version**: 0.24.3
+          - **Tailscale version**: 1.80.0
      value: |
        - OS:
        - Headscale version:
@@ -65,19 +75,31 @@ body:
          required: false
  - type: textarea
    attributes:
-      label: Anything else?
+      label: Debug information
      description: |
-        Links? References? Anything that will give us more context about the issue you are encountering!
+        Please have a look at our [Debugging and troubleshooting
+        guide](https://headscale.net/development/ref/debug/) to learn about
+        common debugging techniques.
+
+        Links? References? Anything that will give us more context about the issue you are encountering.
+        If **any** of these are omitted we will likely close your issue, do **not** ignore them.

        - Client netmap dump (see below)
-        - ACL configuration
+        - Policy configuration
        - Headscale configuration
+        - Headscale log (with `trace` enabled)

        Dump the netmap of tailscale clients:
        `tailscale debug netmap > DESCRIPTIVE_NAME.json`

-        Please provide information describing the netmap, which client, which headscale version etc.
+        Dump the status of tailscale clients:
+        `tailscale status --json > DESCRIPTIVE_NAME.json`
+
+        Get the logs of a Tailscale client that is not working as expected.
+        `tailscale debug daemon-logs`

        Tip: You can attach images or log files by clicking this area to highlight it and then dragging files in.
+        **Ensure** you use formatting for files you attach.
+        Do **not** paste in long files.
    validations:
-      required: false
+      required: true
--- a/.github/ISSUE_TEMPLATE/feature_request.yaml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yaml
@@ -16,21 +16,24 @@ body:
  - type: textarea
    attributes:
      label: Description
-      description: A clear and precise description of what new or changed feature you want.
+      description:
+        A clear and precise description of what new or changed feature you want.
    validations:
      required: true
  - type: checkboxes
    attributes:
      label: Contribution
-      description: Are you willing to contribute to the implementation of this feature?
+      description:
+        Are you willing to contribute to the implementation of this feature?
      options:
        - label: I can write the design doc for this feature
-          required: true
+          required: false
        - label: I can contribute this feature
-          required: true
+          required: false
  - type: textarea
    attributes:
      label: How can it be implemented?
-      description: Free text for your ideas on how this feature could be implemented.
+      description:
+        Free text for your ideas on how this feature could be implemented.
    validations:
      required: false
--- a/.github/workflows/build-docker-pr.yml
+++ b/.github/workflows/build-docker-pr.yml
@@ -1,71 +0,0 @@
-name: Build
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - main
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    permissions: write-all
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 2
-      - name: Get changed files
-        id: changed-files
-        uses: dorny/paths-filter@v3
-        with:
-          filters: |
-            files:
-              - '*.nix'
-              - 'go.*'
-              - '**/*.go'
-              - 'integration_test/'
-              - 'config-example.yaml'
-      - uses: DeterminateSystems/nix-installer-action@main
-        if: steps.changed-files.outputs.files == 'true'
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-        if: steps.changed-files.outputs.files == 'true'
-
-      - name: Run build
-        id: build
-        if: steps.changed-files.outputs.files == 'true'
-        run: |
-          nix build |& tee build-result
-          BUILD_STATUS="${PIPESTATUS[0]}"
-
-          OLD_HASH=$(cat build-result | grep specified: | awk -F ':' '{print $2}' | sed 's/ //g')
-          NEW_HASH=$(cat build-result | grep got: | awk -F ':' '{print $2}' | sed 's/ //g')
-
-          echo "OLD_HASH=$OLD_HASH" >> $GITHUB_OUTPUT
-          echo "NEW_HASH=$NEW_HASH" >> $GITHUB_OUTPUT
-
-          exit $BUILD_STATUS
-
-      - name: Nix gosum diverging
-        uses: actions/github-script@v6
-        if: failure() && steps.build.outcome == 'failure'
-        with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          script: |
-            github.rest.pulls.createReviewComment({
-              pull_number: context.issue.number,
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              body: 'Nix build failed with wrong gosum, please update "vendorSha256" (${{ steps.build.outputs.OLD_HASH }}) for the "headscale" package in flake.nix with the new SHA: ${{ steps.build.outputs.NEW_HASH }}'
-            })
-
-      - uses: actions/upload-artifact@v4
-        if: steps.changed-files.outputs.files == 'true'
-        with:
-          name: headscale-linux
-          path: result/bin/headscale
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,7 +1,10 @@
-name: Build Docker images for PRs
+name: Build

 on:
-  pull_request_target:
+  push:
+    branches:
+      - main
+  pull_request:
    branches:
      - main

@@ -10,16 +13,16 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  build:
+  build-nix:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 2
      - name: Get changed files
        id: changed-files
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          filters: |
            files:
@@ -28,34 +31,73 @@ jobs:
              - '**/*.go'
              - 'integration_test/'
              - 'config-example.yaml'
-              - '.ko.yaml'
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
        if: steps.changed-files.outputs.files == 'true'
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
        if: steps.changed-files.outputs.files == 'true'
+        with:
+          primary-key:
+            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+            '**/flake.lock') }}
+          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

-      # - uses: actions/github-script@v7
-      #   id: get_pr_data
-      #   with:
-      #     script: |
-      #       return (
-      #         await github.rest.repos.listPullRequestsAssociatedWithCommit({
-      #           commit_sha: context.sha,
-      #           owner: context.repo.owner,
-      #           repo: context.repo.repo,
-      #         })
-      #       ).data[0];
-
-      # - name: Pull Request data
-      #   run: |
-      #     echo '${{steps.get_pr_data.outputs.result}}'
-
-      - name: Run ko build
+      - name: Run nix build
        id: build
        if: steps.changed-files.outputs.files == 'true'
-        env:
-          KO_DOCKER_REPO: ghcr.io/${{ github.repository_owner }}/headscale
-          # TAG_PR_NAME: pr-${{ fromJson(steps.get_pr_data.outputs.result).number }}
-          TAG_SHA: ${{ github.sha }}
        run: |
-          nix develop --command -- ko build --sbom=none --tags=$TAG_SHA ./cmd/headscale
+          nix build |& tee build-result
+          BUILD_STATUS="${PIPESTATUS[0]}"
+
+          OLD_HASH=$(cat build-result | grep specified: | awk -F ':' '{print $2}' | sed 's/ //g')
+          NEW_HASH=$(cat build-result | grep got: | awk -F ':' '{print $2}' | sed 's/ //g')
+
+          echo "OLD_HASH=$OLD_HASH" >> $GITHUB_OUTPUT
+          echo "NEW_HASH=$NEW_HASH" >> $GITHUB_OUTPUT
+
+          exit $BUILD_STATUS
+
+      - name: Nix gosum diverging
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        if: failure() && steps.build.outcome == 'failure'
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          script: |
+            github.rest.pulls.createReviewComment({
+              pull_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: 'Nix build failed with wrong gosum, please update "vendorSha256" (${{ steps.build.outputs.OLD_HASH }}) for the "headscale" package in flake.nix with the new SHA: ${{ steps.build.outputs.NEW_HASH }}'
+            })
+
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: steps.changed-files.outputs.files == 'true'
+        with:
+          name: headscale-linux
+          path: result/bin/headscale
+  build-cross:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        env:
+          - "GOARCH=arm64 GOOS=linux"
+          - "GOARCH=amd64 GOOS=linux"
+          - "GOARCH=arm64 GOOS=darwin"
+          - "GOARCH=amd64 GOOS=darwin"
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
+      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
+        with:
+          primary-key:
+            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+            '**/flake.lock') }}
+          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}
+
+      - name: Run go cross compile
+        run:
+          env ${{ matrix.env }} nix develop --command -- go build -o "headscale"
+          ./cmd/headscale
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: "headscale-${{ matrix.env }}"
+          path: "headscale"
--- a/.github/workflows/check-generated.yml
+++ b/.github/workflows/check-generated.yml
@@ -0,0 +1,55 @@
+name: Check Generated Files
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  check-generated:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 2
+      - name: Get changed files
+        id: changed-files
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        with:
+          filters: |
+            files:
+              - '*.nix'
+              - 'go.*'
+              - '**/*.go'
+              - '**/*.proto'
+              - 'buf.gen.yaml'
+              - 'tools/**'
+      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
+        if: steps.changed-files.outputs.files == 'true'
+      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
+        if: steps.changed-files.outputs.files == 'true'
+        with:
+          primary-key: nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
+          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}
+
+      - name: Run make generate
+        if: steps.changed-files.outputs.files == 'true'
+        run: nix develop --command -- make generate
+
+      - name: Check for uncommitted changes
+        if: steps.changed-files.outputs.files == 'true'
+        run: |
+          if ! git diff --exit-code; then
+            echo "❌ Generated files are not up to date!"
+            echo "Please run 'make generate' and commit the changes."
+            exit 1
+          else
+            echo "✅ All generated files are up to date."
+          fi
--- a/.github/workflows/check-tests.yaml
+++ b/.github/workflows/check-tests.yaml
@@ -10,12 +10,12 @@ jobs:
  check-tests:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 2
      - name: Get changed files
        id: changed-files
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          filters: |
            files:
@@ -24,15 +24,20 @@ jobs:
              - '**/*.go'
              - 'integration_test/'
              - 'config-example.yaml'
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
        if: steps.changed-files.outputs.files == 'true'
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
        if: steps.changed-files.outputs.files == 'true'
+        with:
+          primary-key:
+            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+            '**/flake.lock') }}
+          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

      - name: Generate and check integration tests
        if: steps.changed-files.outputs.files == 'true'
        run: |
-          nix develop --command bash -c "cd cmd/gh-action-integration-generator/ && go generate"
+          nix develop --command bash -c "cd .github/workflows && go generate"
          git diff --exit-code .github/workflows/test-integration.yaml

      - name: Show missing tests
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -0,0 +1,51 @@
+name: Deploy docs
+
+on:
+  push:
+    branches:
+      # Main branch for development docs
+      - main
+
+      # Doc maintenance branches
+      - doc/[0-9]+.[0-9]+.[0-9]+
+    tags:
+      # Stable release tags
+      - v[0-9]+.[0-9]+.[0-9]+
+    paths:
+      - "docs/**"
+      - "mkdocs.yml"
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 0
+      - name: Install python
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: 3.x
+      - name: Setup cache
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          key: ${{ github.ref }}
+          path: .cache
+      - name: Setup dependencies
+        run: pip install -r docs/requirements.txt
+      - name: Configure git
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+      - name: Deploy development docs
+        if: github.ref == 'refs/heads/main'
+        run: mike deploy --push development unstable
+      - name: Deploy stable docs from doc branches
+        if: startsWith(github.ref, 'refs/heads/doc/')
+        run: mike deploy --push ${GITHUB_REF_NAME##*/}
+      - name: Deploy stable docs from tag
+        if: startsWith(github.ref, 'refs/tags/v')
+        # This assumes that only newer tags are pushed
+        run: mike deploy --push --update-aliases ${GITHUB_REF_NAME#v} stable latest
--- a/.github/workflows/docs-test.yml
+++ b/.github/workflows/docs-test.yml
@@ -11,13 +11,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Install python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: 3.x
      - name: Setup cache
-        uses: actions/cache@v2
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
        with:
          key: ${{ github.ref }}
          path: .cache
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,52 +0,0 @@
-name: Build documentation
-
-on:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-      - name: Install python
-        uses: actions/setup-python@v4
-        with:
-          python-version: 3.x
-      - name: Setup cache
-        uses: actions/cache@v2
-        with:
-          key: ${{ github.ref }}
-          path: .cache
-      - name: Setup dependencies
-        run: pip install -r docs/requirements.txt
-      - name: Build docs
-        run: mkdocs build --strict
-      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
-        with:
-          path: ./site
-
-  deploy:
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
-    permissions:
-      pages: write
-      id-token: write
-    runs-on: ubuntu-latest
-    needs: build
-    steps:
-      - name: Configure Pages
-        uses: actions/configure-pages@v4
-      - name: Deploy to GitHub Pages
-        id: deployment
-        uses: actions/deploy-pages@v4
--- a/.github/workflows/gh-action-integration-generator.go
+++ b/.github/workflows/gh-action-integration-generator.go
@@ -1,6 +1,6 @@
 package main

-//go:generate go run ./main.go
+//go:generate go run ./gh-action-integration-generator.go

 import (
 	"bytes"
@@ -38,23 +38,29 @@ func findTests() []string {
 	return tests
 }

-func updateYAML(tests []string) {
+func updateYAML(tests []string, jobName string, testPath string) {
 	testsForYq := fmt.Sprintf("[%s]", strings.Join(tests, ", "))

 	yqCommand := fmt.Sprintf(
-		"yq eval '.jobs.integration-test.strategy.matrix.test = %s' ../../.github/workflows/test-integration.yaml -i",
+		"yq eval '.jobs.%s.strategy.matrix.test = %s' %s -i",
+		jobName,
 		testsForYq,
+		testPath,
 	)
 	cmd := exec.Command("bash", "-c", yqCommand)

-	var out bytes.Buffer
-	cmd.Stdout = &out
+	var stdout bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
 	err := cmd.Run()
 	if err != nil {
+		log.Printf("stdout: %s", stdout.String())
+		log.Printf("stderr: %s", stderr.String())
 		log.Fatalf("failed to run yq command: %s", err)
 	}

-	fmt.Println("YAML file updated successfully")
+	fmt.Printf("YAML file (%s) job %s updated successfully\n", testPath, jobName)
 }

 func main() {
@@ -65,5 +71,21 @@ func main() {
 		quotedTests[i] = fmt.Sprintf("\"%s\"", test)
 	}

-	updateYAML(quotedTests)
+	// Define selected tests for PostgreSQL
+	postgresTestNames := []string{
+		"TestACLAllowUserDst",
+		"TestPingAllByIP",
+		"TestEphemeral2006DeletedTooQuickly",
+		"TestPingAllByIPManyUpDown",
+		"TestSubnetRouterMultiNetwork",
+	}
+
+	quotedPostgresTests := make([]string, len(postgresTestNames))
+	for i, test := range postgresTestNames {
+		quotedPostgresTests[i] = fmt.Sprintf("\"%s\"", test)
+	}
+
+	// Update both SQLite and PostgreSQL job matrices
+	updateYAML(quotedTests, "sqlite", "./test-integration.yaml")
+	updateYAML(quotedPostgresTests, "postgres", "./test-integration.yaml")
 }
--- a/.github/workflows/gh-actions-updater.yaml
+++ b/.github/workflows/gh-actions-updater.yaml
@@ -7,16 +7,17 @@ on:

 jobs:
  build:
+    if: github.repository == 'juanfont/headscale'
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # [Required] Access token with `workflow` scope.
          token: ${{ secrets.WORKFLOW_SECRET }}

      - name: Run GitHub Actions Version Updater
-        uses: saadmk11/github-actions-version-updater@v0.8.1
+        uses: saadmk11/github-actions-version-updater@64be81ba69383f81f2be476703ea6570c4c8686e # v0.8.1
        with:
          # [Required] Access token with `workflow` scope.
          token: ${{ secrets.WORKFLOW_SECRET }}
--- a/.github/workflows/integration-test-template.yml
+++ b/.github/workflows/integration-test-template.yml
@@ -0,0 +1,95 @@
+name: Integration Test Template
+
+on:
+  workflow_call:
+    inputs:
+      test:
+        required: true
+        type: string
+      postgres_flag:
+        required: false
+        type: string
+        default: ""
+      database_name:
+        required: true
+        type: string
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    env:
+      # Github does not allow us to access secrets in pull requests,
+      # so this env var is used to check if we have the secret or not.
+      # If we have the secrets, meaning we are running on push in a fork,
+      # there might be secrets available for more debugging.
+      # If TS_OAUTH_CLIENT_ID and TS_OAUTH_SECRET is set, then the job
+      # will join a debug tailscale network, set up SSH and a tmux session.
+      # The SSH will be configured to use the SSH key of the Github user
+      # that triggered the build.
+      HAS_TAILSCALE_SECRET: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 2
+      - name: Get changed files
+        id: changed-files
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        with:
+          filters: |
+            files:
+              - '*.nix'
+              - 'go.*'
+              - '**/*.go'
+              - 'integration_test/'
+              - 'config-example.yaml'
+      - name: Tailscale
+        if: ${{ env.HAS_TAILSCALE_SECRET }}
+        uses: tailscale/github-action@6986d2c82a91fbac2949fe01f5bab95cf21b5102 # v3.2.2
+        with:
+          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
+          tags: tag:gh
+      - name: Setup SSH server for Actor
+        if: ${{ env.HAS_TAILSCALE_SECRET }}
+        uses: alexellis/setup-sshd-actor@master
+      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
+        if: steps.changed-files.outputs.files == 'true'
+      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
+        if: steps.changed-files.outputs.files == 'true'
+        with:
+          primary-key:
+            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+            '**/flake.lock') }}
+          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}
+      - name: Run Integration Test
+        uses: Wandalen/wretry.action@e68c23e6309f2871ca8ae4763e7629b9c258e1ea # v3.8.0
+        if: steps.changed-files.outputs.files == 'true'
+        with:
+          # Our integration tests are started like a thundering herd, often
+          # hitting limits of the various external repositories we depend on
+          # like docker hub. This will retry jobs every 5 min, 10 times,
+          # hopefully letting us avoid manual intervention and restarting jobs.
+          # One could of course argue that we should invest in trying to avoid
+          # this, but currently it seems like a larger investment to be cleverer
+          # about this.
+          # Some of the jobs might still require manual restart as they are really
+          # slow and this will cause them to eventually be killed by Github actions.
+          attempt_delay: 300000 # 5 min
+          attempt_limit: 2
+          command: |
+            nix develop --command -- hi run --stats --ts-memory-limit=300 --hs-memory-limit=500 "^${{ inputs.test }}$" \
+              --timeout=120m \
+              ${{ inputs.postgres_flag }}
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: always() && steps.changed-files.outputs.files == 'true'
+        with:
+          name: ${{ inputs.database_name }}-${{ inputs.test }}-logs
+          path: "control_logs/*/*.log"
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: always() && steps.changed-files.outputs.files == 'true'
+        with:
+          name: ${{ inputs.database_name }}-${{ inputs.test }}-archives
+          path: "control_logs/*/*.tar"
+      - name: Setup a blocking tmux session
+        if: ${{ env.HAS_TAILSCALE_SECRET }}
+        uses: alexellis/block-with-tmux-action@master
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -10,12 +10,12 @@ jobs:
  golangci-lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 2
      - name: Get changed files
        id: changed-files
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          filters: |
            files:
@@ -24,24 +24,34 @@ jobs:
              - '**/*.go'
              - 'integration_test/'
              - 'config-example.yaml'
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
        if: steps.changed-files.outputs.files == 'true'
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
        if: steps.changed-files.outputs.files == 'true'
+        with:
+          primary-key:
+            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+            '**/flake.lock') }}
+          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

      - name: golangci-lint
        if: steps.changed-files.outputs.files == 'true'
-        run: nix develop --command -- golangci-lint run --new-from-rev=${{github.event.pull_request.base.sha}} --out-format=github-actions .
+        run: nix develop --command -- golangci-lint run
+          --new-from-rev=${{github.event.pull_request.base.sha}}
+          --output.text.path=stdout
+          --output.text.print-linter-name
+          --output.text.print-issued-lines
+          --output.text.colors

  prettier-lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 2
      - name: Get changed files
        id: changed-files
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          filters: |
            files:
@@ -55,21 +65,32 @@ jobs:
              - '**/*.css'
              - '**/*.scss'
              - '**/*.html'
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
        if: steps.changed-files.outputs.files == 'true'
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
        if: steps.changed-files.outputs.files == 'true'
+        with:
+          primary-key:
+            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+            '**/flake.lock') }}
+          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

      - name: Prettify code
        if: steps.changed-files.outputs.files == 'true'
-        run: nix develop --command -- prettier --no-error-on-unmatched-pattern --ignore-unknown --check **/*.{ts,js,md,yaml,yml,sass,css,scss,html}
+        run: nix develop --command -- prettier --no-error-on-unmatched-pattern
+          --ignore-unknown --check **/*.{ts,js,md,yaml,yml,sass,css,scss,html}

  proto-lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
+      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
+        with:
+          primary-key:
+            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+            '**/flake.lock') }}
+          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

      - name: Buf lint
        run: nix develop --command -- buf lint proto
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,28 +9,34 @@ on:

 jobs:
  goreleaser:
+    if: github.repository == 'juanfont/headscale'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0

      - name: Login to DockerHub
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to GHCR
-        uses: docker/login-action@v3
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
+      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
+        with:
+          primary-key:
+            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+            '**/flake.lock') }}
+          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

      - name: Run goreleaser
        run: nix develop --command -- goreleaser release --clean
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -6,18 +6,24 @@ on:

 jobs:
  close-issues:
+    if: github.repository == 'juanfont/headscale'
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
        with:
          days-before-issue-stale: 90
          days-before-issue-close: 7
          stale-issue-label: "stale"
-          stale-issue-message: "This issue is stale because it has been open for 90 days with no activity."
-          close-issue-message: "This issue was closed because it has been inactive for 14 days since being marked as stale."
+          stale-issue-message:
+            "This issue is stale because it has been open for 90 days with no
+            activity."
+          close-issue-message:
+            "This issue was closed because it has been inactive for 14 days
+            since being marked as stale."
          days-before-pr-stale: -1
          days-before-pr-close: -1
+          exempt-issue-labels: "no-stale-bot"
          repo-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/test-integration.yaml
+++ b/.github/workflows/test-integration.yaml
@@ -1,11 +1,13 @@
-name: Integration Tests
+name: integration
+# To debug locally on a branch, and when needing secrets
+# change this to include `push` so the build is ran on
+# the main repository.
 on: [pull_request]
 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true
 jobs:
-  integration-test:
-    runs-on: ubuntu-latest
+  sqlite:
    strategy:
      fail-fast: false
      matrix:
@@ -19,8 +21,16 @@ jobs:
          - TestACLNamedHostsCanReach
          - TestACLDevice1CanAccessDevice2
          - TestPolicyUpdateWhileRunningWithCLIInDatabase
+          - TestACLAutogroupMember
+          - TestACLAutogroupTagged
+          - TestAuthKeyLogoutAndReloginSameUser
+          - TestAuthKeyLogoutAndReloginNewUser
+          - TestAuthKeyLogoutAndReloginSameUserExpiredKey
          - TestOIDCAuthenticationPingAll
          - TestOIDCExpireNodesBasedOnTokenExpiry
+          - TestOIDC024UserCreation
+          - TestOIDCAuthenticationWithPKCE
+          - TestOIDCReloginSameNodeNewUser
          - TestAuthWebFlowAuthenticationPingAll
          - TestAuthWebFlowLogoutAndRelogin
          - TestUserCommand
@@ -30,89 +40,62 @@ jobs:
          - TestPreAuthKeyCorrectUserLoggedInCommand
          - TestApiKeyCommand
          - TestNodeTagCommand
-          - TestNodeAdvertiseTagNoACLCommand
-          - TestNodeAdvertiseTagWithACLCommand
+          - TestNodeAdvertiseTagCommand
          - TestNodeCommand
          - TestNodeExpireCommand
          - TestNodeRenameCommand
          - TestNodeMoveCommand
          - TestPolicyCommand
+          - TestPolicyBrokenConfigCommand
+          - TestDERPVerifyEndpoint
+          - TestResolveMagicDNS
+          - TestResolveMagicDNSExtraRecordsPath
          - TestDERPServerScenario
+          - TestDERPServerWebsocketScenario
          - TestPingAllByIP
          - TestPingAllByIPPublicDERP
-          - TestAuthKeyLogoutAndRelogin
          - TestEphemeral
+          - TestEphemeralInAlternateTimezone
          - TestEphemeral2006DeletedTooQuickly
          - TestPingAllByHostname
          - TestTaildrop
-          - TestResolveMagicDNS
+          - TestUpdateHostnameFromClient
          - TestExpireNode
          - TestNodeOnlineStatus
          - TestPingAllByIPManyUpDown
+          - Test2118DeletingOnlineNodePanics
          - TestEnablingRoutes
          - TestHASubnetRouterFailover
-          - TestEnableDisableAutoApprovedRoute
          - TestSubnetRouteACL
+          - TestEnablingExitRoutes
+          - TestSubnetRouterMultiNetwork
+          - TestSubnetRouterMultiNetworkExitNode
+          - TestAutoApproveMultiNetwork
+          - TestSubnetRouteACLFiltering
          - TestHeadscale
-          - TestCreateTailscale
          - TestTailscaleNodesJoiningHeadcale
          - TestSSHOneUserToAll
          - TestSSHMultipleUsersAllToAll
          - TestSSHNoSSHConfigured
          - TestSSHIsBlockedInACL
          - TestSSHUserOnlyIsolation
-        database: [postgres, sqlite]
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 2
-      - name: Get changed files
-        id: changed-files
-        uses: dorny/paths-filter@v3
-        with:
-          filters: |
-            files:
-              - '*.nix'
-              - 'go.*'
-              - '**/*.go'
-              - 'integration_test/'
-              - 'config-example.yaml'
-      - uses: DeterminateSystems/nix-installer-action@main
-        if: steps.changed-files.outputs.files == 'true'
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-        if: steps.changed-files.outputs.files == 'true'
-      - uses: satackey/action-docker-layer-caching@main
-        if: steps.changed-files.outputs.files == 'true'
-        continue-on-error: true
-      - name: Run Integration Test
-        uses: Wandalen/wretry.action@master
-        if: steps.changed-files.outputs.files == 'true'
-        env:
-          USE_POSTGRES: ${{ matrix.database == 'postgres' && '1' || '0' }}
-        with:
-          attempt_limit: 5
-          command: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              --env HEADSCALE_INTEGRATION_POSTGRES=${{env.USE_POSTGRES}} \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^${{ matrix.test }}$"
-      - uses: actions/upload-artifact@v4
-        if: always() && steps.changed-files.outputs.files == 'true'
-        with:
-          name: ${{ matrix.test }}-${{matrix.database}}-logs
-          path: "control_logs/*.log"
-      - uses: actions/upload-artifact@v4
-        if: always() && steps.changed-files.outputs.files == 'true'
-        with:
-          name: ${{ matrix.test }}-${{matrix.database}}-pprof
-          path: "control_logs/*.pprof.tar"
+    uses: ./.github/workflows/integration-test-template.yml
+    with:
+      test: ${{ matrix.test }}
+      postgres_flag: "--postgres=0"
+      database_name: "sqlite"
+  postgres:
+    strategy:
+      fail-fast: false
+      matrix:
+        test:
+          - TestACLAllowUserDst
+          - TestPingAllByIP
+          - TestEphemeral2006DeletedTooQuickly
+          - TestPingAllByIPManyUpDown
+          - TestSubnetRouterMultiNetwork
+    uses: ./.github/workflows/integration-test-template.yml
+    with:
+      test: ${{ matrix.test }}
+      postgres_flag: "--postgres=1"
+      database_name: "postgres"
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -11,13 +11,13 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 2

      - name: Get changed files
        id: changed-files
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          filters: |
            files:
@@ -27,11 +27,22 @@ jobs:
              - 'integration_test/'
              - 'config-example.yaml'

-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: nixbuild/nix-quick-install-action@889f3180bb5f064ee9e3201428d04ae9e41d54ad # v31
        if: steps.changed-files.outputs.files == 'true'
-      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - uses: nix-community/cache-nix-action@135667ec418502fa5a3598af6fb9eb733888ce6a # v6.1.3
        if: steps.changed-files.outputs.files == 'true'
+        with:
+          primary-key:
+            nix-${{ runner.os }}-${{ runner.arch }}-${{ hashFiles('**/*.nix',
+            '**/flake.lock') }}
+          restore-prefixes-first-match: nix-${{ runner.os }}-${{ runner.arch }}

      - name: Run tests
        if: steps.changed-files.outputs.files == 'true'
-        run: nix develop --check
+        env:
+          # As of 2025-01-06, these env vars was not automatically
+          # set anymore which breaks the initdb for postgres on
+          # some of the database migration tests.
+          LC_ALL: "en_US.UTF-8"
+          LC_CTYPE: "en_US.UTF-8"
+        run: nix develop --command -- gotestsum
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -6,13 +6,14 @@ on:

 jobs:
  lockfile:
+    if: github.repository == 'juanfont/headscale'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Install Nix
-        uses: DeterminateSystems/nix-installer-action@main
+        uses: DeterminateSystems/nix-installer-action@21a544727d0c62386e78b4befe52d19ad12692e3 # v17
      - name: Update flake.lock
-        uses: DeterminateSystems/update-flake-lock@main
+        uses: DeterminateSystems/update-flake-lock@428c2b58a4b7414dabd372acb6a03dba1084d3ab # v25
        with:
          pr-title: "Update flake.lock"
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,9 @@
 ignored/
 tailscale/
 .vscode/
+.claude/
+
+*.prof

 # Binaries for programs and plugins
 *.exe
@@ -20,8 +23,9 @@ vendor/

 dist/
 /headscale
-config.json
 config.yaml
+config*.yaml
+!config-example.yaml
 derp.yaml
 *.hujson
 *.key
@@ -45,3 +49,7 @@ integration_test/etc/config.dump.yaml
 /site

 __debug_bin
+
+node_modules/
+package-lock.json
+package.json
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,64 +1,80 @@
 ---
-run:
-  timeout: 10m
-  build-tags:
-    - ts2019
-
-issues:
-  skip-dirs:
-    - gen
+version: "2"
 linters:
-  enable-all: true
+  default: all
  disable:
+    - cyclop
    - depguard
-
-    - revive
-    - lll
-    - gofmt
+    - dupl
+    - exhaustruct
+    - funlen
    - gochecknoglobals
    - gochecknoinits
    - gocognit
-    - funlen
-    - tagliatelle
    - godox
-    - ireturn
-    - execinquery
-    - exhaustruct
-    - nolintlint
-    - musttag # causes issues with imported libs
-    - depguard
-
-    # We should strive to enable these:
-    - wrapcheck
-    - dupl
-    - makezero
-    - maintidx
-
-    # Limits the methods of an interface to 10. We have more in integration tests
    - interfacebloat
-
-    # We might want to enable this, but it might be a lot of work
-    - cyclop
+    - ireturn
+    - lll
+    - maintidx
+    - makezero
+    - musttag
    - nestif
-    - wsl # might be incompatible with gofumpt
-    - testpackage
+    - nolintlint
    - paralleltest
+    - revive
+    - tagliatelle
+    - testpackage
+    - varnamelen
+    - wrapcheck
+    - wsl
+  settings:
+    gocritic:
+      disabled-checks:
+        - appendAssign
+        - ifElseChain
+    nlreturn:
+      block-size: 4
+    varnamelen:
+      ignore-names:
+        - err
+        - db
+        - id
+        - ip
+        - ok
+        - c
+        - tt
+        - tx
+        - rx
+        - sb
+        - wg
+        - pr
+        - p
+        - p2
+      ignore-type-assert-ok: true
+      ignore-map-index-ok: true
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+      - gen

-linters-settings:
-  varnamelen:
-    ignore-type-assert-ok: true
-    ignore-map-index-ok: true
-    ignore-names:
-      - err
-      - db
-      - id
-      - ip
-      - ok
-      - c
-      - tt
-
-  gocritic:
-    disabled-checks:
-      - appendAssign
-      # TODO(kradalby): Remove this
-      - ifElseChain
+formatters:
+  enable:
+    - gci
+    - gofmt
+    - gofumpt
+    - goimports
+  exclusions:
+    generated: lax
+    paths:
+      - third_party$
+      - builtin$
+      - examples$
+      - gen
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,11 +1,13 @@
 ---
+version: 2
 before:
  hooks:
-    - go mod tidy -compat=1.22
+    - go mod tidy -compat=1.24
    - go mod vendor

 release:
  prerelease: auto
+  draft: true

 builds:
  - id: headscale
@@ -17,21 +19,22 @@ builds:
      - darwin_amd64
      - darwin_arm64
      - freebsd_amd64
-      - linux_386
      - linux_amd64
      - linux_arm64
-      - linux_arm_5
-      - linux_arm_6
-      - linux_arm_7
    flags:
      - -mod=readonly
    ldflags:
-      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+      - -s -w
+      - -X github.com/juanfont/headscale/hscontrol/types.Version={{ .Version }}
+      - -X github.com/juanfont/headscale/hscontrol/types.GitCommitHash={{ .Commit }}
+    tags:
+      - ts2019

 archives:
  - id: golang-cross
    name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
-    format: binary
+    formats:
+      - binary

 source:
  enabled: true
@@ -50,15 +53,22 @@ nfpms:
  # List file contents: dpkg -c dist/headscale...deb
  # Package metadata: dpkg --info dist/headscale....deb
  #
-  - builds:
+  - ids:
      - headscale
    package_name: headscale
    priority: optional
    vendor: headscale
    maintainer: Kristoffer Dalby <kristoffer@dalby.cc>
    homepage: https://github.com/juanfont/headscale
-    license: BSD
+    description: |-
+      Open source implementation of the Tailscale control server.
+      Headscale aims to implement a self-hosted, open source alternative to the
+      Tailscale control server. Headscale's goal is to provide self-hosters and
+      hobbyists with an open-source server they can use for their projects and
+      labs. It implements a narrow scope, a single Tailscale network (tailnet),
+      suitable for a personal use, or a small open-source organisation.
    bindir: /usr/bin
+    section: net
    formats:
      - deb
    contents:
@@ -67,19 +77,27 @@ nfpms:
        type: config|noreplace
        file_info:
          mode: 0644
-      - src: ./docs/packaging/headscale.systemd.service
+      - src: ./packaging/systemd/headscale.service
        dst: /usr/lib/systemd/system/headscale.service
      - dst: /var/lib/headscale
        type: dir
-      - dst: /var/run/headscale
-        type: dir
+      - src: LICENSE
+        dst: /usr/share/doc/headscale/copyright
    scripts:
-      postinstall: ./docs/packaging/postinstall.sh
-      postremove: ./docs/packaging/postremove.sh
+      postinstall: ./packaging/deb/postinst
+      postremove: ./packaging/deb/postrm
+      preremove: ./packaging/deb/prerm
+    deb:
+      lintian_overrides:
+        - no-changelog # Our CHANGELOG.md uses a different formatting
+        - no-manual-page
+        - statically-linked-binary

 kos:
  - id: ghcr
-    repository: ghcr.io/juanfont/headscale
+    repositories:
+      - ghcr.io/juanfont/headscale
+      - headscale/headscale

    # bare tells KO to only use the repository
    # for tagging and naming the container.
@@ -91,32 +109,7 @@ kos:
      - CGO_ENABLED=0
    platforms:
      - linux/amd64
-      - linux/386
      - linux/arm64
-      - linux/arm/v7
-    tags:
-      - "{{ if not .Prerelease }}latest{{ end }}"
-      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}.{{ .Patch }}{{ end }}"
-      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}{{ end }}"
-      - "{{ if not .Prerelease }}{{ .Major }}{{ end }}"
-      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}.{{ .Patch }}{{ end }}"
-      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}{{ end }}"
-      - "{{ if not .Prerelease }}v{{ .Major }}{{ end }}"
-      - "{{ if not .Prerelease }}stable{{ else }}unstable{{ end }}"
-      - "{{ .Tag }}"
-      - '{{ trimprefix .Tag "v" }}'
-      - "sha-{{ .ShortCommit }}"
-
-  - id: dockerhub
-    build: headscale
-    base_image: gcr.io/distroless/base-debian12
-    repository: headscale/headscale
-    bare: true
-    platforms:
-      - linux/amd64
-      - linux/386
-      - linux/arm64
-      - linux/arm/v7
    tags:
      - "{{ if not .Prerelease }}latest{{ end }}"
      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}.{{ .Patch }}{{ end }}"
@@ -131,7 +124,10 @@ kos:
      - "sha-{{ .ShortCommit }}"

  - id: ghcr-debug
-    repository: ghcr.io/juanfont/headscale
+    repositories:
+      - ghcr.io/juanfont/headscale
+      - headscale/headscale
+
    bare: true
    base_image: gcr.io/distroless/base-debian12:debug
    build: headscale
@@ -140,9 +136,7 @@ kos:
      - CGO_ENABLED=0
    platforms:
      - linux/amd64
-      - linux/386
      - linux/arm64
-      - linux/arm/v7
    tags:
      - "{{ if not .Prerelease }}latest-debug{{ end }}"
      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug{{ end }}"
@@ -151,30 +145,7 @@ kos:
      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug{{ end }}"
      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}-debug{{ end }}"
      - "{{ if not .Prerelease }}v{{ .Major }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}stable{{ else }}unstable-debug{{ end }}"
-      - "{{ .Tag }}-debug"
-      - '{{ trimprefix .Tag "v" }}-debug'
-      - "sha-{{ .ShortCommit }}-debug"
-
-  - id: dockerhub-debug
-    build: headscale
-    base_image: gcr.io/distroless/base-debian12:debug
-    repository: headscale/headscale
-    bare: true
-    platforms:
-      - linux/amd64
-      - linux/386
-      - linux/arm64
-      - linux/arm/v7
-    tags:
-      - "{{ if not .Prerelease }}latest-debug{{ end }}"
-      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}{{ .Major }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}v{{ .Major }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}stable{{ else }}unstable-debug{{ end }}"
+      - "{{ if not .Prerelease }}stable-debug{{ else }}unstable-debug{{ end }}"
      - "{{ .Tag }}-debug"
      - '{{ trimprefix .Tag "v" }}-debug'
      - "sha-{{ .ShortCommit }}-debug"
@@ -182,7 +153,7 @@ kos:
 checksum:
  name_template: "checksums.txt"
 snapshot:
-  name_template: "{{ .Tag }}-next"
+  version_template: "{{ .Tag }}-next"
 changelog:
  sort: asc
  filters:
--- a/.ko.yaml
+++ b/.ko.yaml
@@ -1,16 +0,0 @@
-defaultBaseImage: gcr.io/distroless/base-debian12:debug
-defaultPlatforms:
-  - linux/arm64
-  - linux/arm/v7
-  - linux/amd64
-  - linux/386
-
-builds:
-  - id: headscale
-    main: ./cmd/headscale
-    env:
-      - CGO_ENABLED=0
-    flags:
-      - -mod=readonly
-    ldflags:
-      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Git.ShortCommit}}
--- a/.prettierignore
+++ b/.prettierignore
@@ -1,6 +1,5 @@
 .github/workflows/test-integration-v2*
-docs/dns-records.md
-docs/running-headscale-container.md
-docs/running-headscale-linux-manual.md
-docs/running-headscale-linux.md
-docs/running-headscale-openbsd.md
+docs/about/features.md
+docs/ref/configuration.md
+docs/ref/oidc.md
+docs/ref/remote-cli.md
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1,395 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Overview
+
+Headscale is an open-source implementation of the Tailscale control server written in Go. It provides self-hosted coordination for Tailscale networks (tailnets), managing node registration, IP allocation, policy enforcement, and DERP routing.
+
+## Development Commands
+
+### Quick Setup
+```bash
+# Recommended: Use Nix for dependency management
+nix develop
+
+# Full development workflow
+make dev  # runs fmt + lint + test + build
+```
+
+### Essential Commands
+```bash
+# Build headscale binary
+make build
+
+# Run tests
+make test
+go test ./...                    # All unit tests
+go test -race ./...              # With race detection
+
+# Run specific integration test
+go run ./cmd/hi run "TestName" --postgres
+
+# Code formatting and linting
+make fmt         # Format all code (Go, docs, proto)
+make lint        # Lint all code (Go, proto)
+make fmt-go      # Format Go code only
+make lint-go     # Lint Go code only
+
+# Protocol buffer generation (after modifying proto/)
+make generate
+
+# Clean build artifacts  
+make clean
+```
+
+### Integration Testing
+```bash
+# Use the hi (Headscale Integration) test runner
+go run ./cmd/hi doctor                    # Check system requirements
+go run ./cmd/hi run "TestPattern"         # Run specific test
+go run ./cmd/hi run "TestPattern" --postgres  # With PostgreSQL backend
+
+# Test artifacts are saved to control_logs/ with logs and debug data
+```
+
+## Project Structure & Architecture
+
+### Top-Level Organization
+
+```
+headscale/
+├── cmd/                    # Command-line applications
+│   ├── headscale/         # Main headscale server binary
+│   └── hi/               # Headscale Integration test runner
+├── hscontrol/            # Core control plane logic
+├── integration/          # End-to-end Docker-based tests
+├── proto/               # Protocol buffer definitions
+├── gen/                 # Generated code (protobuf)
+├── docs/                # Documentation
+└── packaging/           # Distribution packaging
+```
+
+### Core Packages (`hscontrol/`)
+
+**Main Server (`hscontrol/`)**
+- `app.go`: Application setup, dependency injection, server lifecycle
+- `handlers.go`: HTTP/gRPC API endpoints for management operations
+- `grpcv1.go`: gRPC service implementation for headscale API
+- `poll.go`: **Critical** - Handles Tailscale MapRequest/MapResponse protocol
+- `noise.go`: Noise protocol implementation for secure client communication
+- `auth.go`: Authentication flows (web, OIDC, command-line)
+- `oidc.go`: OpenID Connect integration for user authentication
+
+**State Management (`hscontrol/state/`)**
+- `state.go`: Central coordinator for all subsystems (database, policy, IP allocation, DERP)
+- `node_store.go`: **Performance-critical** - In-memory cache with copy-on-write semantics
+- Thread-safe operations with deadlock detection
+- Coordinates between database persistence and real-time operations
+
+**Database Layer (`hscontrol/db/`)**
+- `db.go`: Database abstraction, GORM setup, migration management
+- `node.go`: Node lifecycle, registration, expiration, IP assignment
+- `users.go`: User management, namespace isolation
+- `api_key.go`: API authentication tokens
+- `preauth_keys.go`: Pre-authentication keys for automated node registration
+- `ip.go`: IP address allocation and management
+- `policy.go`: Policy storage and retrieval
+- Schema migrations in `schema.sql` with extensive test data coverage
+
+**Policy Engine (`hscontrol/policy/`)**
+- `policy.go`: Core ACL evaluation logic, HuJSON parsing
+- `v2/`: Next-generation policy system with improved filtering
+- `matcher/`: ACL rule matching and evaluation engine
+- Determines peer visibility, route approval, and network access rules
+- Supports both file-based and database-stored policies
+
+**Network Management (`hscontrol/`)**
+- `derp/`: DERP (Designated Encrypted Relay for Packets) server implementation
+  - NAT traversal when direct connections fail
+  - Fallback relay for firewall-restricted environments
+- `mapper/`: Converts internal Headscale state to Tailscale's wire protocol format
+  - `tail.go`: Tailscale-specific data structure generation
+- `routes/`: Subnet route management and primary route selection
+- `dns/`: DNS record management and MagicDNS implementation
+
+**Utilities & Support (`hscontrol/`)**
+- `types/`: Core data structures, configuration, validation
+- `util/`: Helper functions for networking, DNS, key management
+- `templates/`: Client configuration templates (Apple, Windows, etc.)
+- `notifier/`: Event notification system for real-time updates
+- `metrics.go`: Prometheus metrics collection
+- `capver/`: Tailscale capability version management
+
+### Key Subsystem Interactions
+
+**Node Registration Flow**
+1. **Client Connection**: `noise.go` handles secure protocol handshake
+2. **Authentication**: `auth.go` validates credentials (web/OIDC/preauth)
+3. **State Creation**: `state.go` coordinates IP allocation via `db/ip.go`
+4. **Storage**: `db/node.go` persists node, `NodeStore` caches in memory
+5. **Network Setup**: `mapper/` generates initial Tailscale network map
+
+**Ongoing Operations**
+1. **Poll Requests**: `poll.go` receives periodic client updates
+2. **State Updates**: `NodeStore` maintains real-time node information
+3. **Policy Application**: `policy/` evaluates ACL rules for peer relationships
+4. **Map Distribution**: `mapper/` sends network topology to all affected clients
+
+**Route Management**
+1. **Advertisement**: Clients announce routes via `poll.go` Hostinfo updates
+2. **Storage**: `db/` persists routes, `NodeStore` caches for performance
+3. **Approval**: `policy/` auto-approves routes based on ACL rules
+4. **Distribution**: `routes/` selects primary routes, `mapper/` distributes to peers
+
+### Command-Line Tools (`cmd/`)
+
+**Main Server (`cmd/headscale/`)**
+- `headscale.go`: CLI parsing, configuration loading, server startup
+- Supports daemon mode, CLI operations (user/node management), database operations
+
+**Integration Test Runner (`cmd/hi/`)**
+- `main.go`: Test execution framework with Docker orchestration
+- `run.go`: Individual test execution with artifact collection
+- `doctor.go`: System requirements validation
+- `docker.go`: Container lifecycle management
+- Essential for validating changes against real Tailscale clients
+
+### Generated & External Code
+
+**Protocol Buffers (`proto/` → `gen/`)**
+- Defines gRPC API for headscale management operations
+- Client libraries can generate from these definitions
+- Run `make generate` after modifying `.proto` files
+
+**Integration Testing (`integration/`)**
+- `scenario.go`: Docker test environment setup
+- `tailscale.go`: Tailscale client container management
+- Individual test files for specific functionality areas
+- Real end-to-end validation with network isolation
+
+### Critical Performance Paths
+
+**High-Frequency Operations**
+1. **MapRequest Processing** (`poll.go`): Every 15-60 seconds per client
+2. **NodeStore Reads** (`node_store.go`): Every operation requiring node data
+3. **Policy Evaluation** (`policy/`): On every peer relationship calculation
+4. **Route Lookups** (`routes/`): During network map generation
+
+**Database Write Patterns**
+- **Frequent**: Node heartbeats, endpoint updates, route changes
+- **Moderate**: User operations, policy updates, API key management
+- **Rare**: Schema migrations, bulk operations
+
+### Configuration & Deployment
+
+**Configuration** (`hscontrol/types/config.go`)**
+- Database connection settings (SQLite/PostgreSQL)
+- Network configuration (IP ranges, DNS settings)
+- Policy mode (file vs database)
+- DERP relay configuration
+- OIDC provider settings
+
+**Key Dependencies**
+- **GORM**: Database ORM with migration support
+- **Tailscale Libraries**: Core networking and protocol code
+- **Zerolog**: Structured logging throughout the application
+- **Buf**: Protocol buffer toolchain for code generation
+
+### Development Workflow Integration
+
+The architecture supports incremental development:
+- **Unit Tests**: Focus on individual packages (`*_test.go` files)
+- **Integration Tests**: Validate cross-component interactions
+- **Database Tests**: Extensive migration and data integrity validation
+- **Policy Tests**: ACL rule evaluation and edge cases
+- **Performance Tests**: NodeStore and high-frequency operation validation
+
+## Integration Test System
+
+### Overview
+Integration tests use Docker containers running real Tailscale clients against a Headscale server. Tests validate end-to-end functionality including routing, ACLs, node lifecycle, and network coordination.
+
+### Running Integration Tests
+
+**System Requirements**
+```bash
+# Check if your system is ready
+go run ./cmd/hi doctor
+```
+This verifies Docker, Go, required images, and disk space.
+
+**Test Execution Patterns**
+```bash
+# Run a single test (recommended for development)
+go run ./cmd/hi run "TestSubnetRouterMultiNetwork"
+
+# Run with PostgreSQL backend (for database-heavy tests)
+go run ./cmd/hi run "TestExpireNode" --postgres
+
+# Run multiple tests with pattern matching
+go run ./cmd/hi run "TestSubnet*"
+
+# Run all integration tests (CI/full validation)
+go test ./integration -timeout 30m
+```
+
+**Test Categories & Timing**
+- **Fast tests** (< 2 min): Basic functionality, CLI operations
+- **Medium tests** (2-5 min): Route management, ACL validation  
+- **Slow tests** (5+ min): Node expiration, HA failover
+- **Long-running tests** (10+ min): `TestNodeOnlineStatus` (12 min duration)
+
+### Test Infrastructure
+
+**Docker Setup**
+- Headscale server container with configurable database backend
+- Multiple Tailscale client containers with different versions
+- Isolated networks per test scenario
+- Automatic cleanup after test completion
+
+**Test Artifacts**
+All test runs save artifacts to `control_logs/TIMESTAMP-ID/`:
+```
+control_logs/20250713-213106-iajsux/
+├── hs-testname-abc123.stderr.log     # Headscale server logs
+├── hs-testname-abc123.stdout.log
+├── hs-testname-abc123.db             # Database snapshot
+├── hs-testname-abc123_metrics.txt    # Prometheus metrics
+├── hs-testname-abc123-mapresponses/  # Protocol debug data
+├── ts-client-xyz789.stderr.log       # Tailscale client logs
+├── ts-client-xyz789.stdout.log
+└── ts-client-xyz789_status.json      # Client status dump
+```
+
+### Test Development Guidelines
+
+**Timing Considerations**
+Integration tests involve real network operations and Docker container lifecycle:
+
+```go
+// ❌ Wrong: Immediate assertions after async operations
+client.Execute([]string{"tailscale", "set", "--advertise-routes=10.0.0.0/24"})
+nodes, _ := headscale.ListNodes()
+require.Len(t, nodes[0].GetAvailableRoutes(), 1) // May fail due to timing
+
+// ✅ Correct: Wait for async operations to complete
+client.Execute([]string{"tailscale", "set", "--advertise-routes=10.0.0.0/24"})
+require.EventuallyWithT(t, func(c *assert.CollectT) {
+    nodes, err := headscale.ListNodes()
+    assert.NoError(c, err)
+    assert.Len(c, nodes[0].GetAvailableRoutes(), 1)
+}, 10*time.Second, 100*time.Millisecond, "route should be advertised")
+```
+
+**Common Test Patterns**
+- **Route Advertisement**: Use `EventuallyWithT` for route propagation
+- **Node State Changes**: Wait for NodeStore synchronization  
+- **ACL Policy Changes**: Allow time for policy recalculation
+- **Network Connectivity**: Use ping tests with retries
+
+**Test Data Management**
+```go
+// Node identification: Don't assume array ordering
+expectedRoutes := map[string]string{"1": "10.33.0.0/16"}
+for _, node := range nodes {
+    nodeIDStr := fmt.Sprintf("%d", node.GetId())
+    if route, shouldHaveRoute := expectedRoutes[nodeIDStr]; shouldHaveRoute {
+        // Test the node that should have the route
+    }
+}
+```
+
+### Troubleshooting Integration Tests
+
+**Common Failure Patterns**
+1. **Timing Issues**: Test assertions run before async operations complete
+   - **Solution**: Use `EventuallyWithT` with appropriate timeouts
+   - **Timeout Guidelines**: 3-5s for route operations, 10s for complex scenarios
+
+2. **Infrastructure Problems**: Disk space, Docker issues, network conflicts
+   - **Check**: `go run ./cmd/hi doctor` for system health
+   - **Clean**: Remove old test containers and networks
+
+3. **NodeStore Synchronization**: Tests expecting immediate data availability
+   - **Key Points**: Route advertisements must propagate through poll requests
+   - **Fix**: Wait for NodeStore updates after Hostinfo changes
+
+4. **Database Backend Differences**: SQLite vs PostgreSQL behavior differences
+   - **Use**: `--postgres` flag for database-intensive tests
+   - **Note**: Some timing characteristics differ between backends
+
+**Debugging Failed Tests**
+1. **Check test artifacts** in `control_logs/` for detailed logs
+2. **Examine MapResponse JSON** files for protocol-level debugging
+3. **Review Headscale stderr logs** for server-side error messages
+4. **Check Tailscale client status** for network-level issues
+
+**Resource Management**
+- Tests require significant disk space (each run ~100MB of logs)
+- Docker containers are cleaned up automatically on success
+- Failed tests may leave containers running - clean manually if needed
+- Use `docker system prune` periodically to reclaim space
+
+### Best Practices for Test Modifications
+
+1. **Always test locally** before committing integration test changes
+2. **Use appropriate timeouts** - too short causes flaky tests, too long slows CI
+3. **Clean up properly** - ensure tests don't leave persistent state
+4. **Handle both success and failure paths** in test scenarios
+5. **Document timing requirements** for complex test scenarios
+
+## NodeStore Implementation Details
+
+**Key Insight from Recent Work**: The NodeStore is a critical performance optimization that caches node data in memory while ensuring consistency with the database. When working with route advertisements or node state changes:
+
+1. **Timing Considerations**: Route advertisements need time to propagate from clients to server. Use `require.EventuallyWithT()` patterns in tests instead of immediate assertions.
+
+2. **Synchronization Points**: NodeStore updates happen at specific points like `poll.go:420` after Hostinfo changes. Ensure these are maintained when modifying the polling logic.
+
+3. **Peer Visibility**: The NodeStore's `peersFunc` determines which nodes are visible to each other. Policy-based filtering is separate from monitoring visibility - expired nodes should remain visible for debugging but marked as expired.
+
+## Testing Guidelines
+
+### Integration Test Patterns
+```go
+// Use EventuallyWithT for async operations
+require.EventuallyWithT(t, func(c *assert.CollectT) {
+    nodes, err := headscale.ListNodes()
+    assert.NoError(c, err)
+    // Check expected state
+}, 10*time.Second, 100*time.Millisecond, "description")
+
+// Node route checking by actual node properties, not array position
+var routeNode *v1.Node
+for _, node := range nodes {
+    if nodeIDStr := fmt.Sprintf("%d", node.GetId()); expectedRoutes[nodeIDStr] != "" {
+        routeNode = node
+        break
+    }
+}
+```
+
+### Running Problematic Tests
+- Some tests require significant time (e.g., `TestNodeOnlineStatus` runs for 12 minutes)
+- Infrastructure issues like disk space can cause test failures unrelated to code changes  
+- Use `--postgres` flag when testing database-heavy scenarios
+
+## Important Notes
+
+- **Dependencies**: Use `nix develop` for consistent toolchain (Go, buf, protobuf tools, linting)
+- **Protocol Buffers**: Changes to `proto/` require `make generate` and should be committed separately
+- **Code Style**: Enforced via golangci-lint with golines (width 88) and gofumpt formatting
+- **Database**: Supports both SQLite (development) and PostgreSQL (production/testing)
+- **Integration Tests**: Require Docker and can consume significant disk space
+- **Performance**: NodeStore optimizations are critical for scale - be careful with changes to state management
+
+## Debugging Integration Tests
+
+Test artifacts are preserved in `control_logs/TIMESTAMP-ID/` including:
+- Headscale server logs (stderr/stdout)
+- Tailscale client logs and status
+- Database dumps and network captures
+- MapResponse JSON files for protocol debugging
+
+When tests fail, check these artifacts first before assuming code issues.
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -62,7 +62,7 @@ event.

 Instances of abusive, harassing, or otherwise unacceptable behavior
 may be reported to the community leaders responsible for enforcement
-at our Discord channel. All complaints
+on our [Discord server](https://discord.gg/c84AZQhmpx). All complaints
 will be reviewed and investigated promptly and fairly.

 All community leaders are obligated to respect the privacy and
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -9,7 +9,7 @@ Headscale has a small maintainer team that tries to balance working on the proje

 When we work on issues ourselves, we develop first hand knowledge of the code and it makes it possible for us to maintain and own the code as the project develops.

-Code contributions are seen as a positive thing. People enjoy and engage with our project, but it also comes with some challenges; we have to understand the code, we have to understand the feature, we might have to become familiar with external libraries or services and we think about security implications. All those steps are required during the reviewing process. After the code has been merged, the feature has to be maintained. Any changes reliant on external services must be updated and expanded accordingly. 
+Code contributions are seen as a positive thing. People enjoy and engage with our project, but it also comes with some challenges; we have to understand the code, we have to understand the feature, we might have to become familiar with external libraries or services and we think about security implications. All those steps are required during the reviewing process. After the code has been merged, the feature has to be maintained. Any changes reliant on external services must be updated and expanded accordingly.

 The review and day-1 maintenance adds a significant burden on the maintainers. Often we hope that the contributor will help out, but we found that most of the time, they disappear after their new feature was added.

--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@@ -1,26 +0,0 @@
-# This Dockerfile and the images produced are for testing headscale,
-# and are in no way endorsed by Headscale's maintainers as an
-# official nor supported release or distribution.
-
-FROM docker.io/golang:1.22-bookworm
-ARG VERSION=dev
-ENV GOPATH /go
-WORKDIR /go/src/headscale
-
-RUN apt-get update \
-  && apt-get install --no-install-recommends --yes less jq \
-  && rm -rf /var/lib/apt/lists/* \
-  && apt-get clean
-RUN mkdir -p /var/run/headscale
-
-COPY go.mod go.sum /go/src/headscale/
-RUN go mod download
-
-COPY . .
-
-RUN CGO_ENABLED=0 GOOS=linux go install -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale && test -e /go/bin/headscale
-
-# Need to reset the entrypoint or everything will run as a busybox script
-ENTRYPOINT []
-EXPOSE 8080/tcp
-CMD ["headscale"]
--- a/Dockerfile.derper
+++ b/Dockerfile.derper
@@ -0,0 +1,19 @@
+# For testing purposes only
+
+FROM golang:alpine AS build-env
+
+WORKDIR /go/src
+
+RUN apk add --no-cache git
+ARG VERSION_BRANCH=main
+RUN git clone https://github.com/tailscale/tailscale.git --branch=$VERSION_BRANCH --depth=1
+WORKDIR /go/src/tailscale
+
+ARG TARGETARCH
+RUN GOARCH=$TARGETARCH go install -v ./cmd/derper
+
+FROM alpine:3.18
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables curl
+
+COPY --from=build-env /go/bin/* /usr/local/bin/
+ENTRYPOINT [ "/usr/local/bin/derper" ]
--- a/Dockerfile.integration
+++ b/Dockerfile.integration
@@ -0,0 +1,30 @@
+# This Dockerfile and the images produced are for testing headscale,
+# and are in no way endorsed by Headscale's maintainers as an
+# official nor supported release or distribution.
+
+FROM docker.io/golang:1.24-bookworm
+ARG VERSION=dev
+ENV GOPATH /go
+WORKDIR /go/src/headscale
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends --yes less jq sqlite3 dnsutils \
+  && rm -rf /var/lib/apt/lists/* \
+  && apt-get clean
+RUN mkdir -p /var/run/headscale
+
+# Install delve debugger
+RUN go install github.com/go-delve/delve/cmd/dlv@latest
+
+COPY go.mod go.sum /go/src/headscale/
+RUN go mod download
+
+COPY . .
+
+# Build debug binary with debug symbols for delve
+RUN CGO_ENABLED=0 GOOS=linux go build -gcflags="all=-N -l" -o /go/bin/headscale ./cmd/headscale
+
+# Need to reset the entrypoint or everything will run as a busybox script
+ENTRYPOINT []
+EXPOSE 8080/tcp 40000/tcp
+CMD ["/go/bin/dlv", "--listen=0.0.0.0:40000", "--headless=true", "--api-version=2", "--accept-multiclient", "exec", "/go/bin/headscale", "--"]
--- a/Dockerfile.tailscale-HEAD
+++ b/Dockerfile.tailscale-HEAD
@@ -4,7 +4,7 @@
 # This Dockerfile is more or less lifted from tailscale/tailscale
 # to ensure a similar build process when testing the HEAD of tailscale.

-FROM golang:1.22-alpine AS build-env
+FROM golang:1.24-alpine AS build-env

 WORKDIR /go/src

@@ -28,7 +28,9 @@ ARG VERSION_GIT_HASH=""
 ENV VERSION_GIT_HASH=$VERSION_GIT_HASH
 ARG TARGETARCH

-RUN GOARCH=$TARGETARCH go install -ldflags="\
+ARG BUILD_TAGS=""
+
+RUN GOARCH=$TARGETARCH go install -tags="${BUILD_TAGS}" -ldflags="\
      -X tailscale.com/version.longStamp=$VERSION_LONG \
      -X tailscale.com/version.shortStamp=$VERSION_SHORT \
      -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
--- a/153
+++ b/153
@@ -1,54 +1,129 @@
-# Calculate version
-version ?= $(shell git describe --always --tags --dirty)
+# Headscale Makefile
+# Modern Makefile following best practices

-rwildcard=$(foreach d,$(wildcard $1*),$(call rwildcard,$d/,$2) $(filter $(subst *,%,$2),$d))
+# Version calculation
+VERSION ?= $(shell git describe --always --tags --dirty)

-# Determine if OS supports pie
+# Build configuration
 GOOS ?= $(shell uname | tr '[:upper:]' '[:lower:]')
-ifeq ($(filter $(GOOS), openbsd netbsd soloaris plan9), )
-	pieflags = -buildmode=pie
-else
+ifeq ($(filter $(GOOS), openbsd netbsd solaris plan9), )
+	PIE_FLAGS = -buildmode=pie
 endif

-# GO_SOURCES = $(wildcard *.go)
-# PROTO_SOURCES = $(wildcard **/*.proto)
-GO_SOURCES = $(call rwildcard,,*.go)
-PROTO_SOURCES = $(call rwildcard,,*.proto)
+# Tool availability check with nix warning
+define check_tool
+	@command -v $(1) >/dev/null 2>&1 || { \
+		echo "Warning: $(1) not found. Run 'nix develop' to ensure all dependencies are available."; \
+		exit 1; \
+	}
+endef
+
+# Source file collections using shell find for better performance
+GO_SOURCES := $(shell find . -name '*.go' -not -path './gen/*' -not -path './vendor/*')
+PROTO_SOURCES := $(shell find . -name '*.proto' -not -path './gen/*' -not -path './vendor/*')
+DOC_SOURCES := $(shell find . \( -name '*.md' -o -name '*.yaml' -o -name '*.yml' -o -name '*.ts' -o -name '*.js' -o -name '*.html' -o -name '*.css' -o -name '*.scss' -o -name '*.sass' \) -not -path './gen/*' -not -path './vendor/*' -not -path './node_modules/*')
+
+# Default target
+.PHONY: all
+all: lint test build
+
+# Dependency checking
+.PHONY: check-deps
+check-deps:
+	$(call check_tool,go)
+	$(call check_tool,golangci-lint)
+	$(call check_tool,gofumpt)
+	$(call check_tool,prettier)
+	$(call check_tool,clang-format)
+	$(call check_tool,buf)
+
+# Build targets
+.PHONY: build
+build: check-deps $(GO_SOURCES) go.mod go.sum
+	@echo "Building headscale..."
+	go build $(PIE_FLAGS) -ldflags "-X main.version=$(VERSION)" -o headscale ./cmd/headscale
+
+# Test targets
+.PHONY: test
+test: check-deps $(GO_SOURCES) go.mod go.sum
+	@echo "Running Go tests..."
+	go test -race ./...


-build:
-	nix build
+# Formatting targets
+.PHONY: fmt
+fmt: fmt-go fmt-prettier fmt-proto

-dev: lint test build
+.PHONY: fmt-go
+fmt-go: check-deps $(GO_SOURCES)
+	@echo "Formatting Go code..."
+	gofumpt -l -w .
+	golangci-lint run --fix

-test:
-	gotestsum -- -short -coverprofile=coverage.out ./...
+.PHONY: fmt-prettier
+fmt-prettier: check-deps $(DOC_SOURCES)
+	@echo "Formatting documentation and config files..."
+	prettier --write '**/*.{ts,js,md,yaml,yml,sass,css,scss,html}'
+	prettier --write --print-width 80 --prose-wrap always CHANGELOG.md

-test_integration:
-	docker run \
-		-t --rm \
-		-v ~/.cache/hs-integration-go:/go \
-		--name headscale-test-suite \
-		-v $$PWD:$$PWD -w $$PWD/integration \
-		-v /var/run/docker.sock:/var/run/docker.sock \
-		-v $$PWD/control_logs:/tmp/control \
-		golang:1 \
-		go run gotest.tools/gotestsum@latest -- -failfast ./... -timeout 120m -parallel 8
+.PHONY: fmt-proto
+fmt-proto: check-deps $(PROTO_SOURCES)
+	@echo "Formatting Protocol Buffer files..."
+	clang-format -i $(PROTO_SOURCES)

-lint:
-	golangci-lint run --fix --timeout 10m
+# Linting targets
+.PHONY: lint
+lint: lint-go lint-proto

-fmt:
-	prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
-	golines --max-len=88 --base-formatter=gofumpt -w $(GO_SOURCES)
-	clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i $(PROTO_SOURCES)
+.PHONY: lint-go
+lint-go: check-deps $(GO_SOURCES) go.mod go.sum
+	@echo "Linting Go code..."
+	golangci-lint run --timeout 10m

-proto-lint:
-	cd proto/ && go run github.com/bufbuild/buf/cmd/buf lint
+.PHONY: lint-proto
+lint-proto: check-deps $(PROTO_SOURCES)
+	@echo "Linting Protocol Buffer files..."
+	cd proto/ && buf lint

-compress: build
-	upx --brute headscale
+# Code generation
+.PHONY: generate
+generate: check-deps
+	@echo "Generating code..."
+	go generate ./...

-generate:
-	rm -rf gen
-	buf generate proto
+# Clean targets
+.PHONY: clean
+clean:
+	rm -rf headscale gen
+
+# Development workflow
+.PHONY: dev
+dev: fmt lint test build
+
+# Help target
+.PHONY: help
+help:
+	@echo "Headscale Development Makefile"
+	@echo ""
+	@echo "Main targets:"
+	@echo "  all          - Run lint, test, and build (default)"
+	@echo "  build        - Build headscale binary"
+	@echo "  test         - Run Go tests"
+	@echo "  fmt          - Format all code (Go, docs, proto)"
+	@echo "  lint         - Lint all code (Go, proto)"
+	@echo "  generate     - Generate code from Protocol Buffers"
+	@echo "  dev          - Full development workflow (fmt + lint + test + build)"
+	@echo "  clean        - Clean build artifacts"
+	@echo ""
+	@echo "Specific targets:"
+	@echo "  fmt-go       - Format Go code only"
+	@echo "  fmt-prettier - Format documentation only" 
+	@echo "  fmt-proto    - Format Protocol Buffer files only"
+	@echo "  lint-go      - Lint Go code only"
+	@echo "  lint-proto   - Lint Protocol Buffer files only"
+	@echo ""
+	@echo "Dependencies:"
+	@echo "  check-deps   - Verify required tools are available"
+	@echo ""
+	@echo "Note: If not running in a nix shell, ensure dependencies are available:"
+	@echo "  nix develop"
--- a/README.md
+++ b/README.md
@@ -4,11 +4,15 @@

 An open source, self-hosted implementation of the Tailscale control server.

-Join our [Discord](https://discord.gg/c84AZQhmpx) server for a chat.
+Join our [Discord server](https://discord.gg/c84AZQhmpx) for a chat.

 **Note:** Always select the same GitHub tag as the released version you use
-to ensure you have the correct example configuration and documentation.
-The `main` branch might contain unreleased changes.
+to ensure you have the correct example configuration. The `main` branch might
+contain unreleased changes. The documentation is available for stable and
+development versions:
+
+- [Documentation for the stable version](https://headscale.net/stable/)
+- [Documentation for the development version](https://headscale.net/development/)

 ## What is Tailscale

@@ -32,12 +36,12 @@ organisation.

 ## Design goal

-Headscale aims to implement a self-hosted, open source alternative to the Tailscale
-control server.
-Headscale's goal is to provide self-hosters and hobbyists with an open-source
-server they can use for their projects and labs.
-It implements a narrow scope, a single Tailnet, suitable for a personal use, or a small
-open-source organisation.
+Headscale aims to implement a self-hosted, open source alternative to the
+[Tailscale](https://tailscale.com/) control server. Headscale's goal is to
+provide self-hosters and hobbyists with an open-source server they can use for
+their projects and labs. It implements a narrow scope, a _single_ Tailscale
+network (tailnet), suitable for a personal use, or a small open-source
+organisation.

 ## Supporting Headscale

@@ -46,39 +50,18 @@ buttons available in the repo.

 ## Features

- Full "base" support of Tailscale's features
- Configurable DNS
-  - [Split DNS](https://tailscale.com/kb/1054/dns/#using-dns-settings-in-the-admin-console)
- Node registration
-  - Single-Sign-On (via Open ID Connect)
-  - Pre authenticated key
- Taildrop (File Sharing)
- [Access control lists](https://tailscale.com/kb/1018/acls/)
- [MagicDNS](https://tailscale.com/kb/1081/magicdns)
- Support for multiple IP ranges in the tailnet
- Dual stack (IPv4 and IPv6)
- Routing advertising (including exit nodes)
- Ephemeral nodes
- Embedded [DERP server](https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp)
+Please see ["Features" in the documentation](https://headscale.net/stable/about/features/).

 ## Client OS support

-| OS      | Supports headscale                                        |
-| ------- | --------------------------------------------------------- |
-| Linux   | Yes                                                       |
-| OpenBSD | Yes                                                       |
-| FreeBSD | Yes                                                       |
-| macOS   | Yes (see `/apple` on your headscale for more information) |
-| Windows | Yes [docs](./docs/windows-client.md)                      |
-| Android | Yes [docs](./docs/android-client.md)                      |
-| iOS     | Yes [docs](./docs/iOS-client.md)                          |
+Please see ["Client and operating system support" in the documentation](https://headscale.net/stable/about/clients/).

 ## Running headscale

 **Please note that we do not support nor encourage the use of reverse proxies
 and container to run Headscale.**

-Please have a look at the [`documentation`](https://headscale.net/).
+Please have a look at the [`documentation`](https://headscale.net/stable/).

 ## Talks

@@ -100,7 +83,7 @@ Please read the [CONTRIBUTING.md](./CONTRIBUTING.md) file.
 ### Requirements

 To contribute to headscale you would need the latest version of [Go](https://golang.org)
-and [Buf](https://buf.build)(Protobuf generator).
+and [Buf](https://buf.build) (Protobuf generator).

 We recommend using [Nix](https://nixos.org/) to setup a development environment. This can
 be done with `nix develop`, which will install the tools and give you a shell.
@@ -155,16 +138,29 @@ make test

 To build the program:

-```shell
-nix build
-```
-
-or
-
 ```shell
 make build
 ```

+### Development workflow
+
+We recommend using Nix for dependency management to ensure you have all required tools. If you prefer to manage dependencies yourself, you can use Make directly:
+
+**With Nix (recommended):**
+```shell
+nix develop
+make test
+make build
+```
+
+**With your own dependencies:**
+```shell
+make test
+make build
+```
+
+The Makefile will warn you if any required tools are missing and suggest running `nix develop`. Run `make help` to see all available targets.
+
 ## Contributors

 <a href="https://github.com/juanfont/headscale/graphs/contributors">
--- a/cmd/headscale/cli/api_key.go
+++ b/cmd/headscale/cli/api_key.go
@@ -54,7 +54,7 @@ var listAPIKeys = &cobra.Command{
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -67,14 +67,10 @@ var listAPIKeys = &cobra.Command{
 				fmt.Sprintf("Error getting the list of keys: %s", err),
 				output,
 			)
-
-			return
 		}

 		if output != "" {
 			SuccessOutput(response.GetApiKeys(), "", output)
-
-			return
 		}

 		tableData := pterm.TableData{
@@ -102,8 +98,6 @@ var listAPIKeys = &cobra.Command{
 				fmt.Sprintf("Failed to render pterm table: %s", err),
 				output,
 			)
-
-			return
 		}
 	},
 }
@@ -119,9 +113,6 @@ If you loose a key, create a new one and revoke (expire) the old one.`,
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

-		log.Trace().
-			Msg("Preparing to create ApiKey")
-
 		request := &v1.CreateApiKeyRequest{}

 		durationStr, _ := cmd.Flags().GetString("expiration")
@@ -133,19 +124,13 @@ If you loose a key, create a new one and revoke (expire) the old one.`,
 				fmt.Sprintf("Could not parse duration: %s\n", err),
 				output,
 			)
-
-			return
 		}

 		expiration := time.Now().UTC().Add(time.Duration(duration))

-		log.Trace().
-			Dur("expiration", time.Duration(duration)).
-			Msg("expiration has been set")
-
 		request.Expiration = timestamppb.New(expiration)

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -156,8 +141,6 @@ If you loose a key, create a new one and revoke (expire) the old one.`,
 				fmt.Sprintf("Cannot create Api Key: %s\n", err),
 				output,
 			)
-
-			return
 		}

 		SuccessOutput(response.GetApiKey(), response.GetApiKey(), output)
@@ -178,11 +161,9 @@ var expireAPIKeyCmd = &cobra.Command{
 				fmt.Sprintf("Error getting prefix from CLI flag: %s", err),
 				output,
 			)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -197,8 +178,6 @@ var expireAPIKeyCmd = &cobra.Command{
 				fmt.Sprintf("Cannot expire Api Key: %s\n", err),
 				output,
 			)
-
-			return
 		}

 		SuccessOutput(response, "Key expired", output)
@@ -219,11 +198,9 @@ var deleteAPIKeyCmd = &cobra.Command{
 				fmt.Sprintf("Error getting prefix from CLI flag: %s", err),
 				output,
 			)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -238,8 +215,6 @@ var deleteAPIKeyCmd = &cobra.Command{
 				fmt.Sprintf("Cannot delete Api Key: %s\n", err),
 				output,
 			)
-
-			return
 		}

 		SuccessOutput(response, "Key deleted", output)
--- a/cmd/headscale/cli/configtest.go
+++ b/cmd/headscale/cli/configtest.go
@@ -14,7 +14,7 @@ var configTestCmd = &cobra.Command{
 	Short: "Test the configuration.",
 	Long:  "Run a test of the configuration and exit.",
 	Run: func(cmd *cobra.Command, args []string) {
-		_, err := getHeadscaleApp()
+		_, err := newHeadscaleServerWithConfig()
 		if err != nil {
 			log.Fatal().Caller().Err(err).Msg("Error initializing")
 		}
--- a/cmd/headscale/cli/debug.go
+++ b/cmd/headscale/cli/debug.go
@@ -4,10 +4,10 @@ import (
 	"fmt"

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
-	"tailscale.com/types/key"
 )

 const (
@@ -64,11 +64,9 @@ var createNodeCmd = &cobra.Command{
 		user, err := cmd.Flags().GetString("user")
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -79,31 +77,24 @@ var createNodeCmd = &cobra.Command{
 				fmt.Sprintf("Error getting node from flag: %s", err),
 				output,
 			)
-
-			return
 		}

-		machineKey, err := cmd.Flags().GetString("key")
+		registrationID, err := cmd.Flags().GetString("key")
 		if err != nil {
 			ErrorOutput(
 				err,
 				fmt.Sprintf("Error getting key from flag: %s", err),
 				output,
 			)
-
-			return
 		}

-		var mkey key.MachinePublic
-		err = mkey.UnmarshalText([]byte(machineKey))
+		_, err = types.RegistrationIDFromString(registrationID)
 		if err != nil {
 			ErrorOutput(
 				err,
 				fmt.Sprintf("Failed to parse machine key from flag: %s", err),
 				output,
 			)
-
-			return
 		}

 		routes, err := cmd.Flags().GetStringSlice("route")
@@ -113,12 +104,10 @@ var createNodeCmd = &cobra.Command{
 				fmt.Sprintf("Error getting routes from flag: %s", err),
 				output,
 			)
-
-			return
 		}

 		request := &v1.DebugCreateNodeRequest{
-			Key:    machineKey,
+			Key:    registrationID,
 			Name:   name,
 			User:   user,
 			Routes: routes,
@@ -128,11 +117,9 @@ var createNodeCmd = &cobra.Command{
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf("Cannot create node: %s", status.Convert(err).Message()),
+				"Cannot create node: "+status.Convert(err).Message(),
 				output,
 			)
-
-			return
 		}

 		SuccessOutput(response.GetNode(), "Node created", output)
--- a/cmd/headscale/cli/mockoidc.go
+++ b/cmd/headscale/cli/mockoidc.go
@@ -1,8 +1,11 @@
 package cli

 import (
+	"encoding/json"
+	"errors"
 	"fmt"
 	"net"
+	"net/http"
 	"os"
 	"strconv"
 	"time"
@@ -64,6 +67,19 @@ func mockOIDC() error {
 		accessTTL = newTTL
 	}

+	userStr := os.Getenv("MOCKOIDC_USERS")
+	if userStr == "" {
+		return errors.New("MOCKOIDC_USERS not defined")
+	}
+
+	var users []mockoidc.MockUser
+	err := json.Unmarshal([]byte(userStr), &users)
+	if err != nil {
+		return fmt.Errorf("unmarshalling users: %w", err)
+	}
+
+	log.Info().Interface("users", users).Msg("loading users from JSON")
+
 	log.Info().Msgf("Access token TTL: %s", accessTTL)

 	port, err := strconv.Atoi(portStr)
@@ -71,7 +87,7 @@ func mockOIDC() error {
 		return err
 	}

-	mock, err := getMockOIDC(clientID, clientSecret)
+	mock, err := getMockOIDC(clientID, clientSecret, users)
 	if err != nil {
 		return err
 	}
@@ -93,12 +109,18 @@ func mockOIDC() error {
 	return nil
 }

-func getMockOIDC(clientID string, clientSecret string) (*mockoidc.MockOIDC, error) {
+func getMockOIDC(clientID string, clientSecret string, users []mockoidc.MockUser) (*mockoidc.MockOIDC, error) {
 	keypair, err := mockoidc.NewKeypair(nil)
 	if err != nil {
 		return nil, err
 	}

+	userQueue := mockoidc.UserQueue{}
+
+	for _, user := range users {
+		userQueue.Push(&user)
+	}
+
 	mock := mockoidc.MockOIDC{
 		ClientID:                      clientID,
 		ClientSecret:                  clientSecret,
@@ -107,9 +129,19 @@ func getMockOIDC(clientID string, clientSecret string) (*mockoidc.MockOIDC, erro
 		CodeChallengeMethodsSupported: []string{"plain", "S256"},
 		Keypair:                       keypair,
 		SessionStore:                  mockoidc.NewSessionStore(),
-		UserQueue:                     &mockoidc.UserQueue{},
+		UserQueue:                     &userQueue,
 		ErrorQueue:                    &mockoidc.ErrorQueue{},
 	}

+	mock.AddMiddleware(func(h http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			log.Info().Msgf("Request: %+v", r)
+			h.ServeHTTP(w, r)
+			if r.Response != nil {
+				log.Info().Msgf("Response: %+v", r.Response)
+			}
+		})
+	})
+
 	return &mock, nil
 }
--- a/cmd/headscale/cli/nodes.go
+++ b/cmd/headscale/cli/nodes.go
@@ -13,6 +13,7 @@ import (
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/pterm/pterm"
+	"github.com/samber/lo"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
 	"tailscale.com/types/key"
@@ -27,9 +28,11 @@ func init() {
 	listNodesNamespaceFlag := listNodesCmd.Flags().Lookup("namespace")
 	listNodesNamespaceFlag.Deprecated = deprecateNamespaceMessage
 	listNodesNamespaceFlag.Hidden = true
-
 	nodeCmd.AddCommand(listNodesCmd)

+	listNodeRoutesCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
+	nodeCmd.AddCommand(listNodeRoutesCmd)
+
 	registerNodeCmd.Flags().StringP("user", "u", "", "User")

 	registerNodeCmd.Flags().StringP("namespace", "n", "", "User")
@@ -39,33 +42,33 @@ func init() {

 	err := registerNodeCmd.MarkFlagRequired("user")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	registerNodeCmd.Flags().StringP("key", "k", "", "Key")
 	err = registerNodeCmd.MarkFlagRequired("key")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	nodeCmd.AddCommand(registerNodeCmd)

 	expireNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
 	err = expireNodeCmd.MarkFlagRequired("identifier")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	nodeCmd.AddCommand(expireNodeCmd)

 	renameNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
 	err = renameNodeCmd.MarkFlagRequired("identifier")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	nodeCmd.AddCommand(renameNodeCmd)

 	deleteNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
 	err = deleteNodeCmd.MarkFlagRequired("identifier")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	nodeCmd.AddCommand(deleteNodeCmd)

@@ -73,10 +76,10 @@ func init() {

 	err = moveNodeCmd.MarkFlagRequired("identifier")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}

-	moveNodeCmd.Flags().StringP("user", "u", "", "New user")
+	moveNodeCmd.Flags().Uint64P("user", "u", 0, "New user")

 	moveNodeCmd.Flags().StringP("namespace", "n", "", "User")
 	moveNodeNamespaceFlag := moveNodeCmd.Flags().Lookup("namespace")
@@ -85,20 +88,20 @@ func init() {

 	err = moveNodeCmd.MarkFlagRequired("user")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	nodeCmd.AddCommand(moveNodeCmd)

 	tagCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
-
-	err = tagCmd.MarkFlagRequired("identifier")
-	if err != nil {
-		log.Fatalf(err.Error())
-	}
-	tagCmd.Flags().
-		StringSliceP("tags", "t", []string{}, "List of tags to add to the node")
+	tagCmd.MarkFlagRequired("identifier")
+	tagCmd.Flags().StringSliceP("tags", "t", []string{}, "List of tags to add to the node")
 	nodeCmd.AddCommand(tagCmd)

+	approveRoutesCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
+	approveRoutesCmd.MarkFlagRequired("identifier")
+	approveRoutesCmd.Flags().StringSliceP("routes", "r", []string{}, `List of routes that will be approved (comma-separated, e.g. "10.0.0.0/8,192.168.0.0/24" or empty string to remove all approved routes)`)
+	nodeCmd.AddCommand(approveRoutesCmd)
+
 	nodeCmd.AddCommand(backfillNodeIPsCmd)
 }

@@ -116,27 +119,23 @@ var registerNodeCmd = &cobra.Command{
 		user, err := cmd.Flags().GetString("user")
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

-		machineKey, err := cmd.Flags().GetString("key")
+		registrationID, err := cmd.Flags().GetString("key")
 		if err != nil {
 			ErrorOutput(
 				err,
 				fmt.Sprintf("Error getting node key from flag: %s", err),
 				output,
 			)
-
-			return
 		}

 		request := &v1.RegisterNodeRequest{
-			Key:  machineKey,
+			Key:  registrationID,
 			User: user,
 		}

@@ -150,8 +149,6 @@ var registerNodeCmd = &cobra.Command{
 				),
 				output,
 			)
-
-			return
 		}

 		SuccessOutput(
@@ -169,17 +166,13 @@ var listNodesCmd = &cobra.Command{
 		user, err := cmd.Flags().GetString("user")
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
-
-			return
 		}
 		showTags, err := cmd.Flags().GetBool("tags")
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error getting tags flag: %s", err), output)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -191,24 +184,18 @@ var listNodesCmd = &cobra.Command{
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf("Cannot get nodes: %s", status.Convert(err).Message()),
+				"Cannot get nodes: "+status.Convert(err).Message(),
 				output,
 			)
-
-			return
 		}

 		if output != "" {
 			SuccessOutput(response.GetNodes(), "", output)
-
-			return
 		}

 		tableData, err := nodesToPtables(user, showTags, response.GetNodes())
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error converting to table: %s", err), output)
-
-			return
 		}

 		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
@@ -218,9 +205,73 @@ var listNodesCmd = &cobra.Command{
 				fmt.Sprintf("Failed to render pterm table: %s", err),
 				output,
 			)
+		}
+	},
+}
+
+var listNodeRoutesCmd = &cobra.Command{
+	Use:     "list-routes",
+	Short:   "List routes available on nodes",
+	Aliases: []string{"lsr", "routes"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+		identifier, err := cmd.Flags().GetUint64("identifier")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error converting ID to integer: %s", err),
+				output,
+			)

 			return
 		}
+
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.ListNodesRequest{}
+
+		response, err := client.ListNodes(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				"Cannot get nodes: "+status.Convert(err).Message(),
+				output,
+			)
+		}
+
+		if output != "" {
+			SuccessOutput(response.GetNodes(), "", output)
+		}
+
+		nodes := response.GetNodes()
+		if identifier != 0 {
+			for _, node := range response.GetNodes() {
+				if node.GetId() == identifier {
+					nodes = []*v1.Node{node}
+					break
+				}
+			}
+		}
+
+		nodes = lo.Filter(nodes, func(n *v1.Node, _ int) bool {
+			return (n.GetSubnetRoutes() != nil && len(n.GetSubnetRoutes()) > 0) || (n.GetApprovedRoutes() != nil && len(n.GetApprovedRoutes()) > 0) || (n.GetAvailableRoutes() != nil && len(n.GetAvailableRoutes()) > 0)
+		})
+
+		tableData, err := nodeRoutesToPtables(nodes)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error converting to table: %s", err), output)
+		}
+
+		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Failed to render pterm table: %s", err),
+				output,
+			)
+		}
 	},
 }

@@ -243,7 +294,7 @@ var expireNodeCmd = &cobra.Command{
 			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -286,7 +337,7 @@ var renameNodeCmd = &cobra.Command{
 			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -335,7 +386,7 @@ var deleteNodeCmd = &cobra.Command{
 			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -347,10 +398,7 @@ var deleteNodeCmd = &cobra.Command{
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf(
-					"Error getting node node: %s",
-					status.Convert(err).Message(),
-				),
+				"Error getting node node: "+status.Convert(err).Message(),
 				output,
 			)

@@ -386,10 +434,7 @@ var deleteNodeCmd = &cobra.Command{
 			if err != nil {
 				ErrorOutput(
 					err,
-					fmt.Sprintf(
-						"Error deleting node: %s",
-						status.Convert(err).Message(),
-					),
+					"Error deleting node: "+status.Convert(err).Message(),
 					output,
 				)

@@ -424,7 +469,7 @@ var moveNodeCmd = &cobra.Command{
 			return
 		}

-		user, err := cmd.Flags().GetString("user")
+		user, err := cmd.Flags().GetUint64("user")
 		if err != nil {
 			ErrorOutput(
 				err,
@@ -435,7 +480,7 @@ var moveNodeCmd = &cobra.Command{
 			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -447,10 +492,7 @@ var moveNodeCmd = &cobra.Command{
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf(
-					"Error getting node: %s",
-					status.Convert(err).Message(),
-				),
+				"Error getting node: "+status.Convert(err).Message(),
 				output,
 			)

@@ -466,10 +508,7 @@ var moveNodeCmd = &cobra.Command{
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf(
-					"Error moving node: %s",
-					status.Convert(err).Message(),
-				),
+				"Error moving node: "+status.Convert(err).Message(),
 				output,
 			)

@@ -500,26 +539,29 @@ be assigned to nodes.`,
 		output, _ := cmd.Flags().GetString("output")

 		confirm := false
-		prompt := &survey.Confirm{
-			Message: "Are you sure that you want to assign/remove IPs to/from nodes?",
+
+		force, _ := cmd.Flags().GetBool("force")
+		if !force {
+			prompt := &survey.Confirm{
+				Message: "Are you sure that you want to assign/remove IPs to/from nodes?",
+			}
+			err = survey.AskOne(prompt, &confirm)
+			if err != nil {
+				return
+			}
 		}
-		err = survey.AskOne(prompt, &confirm)
-		if err != nil {
-			return
-		}
-		if confirm {
-			ctx, client, conn, cancel := getHeadscaleCLIClient()
+
+
+		if confirm || force {
+			ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 			defer cancel()
 			defer conn.Close()

-			changes, err := client.BackfillNodeIPs(ctx, &v1.BackfillNodeIPsRequest{Confirmed: confirm})
+			changes, err := client.BackfillNodeIPs(ctx, &v1.BackfillNodeIPsRequest{Confirmed: confirm || force })
 			if err != nil {
 				ErrorOutput(
 					err,
-					fmt.Sprintf(
-						"Error backfilling IPs: %s",
-						status.Convert(err).Message(),
-					),
+					"Error backfilling IPs: "+status.Convert(err).Message(),
 					output,
 				)

@@ -675,13 +717,42 @@ func nodesToPtables(
 	return tableData, nil
 }

+func nodeRoutesToPtables(
+	nodes []*v1.Node,
+) (pterm.TableData, error) {
+	tableHeader := []string{
+		"ID",
+		"Hostname",
+		"Approved",
+		"Available",
+		"Serving (Primary)",
+	}
+	tableData := pterm.TableData{tableHeader}
+
+	for _, node := range nodes {
+		nodeData := []string{
+			strconv.FormatUint(node.GetId(), util.Base10),
+			node.GetGivenName(),
+			strings.Join(node.GetApprovedRoutes(), ", "),
+			strings.Join(node.GetAvailableRoutes(), ", "),
+			strings.Join(node.GetSubnetRoutes(), ", "),
+		}
+		tableData = append(
+			tableData,
+			nodeData,
+		)
+	}
+
+	return tableData, nil
+}
+
 var tagCmd = &cobra.Command{
 	Use:     "tag",
 	Short:   "Manage the tags of a node",
 	Aliases: []string{"tags", "t"},
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -732,3 +803,60 @@ var tagCmd = &cobra.Command{
 		}
 	},
 }
+
+var approveRoutesCmd = &cobra.Command{
+	Use:   "approve-routes",
+	Short: "Manage the approved routes of a node",
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		// retrieve flags from CLI
+		identifier, err := cmd.Flags().GetUint64("identifier")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error converting ID to integer: %s", err),
+				output,
+			)
+
+			return
+		}
+		routes, err := cmd.Flags().GetStringSlice("routes")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error retrieving list of routes to add to node, %v", err),
+				output,
+			)
+
+			return
+		}
+
+		// Sending routes to node
+		request := &v1.SetApprovedRoutesRequest{
+			NodeId: identifier,
+			Routes: routes,
+		}
+		resp, err := client.SetApprovedRoutes(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error while sending routes to headscale: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		if resp != nil {
+			SuccessOutput(
+				resp.GetNode(),
+				"Node updated",
+				output,
+			)
+		}
+	},
+}
--- a/cmd/headscale/cli/policy.go
+++ b/cmd/headscale/cli/policy.go
@@ -1,12 +1,16 @@
 package cli

 import (
+	"fmt"
 	"io"
 	"os"

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
+	"tailscale.com/types/views"
 )

 func init() {
@@ -18,6 +22,12 @@ func init() {
 		log.Fatal().Err(err).Msg("")
 	}
 	policyCmd.AddCommand(setPolicy)
+
+	checkPolicy.Flags().StringP("file", "f", "", "Path to a policy file in HuJSON format")
+	if err := checkPolicy.MarkFlagRequired("file"); err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+	policyCmd.AddCommand(checkPolicy)
 }

 var policyCmd = &cobra.Command{
@@ -30,7 +40,8 @@ var getPolicy = &cobra.Command{
 	Short:   "Print the current ACL Policy",
 	Aliases: []string{"show", "view", "fetch"},
 	Run: func(cmd *cobra.Command, args []string) {
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		output, _ := cmd.Flags().GetString("output")
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -38,13 +49,13 @@ var getPolicy = &cobra.Command{

 		response, err := client.GetPolicy(ctx, request)
 		if err != nil {
-			log.Fatal().Err(err).Msg("Failed to get the policy")
-
-			return
+			ErrorOutput(err, fmt.Sprintf("Failed loading ACL Policy: %s", err), output)
 		}

 		// TODO(pallabpain): Maybe print this better?
-		SuccessOutput("", response.GetPolicy(), "hujson")
+		// This does not pass output as we dont support yaml, json or json-line
+		// output for this command. It is HuJSON already.
+		SuccessOutput("", response.GetPolicy(), "")
 	},
 }

@@ -56,35 +67,57 @@ var setPolicy = &cobra.Command{
 	This command only works when the acl.policy_mode is set to "db", and the policy will be stored in the database.`,
 	Aliases: []string{"put", "update"},
 	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
 		policyPath, _ := cmd.Flags().GetString("file")

 		f, err := os.Open(policyPath)
 		if err != nil {
-			log.Fatal().Err(err).Msg("Error opening the policy file")
-
-			return
+			ErrorOutput(err, fmt.Sprintf("Error opening the policy file: %s", err), output)
 		}
 		defer f.Close()

 		policyBytes, err := io.ReadAll(f)
 		if err != nil {
-			log.Fatal().Err(err).Msg("Error reading the policy file")
-
-			return
+			ErrorOutput(err, fmt.Sprintf("Error reading the policy file: %s", err), output)
 		}

 		request := &v1.SetPolicyRequest{Policy: string(policyBytes)}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

 		if _, err := client.SetPolicy(ctx, request); err != nil {
-			log.Fatal().Err(err).Msg("Failed to set ACL Policy")
-
-			return
+			ErrorOutput(err, fmt.Sprintf("Failed to set ACL Policy: %s", err), output)
 		}

 		SuccessOutput(nil, "Policy updated.", "")
 	},
 }
+
+var checkPolicy = &cobra.Command{
+	Use:   "check",
+	Short: "Check the Policy file for errors",
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+		policyPath, _ := cmd.Flags().GetString("file")
+
+		f, err := os.Open(policyPath)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error opening the policy file: %s", err), output)
+		}
+		defer f.Close()
+
+		policyBytes, err := io.ReadAll(f)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error reading the policy file: %s", err), output)
+		}
+
+		_, err = policy.NewPolicyManager(policyBytes, nil, views.Slice[types.NodeView]{})
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error parsing the policy file: %s", err), output)
+		}
+
+		SuccessOutput(nil, "Policy is valid", "")
+	},
+}
--- a/cmd/headscale/cli/preauthkeys.go
+++ b/cmd/headscale/cli/preauthkeys.go
@@ -20,7 +20,7 @@ const (

 func init() {
 	rootCmd.AddCommand(preauthkeysCmd)
-	preauthkeysCmd.PersistentFlags().StringP("user", "u", "", "User")
+	preauthkeysCmd.PersistentFlags().Uint64P("user", "u", 0, "User identifier (ID)")

 	preauthkeysCmd.PersistentFlags().StringP("namespace", "n", "", "User")
 	pakNamespaceFlag := preauthkeysCmd.PersistentFlags().Lookup("namespace")
@@ -57,14 +57,12 @@ var listPreAuthKeys = &cobra.Command{
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

-		user, err := cmd.Flags().GetString("user")
+		user, err := cmd.Flags().GetUint64("user")
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -85,8 +83,6 @@ var listPreAuthKeys = &cobra.Command{

 		if output != "" {
 			SuccessOutput(response.GetPreAuthKeys(), "", output)
-
-			return
 		}

 		tableData := pterm.TableData{
@@ -116,7 +112,7 @@ var listPreAuthKeys = &cobra.Command{
 			aclTags = strings.TrimLeft(aclTags, ",")

 			tableData = append(tableData, []string{
-				key.GetId(),
+				strconv.FormatUint(key.GetId(), 10),
 				key.GetKey(),
 				strconv.FormatBool(key.GetReusable()),
 				strconv.FormatBool(key.GetEphemeral()),
@@ -134,8 +130,6 @@ var listPreAuthKeys = &cobra.Command{
 				fmt.Sprintf("Failed to render pterm table: %s", err),
 				output,
 			)
-
-			return
 		}
 	},
 }
@@ -147,23 +141,15 @@ var createPreAuthKeyCmd = &cobra.Command{
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

-		user, err := cmd.Flags().GetString("user")
+		user, err := cmd.Flags().GetUint64("user")
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
-
-			return
 		}

 		reusable, _ := cmd.Flags().GetBool("reusable")
 		ephemeral, _ := cmd.Flags().GetBool("ephemeral")
 		tags, _ := cmd.Flags().GetStringSlice("tags")

-		log.Trace().
-			Bool("reusable", reusable).
-			Bool("ephemeral", ephemeral).
-			Str("user", user).
-			Msg("Preparing to create preauthkey")
-
 		request := &v1.CreatePreAuthKeyRequest{
 			User:      user,
 			Reusable:  reusable,
@@ -180,8 +166,6 @@ var createPreAuthKeyCmd = &cobra.Command{
 				fmt.Sprintf("Could not parse duration: %s\n", err),
 				output,
 			)
-
-			return
 		}

 		expiration := time.Now().UTC().Add(time.Duration(duration))
@@ -192,7 +176,7 @@ var createPreAuthKeyCmd = &cobra.Command{

 		request.Expiration = timestamppb.New(expiration)

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -203,8 +187,6 @@ var createPreAuthKeyCmd = &cobra.Command{
 				fmt.Sprintf("Cannot create Pre Auth Key: %s\n", err),
 				output,
 			)
-
-			return
 		}

 		SuccessOutput(response.GetPreAuthKey(), response.GetPreAuthKey().GetKey(), output)
@@ -224,14 +206,12 @@ var expirePreAuthKeyCmd = &cobra.Command{
 	},
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")
-		user, err := cmd.Flags().GetString("user")
+		user, err := cmd.Flags().GetUint64("user")
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -247,8 +227,6 @@ var expirePreAuthKeyCmd = &cobra.Command{
 				fmt.Sprintf("Cannot expire Pre Auth Key: %s\n", err),
 				output,
 			)
-
-			return
 		}

 		SuccessOutput(response, "Key expired", output)
--- a/cmd/headscale/cli/root.go
+++ b/cmd/headscale/cli/root.go
@@ -4,11 +4,13 @@ import (
 	"fmt"
 	"os"
 	"runtime"
+	"slices"

 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
 	"github.com/tcnksm/go-latest"
 )

@@ -24,6 +26,11 @@ func init() {
 		return
 	}

+	if slices.Contains(os.Args, "policy") && slices.Contains(os.Args, "check") {
+		zerolog.SetGlobalLevel(zerolog.Disabled)
+		return
+	}
+
 	cobra.OnInitialize(initConfig)
 	rootCmd.PersistentFlags().
 		StringVarP(&cfgFile, "config", "c", "", "config file (default is /etc/headscale/config.yaml)")
@@ -49,11 +56,6 @@ func initConfig() {
 		}
 	}

-	cfg, err := types.GetHeadscaleConfig()
-	if err != nil {
-		log.Fatal().Err(err).Msg("Failed to read headscale configuration")
-	}
-
 	machineOutput := HasMachineOutputFlag()

 	// If the user has requested a "node" readable format,
@@ -62,24 +64,26 @@ func initConfig() {
 		zerolog.SetGlobalLevel(zerolog.Disabled)
 	}

-	if cfg.Log.Format == types.JSONLogFormat {
+	logFormat := viper.GetString("log.format")
+	if logFormat == types.JSONLogFormat {
 		log.Logger = log.Output(os.Stdout)
 	}

-	if !cfg.DisableUpdateCheck && !machineOutput {
+	disableUpdateCheck := viper.GetBool("disable_check_updates")
+	if !disableUpdateCheck && !machineOutput {
 		if (runtime.GOOS == "linux" || runtime.GOOS == "darwin") &&
-			Version != "dev" {
+			types.Version != "dev" {
 			githubTag := &latest.GithubTag{
 				Owner:      "juanfont",
 				Repository: "headscale",
 			}
-			res, err := latest.Check(githubTag, Version)
+			res, err := latest.Check(githubTag, types.Version)
 			if err == nil && res.Outdated {
 				//nolint
 				log.Warn().Msgf(
 					"An updated version of Headscale has been found (%s vs. your current %s). Check it out https://github.com/juanfont/headscale/releases\n",
 					res.Current,
-					Version,
+					types.Version,
 				)
 			}
 		}
--- a/cmd/headscale/cli/routes.go
+++ b/cmd/headscale/cli/routes.go
@@ -1,298 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"log"
-	"net/netip"
-	"strconv"
-
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol/types"
-	"github.com/pterm/pterm"
-	"github.com/spf13/cobra"
-	"google.golang.org/grpc/status"
-)
-
-const (
-	Base10 = 10
-)
-
-func init() {
-	rootCmd.AddCommand(routesCmd)
-	listRoutesCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
-	routesCmd.AddCommand(listRoutesCmd)
-
-	enableRouteCmd.Flags().Uint64P("route", "r", 0, "Route identifier (ID)")
-	err := enableRouteCmd.MarkFlagRequired("route")
-	if err != nil {
-		log.Fatalf(err.Error())
-	}
-	routesCmd.AddCommand(enableRouteCmd)
-
-	disableRouteCmd.Flags().Uint64P("route", "r", 0, "Route identifier (ID)")
-	err = disableRouteCmd.MarkFlagRequired("route")
-	if err != nil {
-		log.Fatalf(err.Error())
-	}
-	routesCmd.AddCommand(disableRouteCmd)
-
-	deleteRouteCmd.Flags().Uint64P("route", "r", 0, "Route identifier (ID)")
-	err = deleteRouteCmd.MarkFlagRequired("route")
-	if err != nil {
-		log.Fatalf(err.Error())
-	}
-	routesCmd.AddCommand(deleteRouteCmd)
-}
-
-var routesCmd = &cobra.Command{
-	Use:     "routes",
-	Short:   "Manage the routes of Headscale",
-	Aliases: []string{"r", "route"},
-}
-
-var listRoutesCmd = &cobra.Command{
-	Use:     "list",
-	Short:   "List all routes",
-	Aliases: []string{"ls", "show"},
-	Run: func(cmd *cobra.Command, args []string) {
-		output, _ := cmd.Flags().GetString("output")
-
-		machineID, err := cmd.Flags().GetUint64("identifier")
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Error getting machine id from flag: %s", err),
-				output,
-			)
-
-			return
-		}
-
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
-		defer cancel()
-		defer conn.Close()
-
-		var routes []*v1.Route
-
-		if machineID == 0 {
-			response, err := client.GetRoutes(ctx, &v1.GetRoutesRequest{})
-			if err != nil {
-				ErrorOutput(
-					err,
-					fmt.Sprintf("Cannot get nodes: %s", status.Convert(err).Message()),
-					output,
-				)
-
-				return
-			}
-
-			if output != "" {
-				SuccessOutput(response.GetRoutes(), "", output)
-
-				return
-			}
-
-			routes = response.GetRoutes()
-		} else {
-			response, err := client.GetNodeRoutes(ctx, &v1.GetNodeRoutesRequest{
-				NodeId: machineID,
-			})
-			if err != nil {
-				ErrorOutput(
-					err,
-					fmt.Sprintf("Cannot get routes for node %d: %s", machineID, status.Convert(err).Message()),
-					output,
-				)
-
-				return
-			}
-
-			if output != "" {
-				SuccessOutput(response.GetRoutes(), "", output)
-
-				return
-			}
-
-			routes = response.GetRoutes()
-		}
-
-		tableData := routesToPtables(routes)
-		if err != nil {
-			ErrorOutput(err, fmt.Sprintf("Error converting to table: %s", err), output)
-
-			return
-		}
-
-		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Failed to render pterm table: %s", err),
-				output,
-			)
-
-			return
-		}
-	},
-}
-
-var enableRouteCmd = &cobra.Command{
-	Use:   "enable",
-	Short: "Set a route as enabled",
-	Long:  `This command will make as enabled a given route.`,
-	Run: func(cmd *cobra.Command, args []string) {
-		output, _ := cmd.Flags().GetString("output")
-
-		routeID, err := cmd.Flags().GetUint64("route")
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Error getting machine id from flag: %s", err),
-				output,
-			)
-
-			return
-		}
-
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
-		defer cancel()
-		defer conn.Close()
-
-		response, err := client.EnableRoute(ctx, &v1.EnableRouteRequest{
-			RouteId: routeID,
-		})
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Cannot enable route %d: %s", routeID, status.Convert(err).Message()),
-				output,
-			)
-
-			return
-		}
-
-		if output != "" {
-			SuccessOutput(response, "", output)
-
-			return
-		}
-	},
-}
-
-var disableRouteCmd = &cobra.Command{
-	Use:   "disable",
-	Short: "Set as disabled a given route",
-	Long:  `This command will make as disabled a given route.`,
-	Run: func(cmd *cobra.Command, args []string) {
-		output, _ := cmd.Flags().GetString("output")
-
-		routeID, err := cmd.Flags().GetUint64("route")
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Error getting machine id from flag: %s", err),
-				output,
-			)
-
-			return
-		}
-
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
-		defer cancel()
-		defer conn.Close()
-
-		response, err := client.DisableRoute(ctx, &v1.DisableRouteRequest{
-			RouteId: routeID,
-		})
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Cannot disable route %d: %s", routeID, status.Convert(err).Message()),
-				output,
-			)
-
-			return
-		}
-
-		if output != "" {
-			SuccessOutput(response, "", output)
-
-			return
-		}
-	},
-}
-
-var deleteRouteCmd = &cobra.Command{
-	Use:   "delete",
-	Short: "Delete a given route",
-	Long:  `This command will delete a given route.`,
-	Run: func(cmd *cobra.Command, args []string) {
-		output, _ := cmd.Flags().GetString("output")
-
-		routeID, err := cmd.Flags().GetUint64("route")
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Error getting machine id from flag: %s", err),
-				output,
-			)
-
-			return
-		}
-
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
-		defer cancel()
-		defer conn.Close()
-
-		response, err := client.DeleteRoute(ctx, &v1.DeleteRouteRequest{
-			RouteId: routeID,
-		})
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Cannot delete route %d: %s", routeID, status.Convert(err).Message()),
-				output,
-			)
-
-			return
-		}
-
-		if output != "" {
-			SuccessOutput(response, "", output)
-
-			return
-		}
-	},
-}
-
-// routesToPtables converts the list of routes to a nice table.
-func routesToPtables(routes []*v1.Route) pterm.TableData {
-	tableData := pterm.TableData{{"ID", "Node", "Prefix", "Advertised", "Enabled", "Primary"}}
-
-	for _, route := range routes {
-		var isPrimaryStr string
-		prefix, err := netip.ParsePrefix(route.GetPrefix())
-		if err != nil {
-			log.Printf("Error parsing prefix %s: %s", route.GetPrefix(), err)
-
-			continue
-		}
-		if prefix == types.ExitRouteV4 || prefix == types.ExitRouteV6 {
-			isPrimaryStr = "-"
-		} else {
-			isPrimaryStr = strconv.FormatBool(route.GetIsPrimary())
-		}
-
-		tableData = append(tableData,
-			[]string{
-				strconv.FormatUint(route.GetId(), Base10),
-				route.GetNode().GetGivenName(),
-				route.GetPrefix(),
-				strconv.FormatBool(route.GetAdvertised()),
-				strconv.FormatBool(route.GetEnabled()),
-				isPrimaryStr,
-			})
-	}
-
-	return tableData
-}
--- a/cmd/headscale/cli/server.go
+++ b/cmd/headscale/cli/server.go
@@ -1,8 +1,13 @@
 package cli

 import (
+	"errors"
+	"fmt"
+	"net/http"
+
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
+	"github.com/tailscale/squibble"
 )

 func init() {
@@ -16,14 +21,20 @@ var serveCmd = &cobra.Command{
 		return nil
 	},
 	Run: func(cmd *cobra.Command, args []string) {
-		app, err := getHeadscaleApp()
+		app, err := newHeadscaleServerWithConfig()
 		if err != nil {
+			var squibbleErr squibble.ValidationError
+			if errors.As(err, &squibbleErr) {
+				fmt.Printf("SQLite schema failed to validate:\n")
+				fmt.Println(squibbleErr.Diff)
+			}
+
 			log.Fatal().Caller().Err(err).Msg("Error initializing")
 		}

 		err = app.Serve()
-		if err != nil {
-			log.Fatal().Caller().Err(err).Msg("Error starting server")
+		if err != nil && !errors.Is(err, http.ErrServerClosed) {
+			log.Fatal().Caller().Err(err).Msg("Headscale ran into an error and had to shut down.")
 		}
 	},
 }
--- a/cmd/headscale/cli/users.go
+++ b/cmd/headscale/cli/users.go
@@ -3,6 +3,8 @@ package cli
 import (
 	"errors"
 	"fmt"
+	"net/url"
+	"strconv"

 	survey "github.com/AlecAivazis/survey/v2"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
@@ -12,12 +14,43 @@ import (
 	"google.golang.org/grpc/status"
 )

+func usernameAndIDFlag(cmd *cobra.Command) {
+	cmd.Flags().Int64P("identifier", "i", -1, "User identifier (ID)")
+	cmd.Flags().StringP("name", "n", "", "Username")
+}
+
+// usernameAndIDFromFlag returns the username and ID from the flags of the command.
+// If both are empty, it will exit the program with an error.
+func usernameAndIDFromFlag(cmd *cobra.Command) (uint64, string) {
+	username, _ := cmd.Flags().GetString("name")
+	identifier, _ := cmd.Flags().GetInt64("identifier")
+	if username == "" && identifier < 0 {
+		err := errors.New("--name or --identifier flag is required")
+		ErrorOutput(
+			err,
+			"Cannot rename user: "+status.Convert(err).Message(),
+			"",
+		)
+	}
+
+	return uint64(identifier), username
+}
+
 func init() {
 	rootCmd.AddCommand(userCmd)
 	userCmd.AddCommand(createUserCmd)
+	createUserCmd.Flags().StringP("display-name", "d", "", "Display name")
+	createUserCmd.Flags().StringP("email", "e", "", "Email")
+	createUserCmd.Flags().StringP("picture-url", "p", "", "Profile picture URL")
 	userCmd.AddCommand(listUsersCmd)
+	usernameAndIDFlag(listUsersCmd)
+	listUsersCmd.Flags().StringP("email", "e", "", "Email")
 	userCmd.AddCommand(destroyUserCmd)
+	usernameAndIDFlag(destroyUserCmd)
 	userCmd.AddCommand(renameUserCmd)
+	usernameAndIDFlag(renameUserCmd)
+	renameUserCmd.Flags().StringP("new-name", "r", "", "New username")
+	renameNodeCmd.MarkFlagRequired("new-name")
 }

 var errMissingParameter = errors.New("missing parameters")
@@ -44,7 +77,7 @@ var createUserCmd = &cobra.Command{

 		userName := args[0]

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -52,19 +85,36 @@ var createUserCmd = &cobra.Command{

 		request := &v1.CreateUserRequest{Name: userName}

+		if displayName, _ := cmd.Flags().GetString("display-name"); displayName != "" {
+			request.DisplayName = displayName
+		}
+
+		if email, _ := cmd.Flags().GetString("email"); email != "" {
+			request.Email = email
+		}
+
+		if pictureURL, _ := cmd.Flags().GetString("picture-url"); pictureURL != "" {
+			if _, err := url.Parse(pictureURL); err != nil {
+				ErrorOutput(
+					err,
+					fmt.Sprintf(
+						"Invalid Picture URL: %s",
+						err,
+					),
+					output,
+				)
+			}
+			request.PictureUrl = pictureURL
+		}
+
 		log.Trace().Interface("request", request).Msg("Sending CreateUser request")
 		response, err := client.CreateUser(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf(
-					"Cannot create user: %s",
-					status.Convert(err).Message(),
-				),
+				"Cannot create user: "+status.Convert(err).Message(),
 				output,
 			)
-
-			return
 		}

 		SuccessOutput(response.GetUser(), "User created", output)
@@ -72,47 +122,49 @@ var createUserCmd = &cobra.Command{
 }

 var destroyUserCmd = &cobra.Command{
-	Use:     "destroy NAME",
+	Use:     "destroy --identifier ID or --name NAME",
 	Short:   "Destroys a user",
 	Aliases: []string{"delete"},
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 {
-			return errMissingParameter
-		}
-
-		return nil
-	},
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

-		userName := args[0]
-
-		request := &v1.GetUserRequest{
-			Name: userName,
+		id, username := usernameAndIDFromFlag(cmd)
+		request := &v1.ListUsersRequest{
+			Name: username,
+			Id:   id,
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

-		_, err := client.GetUser(ctx, request)
+		users, err := client.ListUsers(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf("Error: %s", status.Convert(err).Message()),
+				"Error: "+status.Convert(err).Message(),
 				output,
 			)
-
-			return
 		}

+		if len(users.GetUsers()) != 1 {
+			err := errors.New("Unable to determine user to delete, query returned multiple users, use ID")
+			ErrorOutput(
+				err,
+				"Error: "+status.Convert(err).Message(),
+				output,
+			)
+		}
+
+		user := users.GetUsers()[0]
+
 		confirm := false
 		force, _ := cmd.Flags().GetBool("force")
 		if !force {
 			prompt := &survey.Confirm{
 				Message: fmt.Sprintf(
-					"Do you want to remove the user '%s' and any associated preauthkeys?",
-					userName,
+					"Do you want to remove the user %q (%d) and any associated preauthkeys?",
+					user.GetName(), user.GetId(),
 				),
 			}
 			err := survey.AskOne(prompt, &confirm)
@@ -122,20 +174,15 @@ var destroyUserCmd = &cobra.Command{
 		}

 		if confirm || force {
-			request := &v1.DeleteUserRequest{Name: userName}
+			request := &v1.DeleteUserRequest{Id: user.GetId()}

 			response, err := client.DeleteUser(ctx, request)
 			if err != nil {
 				ErrorOutput(
 					err,
-					fmt.Sprintf(
-						"Cannot destroy user: %s",
-						status.Convert(err).Message(),
-					),
+					"Cannot destroy user: "+status.Convert(err).Message(),
 					output,
 				)
-
-				return
 			}
 			SuccessOutput(response, "User destroyed", output)
 		} else {
@@ -151,36 +198,48 @@ var listUsersCmd = &cobra.Command{
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

 		request := &v1.ListUsersRequest{}

+		id, _ := cmd.Flags().GetInt64("identifier")
+		username, _ := cmd.Flags().GetString("name")
+		email, _ := cmd.Flags().GetString("email")
+
+		// filter by one param at most
+		switch {
+		case id > 0:
+			request.Id = uint64(id)
+		case username != "":
+			request.Name = username
+		case email != "":
+			request.Email = email
+		}
+
 		response, err := client.ListUsers(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf("Cannot get users: %s", status.Convert(err).Message()),
+				"Cannot get users: "+status.Convert(err).Message(),
 				output,
 			)
-
-			return
 		}

 		if output != "" {
 			SuccessOutput(response.GetUsers(), "", output)
-
-			return
 		}

-		tableData := pterm.TableData{{"ID", "Name", "Created"}}
+		tableData := pterm.TableData{{"ID", "Name", "Username", "Email", "Created"}}
 		for _, user := range response.GetUsers() {
 			tableData = append(
 				tableData,
 				[]string{
-					user.GetId(),
+					strconv.FormatUint(user.GetId(), 10),
+					user.GetDisplayName(),
 					user.GetName(),
+					user.GetEmail(),
 					user.GetCreatedAt().AsTime().Format("2006-01-02 15:04:05"),
 				},
 			)
@@ -192,48 +251,59 @@ var listUsersCmd = &cobra.Command{
 				fmt.Sprintf("Failed to render pterm table: %s", err),
 				output,
 			)
-
-			return
 		}
 	},
 }

 var renameUserCmd = &cobra.Command{
-	Use:     "rename OLD_NAME NEW_NAME",
+	Use:     "rename",
 	Short:   "Renames a user",
 	Aliases: []string{"mv"},
-	Args: func(cmd *cobra.Command, args []string) error {
-		expectedArguments := 2
-		if len(args) < expectedArguments {
-			return errMissingParameter
-		}
-
-		return nil
-	},
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

-		request := &v1.RenameUserRequest{
-			OldName: args[0],
-			NewName: args[1],
+		id, username := usernameAndIDFromFlag(cmd)
+		listReq := &v1.ListUsersRequest{
+			Name: username,
+			Id:   id,
 		}

-		response, err := client.RenameUser(ctx, request)
+		users, err := client.ListUsers(ctx, listReq)
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf(
-					"Cannot rename user: %s",
-					status.Convert(err).Message(),
-				),
+				"Error: "+status.Convert(err).Message(),
 				output,
 			)
+		}

-			return
+		if len(users.GetUsers()) != 1 {
+			err := errors.New("Unable to determine user to delete, query returned multiple users, use ID")
+			ErrorOutput(
+				err,
+				"Error: "+status.Convert(err).Message(),
+				output,
+			)
+		}
+
+		newName, _ := cmd.Flags().GetString("new-name")
+
+		renameReq := &v1.RenameUserRequest{
+			OldId:   id,
+			NewName: newName,
+		}
+
+		response, err := client.RenameUser(ctx, renameReq)
+		if err != nil {
+			ErrorOutput(
+				err,
+				"Cannot rename user: "+status.Convert(err).Message(),
+				output,
+			)
 		}

 		SuccessOutput(response.GetUser(), "User renamed", output)
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@@ -23,25 +23,25 @@ const (
 	SocketWritePermissions  = 0o666
 )

-func getHeadscaleApp() (*hscontrol.Headscale, error) {
-	cfg, err := types.GetHeadscaleConfig()
+func newHeadscaleServerWithConfig() (*hscontrol.Headscale, error) {
+	cfg, err := types.LoadServerConfig()
 	if err != nil {
 		return nil, fmt.Errorf(
-			"failed to load configuration while creating headscale instance: %w",
+			"loading configuration: %w",
 			err,
 		)
 	}

 	app, err := hscontrol.NewHeadscale(cfg)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("creating new headscale: %w", err)
 	}

 	return app, nil
 }

-func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.ClientConn, context.CancelFunc) {
-	cfg, err := types.GetHeadscaleConfig()
+func newHeadscaleCLIWithConfig() (context.Context, v1.HeadscaleServiceClient, *grpc.ClientConn, context.CancelFunc) {
+	cfg, err := types.LoadCLIConfig()
 	if err != nil {
 		log.Fatal().
 			Err(err).
@@ -130,7 +130,7 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 	return ctx, client, conn, cancel
 }

-func SuccessOutput(result interface{}, override string, outputFormat string) {
+func output(result interface{}, override string, outputFormat string) string {
 	var jsonBytes []byte
 	var err error
 	switch outputFormat {
@@ -151,21 +151,26 @@ func SuccessOutput(result interface{}, override string, outputFormat string) {
 		}
 	default:
 		// nolint
-		fmt.Println(override)
-
-		return
+		return override
 	}

-	// nolint
-	fmt.Println(string(jsonBytes))
+	return string(jsonBytes)
 }

+// SuccessOutput prints the result to stdout and exits with status code 0.
+func SuccessOutput(result interface{}, override string, outputFormat string) {
+	fmt.Println(output(result, override, outputFormat))
+	os.Exit(0)
+}
+
+// ErrorOutput prints an error message to stderr and exits with status code 1.
 func ErrorOutput(errResult error, override string, outputFormat string) {
 	type errOutput struct {
 		Error string `json:"error"`
 	}

-	SuccessOutput(errOutput{errResult.Error()}, override, outputFormat)
+	fmt.Fprintf(os.Stderr, "%s\n", output(errOutput{errResult.Error()}, override, outputFormat))
+	os.Exit(1)
 }

 func HasMachineOutputFlag() bool {
--- a/cmd/headscale/cli/version.go
+++ b/cmd/headscale/cli/version.go
@@ -1,11 +1,10 @@
 package cli

 import (
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/spf13/cobra"
 )

-var Version = "dev"
-
 func init() {
 	rootCmd.AddCommand(versionCmd)
 }
@@ -16,6 +15,9 @@ var versionCmd = &cobra.Command{
 	Long:  "The version of headscale.",
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")
-		SuccessOutput(map[string]string{"version": Version}, Version, output)
+		SuccessOutput(map[string]string{
+			"version": types.Version,
+			"commit":  types.GitCommitHash,
+		}, types.Version, output)
 	},
 }
--- a/cmd/headscale/headscale_test.go
+++ b/cmd/headscale/headscale_test.go
@@ -4,7 +4,6 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
-	"strings"
 	"testing"

 	"github.com/juanfont/headscale/hscontrol/types"
@@ -63,7 +62,6 @@ func (*Suite) TestConfigFileLoading(c *check.C) {
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
-	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
 	c.Assert(
 		util.GetFileMode("unix_socket_permission"),
 		check.Equals,
@@ -106,7 +104,6 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
-	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
 	c.Assert(
 		util.GetFileMode("unix_socket_permission"),
 		check.Equals,
@@ -115,93 +112,3 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	c.Assert(viper.GetBool("logtail.enabled"), check.Equals, false)
 	c.Assert(viper.GetBool("randomize_client_port"), check.Equals, false)
 }
-
-func (*Suite) TestDNSConfigLoading(c *check.C) {
-	tmpDir, err := os.MkdirTemp("", "headscale")
-	if err != nil {
-		c.Fatal(err)
-	}
-	defer os.RemoveAll(tmpDir)
-
-	path, err := os.Getwd()
-	if err != nil {
-		c.Fatal(err)
-	}
-
-	// Symlink the example config file
-	err = os.Symlink(
-		filepath.Clean(path+"/../../config-example.yaml"),
-		filepath.Join(tmpDir, "config.yaml"),
-	)
-	if err != nil {
-		c.Fatal(err)
-	}
-
-	// Load example config, it should load without validation errors
-	err = types.LoadConfig(tmpDir, false)
-	c.Assert(err, check.IsNil)
-
-	dnsConfig, baseDomain := types.GetDNSConfig()
-
-	c.Assert(dnsConfig.Nameservers[0].String(), check.Equals, "1.1.1.1")
-	c.Assert(dnsConfig.Resolvers[0].Addr, check.Equals, "1.1.1.1")
-	c.Assert(dnsConfig.Proxied, check.Equals, true)
-	c.Assert(baseDomain, check.Equals, "example.com")
-}
-
-func writeConfig(c *check.C, tmpDir string, configYaml []byte) {
-	// Populate a custom config file
-	configFile := filepath.Join(tmpDir, "config.yaml")
-	err := os.WriteFile(configFile, configYaml, 0o600)
-	if err != nil {
-		c.Fatalf("Couldn't write file %s", configFile)
-	}
-}
-
-func (*Suite) TestTLSConfigValidation(c *check.C) {
-	tmpDir, err := os.MkdirTemp("", "headscale")
-	if err != nil {
-		c.Fatal(err)
-	}
-	// defer os.RemoveAll(tmpDir)
-	configYaml := []byte(`---
-tls_letsencrypt_hostname: example.com
-tls_letsencrypt_challenge_type: ""
-tls_cert_path: abc.pem
-noise:
-  private_key_path: noise_private.key`)
-	writeConfig(c, tmpDir, configYaml)
-
-	// Check configuration validation errors (1)
-	err = types.LoadConfig(tmpDir, false)
-	c.Assert(err, check.NotNil)
-	// check.Matches can not handle multiline strings
-	tmp := strings.ReplaceAll(err.Error(), "\n", "***")
-	c.Assert(
-		tmp,
-		check.Matches,
-		".*Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both.*",
-	)
-	c.Assert(
-		tmp,
-		check.Matches,
-		".*Fatal config error: the only supported values for tls_letsencrypt_challenge_type are.*",
-	)
-	c.Assert(
-		tmp,
-		check.Matches,
-		".*Fatal config error: server_url must start with https:// or http://.*",
-	)
-
-	// Check configuration validation errors (2)
-	configYaml = []byte(`---
-noise:
-  private_key_path: noise_private.key
-server_url: http://127.0.0.1:8080
-tls_letsencrypt_hostname: example.com
-tls_letsencrypt_challenge_type: TLS-ALPN-01
-`)
-	writeConfig(c, tmpDir, configYaml)
-	err = types.LoadConfig(tmpDir, false)
-	c.Assert(err, check.IsNil)
-}
--- a/cmd/hi/cleanup.go
+++ b/cmd/hi/cleanup.go
@@ -0,0 +1,207 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/errdefs"
+)
+
+// cleanupBeforeTest performs cleanup operations before running tests.
+func cleanupBeforeTest(ctx context.Context) error {
+	if err := killTestContainers(ctx); err != nil {
+		return fmt.Errorf("failed to kill test containers: %w", err)
+	}
+
+	if err := pruneDockerNetworks(ctx); err != nil {
+		return fmt.Errorf("failed to prune networks: %w", err)
+	}
+
+	return nil
+}
+
+// cleanupAfterTest removes the test container after completion.
+func cleanupAfterTest(ctx context.Context, cli *client.Client, containerID string) error {
+	return cli.ContainerRemove(ctx, containerID, container.RemoveOptions{
+		Force: true,
+	})
+}
+
+// killTestContainers terminates and removes all test containers.
+func killTestContainers(ctx context.Context) error {
+	cli, err := createDockerClient()
+	if err != nil {
+		return fmt.Errorf("failed to create Docker client: %w", err)
+	}
+	defer cli.Close()
+
+	containers, err := cli.ContainerList(ctx, container.ListOptions{
+		All: true,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to list containers: %w", err)
+	}
+
+	removed := 0
+	for _, cont := range containers {
+		shouldRemove := false
+		for _, name := range cont.Names {
+			if strings.Contains(name, "headscale-test-suite") ||
+				strings.Contains(name, "hs-") ||
+				strings.Contains(name, "ts-") ||
+				strings.Contains(name, "derp-") {
+				shouldRemove = true
+				break
+			}
+		}
+
+		if shouldRemove {
+			// First kill the container if it's running
+			if cont.State == "running" {
+				_ = cli.ContainerKill(ctx, cont.ID, "KILL")
+			}
+
+			// Then remove the container with retry logic
+			if removeContainerWithRetry(ctx, cli, cont.ID) {
+				removed++
+			}
+		}
+	}
+
+	if removed > 0 {
+		fmt.Printf("Removed %d test containers\n", removed)
+	} else {
+		fmt.Println("No test containers found to remove")
+	}
+
+	return nil
+}
+
+// removeContainerWithRetry attempts to remove a container with exponential backoff retry logic.
+func removeContainerWithRetry(ctx context.Context, cli *client.Client, containerID string) bool {
+	maxRetries := 3
+	baseDelay := 100 * time.Millisecond
+
+	for attempt := range maxRetries {
+		err := cli.ContainerRemove(ctx, containerID, container.RemoveOptions{
+			Force: true,
+		})
+		if err == nil {
+			return true
+		}
+
+		// If this is the last attempt, don't wait
+		if attempt == maxRetries-1 {
+			break
+		}
+
+		// Wait with exponential backoff
+		delay := baseDelay * time.Duration(1<<attempt)
+		time.Sleep(delay)
+	}
+
+	return false
+}
+
+// pruneDockerNetworks removes unused Docker networks.
+func pruneDockerNetworks(ctx context.Context) error {
+	cli, err := createDockerClient()
+	if err != nil {
+		return fmt.Errorf("failed to create Docker client: %w", err)
+	}
+	defer cli.Close()
+
+	report, err := cli.NetworksPrune(ctx, filters.Args{})
+	if err != nil {
+		return fmt.Errorf("failed to prune networks: %w", err)
+	}
+
+	if len(report.NetworksDeleted) > 0 {
+		fmt.Printf("Removed %d unused networks\n", len(report.NetworksDeleted))
+	} else {
+		fmt.Println("No unused networks found to remove")
+	}
+
+	return nil
+}
+
+// cleanOldImages removes test-related and old dangling Docker images.
+func cleanOldImages(ctx context.Context) error {
+	cli, err := createDockerClient()
+	if err != nil {
+		return fmt.Errorf("failed to create Docker client: %w", err)
+	}
+	defer cli.Close()
+
+	images, err := cli.ImageList(ctx, image.ListOptions{
+		All: true,
+	})
+	if err != nil {
+		return fmt.Errorf("failed to list images: %w", err)
+	}
+
+	removed := 0
+	for _, img := range images {
+		shouldRemove := false
+		for _, tag := range img.RepoTags {
+			if strings.Contains(tag, "hs-") ||
+				strings.Contains(tag, "headscale-integration") ||
+				strings.Contains(tag, "tailscale") {
+				shouldRemove = true
+				break
+			}
+		}
+
+		if len(img.RepoTags) == 0 && time.Unix(img.Created, 0).Before(time.Now().Add(-7*24*time.Hour)) {
+			shouldRemove = true
+		}
+
+		if shouldRemove {
+			_, err := cli.ImageRemove(ctx, img.ID, image.RemoveOptions{
+				Force: true,
+			})
+			if err == nil {
+				removed++
+			}
+		}
+	}
+
+	if removed > 0 {
+		fmt.Printf("Removed %d test images\n", removed)
+	} else {
+		fmt.Println("No test images found to remove")
+	}
+
+	return nil
+}
+
+// cleanCacheVolume removes the Docker volume used for Go module cache.
+func cleanCacheVolume(ctx context.Context) error {
+	cli, err := createDockerClient()
+	if err != nil {
+		return fmt.Errorf("failed to create Docker client: %w", err)
+	}
+	defer cli.Close()
+
+	volumeName := "hs-integration-go-cache"
+	err = cli.VolumeRemove(ctx, volumeName, true)
+	if err != nil {
+		if errdefs.IsNotFound(err) {
+			fmt.Printf("Go module cache volume not found: %s\n", volumeName)
+		} else if errdefs.IsConflict(err) {
+			fmt.Printf("Go module cache volume is in use and cannot be removed: %s\n", volumeName)
+		} else {
+			fmt.Printf("Failed to remove Go module cache volume %s: %v\n", volumeName, err)
+		}
+	} else {
+		fmt.Printf("Removed Go module cache volume: %s\n", volumeName)
+	}
+
+	return nil
+}
--- a/cmd/hi/docker.go
+++ b/cmd/hi/docker.go
@@ -0,0 +1,762 @@
+package main
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/api/types/mount"
+	"github.com/docker/docker/client"
+	"github.com/docker/docker/pkg/stdcopy"
+	"github.com/juanfont/headscale/integration/dockertestutil"
+)
+
+var (
+	ErrTestFailed              = errors.New("test failed")
+	ErrUnexpectedContainerWait = errors.New("unexpected end of container wait")
+	ErrNoDockerContext         = errors.New("no docker context found")
+)
+
+// runTestContainer executes integration tests in a Docker container.
+func runTestContainer(ctx context.Context, config *RunConfig) error {
+	cli, err := createDockerClient()
+	if err != nil {
+		return fmt.Errorf("failed to create Docker client: %w", err)
+	}
+	defer cli.Close()
+
+	runID := dockertestutil.GenerateRunID()
+	containerName := "headscale-test-suite-" + runID
+	logsDir := filepath.Join(config.LogsDir, runID)
+
+	if config.Verbose {
+		log.Printf("Run ID: %s", runID)
+		log.Printf("Container name: %s", containerName)
+		log.Printf("Logs directory: %s", logsDir)
+	}
+
+	absLogsDir, err := filepath.Abs(logsDir)
+	if err != nil {
+		return fmt.Errorf("failed to get absolute path for logs directory: %w", err)
+	}
+
+	const dirPerm = 0o755
+	if err := os.MkdirAll(absLogsDir, dirPerm); err != nil {
+		return fmt.Errorf("failed to create logs directory: %w", err)
+	}
+
+	if config.CleanBefore {
+		if config.Verbose {
+			log.Printf("Running pre-test cleanup...")
+		}
+		if err := cleanupBeforeTest(ctx); err != nil && config.Verbose {
+			log.Printf("Warning: pre-test cleanup failed: %v", err)
+		}
+	}
+
+	goTestCmd := buildGoTestCommand(config)
+	if config.Verbose {
+		log.Printf("Command: %s", strings.Join(goTestCmd, " "))
+	}
+
+	imageName := "golang:" + config.GoVersion
+	if err := ensureImageAvailable(ctx, cli, imageName, config.Verbose); err != nil {
+		return fmt.Errorf("failed to ensure image availability: %w", err)
+	}
+
+	resp, err := createGoTestContainer(ctx, cli, config, containerName, absLogsDir, goTestCmd)
+	if err != nil {
+		return fmt.Errorf("failed to create container: %w", err)
+	}
+
+	if config.Verbose {
+		log.Printf("Created container: %s", resp.ID)
+	}
+
+	if err := cli.ContainerStart(ctx, resp.ID, container.StartOptions{}); err != nil {
+		return fmt.Errorf("failed to start container: %w", err)
+	}
+
+	log.Printf("Starting test: %s", config.TestPattern)
+
+	// Start stats collection for container resource monitoring (if enabled)
+	var statsCollector *StatsCollector
+	if config.Stats {
+		var err error
+		statsCollector, err = NewStatsCollector()
+		if err != nil {
+			if config.Verbose {
+				log.Printf("Warning: failed to create stats collector: %v", err)
+			}
+			statsCollector = nil
+		}
+
+		if statsCollector != nil {
+			defer statsCollector.Close()
+			
+			// Start stats collection immediately - no need for complex retry logic
+			// The new implementation monitors Docker events and will catch containers as they start
+			if err := statsCollector.StartCollection(ctx, runID, config.Verbose); err != nil {
+				if config.Verbose {
+					log.Printf("Warning: failed to start stats collection: %v", err)
+				}
+			}
+			defer statsCollector.StopCollection()
+		}
+	}
+
+	exitCode, err := streamAndWait(ctx, cli, resp.ID)
+
+	// Ensure all containers have finished and logs are flushed before extracting artifacts
+	if waitErr := waitForContainerFinalization(ctx, cli, resp.ID, config.Verbose); waitErr != nil && config.Verbose {
+		log.Printf("Warning: failed to wait for container finalization: %v", waitErr)
+	}
+
+	// Extract artifacts from test containers before cleanup
+	if err := extractArtifactsFromContainers(ctx, resp.ID, logsDir, config.Verbose); err != nil && config.Verbose {
+		log.Printf("Warning: failed to extract artifacts from containers: %v", err)
+	}
+
+	// Always list control files regardless of test outcome
+	listControlFiles(logsDir)
+
+	// Print stats summary and check memory limits if enabled
+	if config.Stats && statsCollector != nil {
+		violations := statsCollector.PrintSummaryAndCheckLimits(config.HSMemoryLimit, config.TSMemoryLimit)
+		if len(violations) > 0 {
+			log.Printf("MEMORY LIMIT VIOLATIONS DETECTED:")
+			log.Printf("=================================")
+			for _, violation := range violations {
+				log.Printf("Container %s exceeded memory limit: %.1f MB > %.1f MB", 
+					violation.ContainerName, violation.MaxMemoryMB, violation.LimitMB)
+			}
+			return fmt.Errorf("test failed: %d container(s) exceeded memory limits", len(violations))
+		}
+	}
+
+	shouldCleanup := config.CleanAfter && (!config.KeepOnFailure || exitCode == 0)
+	if shouldCleanup {
+		if config.Verbose {
+			log.Printf("Running post-test cleanup...")
+		}
+		if cleanErr := cleanupAfterTest(ctx, cli, resp.ID); cleanErr != nil && config.Verbose {
+			log.Printf("Warning: post-test cleanup failed: %v", cleanErr)
+		}
+	}
+
+	if err != nil {
+		return fmt.Errorf("test execution failed: %w", err)
+	}
+
+	if exitCode != 0 {
+		return fmt.Errorf("%w: exit code %d", ErrTestFailed, exitCode)
+	}
+
+	log.Printf("Test completed successfully!")
+
+	return nil
+}
+
+// buildGoTestCommand constructs the go test command arguments.
+func buildGoTestCommand(config *RunConfig) []string {
+	cmd := []string{"go", "test", "./..."}
+
+	if config.TestPattern != "" {
+		cmd = append(cmd, "-run", config.TestPattern)
+	}
+
+	if config.FailFast {
+		cmd = append(cmd, "-failfast")
+	}
+
+	cmd = append(cmd, "-timeout", config.Timeout.String())
+	cmd = append(cmd, "-v")
+
+	return cmd
+}
+
+// createGoTestContainer creates a Docker container configured for running integration tests.
+func createGoTestContainer(ctx context.Context, cli *client.Client, config *RunConfig, containerName, logsDir string, goTestCmd []string) (container.CreateResponse, error) {
+	pwd, err := os.Getwd()
+	if err != nil {
+		return container.CreateResponse{}, fmt.Errorf("failed to get working directory: %w", err)
+	}
+
+	projectRoot := findProjectRoot(pwd)
+
+	runID := dockertestutil.ExtractRunIDFromContainerName(containerName)
+
+	env := []string{
+		fmt.Sprintf("HEADSCALE_INTEGRATION_POSTGRES=%d", boolToInt(config.UsePostgres)),
+		"HEADSCALE_INTEGRATION_RUN_ID=" + runID,
+	}
+	containerConfig := &container.Config{
+		Image:      "golang:" + config.GoVersion,
+		Cmd:        goTestCmd,
+		Env:        env,
+		WorkingDir: projectRoot + "/integration",
+		Tty:        true,
+		Labels: map[string]string{
+			"hi.run-id":    runID,
+			"hi.test-type": "test-runner",
+		},
+	}
+
+	// Get the correct Docker socket path from the current context
+	dockerSocketPath := getDockerSocketPath()
+
+	if config.Verbose {
+		log.Printf("Using Docker socket: %s", dockerSocketPath)
+	}
+
+	hostConfig := &container.HostConfig{
+		AutoRemove: false, // We'll remove manually for better control
+		Binds: []string{
+			fmt.Sprintf("%s:%s", projectRoot, projectRoot),
+			dockerSocketPath + ":/var/run/docker.sock",
+			logsDir + ":/tmp/control",
+		},
+		Mounts: []mount.Mount{
+			{
+				Type:   mount.TypeVolume,
+				Source: "hs-integration-go-cache",
+				Target: "/go",
+			},
+		},
+	}
+
+	return cli.ContainerCreate(ctx, containerConfig, hostConfig, nil, nil, containerName)
+}
+
+// streamAndWait streams container output and waits for completion.
+func streamAndWait(ctx context.Context, cli *client.Client, containerID string) (int, error) {
+	out, err := cli.ContainerLogs(ctx, containerID, container.LogsOptions{
+		ShowStdout: true,
+		ShowStderr: true,
+		Follow:     true,
+	})
+	if err != nil {
+		return -1, fmt.Errorf("failed to get container logs: %w", err)
+	}
+	defer out.Close()
+
+	go func() {
+		_, _ = io.Copy(os.Stdout, out)
+	}()
+
+	statusCh, errCh := cli.ContainerWait(ctx, containerID, container.WaitConditionNotRunning)
+	select {
+	case err := <-errCh:
+		if err != nil {
+			return -1, fmt.Errorf("error waiting for container: %w", err)
+		}
+	case status := <-statusCh:
+		return int(status.StatusCode), nil
+	}
+
+	return -1, ErrUnexpectedContainerWait
+}
+
+// waitForContainerFinalization ensures all test containers have properly finished and flushed their output.
+func waitForContainerFinalization(ctx context.Context, cli *client.Client, testContainerID string, verbose bool) error {
+	// First, get all related test containers
+	containers, err := cli.ContainerList(ctx, container.ListOptions{All: true})
+	if err != nil {
+		return fmt.Errorf("failed to list containers: %w", err)
+	}
+
+	testContainers := getCurrentTestContainers(containers, testContainerID, verbose)
+
+	// Wait for all test containers to reach a final state
+	maxWaitTime := 10 * time.Second
+	checkInterval := 500 * time.Millisecond
+	timeout := time.After(maxWaitTime)
+	ticker := time.NewTicker(checkInterval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-timeout:
+			if verbose {
+				log.Printf("Timeout waiting for container finalization, proceeding with artifact extraction")
+			}
+			return nil
+		case <-ticker.C:
+			allFinalized := true
+
+			for _, testCont := range testContainers {
+				inspect, err := cli.ContainerInspect(ctx, testCont.ID)
+				if err != nil {
+					if verbose {
+						log.Printf("Warning: failed to inspect container %s: %v", testCont.name, err)
+					}
+					continue
+				}
+
+				// Check if container is in a final state
+				if !isContainerFinalized(inspect.State) {
+					allFinalized = false
+					if verbose {
+						log.Printf("Container %s still finalizing (state: %s)", testCont.name, inspect.State.Status)
+					}
+
+					break
+				}
+			}
+
+			if allFinalized {
+				if verbose {
+					log.Printf("All test containers finalized, ready for artifact extraction")
+				}
+				return nil
+			}
+		}
+	}
+}
+
+// isContainerFinalized checks if a container has reached a final state where logs are flushed.
+func isContainerFinalized(state *container.State) bool {
+	// Container is finalized if it's not running and has a finish time
+	return !state.Running && state.FinishedAt != ""
+}
+
+// findProjectRoot locates the project root by finding the directory containing go.mod.
+func findProjectRoot(startPath string) string {
+	current := startPath
+	for {
+		if _, err := os.Stat(filepath.Join(current, "go.mod")); err == nil {
+			return current
+		}
+		parent := filepath.Dir(current)
+		if parent == current {
+			return startPath
+		}
+		current = parent
+	}
+}
+
+// boolToInt converts a boolean to an integer for environment variables.
+func boolToInt(b bool) int {
+	if b {
+		return 1
+	}
+	return 0
+}
+
+// DockerContext represents Docker context information.
+type DockerContext struct {
+	Name      string                 `json:"Name"`
+	Metadata  map[string]interface{} `json:"Metadata"`
+	Endpoints map[string]interface{} `json:"Endpoints"`
+	Current   bool                   `json:"Current"`
+}
+
+// createDockerClient creates a Docker client with context detection.
+func createDockerClient() (*client.Client, error) {
+	contextInfo, err := getCurrentDockerContext()
+	if err != nil {
+		return client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
+	}
+
+	var clientOpts []client.Opt
+	clientOpts = append(clientOpts, client.WithAPIVersionNegotiation())
+
+	if contextInfo != nil {
+		if endpoints, ok := contextInfo.Endpoints["docker"]; ok {
+			if endpointMap, ok := endpoints.(map[string]interface{}); ok {
+				if host, ok := endpointMap["Host"].(string); ok {
+					if runConfig.Verbose {
+						log.Printf("Using Docker host from context '%s': %s", contextInfo.Name, host)
+					}
+					clientOpts = append(clientOpts, client.WithHost(host))
+				}
+			}
+		}
+	}
+
+	if len(clientOpts) == 1 {
+		clientOpts = append(clientOpts, client.FromEnv)
+	}
+
+	return client.NewClientWithOpts(clientOpts...)
+}
+
+// getCurrentDockerContext retrieves the current Docker context information.
+func getCurrentDockerContext() (*DockerContext, error) {
+	cmd := exec.Command("docker", "context", "inspect")
+	output, err := cmd.Output()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get docker context: %w", err)
+	}
+
+	var contexts []DockerContext
+	if err := json.Unmarshal(output, &contexts); err != nil {
+		return nil, fmt.Errorf("failed to parse docker context: %w", err)
+	}
+
+	if len(contexts) > 0 {
+		return &contexts[0], nil
+	}
+
+	return nil, ErrNoDockerContext
+}
+
+// getDockerSocketPath returns the correct Docker socket path for the current context.
+func getDockerSocketPath() string {
+	// Always use the default socket path for mounting since Docker handles
+	// the translation to the actual socket (e.g., colima socket) internally
+	return "/var/run/docker.sock"
+}
+
+// checkImageAvailableLocally checks if the specified Docker image is available locally.
+func checkImageAvailableLocally(ctx context.Context, cli *client.Client, imageName string) (bool, error) {
+	_, _, err := cli.ImageInspectWithRaw(ctx, imageName)
+	if err != nil {
+		if client.IsErrNotFound(err) {
+			return false, nil
+		}
+		return false, fmt.Errorf("failed to inspect image %s: %w", imageName, err)
+	}
+
+	return true, nil
+}
+
+// ensureImageAvailable checks if the image is available locally first, then pulls if needed.
+func ensureImageAvailable(ctx context.Context, cli *client.Client, imageName string, verbose bool) error {
+	// First check if image is available locally
+	available, err := checkImageAvailableLocally(ctx, cli, imageName)
+	if err != nil {
+		return fmt.Errorf("failed to check local image availability: %w", err)
+	}
+
+	if available {
+		if verbose {
+			log.Printf("Image %s is available locally", imageName)
+		}
+		return nil
+	}
+
+	// Image not available locally, try to pull it
+	if verbose {
+		log.Printf("Image %s not found locally, pulling...", imageName)
+	}
+
+	reader, err := cli.ImagePull(ctx, imageName, image.PullOptions{})
+	if err != nil {
+		return fmt.Errorf("failed to pull image %s: %w", imageName, err)
+	}
+	defer reader.Close()
+
+	if verbose {
+		_, err = io.Copy(os.Stdout, reader)
+		if err != nil {
+			return fmt.Errorf("failed to read pull output: %w", err)
+		}
+	} else {
+		_, err = io.Copy(io.Discard, reader)
+		if err != nil {
+			return fmt.Errorf("failed to read pull output: %w", err)
+		}
+		log.Printf("Image %s pulled successfully", imageName)
+	}
+
+	return nil
+}
+
+// listControlFiles displays the headscale test artifacts created in the control logs directory.
+func listControlFiles(logsDir string) {
+	entries, err := os.ReadDir(logsDir)
+	if err != nil {
+		log.Printf("Logs directory: %s", logsDir)
+		return
+	}
+
+	var logFiles []string
+	var dataFiles []string
+	var dataDirs []string
+
+	for _, entry := range entries {
+		name := entry.Name()
+		// Only show headscale (hs-*) files and directories
+		if !strings.HasPrefix(name, "hs-") {
+			continue
+		}
+
+		if entry.IsDir() {
+			// Include directories (pprof, mapresponses)
+			if strings.Contains(name, "-pprof") || strings.Contains(name, "-mapresponses") {
+				dataDirs = append(dataDirs, name)
+			}
+		} else {
+			// Include files
+			switch {
+			case strings.HasSuffix(name, ".stderr.log") || strings.HasSuffix(name, ".stdout.log"):
+				logFiles = append(logFiles, name)
+			case strings.HasSuffix(name, ".db"):
+				dataFiles = append(dataFiles, name)
+			}
+		}
+	}
+
+	log.Printf("Test artifacts saved to: %s", logsDir)
+
+	if len(logFiles) > 0 {
+		log.Printf("Headscale logs:")
+		for _, file := range logFiles {
+			log.Printf("  %s", file)
+		}
+	}
+
+	if len(dataFiles) > 0 || len(dataDirs) > 0 {
+		log.Printf("Headscale data:")
+		for _, file := range dataFiles {
+			log.Printf("  %s", file)
+		}
+		for _, dir := range dataDirs {
+			log.Printf("  %s/", dir)
+		}
+	}
+}
+
+// extractArtifactsFromContainers collects container logs and files from the specific test run.
+func extractArtifactsFromContainers(ctx context.Context, testContainerID, logsDir string, verbose bool) error {
+	cli, err := createDockerClient()
+	if err != nil {
+		return fmt.Errorf("failed to create Docker client: %w", err)
+	}
+	defer cli.Close()
+
+	// List all containers
+	containers, err := cli.ContainerList(ctx, container.ListOptions{All: true})
+	if err != nil {
+		return fmt.Errorf("failed to list containers: %w", err)
+	}
+
+	// Get containers from the specific test run
+	currentTestContainers := getCurrentTestContainers(containers, testContainerID, verbose)
+
+	extractedCount := 0
+	for _, cont := range currentTestContainers {
+		// Extract container logs and tar files
+		if err := extractContainerArtifacts(ctx, cli, cont.ID, cont.name, logsDir, verbose); err != nil {
+			if verbose {
+				log.Printf("Warning: failed to extract artifacts from container %s (%s): %v", cont.name, cont.ID[:12], err)
+			}
+		} else {
+			if verbose {
+				log.Printf("Extracted artifacts from container %s (%s)", cont.name, cont.ID[:12])
+			}
+			extractedCount++
+		}
+	}
+
+	if verbose && extractedCount > 0 {
+		log.Printf("Extracted artifacts from %d containers", extractedCount)
+	}
+
+	return nil
+}
+
+// testContainer represents a container from the current test run.
+type testContainer struct {
+	ID   string
+	name string
+}
+
+// getCurrentTestContainers filters containers to only include those from the current test run.
+func getCurrentTestContainers(containers []container.Summary, testContainerID string, verbose bool) []testContainer {
+	var testRunContainers []testContainer
+
+	// Find the test container to get its run ID label
+	var runID string
+	for _, cont := range containers {
+		if cont.ID == testContainerID {
+			if cont.Labels != nil {
+				runID = cont.Labels["hi.run-id"]
+			}
+			break
+		}
+	}
+
+	if runID == "" {
+		log.Printf("Error: test container %s missing required hi.run-id label", testContainerID[:12])
+		return testRunContainers
+	}
+
+	if verbose {
+		log.Printf("Looking for containers with run ID: %s", runID)
+	}
+
+	// Find all containers with the same run ID
+	for _, cont := range containers {
+		for _, name := range cont.Names {
+			containerName := strings.TrimPrefix(name, "/")
+			if strings.HasPrefix(containerName, "hs-") || strings.HasPrefix(containerName, "ts-") {
+				// Check if container has matching run ID label
+				if cont.Labels != nil && cont.Labels["hi.run-id"] == runID {
+					testRunContainers = append(testRunContainers, testContainer{
+						ID:   cont.ID,
+						name: containerName,
+					})
+					if verbose {
+						log.Printf("Including container %s (run ID: %s)", containerName, runID)
+					}
+				}
+
+				break
+			}
+		}
+	}
+
+	return testRunContainers
+}
+
+// extractContainerArtifacts saves logs and tar files from a container.
+func extractContainerArtifacts(ctx context.Context, cli *client.Client, containerID, containerName, logsDir string, verbose bool) error {
+	// Ensure the logs directory exists
+	if err := os.MkdirAll(logsDir, 0o755); err != nil {
+		return fmt.Errorf("failed to create logs directory: %w", err)
+	}
+
+	// Extract container logs
+	if err := extractContainerLogs(ctx, cli, containerID, containerName, logsDir, verbose); err != nil {
+		return fmt.Errorf("failed to extract logs: %w", err)
+	}
+
+	// Extract tar files for headscale containers only
+	if strings.HasPrefix(containerName, "hs-") {
+		if err := extractContainerFiles(ctx, cli, containerID, containerName, logsDir, verbose); err != nil {
+			if verbose {
+				log.Printf("Warning: failed to extract files from %s: %v", containerName, err)
+			}
+			// Don't fail the whole extraction if files are missing
+		}
+	}
+
+	return nil
+}
+
+// extractContainerLogs saves the stdout and stderr logs from a container to files.
+func extractContainerLogs(ctx context.Context, cli *client.Client, containerID, containerName, logsDir string, verbose bool) error {
+	// Get container logs
+	logReader, err := cli.ContainerLogs(ctx, containerID, container.LogsOptions{
+		ShowStdout: true,
+		ShowStderr: true,
+		Timestamps: false,
+		Follow:     false,
+		Tail:       "all",
+	})
+	if err != nil {
+		return fmt.Errorf("failed to get container logs: %w", err)
+	}
+	defer logReader.Close()
+
+	// Create log files following the headscale naming convention
+	stdoutPath := filepath.Join(logsDir, containerName+".stdout.log")
+	stderrPath := filepath.Join(logsDir, containerName+".stderr.log")
+
+	// Create buffers to capture stdout and stderr separately
+	var stdoutBuf, stderrBuf bytes.Buffer
+
+	// Demultiplex the Docker logs stream to separate stdout and stderr
+	_, err = stdcopy.StdCopy(&stdoutBuf, &stderrBuf, logReader)
+	if err != nil {
+		return fmt.Errorf("failed to demultiplex container logs: %w", err)
+	}
+
+	// Write stdout logs
+	if err := os.WriteFile(stdoutPath, stdoutBuf.Bytes(), 0o644); err != nil {
+		return fmt.Errorf("failed to write stdout log: %w", err)
+	}
+
+	// Write stderr logs
+	if err := os.WriteFile(stderrPath, stderrBuf.Bytes(), 0o644); err != nil {
+		return fmt.Errorf("failed to write stderr log: %w", err)
+	}
+
+	if verbose {
+		log.Printf("Saved logs for %s: %s, %s", containerName, stdoutPath, stderrPath)
+	}
+
+	return nil
+}
+
+// extractContainerFiles extracts database file and directories from headscale containers.
+// Note: The actual file extraction is now handled by the integration tests themselves
+// via SaveProfile, SaveMapResponses, and SaveDatabase functions in hsic.go.
+func extractContainerFiles(ctx context.Context, cli *client.Client, containerID, containerName, logsDir string, verbose bool) error {
+	// Files are now extracted directly by the integration tests
+	// This function is kept for potential future use or other file types
+	return nil
+}
+
+// logExtractionError logs extraction errors with appropriate level based on error type.
+func logExtractionError(artifactType, containerName string, err error, verbose bool) {
+	if errors.Is(err, ErrFileNotFoundInTar) {
+		// File not found is expected and only logged in verbose mode
+		if verbose {
+			log.Printf("No %s found in container %s", artifactType, containerName)
+		}
+	} else {
+		// Other errors are actual failures and should be logged as warnings
+		log.Printf("Warning: failed to extract %s from %s: %v", artifactType, containerName, err)
+	}
+}
+
+// extractSingleFile copies a single file from a container.
+func extractSingleFile(ctx context.Context, cli *client.Client, containerID, sourcePath, fileName, logsDir string, verbose bool) error {
+	tarReader, _, err := cli.CopyFromContainer(ctx, containerID, sourcePath)
+	if err != nil {
+		return fmt.Errorf("failed to copy %s from container: %w", sourcePath, err)
+	}
+	defer tarReader.Close()
+
+	// Extract the single file from the tar
+	filePath := filepath.Join(logsDir, fileName)
+	if err := extractFileFromTar(tarReader, filepath.Base(sourcePath), filePath); err != nil {
+		return fmt.Errorf("failed to extract file from tar: %w", err)
+	}
+
+	if verbose {
+		log.Printf("Extracted %s from %s", fileName, containerID[:12])
+	}
+
+	return nil
+}
+
+// extractDirectory copies a directory from a container and extracts its contents.
+func extractDirectory(ctx context.Context, cli *client.Client, containerID, sourcePath, dirName, logsDir string, verbose bool) error {
+	tarReader, _, err := cli.CopyFromContainer(ctx, containerID, sourcePath)
+	if err != nil {
+		return fmt.Errorf("failed to copy %s from container: %w", sourcePath, err)
+	}
+	defer tarReader.Close()
+
+	// Create target directory
+	targetDir := filepath.Join(logsDir, dirName)
+	if err := os.MkdirAll(targetDir, 0o755); err != nil {
+		return fmt.Errorf("failed to create directory %s: %w", targetDir, err)
+	}
+
+	// Extract the directory from the tar
+	if err := extractDirectoryFromTar(tarReader, targetDir); err != nil {
+		return fmt.Errorf("failed to extract directory from tar: %w", err)
+	}
+
+	if verbose {
+		log.Printf("Extracted %s/ from %s", dirName, containerID[:12])
+	}
+
+	return nil
+}
--- a/cmd/hi/doctor.go
+++ b/cmd/hi/doctor.go
@@ -0,0 +1,374 @@
+package main
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"os/exec"
+	"strings"
+)
+
+var ErrSystemChecksFailed = errors.New("system checks failed")
+
+// DoctorResult represents the result of a single health check.
+type DoctorResult struct {
+	Name        string
+	Status      string // "PASS", "FAIL", "WARN"
+	Message     string
+	Suggestions []string
+}
+
+// runDoctorCheck performs comprehensive pre-flight checks for integration testing.
+func runDoctorCheck(ctx context.Context) error {
+	results := []DoctorResult{}
+
+	// Check 1: Docker binary availability
+	results = append(results, checkDockerBinary())
+
+	// Check 2: Docker daemon connectivity
+	dockerResult := checkDockerDaemon(ctx)
+	results = append(results, dockerResult)
+
+	// If Docker is available, run additional checks
+	if dockerResult.Status == "PASS" {
+		results = append(results, checkDockerContext(ctx))
+		results = append(results, checkDockerSocket(ctx))
+		results = append(results, checkGolangImage(ctx))
+	}
+
+	// Check 3: Go installation
+	results = append(results, checkGoInstallation())
+
+	// Check 4: Git repository
+	results = append(results, checkGitRepository())
+
+	// Check 5: Required files
+	results = append(results, checkRequiredFiles())
+
+	// Display results
+	displayDoctorResults(results)
+
+	// Return error if any critical checks failed
+	for _, result := range results {
+		if result.Status == "FAIL" {
+			return fmt.Errorf("%w - see details above", ErrSystemChecksFailed)
+		}
+	}
+
+	log.Printf("✅ All system checks passed - ready to run integration tests!")
+
+	return nil
+}
+
+// checkDockerBinary verifies Docker binary is available.
+func checkDockerBinary() DoctorResult {
+	_, err := exec.LookPath("docker")
+	if err != nil {
+		return DoctorResult{
+			Name:    "Docker Binary",
+			Status:  "FAIL",
+			Message: "Docker binary not found in PATH",
+			Suggestions: []string{
+				"Install Docker: https://docs.docker.com/get-docker/",
+				"For macOS: consider using colima or Docker Desktop",
+				"Ensure docker is in your PATH",
+			},
+		}
+	}
+
+	return DoctorResult{
+		Name:    "Docker Binary",
+		Status:  "PASS",
+		Message: "Docker binary found",
+	}
+}
+
+// checkDockerDaemon verifies Docker daemon is running and accessible.
+func checkDockerDaemon(ctx context.Context) DoctorResult {
+	cli, err := createDockerClient()
+	if err != nil {
+		return DoctorResult{
+			Name:    "Docker Daemon",
+			Status:  "FAIL",
+			Message: fmt.Sprintf("Cannot create Docker client: %v", err),
+			Suggestions: []string{
+				"Start Docker daemon/service",
+				"Check Docker Desktop is running (if using Docker Desktop)",
+				"For colima: run 'colima start'",
+				"Verify DOCKER_HOST environment variable if set",
+			},
+		}
+	}
+	defer cli.Close()
+
+	_, err = cli.Ping(ctx)
+	if err != nil {
+		return DoctorResult{
+			Name:    "Docker Daemon",
+			Status:  "FAIL",
+			Message: fmt.Sprintf("Cannot ping Docker daemon: %v", err),
+			Suggestions: []string{
+				"Ensure Docker daemon is running",
+				"Check Docker socket permissions",
+				"Try: docker info",
+			},
+		}
+	}
+
+	return DoctorResult{
+		Name:    "Docker Daemon",
+		Status:  "PASS",
+		Message: "Docker daemon is running and accessible",
+	}
+}
+
+// checkDockerContext verifies Docker context configuration.
+func checkDockerContext(_ context.Context) DoctorResult {
+	contextInfo, err := getCurrentDockerContext()
+	if err != nil {
+		return DoctorResult{
+			Name:    "Docker Context",
+			Status:  "WARN",
+			Message: "Could not detect Docker context, using default settings",
+			Suggestions: []string{
+				"Check: docker context ls",
+				"Consider setting up a specific context if needed",
+			},
+		}
+	}
+
+	if contextInfo == nil {
+		return DoctorResult{
+			Name:    "Docker Context",
+			Status:  "PASS",
+			Message: "Using default Docker context",
+		}
+	}
+
+	return DoctorResult{
+		Name:    "Docker Context",
+		Status:  "PASS",
+		Message: "Using Docker context: " + contextInfo.Name,
+	}
+}
+
+// checkDockerSocket verifies Docker socket accessibility.
+func checkDockerSocket(ctx context.Context) DoctorResult {
+	cli, err := createDockerClient()
+	if err != nil {
+		return DoctorResult{
+			Name:    "Docker Socket",
+			Status:  "FAIL",
+			Message: fmt.Sprintf("Cannot access Docker socket: %v", err),
+			Suggestions: []string{
+				"Check Docker socket permissions",
+				"Add user to docker group: sudo usermod -aG docker $USER",
+				"For colima: ensure socket is accessible",
+			},
+		}
+	}
+	defer cli.Close()
+
+	info, err := cli.Info(ctx)
+	if err != nil {
+		return DoctorResult{
+			Name:    "Docker Socket",
+			Status:  "FAIL",
+			Message: fmt.Sprintf("Cannot get Docker info: %v", err),
+			Suggestions: []string{
+				"Check Docker daemon status",
+				"Verify socket permissions",
+			},
+		}
+	}
+
+	return DoctorResult{
+		Name:    "Docker Socket",
+		Status:  "PASS",
+		Message: fmt.Sprintf("Docker socket accessible (Server: %s)", info.ServerVersion),
+	}
+}
+
+// checkGolangImage verifies the golang Docker image is available locally or can be pulled.
+func checkGolangImage(ctx context.Context) DoctorResult {
+	cli, err := createDockerClient()
+	if err != nil {
+		return DoctorResult{
+			Name:    "Golang Image",
+			Status:  "FAIL",
+			Message: "Cannot create Docker client for image check",
+		}
+	}
+	defer cli.Close()
+
+	goVersion := detectGoVersion()
+	imageName := "golang:" + goVersion
+
+	// First check if image is available locally
+	available, err := checkImageAvailableLocally(ctx, cli, imageName)
+	if err != nil {
+		return DoctorResult{
+			Name:    "Golang Image",
+			Status:  "FAIL",
+			Message: fmt.Sprintf("Cannot check golang image %s: %v", imageName, err),
+			Suggestions: []string{
+				"Check Docker daemon status",
+				"Try: docker images | grep golang",
+			},
+		}
+	}
+
+	if available {
+		return DoctorResult{
+			Name:    "Golang Image",
+			Status:  "PASS",
+			Message: fmt.Sprintf("Golang image %s is available locally", imageName),
+		}
+	}
+
+	// Image not available locally, try to pull it
+	err = ensureImageAvailable(ctx, cli, imageName, false)
+	if err != nil {
+		return DoctorResult{
+			Name:    "Golang Image",
+			Status:  "FAIL",
+			Message: fmt.Sprintf("Golang image %s not available locally and cannot pull: %v", imageName, err),
+			Suggestions: []string{
+				"Check internet connectivity",
+				"Verify Docker Hub access",
+				"Try: docker pull " + imageName,
+				"Or run tests offline if image was pulled previously",
+			},
+		}
+	}
+
+	return DoctorResult{
+		Name:    "Golang Image",
+		Status:  "PASS",
+		Message: fmt.Sprintf("Golang image %s is now available", imageName),
+	}
+}
+
+// checkGoInstallation verifies Go is installed and working.
+func checkGoInstallation() DoctorResult {
+	_, err := exec.LookPath("go")
+	if err != nil {
+		return DoctorResult{
+			Name:    "Go Installation",
+			Status:  "FAIL",
+			Message: "Go binary not found in PATH",
+			Suggestions: []string{
+				"Install Go: https://golang.org/dl/",
+				"Ensure go is in your PATH",
+			},
+		}
+	}
+
+	cmd := exec.Command("go", "version")
+	output, err := cmd.Output()
+	if err != nil {
+		return DoctorResult{
+			Name:    "Go Installation",
+			Status:  "FAIL",
+			Message: fmt.Sprintf("Cannot get Go version: %v", err),
+		}
+	}
+
+	version := strings.TrimSpace(string(output))
+
+	return DoctorResult{
+		Name:    "Go Installation",
+		Status:  "PASS",
+		Message: version,
+	}
+}
+
+// checkGitRepository verifies we're in a git repository.
+func checkGitRepository() DoctorResult {
+	cmd := exec.Command("git", "rev-parse", "--git-dir")
+	err := cmd.Run()
+	if err != nil {
+		return DoctorResult{
+			Name:    "Git Repository",
+			Status:  "FAIL",
+			Message: "Not in a Git repository",
+			Suggestions: []string{
+				"Run from within the headscale git repository",
+				"Clone the repository: git clone https://github.com/juanfont/headscale.git",
+			},
+		}
+	}
+
+	return DoctorResult{
+		Name:    "Git Repository",
+		Status:  "PASS",
+		Message: "Running in Git repository",
+	}
+}
+
+// checkRequiredFiles verifies required files exist.
+func checkRequiredFiles() DoctorResult {
+	requiredFiles := []string{
+		"go.mod",
+		"integration/",
+		"cmd/hi/",
+	}
+
+	var missingFiles []string
+	for _, file := range requiredFiles {
+		cmd := exec.Command("test", "-e", file)
+		if err := cmd.Run(); err != nil {
+			missingFiles = append(missingFiles, file)
+		}
+	}
+
+	if len(missingFiles) > 0 {
+		return DoctorResult{
+			Name:    "Required Files",
+			Status:  "FAIL",
+			Message: "Missing required files: " + strings.Join(missingFiles, ", "),
+			Suggestions: []string{
+				"Ensure you're in the headscale project root directory",
+				"Check that integration/ directory exists",
+				"Verify this is a complete headscale repository",
+			},
+		}
+	}
+
+	return DoctorResult{
+		Name:    "Required Files",
+		Status:  "PASS",
+		Message: "All required files found",
+	}
+}
+
+// displayDoctorResults shows the results in a formatted way.
+func displayDoctorResults(results []DoctorResult) {
+	log.Printf("🔍 System Health Check Results")
+	log.Printf("================================")
+
+	for _, result := range results {
+		var icon string
+		switch result.Status {
+		case "PASS":
+			icon = "✅"
+		case "WARN":
+			icon = "⚠️"
+		case "FAIL":
+			icon = "❌"
+		default:
+			icon = "❓"
+		}
+
+		log.Printf("%s %s: %s", icon, result.Name, result.Message)
+
+		if len(result.Suggestions) > 0 {
+			for _, suggestion := range result.Suggestions {
+				log.Printf("   💡 %s", suggestion)
+			}
+		}
+	}
+
+	log.Printf("================================")
+}
--- a/cmd/hi/main.go
+++ b/cmd/hi/main.go
@@ -0,0 +1,93 @@
+package main
+
+import (
+	"context"
+	"os"
+
+	"github.com/creachadair/command"
+	"github.com/creachadair/flax"
+)
+
+var runConfig RunConfig
+
+func main() {
+	root := command.C{
+		Name: "hi",
+		Help: "Headscale Integration test runner",
+		Commands: []*command.C{
+			{
+				Name:     "run",
+				Help:     "Run integration tests",
+				Usage:    "run [test-pattern] [flags]",
+				SetFlags: command.Flags(flax.MustBind, &runConfig),
+				Run:      runIntegrationTest,
+			},
+			{
+				Name: "doctor",
+				Help: "Check system requirements for running integration tests",
+				Run: func(env *command.Env) error {
+					return runDoctorCheck(env.Context())
+				},
+			},
+			{
+				Name: "clean",
+				Help: "Clean Docker resources",
+				Commands: []*command.C{
+					{
+						Name: "networks",
+						Help: "Prune unused Docker networks",
+						Run: func(env *command.Env) error {
+							return pruneDockerNetworks(env.Context())
+						},
+					},
+					{
+						Name: "images",
+						Help: "Clean old test images",
+						Run: func(env *command.Env) error {
+							return cleanOldImages(env.Context())
+						},
+					},
+					{
+						Name: "containers",
+						Help: "Kill all test containers",
+						Run: func(env *command.Env) error {
+							return killTestContainers(env.Context())
+						},
+					},
+					{
+						Name: "cache",
+						Help: "Clean Go module cache volume",
+						Run: func(env *command.Env) error {
+							return cleanCacheVolume(env.Context())
+						},
+					},
+					{
+						Name: "all",
+						Help: "Run all cleanup operations",
+						Run: func(env *command.Env) error {
+							return cleanAll(env.Context())
+						},
+					},
+				},
+			},
+			command.HelpCommand(nil),
+		},
+	}
+
+	env := root.NewEnv(nil).MergeFlags(true)
+	command.RunOrFail(env, os.Args[1:])
+}
+
+func cleanAll(ctx context.Context) error {
+	if err := killTestContainers(ctx); err != nil {
+		return err
+	}
+	if err := pruneDockerNetworks(ctx); err != nil {
+		return err
+	}
+	if err := cleanOldImages(ctx); err != nil {
+		return err
+	}
+
+	return cleanCacheVolume(ctx)
+}
--- a/cmd/hi/run.go
+++ b/cmd/hi/run.go
@@ -0,0 +1,125 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/creachadair/command"
+)
+
+var ErrTestPatternRequired = errors.New("test pattern is required as first argument or use --test flag")
+
+type RunConfig struct {
+	TestPattern   string        `flag:"test,Test pattern to run"`
+	Timeout       time.Duration `flag:"timeout,default=120m,Test timeout"`
+	FailFast      bool          `flag:"failfast,default=true,Stop on first test failure"`
+	UsePostgres   bool          `flag:"postgres,default=false,Use PostgreSQL instead of SQLite"`
+	GoVersion     string        `flag:"go-version,Go version to use (auto-detected from go.mod)"`
+	CleanBefore   bool          `flag:"clean-before,default=true,Clean resources before test"`
+	CleanAfter    bool          `flag:"clean-after,default=true,Clean resources after test"`
+	KeepOnFailure bool          `flag:"keep-on-failure,default=false,Keep containers on test failure"`
+	LogsDir       string        `flag:"logs-dir,default=control_logs,Control logs directory"`
+	Verbose       bool          `flag:"verbose,default=false,Verbose output"`
+	Stats           bool          `flag:"stats,default=false,Collect and display container resource usage statistics"`
+	HSMemoryLimit   float64       `flag:"hs-memory-limit,default=0,Fail test if any Headscale container exceeds this memory limit in MB (0 = disabled)"`
+	TSMemoryLimit   float64       `flag:"ts-memory-limit,default=0,Fail test if any Tailscale container exceeds this memory limit in MB (0 = disabled)"`
+}
+
+// runIntegrationTest executes the integration test workflow.
+func runIntegrationTest(env *command.Env) error {
+	args := env.Args
+	if len(args) > 0 && runConfig.TestPattern == "" {
+		runConfig.TestPattern = args[0]
+	}
+
+	if runConfig.TestPattern == "" {
+		return ErrTestPatternRequired
+	}
+
+	if runConfig.GoVersion == "" {
+		runConfig.GoVersion = detectGoVersion()
+	}
+
+	// Run pre-flight checks
+	if runConfig.Verbose {
+		log.Printf("Running pre-flight system checks...")
+	}
+	if err := runDoctorCheck(env.Context()); err != nil {
+		return fmt.Errorf("pre-flight checks failed: %w", err)
+	}
+
+	if runConfig.Verbose {
+		log.Printf("Running test: %s", runConfig.TestPattern)
+		log.Printf("Go version: %s", runConfig.GoVersion)
+		log.Printf("Timeout: %s", runConfig.Timeout)
+		log.Printf("Use PostgreSQL: %t", runConfig.UsePostgres)
+	}
+
+	return runTestContainer(env.Context(), &runConfig)
+}
+
+// detectGoVersion reads the Go version from go.mod file.
+func detectGoVersion() string {
+	goModPath := filepath.Join("..", "..", "go.mod")
+
+	if _, err := os.Stat("go.mod"); err == nil {
+		goModPath = "go.mod"
+	} else if _, err := os.Stat("../../go.mod"); err == nil {
+		goModPath = "../../go.mod"
+	}
+
+	content, err := os.ReadFile(goModPath)
+	if err != nil {
+		return "1.24"
+	}
+
+	lines := splitLines(string(content))
+	for _, line := range lines {
+		if len(line) > 3 && line[:3] == "go " {
+			version := line[3:]
+			if idx := indexOf(version, " "); idx != -1 {
+				version = version[:idx]
+			}
+
+			return version
+		}
+	}
+
+	return "1.24"
+}
+
+// splitLines splits a string into lines without using strings.Split.
+func splitLines(s string) []string {
+	var lines []string
+	var current string
+
+	for _, char := range s {
+		if char == '\n' {
+			lines = append(lines, current)
+			current = ""
+		} else {
+			current += string(char)
+		}
+	}
+
+	if current != "" {
+		lines = append(lines, current)
+	}
+
+	return lines
+}
+
+// indexOf finds the first occurrence of substr in s.
+func indexOf(s, substr string) int {
+	for i := 0; i <= len(s)-len(substr); i++ {
+		if s[i:i+len(substr)] == substr {
+			return i
+		}
+	}
+
+	return -1
+}
--- a/cmd/hi/stats.go
+++ b/cmd/hi/stats.go
@@ -0,0 +1,468 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log"
+	"sort"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/events"
+	"github.com/docker/docker/api/types/filters"
+	"github.com/docker/docker/client"
+)
+
+// ContainerStats represents statistics for a single container
+type ContainerStats struct {
+	ContainerID   string
+	ContainerName string
+	Stats         []StatsSample
+	mutex         sync.RWMutex
+}
+
+// StatsSample represents a single stats measurement
+type StatsSample struct {
+	Timestamp time.Time
+	CPUUsage  float64 // CPU usage percentage
+	MemoryMB  float64 // Memory usage in MB
+}
+
+// StatsCollector manages collection of container statistics
+type StatsCollector struct {
+	client            *client.Client
+	containers        map[string]*ContainerStats
+	stopChan          chan struct{}
+	wg                sync.WaitGroup
+	mutex             sync.RWMutex
+	collectionStarted bool
+}
+
+// NewStatsCollector creates a new stats collector instance
+func NewStatsCollector() (*StatsCollector, error) {
+	cli, err := createDockerClient()
+	if err != nil {
+		return nil, fmt.Errorf("failed to create Docker client: %w", err)
+	}
+
+	return &StatsCollector{
+		client:     cli,
+		containers: make(map[string]*ContainerStats),
+		stopChan:   make(chan struct{}),
+	}, nil
+}
+
+// StartCollection begins monitoring all containers and collecting stats for hs- and ts- containers with matching run ID
+func (sc *StatsCollector) StartCollection(ctx context.Context, runID string, verbose bool) error {
+	sc.mutex.Lock()
+	defer sc.mutex.Unlock()
+
+	if sc.collectionStarted {
+		return fmt.Errorf("stats collection already started")
+	}
+
+	sc.collectionStarted = true
+
+	// Start monitoring existing containers
+	sc.wg.Add(1)
+	go sc.monitorExistingContainers(ctx, runID, verbose)
+
+	// Start Docker events monitoring for new containers
+	sc.wg.Add(1)
+	go sc.monitorDockerEvents(ctx, runID, verbose)
+
+	if verbose {
+		log.Printf("Started container monitoring for run ID %s", runID)
+	}
+
+	return nil
+}
+
+// StopCollection stops all stats collection
+func (sc *StatsCollector) StopCollection() {
+	// Check if already stopped without holding lock
+	sc.mutex.RLock()
+	if !sc.collectionStarted {
+		sc.mutex.RUnlock()
+		return
+	}
+	sc.mutex.RUnlock()
+
+	// Signal stop to all goroutines
+	close(sc.stopChan)
+	
+	// Wait for all goroutines to finish
+	sc.wg.Wait()
+	
+	// Mark as stopped
+	sc.mutex.Lock()
+	sc.collectionStarted = false
+	sc.mutex.Unlock()
+}
+
+// monitorExistingContainers checks for existing containers that match our criteria
+func (sc *StatsCollector) monitorExistingContainers(ctx context.Context, runID string, verbose bool) {
+	defer sc.wg.Done()
+
+	containers, err := sc.client.ContainerList(ctx, container.ListOptions{})
+	if err != nil {
+		if verbose {
+			log.Printf("Failed to list existing containers: %v", err)
+		}
+		return
+	}
+
+	for _, cont := range containers {
+		if sc.shouldMonitorContainer(cont, runID) {
+			sc.startStatsForContainer(ctx, cont.ID, cont.Names[0], verbose)
+		}
+	}
+}
+
+// monitorDockerEvents listens for container start events and begins monitoring relevant containers
+func (sc *StatsCollector) monitorDockerEvents(ctx context.Context, runID string, verbose bool) {
+	defer sc.wg.Done()
+
+	filter := filters.NewArgs()
+	filter.Add("type", "container")
+	filter.Add("event", "start")
+	
+	eventOptions := events.ListOptions{
+		Filters: filter,
+	}
+
+	events, errs := sc.client.Events(ctx, eventOptions)
+
+	for {
+		select {
+		case <-sc.stopChan:
+			return
+		case <-ctx.Done():
+			return
+		case event := <-events:
+			if event.Type == "container" && event.Action == "start" {
+				// Get container details
+				containerInfo, err := sc.client.ContainerInspect(ctx, event.ID)
+				if err != nil {
+					continue
+				}
+
+				// Convert to types.Container format for consistency
+				cont := types.Container{
+					ID:     containerInfo.ID,
+					Names:  []string{containerInfo.Name},
+					Labels: containerInfo.Config.Labels,
+				}
+
+				if sc.shouldMonitorContainer(cont, runID) {
+					sc.startStatsForContainer(ctx, cont.ID, cont.Names[0], verbose)
+				}
+			}
+		case err := <-errs:
+			if verbose {
+				log.Printf("Error in Docker events stream: %v", err)
+			}
+			return
+		}
+	}
+}
+
+// shouldMonitorContainer determines if a container should be monitored
+func (sc *StatsCollector) shouldMonitorContainer(cont types.Container, runID string) bool {
+	// Check if it has the correct run ID label
+	if cont.Labels == nil || cont.Labels["hi.run-id"] != runID {
+		return false
+	}
+
+	// Check if it's an hs- or ts- container
+	for _, name := range cont.Names {
+		containerName := strings.TrimPrefix(name, "/")
+		if strings.HasPrefix(containerName, "hs-") || strings.HasPrefix(containerName, "ts-") {
+			return true
+		}
+	}
+
+	return false
+}
+
+// startStatsForContainer begins stats collection for a specific container
+func (sc *StatsCollector) startStatsForContainer(ctx context.Context, containerID, containerName string, verbose bool) {
+	containerName = strings.TrimPrefix(containerName, "/")
+
+	sc.mutex.Lock()
+	// Check if we're already monitoring this container
+	if _, exists := sc.containers[containerID]; exists {
+		sc.mutex.Unlock()
+		return
+	}
+
+	sc.containers[containerID] = &ContainerStats{
+		ContainerID:   containerID,
+		ContainerName: containerName,
+		Stats:         make([]StatsSample, 0),
+	}
+	sc.mutex.Unlock()
+
+	if verbose {
+		log.Printf("Starting stats collection for container %s (%s)", containerName, containerID[:12])
+	}
+
+	sc.wg.Add(1)
+	go sc.collectStatsForContainer(ctx, containerID, verbose)
+}
+
+// collectStatsForContainer collects stats for a specific container using Docker API streaming
+func (sc *StatsCollector) collectStatsForContainer(ctx context.Context, containerID string, verbose bool) {
+	defer sc.wg.Done()
+
+	// Use Docker API streaming stats - much more efficient than CLI
+	statsResponse, err := sc.client.ContainerStats(ctx, containerID, true)
+	if err != nil {
+		if verbose {
+			log.Printf("Failed to get stats stream for container %s: %v", containerID[:12], err)
+		}
+		return
+	}
+	defer statsResponse.Body.Close()
+
+	decoder := json.NewDecoder(statsResponse.Body)
+	var prevStats *container.Stats
+
+	for {
+		select {
+		case <-sc.stopChan:
+			return
+		case <-ctx.Done():
+			return
+		default:
+			var stats container.Stats
+			if err := decoder.Decode(&stats); err != nil {
+				// EOF is expected when container stops or stream ends
+				if err.Error() != "EOF" && verbose {
+					log.Printf("Failed to decode stats for container %s: %v", containerID[:12], err)
+				}
+				return
+			}
+
+			// Calculate CPU percentage (only if we have previous stats)
+			var cpuPercent float64
+			if prevStats != nil {
+				cpuPercent = calculateCPUPercent(prevStats, &stats)
+			}
+
+			// Calculate memory usage in MB
+			memoryMB := float64(stats.MemoryStats.Usage) / (1024 * 1024)
+
+			// Store the sample (skip first sample since CPU calculation needs previous stats)
+			if prevStats != nil {
+				// Get container stats reference without holding the main mutex
+				var containerStats *ContainerStats
+				var exists bool
+				
+				sc.mutex.RLock()
+				containerStats, exists = sc.containers[containerID]
+				sc.mutex.RUnlock()
+
+				if exists && containerStats != nil {
+					containerStats.mutex.Lock()
+					containerStats.Stats = append(containerStats.Stats, StatsSample{
+						Timestamp: time.Now(),
+						CPUUsage:  cpuPercent,
+						MemoryMB:  memoryMB,
+					})
+					containerStats.mutex.Unlock()
+				}
+			}
+
+			// Save current stats for next iteration
+			prevStats = &stats
+		}
+	}
+}
+
+// calculateCPUPercent calculates CPU usage percentage from Docker stats
+func calculateCPUPercent(prevStats, stats *container.Stats) float64 {
+	// CPU calculation based on Docker's implementation
+	cpuDelta := float64(stats.CPUStats.CPUUsage.TotalUsage) - float64(prevStats.CPUStats.CPUUsage.TotalUsage)
+	systemDelta := float64(stats.CPUStats.SystemUsage) - float64(prevStats.CPUStats.SystemUsage)
+	
+	if systemDelta > 0 && cpuDelta >= 0 {
+		// Calculate CPU percentage: (container CPU delta / system CPU delta) * number of CPUs * 100
+		numCPUs := float64(len(stats.CPUStats.CPUUsage.PercpuUsage))
+		if numCPUs == 0 {
+			// Fallback: if PercpuUsage is not available, assume 1 CPU
+			numCPUs = 1.0
+		}
+		return (cpuDelta / systemDelta) * numCPUs * 100.0
+	}
+	return 0.0
+}
+
+// ContainerStatsSummary represents summary statistics for a container
+type ContainerStatsSummary struct {
+	ContainerName string
+	SampleCount   int
+	CPU           StatsSummary
+	Memory        StatsSummary
+}
+
+// MemoryViolation represents a container that exceeded the memory limit
+type MemoryViolation struct {
+	ContainerName string
+	MaxMemoryMB   float64
+	LimitMB       float64
+}
+
+// StatsSummary represents min, max, and average for a metric
+type StatsSummary struct {
+	Min     float64
+	Max     float64
+	Average float64
+}
+
+// GetSummary returns a summary of collected statistics
+func (sc *StatsCollector) GetSummary() []ContainerStatsSummary {
+	// Take snapshot of container references without holding main lock long
+	sc.mutex.RLock()
+	containerRefs := make([]*ContainerStats, 0, len(sc.containers))
+	for _, containerStats := range sc.containers {
+		containerRefs = append(containerRefs, containerStats)
+	}
+	sc.mutex.RUnlock()
+
+	summaries := make([]ContainerStatsSummary, 0, len(containerRefs))
+
+	for _, containerStats := range containerRefs {
+		containerStats.mutex.RLock()
+		stats := make([]StatsSample, len(containerStats.Stats))
+		copy(stats, containerStats.Stats)
+		containerName := containerStats.ContainerName
+		containerStats.mutex.RUnlock()
+
+		if len(stats) == 0 {
+			continue
+		}
+
+		summary := ContainerStatsSummary{
+			ContainerName: containerName,
+			SampleCount:   len(stats),
+		}
+
+		// Calculate CPU stats
+		cpuValues := make([]float64, len(stats))
+		memoryValues := make([]float64, len(stats))
+		
+		for i, sample := range stats {
+			cpuValues[i] = sample.CPUUsage
+			memoryValues[i] = sample.MemoryMB
+		}
+
+		summary.CPU = calculateStatsSummary(cpuValues)
+		summary.Memory = calculateStatsSummary(memoryValues)
+
+		summaries = append(summaries, summary)
+	}
+
+	// Sort by container name for consistent output
+	sort.Slice(summaries, func(i, j int) bool {
+		return summaries[i].ContainerName < summaries[j].ContainerName
+	})
+
+	return summaries
+}
+
+// calculateStatsSummary calculates min, max, and average for a slice of values
+func calculateStatsSummary(values []float64) StatsSummary {
+	if len(values) == 0 {
+		return StatsSummary{}
+	}
+
+	min := values[0]
+	max := values[0]
+	sum := 0.0
+
+	for _, value := range values {
+		if value < min {
+			min = value
+		}
+		if value > max {
+			max = value
+		}
+		sum += value
+	}
+
+	return StatsSummary{
+		Min:     min,
+		Max:     max,
+		Average: sum / float64(len(values)),
+	}
+}
+
+// PrintSummary prints the statistics summary to the console
+func (sc *StatsCollector) PrintSummary() {
+	summaries := sc.GetSummary()
+	
+	if len(summaries) == 0 {
+		log.Printf("No container statistics collected")
+		return
+	}
+
+	log.Printf("Container Resource Usage Summary:")
+	log.Printf("================================")
+	
+	for _, summary := range summaries {
+		log.Printf("Container: %s (%d samples)", summary.ContainerName, summary.SampleCount)
+		log.Printf("  CPU Usage:    Min: %6.2f%%  Max: %6.2f%%  Avg: %6.2f%%", 
+			summary.CPU.Min, summary.CPU.Max, summary.CPU.Average)
+		log.Printf("  Memory Usage: Min: %6.1f MB Max: %6.1f MB Avg: %6.1f MB", 
+			summary.Memory.Min, summary.Memory.Max, summary.Memory.Average)
+		log.Printf("")
+	}
+}
+
+// CheckMemoryLimits checks if any containers exceeded their memory limits
+func (sc *StatsCollector) CheckMemoryLimits(hsLimitMB, tsLimitMB float64) []MemoryViolation {
+	if hsLimitMB <= 0 && tsLimitMB <= 0 {
+		return nil
+	}
+
+	summaries := sc.GetSummary()
+	var violations []MemoryViolation
+
+	for _, summary := range summaries {
+		var limitMB float64
+		if strings.HasPrefix(summary.ContainerName, "hs-") {
+			limitMB = hsLimitMB
+		} else if strings.HasPrefix(summary.ContainerName, "ts-") {
+			limitMB = tsLimitMB
+		} else {
+			continue // Skip containers that don't match our patterns
+		}
+
+		if limitMB > 0 && summary.Memory.Max > limitMB {
+			violations = append(violations, MemoryViolation{
+				ContainerName: summary.ContainerName,
+				MaxMemoryMB:   summary.Memory.Max,
+				LimitMB:       limitMB,
+			})
+		}
+	}
+
+	return violations
+}
+
+// PrintSummaryAndCheckLimits prints the statistics summary and returns memory violations if any
+func (sc *StatsCollector) PrintSummaryAndCheckLimits(hsLimitMB, tsLimitMB float64) []MemoryViolation {
+	sc.PrintSummary()
+	return sc.CheckMemoryLimits(hsLimitMB, tsLimitMB)
+}
+
+// Close closes the stats collector and cleans up resources
+func (sc *StatsCollector) Close() error {
+	sc.StopCollection()
+	return sc.client.Close()
+}
--- a/cmd/hi/tar_utils.go
+++ b/cmd/hi/tar_utils.go
@@ -0,0 +1,100 @@
+package main
+
+import (
+	"archive/tar"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+)
+
+// ErrFileNotFoundInTar indicates a file was not found in the tar archive.
+var ErrFileNotFoundInTar = errors.New("file not found in tar")
+
+// extractFileFromTar extracts a single file from a tar reader.
+func extractFileFromTar(tarReader io.Reader, fileName, outputPath string) error {
+	tr := tar.NewReader(tarReader)
+
+	for {
+		header, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return fmt.Errorf("failed to read tar header: %w", err)
+		}
+
+		// Check if this is the file we're looking for
+		if filepath.Base(header.Name) == fileName {
+			if header.Typeflag == tar.TypeReg {
+				// Create the output file
+				outFile, err := os.Create(outputPath)
+				if err != nil {
+					return fmt.Errorf("failed to create output file: %w", err)
+				}
+				defer outFile.Close()
+
+				// Copy file contents
+				if _, err := io.Copy(outFile, tr); err != nil {
+					return fmt.Errorf("failed to copy file contents: %w", err)
+				}
+
+				return nil
+			}
+		}
+	}
+
+	return fmt.Errorf("%w: %s", ErrFileNotFoundInTar, fileName)
+}
+
+// extractDirectoryFromTar extracts all files from a tar reader to a target directory.
+func extractDirectoryFromTar(tarReader io.Reader, targetDir string) error {
+	tr := tar.NewReader(tarReader)
+
+	for {
+		header, err := tr.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return fmt.Errorf("failed to read tar header: %w", err)
+		}
+
+		// Clean the path to prevent directory traversal
+		cleanName := filepath.Clean(header.Name)
+		if strings.Contains(cleanName, "..") {
+			continue // Skip potentially dangerous paths
+		}
+
+		targetPath := filepath.Join(targetDir, filepath.Base(cleanName))
+
+		switch header.Typeflag {
+		case tar.TypeDir:
+			// Create directory
+			if err := os.MkdirAll(targetPath, os.FileMode(header.Mode)); err != nil {
+				return fmt.Errorf("failed to create directory %s: %w", targetPath, err)
+			}
+		case tar.TypeReg:
+			// Create file
+			outFile, err := os.Create(targetPath)
+			if err != nil {
+				return fmt.Errorf("failed to create file %s: %w", targetPath, err)
+			}
+
+			if _, err := io.Copy(outFile, tr); err != nil {
+				outFile.Close()
+				return fmt.Errorf("failed to copy file contents: %w", err)
+			}
+			outFile.Close()
+
+			// Set file permissions
+			if err := os.Chmod(targetPath, os.FileMode(header.Mode)); err != nil {
+				return fmt.Errorf("failed to set file permissions: %w", err)
+			}
+		}
+	}
+
+	return nil
+}
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -18,10 +18,8 @@ server_url: http://127.0.0.1:8080
 # listen_addr: 0.0.0.0:8080
 listen_addr: 127.0.0.1:8080

-# Address to listen to /metrics, you may want
-# to keep this endpoint private to your internal
-# network
-#
+# Address to listen to /metrics and /debug, you may want
+# to keep this endpoint private to your internal network
 metrics_listen_addr: 127.0.0.1:9090

 # Address to listen for gRPC.
@@ -43,9 +41,9 @@ grpc_allow_insecure: false
 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol
 noise:
-  # The Noise private key is used to encrypt the
-  # traffic between headscale and Tailscale clients when
-  # using the new Noise-based protocol.
+  # The Noise private key is used to encrypt the traffic between headscale and
+  # Tailscale clients when using the new Noise-based protocol. A missing key
+  # will be automatically generated.
  private_key_path: /var/lib/headscale/noise_private.key

 # List of IP prefixes to allocate tailaddresses from.
@@ -58,8 +56,8 @@ noise:
 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
 # Any other range is NOT supported, and it will cause unexpected issues.
 prefixes:
-  v6: fd7a:115c:a1e0::/48
  v4: 100.64.0.0/10
+  v6: fd7a:115c:a1e0::/48

  # Strategy used for allocation of IPs to nodes, available options:
  # - sequential (default): assigns the next free IP from the previous given IP.
@@ -87,16 +85,17 @@ derp:
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"

+    # Only allow clients associated with this server access
+    verify_clients: true
+
    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
    #
    # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
    stun_listen_addr: "0.0.0.0:3478"

-    # Private key used to encrypt the traffic between headscale DERP
-    # and Tailscale clients.
-    # The private key file will be autogenerated if it's missing.
-    #
+    # Private key used to encrypt the traffic between headscale DERP and
+    # Tailscale clients. A missing key will be automatically generated.
    private_key_path: /var/lib/headscale/derp_server_private.key

    # This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
@@ -138,8 +137,28 @@ disable_check_updates: false
 ephemeral_node_inactivity_timeout: 30m

 database:
+  # Database type. Available options: sqlite, postgres
+  # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
+  # All new development, testing and optimisations are done with SQLite in mind.
  type: sqlite

+  # Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
+  debug: false
+
+  # GORM configuration settings.
+  gorm:
+    # Enable prepared statements.
+    prepare_stmt: true
+
+    # Enable parameterized queries.
+    parameterized_queries: true
+
+    # Skip logging "record not found" errors.
+    skip_err_record_not_found: true
+
+    # Threshold for slow queries in milliseconds.
+    slow_threshold: 1000
+
  # SQLite config
  sqlite:
    path: /var/lib/headscale/db.sqlite
@@ -148,7 +167,14 @@ database:
    # https://www.sqlite.org/wal.html
    write_ahead_log: true

+    # Maximum number of WAL file frames before the WAL file is automatically checkpointed.
+    # https://www.sqlite.org/c3ref/wal_autocheckpoint.html
+    # Set to 0 to disable automatic checkpointing.
+    wal_autocheckpoint: 1000
+
  # # Postgres config
+  # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
+  # See database.type for more information.
  # postgres:
  #   # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
  #   host: localhost
@@ -187,7 +213,7 @@ tls_letsencrypt_cache_dir: /var/lib/headscale/cache

 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
-# See [docs/tls.md](docs/tls.md) for more information
+# See: docs/ref/tls.md for more information
 tls_letsencrypt_challenge_type: HTTP-01
 # When HTTP-01 challenge is chosen, letsencrypt must set up a
 # verification endpoint, and it will be listening on:
@@ -199,9 +225,11 @@ tls_cert_path: ""
 tls_key_path: ""

 log:
+  # Valid log levels: panic, fatal, error, warn, info, debug, trace
+  level: info
+
  # Output formatting for logs: text or json
  format: text
-  level: info

 ## Policy
 # headscale supports Tailscale's ACL policies.
@@ -224,124 +252,144 @@ policy:
 # - https://tailscale.com/kb/1081/magicdns/
 # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
 #
-dns_config:
-  # Whether to prefer using Headscale provided DNS or use local.
-  override_local_dns: true
+# Please note that for the DNS configuration to have any effect,
+# clients must have the `--accept-dns=true` option enabled. This is the
+# default for the Tailscale client. This option is enabled by default
+# in the Tailscale client.
+#
+# Setting _any_ of the configuration and `--accept-dns=true` on the
+# clients will integrate with the DNS manager on the client or
+# overwrite /etc/resolv.conf.
+# https://tailscale.com/kb/1235/resolv-conf
+#
+# If you want stop Headscale from managing the DNS configuration
+# all the fields under `dns` should be set to empty values.
+dns:
+  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
+  magic_dns: true
+
+  # Defines the base domain to create the hostnames for MagicDNS.
+  # This domain _must_ be different from the server_url domain.
+  # `base_domain` must be a FQDN, without the trailing dot.
+  # The FQDN of the hosts will be
+  # `hostname.base_domain` (e.g., _myhost.example.com_).
+  base_domain: example.com
+
+  # Whether to use the local DNS settings of a node (default) or override the
+  # local DNS settings and force the use of Headscale's DNS configuration.
+  override_local_dns: false

  # List of DNS servers to expose to clients.
  nameservers:
-    - 1.1.1.1
+    global:
+      - 1.1.1.1
+      - 1.0.0.1
+      - 2606:4700:4700::1111
+      - 2606:4700:4700::1001

-  # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
-  # "abc123" is example NextDNS ID, replace with yours.
-  #
-  # With metadata sharing:
-  # nameservers:
-  #   - https://dns.nextdns.io/abc123
-  #
-  # Without metadata sharing:
-  # nameservers:
-  #   - 2a07:a8c0::ab:c123
-  #   - 2a07:a8c1::ab:c123
+      # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+      # "abc123" is example NextDNS ID, replace with yours.
+      # - https://dns.nextdns.io/abc123

-  # Split DNS (see https://tailscale.com/kb/1054/dns/),
-  # list of search domains and the DNS to query for each one.
-  #
-  # restricted_nameservers:
-  #   foo.bar.com:
-  #     - 1.1.1.1
-  #   darp.headscale.net:
-  #     - 1.1.1.1
-  #     - 8.8.8.8
+    # Split DNS (see https://tailscale.com/kb/1054/dns/),
+    # a map of domains and which DNS server to use for each.
+    split:
+      {}
+      # foo.bar.com:
+      #   - 1.1.1.1
+      # darp.headscale.net:
+      #   - 1.1.1.1
+      #   - 8.8.8.8

-  # Search domains to inject.
-  domains: []
+  # Set custom DNS search domains. With MagicDNS enabled,
+  # your tailnet base_domain is always the first search domain.
+  search_domains: []

  # Extra DNS records
-  # so far only A-records are supported (on the tailscale side)
-  # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
-  # extra_records:
+  # so far only A and AAAA records are supported (on the tailscale side)
+  # See: docs/ref/dns.md
+  extra_records: []
  #   - name: "grafana.myvpn.example.com"
  #     type: "A"
  #     value: "100.64.0.3"
  #
  #   # you can also put it in one line
  #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
-
-  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
-  # Only works if there is at least a nameserver defined.
-  magic_dns: true
-
-  # DEPRECATED
-  # Use the username as part of the DNS name for nodes, with this option enabled:
-  # node1.username.example.com
-  # while when this is disabled:
-  # node1.example.com
-  # This is a legacy option as Headscale has have this wrongly implemented
-  # while in upstream Tailscale, the username is not included.
-  use_username_in_magic_dns: false
-
-  # Defines the base domain to create the hostnames for MagicDNS.
-  # `base_domain` must be a FQDNs, without the trailing dot.
-  # The FQDN of the hosts will be
-  # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
-  base_domain: example.com
+  #
+  # Alternatively, extra DNS records can be loaded from a JSON file.
+  # Headscale processes this file on each change.
+  # extra_records_path: /var/lib/headscale/extra-records.json

 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
 unix_socket: /var/run/headscale/headscale.sock
 unix_socket_permission: "0770"
-#
-# headscale supports experimental OpenID connect support,
-# it is still being tested and might have some bugs, please
-# help us test it.
+
 # OpenID Connect
 # oidc:
+#   # Block startup until the identity provider is available and healthy.
 #   only_start_if_oidc_is_available: true
+#
+#   # OpenID Connect Issuer URL from the identity provider
 #   issuer: "https://your-oidc.issuer.com/path"
+#
+#   # Client ID from the identity provider
 #   client_id: "your-oidc-client-id"
+#
+#   # Client secret generated by the identity provider
+#   # Note: client_secret and client_secret_path are mutually exclusive.
 #   client_secret: "your-oidc-client-secret"
 #   # Alternatively, set `client_secret_path` to read the secret from the file.
 #   # It resolves environment variables, making integration to systemd's
 #   # `LoadCredential` straightforward:
 #   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
-#   # client_secret and client_secret_path are mutually exclusive.
 #
-#   # The amount of time from a node is authenticated with OpenID until it
-#   # expires and needs to reauthenticate.
+#   # The amount of time a node is authenticated with OpenID until it expires
+#   # and needs to reauthenticate.
 #   # Setting the value to "0" will mean no expiry.
 #   expiry: 180d
 #
 #   # Use the expiry from the token received from OpenID when the user logged
-#   # in, this will typically lead to frequent need to reauthenticate and should
-#   # only been enabled if you know what you are doing.
+#   # in. This will typically lead to frequent need to reauthenticate and should
+#   # only be enabled if you know what you are doing.
 #   # Note: enabling this will cause `oidc.expiry` to be ignored.
 #   use_expiry_from_token: false
 #
-#   # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
-#   # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+#   # The OIDC scopes to use, defaults to "openid", "profile" and "email".
+#   # Custom scopes can be configured as needed, be sure to always include the
+#   # required "openid" scope.
+#   scope: ["openid", "profile", "email"]
 #
-#   scope: ["openid", "profile", "email", "custom"]
+#   # Provide custom key/value pairs which get sent to the identity provider's
+#   # authorization endpoint.
 #   extra_params:
 #     domain_hint: example.com
 #
-#   # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
-#   # authentication request will be rejected.
-#
+#   # Only accept users whose email domain is part of the allowed_domains list.
 #   allowed_domains:
 #     - example.com
-#   # Note: Groups from keycloak have a leading '/'
-#   allowed_groups:
-#     - /headscale
+#
+#   # Only accept users whose email address is part of the allowed_users list.
 #   allowed_users:
 #     - alice@example.com
 #
-#   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
-#   # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
-#   # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
-#   user: `first-name.last-name.example.com`
+#   # Only accept users which are members of at least one group in the
+#   # allowed_groups list.
+#   allowed_groups:
+#     - /headscale
 #
-#   strip_email_domain: true
+#   # Optional: PKCE (Proof Key for Code Exchange) configuration
+#   # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
+#   # by preventing authorization code interception attacks
+#   # See https://datatracker.ietf.org/doc/html/rfc7636
+#   pkce:
+#     # Enable or disable PKCE support (default: false)
+#     enabled: false
+#
+#     # PKCE method to use:
+#     # - plain: Use plain code verifier
+#     # - S256: Use SHA256 hashed code verifier (default, recommended)
+#     method: S256

 # Logtail configuration
 # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
--- a/docs/about/clients.md
+++ b/docs/about/clients.md
@@ -0,0 +1,16 @@
+# Client and operating system support
+
+We aim to support the [**last 10 releases** of the Tailscale client](https://tailscale.com/changelog#client) on all
+provided operating systems and platforms. Some platforms might require additional configuration to connect with
+headscale.
+
+| OS      | Supports headscale                                                                                    |
+| ------- | ----------------------------------------------------------------------------------------------------- |
+| Linux   | Yes                                                                                                   |
+| OpenBSD | Yes                                                                                                   |
+| FreeBSD | Yes                                                                                                   |
+| Windows | Yes (see [docs](../usage/connect/windows.md) and `/windows` on your headscale for more information)   |
+| Android | Yes (see [docs](../usage/connect/android.md) for more information)                                    |
+| macOS   | Yes (see [docs](../usage/connect/apple.md#macos) and `/apple` on your headscale for more information) |
+| iOS     | Yes (see [docs](../usage/connect/apple.md#ios) and `/apple` on your headscale for more information)   |
+| tvOS    | Yes (see [docs](../usage/connect/apple.md#tvos) and `/apple` on your headscale for more information)  |
--- a/docs/about/contributing.md
+++ b/docs/about/contributing.md
@@ -0,0 +1,3 @@
+{%
+    include-markdown "../../CONTRIBUTING.md"
+%}
--- a/docs/about/faq.md
+++ b/docs/about/faq.md
@@ -0,0 +1,136 @@
+# Frequently Asked Questions
+
+## What is the design goal of headscale?
+
+Headscale aims to implement a self-hosted, open source alternative to the
+[Tailscale](https://tailscale.com/) control server. Headscale's goal is to
+provide self-hosters and hobbyists with an open-source server they can use for
+their projects and labs. It implements a narrow scope, a _single_ Tailscale
+network (tailnet), suitable for a personal use, or a small open-source
+organisation.
+
+## How can I contribute?
+
+Headscale is "Open Source, acknowledged contribution", this means that any
+contribution will have to be discussed with the Maintainers before being submitted.
+
+Please see [Contributing](contributing.md) for more information.
+
+## Why is 'acknowledged contribution' the chosen model?
+
+Both maintainers have full-time jobs and families, and we want to avoid burnout. We also want to avoid frustration from contributors when their PRs are not accepted.
+
+We are more than happy to exchange emails, or to have dedicated calls before a PR is submitted.
+
+## When/Why is Feature X going to be implemented?
+
+We don't know. We might be working on it. If you're interested in contributing, please post a feature request about it.
+
+Please be aware that there are a number of reasons why we might not accept specific contributions:
+
+- It is not possible to implement the feature in a way that makes sense in a self-hosted environment.
+- Given that we are reverse-engineering Tailscale to satisfy our own curiosity, we might be interested in implementing the feature ourselves.
+- You are not sending unit and integration tests with it.
+
+## Do you support Y method of deploying headscale?
+
+We currently support deploying headscale using our binaries and the DEB packages. Visit our [installation guide using
+official releases](../setup/install/official.md) for more information.
+
+In addition to that, you may use packages provided by the community or from distributions. Learn more in the
+[installation guide using community packages](../setup/install/community.md).
+
+For convenience, we also [build container images with headscale](../setup/install/container.md). But **please be aware that
+we don't officially support deploying headscale using Docker**. On our [Discord server](https://discord.gg/c84AZQhmpx)
+we have a "docker-issues" channel where you can ask for Docker-specific help to the community.
+
+## Scaling / How many clients does Headscale support?
+
+It depends. As often stated, Headscale is not enterprise software and our focus
+is homelabbers and self-hosters. Of course, we do not prevent people from using
+it in a commercial/professional setting and often get questions about scaling.
+
+Please note that when Headscale is developed, performance is not part of the
+consideration as the main audience is considered to be users with a modest
+amount of devices. We focus on correctness and feature parity with Tailscale
+SaaS over time.
+
+To understand if you might be able to use Headscale for your use case, I will
+describe two scenarios in an effort to explain what is the central bottleneck
+of Headscale:
+
+1. An environment with 1000 servers
+
+   - they rarely "move" (change their endpoints)
+   - new nodes are added rarely
+
+2. An environment with 80 laptops/phones (end user devices)
+
+   - nodes move often, e.g. switching from home to office
+
+Headscale calculates a map of all nodes that need to talk to each other,
+creating this "world map" requires a lot of CPU time. When an event that
+requires changes to this map happens, the whole "world" is recalculated, and a
+new "world map" is created for every node in the network.
+
+This means that under certain conditions, Headscale can likely handle 100s
+of devices (maybe more), if there is _little to no change_ happening in the
+network. For example, in Scenario 1, the process of computing the world map is
+extremely demanding due to the size of the network, but when the map has been
+created and the nodes are not changing, the Headscale instance will likely
+return to a very low resource usage until the next time there is an event
+requiring the new map.
+
+In the case of Scenario 2, the process of computing the world map is less
+demanding due to the smaller size of the network, however, the type of nodes
+will likely change frequently, which would lead to a constant resource usage.
+
+Headscale will start to struggle when the two scenarios overlap, e.g. many nodes
+with frequent changes will cause the resource usage to remain constantly high.
+In the worst case scenario, the queue of nodes waiting for their map will grow
+to a point where Headscale never will be able to catch up, and nodes will never
+learn about the current state of the world.
+
+We expect that the performance will improve over time as we improve the code
+base, but it is not a focus. In general, we will never make the tradeoff to make
+things faster on the cost of less maintainable or readable code. We are a small
+team and have to optimise for maintainability.
+
+## Which database should I use?
+
+We recommend the use of SQLite as database for headscale:
+
+- SQLite is simple to setup and easy to use
+- It scales well for all of headscale's use cases
+- Development and testing happens primarily on SQLite
+- PostgreSQL is still supported, but is considered to be in "maintenance mode"
+
+The headscale project itself does not provide a tool to migrate from PostgreSQL to SQLite. Please have a look at [the
+related tools documentation](../ref/integration/tools.md) for migration tooling provided by the community.
+
+The choice of database has little to no impact on the performance of the server,
+see [Scaling / How many clients does Headscale support?](#scaling-how-many-clients-does-headscale-support) for understanding how Headscale spends its resources.
+
+## Why is my reverse proxy not working with headscale?
+
+We don't know. We don't use reverse proxies with headscale ourselves, so we don't have any experience with them. We have
+[community documentation](../ref/integration/reverse-proxy.md) on how to configure various reverse proxies, and a
+dedicated "reverse-proxy-issues" channel on our [Discord server](https://discord.gg/c84AZQhmpx) where you can ask for
+help to the community.
+
+## Can I use headscale and tailscale on the same machine?
+
+Running headscale on a machine that is also in the tailnet can cause problems with subnet routers, traffic relay nodes, and MagicDNS. It might work, but it is not supported.
+
+## Why do two nodes see each other in their status, even if an ACL allows traffic only in one direction?
+
+A frequent use case is to allow traffic only from one node to another, but not the other way around. For example, the
+workstation of an administrator should be able to connect to all nodes but the nodes themselves shouldn't be able to
+connect back to the administrator's node. Why do all nodes see the administrator's workstation in the output of
+`tailscale status`?
+
+This is essentially how Tailscale works. If traffic is allowed to flow in one direction, then both nodes see each other
+in their output of `tailscale status`. Traffic is still filtered according to the ACL, with the exception of `tailscale
+ping` which is always allowed in either direction.
+
+See also <https://tailscale.com/kb/1087/device-visibility>.
--- a/docs/about/features.md
+++ b/docs/about/features.md
@@ -0,0 +1,37 @@
+# Features
+
+Headscale aims to implement a self-hosted, open source alternative to the Tailscale control server. Headscale's goal is
+to provide self-hosters and hobbyists with an open-source server they can use for their projects and labs. This page
+provides on overview of Headscale's feature and compatibility with the Tailscale control server:
+
+- [x] Full "base" support of Tailscale's features
+- [x] Node registration
+    - [x] Interactive
+    - [x] Pre authenticated key
+- [x] [DNS](../ref/dns.md)
+    - [x] [MagicDNS](https://tailscale.com/kb/1081/magicdns)
+    - [x] [Global and restricted nameservers (split DNS)](https://tailscale.com/kb/1054/dns#nameservers)
+    - [x] [search domains](https://tailscale.com/kb/1054/dns#search-domains)
+    - [x] [Extra DNS records (Headscale only)](../ref/dns.md#setting-extra-dns-records)
+- [x] [Taildrop (File Sharing)](https://tailscale.com/kb/1106/taildrop)
+- [x] [Routes](../ref/routes.md)
+    - [x] [Subnet routers](../ref/routes.md#subnet-router)
+    - [x] [Exit nodes](../ref/routes.md#exit-node)
+- [x] Dual stack (IPv4 and IPv6)
+- [x] Ephemeral nodes
+- [x] Embedded [DERP server](https://tailscale.com/kb/1232/derp-servers)
+- [x] Access control lists ([GitHub label "policy"](https://github.com/juanfont/headscale/labels/policy%20%F0%9F%93%9D))
+    - [x] ACL management via API
+    - [x] Some [Autogroups](https://tailscale.com/kb/1396/targets#autogroups), currently: `autogroup:internet`,
+      `autogroup:nonroot`, `autogroup:member`, `autogroup:tagged`
+    - [x] [Auto approvers](https://tailscale.com/kb/1337/acl-syntax#auto-approvers) for [subnet
+      routers](../ref/routes.md#automatically-approve-routes-of-a-subnet-router) and [exit
+      nodes](../ref/routes.md#automatically-approve-an-exit-node-with-auto-approvers)
+    - [x] [Tailscale SSH](https://tailscale.com/kb/1193/tailscale-ssh)
+* [x] [Node registration using Single-Sign-On (OpenID Connect)](../ref/oidc.md) ([GitHub label "OIDC"](https://github.com/juanfont/headscale/labels/OIDC))
+    - [x] Basic registration
+    - [x] Update user profile from identity provider
+    - [ ] OIDC groups cannot be used in ACLs
+- [ ] [Funnel](https://tailscale.com/kb/1223/funnel) ([#1040](https://github.com/juanfont/headscale/issues/1040))
+- [ ] [Serve](https://tailscale.com/kb/1312/serve) ([#1234](https://github.com/juanfont/headscale/issues/1921))
+- [ ] [Network flow logs](https://tailscale.com/kb/1219/network-flow-logs) ([#1687](https://github.com/juanfont/headscale/issues/1687))
--- a/docs/about/help.md
+++ b/docs/about/help.md
@@ -0,0 +1,5 @@
+# Getting help
+
+Join our [Discord server](https://discord.gg/c84AZQhmpx) for announcements and community support.
+
+Please report bugs via [GitHub issues](https://github.com/juanfont/headscale/issues)
--- a/docs/about/releases.md
+++ b/docs/about/releases.md
@@ -0,0 +1,10 @@
+# Releases
+
+All headscale releases are available on the [GitHub release page](https://github.com/juanfont/headscale/releases). Those
+releases are available as binaries for various platforms and architectures, packages for Debian based systems and source
+code archives. Container images are available on [Docker Hub](https://hub.docker.com/r/headscale/headscale) and
+[GitHub Container Registry](https://github.com/juanfont/headscale/pkgs/container/headscale).
+
+An Atom/RSS feed of headscale releases is available [here](https://github.com/juanfont/headscale/releases.atom).
+
+See the "announcements" channel on our [Discord server](https://discord.gg/c84AZQhmpx) for news about headscale.
--- a/docs/about/sponsor.md
+++ b/docs/about/sponsor.md
@@ -0,0 +1,4 @@
+# Sponsor
+
+If you like to support the development of headscale, please consider a donation via
+[ko-fi.com/headscale](https://ko-fi.com/headscale). Thank you!
--- a/docs/dns-records.md
+++ b/docs/dns-records.md
@@ -1,92 +0,0 @@
-# Setting custom DNS records
-
-!!! warning "Community documentation"
-
-    This page is not actively maintained by the headscale authors and is
-    written by community members. It is _not_ verified by `headscale` developers.
-
-    **It might be outdated and it might miss necessary steps**.
-
-## Goal
-
-This documentation has the goal of showing how a user can set custom DNS records with `headscale`s magic dns.
-An example use case is to serve apps on the same host via a reverse proxy like NGINX, in this case a Prometheus monitoring stack. This allows to nicely access the service with "http://grafana.myvpn.example.com" instead of the hostname and portnum combination "http://hostname-in-magic-dns.myvpn.example.com:3000".
-
-## Setup
-
-### 1. Change the configuration
-
-1. Change the `config.yaml` to contain the desired records like so:
-
-    ```yaml
-    dns_config:
-      ...
-      extra_records:
-        - name: "prometheus.myvpn.example.com"
-          type: "A"
-          value: "100.64.0.3"
-
-        - name: "grafana.myvpn.example.com"
-          type: "A"
-          value: "100.64.0.3"
-      ...
-    ```
-
-1. Restart your headscale instance.
-
-    !!! warning
-
-        Beware of the limitations listed later on!
-
-### 2. Verify that the records are set
-
-You can use a DNS querying tool of your choice on one of your hosts to verify that your newly set records are actually available in MagicDNS, here we used [`dig`](https://man.archlinux.org/man/dig.1.en):
-
-```
-$ dig grafana.myvpn.example.com
-
-; <<>> DiG 9.18.10 <<>> grafana.myvpn.example.com
-;; global options: +cmd
-;; Got answer:
-;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44054
-;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
-
-;; OPT PSEUDOSECTION:
-; EDNS: version: 0, flags:; udp: 65494
-;; QUESTION SECTION:
-;grafana.myvpn.example.com.         IN      A
-
-;; ANSWER SECTION:
-grafana.myvpn.example.com.  593     IN      A       100.64.0.3
-
-;; Query time: 0 msec
-;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
-;; WHEN: Sat Dec 31 11:46:55 CET 2022
-;; MSG SIZE  rcvd: 66
-```
-
-### 3. Optional: Setup the reverse proxy
-
-The motivating example here was to be able to access internal monitoring services on the same host without specifying a port:
-
-```
-server {
-    listen 80;
-    listen [::]:80;
-
-    server_name grafana.myvpn.example.com;
-
-    location / {
-        proxy_pass http://localhost:3000;
-        proxy_set_header Host $http_host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
-
-}
-```
-
-## Limitations
-
-[Not all types of records are supported](https://github.com/tailscale/tailscale/blob/6edf357b96b28ee1be659a70232c0135b2ffedfd/ipn/ipnlocal/local.go#L2989-L3007), especially no CNAME records.
--- a/docs/exit-node.md
+++ b/docs/exit-node.md
@@ -1,49 +0,0 @@
-# Exit Nodes
-
-## On the node
-
-Register the node and make it advertise itself as an exit node:
-
-```console
-$ sudo tailscale up --login-server https://my-server.com --advertise-exit-node
-```
-
-If the node is already registered, it can advertise exit capabilities like this:
-
-```console
-$ sudo tailscale set --advertise-exit-node
-```
-
-To use a node as an exit node, IP forwarding must be enabled on the node. Check the official [Tailscale documentation](https://tailscale.com/kb/1019/subnets/?tab=linux#enable-ip-forwarding) for how to enable IP forwarding.
-
-## On the control server
-
-```console
-$ # list nodes
-$ headscale routes list
-ID | Machine | Prefix    | Advertised | Enabled | Primary
-1  |         | 0.0.0.0/0 | false      | false   | -
-2  |         | ::/0      | false      | false   | -
-3  | phobos  | 0.0.0.0/0 | true       | false   | -
-4  | phobos  | ::/0      | true       | false   | -
-$ # enable routes for phobos
-$ headscale routes enable -r 3
-$ headscale routes enable -r 4
-$ # Check node list again. The routes are now enabled.
-$ headscale routes list
-ID | Machine | Prefix    | Advertised | Enabled | Primary
-1  |         | 0.0.0.0/0 | false      | false   | -
-2  |         | ::/0      | false      | false   | -
-3  | phobos  | 0.0.0.0/0 | true       | true    | -
-4  | phobos  | ::/0      | true       | true    | -
-```
-
-## On the client
-
-The exit node can now be used with:
-
-```console
-$ sudo tailscale set --exit-node phobos
-```
-
-Check the official [Tailscale documentation](https://tailscale.com/kb/1103/exit-nodes/?q=exit#step-3-use-the-exit-node) for how to do it on your device.
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -1,57 +0,0 @@
---
-hide:
-  - navigation
---
-
-# Frequently Asked Questions
-
-## What is the design goal of headscale?
-
-`headscale` aims to implement a self-hosted, open source alternative to the [Tailscale](https://tailscale.com/)
-control server.
-`headscale`'s goal is to provide self-hosters and hobbyists with an open-source
-server they can use for their projects and labs.
-It implements a narrow scope, a _single_ Tailnet, suitable for a personal use, or a small
-open-source organisation.
-
-## How can I contribute?
-
-Headscale is "Open Source, acknowledged contribution", this means that any
-contribution will have to be discussed with the Maintainers before being submitted.
-
-Headscale is open to code contributions for bug fixes without discussion.
-
-If you find mistakes in the documentation, please also submit a fix to the documentation.
-
-## Why is 'acknowledged contribution' the chosen model?
-
-Both maintainers have full-time jobs and families, and we want to avoid burnout. We also want to avoid frustration from contributors when their PRs are not accepted.
-
-We are more than happy to exchange emails, or to have dedicated calls before a PR is submitted.
-
-## When/Why is Feature X going to be implemented?
-
-We don't know. We might be working on it. If you want to help, please send us a PR.
-
-Please be aware that there are a number of reasons why we might not accept specific contributions:
-
- It is not possible to implement the feature in a way that makes sense in a self-hosted environment.
- Given that we are reverse-engineering Tailscale to satisfy our own curiosity, we might be interested in implementing the feature ourselves.
- You are not sending unit and integration tests with it.
-
-## Do you support Y method of deploying Headscale?
-
-We currently support deploying `headscale` using our binaries and the DEB packages. Both can be found in the
-[GitHub releases page](https://github.com/juanfont/headscale/releases).
-
-In addition to that, there are semi-official RPM packages by the Fedora infra team https://copr.fedorainfracloud.org/coprs/jonathanspw/headscale/
-
-For convenience, we also build Docker images with `headscale`. But **please be aware that we don't officially support deploying `headscale` using Docker**. We have a [Discord channel](https://discord.com/channels/896711691637780480/1070619770942148618) where you can ask for Docker-specific help to the community.
-
-## Why is my reverse proxy not working with Headscale?
-
-We don't know. We don't use reverse proxies with `headscale` ourselves, so we don't have any experience with them. We have [community documentation](https://headscale.net/reverse-proxy/) on how to configure various reverse proxies, and a dedicated [Discord channel](https://discord.com/channels/896711691637780480/1070619818346164324) where you can ask for help to the community.
-
-## Can I use headscale and tailscale on the same machine?
-
-Running headscale on a machine that is also in the tailnet can cause problems with subnet routers, traffic relay nodes, and MagicDNS. It might work, but it is not supported.
--- a/docs/glossary.md
+++ b/docs/glossary.md
@@ -1,6 +0,0 @@
-# Glossary
-
-| Term      | Description                                                                                                                                 |
-| --------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
-| Machine   | A machine is a single entity connected to `headscale`, typically an installation of Tailscale. Also known as **Node**                       |
-| Namespace | A namespace was a logical grouping of machines "owned" by the same entity, in Tailscale, this is typically a User (This is now called user) |
--- a/docs/iOS-client.md
+++ b/docs/iOS-client.md
@@ -1,30 +0,0 @@
-# Connecting an iOS client
-
-## Goal
-
-This documentation has the goal of showing how a user can use the official iOS [Tailscale](https://tailscale.com) client with `headscale`.
-
-## Installation
-
-Install the official Tailscale iOS client from the [App Store](https://apps.apple.com/app/tailscale/id1470499037).
-
-Ensure that the installed version is at least 1.38.1, as that is the first release to support alternate control servers.
-
-## Configuring the headscale URL
-
-!!! info "Apple devices"
-
-    An endpoint with information on how to connect your Apple devices
-    (currently macOS only) is available at `/apple` on your running instance.
-
-Ensure that the tailscale app is logged out before proceeding.
-
-Go to iOS settings, scroll down past game center and tv provider to the tailscale app and select it. The headscale URL can be entered into the _"ALTERNATE COORDINATION SERVER URL"_ box.
-
-> **Note**
->
-> If the app was previously logged into tailscale, toggle on the _Reset Keychain_ switch.
-
-Restart the app by closing it from the iOS app switcher, open the app and select the regular _Sign in_ option (non-SSO), and it should open up to the headscale authentication page.
-
-Enter your credentials and log in. Headscale should now be working on your iOS device.
--- a/docs/images/headscale-sealos-grpc-url.png
+++ b/docs/images/headscale-sealos-grpc-url.png
--- a/docs/images/headscale-sealos-url.png
+++ b/docs/images/headscale-sealos-url.png
--- a/docs/images/windows-registry.png
+++ b/docs/images/windows-registry.png
--- a/docs/index.md
+++ b/docs/index.md
@@ -4,40 +4,34 @@ hide:
  - toc
 ---

-# headscale
+# Welcome to headscale

-`headscale` is an open source, self-hosted implementation of the Tailscale control server.
+Headscale is an open source, self-hosted implementation of the Tailscale control server.

-This page contains the documentation for the latest version of headscale. Please also check our [FAQ](faq.md).
+This page contains the documentation for the latest version of headscale. Please also check our [FAQ](./about/faq.md).

-Join our [Discord](https://discord.gg/c84AZQhmpx) server for a chat and community support.
+Join our [Discord server](https://discord.gg/c84AZQhmpx) for a chat and community support.

 ## Design goal

-Headscale aims to implement a self-hosted, open source alternative to the Tailscale
-control server.
-Headscale's goal is to provide self-hosters and hobbyists with an open-source
-server they can use for their projects and labs.
-It implements a narrower scope, a single Tailnet, suitable for a personal use, or a small
-open-source organisation.
+Headscale aims to implement a self-hosted, open source alternative to the
+[Tailscale](https://tailscale.com/) control server. Headscale's goal is to
+provide self-hosters and hobbyists with an open-source server they can use for
+their projects and labs. It implements a narrow scope, a _single_ Tailscale
+network (tailnet), suitable for a personal use, or a small open-source
+organisation.

 ## Supporting headscale

-If you like `headscale` and find it useful, there is a sponsorship and donation
-buttons available in the repo.
+Please see [Sponsor](about/sponsor.md) for more information.

 ## Contributing

 Headscale is "Open Source, acknowledged contribution", this means that any
 contribution will have to be discussed with the Maintainers before being submitted.

-This model has been chosen to reduce the risk of burnout by limiting the
-maintenance overhead of reviewing and validating third-party code.
-
-Headscale is open to code contributions for bug fixes without discussion.
-
-If you find mistakes in the documentation, please submit a fix to the documentation.
+Please see [Contributing](about/contributing.md) for more information.

 ## About

-`headscale` is maintained by [Kristoffer Dalby](https://kradalby.no/) and [Juan Font](https://font.eu).
+Headscale is maintained by [Kristoffer Dalby](https://kradalby.no/) and [Juan Font](https://font.eu).
--- a/docs/oidc.md
+++ b/docs/oidc.md
@@ -1,174 +0,0 @@
-# Configuring Headscale to use OIDC authentication
-
-In order to authenticate users through a centralized solution one must enable the OIDC integration.
-
-Known limitations:
-
- No dynamic ACL support
- OIDC groups cannot be used in ACLs
-
-## Basic configuration
-
-In your `config.yaml`, customize this to your liking:
-
-```yaml
-oidc:
-  # Block further startup until the OIDC provider is healthy and available
-  only_start_if_oidc_is_available: true
-  # Specified by your OIDC provider
-  issuer: "https://your-oidc.issuer.com/path"
-  # Specified/generated by your OIDC provider
-  client_id: "your-oidc-client-id"
-  client_secret: "your-oidc-client-secret"
-  # alternatively, set `client_secret_path` to read the secret from the file.
-  # It resolves environment variables, making integration to systemd's
-  # `LoadCredential` straightforward:
-  #client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
-  # as third option, it's also possible to load the oidc secret from environment variables
-  # set HEADSCALE_OIDC_CLIENT_SECRET to the required value
-
-  # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
-  # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
-  scope: ["openid", "profile", "email", "custom"]
-  # Optional: Passed on to the browser login request – used to tweak behaviour for the OIDC provider
-  extra_params:
-    domain_hint: example.com
-
-  # Optional: List allowed principal domains and/or users. If an authenticated user's domain is not in this list,
-  # the authentication request will be rejected.
-  allowed_domains:
-    - example.com
-  # Optional. Note that groups from Keycloak have a leading '/'.
-  allowed_groups:
-    - /headscale
-  # Optional.
-  allowed_users:
-    - alice@example.com
-
-  # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
-  # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
-  # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
-  # user: `first-name.last-name.example.com`
-  strip_email_domain: true
-```
-
-## Azure AD example
-
-In order to integrate Headscale with Azure Active Directory, we'll need to provision an App Registration with the correct scopes and redirect URI. Here with Terraform:
-
-```hcl
-resource "azuread_application" "headscale" {
-  display_name = "Headscale"
-
-  sign_in_audience = "AzureADMyOrg"
-  fallback_public_client_enabled = false
-
-  required_resource_access {
-    // Microsoft Graph
-    resource_app_id = "00000003-0000-0000-c000-000000000000"
-
-    resource_access {
-      // scope: profile
-      id   = "14dad69e-099b-42c9-810b-d002981feec1"
-      type = "Scope"
-    }
-    resource_access {
-      // scope: openid
-      id   = "37f7f235-527c-4136-accd-4a02d197296e"
-      type = "Scope"
-    }
-    resource_access {
-      // scope: email
-      id   = "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0"
-      type = "Scope"
-    }
-  }
-  web {
-    # Points at your running Headscale instance
-    redirect_uris = ["https://headscale.example.com/oidc/callback"]
-
-    implicit_grant {
-      access_token_issuance_enabled = false
-      id_token_issuance_enabled = true
-    }
-  }
-
-  group_membership_claims = ["SecurityGroup"]
-  optional_claims {
-    # Expose group memberships
-    id_token {
-      name = "groups"
-    }
-  }
-}
-
-resource "azuread_application_password" "headscale-application-secret" {
-  display_name          = "Headscale Server"
-  application_object_id = azuread_application.headscale.object_id
-}
-
-resource "azuread_service_principal" "headscale" {
-  application_id = azuread_application.headscale.application_id
-}
-
-resource "azuread_service_principal_password" "headscale" {
-  service_principal_id = azuread_service_principal.headscale.id
-  end_date_relative    = "44640h"
-}
-
-output "headscale_client_id" {
-  value = azuread_application.headscale.application_id
-}
-
-output "headscale_client_secret" {
-  value = azuread_application_password.headscale-application-secret.value
-}
-```
-
-And in your Headscale `config.yaml`:
-
-```yaml
-oidc:
-  issuer: "https://login.microsoftonline.com/<tenant-UUID>/v2.0"
-  client_id: "<client-id-from-terraform>"
-  client_secret: "<client-secret-from-terraform>"
-
-  # Optional: add "groups"
-  scope: ["openid", "profile", "email"]
-  extra_params:
-    # Use your own domain, associated with Azure AD
-    domain_hint: example.com
-    # Optional: Force the Azure AD account picker
-    prompt: select_account
-```
-
-## Google OAuth Example
-
-In order to integrate Headscale with Google, you'll need to have a [Google Cloud Console](https://console.cloud.google.com) account.
-
-Google OAuth has a [verification process](https://support.google.com/cloud/answer/9110914?hl=en) if you need to have users authenticate who are outside of your domain. If you only need to authenticate users from your domain name (ie `@example.com`), you don't need to go through the verification process.
-
-However if you don't have a domain, or need to add users outside of your domain, you can manually add emails via Google Console.
-
-### Steps
-
-1. Go to [Google Console](https://console.cloud.google.com) and login or create an account if you don't have one.
-2. Create a project (if you don't already have one).
-3. On the left hand menu, go to `APIs and services` -> `Credentials`
-4. Click `Create Credentials` -> `OAuth client ID`
-5. Under `Application Type`, choose `Web Application`
-6. For `Name`, enter whatever you like
-7. Under `Authorised redirect URIs`, use `https://example.com/oidc/callback`, replacing example.com with your Headscale URL.
-8. Click `Save` at the bottom of the form
-9. Take note of the `Client ID` and `Client secret`, you can also download it for reference if you need it.
-10. Edit your headscale config, under `oidc`, filling in your `client_id` and `client_secret`:
-
-```yaml
-oidc:
-  issuer: "https://accounts.google.com"
-  client_id: ""
-  client_secret: ""
-  scope: ["openid", "profile", "email"]
-```
-
-You can also use `allowed_domains` and `allowed_users` to restrict the users who can authenticate.
--- a/docs/packaging/README.md
+++ b/docs/packaging/README.md
@@ -1,5 +0,0 @@
-# Packaging
-
-We use [nFPM](https://nfpm.goreleaser.com/) for making `.deb`, `.rpm` and `.apk`.
-
-This folder contains files we need to package with these releases.
--- a/docs/packaging/postinstall.sh
+++ b/docs/packaging/postinstall.sh
@@ -1,86 +0,0 @@
-#!/bin/sh
-# Determine OS platform
-# shellcheck source=/dev/null
-. /etc/os-release
-
-HEADSCALE_EXE="/usr/bin/headscale"
-BSD_HIER=""
-HEADSCALE_RUN_DIR="/var/run/headscale"
-HEADSCALE_USER="headscale"
-HEADSCALE_GROUP="headscale"
-
-ensure_sudo() {
-	if [ "$(id -u)" = "0" ]; then
-		echo "Sudo permissions detected"
-	else
-		echo "No sudo permission detected, please run as sudo"
-		exit 1
-	fi
-}
-
-ensure_headscale_path() {
-	if [ ! -f "$HEADSCALE_EXE" ]; then
-		echo "headscale not in default path, exiting..."
-		exit 1
-	fi
-
-	printf "Found headscale %s\n" "$HEADSCALE_EXE"
-}
-
-create_headscale_user() {
-	printf "PostInstall: Adding headscale user %s\n" "$HEADSCALE_USER"
-	useradd -s /bin/sh -c "headscale default user" headscale
-}
-
-create_headscale_group() {
-	if command -V systemctl >/dev/null 2>&1; then
-		printf "PostInstall: Adding headscale group %s\n" "$HEADSCALE_GROUP"
-		groupadd "$HEADSCALE_GROUP"
-
-		printf "PostInstall: Adding headscale user %s to group %s\n" "$HEADSCALE_USER" "$HEADSCALE_GROUP"
-		usermod -a -G "$HEADSCALE_GROUP" "$HEADSCALE_USER"
-	fi
-
-	if [ "$ID" = "alpine" ]; then
-		printf "PostInstall: Adding headscale group %s\n" "$HEADSCALE_GROUP"
-		addgroup "$HEADSCALE_GROUP"
-
-		printf "PostInstall: Adding headscale user %s to group %s\n" "$HEADSCALE_USER" "$HEADSCALE_GROUP"
-		addgroup "$HEADSCALE_USER" "$HEADSCALE_GROUP"
-	fi
-}
-
-create_run_dir() {
-	printf "PostInstall: Creating headscale run directory \n"
-	mkdir -p "$HEADSCALE_RUN_DIR"
-
-	printf "PostInstall: Modifying group ownership of headscale run directory \n"
-	chown "$HEADSCALE_USER":"$HEADSCALE_GROUP" "$HEADSCALE_RUN_DIR"
-}
-
-summary() {
-	echo "----------------------------------------------------------------------"
-	echo " headscale package has been successfully installed."
-	echo ""
-	echo " Please follow the next steps to start the software:"
-	echo ""
-	echo "    sudo systemctl enable headscale"
-	echo "    sudo systemctl start headscale"
-	echo ""
-	echo " Configuration settings can be adjusted here:"
-	echo "    ${BSD_HIER}/etc/headscale/config.yaml"
-	echo ""
-	echo "----------------------------------------------------------------------"
-}
-
-#
-# Main body of the script
-#
-{
-	ensure_sudo
-	ensure_headscale_path
-	create_headscale_user
-	create_headscale_group
-	create_run_dir
-	summary
-}
--- a/docs/packaging/postremove.sh
+++ b/docs/packaging/postremove.sh
@@ -1,15 +0,0 @@
-#!/bin/sh
-# Determine OS platform
-# shellcheck source=/dev/null
-. /etc/os-release
-
-if command -V systemctl >/dev/null 2>&1; then
-	echo "Stop and disable headscale service"
-	systemctl stop headscale >/dev/null 2>&1 || true
-	systemctl disable headscale >/dev/null 2>&1 || true
-	echo "Running daemon-reload"
-	systemctl daemon-reload || true
-fi
-
-echo "Removing run directory"
-rm -rf "/var/run/headscale.sock"
--- a/docs/proposals/001-acls.md
+++ b/docs/proposals/001-acls.md
@@ -1,362 +0,0 @@
-# ACLs
-
-A key component of tailscale is the notion of Tailnet. This notion is hidden
-but the implications that it have on how to use tailscale are not.
-
-For tailscale an [tailnet](https://tailscale.com/kb/1136/tailnet/) is the
-following:
-
-> For personal users, you are a tailnet of many devices and one person. Each
-> device gets a private Tailscale IP address in the CGNAT range and every
-> device can talk directly to every other device, wherever they are on the
-> internet.
->
-> For businesses and organizations, a tailnet is many devices and many users.
-> It can be based on your Microsoft Active Directory, your Google Workspace, a
-> GitHub organization, Okta tenancy, or other identity provider namespace. All
-> of the devices and users in your tailnet can be seen by the tailnet
-> administrators in the Tailscale admin console. There you can apply
-> tailnet-wide configuration, such as ACLs that affect visibility of devices
-> inside your tailnet, DNS settings, and more.
-
-## Current implementation and issues
-
-Currently in headscale, the namespaces are used both as tailnet and users. The
-issue is that if we want to use the ACL's we can't use both at the same time.
-
-Tailnet's cannot communicate with each others. So we can't have an ACL that
-authorize tailnet (namespace) A to talk to tailnet (namespace) B.
-
-We also can't write ACLs based on the users (namespaces in headscale) since all
-devices belong to the same user.
-
-With the current implementation the only ACL that we can user is to associate
-each headscale IP to a host manually then write the ACLs according to this
-manual mapping.
-
-```json
-{
-  "hosts": {
-    "host1": "100.64.0.1",
-    "server": "100.64.0.2"
-  },
-  "acls": [
-    { "action": "accept", "users": ["host1"], "ports": ["host2:80,443"] }
-  ]
-}
-```
-
-While this works, it requires a lot of manual editing on the configuration and
-to keep track of all devices IP address.
-
-## Proposition for a next implementation
-
-In order to ease the use of ACL's we need to split the tailnet and users
-notion.
-
-A solution could be to consider a headscale server (in it's entirety) as a
-tailnet.
-
-For personal users the default behavior could either allow all communications
-between all namespaces (like tailscale) or disallow all communications between
-namespaces (current behavior).
-
-For businesses and organisations, viewing a headscale instance a single tailnet
-would allow users (namespace) to talk to each other with the ACLs. As described
-in tailscale's documentation [[1]], a server should be tagged and personal
-devices should be tied to a user. Translated in headscale's terms each user can
-have multiple devices and all those devices should be in the same namespace.
-The servers should be tagged and used as such.
-
-This implementation would render useless the sharing feature that is currently
-implemented since an ACL could do the same. Simplifying to only one user
-interface to do one thing is easier and less confusing for the users.
-
-To better suit the ACLs in this proposition, it's advised to consider that each
-namespaces belong to one person. This person can have multiple devices, they
-will all be considered as the same user in the ACLs. OIDC feature wouldn't need
-to map people to namespace, just create a namespace if the person isn't
-registered yet.
-
-As a sidenote, users would like to write ACLs as YAML. We should offer users
-the ability to rules in either format (HuJSON or YAML).
-
-[1]: https://tailscale.com/kb/1068/acl-tags/
-
-## Example
-
-Let's build an example use case for a small business (It may be the place where
-ACL's are the most useful).
-
-We have a small company with a boss, an admin, two developer and an intern.
-
-The boss should have access to all servers but not to the users hosts. Admin
-should also have access to all hosts except that their permissions should be
-limited to maintaining the hosts (for example purposes). The developers can do
-anything they want on dev hosts, but only watch on productions hosts. Intern
-can only interact with the development servers.
-
-Each user have at least a device connected to the network and we have some
-servers.
-
- database.prod
- database.dev
- app-server1.prod
- app-server1.dev
- billing.internal
-
-### Current headscale implementation
-
-Let's create some namespaces
-
-```bash
-headscale namespaces create prod
-headscale namespaces create dev
-headscale namespaces create internal
-headscale namespaces create users
-
-headscale nodes register -n users boss-computer
-headscale nodes register -n users admin1-computer
-headscale nodes register -n users dev1-computer
-headscale nodes register -n users dev1-phone
-headscale nodes register -n users dev2-computer
-headscale nodes register -n users intern1-computer
-
-headscale nodes register -n prod database
-headscale nodes register -n prod app-server1
-
-headscale nodes register -n dev database
-headscale nodes register -n dev app-server1
-
-headscale nodes register -n internal billing
-
-headscale nodes list
-ID  | Name              | Namespace | IP address
-1   | boss-computer     | users     | 100.64.0.1
-2   | admin1-computer   | users     | 100.64.0.2
-3   | dev1-computer     | users     | 100.64.0.3
-4   | dev1-phone        | users     | 100.64.0.4
-5   | dev2-computer     | users     | 100.64.0.5
-6   | intern1-computer  | users     | 100.64.0.6
-7   | database          | prod      | 100.64.0.7
-8   | app-server1       | prod      | 100.64.0.8
-9   | database          | dev       | 100.64.0.9
-10  | app-server1       | dev       | 100.64.0.10
-11  | internal          | internal  | 100.64.0.11
-```
-
-In order to only allow the communications related to our description above we
-need to add the following ACLs
-
-```json
-{
-  "hosts": {
-    "boss-computer": "100.64.0.1",
-    "admin1-computer": "100.64.0.2",
-    "dev1-computer": "100.64.0.3",
-    "dev1-phone": "100.64.0.4",
-    "dev2-computer": "100.64.0.5",
-    "intern1-computer": "100.64.0.6",
-    "prod-app-server1": "100.64.0.8"
-  },
-  "groups": {
-    "group:dev": ["dev1-computer", "dev1-phone", "dev2-computer"],
-    "group:admin": ["admin1-computer"],
-    "group:boss": ["boss-computer"],
-    "group:intern": ["intern1-computer"]
-  },
-  "acls": [
-    // boss have access to all servers but no users hosts
-    {
-      "action": "accept",
-      "users": ["group:boss"],
-      "ports": ["prod:*", "dev:*", "internal:*"]
-    },
-
-    // admin have access to administration port (lets only consider port 22 here)
-    {
-      "action": "accept",
-      "users": ["group:admin"],
-      "ports": ["prod:22", "dev:22", "internal:22"]
-    },
-
-    // dev can do anything on dev servers and check access on prod servers
-    {
-      "action": "accept",
-      "users": ["group:dev"],
-      "ports": ["dev:*", "prod-app-server1:80,443"]
-    },
-
-    // interns only have access to port 80 and 443 on dev servers (lame internship)
-    { "action": "accept", "users": ["group:intern"], "ports": ["dev:80,443"] },
-
-    // users can access their own devices
-    {
-      "action": "accept",
-      "users": ["dev1-computer"],
-      "ports": ["dev1-phone:*"]
-    },
-    {
-      "action": "accept",
-      "users": ["dev1-phone"],
-      "ports": ["dev1-computer:*"]
-    },
-
-    // internal namespace communications should still be allowed within the namespace
-    { "action": "accept", "users": ["dev"], "ports": ["dev:*"] },
-    { "action": "accept", "users": ["prod"], "ports": ["prod:*"] },
-    { "action": "accept", "users": ["internal"], "ports": ["internal:*"] }
-  ]
-}
-```
-
-Since communications between namespace isn't possible we also have to share the
-devices between the namespaces.
-
-```bash
-
-// add boss host to prod, dev and internal network
-headscale nodes share -i 1 -n prod
-headscale nodes share -i 1 -n dev
-headscale nodes share -i 1 -n internal
-
-// add admin computer to prod, dev and internal network
-headscale nodes share -i 2 -n prod
-headscale nodes share -i 2 -n dev
-headscale nodes share -i 2 -n internal
-
-// add all dev to prod and dev network
-headscale nodes share -i 3 -n dev
-headscale nodes share -i 4 -n dev
-headscale nodes share -i 3 -n prod
-headscale nodes share -i 4 -n prod
-headscale nodes share -i 5 -n dev
-headscale nodes share -i 5 -n prod
-
-headscale nodes share -i 6 -n dev
-```
-
-This fake network have not been tested but it should work. Operating it could
-be quite tedious if the company grows. Each time a new user join we have to add
-it to a group, and share it to the correct namespaces. If the user want
-multiple devices we have to allow communication to each of them one by one. If
-business conduct a change in the organisations we may have to rewrite all acls
-and reorganise all namespaces.
-
-If we add servers in production we should also update the ACLs to allow dev
-access to certain category of them (only app servers for example).
-
-### example based on the proposition in this document
-
-Let's create the namespaces
-
-```bash
-headscale namespaces create boss
-headscale namespaces create admin1
-headscale namespaces create dev1
-headscale namespaces create dev2
-headscale namespaces create intern1
-```
-
-We don't need to create namespaces for the servers because the servers will be
-tagged. When registering the servers we will need to add the flag
-`--advertised-tags=tag:<tag1>,tag:<tag2>`, and the user (namespace) that is
-registering the server should be allowed to do it. Since anyone can add tags to
-a server they can register, the check of the tags is done on headscale server
-and only valid tags are applied. A tag is valid if the namespace that is
-registering it is allowed to do it.
-
-Here are the ACL's to implement the same permissions as above:
-
-```json
-{
-  // groups are simpler and only list the namespaces name
-  "groups": {
-    "group:boss": ["boss"],
-    "group:dev": ["dev1", "dev2"],
-    "group:admin": ["admin1"],
-    "group:intern": ["intern1"]
-  },
-  "tagOwners": {
-    // the administrators can add servers in production
-    "tag:prod-databases": ["group:admin"],
-    "tag:prod-app-servers": ["group:admin"],
-
-    // the boss can tag any server as internal
-    "tag:internal": ["group:boss"],
-
-    // dev can add servers for dev purposes as well as admins
-    "tag:dev-databases": ["group:admin", "group:dev"],
-    "tag:dev-app-servers": ["group:admin", "group:dev"]
-
-    // interns cannot add servers
-  },
-  "acls": [
-    // boss have access to all servers
-    {
-      "action": "accept",
-      "users": ["group:boss"],
-      "ports": [
-        "tag:prod-databases:*",
-        "tag:prod-app-servers:*",
-        "tag:internal:*",
-        "tag:dev-databases:*",
-        "tag:dev-app-servers:*"
-      ]
-    },
-
-    // admin have only access to administrative ports of the servers
-    {
-      "action": "accept",
-      "users": ["group:admin"],
-      "ports": [
-        "tag:prod-databases:22",
-        "tag:prod-app-servers:22",
-        "tag:internal:22",
-        "tag:dev-databases:22",
-        "tag:dev-app-servers:22"
-      ]
-    },
-
-    {
-      "action": "accept",
-      "users": ["group:dev"],
-      "ports": [
-        "tag:dev-databases:*",
-        "tag:dev-app-servers:*",
-        "tag:prod-app-servers:80,443"
-      ]
-    },
-
-    // servers should be able to talk to database. Database should not be able to initiate connections to server
-    {
-      "action": "accept",
-      "users": ["tag:dev-app-servers"],
-      "ports": ["tag:dev-databases:5432"]
-    },
-    {
-      "action": "accept",
-      "users": ["tag:prod-app-servers"],
-      "ports": ["tag:prod-databases:5432"]
-    },
-
-    // interns have access to dev-app-servers only in reading mode
-    {
-      "action": "accept",
-      "users": ["group:intern"],
-      "ports": ["tag:dev-app-servers:80,443"]
-    },
-
-    // we still have to allow internal namespaces communications since nothing guarantees that each user have their own namespaces. This could be talked over.
-    { "action": "accept", "users": ["boss"], "ports": ["boss:*"] },
-    { "action": "accept", "users": ["dev1"], "ports": ["dev1:*"] },
-    { "action": "accept", "users": ["dev2"], "ports": ["dev2:*"] },
-    { "action": "accept", "users": ["admin1"], "ports": ["admin1:*"] },
-    { "action": "accept", "users": ["intern1"], "ports": ["intern1:*"] }
-  ]
-}
-```
-
-With this implementation, the sharing step is not necessary. Maintenance cost
-of the ACL file is lower and less tedious (no need to map hostname and IP's
-into it).
--- a/docs/proposals/002-better-routing.md
+++ b/docs/proposals/002-better-routing.md
@@ -1,48 +0,0 @@
-# Better route management
-
-As of today, route management in Headscale is very basic and does not allow for much flexibility, including implementing subnet HA, 4via6 or more advanced features. We also have a number of bugs (e.g., routes exposed by ephemeral nodes)
-
-This proposal aims to improve the route management.
-
-## Current situation
-
-Routes advertised by the nodes are read from the Hostinfo struct. If approved from the the CLI or via autoApprovers, the route is added to the EnabledRoutes field in `Machine`.
-
-This means that the advertised routes are not persisted in the database, as Hostinfo is always replaced. In the same way, EnabledRoutes can get out of sync with the actual routes in the node.
-
-In case of colliding routes (i.e., subnets that are exposed from multiple nodes), we are currently just sending all of them in `PrimaryRoutes`... and hope for the best. (`PrimaryRoutes` is the field in `Node` used for subnet failover).
-
-## Proposal
-
-The core part is to create a new `Route` struct (and DB table), with the following fields:
-
-```go
-type Route struct {
-	ID          uint64 `gorm:"primary_key"`
-
-    Machine     *Machine
-    Prefix      IPPrefix
-
-    Advertised  bool
-    Enabled     bool
-    IsPrimary   bool
-
-
-    CreatedAt   *time.Time
-    UpdatedAt   *time.Time
-    DeletedAt   *time.Time
-}
-```
-
- The `Advertised` field is set to true if the route is being advertised by the node. It is set to false if the route is removed. This way we can indicate if a later enabled route has stopped being advertised. A similar behaviour happens in the Tailscale.com control panel.
-
- The `Enabled` field is set to true if the route is enabled - via CLI or autoApprovers.
-
- `IsPrimary` indicates if Headscale has selected this route as the primary route for that particular subnet. This allows us to implement subnet failover. This would be fully automatic if there is more than subnet routers advertising the same network - which is the behaviour of Tailscale.com.
-
-## Stuff to bear in mind
-
- We need to make sure to migrate the current `EnabledRoutes` of `Machine` into the new table.
- When a node stops sharing a subnet, I reckon we should mark it both as not `Advertised` and not `Enabled`. Users should re-enable it if the node advertises it again.
- If only one subnet router is advertising a subnet, we should mark it as primary.
- Regarding subnet failover, the current behaviour of Tailscale.com is to perform the failover after 15 seconds from the node disconnecting from their control panel. I reckon we cannot do the same currently. Our maximum granularity is the keep alive period.
--- a/docs/ref/acls.md
+++ b/docs/ref/acls.md
@@ -3,7 +3,7 @@ Headscale implements the same policy ACLs as Tailscale.com, adapted to the self-
 For instance, instead of referring to users when defining groups you must
 use users (which are the equivalent to user/logins in Tailscale.com).

-Please check https://tailscale.com/kb/1018/acls/, and `./tests/acls/` in this repo for working examples.
+Please check https://tailscale.com/kb/1018/acls/ for further information.

 When using ACL's the User borders are no longer applied. All machines
 whichever the User have the ability to communicate with other hosts as
@@ -36,36 +36,38 @@ servers.
 - billing.internal
 - router.internal

-![ACL implementation example](images/headscale-acl-network.png)
+![ACL implementation example](../images/headscale-acl-network.png)

 ## ACL setup

-Note: Users will be created automatically when users authenticate with the
-Headscale server.
+ACLs have to be written in [huJSON](https://github.com/tailscale/hujson).

-ACLs could be written either on [huJSON](https://github.com/tailscale/hujson)
-or YAML. Check the [test ACLs](../tests/acls) for further information.
-
-When registering the servers we will need to add the flag
-`--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user that is
-registering the server should be allowed to do it. Since anyone can add tags to
-a server they can register, the check of the tags is done on headscale server
-and only valid tags are applied. A tag is valid if the user that is
+When [registering the servers](../usage/getting-started.md#register-a-node) we
+will need to add the flag `--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user
+that is registering the server should be allowed to do it. Since anyone can add
+tags to a server they can register, the check of the tags is done on headscale
+server and only valid tags are applied. A tag is valid if the user that is
 registering it is allowed to do it.

-To use ACLs in headscale, you must edit your config.yaml file. In there you will find a `acl_policy_path: ""` parameter. This will need to point to your ACL file. More info on how these policies are written can be found [here](https://tailscale.com/kb/1018/acls/).
+To use ACLs in headscale, you must edit your `config.yaml` file. In there you will find a `policy.path` parameter. This
+will need to point to your ACL file. More info on how these policies are written can be found
+[here](https://tailscale.com/kb/1018/acls/).
+
+Please reload or restart Headscale after updating the ACL file. Headscale may be reloaded either via its systemd service
+(`sudo systemctl reload headscale`) or by sending a SIGHUP signal (`sudo kill -HUP $(pidof headscale)`) to the main
+process. Headscale logs the result of ACL policy processing after each reload.

 Here are the ACL's to implement the same permissions as above:

-```json
+```json title="acl.json"
 {
  // groups are collections of users having a common scope. A user can be in multiple groups
  // groups cannot be composed of groups
  "groups": {
-    "group:boss": ["boss"],
-    "group:dev": ["dev1", "dev2"],
-    "group:admin": ["admin1"],
-    "group:intern": ["intern1"]
+    "group:boss": ["boss@"],
+    "group:dev": ["dev1@", "dev2@"],
+    "group:admin": ["admin1@"],
+    "group:intern": ["intern1@"]
  },
  // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
  // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
@@ -88,7 +90,7 @@ Here are the ACL's to implement the same permissions as above:
  // to define a single host, use a /32 mask. You cannot use DNS entries here,
  // as they're prone to be hijacked by replacing their IP addresses.
  // see https://github.com/tailscale/tailscale/issues/3800 for more information.
-  "Hosts": {
+  "hosts": {
    "postgresql.internal": "10.20.0.2/32",
    "webservers.internal": "10.20.10.1/29"
  },
@@ -147,13 +149,11 @@ Here are the ACL's to implement the same permissions as above:
    },
    // developers have access to the internal network through the router.
    // the internal network is composed of HTTPS endpoints and Postgresql
-    // database servers. There's an additional rule to allow traffic to be
-    // forwarded to the internal subnet, 10.20.0.0/16. See this issue
-    // https://github.com/juanfont/headscale/issues/502
+    // database servers.
    {
      "action": "accept",
      "src": ["group:dev"],
-      "dst": ["10.20.0.0/16:443,5432", "router.internal:0"]
+      "dst": ["10.20.0.0/16:443,5432"]
    },

    // servers should be able to talk to database in tcp/5432. Database should not be able to initiate connections to
@@ -179,11 +179,11 @@ Here are the ACL's to implement the same permissions as above:

    // We still have to allow internal users communications since nothing guarantees that each user have
    // their own users.
-    { "action": "accept", "src": ["boss"], "dst": ["boss:*"] },
-    { "action": "accept", "src": ["dev1"], "dst": ["dev1:*"] },
-    { "action": "accept", "src": ["dev2"], "dst": ["dev2:*"] },
-    { "action": "accept", "src": ["admin1"], "dst": ["admin1:*"] },
-    { "action": "accept", "src": ["intern1"], "dst": ["intern1:*"] }
+    { "action": "accept", "src": ["boss@"], "dst": ["boss@:*"] },
+    { "action": "accept", "src": ["dev1@"], "dst": ["dev1@:*"] },
+    { "action": "accept", "src": ["dev2@"], "dst": ["dev2@:*"] },
+    { "action": "accept", "src": ["admin1@"], "dst": ["admin1@:*"] },
+    { "action": "accept", "src": ["intern1@"], "dst": ["intern1@:*"] }
  ]
 }
 ```
--- a/docs/ref/configuration.md
+++ b/docs/ref/configuration.md
@@ -0,0 +1,41 @@
+# Configuration
+
+- Headscale loads its configuration from a YAML file
+- It searches for `config.yaml` in the following paths:
+    - `/etc/headscale`
+    - `$HOME/.headscale`
+    - the current working directory
+- To load the configuration from a different path, use:
+    - the command line flag `-c`, `--config`
+    - the environment variable `HEADSCALE_CONFIG`
+- Validate the configuration file with: `headscale configtest`
+
+!!! example "Get the [example configuration from the GitHub repository](https://github.com/juanfont/headscale/blob/main/config-example.yaml)"
+
+    Always select the [same GitHub tag](https://github.com/juanfont/headscale/tags) as the released version you use to
+    ensure you have the correct example configuration. The `main` branch might contain unreleased changes.
+
+    === "View on GitHub"
+
+        * Development version: <https://github.com/juanfont/headscale/blob/main/config-example.yaml>
+        * Version {{ headscale.version }}: <https://github.com/juanfont/headscale/blob/v{{ headscale.version }}/config-example.yaml>
+
+    === "Download with `wget`"
+
+        ```shell
+        # Development version
+        wget -O config.yaml https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml
+
+        # Version {{ headscale.version }}
+        wget -O config.yaml https://raw.githubusercontent.com/juanfont/headscale/v{{ headscale.version }}/config-example.yaml
+        ```
+
+    === "Download with `curl`"
+
+        ```shell
+        # Development version
+        curl -o config.yaml https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml
+
+        # Version {{ headscale.version }}
+        curl -o config.yaml https://raw.githubusercontent.com/juanfont/headscale/v{{ headscale.version }}/config-example.yaml
+        ```
--- a/docs/ref/debug.md
+++ b/docs/ref/debug.md
@@ -0,0 +1,115 @@
+# Debugging and troubleshooting
+
+Headscale and Tailscale provide debug and introspection capabilities that can be helpful when things don't work as
+expected. This page explains some debugging techniques to help pinpoint problems.
+
+Please also have a look at [Tailscale's Troubleshooting guide](https://tailscale.com/kb/1023/troubleshooting). It offers
+a many tips and suggestions to troubleshoot common issues.
+
+## Tailscale
+
+The Tailscale client itself offers many commands to introspect its state as well as the state of the network:
+
+- [Check local network conditions](https://tailscale.com/kb/1080/cli#netcheck): `tailscale netcheck`
+- [Get the client status](https://tailscale.com/kb/1080/cli#status): `tailscale status --json`
+- [Get DNS status](https://tailscale.com/kb/1080/cli#dns): `tailscale dns status --all`
+- Client logs: `tailscale debug daemon-logs`
+- Client netmap: `tailscale debug netmap`
+- Test DERP connection: `tailscale debug derp headscale`
+- And many more, see: `tailscale debug --help`
+
+Many of the commands are helpful when trying to understand differences between Headscale and Tailscale SaaS.
+
+## Headscale
+
+### Application logging
+
+The log levels `debug` and `trace` can be useful to get more information from Headscale.
+
+```yaml hl_lines="3"
+log:
+  # Valid log levels: panic, fatal, error, warn, info, debug, trace
+  level: debug
+```
+
+### Database logging
+
+The database debug mode logs all database queries. Enable it to see how Headscale interacts with its database. This also
+requires the application log level to be set to either `debug` or `trace`.
+
+```yaml hl_lines="3 7"
+database:
+  # Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
+  debug: false
+
+log:
+  # Valid log levels: panic, fatal, error, warn, info, debug, trace
+  level: debug
+```
+
+### Metrics and debug endpoint
+
+Headscale provides a metrics and debug endpoint. It allows to introspect different aspects such as:
+
+- Information about the Go runtime, memory usage and statistics
+- Connected nodes and pending registrations
+- Active ACLs, filters and SSH policy
+- Current DERPMap
+- Prometheus metrics
+
+!!! warning "Keep the metrics and debug endpoint private"
+
+    The listen address and port can be configured with the `metrics_listen_addr` variable in the [configuration
+    file](./configuration.md). By default it listens on localhost, port 9090.
+
+    Keep the metrics and debug endpoint private to your internal network and don't expose it to the Internet.
+
+Query metrics via <http://localhost:9090/metrics> and get an overview of available debug information via
+<http://localhost:9090/debug/>. Metrics may be queried from outside localhost but the debug interface is subject to
+additional protection despite listening on all interfaces.
+
+=== "Direct access"
+
+    Access the debug interface directly on the server where Headscale is installed.
+
+    ```console
+    curl http://localhost:9090/debug/
+    ```
+
+=== "SSH port forwarding"
+
+    Use SSH port forwarding to forward Headscale's metrics and debug port to your device.
+
+    ```console
+    ssh <HEADSCALE_SERVER> -L 9090:localhost:9090
+    ```
+
+    Access the debug interface on your device by opening <http://localhost:9090/debug/> in your web browser.
+
+=== "Via debug key"
+
+    The access control of the debug interface supports the use of a debug key. Traffic is accepted if the path to a
+    debug key is set via the environment variable `TS_DEBUG_KEY_PATH` and the debug key sent as value for `debugkey`
+    parameter with each request.
+
+    ```console
+    openssl rand -hex 32 | tee debugkey.txt
+    export TS_DEBUG_KEY_PATH=debugkey.txt
+    headscale serve
+    ```
+
+    Access the debug interface on your device by opening `http://<IP_OF_HEADSCALE>:9090/debug/?debugkey=<DEBUG_KEY>` in
+    your web browser. The `debugkey` parameter must be sent with every request.
+
+=== "Via debug IP address"
+
+    The debug endpoint expects traffic from localhost. A different debug IP address may be configured by setting the
+    `TS_ALLOW_DEBUG_IP` environment variable before starting Headscale. The debug IP address is ignored when the HTTP
+    header `X-Forwarded-For` is present.
+
+    ```console
+    export TS_ALLOW_DEBUG_IP=192.168.0.10       # IP address of your device
+    headscale serve
+    ```
+
+    Access the debug interface on your device by opening `http://<IP_OF_HEADSCALE>:9090/debug/` in your web browser.
--- a/docs/ref/dns.md
+++ b/docs/ref/dns.md
@@ -0,0 +1,111 @@
+# DNS
+
+Headscale supports [most DNS features](../about/features.md) from Tailscale. DNS related settings can be configured
+within `dns` section of the [configuration file](./configuration.md).
+
+## Setting extra DNS records
+
+Headscale allows to set extra DNS records which are made available via
+[MagicDNS](https://tailscale.com/kb/1081/magicdns). Extra DNS records can be configured either via static entries in the
+[configuration file](./configuration.md) or from a JSON file that Headscale continuously watches for changes:
+
+- Use the `dns.extra_records` option in the [configuration file](./configuration.md) for entries that are static and
+  don't change while Headscale is running. Those entries are processed when Headscale is starting up and changes to the
+  configuration require a restart of Headscale.
+- For dynamic DNS records that may be added, updated or removed while Headscale is running or DNS records that are
+  generated by scripts the option `dns.extra_records_path` in the [configuration file](./configuration.md) is useful.
+  Set it to the absolute path of the JSON file containing DNS records and Headscale processes this file as it detects
+  changes.
+
+An example use case is to serve multiple apps on the same host via a reverse proxy like NGINX, in this case a Prometheus
+monitoring stack. This allows to nicely access the service with "http://grafana.myvpn.example.com" instead of the
+hostname and port combination "http://hostname-in-magic-dns.myvpn.example.com:3000".
+
+!!! warning "Limitations"
+
+    Currently, [only A and AAAA records are processed by Tailscale](https://github.com/tailscale/tailscale/blob/v1.78.3/ipn/ipnlocal/local.go#L4461-L4479).
+
+1.  Configure extra DNS records using one of the available configuration options:
+
+    === "Static entries, via `dns.extra_records`"
+
+        ```yaml title="config.yaml"
+        dns:
+          ...
+          extra_records:
+            - name: "grafana.myvpn.example.com"
+              type: "A"
+              value: "100.64.0.3"
+
+            - name: "prometheus.myvpn.example.com"
+              type: "A"
+              value: "100.64.0.3"
+          ...
+        ```
+
+        Restart your headscale instance.
+
+    === "Dynamic entries, via `dns.extra_records_path`"
+
+        ```json title="extra-records.json"
+        [
+          {
+            "name": "grafana.myvpn.example.com",
+            "type": "A",
+            "value": "100.64.0.3"
+          },
+          {
+            "name": "prometheus.myvpn.example.com",
+            "type": "A",
+            "value": "100.64.0.3"
+          }
+        ]
+        ```
+
+        Headscale picks up changes to the above JSON file automatically.
+
+        !!! tip "Good to know"
+
+            * The `dns.extra_records_path` option in the [configuration file](./configuration.md) needs to reference the
+              JSON file containing extra DNS records.
+            * Be sure to "sort keys" and produce a stable output in case you generate the JSON file with a script.
+              Headscale uses a checksum to detect changes to the file and a stable output avoids unnecessary processing.
+
+1.  Verify that DNS records are properly set using the DNS querying tool of your choice:
+
+    === "Query with dig"
+
+        ```console
+        dig +short grafana.myvpn.example.com
+        100.64.0.3
+        ```
+
+    === "Query with drill"
+
+        ```console
+        drill -Q grafana.myvpn.example.com
+        100.64.0.3
+        ```
+
+1.  Optional: Setup the reverse proxy
+
+    The motivating example here was to be able to access internal monitoring services on the same host without
+    specifying a port, depicted as NGINX configuration snippet:
+
+    ```nginx title="nginx.conf"
+    server {
+        listen 80;
+        listen [::]:80;
+
+        server_name grafana.myvpn.example.com;
+
+        location / {
+            proxy_pass http://localhost:3000;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+
+    }
+    ```
--- a/docs/ref/integration/reverse-proxy.md
+++ b/docs/ref/integration/reverse-proxy.md
@@ -3,7 +3,7 @@
 !!! warning "Community documentation"

    This page is not actively maintained by the headscale authors and is
-    written by community members. It is _not_ verified by `headscale` developers.
+    written by community members. It is _not_ verified by headscale developers.

    **It might be outdated and it might miss necessary steps**.

@@ -11,9 +11,9 @@ Running headscale behind a reverse proxy is useful when running multiple applica

 ### WebSockets

-The reverse proxy MUST be configured to support WebSockets, as it is needed for clients running Tailscale v1.30+.
+The reverse proxy MUST be configured to support WebSockets to communicate with Tailscale clients.

-WebSockets support is required when using the headscale embedded DERP server. In this case, you will also need to expose the UDP port used for STUN (by default, udp/3478). Please check our [config-example.yaml](https://github.com/juanfont/headscale/blob/main/config-example.yaml).
+WebSockets support is also required when using the headscale embedded DERP server. In this case, you will also need to expose the UDP port used for STUN (by default, udp/3478). Please check our [config-example.yaml](https://github.com/juanfont/headscale/blob/main/config-example.yaml).

 ### Cloudflare

@@ -23,7 +23,7 @@ Running headscale behind a cloudflare proxy or cloudflare tunnel is not supporte

 Headscale can be configured not to use TLS, leaving it to the reverse proxy to handle. Add the following configuration values to your headscale config file.

-```yaml
+```yaml title="config.yaml"
 server_url: https://<YOUR_SERVER_NAME> # This should be the FQDN at which headscale will be served
 listen_addr: 0.0.0.0:8080
 metrics_listen_addr: 0.0.0.0:9090
@@ -35,7 +35,7 @@ tls_key_path: ""

 The following example configuration can be used in your nginx setup, substituting values as necessary. `<IP:PORT>` should be the IP address and port where headscale is running. In most cases, this will be `http://localhost:8080`.

-```Nginx
+```nginx title="nginx.conf"
 map $http_upgrade $connection_upgrade {
    default      upgrade;
    ''           close;
@@ -80,7 +80,7 @@ Sending local reply with details upgrade_failed

 ### Envoy

-You need add a new upgrade_type named `tailscale-control-protocol`. [see detail](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-upgradeconfig)
+You need to add a new upgrade_type named `tailscale-control-protocol`. [see details](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-upgradeconfig)

 ### Istio

@@ -113,7 +113,7 @@ spec:

 The following Caddyfile is all that is necessary to use Caddy as a reverse proxy for headscale, in combination with the `config.yaml` specifications above to disable headscale's built in TLS. Replace values as necessary - `<YOUR_SERVER_NAME>` should be the FQDN at which headscale will be served, and `<IP:PORT>` should be the IP address and port where headscale is running. In most cases, this will be `localhost:8080`.

-```
+```none title="Caddyfile"
 <YOUR_SERVER_NAME> {
    reverse_proxy <IP:PORT>
 }
@@ -121,13 +121,13 @@ The following Caddyfile is all that is necessary to use Caddy as a reverse proxy

 Caddy v2 will [automatically](https://caddyserver.com/docs/automatic-https) provision a certificate for your domain/subdomain, force HTTPS, and proxy websockets - no further configuration is necessary.

-For a slightly more complex configuration which utilizes Docker containers to manage Caddy, Headscale, and Headscale-UI, [Guru Computing's guide](https://blog.gurucomputing.com.au/smart-vpns-with-headscale/) is an excellent reference.
+For a slightly more complex configuration which utilizes Docker containers to manage Caddy, headscale, and Headscale-UI, [Guru Computing's guide](https://blog.gurucomputing.com.au/smart-vpns-with-headscale/) is an excellent reference.

 ## Apache

-The following minimal Apache config will proxy traffic to the Headscale instance on `<IP:PORT>`. Note that `upgrade=any` is required as a parameter for `ProxyPass` so that WebSockets traffic whose `Upgrade` header value is not equal to `WebSocket` (i. e. Tailscale Control Protocol) is forwarded correctly. See the [Apache docs](https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html) for more information on this.
+The following minimal Apache config will proxy traffic to the headscale instance on `<IP:PORT>`. Note that `upgrade=any` is required as a parameter for `ProxyPass` so that WebSockets traffic whose `Upgrade` header value is not equal to `WebSocket` (i. e. Tailscale Control Protocol) is forwarded correctly. See the [Apache docs](https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html) for more information on this.

-```
+```apache title="apache.conf"
 <VirtualHost *:443>
 	ServerName <YOUR_SERVER_NAME>

--- a/docs/ref/integration/tools.md
+++ b/docs/ref/integration/tools.md
@@ -0,0 +1,15 @@
+# Tools related to headscale
+
+!!! warning "Community contributions"
+
+    This page contains community contributions. The projects listed here are not
+    maintained by the headscale authors and are written by community members.
+
+This page collects third-party tools, client libraries, and scripts related to headscale.
+
+| Name                  | Repository Link                                                 | Description                                                          |
+| --------------------- | --------------------------------------------------------------- | -------------------------------------------------------------------- |
+| tailscale-manager     | [Github](https://github.com/singlestore-labs/tailscale-manager) | Dynamically manage Tailscale route advertisements                    |
+| headscalebacktosqlite | [Github](https://github.com/bigbozza/headscalebacktosqlite)     | Migrate headscale from PostgreSQL back to SQLite                     |
+| headscale-pf          | [Github](https://github.com/YouSysAdmin/headscale-pf)           | Populates user groups based on user groups in Jumpcloud or Authentik |
+| headscale-client-go   | [Github](https://github.com/hibare/headscale-client-go)         | A Go client implementation for the Headscale HTTP API.               |
--- a/docs/ref/integration/web-ui.md
+++ b/docs/ref/integration/web-ui.md
@@ -0,0 +1,20 @@
+# Web interfaces for headscale
+
+!!! warning "Community contributions"
+
+    This page contains community contributions. The projects listed here are not
+    maintained by the headscale authors and are written by community members.
+
+Headscale doesn't provide a built-in web interface but users may pick one from the available options.
+
+| Name                   | Repository Link                                             | Description                                                                                  |
+| ---------------------- | ----------------------------------------------------------- | -------------------------------------------------------------------------------------------- |
+| headscale-ui           | [Github](https://github.com/gurucomputing/headscale-ui)     | A web frontend for the headscale Tailscale-compatible coordination server                    |
+| HeadscaleUi            | [GitHub](https://github.com/simcu/headscale-ui)             | A static headscale admin ui, no backend environment required                                 |
+| Headplane              | [GitHub](https://github.com/tale/headplane)                 | An advanced Tailscale inspired frontend for headscale                                        |
+| headscale-admin        | [Github](https://github.com/GoodiesHQ/headscale-admin)      | Headscale-Admin is meant to be a simple, modern web interface for headscale                  |
+| ouroboros              | [Github](https://github.com/yellowsink/ouroboros)           | Ouroboros is designed for users to manage their own devices, rather than for admins          |
+| unraid-headscale-admin | [Github](https://github.com/ich777/unraid-headscale-admin)  | A simple headscale admin UI for Unraid, it offers Local (`docker exec`) and API Mode         |
+| headscale-console      | [Github](https://github.com/rickli-cloud/headscale-console) | WebAssembly-based client supporting SSH, VNC and RDP with optional self-service capabilities |
+
+You can ask for support on our [Discord server](https://discord.gg/c84AZQhmpx) in the "web-interfaces" channel.
--- a/docs/ref/oidc.md
+++ b/docs/ref/oidc.md
@@ -0,0 +1,317 @@
+# OpenID Connect
+
+Headscale supports authentication via external identity providers using OpenID Connect (OIDC). It features:
+
+- Auto configuration via OpenID Connect Discovery Protocol
+- [Proof Key for Code Exchange (PKCE) code verification](#enable-pkce-recommended)
+- [Authorization based on a user's domain, email address or group membership](#authorize-users-with-filters)
+- Synchronization of [standard OIDC claims](#supported-oidc-claims)
+
+Please see [limitations](#limitations) for known issues and limitations.
+
+## Configuration
+
+OpenID requires configuration in Headscale and your identity provider:
+
+- Headscale: The `oidc` section of the Headscale [configuration](configuration.md) contains all available configuration
+  options along with a description and their default values.
+- Identity provider: Please refer to the official documentation of your identity provider for specific instructions.
+  Additionally, there might be some useful hints in the [Identity provider specific
+  configuration](#identity-provider-specific-configuration) section below.
+
+### Basic configuration
+
+A basic configuration connects Headscale to an identity provider and typically requires:
+
+- OpenID Connect Issuer URL from the identity provider. Headscale uses the OpenID Connect Discovery Protocol 1.0 to
+  automatically obtain OpenID configuration parameters (example: `https://sso.example.com`).
+- Client ID from the identity provider (example: `headscale`).
+- Client secret generated by the identity provider (example: `generated-secret`).
+- Redirect URI for your identity provider (example: `https://headscale.example.com/oidc/callback`).
+
+=== "Headscale"
+
+    ```yaml
+    oidc:
+      issuer: "https://sso.example.com"
+      client_id: "headscale"
+      client_secret: "generated-secret"
+    ```
+
+=== "Identity provider"
+
+    * Create a new confidential client (`Client ID`, `Client secret`)
+    * Add Headscale's OIDC callback URL as valid redirect URL: `https://headscale.example.com/oidc/callback`
+    * Configure additional parameters to improve user experience such as: name, description, logo, …
+
+### Enable PKCE (recommended)
+
+Proof Key for Code Exchange (PKCE) adds an additional layer of security to the OAuth 2.0 authorization code flow by
+preventing authorization code interception attacks, see: <https://datatracker.ietf.org/doc/html/rfc7636>. PKCE is
+recommended and needs to be configured for Headscale and the identity provider alike:
+
+=== "Headscale"
+
+    ```yaml hl_lines="5-6"
+    oidc:
+      issuer: "https://sso.example.com"
+      client_id: "headscale"
+      client_secret: "generated-secret"
+      pkce:
+        enabled: true
+    ```
+
+=== "Identity provider"
+
+    * Enable PKCE for the headscale client
+    * Set the PKCE challenge method to "S256"
+
+### Authorize users with filters
+
+Headscale allows to filter for allowed users based on their domain, email address or group membership. These filters can
+be helpful to apply additional restrictions and control which users are allowed to join. Filters are disabled by
+default, users are allowed to join once the authentication with the identity provider succeeds. In case multiple filters
+are configured, a user needs to pass all of them.
+
+=== "Allowed domains"
+
+    * Check the email domain of each authenticating user against the list of allowed domains and only authorize users
+      whose email domain matches `example.com`.
+    * Access allowed: `alice@example.com`
+    * Access denied: `bob@example.net`
+
+    ```yaml hl_lines="5-6"
+    oidc:
+      issuer: "https://sso.example.com"
+      client_id: "headscale"
+      client_secret: "generated-secret"
+      allowed_domains:
+        - "example.com"
+    ```
+
+=== "Allowed users/emails"
+
+    * Check the email address of each authenticating user against the list of allowed email addresses and only authorize
+      users whose email is part of the `allowed_users` list.
+    * Access allowed: `alice@example.com`, `bob@example.net`
+    * Access denied: `mallory@example.net`
+
+    ```yaml hl_lines="5-7"
+    oidc:
+      issuer: "https://sso.example.com"
+      client_id: "headscale"
+      client_secret: "generated-secret"
+      allowed_users:
+        - "alice@example.com"
+        - "bob@example.net"
+    ```
+
+=== "Allowed groups"
+
+    * Use the OIDC `groups` claim of each authenticating user to get their group membership and only authorize users
+      which are members in at least one of the referenced groups.
+    * Access allowed: users in the `headscale_users` group
+    * Access denied: users without groups, users with other groups
+
+    ```yaml hl_lines="5-7"
+    oidc:
+      issuer: "https://sso.example.com"
+      client_id: "headscale"
+      client_secret: "generated-secret"
+      scope: ["openid", "profile", "email", "groups"]
+      allowed_groups:
+        - "headscale_users"
+    ```
+
+### Customize node expiration
+
+The node expiration is the amount of time a node is authenticated with OpenID Connect until it expires and needs to
+reauthenticate. The default node expiration is 180 days. This can either be customized or set to the expiration from the
+Access Token.
+
+=== "Customize node expiration"
+
+    ```yaml hl_lines="5"
+    oidc:
+      issuer: "https://sso.example.com"
+      client_id: "headscale"
+      client_secret: "generated-secret"
+      expiry: 30d   # Use 0 to disable node expiration
+    ```
+
+=== "Use expiration from Access Token"
+
+    Please keep in mind that the Access Token is typically a short-lived token that expires within a few minutes. You
+    will have to configure token expiration in your identity provider to avoid frequent re-authentication.
+
+
+    ```yaml hl_lines="5"
+    oidc:
+      issuer: "https://sso.example.com"
+      client_id: "headscale"
+      client_secret: "generated-secret"
+      use_expiry_from_token: true
+    ```
+
+!!! tip "Expire a node and force re-authentication"
+
+    A node can be expired immediately via:
+    ```console
+    headscale node expire -i <NODE_ID>
+    ```
+
+### Reference a user in the policy
+
+You may refer to users in the Headscale policy via:
+
+- Email address
+- Username
+- Provider identifier (only available in the database or from your identity provider)
+
+!!! note "A user identifier in the policy must contain a single `@`"
+
+    The Headscale policy requires a single `@` to reference a user. If the username or provider identifier doesn't
+    already contain a single `@`, it needs to be appended at the end. For example: the username `ssmith` has to be
+    written as `ssmith@` to be correctly identified as user within the policy.
+
+!!! warning "Email address or username might be updated by users"
+
+    Many identity providers allow users to update their own profile. Depending on the identity provider and its
+    configuration, the values for username or email address might change over time. This might have unexpected
+    consequences for Headscale where a policy might no longer work or a user might obtain more access by hijacking an
+    existing username or email address.
+
+## Supported OIDC claims
+
+Headscale uses [the standard OIDC claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) to
+populate and update its local user profile on each login. OIDC claims are read from the ID Token or from the UserInfo
+endpoint.
+
+| Headscale profile   | OIDC claim           | Notes / examples                                                                                  |
+| ------------------- | -------------------- | ------------------------------------------------------------------------------------------------- |
+| email address       | `email`              | Only used when `email_verified: true`                                                             |
+| display name        | `name`               | eg: `Sam Smith`                                                                                   |
+| username            | `preferred_username` | Depends on identity provider, eg: `ssmith`, `ssmith@idp.example.com`, `\\example.com\ssmith`      |
+| profile picture     | `picture`            | URL to a profile picture or avatar                                                                |
+| provider identifier | `iss`, `sub`         | A stable and unique identifier for a user, typically a combination of `iss` and `sub` OIDC claims |
+|                     | `groups`             | [Only used to filter for allowed groups](#authorize-users-with-filters)                           |
+
+## Limitations
+
+- Support for OpenID Connect aims to be generic and vendor independent. It offers only limited support for quirks of
+  specific identity providers.
+- OIDC groups cannot be used in ACLs.
+- The username provided by the identity provider needs to adhere to this pattern:
+    - The username must be at least two characters long.
+    - It must only contain letters, digits, hyphens, dots, underscores, and up to a single `@`.
+    - The username must start with a letter.
+- A user's email address is only synchronized to the local user profile when the identity provider marks the email
+  address as verified (`email_verified: true`).
+
+Please see the [GitHub label "OIDC"](https://github.com/juanfont/headscale/labels/OIDC) for OIDC related issues.
+
+## Identity provider specific configuration
+
+!!! warning "Third-party software and services"
+
+    This section of the documentation is specific for third-party software and services. We recommend users read the
+    third-party documentation on how to configure and integrate an OIDC client. Please see the [Configuration
+    section](#configuration) for a description of Headscale's OIDC related configuration settings.
+
+Any identity provider with OpenID Connect support should "just work" with Headscale. The following identity providers
+are known to work:
+
+- [Authelia](#authelia)
+- [Authentik](#authentik)
+- [Kanidm](#kanidm)
+- [Keycloak](#keycloak)
+
+### Authelia
+
+Authelia is fully supported by Headscale.
+
+#### Additional configuration to authorize users based on filters
+
+Authelia (4.39.0 or newer) no longer provides standard OIDC claims such as `email` or `groups` via the ID Token. The
+OIDC `email` and `groups` claims are used to [authorize users with filters](#authorize-users-with-filters). This extra
+configuration step is **only** needed if you need to authorize access based on one of the following user properties:
+
+- domain
+- email address
+- group membership
+
+Please follow the instructions from Authelia's documentation on how to [Restore Functionality Prior to Claims
+Parameter](https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter).
+
+### Authentik
+
+- Authentik is fully supported by Headscale.
+- [Headscale does not JSON Web Encryption](https://github.com/juanfont/headscale/issues/2446). Leave the field
+  `Encryption Key` in the providers section unset.
+
+### Google OAuth
+
+!!! warning "No username due to missing preferred_username"
+
+    Google OAuth does not send the `preferred_username` claim when the scope `profile` is requested. The username in
+    Headscale will be blank/not set.
+
+In order to integrate Headscale with Google, you'll need to have a [Google Cloud
+Console](https://console.cloud.google.com) account.
+
+Google OAuth has a [verification process](https://support.google.com/cloud/answer/9110914?hl=en) if you need to have
+users authenticate who are outside of your domain. If you only need to authenticate users from your domain name (ie
+`@example.com`), you don't need to go through the verification process.
+
+However if you don't have a domain, or need to add users outside of your domain, you can manually add emails via Google
+Console.
+
+#### Steps
+
+1. Go to [Google Console](https://console.cloud.google.com) and login or create an account if you don't have one.
+2. Create a project (if you don't already have one).
+3. On the left hand menu, go to `APIs and services` -> `Credentials`
+4. Click `Create Credentials` -> `OAuth client ID`
+5. Under `Application Type`, choose `Web Application`
+6. For `Name`, enter whatever you like
+7. Under `Authorised redirect URIs`, add Headscale's OIDC callback URL: `https://headscale.example.com/oidc/callback`
+8. Click `Save` at the bottom of the form
+9. Take note of the `Client ID` and `Client secret`, you can also download it for reference if you need it.
+10. [Configure Headscale following the "Basic configuration" steps](#basic-configuration). The issuer URL for Google
+    OAuth is: `https://accounts.google.com`.
+
+### Kanidm
+
+- Kanidm is fully supported by Headscale.
+- Groups for the [allowed groups filter](#authorize-users-with-filters) need to be specified with their full SPN, for
+  example: `headscale_users@sso.example.com`.
+
+### Keycloak
+
+Keycloak is fully supported by Headscale.
+
+#### Additional configuration to use the allowed groups filter
+
+Keycloak has no built-in client scope for the OIDC `groups` claim. This extra configuration step is **only** needed if
+you need to [authorize access based on group membership](#authorize-users-with-filters).
+
+- Create a new client scope `groups` for OpenID Connect:
+    - Configure a `Group Membership` mapper with name `groups` and the token claim name `groups`.
+    - Enable the mapper for the ID Token, Access Token and UserInfo endpoint.
+- Configure the new client scope for your Headscale client:
+    - Edit the Headscale client.
+    - Search for the client scope `group`.
+    - Add it with assigned type `Default`.
+- [Configure the allowed groups in Headscale](#authorize-users-with-filters). Keep in mind that groups in Keycloak start
+  with a leading `/`.
+
+### Microsoft Entra ID
+
+In order to integrate Headscale with Microsoft Entra ID, you'll need to provision an App Registration with the correct
+scopes and redirect URI.
+
+[Configure Headscale following the "Basic configuration" steps](#basic-configuration). The issuer URL for Microsoft
+Entra ID is: `https://login.microsoftonline.com/<tenant-UUID>/v2.0`. The following `extra_params` might be useful:
+
+- `domain_hint: example.com` to use your own domain
+- `prompt: select_account` to force an account picker during login
--- a/docs/ref/remote-cli.md
+++ b/docs/ref/remote-cli.md
@@ -0,0 +1,105 @@
+# Controlling headscale with remote CLI
+
+This documentation has the goal of showing a user how-to control a headscale instance
+from a remote machine with the `headscale` command line binary.
+
+## Prerequisite
+
+- A workstation to run `headscale` (any supported platform, e.g. Linux).
+- A headscale server with gRPC enabled.
+- Connections to the gRPC port (default: `50443`) are allowed.
+- Remote access requires an encrypted connection via TLS.
+- An API key to authenticate with the headscale server.
+
+## Create an API key
+
+We need to create an API key to authenticate with the remote headscale server when using it from our workstation.
+
+To create an API key, log into your headscale server and generate a key:
+
+```shell
+headscale apikeys create --expiration 90d
+```
+
+Copy the output of the command and save it for later. Please note that you can not retrieve a key again,
+if the key is lost, expire the old one, and create a new key.
+
+To list the keys currently associated with the server:
+
+```shell
+headscale apikeys list
+```
+
+and to expire a key:
+
+```shell
+headscale apikeys expire --prefix "<PREFIX>"
+```
+
+## Download and configure headscale
+
+1.  Download the [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases). Make
+    sure to use the same version as on the server.
+
+1.  Put the binary somewhere in your `PATH`, e.g. `/usr/local/bin/headscale`
+
+1.  Make `headscale` executable:
+
+    ```shell
+    chmod +x /usr/local/bin/headscale
+    ```
+
+1.  Provide the connection parameters for the remote headscale server either via a minimal YAML configuration file or via
+    environment variables:
+
+    === "Minimal YAML configuration file"
+
+        ```yaml title="config.yaml"
+        cli:
+            address: <HEADSCALE_ADDRESS>:<PORT>
+            api_key: <API_KEY_FROM_PREVIOUS_STEP>
+        ```
+
+    === "Environment variables"
+
+        ```shell
+        export HEADSCALE_CLI_ADDRESS="<HEADSCALE_ADDRESS>:<PORT>"
+        export HEADSCALE_CLI_API_KEY="<API_KEY_FROM_PREVIOUS_STEP>"
+        ```
+
+        !!! bug
+
+            Headscale currently requires at least an empty configuration file when environment variables are used to
+            specify connection details. See [issue 2193](https://github.com/juanfont/headscale/issues/2193) for more
+            information.
+
+    This instructs the `headscale` binary to connect to a remote instance at `<HEADSCALE_ADDRESS>:<PORT>`, instead of
+    connecting to the local instance.
+
+1.  Test the connection
+
+    Let us run the headscale command to verify that we can connect by listing our nodes:
+
+    ```shell
+    headscale nodes list
+    ```
+
+    You should now be able to see a list of your nodes from your workstation, and you can
+    now control the headscale server from your workstation.
+
+## Behind a proxy
+
+It is possible to run the gRPC remote endpoint behind a reverse proxy, like Nginx, and have it run on the _same_ port as headscale.
+
+While this is _not a supported_ feature, an example on how this can be set up on
+[NixOS is shown here](https://github.com/kradalby/dotfiles/blob/4489cdbb19cddfbfae82cd70448a38fde5a76711/machines/headscale.oracldn/headscale.nix#L61-L91).
+
+## Troubleshooting
+
+- Make sure you have the _same_ headscale version on your server and workstation.
+- Ensure that connections to the gRPC port are allowed.
+- Verify that your TLS certificate is valid and trusted.
+- If you don't have access to a trusted certificate (e.g. from Let's Encrypt), either:
+    - Add your self-signed certificate to the trust store of your OS _or_
+    - Disable certificate verification by either setting `cli.insecure: true` in the configuration file or by setting
+      `HEADSCALE_CLI_INSECURE=1` via an environment variable. We do **not** recommend to disable certificate validation.
--- a/docs/ref/routes.md
+++ b/docs/ref/routes.md
@@ -0,0 +1,271 @@
+# Routes
+
+Headscale supports route advertising and can be used to manage [subnet routers](https://tailscale.com/kb/1019/subnets)
+and [exit nodes](https://tailscale.com/kb/1103/exit-nodes) for a tailnet.
+
+- [Subnet routers](#subnet-router) may be used to connect an existing network such as a virtual
+  private cloud or an on-premise network with your tailnet. Use a subnet router to access devices where Tailscale can't
+  be installed or to gradually rollout Tailscale.
+- [Exit nodes](#exit-node) can be used to route all Internet traffic for another Tailscale
+  node. Use it to securely access the Internet on an untrusted Wi-Fi or to access online services that expect traffic
+  from a specific IP address.
+
+## Subnet router
+
+The setup of a subnet router requires double opt-in, once from a subnet router and once on the control server to allow
+its use within the tailnet. Optionally, use [`autoApprovers` to automatically approve routes from a subnet
+router](#automatically-approve-routes-of-a-subnet-router).
+
+### Setup a subnet router
+
+#### Configure a node as subnet router
+
+Register a node and advertise the routes it should handle as comma separated list:
+
+```console
+$ sudo tailscale up --login-server <YOUR_HEADSCALE_URL> --advertise-routes=10.0.0.0/8,192.168.0.0/24
+```
+
+If the node is already registered, it can advertise new routes or update previously announced routes with:
+
+```console
+$ sudo tailscale set --advertise-routes=10.0.0.0/8,192.168.0.0/24
+```
+
+Finally, [enable IP forwarding](#enable-ip-forwarding) to route traffic.
+
+#### Enable the subnet router on the control server
+
+The routes of a tailnet can be displayed with the `headscale nodes list-routes` command. A subnet router with the
+hostname `myrouter` announced the IPv4 networks `10.0.0.0/8` and `192.168.0.0/24`. Those need to be approved before they
+can be used.
+
+```console
+$ headscale nodes list-routes
+ID | Hostname | Approved | Available                  | Serving (Primary)
+1  | myrouter |          | 10.0.0.0/8, 192.168.0.0/24 |
+```
+
+Approve all desired routes of a subnet router by specifying them as comma separated list:
+
+```console
+$ headscale nodes approve-routes --identifier 1 --routes 10.0.0.0/8,192.168.0.0/24
+Node updated
+```
+
+The node `myrouter` can now route the IPv4 networks `10.0.0.0/8` and `192.168.0.0/24` for the tailnet.
+
+```console
+$ headscale nodes list-routes
+ID | Hostname | Approved                   | Available                  | Serving (Primary)
+1  | myrouter | 10.0.0.0/8, 192.168.0.0/24 | 10.0.0.0/8, 192.168.0.0/24 | 10.0.0.0/8, 192.168.0.0/24
+```
+
+#### Use the subnet router
+
+To accept routes advertised by a subnet router on a node:
+
+```console
+$ sudo tailscale set --accept-routes
+```
+
+Please refer to the official [Tailscale
+documentation](https://tailscale.com/kb/1019/subnets#use-your-subnet-routes-from-other-devices) for how to use a subnet
+router on different operating systems.
+
+### Restrict the use of a subnet router with ACL
+
+The routes announced by subnet routers are available to the nodes in a tailnet. By default, without an ACL enabled, all
+nodes can accept and use such routes. Configure an ACL to explicitly manage who can use routes.
+
+The ACL snippet below defines three hosts, a subnet router `router`, a regular node `node` and `service.example.net` as
+internal service that can be reached via a route on the subnet router `router`. It allows the node `node` to access
+`service.example.net` on port 80 and 443 which is reachable via the subnet router. Access to the subnet router itself is
+denied.
+
+```json title="Access the routes of a subnet router without the subnet router itself"
+{
+  "hosts": {
+    // the router is not referenced but announces 192.168.0.0/24"
+    "router": "100.64.0.1/32",
+    "node": "100.64.0.2/32",
+    "service.example.net": "192.168.0.1/32"
+  },
+  "acls": [
+    {
+      "action": "accept",
+      "src": ["node"],
+      "dst": ["service.example.net:80,443"]
+    }
+  ]
+}
+```
+
+### Automatically approve routes of a subnet router
+
+The initial setup of a subnet router usually requires manual approval of their announced routes on the control server
+before they can be used by a node in a tailnet. Headscale supports the `autoApprovers` section of an ACL to automate the
+approval of routes served with a subnet router.
+
+The ACL snippet below defines the tag `tag:router` owned by the user `alice`. This tag is used for `routes` in the
+`autoApprovers` section. The IPv4 route `192.168.0.0/24` is automatically approved once announced by a subnet router
+owned by the user `alice` and that also advertises the tag `tag:router`.
+
+```json title="Subnet routers owned by alice and tagged with tag:router are automatically approved"
+{
+  "tagOwners": {
+    "tag:router": ["alice@"]
+  },
+  "autoApprovers": {
+    "routes": {
+      "192.168.0.0/24": ["tag:router"]
+    }
+  },
+  "acls": [
+    // more rules
+  ]
+}
+```
+
+Advertise the route `192.168.0.0/24` from a subnet router that also advertises the tag `tag:router` when joining the tailnet:
+
+```console
+$ sudo tailscale up --login-server <YOUR_HEADSCALE_URL> --advertise-tags tag:router --advertise-routes 192.168.0.0/24
+```
+
+Please see the [official Tailscale documentation](https://tailscale.com/kb/1337/acl-syntax#autoapprovers) for more
+information on auto approvers.
+
+## Exit node
+
+The setup of an exit node requires double opt-in, once from an exit node and once on the control server to allow its use
+within the tailnet. Optionally, use [`autoApprovers` to automatically approve an exit
+node](#automatically-approve-an-exit-node-with-auto-approvers).
+
+### Setup an exit node
+
+#### Configure a node as exit node
+
+Register a node and make it advertise itself as an exit node:
+
+```console
+$ sudo tailscale up --login-server <YOUR_HEADSCALE_URL> --advertise-exit-node
+```
+
+If the node is already registered, it can advertise exit capabilities like this:
+
+```console
+$ sudo tailscale set --advertise-exit-node
+```
+
+Finally, [enable IP forwarding](#enable-ip-forwarding) to route traffic.
+
+#### Enable the exit node on the control server
+
+The routes of a tailnet can be displayed with the `headscale nodes list-routes` command. An exit node can be recognized
+by its announced routes: `0.0.0.0/0` for IPv4 and `::/0` for IPv6. The exit node with the hostname `myexit` is already
+available, but needs to be approved:
+
+```console
+$ headscale nodes list-routes
+ID | Hostname | Approved | Available       | Serving (Primary)
+1  | myexit   |          | 0.0.0.0/0, ::/0 |
+```
+
+For exit nodes, it is sufficient to approve either the IPv4 or IPv6 route. The other will be approved automatically.
+
+```console
+$ headscale nodes approve-routes --identifier 1 --routes 0.0.0.0/0
+Node updated
+```
+
+The node `myexit` is now approved as exit node for the tailnet:
+
+```console
+$ headscale nodes list-routes
+ID | Hostname | Approved        | Available       | Serving (Primary)
+1  | myexit   | 0.0.0.0/0, ::/0 | 0.0.0.0/0, ::/0 | 0.0.0.0/0, ::/0
+```
+
+#### Use the exit node
+
+The exit node can now be used on a node with:
+
+```console
+$ sudo tailscale set --exit-node myexit
+```
+
+Please refer to the official [Tailscale documentation](https://tailscale.com/kb/1103/exit-nodes#use-the-exit-node) for
+how to use an exit node on different operating systems.
+
+### Restrict the use of an exit node with ACL
+
+An exit node is offered to all nodes in a tailnet. By default, without an ACL enabled, all nodes in a tailnet can select
+and use an exit node. Configure `autogroup:internet` in an ACL rule to restrict who can use _any_ of the available exit
+nodes.
+
+```json title="Example use of autogroup:internet"
+{
+  "acls": [
+    {
+      "action": "accept",
+      "src": ["..."],
+      "dst": ["autogroup:internet:*"]
+    }
+  ]
+}
+```
+
+### Automatically approve an exit node with auto approvers
+
+The initial setup of an exit node usually requires manual approval on the control server before it can be used by a node
+in a tailnet. Headscale supports the `autoApprovers` section of an ACL to automate the approval of a new exit node as
+soon as it joins the tailnet.
+
+The ACL snippet below defines the tag `tag:exit` owned by the user `alice`. This tag is used for `exitNode` in the
+`autoApprovers` section. A new exit node which is owned by the user `alice` and that also advertises the tag `tag:exit`
+is automatically approved:
+
+```json title="Exit nodes owned by alice and tagged with tag:exit are automatically approved"
+{
+  "tagOwners": {
+    "tag:exit": ["alice@"]
+  },
+  "autoApprovers": {
+    "exitNode": ["tag:exit"]
+  },
+  "acls": [
+    // more rules
+  ]
+}
+```
+
+Advertise a node as exit node and also advertise the tag `tag:exit` when joining the tailnet:
+
+```console
+$ sudo tailscale up --login-server <YOUR_HEADSCALE_URL> --advertise-tags tag:exit --advertise-exit-node
+```
+
+Please see the [official Tailscale documentation](https://tailscale.com/kb/1337/acl-syntax#autoapprovers) for more
+information on auto approvers.
+
+## High availability
+
+Headscale has limited support for high availability routing. Multiple subnet routers with overlapping routes or multiple
+exit nodes can be used to provide high availability for users. If one router node goes offline, another one can serve
+the same routes to clients. Please see the official [Tailscale documentation on high
+availability](https://tailscale.com/kb/1115/high-availability#subnet-router-high-availability) for details.
+
+!!! bug
+
+    In certain situations it might take up to 16 minutes for Headscale to detect a node as offline. A failover node
+    might not be selected fast enough, if such a node is used as subnet router or exit node causing service
+    interruptions for clients. See [issue 2129](https://github.com/juanfont/headscale/issues/2129) for more information.
+
+## Troubleshooting
+
+### Enable IP forwarding
+
+A subnet router or exit node is routing traffic on behalf of other nodes and thus requires IP forwarding. Check the
+official [Tailscale documentation](https://tailscale.com/kb/1019/subnets/?tab=linux#enable-ip-forwarding) for how to
+enable IP forwarding.
--- a/docs/ref/tls.md
+++ b/docs/ref/tls.md
@@ -2,18 +2,20 @@

 ## Bring your own certificate

-Headscale can be configured to expose its web service via TLS. To configure the certificate and key file manually, set the `tls_cert_path` and `tls_cert_path` configuration parameters. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from.
+Headscale can be configured to expose its web service via TLS. To configure the certificate and key file manually, set the `tls_cert_path` and `tls_key_path` configuration parameters. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from.

-```yaml
+```yaml title="config.yaml"
 tls_cert_path: ""
 tls_key_path: ""
 ```

+The certificate should contain the full chain, else some clients, like the Tailscale Android client, will reject it.
+
 ## Let's Encrypt / ACME

 To get a certificate automatically via [Let's Encrypt](https://letsencrypt.org/), set `tls_letsencrypt_hostname` to the desired certificate hostname. This name must resolve to the IP address(es) headscale is reachable on (i.e., it must correspond to the `server_url` configuration parameter). The certificate and Let's Encrypt account credentials will be stored in the directory configured in `tls_letsencrypt_cache_dir`. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from.

-```yaml
+```yaml title="config.yaml"
 tls_letsencrypt_hostname: ""
 tls_letsencrypt_listen: ":http"
 tls_letsencrypt_cache_dir: ".cache"
@@ -47,10 +49,10 @@ Headscale uses [autocert](https://pkg.go.dev/golang.org/x/crypto/acme/autocert),

 If you want to validate that certificate renewal completed successfully, this can be done either manually, or through external monitoring software. Two examples of doing this manually:

-1. Open the URL for your Headscale server in your browser of choice, and manually inspecting the expiry date of the certificate you receive.
+1. Open the URL for your headscale server in your browser of choice, and manually inspecting the expiry date of the certificate you receive.
 2. Or, check remotely from CLI using `openssl`:

-```bash
+```console
 $ openssl s_client -servername [hostname] -connect [hostname]:443 | openssl x509 -noout -dates
 (...)
 notBefore=Feb  8 09:48:26 2024 GMT
--- a/docs/remote-cli.md
+++ b/docs/remote-cli.md
@@ -1,100 +0,0 @@
-# Controlling `headscale` with remote CLI
-
-## Prerequisite
-
- A workstation to run `headscale` (could be Linux, macOS, other supported platforms)
- A `headscale` server (version `0.13.0` or newer)
- Access to create API keys (local access to the `headscale` server)
- `headscale` _must_ be served over TLS/HTTPS
-  - Remote access does _not_ support unencrypted traffic.
- Port `50443` must be open in the firewall (or port overridden by `grpc_listen_addr` option)
-
-## Goal
-
-This documentation has the goal of showing a user how-to set control a `headscale` instance
-from a remote machine with the `headscale` command line binary.
-
-## Create an API key
-
-We need to create an API key to authenticate our remote `headscale` when using it from our workstation.
-
-To create a API key, log into your `headscale` server and generate a key:
-
-```shell
-headscale apikeys create --expiration 90d
-```
-
-Copy the output of the command and save it for later. Please note that you can not retrieve a key again,
-if the key is lost, expire the old one, and create a new key.
-
-To list the keys currently assosicated with the server:
-
-```shell
-headscale apikeys list
-```
-
-and to expire a key:
-
-```shell
-headscale apikeys expire --prefix "<PREFIX>"
-```
-
-## Download and configure `headscale`
-
-1. Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):
-
-2. Put the binary somewhere in your `PATH`, e.g. `/usr/local/bin/headscale`
-
-3. Make `headscale` executable:
-
-```shell
-chmod +x /usr/local/bin/headscale
-```
-
-4. Configure the CLI through Environment Variables
-
-```shell
-export HEADSCALE_CLI_ADDRESS="<HEADSCALE ADDRESS>:<PORT>"
-export HEADSCALE_CLI_API_KEY="<API KEY FROM PREVIOUS STAGE>"
-```
-
-for example:
-
-```shell
-export HEADSCALE_CLI_ADDRESS="headscale.example.com:50443"
-export HEADSCALE_CLI_API_KEY="abcde12345"
-```
-
-This will tell the `headscale` binary to connect to a remote instance, instead of looking
-for a local instance (which is what it does on the server).
-
-The API key is needed to make sure that your are allowed to access the server. The key is _not_
-needed when running directly on the server, as the connection is local.
-
-5. Test the connection
-
-Let us run the headscale command to verify that we can connect by listing our nodes:
-
-```shell
-headscale nodes list
-```
-
-You should now be able to see a list of your nodes from your workstation, and you can
-now control the `headscale` server from your workstation.
-
-## Behind a proxy
-
-It is possible to run the gRPC remote endpoint behind a reverse proxy, like Nginx, and have it run on the _same_ port as `headscale`.
-
-While this is _not a supported_ feature, an example on how this can be set up on
-[NixOS is shown here](https://github.com/kradalby/dotfiles/blob/4489cdbb19cddfbfae82cd70448a38fde5a76711/machines/headscale.oracldn/headscale.nix#L61-L91).
-
-## Troubleshooting
-
-Checklist:
-
- Make sure you have the _same_ `headscale` version on your server and workstation
- Make sure you use version `0.13.0` or newer.
- Verify that your TLS certificate is valid and trusted
-  - If you do not have access to a trusted certificate (e.g. from Let's Encrypt), add your self signed certificate to the trust store of your OS or
-  - Set `HEADSCALE_CLI_INSECURE` to 0 in your environment
--- a/docs/requirements.txt
+++ b/docs/requirements.txt
@@ -1,4 +1,6 @@
-cairosvg~=2.7.1
-mkdocs-material~=9.5.18
-mkdocs-minify-plugin~=0.7.1
-pillow~=10.1.0
+mike~=2.1
+mkdocs-include-markdown-plugin~=7.1
+mkdocs-macros-plugin~=1.3
+mkdocs-material[imaging]~=9.5
+mkdocs-minify-plugin~=0.7
+mkdocs-redirects~=1.2
--- a/docs/running-headscale-container.md
+++ b/docs/running-headscale-container.md
@@ -1,195 +0,0 @@
-# Running headscale in a container
-
-!!! warning "Community documentation"
-
-    This page is not actively maintained by the headscale authors and is
-    written by community members. It is _not_ verified by `headscale` developers.
-
-    **It might be outdated and it might miss necessary steps**.
-
-## Goal
-
-This documentation has the goal of showing a user how-to set up and run `headscale` in a container.
-[Docker](https://www.docker.com) is used as the reference container implementation, but there is no reason that it should
-not work with alternatives like [Podman](https://podman.io). The Docker image can be found on Docker Hub [here](https://hub.docker.com/r/headscale/headscale).
-
-## Configure and run `headscale`
-
-1. Prepare a directory on the host Docker node in your directory of choice, used to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database:
-
-    ```shell
-    mkdir -p ./headscale/config
-    cd ./headscale
-    ```
-
-1. Create an empty SQlite datebase in the headscale directory:
-
-    ```shell
-    touch ./config/db.sqlite
-    ```
-
-1. **(Strongly Recommended)** Download a copy of the [example configuration](https://github.com/juanfont/headscale/blob/main/config-example.yaml) from the headscale repository.
-
-    - Using `wget`:
-
-        ```shell
-        wget -O ./config/config.yaml https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml
-        ```
-
-    - Using `curl`:
-
-        ```shell
-        curl https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml -o ./config/config.yaml
-        ```
-
-    - **(Advanced)** If you would like to hand craft a config file **instead** of downloading the example config file, create a blank `headscale` configuration in the headscale directory to edit:
-
-        ```shell
-        touch ./config/config.yaml
-        ```
-
-        Modify the config file to your preferences before launching Docker container.
-        Here are some settings that you likely want:
-
-        ```yaml
-        # Change to your hostname or host IP
-        server_url: http://your-host-name:8080
-        # Listen to 0.0.0.0 so it's accessible outside the container
-        metrics_listen_addr: 0.0.0.0:9090
-        # The default /var/lib/headscale path is not writable in the container
-        noise:
-          private_key_path: /etc/headscale/noise_private.key
-        # The default /var/lib/headscale path is not writable in the container
-        derp:
-          private_key_path: /etc/headscale/private.key
-        # The default /var/run/headscale path is not writable  in the container
-        unix_socket: /etc/headscale/headscale.sock
-        # The default /var/lib/headscale path is not writable  in the container
-        database.type: sqlite3
-        database.sqlite.path: /etc/headscale/db.sqlite
-        ```
-
-        Alternatively, you can mount `/var/lib` and `/var/run` from your host system by adding
-        `--volume $(pwd)/lib:/var/lib/headscale` and `--volume $(pwd)/run:/var/run/headscale`
-        in the next step.
-
-1. Start the headscale server while working in the host headscale directory:
-
-    ```shell
-    docker run \
-      --name headscale \
-      --detach \
-      --volume $(pwd)/config:/etc/headscale/ \
-      --publish 127.0.0.1:8080:8080 \
-      --publish 127.0.0.1:9090:9090 \
-      headscale/headscale:<VERSION> \
-      headscale serve
-    ```
-
-    Note: use `0.0.0.0:8080:8080` instead of `127.0.0.1:8080:8080` if you want to expose the container externally.
-
-    This command will mount `config/` under `/etc/headscale`, forward port 8080 out of the container so the
-    `headscale` instance becomes available and then detach so headscale runs in the background.
-
-    Example `docker-compose.yaml`
-
-      ```yaml
-      version: "3.7"
-      
-      services:
-        headscale:
-          image: headscale/headscale:0.22.3
-          restart: unless-stopped
-          container_name: headscale
-          ports:
-            - "127.0.0.1:8080:8080"
-            - "127.0.0.1:9090:9090"
-          volumes:
-            # pls change [config_path] to the fullpath of the config folder just created
-            - [config_path]:/etc/headscale
-          command: headscale serve
-      ```
-
-1. Verify `headscale` is running:
-   Follow the container logs:
-
-    ```shell
-    docker logs --follow headscale
-    ```
-
-    Verify running containers:
-
-    ```shell
-    docker ps
-    ```
-
-    Verify `headscale` is available:
-
-    ```shell
-    curl http://127.0.0.1:9090/metrics
-    ```
-
-1. Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
-
-    ```shell
-    docker exec headscale \
-    headscale users create myfirstuser
-    ```
-
-### Register a machine (normal login)
-
-On a client machine, execute the `tailscale` login command:
-
-```shell
-tailscale up --login-server YOUR_HEADSCALE_URL
-```
-
-To register a machine when running `headscale` in a container, take the headscale command and pass it to the container:
-
-```shell
-docker exec headscale \
-  headscale --user myfirstuser nodes register --key <YOU_+MACHINE_KEY>
-```
-
-### Register machine using a pre authenticated key
-
-Generate a key using the command line:
-
-```shell
-docker exec headscale \
-  headscale --user myfirstuser preauthkeys create --reusable --expiration 24h
-```
-
-This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
-
-```shell
-tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
-```
-
-## Debugging headscale running in Docker
-
-The `headscale/headscale` Docker container is based on a "distroless" image that does not contain a shell or any other debug tools. If you need to debug your application running in the Docker container, you can use the `-debug` variant, for example `headscale/headscale:x.x.x-debug`.
-
-### Running the debug Docker container
-
-To run the debug Docker container, use the exact same commands as above, but replace `headscale/headscale:x.x.x` with `headscale/headscale:x.x.x-debug` (`x.x.x` is the version of headscale). The two containers are compatible with each other, so you can alternate between them.
-
-### Executing commands in the debug container
-
-The default command in the debug container is to run `headscale`, which is located at `/bin/headscale` inside the container.
-
-Additionally, the debug container includes a minimalist Busybox shell.
-
-To launch a shell in the container, use:
-
-```
-docker run -it headscale/headscale:x.x.x-debug sh
-```
-
-You can also execute commands directly, such as `ls /bin` in this example:
-
-```
-docker run headscale/headscale:x.x.x-debug ls /bin
-```
-
-Using `docker exec` allows you to run commands in an existing container.
--- a/docs/running-headscale-linux-manual.md
+++ b/docs/running-headscale-linux-manual.md
@@ -1,197 +0,0 @@
-# Running headscale on Linux
-
-## Note: Outdated and "advanced"
-
-This documentation is considered the "legacy"/advanced/manual version of the documentation, you most likely do not
-want to use this documentation and rather look at the distro specific documentation (TODO LINK)[].
-
-## Goal
-
-This documentation has the goal of showing a user how-to set up and run `headscale` on Linux.
-In additional to the "get up and running section", there is an optional [SystemD section](#running-headscale-in-the-background-with-systemd)
-describing how to make `headscale` run properly in a server environment.
-
-## Configure and run `headscale`
-
-1. Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):
-
-    ```shell
-    wget --output-document=/usr/local/bin/headscale \
-    https://github.com/juanfont/headscale/releases/download/v<HEADSCALE VERSION>/headscale_<HEADSCALE VERSION>_linux_<ARCH>
-    ```
-
-1. Make `headscale` executable:
-
-    ```shell
-    chmod +x /usr/local/bin/headscale
-    ```
-
-1. Prepare a directory to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database:
-
-    ```shell
-    # Directory for configuration
-
-    mkdir -p /etc/headscale
-
-    # Directory for Database, and other variable data (like certificates)
-    mkdir -p /var/lib/headscale
-    # or if you create a headscale user:
-    useradd \
-      --create-home \
-      --home-dir /var/lib/headscale/ \
-      --system \
-      --user-group \
-      --shell /usr/sbin/nologin \
-      headscale
-    ```
-
-1. Create an empty SQLite database:
-
-    ```shell
-    touch /var/lib/headscale/db.sqlite
-    ```
-
-1. Create a `headscale` configuration:
-
-    ```shell
-    touch /etc/headscale/config.yaml
-    ```
-
-    **(Strongly Recommended)** Download a copy of the [example configuration](https://github.com/juanfont/headscale/blob/main/config-example.yaml) from the headscale repository.
-
-1. Start the headscale server:
-
-    ```shell
-    headscale serve
-    ```
-
-    This command will start `headscale` in the current terminal session.
-
-    ---
-
-    To continue the tutorial, open a new terminal and let it run in the background.
-    Alternatively use terminal emulators like [tmux](https://github.com/tmux/tmux) or [screen](https://www.gnu.org/software/screen/).
-
-    To run `headscale` in the background, please follow the steps in the [SystemD section](#running-headscale-in-the-background-with-systemd) before continuing.
-
-1. Verify `headscale` is running:
-  Verify `headscale` is available:
-
-    ```shell
-    curl http://127.0.0.1:9090/metrics
-    ```
-
-1. Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
-
-    ```shell
-    headscale users create myfirstuser
-    ```
-
-### Register a machine (normal login)
-
-On a client machine, execute the `tailscale` login command:
-
-```shell
-tailscale up --login-server YOUR_HEADSCALE_URL
-```
-
-Register the machine:
-
-```shell
-headscale --user myfirstuser nodes register --key <YOUR_MACHINE_KEY>
-```
-
-### Register machine using a pre authenticated key
-
-Generate a key using the command line:
-
-```shell
-headscale --user myfirstuser preauthkeys create --reusable --expiration 24h
-```
-
-This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
-
-```shell
-tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
-```
-
-## Running `headscale` in the background with SystemD
-
-:warning: **Deprecated**: This part is very outdated and you should use the [pre-packaged Headscale for this](./running-headscale-linux.md)
-
-This section demonstrates how to run `headscale` as a service in the background with [SystemD](https://www.freedesktop.org/wiki/Software/systemd/).
-This should work on most modern Linux distributions.
-
-1. Create a SystemD service configuration at `/etc/systemd/system/headscale.service` containing:
-
-    ```systemd
-    [Unit]
-    Description=headscale controller
-    After=syslog.target
-    After=network.target
-
-    [Service]
-    Type=simple
-    User=headscale
-    Group=headscale
-    ExecStart=/usr/local/bin/headscale serve
-    Restart=always
-    RestartSec=5
-
-    # Optional security enhancements
-    NoNewPrivileges=yes
-    PrivateTmp=yes
-    ProtectSystem=strict
-    ProtectHome=yes
-    WorkingDirectory=/var/lib/headscale
-    ReadWritePaths=/var/lib/headscale /var/run/headscale
-    AmbientCapabilities=CAP_NET_BIND_SERVICE
-    RuntimeDirectory=headscale
-
-    [Install]
-    WantedBy=multi-user.target
-    ```
-
-    Note that when running as the headscale user ensure that, either you add your current user to the headscale group:
-
-    ```shell
-    usermod -a -G headscale current_user
-    ```
-
-    or run all headscale commands as the headscale user:
-
-    ```shell
-    su - headscale
-    ```
-
-1. In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with path that is writable by the `headscale` user or group:
-
-    ```yaml
-    unix_socket: /var/run/headscale/headscale.sock
-    ```
-
-1. Reload SystemD to load the new configuration file:
-
-    ```shell
-    systemctl daemon-reload
-    ```
-
-1. Enable and start the new `headscale` service:
-
-    ```shell
-    systemctl enable --now headscale
-    ```
-
-1. Verify the headscale service:
-
-    ```shell
-    systemctl status headscale
-    ```
-
-    Verify `headscale` is available:
-
-    ```shell
-    curl http://127.0.0.1:9090/metrics
-    ```
-
-`headscale` will now run in the background and start at boot.
--- a/docs/running-headscale-linux.md
+++ b/docs/running-headscale-linux.md
@@ -1,97 +0,0 @@
-# Running headscale on Linux
-
-## Requirements
-
- Ubuntu 20.04 or newer, Debian 11 or newer.
-
-## Goal
-
-Get Headscale up and running.
-
-This includes running Headscale with SystemD.
-
-## Migrating from manual install
-
-If you are migrating from the old manual install, the best thing would be to remove
-the files installed by following [the guide in reverse](./running-headscale-linux-manual.md).
-
-You should _not_ delete the database (`/var/lib/headscale/db.sqlite`) and the
-configuration (`/etc/headscale/config.yaml`).
-
-## Installation
-
-1. Download the [latest Headscale package](https://github.com/juanfont/headscale/releases/latest) for your platform (`.deb` for Ubuntu and Debian).
-
-    ```shell
-    HEADSCALE_VERSION="" # See above URL for latest version, e.g. "X.Y.Z" (NOTE: do not add the "v" prefix!)
-    HEADSCALE_ARCH="" # Your system architecture, e.g. "amd64"
-    wget --output-document=headscale.deb \
-      "https://github.com/juanfont/headscale/releases/download/v${HEADSCALE_VERSION}/headscale_${HEADSCALE_VERSION}_linux_${HEADSCALE_ARCH}.deb"
-    ```
-
-1. Install Headscale:
-
-    ```shell
-    sudo apt install ./headscale.deb
-    ```
-
-1. Enable Headscale service, this will start Headscale at boot:
-
-    ```shell
-    sudo systemctl enable headscale
-    ```
-
-1. Configure Headscale by editing the configuration file:
-
-    ```shell
-    nano /etc/headscale/config.yaml
-    ```
-
-1. Start Headscale:
-
-    ```shell
-    sudo systemctl start headscale
-    ```
-
-1. Check that Headscale is running as intended:
-
-    ```shell
-    systemctl status headscale
-    ```
-
-## Using Headscale
-
-### Create a user
-
-```shell
-headscale users create myfirstuser
-```
-
-### Register a machine (normal login)
-
-On a client machine, run the `tailscale` login command:
-
-```shell
-tailscale up --login-server <YOUR_HEADSCALE_URL>
-```
-
-Register the machine:
-
-```shell
-headscale --user myfirstuser nodes register --key <YOUR_MACHINE_KEY>
-```
-
-### Register machine using a pre authenticated key
-
-Generate a key using the command line:
-
-```shell
-headscale --user myfirstuser preauthkeys create --reusable --expiration 24h
-```
-
-This will return a pre-authenticated key that is used to
-connect a node to `headscale` during the `tailscale` command:
-
-```shell
-tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
-```
--- a/docs/running-headscale-openbsd.md
+++ b/docs/running-headscale-openbsd.md
@@ -1,208 +0,0 @@
-# Running headscale on OpenBSD
-
-!!! warning "Community documentation"
-
-    This page is not actively maintained by the headscale authors and is
-    written by community members. It is _not_ verified by `headscale` developers.
-
-    **It might be outdated and it might miss necessary steps**.
-
-## Goal
-
-This documentation has the goal of showing a user how-to install and run `headscale` on OpenBSD.
-In additional to the "get up and running section", there is an optional [rc.d section](#running-headscale-in-the-background-with-rcd)
-describing how to make `headscale` run properly in a server environment.
-
-## Install `headscale`
-
-1. Install from ports
-
-    You can install headscale from ports by running `pkg_add headscale`.
-
-1. Install from source
-
-    ```shell
-    # Install prerequistes
-    pkg_add go
-
-    git clone https://github.com/juanfont/headscale.git
-
-    cd headscale
-
-    # optionally checkout a release
-    # option a. you can find official release at https://github.com/juanfont/headscale/releases/latest
-    # option b. get latest tag, this may be a beta release
-    latestTag=$(git describe --tags `git rev-list --tags --max-count=1`)
-
-    git checkout $latestTag
-
-    go build -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$latestTag" github.com/juanfont/headscale
-
-    # make it executable
-    chmod a+x headscale
-
-    # copy it to /usr/local/sbin
-    cp headscale /usr/local/sbin
-    ```
-
-1. Install from source via cross compile
-
-    ```shell
-    # Install prerequistes
-    # 1. go v1.20+: headscale newer than 0.21 needs go 1.20+ to compile
-    # 2. gmake: Makefile in the headscale repo is written in GNU make syntax
-
-    git clone https://github.com/juanfont/headscale.git
-
-    cd headscale
-
-    # optionally checkout a release
-    # option a. you can find official release at https://github.com/juanfont/headscale/releases/latest
-    # option b. get latest tag, this may be a beta release
-    latestTag=$(git describe --tags `git rev-list --tags --max-count=1`)
-
-    git checkout $latestTag
-
-    make build GOOS=openbsd
-
-    # copy headscale to openbsd machine and put it in /usr/local/sbin
-    ```
-
-## Configure and run `headscale`
-
-1. Prepare a directory to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database:
-
-    ```shell
-    # Directory for configuration
-
-    mkdir -p /etc/headscale
-
-    # Directory for Database, and other variable data (like certificates)
-    mkdir -p /var/lib/headscale
-    ```
-
-1. Create an empty SQLite database:
-
-    ```shell
-    touch /var/lib/headscale/db.sqlite
-    ```
-
-1. Create a `headscale` configuration:
-
-    ```shell
-    touch /etc/headscale/config.yaml
-    ```
-
-**(Strongly Recommended)** Download a copy of the [example configuration](https://github.com/juanfont/headscale/blob/main/config-example.yaml) from the headscale repository.
-
-1. Start the headscale server:
-
-    ```shell
-    headscale serve
-    ```
-
-    This command will start `headscale` in the current terminal session.
-
-    ***
-
-    To continue the tutorial, open a new terminal and let it run in the background.
-    Alternatively use terminal emulators like [tmux](https://github.com/tmux/tmux).
-
-    To run `headscale` in the background, please follow the steps in the [rc.d section](#running-headscale-in-the-background-with-rcd) before continuing.
-
-1. Verify `headscale` is running:
-
-    Verify `headscale` is available:
-
-    ```shell
-    curl http://127.0.0.1:9090/metrics
-    ```
-
-1. Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
-
-    ```shell
-    headscale users create myfirstuser
-    ```
-
-### Register a machine (normal login)
-
-On a client machine, execute the `tailscale` login command:
-
-```shell
-tailscale up --login-server YOUR_HEADSCALE_URL
-```
-
-Register the machine:
-
-```shell
-headscale --user myfirstuser nodes register --key <YOU_+MACHINE_KEY>
-```
-
-### Register machine using a pre authenticated key
-
-Generate a key using the command line:
-
-```shell
-headscale --user myfirstuser preauthkeys create --reusable --expiration 24h
-```
-
-This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
-
-```shell
-tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
-```
-
-## Running `headscale` in the background with rc.d
-
-This section demonstrates how to run `headscale` as a service in the background with [rc.d](https://man.openbsd.org/rc.d).
-
-1. Create a rc.d service at `/etc/rc.d/headscale` containing:
-
-    ```shell
-    #!/bin/ksh
-
-    daemon="/usr/local/sbin/headscale"
-    daemon_logger="daemon.info"
-    daemon_user="root"
-    daemon_flags="serve"
-    daemon_timeout=60
-
-    . /etc/rc.d/rc.subr
-
-    rc_bg=YES
-    rc_reload=NO
-
-    rc_cmd $1
-    ```
-
-1. `/etc/rc.d/headscale` needs execute permission:
-
-    ```shell
-    chmod a+x /etc/rc.d/headscale
-    ```
-
-1. Start `headscale` service:
-
-    ```shell
-    rcctl start headscale
-    ```
-
-1. Make `headscale` service start at boot:
-
-    ```shell
-    rcctl enable headscale
-    ```
-
-1. Verify the headscale service:
-
-    ```shell
-    rcctl check headscale
-    ```
-
-    Verify `headscale` is available:
-
-    ```shell
-    curl http://127.0.0.1:9090/metrics
-    ```
-
-    `headscale` will now run in the background and start at boot.
--- a/docs/running-headscale-sealos.md
+++ b/docs/running-headscale-sealos.md
@@ -1,136 +0,0 @@
-# Running headscale on Sealos
-
-!!! warning "Community documentation"
-
-    This page is not actively maintained by the headscale authors and is
-    written by community members. It is _not_ verified by `headscale` developers.
-
-    **It might be outdated and it might miss necessary steps**.
-
-## Goal
-
-This documentation has the goal of showing a user how-to run `headscale` on Sealos.
-
-## Running headscale server
-
-1. Click the following prebuilt template(version [0.23.0-alpha2](https://github.com/juanfont/headscale/releases/tag/v0.23.0-alpha2)):
-
-   [![](https://cdn.jsdelivr.net/gh/labring-actions/templates@main/Deploy-on-Sealos.svg)](https://cloud.sealos.io/?openapp=system-template%3FtemplateName%3Dheadscale)
-
-2. Click "Deploy Application" on the template page to start deployment. Upon completion, two applications appear: Headscale, and its [visual interface](https://github.com/GoodiesHQ/headscale-admin).
-3. Once deployment concludes, click 'Details' on the Headscale application page to navigate to the application's details.
-4. Wait for the application's status to switch to running. For accessing the headscale server, the Public Address associated with port 8080 is the address of the headscale server. To access the Headscale console, simply append `/admin/` to the Headscale public URL.
-
-   ![](./images/headscale-sealos-url.png)
-
-5. Click on 'Terminal' button on the right side of the details to access the Terminal of the headscale application. then create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
-
-   ```bash
-   headscale users create myfirstuser
-   ```
-
-### Register a machine (normal login)
-
-On a client machine, execute the `tailscale` login command:
-
-```bash
-# replace <YOUR_HEADSCALE_URL> with the public domain provided by Sealos
-tailscale up --login-server YOUR_HEADSCALE_URL
-```
-
-To register a machine when running headscale in [Sealos](https://sealos.io), click on 'Terminal' button on the right side of the headscale application's detail page to access the Terminal of the headscale application, then take the headscale command:
-
-```bash
-headscale --user myfirstuser nodes register --key <YOU_+MACHINE_KEY>
-```
-
-### Register machine using a pre authenticated key
-
-click on 'Terminal' button on the right side of the headscale application's detail page to access the Terminal of the headscale application, then generate a key using the command line:
-
-```bash
-headscale --user myfirstuser preauthkeys create --reusable --expiration 24h
-```
-
-This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
-
-```bash
-tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
-```
-
-## Controlling headscale with remote CLI
-
-This documentation has the goal of showing a user how-to set control a headscale instance from a remote machine with the headscale command line binary.
-
-### Create an API key
-
-We need to create an API key to authenticate our remote headscale when using it from our workstation.
-
-To create a API key, click on 'Terminal' button on the right side of the headscale application's detail page to access the Terminal of the headscale application, then generate a key:
-
-```bash
-headscale apikeys create --expiration 90d
-```
-
-Copy the output of the command and save it for later. Please note that you can not retrieve a key again, if the key is lost, expire the old one, and create a new key.
-
-To list the keys currently assosicated with the server:
-
-```bash
-headscale apikeys list
-```
-
-and to expire a key:
-
-```bash
-headscale apikeys expire --prefix "<PREFIX>"
-```
-
-### Download and configure `headscale` client
-
-1. Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):
-
-2. Put the binary somewhere in your `PATH`, e.g. `/usr/local/bin/headscale`
-
-3. Make `headscale` executable:
-
-```shell
-chmod +x /usr/local/bin/headscale
-```
-
-4. Configure the CLI through Environment Variables
-
-```shell
-export HEADSCALE_CLI_ADDRESS="<HEADSCALE ADDRESS>:443"
-export HEADSCALE_CLI_API_KEY="<API KEY FROM PREVIOUS STAGE>"
-```
-
-In the headscale application's detail page, The Public Address corresponding to port 50443 corresponds to the value of <HEADSCALE ADDRESS>.
-
-![](./images/headscale-sealos-grpc-url.png)
-
-for example:
-
-```shell
-export HEADSCALE_CLI_ADDRESS="pwnjnnly.cloud.sealos.io:443"
-export HEADSCALE_CLI_API_KEY="abcde12345"
-```
-
-This will tell the `headscale` binary to connect to a remote instance, instead of looking
-for a local instance.
-
-The API key is needed to make sure that your are allowed to access the server. The key is _not_
-needed when running directly on the server, as the connection is local.
-
-1. Test the connection
-
-Let us run the headscale command to verify that we can connect by listing our nodes:
-
-```shell
-headscale nodes list
-```
-
-You should now be able to see a list of your nodes from your workstation, and you can
-now control the `headscale` server from your workstation.
-
-> Reference: [Headscale Deployment and Usage Guide: Mastering Tailscale's Self-Hosting Basics](https://icloudnative.io/en/posts/how-to-set-up-or-migrate-headscale/)
--- a/docs/setup/install/community.md
+++ b/docs/setup/install/community.md
@@ -0,0 +1,55 @@
+# Community packages
+
+Several Linux distributions and community members provide packages for headscale. Those packages may be used instead of
+the [official releases](./official.md) provided by the headscale maintainers. Such packages offer improved integration
+for their targeted operating system and usually:
+
+- setup a dedicated local user account to run headscale
+- provide a default configuration
+- install headscale as system service
+
+!!! warning "Community packages might be outdated"
+
+    The packages mentioned on this page might be outdated or unmaintained. Use the [official releases](./official.md) to
+    get the current stable version or to test pre-releases.
+
+    [![Packaging status](https://repology.org/badge/vertical-allrepos/headscale.svg)](https://repology.org/project/headscale/versions)
+
+## Arch Linux
+
+Arch Linux offers a package for headscale, install via:
+
+```shell
+pacman -S headscale
+```
+
+The [AUR package `headscale-git`](https://aur.archlinux.org/packages/headscale-git) can be used to build the current
+development version.
+
+## Fedora, RHEL, CentOS
+
+A third-party repository for various RPM based distributions is available at:
+<https://copr.fedorainfracloud.org/coprs/jonathanspw/headscale/>. The site provides detailed setup and installation
+instructions.
+
+## Nix, NixOS
+
+A Nix package is available as: `headscale`. See the [NixOS package site for installation
+details](https://search.nixos.org/packages?show=headscale).
+
+## Gentoo
+
+```shell
+emerge --ask net-vpn/headscale
+```
+
+Gentoo specific documentation is available [here](https://wiki.gentoo.org/wiki/User:Maffblaster/Drafts/Headscale).
+
+## OpenBSD
+
+Headscale is available in ports. The port installs headscale as system service with `rc.d` and provides usage
+instructions upon installation.
+
+```shell
+pkg_add headscale
+```
--- a/docs/setup/install/container.md
+++ b/docs/setup/install/container.md
@@ -0,0 +1,154 @@
+# Running headscale in a container
+
+!!! warning "Community documentation"
+
+    This page is not actively maintained by the headscale authors and is
+    written by community members. It is _not_ verified by headscale developers.
+
+    **It might be outdated and it might miss necessary steps**.
+
+This documentation has the goal of showing a user how-to set up and run headscale in a container. A container runtime
+such as [Docker](https://www.docker.com) or [Podman](https://podman.io) is required. The container image can be found on
+[Docker Hub](https://hub.docker.com/r/headscale/headscale) and [GitHub Container
+Registry](https://github.com/juanfont/headscale/pkgs/container/headscale). The container image URLs are:
+
+- [Docker Hub](https://hub.docker.com/r/headscale/headscale): `docker.io/headscale/headscale:<VERSION>`
+- [GitHub Container Registry](https://github.com/juanfont/headscale/pkgs/container/headscale):
+  `ghcr.io/juanfont/headscale:<VERSION>`
+
+## Configure and run headscale
+
+1.  Create a directory on the Docker host to store headscale's [configuration](../../ref/configuration.md) and the [SQLite](https://www.sqlite.org/) database:
+
+    ```shell
+    mkdir -p ./headscale/{config,lib,run}
+    cd ./headscale
+    ```
+
+1.  Download the example configuration for your chosen version and save it as: `$(pwd)/config/config.yaml`. Adjust the
+    configuration to suit your local environment. See [Configuration](../../ref/configuration.md) for details.
+
+1.  Start headscale from within the previously created `./headscale` directory:
+
+    ```shell
+    docker run \
+      --name headscale \
+      --detach \
+      --volume "$(pwd)/config:/etc/headscale" \
+      --volume "$(pwd)/lib:/var/lib/headscale" \
+      --volume "$(pwd)/run:/var/run/headscale" \
+      --publish 127.0.0.1:8080:8080 \
+      --publish 127.0.0.1:9090:9090 \
+      docker.io/headscale/headscale:<VERSION> \
+      serve
+    ```
+
+    Note: use `0.0.0.0:8080:8080` instead of `127.0.0.1:8080:8080` if you want to expose the container externally.
+
+    This command mounts the local directories inside the container, forwards port 8080 and 9090 out of the container so
+    the headscale instance becomes available and then detaches so headscale runs in the background.
+
+    A similar configuration for `docker-compose`:
+
+    ```yaml title="docker-compose.yaml"
+    services:
+      headscale:
+        image: docker.io/headscale/headscale:<VERSION>
+        restart: unless-stopped
+        container_name: headscale
+        ports:
+          - "127.0.0.1:8080:8080"
+          - "127.0.0.1:9090:9090"
+        volumes:
+          # Please set <HEADSCALE_PATH> to the absolute path
+          # of the previously created headscale directory.
+          - <HEADSCALE_PATH>/config:/etc/headscale
+          - <HEADSCALE_PATH>/lib:/var/lib/headscale
+          - <HEADSCALE_PATH>/run:/var/run/headscale
+        command: serve
+    ```
+
+1.  Verify headscale is running:
+
+    Follow the container logs:
+
+    ```shell
+    docker logs --follow headscale
+    ```
+
+    Verify running containers:
+
+    ```shell
+    docker ps
+    ```
+
+    Verify headscale is available:
+
+    ```shell
+    curl http://127.0.0.1:9090/metrics
+    ```
+
+1.  Create a headscale user:
+
+    ```shell
+    docker exec -it headscale \
+      headscale users create myfirstuser
+    ```
+
+### Register a machine (normal login)
+
+On a client machine, execute the `tailscale up` command to login:
+
+```shell
+tailscale up --login-server YOUR_HEADSCALE_URL
+```
+
+To register a machine when running headscale in a container, take the headscale command and pass it to the container:
+
+```shell
+docker exec -it headscale \
+  headscale nodes register --user myfirstuser --key <YOUR_MACHINE_KEY>
+```
+
+### Register a machine using a pre authenticated key
+
+Generate a key using the command line for the user with ID 1:
+
+```shell
+docker exec -it headscale \
+  headscale preauthkeys create --user 1 --reusable --expiration 24h
+```
+
+This will return a pre-authenticated key that can be used to connect a node to headscale with the `tailscale up` command:
+
+```shell
+tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
+```
+
+## Debugging headscale running in Docker
+
+The Headscale container image is based on a "distroless" image that does not contain a shell or any other debug tools. If you need to debug headscale running in the Docker container, you can use the `-debug` variant, for example `docker.io/headscale/headscale:x.x.x-debug`.
+
+### Running the debug Docker container
+
+To run the debug Docker container, use the exact same commands as above, but replace `docker.io/headscale/headscale:x.x.x` with `docker.io/headscale/headscale:x.x.x-debug` (`x.x.x` is the version of headscale). The two containers are compatible with each other, so you can alternate between them.
+
+### Executing commands in the debug container
+
+The default command in the debug container is to run `headscale`, which is located at `/ko-app/headscale` inside the container.
+
+Additionally, the debug container includes a minimalist Busybox shell.
+
+To launch a shell in the container, use:
+
+```shell
+docker run -it docker.io/headscale/headscale:x.x.x-debug sh
+```
+
+You can also execute commands directly, such as `ls /ko-app` in this example:
+
+```shell
+docker run docker.io/headscale/headscale:x.x.x-debug ls /ko-app
+```
+
+Using `docker exec -it` allows you to run commands in an existing container.
--- a/docs/setup/install/official.md
+++ b/docs/setup/install/official.md
@@ -0,0 +1,117 @@
+# Official releases
+
+Official releases for headscale are available as binaries for various platforms and DEB packages for Debian and Ubuntu.
+Both are available on the [GitHub releases page](https://github.com/juanfont/headscale/releases).
+
+## Using packages for Debian/Ubuntu (recommended)
+
+It is recommended to use our DEB packages to install headscale on a Debian based system as those packages configure a
+local user to run headscale, provide a default configuration and ship with a systemd service file. Supported
+distributions are Ubuntu 22.04 or newer, Debian 11 or newer.
+
+1.  Download the [latest headscale package](https://github.com/juanfont/headscale/releases/latest) for your platform (`.deb` for Ubuntu and Debian).
+
+    ```shell
+    HEADSCALE_VERSION="" # See above URL for latest version, e.g. "X.Y.Z" (NOTE: do not add the "v" prefix!)
+    HEADSCALE_ARCH="" # Your system architecture, e.g. "amd64"
+    wget --output-document=headscale.deb \
+     "https://github.com/juanfont/headscale/releases/download/v${HEADSCALE_VERSION}/headscale_${HEADSCALE_VERSION}_linux_${HEADSCALE_ARCH}.deb"
+    ```
+
+1.  Install headscale:
+
+    ```shell
+    sudo apt install ./headscale.deb
+    ```
+
+1.  [Configure headscale by editing the configuration file](../../ref/configuration.md):
+
+    ```shell
+    sudo nano /etc/headscale/config.yaml
+    ```
+
+1.  Enable and start the headscale service:
+
+    ```shell
+    sudo systemctl enable --now headscale
+    ```
+
+1.  Verify that headscale is running as intended:
+
+    ```shell
+    sudo systemctl status headscale
+    ```
+
+## Using standalone binaries (advanced)
+
+!!! warning "Advanced"
+
+    This installation method is considered advanced as one needs to take care of the local user and the systemd
+    service themselves. If possible, use the [DEB packages](#using-packages-for-debianubuntu-recommended) or a
+    [community package](./community.md) instead.
+
+This section describes the installation of headscale according to the [Requirements and
+assumptions](../requirements.md#assumptions). Headscale is run by a dedicated local user and the service itself is
+managed by systemd.
+
+1.  Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):
+
+    ```shell
+    sudo wget --output-document=/usr/local/bin/headscale \
+    https://github.com/juanfont/headscale/releases/download/v<HEADSCALE VERSION>/headscale_<HEADSCALE VERSION>_linux_<ARCH>
+    ```
+
+1.  Make `headscale` executable:
+
+    ```shell
+    sudo chmod +x /usr/local/bin/headscale
+    ```
+
+1.  Add a dedicated local user to run headscale:
+
+    ```shell
+    sudo useradd \
+     --create-home \
+     --home-dir /var/lib/headscale/ \
+     --system \
+     --user-group \
+     --shell /usr/sbin/nologin \
+     headscale
+    ```
+
+1.  Download the example configuration for your chosen version and save it as: `/etc/headscale/config.yaml`. Adjust the
+    configuration to suit your local environment. See [Configuration](../../ref/configuration.md) for details.
+
+    ```shell
+    sudo mkdir -p /etc/headscale
+    sudo nano /etc/headscale/config.yaml
+    ```
+
+1.  Copy [headscale's systemd service file](https://github.com/juanfont/headscale/blob/main/packaging/systemd/headscale.service)
+    to `/etc/systemd/system/headscale.service` and adjust it to suit your local setup. The following parameters likely need
+    to be modified: `ExecStart`, `WorkingDirectory`, `ReadWritePaths`.
+
+1.  In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with a path that is writable by the
+    `headscale` user or group:
+
+    ```yaml title="config.yaml"
+    unix_socket: /var/run/headscale/headscale.sock
+    ```
+
+1.  Reload systemd to load the new configuration file:
+
+    ```shell
+    systemctl daemon-reload
+    ```
+
+1.  Enable and start the new headscale service:
+
+    ```shell
+    systemctl enable --now headscale
+    ```
+
+1.  Verify that headscale is running as intended:
+
+    ```shell
+    systemctl status headscale
+    ```
--- a/Show More
+++ b/Show More