update changelog (#2414 )

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
hscontrol/db: add migration setting non existing pak on nodes to null (#2412 )
2025-08-15 05:57:43 +00:00 · 2025-02-07 11:32:01 +01:00 · 2025-02-07 10:22:23 +01:00 · 2025-02-05 17:29:30 +01:00 · 2025-02-05 12:02:32 +01:00 · 2025-02-05 11:05:03 +01:00
324 changed files with 33622 additions and 24181 deletions
--- a/.coderabbit.yaml
+++ b/.coderabbit.yaml
@@ -0,0 +1,15 @@
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+language: "en-GB"
+early_access: false
+reviews:
+  profile: "chill"
+  request_changes_workflow: false
+  high_level_summary: true
+  poem: true
+  review_status: true
+  collapse_walkthrough: false
+  auto_review:
+    enabled: true
+    drafts: true
+chat:
+  auto_reply: true
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1,10 +1,10 @@
 * @juanfont @kradalby

-*.md @ohdearaugustin
-*.yml @ohdearaugustin
-*.yaml @ohdearaugustin
-Dockerfile* @ohdearaugustin
-.goreleaser.yaml @ohdearaugustin
-/docs/ @ohdearaugustin
-/.github/workflows/ @ohdearaugustin
-/.github/renovate.json @ohdearaugustin
+*.md @ohdearaugustin @nblock
+*.yml @ohdearaugustin @nblock
+*.yaml @ohdearaugustin @nblock
+Dockerfile* @ohdearaugustin @nblock
+.goreleaser.yaml @ohdearaugustin @nblock
+/docs/ @ohdearaugustin @nblock
+/.github/workflows/ @ohdearaugustin @nblock
+/.github/renovate.json @ohdearaugustin @nblock
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -1,52 +0,0 @@
---
-name: "Bug report"
-about: "Create a bug report to help us improve"
-title: ""
-labels: ["bug"]
-assignees: ""
---
-
-<!--
-Before posting a bug report, discuss the behaviour you are expecting with the Discord community
-to make sure that it is truly a bug.
-The issue tracker is not the place to ask for support or how to set up Headscale.
-
-Bug reports without the sufficient information will be closed.
-
-Headscale is a multinational community across the globe. Our language is English.
-All bug reports needs to be in English.
-->
-
-## Bug description
-
-<!-- A clear and concise description of what the bug is. Describe the expected bahavior
-  and how it is currently different. If you are unsure if it is a bug, consider discussing
-  it on our Discord server first. -->
-
-## Environment
-
-<!-- Please add relevant information about your system. For example:
- Version of headscale used
- Version of tailscale client
- OS (e.g. Linux, Mac, Cygwin, WSL, etc.) and version
- Kernel version
- The relevant config parameters you used
- Log output
-->
-
- OS:
- Headscale version:
- Tailscale version:
-
-<!--
-We do not support running Headscale in a container nor behind a (reverse) proxy.
-If either of these are true for your environment, ask the community in Discord
-instead of filing a bug report.
-->
-
- [ ] Headscale is behind a (reverse) proxy
- [ ] Headscale runs in a container
-
-## To Reproduce
-
-<!-- Steps to reproduce the behavior. -->
--- a/.github/ISSUE_TEMPLATE/bug_report.yaml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yaml
@@ -0,0 +1,83 @@
+name: 🐞 Bug
+description: File a bug/issue
+title: "[Bug] <title>"
+labels: ["bug", "needs triage"]
+body:
+  - type: checkboxes
+    attributes:
+      label: Is this a support request?
+      description: This issue tracker is for bugs and feature requests only. If you need help, please use ask in our Discord community
+      options:
+        - label: This is not a support request
+          required: true
+  - type: checkboxes
+    attributes:
+      label: Is there an existing issue for this?
+      description: Please search to see if an issue already exists for the bug you encountered.
+      options:
+        - label: I have searched the existing issues
+          required: true
+  - type: textarea
+    attributes:
+      label: Current Behavior
+      description: A concise description of what you're experiencing.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Expected Behavior
+      description: A concise description of what you expected to happen.
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Steps To Reproduce
+      description: Steps to reproduce the behavior.
+      placeholder: |
+        1. In this environment...
+        1. With this config...
+        1. Run '...'
+        1. See error...
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Environment
+      description: |
+        examples:
+          - **OS**: Ubuntu 20.04
+          - **Headscale version**: 0.22.3
+          - **Tailscale version**: 1.64.0
+      value: |
+        - OS:
+        - Headscale version:
+        - Tailscale version:
+      render: markdown
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Runtime environment
+      options:
+        - label: Headscale is behind a (reverse) proxy
+          required: false
+        - label: Headscale runs in a container
+          required: false
+  - type: textarea
+    attributes:
+      label: Anything else?
+      description: |
+        Links? References? Anything that will give us more context about the issue you are encountering!
+
+        - Client netmap dump (see below)
+        - ACL configuration
+        - Headscale configuration
+
+        Dump the netmap of tailscale clients:
+        `tailscale debug netmap > DESCRIPTIVE_NAME.json`
+
+        Please provide information describing the netmap, which client, which headscale version etc.
+
+        Tip: You can attach images or log files by clicking this area to highlight it and then dragging files in.
+    validations:
+      required: false
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -1,26 +0,0 @@
---
-name: "Feature request"
-about: "Suggest an idea for headscale"
-title: ""
-labels: ["enhancement"]
-assignees: ""
---
-
-<!--
-We typically have a clear roadmap for what we want to improve and reserve the right
-to close feature requests that does not fit in the roadmap, or fit with the scope
-of the project, or we actually want to implement ourselves.
-
-Headscale is a multinational community across the globe. Our language is English.
-All bug reports needs to be in English.
-->
-
-## Why
-
-<!-- Include the reason, why you would need the feature. E.g. what problem
-  does it solve? Or which workflow is currently frustrating and will be improved by
-  this? -->
-
-## Description
-
-<!-- A clear and precise description of what new or changed feature you want. -->
--- a/.github/ISSUE_TEMPLATE/feature_request.yaml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yaml
@@ -0,0 +1,36 @@
+name: 🚀 Feature Request
+description: Suggest an idea for Headscale
+title: "[Feature] <title>"
+labels: [enhancement]
+body:
+  - type: textarea
+    attributes:
+      label: Use case
+      description: Please describe the use case for this feature.
+      placeholder: |
+        <!-- Include the reason, why you would need the feature. E.g. what problem
+          does it solve? Or which workflow is currently frustrating and will be improved by
+          this? -->
+    validations:
+      required: true
+  - type: textarea
+    attributes:
+      label: Description
+      description: A clear and precise description of what new or changed feature you want.
+    validations:
+      required: true
+  - type: checkboxes
+    attributes:
+      label: Contribution
+      description: Are you willing to contribute to the implementation of this feature?
+      options:
+        - label: I can write the design doc for this feature
+          required: false
+        - label: I can contribute this feature
+          required: false
+  - type: textarea
+    attributes:
+      label: How can it be implemented?
+      description: Free text for your ideas on how this feature could be implemented.
+    validations:
+      required: false
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -12,7 +12,7 @@ If you find mistakes in the documentation, please submit a fix to the documentat

 <!-- Please tick if the following things apply. You… -->

- [ ] read the [CONTRIBUTING guidelines](README.md#contributing)
+- [ ] have read the [CONTRIBUTING.md](./CONTRIBUTING.md) file
 - [ ] raised a GitHub issue or discussed it on the projects chat beforehand
 - [ ] added unit tests
 - [ ] added integration tests
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,34 +13,32 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  build:
+  build-nix:
    runs-on: ubuntu-latest
    permissions: write-all
-
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
-
      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@v34
+        uses: dorny/paths-filter@v3
        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
+          filters: |
+            files:
+              - '*.nix'
+              - 'go.*'
+              - '**/*.go'
+              - 'integration_test/'
+              - 'config-example.yaml'
      - uses: DeterminateSystems/nix-installer-action@main
-        if: steps.changed-files.outputs.any_changed == 'true'
+        if: steps.changed-files.outputs.files == 'true'
      - uses: DeterminateSystems/magic-nix-cache-action@main
-        if: steps.changed-files.outputs.any_changed == 'true'
+        if: steps.changed-files.outputs.files == 'true'

-      - name: Run build
+      - name: Run nix build
        id: build
-        if: steps.changed-files.outputs.any_changed == 'true'
+        if: steps.changed-files.outputs.files == 'true'
        run: |
          nix build |& tee build-result
          BUILD_STATUS="${PIPESTATUS[0]}"
@@ -66,8 +64,32 @@ jobs:
              body: 'Nix build failed with wrong gosum, please update "vendorSha256" (${{ steps.build.outputs.OLD_HASH }}) for the "headscale" package in flake.nix with the new SHA: ${{ steps.build.outputs.NEW_HASH }}'
            })

-      - uses: actions/upload-artifact@v3
-        if: steps.changed-files.outputs.any_changed == 'true'
+      - uses: actions/upload-artifact@v4
+        if: steps.changed-files.outputs.files == 'true'
        with:
          name: headscale-linux
          path: result/bin/headscale
+  build-cross:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        env:
+          - "GOARCH=arm   GOOS=linux GOARM=5"
+          - "GOARCH=arm   GOOS=linux GOARM=6"
+          - "GOARCH=arm   GOOS=linux GOARM=7"
+          - "GOARCH=arm64 GOOS=linux"
+          - "GOARCH=386   GOOS=linux"
+          - "GOARCH=amd64 GOOS=linux"
+          - "GOARCH=arm64 GOOS=darwin"
+          - "GOARCH=amd64 GOOS=darwin"
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Run go cross compile
+        run: env ${{ matrix.env }} nix develop --command -- go build -o "headscale" ./cmd/headscale
+      - uses: actions/upload-artifact@v4
+        with:
+          name: "headscale-${{ matrix.env }}"
+          path: "headscale"
--- a/.github/workflows/check-tests.yaml
+++ b/.github/workflows/check-tests.yaml
@@ -0,0 +1,41 @@
+name: Check integration tests workflow
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  check-tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      - name: Get changed files
+        id: changed-files
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            files:
+              - '*.nix'
+              - 'go.*'
+              - '**/*.go'
+              - 'integration_test/'
+              - 'config-example.yaml'
+      - uses: DeterminateSystems/nix-installer-action@main
+        if: steps.changed-files.outputs.files == 'true'
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+        if: steps.changed-files.outputs.files == 'true'
+
+      - name: Generate and check integration tests
+        if: steps.changed-files.outputs.files == 'true'
+        run: |
+          nix develop --command bash -c "cd .github/workflows && go generate"
+          git diff --exit-code .github/workflows/test-integration.yaml
+
+      - name: Show missing tests
+        if: failure()
+        run: |
+          git diff .github/workflows/test-integration.yaml
--- a/.github/workflows/contributors.yml
+++ b/.github/workflows/contributors.yml
@@ -1,35 +0,0 @@
-name: Contributors
-
-on:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-jobs:
-  add-contributors:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - name: Delete upstream contributor branch
-        # Allow continue on failure to account for when the
-        # upstream branch is deleted or does not exist.
-        continue-on-error: true
-        run: git push origin --delete update-contributors
-      - name: Create up-to-date contributors branch
-        run: git checkout -B update-contributors
-      - name: Push empty contributors branch
-        run: git push origin update-contributors
-      - name: Switch back to main
-        run: git checkout main
-      - uses: BobAnkh/add-contributors@v0.2.2
-        with:
-          CONTRIBUTOR: "## Contributors"
-          COLUMN_PER_ROW: "6"
-          ACCESS_TOKEN: ${{secrets.GITHUB_TOKEN}}
-          IMG_WIDTH: "100"
-          FONT_SIZE: "14"
-          PATH: "/README.md"
-          COMMIT_MESSAGE: "docs(README): update contributors"
-          AVATAR_SHAPE: "round"
-          BRANCH: "update-contributors"
-          PULL_REQUEST: "main"
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -0,0 +1,51 @@
+name: Deploy docs
+
+on:
+  push:
+    branches:
+      # Main branch for development docs
+      - main
+
+      # Doc maintenance branches
+      - doc/[0-9]+.[0-9]+.[0-9]+
+    tags:
+      # Stable release tags
+      - v[0-9]+.[0-9]+.[0-9]+
+    paths:
+      - "docs/**"
+      - "mkdocs.yml"
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Install python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.x
+      - name: Setup cache
+        uses: actions/cache@v4
+        with:
+          key: ${{ github.ref }}
+          path: .cache
+      - name: Setup dependencies
+        run: pip install -r docs/requirements.txt
+      - name: Configure git
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+      - name: Deploy development docs
+        if: github.ref == 'refs/heads/main'
+        run: mike deploy --push development unstable
+      - name: Deploy stable docs from doc branches
+        if: startsWith(github.ref, 'refs/heads/doc/')
+        run: mike deploy --push ${GITHUB_REF_NAME##*/}
+      - name: Deploy stable docs from tag
+        if: startsWith(github.ref, 'refs/tags/v')
+        # This assumes that only newer tags are pushed
+        run: mike deploy --push --update-aliases ${GITHUB_REF_NAME#v} stable latest
--- a/.github/workflows/docs-test.yml
+++ b/.github/workflows/docs-test.yml
@@ -0,0 +1,27 @@
+name: Test documentation build
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install python
+        uses: actions/setup-python@v5
+        with:
+          python-version: 3.x
+      - name: Setup cache
+        uses: actions/cache@v4
+        with:
+          key: ${{ github.ref }}
+          path: .cache
+      - name: Setup dependencies
+        run: pip install -r docs/requirements.txt
+      - name: Build docs
+        run: mkdocs build --strict
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,45 +0,0 @@
-name: Build documentation
-on:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-      - name: Install python
-        uses: actions/setup-python@v4
-        with:
-          python-version: 3.x
-      - name: Setup cache
-        uses: actions/cache@v2
-        with:
-          key: ${{ github.ref }}
-          path: .cache
-      - name: Setup dependencies
-        run: pip install mkdocs-material pillow cairosvg mkdocs-minify-plugin
-      - name: Build docs
-        run: mkdocs build --strict
-      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v1
-        with:
-          path: ./site
-  deploy:
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
-    runs-on: ubuntu-latest
-    needs: build
-    steps:
-      - name: Deploy to GitHub Pages
-        id: deployment
-        uses: actions/deploy-pages@v1
--- a/.github/workflows/gh-action-integration-generator.go
+++ b/.github/workflows/gh-action-integration-generator.go
@@ -0,0 +1,73 @@
+package main
+
+//go:generate go run ./gh-action-integration-generator.go
+
+import (
+	"bytes"
+	"fmt"
+	"log"
+	"os/exec"
+	"strings"
+)
+
+func findTests() []string {
+	rgBin, err := exec.LookPath("rg")
+	if err != nil {
+		log.Fatalf("failed to find rg (ripgrep) binary")
+	}
+
+	args := []string{
+		"--regexp", "func (Test.+)\\(.*",
+		"../../integration/",
+		"--replace", "$1",
+		"--sort", "path",
+		"--no-line-number",
+		"--no-filename",
+		"--no-heading",
+	}
+
+	cmd := exec.Command(rgBin, args...)
+	var out bytes.Buffer
+	cmd.Stdout = &out
+	err = cmd.Run()
+	if err != nil {
+		log.Fatalf("failed to run command: %s", err)
+	}
+
+	tests := strings.Split(strings.TrimSpace(out.String()), "\n")
+	return tests
+}
+
+func updateYAML(tests []string) {
+	testsForYq := fmt.Sprintf("[%s]", strings.Join(tests, ", "))
+
+	yqCommand := fmt.Sprintf(
+		"yq eval '.jobs.integration-test.strategy.matrix.test = %s' ./test-integration.yaml -i",
+		testsForYq,
+	)
+	cmd := exec.Command("bash", "-c", yqCommand)
+
+	var stdout bytes.Buffer
+	var stderr bytes.Buffer
+	cmd.Stdout = &stdout
+	cmd.Stderr = &stderr
+	err := cmd.Run()
+	if err != nil {
+		log.Printf("stdout: %s", stdout.String())
+		log.Printf("stderr: %s", stderr.String())
+		log.Fatalf("failed to run yq command: %s", err)
+	}
+
+	fmt.Println("YAML file updated successfully")
+}
+
+func main() {
+	tests := findTests()
+
+	quotedTests := make([]string, len(tests))
+	for i, test := range tests {
+		quotedTests[i] = fmt.Sprintf("\"%s\"", test)
+	}
+
+	updateYAML(quotedTests)
+}
--- a/.github/workflows/gh-actions-updater.yaml
+++ b/.github/workflows/gh-actions-updater.yaml
@@ -1,6 +1,5 @@
 name: GitHub Actions Version Updater

-# Controls when the action will run.
 on:
  schedule:
    # Automatically run on every Sunday
@@ -8,16 +7,17 @@ on:

 jobs:
  build:
+    if: github.repository == 'juanfont/headscale'
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
        with:
          # [Required] Access token with `workflow` scope.
          token: ${{ secrets.WORKFLOW_SECRET }}

      - name: Run GitHub Actions Version Updater
-        uses: saadmk11/github-actions-version-updater@v0.7.1
+        uses: saadmk11/github-actions-version-updater@v0.8.1
        with:
          # [Required] Access token with `workflow` scope.
          token: ${{ secrets.WORKFLOW_SECRET }}
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -1,7 +1,6 @@
---
 name: Lint

-on: [push, pull_request]
+on: [pull_request]

 concurrency:
  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
@@ -11,70 +10,66 @@ jobs:
  golangci-lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
-
      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@v34
+        uses: dorny/paths-filter@v3
        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
+          filters: |
+            files:
+              - '*.nix'
+              - 'go.*'
+              - '**/*.go'
+              - 'integration_test/'
+              - 'config-example.yaml'
+      - uses: DeterminateSystems/nix-installer-action@main
+        if: steps.changed-files.outputs.files == 'true'
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+        if: steps.changed-files.outputs.files == 'true'

      - name: golangci-lint
-        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: golangci/golangci-lint-action@v2
-        with:
-          version: v1.51.2
-
-          # Only block PRs on new problems.
-          # If this is not enabled, we will end up having PRs
-          # blocked because new linters has appared and other
-          # parts of the code is affected.
-          only-new-issues: true
+        if: steps.changed-files.outputs.files == 'true'
+        run: nix develop --command -- golangci-lint run --new-from-rev=${{github.event.pull_request.base.sha}} --out-format=colored-line-number

  prettier-lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 2
-
      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@v14.1
+        uses: dorny/paths-filter@v3
        with:
-          files: |
-            *.nix
-            **/*.md
-            **/*.yml
-            **/*.yaml
-            **/*.ts
-            **/*.js
-            **/*.sass
-            **/*.css
-            **/*.scss
-            **/*.html
+          filters: |
+            files:
+              - '*.nix'
+              - '**/*.md'
+              - '**/*.yml'
+              - '**/*.yaml'
+              - '**/*.ts'
+              - '**/*.js'
+              - '**/*.sass'
+              - '**/*.css'
+              - '**/*.scss'
+              - '**/*.html'
+      - uses: DeterminateSystems/nix-installer-action@main
+        if: steps.changed-files.outputs.files == 'true'
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+        if: steps.changed-files.outputs.files == 'true'

      - name: Prettify code
-        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: creyD/prettier_action@v4.3
-        with:
-          prettier_options: >-
-            --check **/*.{ts,js,md,yaml,yml,sass,css,scss,html}
-          only_changed: false
-          dry: true
+        if: steps.changed-files.outputs.files == 'true'
+        run: nix develop --command -- prettier --no-error-on-unmatched-pattern --ignore-unknown --check **/*.{ts,js,md,yaml,yml,sass,css,scss,html}

  proto-lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v2
-      - uses: bufbuild/buf-setup-action@v1.7.0
-      - uses: bufbuild/buf-lint-action@v1
-        with:
-          input: "proto"
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Buf lint
+        run: nix develop --command -- buf lint proto
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@@ -1,138 +0,0 @@
---
-name: Release Docker
-
-on:
-  push:
-    tags:
-      - "*" # triggers only if push new tag version
-  workflow_dispatch:
-
-jobs:
-  docker-release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Set up QEMU for multiple platforms
-        uses: docker/setup-qemu-action@master
-        with:
-          platforms: arm64,amd64
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache
-          key: ${{ runner.os }}-buildx-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-
-      - name: Docker meta
-        id: meta
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
-            ghcr.io/${{ github.repository_owner }}/headscale
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha
-            type=raw,value=develop
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          context: .
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache-new
-          build-args: |
-            VERSION=${{ steps.meta.outputs.version }}
-      - name: Prepare cache for next build
-        run: |
-          rm -rf /tmp/.buildx-cache
-          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
-
-  docker-debug-release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Set up QEMU for multiple platforms
-        uses: docker/setup-qemu-action@master
-        with:
-          platforms: arm64,amd64
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache-debug
-          key: ${{ runner.os }}-buildx-debug-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-debug-
-      - name: Docker meta
-        id: meta-debug
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
-            ghcr.io/${{ github.repository_owner }}/headscale
-          flavor: |
-            suffix=-debug,onlatest=true
-          tags: |
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
-            type=sha
-            type=raw,value=develop
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          context: .
-          file: Dockerfile.debug
-          tags: ${{ steps.meta-debug.outputs.tags }}
-          labels: ${{ steps.meta-debug.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=local,src=/tmp/.buildx-cache-debug
-          cache-to: type=local,dest=/tmp/.buildx-cache-debug-new
-          build-args: |
-            VERSION=${{ steps.meta-debug.outputs.version }}
-      - name: Prepare cache for next build
-        run: |
-          rm -rf /tmp/.buildx-cache-debug
-          mv /tmp/.buildx-cache-debug-new /tmp/.buildx-cache-debug
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,13 +9,27 @@ on:

 jobs:
  goreleaser:
+    if: github.repository == 'juanfont/headscale'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
        with:
          fetch-depth: 0

+      - name: Login to DockerHub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: DeterminateSystems/magic-nix-cache-action@main

--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,25 @@
+name: Close inactive issues
+
+on:
+  schedule:
+    - cron: "30 1 * * *"
+
+jobs:
+  close-issues:
+    if: github.repository == 'juanfont/headscale'
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v9
+        with:
+          days-before-issue-stale: 90
+          days-before-issue-close: 7
+          stale-issue-label: "stale"
+          stale-issue-message: "This issue is stale because it has been open for 90 days with no activity."
+          close-issue-message: "This issue was closed because it has been inactive for 14 days since being marked as stale."
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          exempt-issue-labels: "no-stale-bot"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/test-integration-v2-TestACLAllowStarDst.yaml
+++ b/.github/workflows/test-integration-v2-TestACLAllowStarDst.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestACLAllowStarDst
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestACLAllowStarDst$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLAllowUser80Dst.yaml
+++ b/.github/workflows/test-integration-v2-TestACLAllowUser80Dst.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestACLAllowUser80Dst
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestACLAllowUser80Dst$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLAllowUserDst.yaml
+++ b/.github/workflows/test-integration-v2-TestACLAllowUserDst.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestACLAllowUserDst
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestACLAllowUserDst$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLDenyAllPort80.yaml
+++ b/.github/workflows/test-integration-v2-TestACLDenyAllPort80.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestACLDenyAllPort80
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestACLDenyAllPort80$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLDevice1CanAccessDevice2.yaml
+++ b/.github/workflows/test-integration-v2-TestACLDevice1CanAccessDevice2.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestACLDevice1CanAccessDevice2
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestACLDevice1CanAccessDevice2$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLHostsInNetMapTable.yaml
+++ b/.github/workflows/test-integration-v2-TestACLHostsInNetMapTable.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestACLHostsInNetMapTable
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestACLHostsInNetMapTable$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLNamedHostsCanReach.yaml
+++ b/.github/workflows/test-integration-v2-TestACLNamedHostsCanReach.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestACLNamedHostsCanReach
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestACLNamedHostsCanReach$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLNamedHostsCanReachBySubnet.yaml
+++ b/.github/workflows/test-integration-v2-TestACLNamedHostsCanReachBySubnet.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestACLNamedHostsCanReachBySubnet
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestACLNamedHostsCanReachBySubnet$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestApiKeyCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestApiKeyCommand.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestApiKeyCommand
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestApiKeyCommand$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestAuthKeyLogoutAndRelogin
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestAuthKeyLogoutAndRelogin$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestAuthWebFlowAuthenticationPingAll
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestAuthWebFlowAuthenticationPingAll$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestAuthWebFlowLogoutAndRelogin
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestAuthWebFlowLogoutAndRelogin$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestCreateTailscale.yaml
+++ b/.github/workflows/test-integration-v2-TestCreateTailscale.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestCreateTailscale
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestCreateTailscale$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestDERPServerScenario.yaml
+++ b/.github/workflows/test-integration-v2-TestDERPServerScenario.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestDERPServerScenario
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestDERPServerScenario$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestEnablingRoutes.yaml
+++ b/.github/workflows/test-integration-v2-TestEnablingRoutes.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestEnablingRoutes
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestEnablingRoutes$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestEphemeral.yaml
+++ b/.github/workflows/test-integration-v2-TestEphemeral.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestEphemeral
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestEphemeral$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestExpireNode.yaml
+++ b/.github/workflows/test-integration-v2-TestExpireNode.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestExpireNode
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestExpireNode$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestHeadscale.yaml
+++ b/.github/workflows/test-integration-v2-TestHeadscale.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestHeadscale
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestHeadscale$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestNodeCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestNodeCommand.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestNodeCommand
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestNodeCommand$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestNodeExpireCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestNodeExpireCommand.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestNodeExpireCommand
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestNodeExpireCommand$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestNodeMoveCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestNodeMoveCommand.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestNodeMoveCommand
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestNodeMoveCommand$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestNodeRenameCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestNodeRenameCommand.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestNodeRenameCommand
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestNodeRenameCommand$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestNodeTagCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestNodeTagCommand.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestNodeTagCommand
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestNodeTagCommand$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml
+++ b/.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestOIDCAuthenticationPingAll
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestOIDCAuthenticationPingAll$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml
+++ b/.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestOIDCExpireNodesBasedOnTokenExpiry
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestOIDCExpireNodesBasedOnTokenExpiry$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPingAllByHostname.yaml
+++ b/.github/workflows/test-integration-v2-TestPingAllByHostname.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestPingAllByHostname
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestPingAllByHostname$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPingAllByIP.yaml
+++ b/.github/workflows/test-integration-v2-TestPingAllByIP.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestPingAllByIP
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestPingAllByIP$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestPreAuthKeyCommand
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestPreAuthKeyCommand$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestPreAuthKeyCommandReusableEphemeral
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestPreAuthKeyCommandReusableEphemeral$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestPreAuthKeyCommandWithoutExpiry
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestPreAuthKeyCommandWithoutExpiry$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml
+++ b/.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestResolveMagicDNS
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestResolveMagicDNS$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestSSHIsBlockedInACL
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestSSHIsBlockedInACL$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestSSHMultipleUsersAllToAll
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestSSHMultipleUsersAllToAll$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestSSHNoSSHConfigured
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestSSHNoSSHConfigured$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestSSHOneUserAllToAll
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestSSHOneUserAllToAll$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml
+++ b/.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestSSUserOnlyIsolation
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestSSUserOnlyIsolation$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestTaildrop.yaml
+++ b/.github/workflows/test-integration-v2-TestTaildrop.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestTaildrop
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestTaildrop$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml
+++ b/.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestTailscaleNodesJoiningHeadcale
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestTailscaleNodesJoiningHeadcale$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestUserCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestUserCommand.yaml
@@ -1,65 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestUserCommand
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestUserCommand$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration.yaml
+++ b/.github/workflows/test-integration.yaml
@@ -0,0 +1,156 @@
+name: Integration Tests
+# To debug locally on a branch, and when needing secrets
+# change this to include `push` so the build is ran on
+# the main repository.
+on: [pull_request]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+jobs:
+  integration-test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        test:
+          - TestACLHostsInNetMapTable
+          - TestACLAllowUser80Dst
+          - TestACLDenyAllPort80
+          - TestACLAllowUserDst
+          - TestACLAllowStarDst
+          - TestACLNamedHostsCanReachBySubnet
+          - TestACLNamedHostsCanReach
+          - TestACLDevice1CanAccessDevice2
+          - TestPolicyUpdateWhileRunningWithCLIInDatabase
+          - TestAuthKeyLogoutAndReloginSameUser
+          - TestAuthKeyLogoutAndReloginNewUser
+          - TestOIDCAuthenticationPingAll
+          - TestOIDCExpireNodesBasedOnTokenExpiry
+          - TestOIDC024UserCreation
+          - TestOIDCAuthenticationWithPKCE
+          - TestOIDCReloginSameNodeNewUser
+          - TestAuthWebFlowAuthenticationPingAll
+          - TestAuthWebFlowLogoutAndRelogin
+          - TestUserCommand
+          - TestPreAuthKeyCommand
+          - TestPreAuthKeyCommandWithoutExpiry
+          - TestPreAuthKeyCommandReusableEphemeral
+          - TestPreAuthKeyCorrectUserLoggedInCommand
+          - TestApiKeyCommand
+          - TestNodeTagCommand
+          - TestNodeAdvertiseTagCommand
+          - TestNodeCommand
+          - TestNodeExpireCommand
+          - TestNodeRenameCommand
+          - TestNodeMoveCommand
+          - TestPolicyCommand
+          - TestPolicyBrokenConfigCommand
+          - TestDERPVerifyEndpoint
+          - TestResolveMagicDNS
+          - TestResolveMagicDNSExtraRecordsPath
+          - TestValidateResolvConf
+          - TestDERPServerScenario
+          - TestDERPServerWebsocketScenario
+          - TestPingAllByIP
+          - TestPingAllByIPPublicDERP
+          - TestEphemeral
+          - TestEphemeralInAlternateTimezone
+          - TestEphemeral2006DeletedTooQuickly
+          - TestPingAllByHostname
+          - TestTaildrop
+          - TestUpdateHostnameFromClient
+          - TestExpireNode
+          - TestNodeOnlineStatus
+          - TestPingAllByIPManyUpDown
+          - Test2118DeletingOnlineNodePanics
+          - TestEnablingRoutes
+          - TestHASubnetRouterFailover
+          - TestEnableDisableAutoApprovedRoute
+          - TestAutoApprovedSubRoute2068
+          - TestSubnetRouteACL
+          - TestHeadscale
+          - TestCreateTailscale
+          - TestTailscaleNodesJoiningHeadcale
+          - TestSSHOneUserToAll
+          - TestSSHMultipleUsersAllToAll
+          - TestSSHNoSSHConfigured
+          - TestSSHIsBlockedInACL
+          - TestSSHUserOnlyIsolation
+        database: [postgres, sqlite]
+    env:
+      # Github does not allow us to access secrets in pull requests,
+      # so this env var is used to check if we have the secret or not.
+      # If we have the secrets, meaning we are running on push in a fork,
+      # there might be secrets available for more debugging.
+      # If TS_OAUTH_CLIENT_ID and TS_OAUTH_SECRET is set, then the job
+      # will join a debug tailscale network, set up SSH and a tmux session.
+      # The SSH will be configured to use the SSH key of the Github user
+      # that triggered the build.
+      HAS_TAILSCALE_SECRET: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+      - name: Get changed files
+        id: changed-files
+        uses: dorny/paths-filter@v3
+        with:
+          filters: |
+            files:
+              - '*.nix'
+              - 'go.*'
+              - '**/*.go'
+              - 'integration_test/'
+              - 'config-example.yaml'
+      - name: Tailscale
+        if: ${{ env.HAS_TAILSCALE_SECRET }}
+        uses: tailscale/github-action@v2
+        with:
+          oauth-client-id: ${{ secrets.TS_OAUTH_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TS_OAUTH_SECRET }}
+          tags: tag:gh
+      - name: Setup SSH server for Actor
+        if: ${{ env.HAS_TAILSCALE_SECRET }}
+        uses: alexellis/setup-sshd-actor@master
+      - uses: DeterminateSystems/nix-installer-action@main
+        if: steps.changed-files.outputs.files == 'true'
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+        if: steps.changed-files.outputs.files == 'true'
+      - uses: satackey/action-docker-layer-caching@main
+        if: steps.changed-files.outputs.files == 'true'
+        continue-on-error: true
+      - name: Run Integration Test
+        uses: Wandalen/wretry.action@master
+        if: steps.changed-files.outputs.files == 'true'
+        env:
+          USE_POSTGRES: ${{ matrix.database == 'postgres' && '1' || '0' }}
+        with:
+          attempt_limit: 5
+          command: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              --env HEADSCALE_INTEGRATION_POSTGRES=${{env.USE_POSTGRES}} \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^${{ matrix.test }}$"
+      - uses: actions/upload-artifact@v4
+        if: always() && steps.changed-files.outputs.files == 'true'
+        with:
+          name: ${{ matrix.test }}-${{matrix.database}}-logs
+          path: "control_logs/*.log"
+      - uses: actions/upload-artifact@v4
+        if: always() && steps.changed-files.outputs.files == 'true'
+        with:
+          name: ${{ matrix.test }}-${{matrix.database}}-pprof
+          path: "control_logs/*.pprof.tar"
+      - name: Setup a blocking tmux session
+        if: ${{ env.HAS_TAILSCALE_SECRET }}
+        uses: alexellis/block-with-tmux-action@master
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -11,26 +11,33 @@ jobs:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
        with:
          fetch-depth: 2

      - name: Get changed files
        id: changed-files
-        uses: tj-actions/changed-files@v34
+        uses: dorny/paths-filter@v3
        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
+          filters: |
+            files:
+              - '*.nix'
+              - 'go.*'
+              - '**/*.go'
+              - 'integration_test/'
+              - 'config-example.yaml'

      - uses: DeterminateSystems/nix-installer-action@main
-        if: steps.changed-files.outputs.any_changed == 'true'
+        if: steps.changed-files.outputs.files == 'true'
      - uses: DeterminateSystems/magic-nix-cache-action@main
-        if: steps.changed-files.outputs.any_changed == 'true'
+        if: steps.changed-files.outputs.files == 'true'

      - name: Run tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: nix develop --check
+        if: steps.changed-files.outputs.files == 'true'
+        env:
+          # As of 2025-01-06, these env vars was not automatically
+          # set anymore which breaks the initdb for postgres on
+          # some of the database migration tests.
+          LC_ALL: "en_US.UTF-8"
+          LC_CTYPE: "en_US.UTF-8"
+        run: nix develop --command -- gotestsum
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -0,0 +1,19 @@
+name: update-flake-lock
+on:
+  workflow_dispatch: # allows manual triggering
+  schedule:
+    - cron: "0 0 * * 0" # runs weekly on Sunday at 00:00
+
+jobs:
+  lockfile:
+    if: github.repository == 'juanfont/headscale'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@main
+      - name: Update flake.lock
+        uses: DeterminateSystems/update-flake-lock@main
+        with:
+          pr-title: "Update flake.lock"
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
 ignored/
+tailscale/
+.vscode/

 # Binaries for programs and plugins
 *.exe
@@ -20,6 +22,7 @@ dist/
 /headscale
 config.json
 config.yaml
+config*.yaml
 derp.yaml
 *.hujson
 *.key
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -10,19 +10,15 @@ issues:
 linters:
  enable-all: true
  disable:
-    - exhaustivestruct
+    - depguard
+
    - revive
    - lll
-    - interfacer
-    - scopelint
-    - maligned
-    - golint
    - gofmt
    - gochecknoglobals
    - gochecknoinits
    - gocognit
    - funlen
-    - exhaustivestruct
    - tagliatelle
    - godox
    - ireturn
@@ -30,13 +26,8 @@ linters:
    - exhaustruct
    - nolintlint
    - musttag # causes issues with imported libs
-
-    # deprecated
-    - structcheck # replaced by unused
-    - ifshort # deprecated by the owner
-    - varcheck # replaced by unused
-    - nosnakecase # replaced by revive
-    - deadcode # replaced by unused
+    - depguard
+    - exportloopref

    # We should strive to enable these:
    - wrapcheck
@@ -66,9 +57,14 @@ linters-settings:
      - ok
      - c
      - tt
+      - tx
+      - rx

  gocritic:
    disabled-checks:
      - appendAssign
      # TODO(kradalby): Remove this
      - ifElseChain
+
+  nlreturn:
+    block-size: 4
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,7 +1,8 @@
 ---
+version: 2
 before:
  hooks:
-    - go mod tidy -compat=1.20
+    - go mod tidy -compat=1.22
    - go mod vendor

 release:
@@ -9,7 +10,7 @@ release:

 builds:
  - id: headscale
-    main: ./cmd/headscale/headscale.go
+    main: ./cmd/headscale
    mod_timestamp: "{{ .CommitTimestamp }}"
    env:
      - CGO_ENABLED=0
@@ -63,7 +64,6 @@ nfpms:
    bindir: /usr/bin
    formats:
      - deb
-      # - rpm
    contents:
      - src: ./config-example.yaml
        dst: /etc/headscale/config.yaml
@@ -80,10 +80,71 @@ nfpms:
      postinstall: ./docs/packaging/postinstall.sh
      postremove: ./docs/packaging/postremove.sh

+kos:
+  - id: ghcr
+    repositories:
+      - ghcr.io/juanfont/headscale
+      - headscale/headscale
+
+    # bare tells KO to only use the repository
+    # for tagging and naming the container.
+    bare: true
+    base_image: gcr.io/distroless/base-debian12
+    build: headscale
+    main: ./cmd/headscale
+    env:
+      - CGO_ENABLED=0
+    platforms:
+      - linux/amd64
+      - linux/386
+      - linux/arm64
+      - linux/arm/v7
+    tags:
+      - "{{ if not .Prerelease }}latest{{ end }}"
+      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}.{{ .Patch }}{{ end }}"
+      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}{{ end }}"
+      - "{{ if not .Prerelease }}{{ .Major }}{{ end }}"
+      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}.{{ .Patch }}{{ end }}"
+      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}{{ end }}"
+      - "{{ if not .Prerelease }}v{{ .Major }}{{ end }}"
+      - "{{ if not .Prerelease }}stable{{ else }}unstable{{ end }}"
+      - "{{ .Tag }}"
+      - '{{ trimprefix .Tag "v" }}'
+      - "sha-{{ .ShortCommit }}"
+
+  - id: ghcr-debug
+    repositories:
+      - ghcr.io/juanfont/headscale
+      - headscale/headscale
+
+    bare: true
+    base_image: gcr.io/distroless/base-debian12:debug
+    build: headscale
+    main: ./cmd/headscale
+    env:
+      - CGO_ENABLED=0
+    platforms:
+      - linux/amd64
+      - linux/386
+      - linux/arm64
+      - linux/arm/v7
+    tags:
+      - "{{ if not .Prerelease }}latest-debug{{ end }}"
+      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug{{ end }}"
+      - "{{ if not .Prerelease }}{{ .Major }}.{{ .Minor }}-debug{{ end }}"
+      - "{{ if not .Prerelease }}{{ .Major }}-debug{{ end }}"
+      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug{{ end }}"
+      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}-debug{{ end }}"
+      - "{{ if not .Prerelease }}v{{ .Major }}-debug{{ end }}"
+      - "{{ if not .Prerelease }}stable-debug{{ else }}unstable-debug{{ end }}"
+      - "{{ .Tag }}-debug"
+      - '{{ trimprefix .Tag "v" }}-debug'
+      - "sha-{{ .ShortCommit }}-debug"
+
 checksum:
  name_template: "checksums.txt"
 snapshot:
-  name_template: "{{ .Tag }}-next"
+  version_template: "{{ .Tag }}-next"
 changelog:
  sort: asc
  filters:
--- a/.prettierignore
+++ b/.prettierignore
@@ -1 +1,4 @@
 .github/workflows/test-integration-v2*
+docs/about/features.md
+docs/ref/configuration.md
+docs/ref/remote-cli.md
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -62,7 +62,7 @@ event.

 Instances of abusive, harassing, or otherwise unacceptable behavior
 may be reported to the community leaders responsible for enforcement
-at our Discord channel. All complaints
+on our [Discord server](https://discord.gg/c84AZQhmpx). All complaints
 will be reviewed and investigated promptly and fairly.

 All community leaders are obligated to respect the privacy and
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,34 @@
+# Contributing
+
+Headscale is "Open Source, acknowledged contribution", this means that any contribution will have to be discussed with the maintainers before being added to the project.
+This model has been chosen to reduce the risk of burnout by limiting the maintenance overhead of reviewing and validating third-party code.
+
+## Why do we have this model?
+
+Headscale has a small maintainer team that tries to balance working on the project, fixing bugs and reviewing contributions.
+
+When we work on issues ourselves, we develop first hand knowledge of the code and it makes it possible for us to maintain and own the code as the project develops.
+
+Code contributions are seen as a positive thing. People enjoy and engage with our project, but it also comes with some challenges; we have to understand the code, we have to understand the feature, we might have to become familiar with external libraries or services and we think about security implications. All those steps are required during the reviewing process. After the code has been merged, the feature has to be maintained. Any changes reliant on external services must be updated and expanded accordingly.
+
+The review and day-1 maintenance adds a significant burden on the maintainers. Often we hope that the contributor will help out, but we found that most of the time, they disappear after their new feature was added.
+
+This means that when someone contributes, we are mostly happy about it, but we do have to run it through a series of checks to establish if we actually can maintain this feature.
+
+## What do we require?
+
+A general description is provided here and an explicit list is provided in our pull request template.
+
+All new features have to start out with a design document, which should be discussed on the issue tracker (not discord). It should include a use case for the feature, how it can be implemented, who will implement it and a plan for maintaining it.
+
+All features have to be end-to-end tested (integration tests) and have good unit test coverage to ensure that they work as expected. This will also ensure that the feature continues to work as expected over time. If a change cannot be tested, a strong case for why this is not possible needs to be presented.
+
+The contributor should help to maintain the feature over time. In case the feature is not maintained probably, the maintainers reserve themselves the right to remove features they redeem as unmaintainable. This should help to improve the quality of the software and keep it in a maintainable state.
+
+## Bug fixes
+
+Headscale is open to code contributions for bug fixes without discussion.
+
+## Documentation
+
+If you find mistakes in the documentation, please submit a fix to the documentation.
--- a/30
+++ b/30
@@ -1,30 +0,0 @@
-# Builder image
-FROM docker.io/golang:1.20-bullseye AS build
-ARG VERSION=dev
-ENV GOPATH /go
-WORKDIR /go/src/headscale
-
-COPY go.mod go.sum /go/src/headscale/
-RUN go mod download
-
-COPY . .
-
-RUN CGO_ENABLED=0 GOOS=linux go install -tags ts2019 -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
-RUN strip /go/bin/headscale
-RUN test -e /go/bin/headscale
-
-# Production image
-FROM docker.io/debian:bullseye-slim
-
-RUN apt-get update \
-    && apt-get install -y ca-certificates \
-    && rm -rf /var/lib/apt/lists/* \
-    && apt-get clean
-
-COPY --from=build /go/bin/headscale /bin/headscale
-ENV TZ UTC
-
-RUN mkdir -p /var/run/headscale
-
-EXPOSE 8080/tcp
-CMD ["headscale"]
--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@@ -1,26 +0,0 @@
-# Builder image
-FROM docker.io/golang:1.20-bullseye AS build
-ARG VERSION=dev
-ENV GOPATH /go
-WORKDIR /go/src/headscale
-
-COPY go.mod go.sum /go/src/headscale/
-RUN go mod download
-
-COPY . .
-
-RUN CGO_ENABLED=0 GOOS=linux go install -tags ts2019 -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
-RUN test -e /go/bin/headscale
-
-# Debug image
-FROM docker.io/golang:1.20.0-bullseye
-
-COPY --from=build /go/bin/headscale /bin/headscale
-ENV TZ UTC
-
-RUN mkdir -p /var/run/headscale
-
-# Need to reset the entrypoint or everything will run as a busybox script
-ENTRYPOINT []
-EXPOSE 8080/tcp
-CMD ["headscale"]
--- a/Dockerfile.derper
+++ b/Dockerfile.derper
@@ -0,0 +1,19 @@
+# For testing purposes only
+
+FROM golang:alpine AS build-env
+
+WORKDIR /go/src
+
+RUN apk add --no-cache git
+ARG VERSION_BRANCH=main
+RUN git clone https://github.com/tailscale/tailscale.git --branch=$VERSION_BRANCH --depth=1
+WORKDIR /go/src/tailscale
+
+ARG TARGETARCH
+RUN GOARCH=$TARGETARCH go install -v ./cmd/derper
+
+FROM alpine:3.18
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables curl
+
+COPY --from=build-env /go/bin/* /usr/local/bin/
+ENTRYPOINT [ "/usr/local/bin/derper" ]
--- a/Dockerfile.integration
+++ b/Dockerfile.integration
@@ -0,0 +1,26 @@
+# This Dockerfile and the images produced are for testing headscale,
+# and are in no way endorsed by Headscale's maintainers as an
+# official nor supported release or distribution.
+
+FROM docker.io/golang:1.23-bookworm
+ARG VERSION=dev
+ENV GOPATH /go
+WORKDIR /go/src/headscale
+
+RUN apt-get update \
+  && apt-get install --no-install-recommends --yes less jq sqlite3 dnsutils \
+  && rm -rf /var/lib/apt/lists/* \
+  && apt-get clean
+RUN mkdir -p /var/run/headscale
+
+COPY go.mod go.sum /go/src/headscale/
+RUN go mod download
+
+COPY . .
+
+RUN CGO_ENABLED=0 GOOS=linux go install -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale && test -e /go/bin/headscale
+
+# Need to reset the entrypoint or everything will run as a busybox script
+ENTRYPOINT []
+EXPOSE 8080/tcp
+CMD ["headscale"]
--- a/Dockerfile.tailscale
+++ b/Dockerfile.tailscale
@@ -1,16 +0,0 @@
-FROM ubuntu:22.04
-
-ARG TAILSCALE_VERSION=*
-ARG TAILSCALE_CHANNEL=stable
-
-RUN apt-get update \
-    && apt-get install -y gnupg curl ssh dnsutils ca-certificates \
-    && adduser --shell=/bin/bash ssh-it-user
-
-# Tailscale is deliberately split into a second stage so we can cash utils as a seperate layer.
-RUN curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.gpg | apt-key add - \
-    && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.list | tee /etc/apt/sources.list.d/tailscale.list \
-    && apt-get update \
-    && apt-get install -y tailscale=${TAILSCALE_VERSION} \
-    && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
--- a/Dockerfile.tailscale-HEAD
+++ b/Dockerfile.tailscale-HEAD
@@ -1,17 +1,45 @@
-FROM golang:latest
+# Copyright (c) Tailscale Inc & AUTHORS
+# SPDX-License-Identifier: BSD-3-Clause

-RUN apt-get update \
-    && apt-get install -y dnsutils git iptables ssh ca-certificates \
-    && rm -rf /var/lib/apt/lists/*
+# This Dockerfile is more or less lifted from tailscale/tailscale
+# to ensure a similar build process when testing the HEAD of tailscale.

-RUN useradd --shell=/bin/bash --create-home ssh-it-user
+FROM golang:1.23-alpine AS build-env

+WORKDIR /go/src
+
+RUN apk add --no-cache git
+
+# Replace `RUN git...` with `COPY` and a local checked out version of Tailscale in `./tailscale`
+# to test specific commits of the Tailscale client. This is useful when trying to find out why
+# something specific broke between two versions of Tailscale with for example `git bisect`.
+# COPY ./tailscale .
 RUN git clone https://github.com/tailscale/tailscale.git

-WORKDIR /go/tailscale
+WORKDIR /go/src/tailscale

-RUN git checkout main \
-    && sh build_dist.sh tailscale.com/cmd/tailscale \
-    && sh build_dist.sh tailscale.com/cmd/tailscaled \
-    && cp tailscale /usr/local/bin/ \
-    && cp tailscaled /usr/local/bin/
+
+# see build_docker.sh
+ARG VERSION_LONG=""
+ENV VERSION_LONG=$VERSION_LONG
+ARG VERSION_SHORT=""
+ENV VERSION_SHORT=$VERSION_SHORT
+ARG VERSION_GIT_HASH=""
+ENV VERSION_GIT_HASH=$VERSION_GIT_HASH
+ARG TARGETARCH
+
+ARG BUILD_TAGS=""
+
+RUN GOARCH=$TARGETARCH go install -tags="${BUILD_TAGS}" -ldflags="\
+      -X tailscale.com/version.longStamp=$VERSION_LONG \
+      -X tailscale.com/version.shortStamp=$VERSION_SHORT \
+      -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
+      -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot
+
+FROM alpine:3.18
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables curl
+
+COPY --from=build-env /go/bin/* /usr/local/bin/
+# For compat with the previous run.sh, although ideally you should be
+# using build_docker.sh which sets an entrypoint for the image.
+RUN mkdir /tailscale && ln -s /usr/local/bin/containerboot /tailscale/run.sh
--- a/23
+++ b/23
@@ -10,8 +10,6 @@ ifeq ($(filter $(GOOS), openbsd netbsd soloaris plan9), )
 else
 endif

-TAGS = -tags ts2019
-
 # GO_SOURCES = $(wildcard *.go)
 # PROTO_SOURCES = $(wildcard **/*.proto)
 GO_SOURCES = $(call rwildcard,,*.go)
@@ -24,7 +22,7 @@ build:
 dev: lint test build

 test:
-	gotestsum -- $(TAGS) -short -coverprofile=coverage.out ./...
+	gotestsum -- -short -race -coverprofile=coverage.out ./...

 test_integration:
 	docker run \
@@ -33,16 +31,27 @@ test_integration:
 		--name headscale-test-suite \
 		-v $$PWD:$$PWD -w $$PWD/integration \
 		-v /var/run/docker.sock:/var/run/docker.sock \
+		-v $$PWD/control_logs:/tmp/control \
 		golang:1 \
-		go run gotest.tools/gotestsum@latest -- $(TAGS) -failfast ./... -timeout 120m -parallel 8
+		go run gotest.tools/gotestsum@latest -- -race -failfast ./... -timeout 120m -parallel 8

 lint:
 	golangci-lint run --fix --timeout 10m

-fmt:
+fmt: fmt-go fmt-prettier fmt-proto
+
+fmt-prettier:
 	prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
-	golines --max-len=88 --base-formatter=gofumpt -w $(GO_SOURCES)
-	clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i $(PROTO_SOURCES)
+	prettier --write --print-width 80 --prose-wrap always CHANGELOG.md
+
+fmt-go:
+	# TODO(kradalby): Reeval if we want to use 88 in the future.
+	# golines --max-len=88 --base-formatter=gofumpt -w $(GO_SOURCES)
+	gofumpt -l -w .
+	golangci-lint run --fix
+
+fmt-proto:
+	clang-format -i $(PROTO_SOURCES)

 proto-lint:
 	cd proto/ && go run github.com/bufbuild/buf/cmd/buf lint
--- a/README.md
+++ b/README.md
--- a/cmd/build-docker-img/main.go
+++ b/cmd/build-docker-img/main.go
@@ -1,47 +0,0 @@
-package main
-
-import (
-	"log"
-
-	"github.com/juanfont/headscale/integration"
-	"github.com/juanfont/headscale/integration/tsic"
-	"github.com/ory/dockertest/v3"
-)
-
-func main() {
-	log.Printf("creating docker pool")
-	pool, err := dockertest.NewPool("")
-	if err != nil {
-		log.Fatalf("could not connect to docker: %s", err)
-	}
-
-	log.Printf("creating docker network")
-	network, err := pool.CreateNetwork("docker-integration-net")
-	if err != nil {
-		log.Fatalf("failed to create or get network: %s", err)
-	}
-
-	for _, version := range integration.TailscaleVersions {
-		log.Printf("creating container image for Tailscale (%s)", version)
-
-		tsClient, err := tsic.New(
-			pool,
-			version,
-			network,
-		)
-		if err != nil {
-			log.Fatalf("failed to create tailscale node: %s", err)
-		}
-
-		err = tsClient.Shutdown()
-		if err != nil {
-			log.Fatalf("failed to shut down container: %s", err)
-		}
-	}
-
-	network.Close()
-	err = pool.RemoveNetwork(network)
-	if err != nil {
-		log.Fatalf("failed to remove network: %s", err)
-	}
-}
--- a/cmd/gh-action-integration-generator/main.go
+++ b/cmd/gh-action-integration-generator/main.go
@@ -1,171 +0,0 @@
-package main
-
-//go:generate go run ./main.go
-
-import (
-	"bytes"
-	"fmt"
-	"log"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"strings"
-	"text/template"
-)
-
-var (
-	githubWorkflowPath  = "../../.github/workflows/"
-	jobFileNameTemplate = `test-integration-v2-%s.yaml`
-	jobTemplate         = template.Must(
-		template.New("jobTemplate").
-			Parse(`# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - {{.Name}}
-
-on: [pull_request]
-
-concurrency:
-  group: {{ "${{ github.workflow }}-$${{ github.head_ref || github.run_id }}" }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - uses: DeterminateSystems/nix-installer-action@main
-      - uses: DeterminateSystems/magic-nix-cache-action@main
-      - uses: satackey/action-docker-layer-caching@main
-        continue-on-error: true
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^{{.Name}}$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
-`),
-	)
-)
-
-const workflowFilePerm = 0o600
-
-func removeTests() {
-	glob := fmt.Sprintf(jobFileNameTemplate, "*")
-
-	files, err := filepath.Glob(filepath.Join(githubWorkflowPath, glob))
-	if err != nil {
-		log.Fatalf("failed to find test files")
-	}
-
-	for _, file := range files {
-		err := os.Remove(file)
-		if err != nil {
-			log.Printf("failed to remove: %s", err)
-		}
-	}
-}
-
-func findTests() []string {
-	rgBin, err := exec.LookPath("rg")
-	if err != nil {
-		log.Fatalf("failed to find rg (ripgrep) binary")
-	}
-
-	args := []string{
-		"--regexp", "func (Test.+)\\(.*",
-		"../../integration/",
-		"--replace", "$1",
-		"--sort", "path",
-		"--no-line-number",
-		"--no-filename",
-		"--no-heading",
-	}
-
-	log.Printf("executing: %s %s", rgBin, strings.Join(args, " "))
-
-	ripgrep := exec.Command(
-		rgBin,
-		args...,
-	)
-
-	result, err := ripgrep.CombinedOutput()
-	if err != nil {
-		log.Printf("out: %s", result)
-		log.Fatalf("failed to run ripgrep: %s", err)
-	}
-
-	tests := strings.Split(string(result), "\n")
-	tests = tests[:len(tests)-1]
-
-	return tests
-}
-
-func main() {
-	type testConfig struct {
-		Name string
-	}
-
-	tests := findTests()
-
-	removeTests()
-
-	for _, test := range tests {
-		log.Printf("generating workflow for %s", test)
-
-		var content bytes.Buffer
-
-		if err := jobTemplate.Execute(&content, testConfig{
-			Name: test,
-		}); err != nil {
-			log.Fatalf("failed to render template: %s", err)
-		}
-
-		testPath := path.Join(githubWorkflowPath, fmt.Sprintf(jobFileNameTemplate, test))
-
-		err := os.WriteFile(testPath, content.Bytes(), workflowFilePerm)
-		if err != nil {
-			log.Fatalf("failed to write github job: %s", err)
-		}
-	}
-}
--- a/cmd/headscale/cli/api_key.go
+++ b/cmd/headscale/cli/api_key.go
@@ -29,11 +29,16 @@ func init() {
 	apiKeysCmd.AddCommand(createAPIKeyCmd)

 	expireAPIKeyCmd.Flags().StringP("prefix", "p", "", "ApiKey prefix")
-	err := expireAPIKeyCmd.MarkFlagRequired("prefix")
-	if err != nil {
+	if err := expireAPIKeyCmd.MarkFlagRequired("prefix"); err != nil {
 		log.Fatal().Err(err).Msg("")
 	}
 	apiKeysCmd.AddCommand(expireAPIKeyCmd)
+
+	deleteAPIKeyCmd.Flags().StringP("prefix", "p", "", "ApiKey prefix")
+	if err := deleteAPIKeyCmd.MarkFlagRequired("prefix"); err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+	apiKeysCmd.AddCommand(deleteAPIKeyCmd)
 }

 var apiKeysCmd = &cobra.Command{
@@ -49,7 +54,7 @@ var listAPIKeys = &cobra.Command{
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -62,24 +67,20 @@ var listAPIKeys = &cobra.Command{
 				fmt.Sprintf("Error getting the list of keys: %s", err),
 				output,
 			)
-
-			return
 		}

 		if output != "" {
-			SuccessOutput(response.ApiKeys, "", output)
-
-			return
+			SuccessOutput(response.GetApiKeys(), "", output)
 		}

 		tableData := pterm.TableData{
 			{"ID", "Prefix", "Expiration", "Created"},
 		}
-		for _, key := range response.ApiKeys {
+		for _, key := range response.GetApiKeys() {
 			expiration := "-"

 			if key.GetExpiration() != nil {
-				expiration = ColourTime(key.Expiration.AsTime())
+				expiration = ColourTime(key.GetExpiration().AsTime())
 			}

 			tableData = append(tableData, []string{
@@ -97,8 +98,6 @@ var listAPIKeys = &cobra.Command{
 				fmt.Sprintf("Failed to render pterm table: %s", err),
 				output,
 			)
-
-			return
 		}
 	},
 }
@@ -114,9 +113,6 @@ If you loose a key, create a new one and revoke (expire) the old one.`,
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

-		log.Trace().
-			Msg("Preparing to create ApiKey")
-
 		request := &v1.CreateApiKeyRequest{}

 		durationStr, _ := cmd.Flags().GetString("expiration")
@@ -128,19 +124,13 @@ If you loose a key, create a new one and revoke (expire) the old one.`,
 				fmt.Sprintf("Could not parse duration: %s\n", err),
 				output,
 			)
-
-			return
 		}

 		expiration := time.Now().UTC().Add(time.Duration(duration))

-		log.Trace().
-			Dur("expiration", time.Duration(duration)).
-			Msg("expiration has been set")
-
 		request.Expiration = timestamppb.New(expiration)

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -151,11 +141,9 @@ If you loose a key, create a new one and revoke (expire) the old one.`,
 				fmt.Sprintf("Cannot create Api Key: %s\n", err),
 				output,
 			)
-
-			return
 		}

-		SuccessOutput(response.ApiKey, response.ApiKey, output)
+		SuccessOutput(response.GetApiKey(), response.GetApiKey(), output)
 	},
 }

@@ -173,11 +161,9 @@ var expireAPIKeyCmd = &cobra.Command{
 				fmt.Sprintf("Error getting prefix from CLI flag: %s", err),
 				output,
 			)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -192,10 +178,45 @@ var expireAPIKeyCmd = &cobra.Command{
 				fmt.Sprintf("Cannot expire Api Key: %s\n", err),
 				output,
 			)
-
-			return
 		}

 		SuccessOutput(response, "Key expired", output)
 	},
 }
+
+var deleteAPIKeyCmd = &cobra.Command{
+	Use:     "delete",
+	Short:   "Delete an ApiKey",
+	Aliases: []string{"remove", "del"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		prefix, err := cmd.Flags().GetString("prefix")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting prefix from CLI flag: %s", err),
+				output,
+			)
+		}
+
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.DeleteApiKeyRequest{
+			Prefix: prefix,
+		}
+
+		response, err := client.DeleteApiKey(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot delete Api Key: %s\n", err),
+				output,
+			)
+		}
+
+		SuccessOutput(response, "Key deleted", output)
+	},
+}
--- a/cmd/headscale/cli/configtest.go
+++ b/cmd/headscale/cli/configtest.go
@@ -14,7 +14,7 @@ var configTestCmd = &cobra.Command{
 	Short: "Test the configuration.",
 	Long:  "Run a test of the configuration and exit.",
 	Run: func(cmd *cobra.Command, args []string) {
-		_, err := getHeadscaleApp()
+		_, err := newHeadscaleServerWithConfig()
 		if err != nil {
 			log.Fatal().Caller().Err(err).Msg("Error initializing")
 		}
--- a/cmd/headscale/cli/debug.go
+++ b/cmd/headscale/cli/debug.go
@@ -4,7 +4,7 @@ import (
 	"fmt"

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol/util"
+	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -57,18 +57,16 @@ var debugCmd = &cobra.Command{

 var createNodeCmd = &cobra.Command{
 	Use:   "create-node",
-	Short: "Create a node (machine) that can be registered with `nodes register <>` command",
+	Short: "Create a node that can be registered with `nodes register <>` command",
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

 		user, err := cmd.Flags().GetString("user")
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -79,29 +77,24 @@ var createNodeCmd = &cobra.Command{
 				fmt.Sprintf("Error getting node from flag: %s", err),
 				output,
 			)
-
-			return
 		}

-		machineKey, err := cmd.Flags().GetString("key")
+		registrationID, err := cmd.Flags().GetString("key")
 		if err != nil {
 			ErrorOutput(
 				err,
 				fmt.Sprintf("Error getting key from flag: %s", err),
 				output,
 			)
-
-			return
 		}
-		if !util.NodePublicKeyRegex.Match([]byte(machineKey)) {
-			err = errPreAuthKeyMalformed
+
+		_, err = types.RegistrationIDFromString(registrationID)
+		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf("Error: %s", err),
+				fmt.Sprintf("Failed to parse machine key from flag: %s", err),
 				output,
 			)
-
-			return
 		}

 		routes, err := cmd.Flags().GetStringSlice("route")
@@ -111,28 +104,24 @@ var createNodeCmd = &cobra.Command{
 				fmt.Sprintf("Error getting routes from flag: %s", err),
 				output,
 			)
-
-			return
 		}

-		request := &v1.DebugCreateMachineRequest{
-			Key:    machineKey,
+		request := &v1.DebugCreateNodeRequest{
+			Key:    registrationID,
 			Name:   name,
 			User:   user,
 			Routes: routes,
 		}

-		response, err := client.DebugCreateMachine(ctx, request)
+		response, err := client.DebugCreateNode(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf("Cannot create machine: %s", status.Convert(err).Message()),
+				fmt.Sprintf("Cannot create node: %s", status.Convert(err).Message()),
 				output,
 			)
-
-			return
 		}

-		SuccessOutput(response.Machine, "Machine created", output)
+		SuccessOutput(response.GetNode(), "Node created", output)
 	},
 }
--- a/cmd/headscale/cli/mockoidc.go
+++ b/cmd/headscale/cli/mockoidc.go
@@ -1,8 +1,10 @@
 package cli

 import (
+	"encoding/json"
 	"fmt"
 	"net"
+	"net/http"
 	"os"
 	"strconv"
 	"time"
@@ -64,6 +66,19 @@ func mockOIDC() error {
 		accessTTL = newTTL
 	}

+	userStr := os.Getenv("MOCKOIDC_USERS")
+	if userStr == "" {
+		return fmt.Errorf("MOCKOIDC_USERS not defined")
+	}
+
+	var users []mockoidc.MockUser
+	err := json.Unmarshal([]byte(userStr), &users)
+	if err != nil {
+		return fmt.Errorf("unmarshalling users: %w", err)
+	}
+
+	log.Info().Interface("users", users).Msg("loading users from JSON")
+
 	log.Info().Msgf("Access token TTL: %s", accessTTL)

 	port, err := strconv.Atoi(portStr)
@@ -71,7 +86,7 @@ func mockOIDC() error {
 		return err
 	}

-	mock, err := getMockOIDC(clientID, clientSecret)
+	mock, err := getMockOIDC(clientID, clientSecret, users)
 	if err != nil {
 		return err
 	}
@@ -93,12 +108,18 @@ func mockOIDC() error {
 	return nil
 }

-func getMockOIDC(clientID string, clientSecret string) (*mockoidc.MockOIDC, error) {
+func getMockOIDC(clientID string, clientSecret string, users []mockoidc.MockUser) (*mockoidc.MockOIDC, error) {
 	keypair, err := mockoidc.NewKeypair(nil)
 	if err != nil {
 		return nil, err
 	}

+	userQueue := mockoidc.UserQueue{}
+
+	for _, user := range users {
+		userQueue.Push(&user)
+	}
+
 	mock := mockoidc.MockOIDC{
 		ClientID:                      clientID,
 		ClientSecret:                  clientSecret,
@@ -107,9 +128,19 @@ func getMockOIDC(clientID string, clientSecret string) (*mockoidc.MockOIDC, erro
 		CodeChallengeMethodsSupported: []string{"plain", "S256"},
 		Keypair:                       keypair,
 		SessionStore:                  mockoidc.NewSessionStore(),
-		UserQueue:                     &mockoidc.UserQueue{},
+		UserQueue:                     &userQueue,
 		ErrorQueue:                    &mockoidc.ErrorQueue{},
 	}

+	mock.AddMiddleware(func(h http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			log.Info().Msgf("Request: %+v", r)
+			h.ServeHTTP(w, r)
+			if r.Response != nil {
+				log.Info().Msgf("Response: %+v", r.Response)
+			}
+		})
+	})
+
 	return &mock, nil
 }
--- a/cmd/headscale/cli/nodes.go
+++ b/cmd/headscale/cli/nodes.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"log"
 	"net/netip"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@@ -38,33 +39,33 @@ func init() {

 	err := registerNodeCmd.MarkFlagRequired("user")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	registerNodeCmd.Flags().StringP("key", "k", "", "Key")
 	err = registerNodeCmd.MarkFlagRequired("key")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	nodeCmd.AddCommand(registerNodeCmd)

 	expireNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
 	err = expireNodeCmd.MarkFlagRequired("identifier")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	nodeCmd.AddCommand(expireNodeCmd)

 	renameNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
 	err = renameNodeCmd.MarkFlagRequired("identifier")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	nodeCmd.AddCommand(renameNodeCmd)

 	deleteNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
 	err = deleteNodeCmd.MarkFlagRequired("identifier")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	nodeCmd.AddCommand(deleteNodeCmd)

@@ -72,7 +73,7 @@ func init() {

 	err = moveNodeCmd.MarkFlagRequired("identifier")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}

 	moveNodeCmd.Flags().StringP("user", "u", "", "New user")
@@ -84,7 +85,7 @@ func init() {

 	err = moveNodeCmd.MarkFlagRequired("user")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	nodeCmd.AddCommand(moveNodeCmd)

@@ -92,11 +93,13 @@ func init() {

 	err = tagCmd.MarkFlagRequired("identifier")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	tagCmd.Flags().
 		StringSliceP("tags", "t", []string{}, "List of tags to add to the node")
 	nodeCmd.AddCommand(tagCmd)
+
+	nodeCmd.AddCommand(backfillNodeIPsCmd)
 }

 var nodeCmd = &cobra.Command{
@@ -107,53 +110,47 @@ var nodeCmd = &cobra.Command{

 var registerNodeCmd = &cobra.Command{
 	Use:   "register",
-	Short: "Registers a machine to your network",
+	Short: "Registers a node to your network",
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")
 		user, err := cmd.Flags().GetString("user")
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

-		machineKey, err := cmd.Flags().GetString("key")
+		registrationID, err := cmd.Flags().GetString("key")
 		if err != nil {
 			ErrorOutput(
 				err,
 				fmt.Sprintf("Error getting node key from flag: %s", err),
 				output,
 			)
-
-			return
 		}

-		request := &v1.RegisterMachineRequest{
-			Key:  machineKey,
+		request := &v1.RegisterNodeRequest{
+			Key:  registrationID,
 			User: user,
 		}

-		response, err := client.RegisterMachine(ctx, request)
+		response, err := client.RegisterNode(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
 				fmt.Sprintf(
-					"Cannot register machine: %s\n",
+					"Cannot register node: %s\n",
 					status.Convert(err).Message(),
 				),
 				output,
 			)
-
-			return
 		}

 		SuccessOutput(
-			response.Machine,
-			fmt.Sprintf("Machine %s registered", response.Machine.GivenName), output)
+			response.GetNode(),
+			fmt.Sprintf("Node %s registered", response.GetNode().GetGivenName()), output)
 	},
 }

@@ -166,46 +163,36 @@ var listNodesCmd = &cobra.Command{
 		user, err := cmd.Flags().GetString("user")
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
-
-			return
 		}
 		showTags, err := cmd.Flags().GetBool("tags")
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error getting tags flag: %s", err), output)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

-		request := &v1.ListMachinesRequest{
+		request := &v1.ListNodesRequest{
 			User: user,
 		}

-		response, err := client.ListMachines(ctx, request)
+		response, err := client.ListNodes(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
 				fmt.Sprintf("Cannot get nodes: %s", status.Convert(err).Message()),
 				output,
 			)
-
-			return
 		}

 		if output != "" {
-			SuccessOutput(response.Machines, "", output)
-
-			return
+			SuccessOutput(response.GetNodes(), "", output)
 		}

-		tableData, err := nodesToPtables(user, showTags, response.Machines)
+		tableData, err := nodesToPtables(user, showTags, response.GetNodes())
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error converting to table: %s", err), output)
-
-			return
 		}

 		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
@@ -215,15 +202,13 @@ var listNodesCmd = &cobra.Command{
 				fmt.Sprintf("Failed to render pterm table: %s", err),
 				output,
 			)
-
-			return
 		}
 	},
 }

 var expireNodeCmd = &cobra.Command{
 	Use:     "expire",
-	Short:   "Expire (log out) a machine in your network",
+	Short:   "Expire (log out) a node in your network",
 	Long:    "Expiring a node will keep the node in the database and force it to reauthenticate.",
 	Aliases: []string{"logout", "exp", "e"},
 	Run: func(cmd *cobra.Command, args []string) {
@@ -240,20 +225,20 @@ var expireNodeCmd = &cobra.Command{
 			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

-		request := &v1.ExpireMachineRequest{
-			MachineId: identifier,
+		request := &v1.ExpireNodeRequest{
+			NodeId: identifier,
 		}

-		response, err := client.ExpireMachine(ctx, request)
+		response, err := client.ExpireNode(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
 				fmt.Sprintf(
-					"Cannot expire machine: %s\n",
+					"Cannot expire node: %s\n",
 					status.Convert(err).Message(),
 				),
 				output,
@@ -262,13 +247,13 @@ var expireNodeCmd = &cobra.Command{
 			return
 		}

-		SuccessOutput(response.Machine, "Machine expired", output)
+		SuccessOutput(response.GetNode(), "Node expired", output)
 	},
 }

 var renameNodeCmd = &cobra.Command{
 	Use:   "rename NEW_NAME",
-	Short: "Renames a machine in your network",
+	Short: "Renames a node in your network",
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

@@ -283,7 +268,7 @@ var renameNodeCmd = &cobra.Command{
 			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -291,17 +276,17 @@ var renameNodeCmd = &cobra.Command{
 		if len(args) > 0 {
 			newName = args[0]
 		}
-		request := &v1.RenameMachineRequest{
-			MachineId: identifier,
-			NewName:   newName,
+		request := &v1.RenameNodeRequest{
+			NodeId:  identifier,
+			NewName: newName,
 		}

-		response, err := client.RenameMachine(ctx, request)
+		response, err := client.RenameNode(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
 				fmt.Sprintf(
-					"Cannot rename machine: %s\n",
+					"Cannot rename node: %s\n",
 					status.Convert(err).Message(),
 				),
 				output,
@@ -310,7 +295,7 @@ var renameNodeCmd = &cobra.Command{
 			return
 		}

-		SuccessOutput(response.Machine, "Machine renamed", output)
+		SuccessOutput(response.GetNode(), "Node renamed", output)
 	},
 }

@@ -332,15 +317,15 @@ var deleteNodeCmd = &cobra.Command{
 			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

-		getRequest := &v1.GetMachineRequest{
-			MachineId: identifier,
+		getRequest := &v1.GetNodeRequest{
+			NodeId: identifier,
 		}

-		getResponse, err := client.GetMachine(ctx, getRequest)
+		getResponse, err := client.GetNode(ctx, getRequest)
 		if err != nil {
 			ErrorOutput(
 				err,
@@ -354,8 +339,8 @@ var deleteNodeCmd = &cobra.Command{
 			return
 		}

-		deleteRequest := &v1.DeleteMachineRequest{
-			MachineId: identifier,
+		deleteRequest := &v1.DeleteNodeRequest{
+			NodeId: identifier,
 		}

 		confirm := false
@@ -364,7 +349,7 @@ var deleteNodeCmd = &cobra.Command{
 			prompt := &survey.Confirm{
 				Message: fmt.Sprintf(
 					"Do you want to remove the node %s?",
-					getResponse.GetMachine().Name,
+					getResponse.GetNode().GetName(),
 				),
 			}
 			err = survey.AskOne(prompt, &confirm)
@@ -374,7 +359,7 @@ var deleteNodeCmd = &cobra.Command{
 		}

 		if confirm || force {
-			response, err := client.DeleteMachine(ctx, deleteRequest)
+			response, err := client.DeleteNode(ctx, deleteRequest)
 			if output != "" {
 				SuccessOutput(response, "", output)

@@ -432,15 +417,15 @@ var moveNodeCmd = &cobra.Command{
 			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

-		getRequest := &v1.GetMachineRequest{
-			MachineId: identifier,
+		getRequest := &v1.GetNodeRequest{
+			NodeId: identifier,
 		}

-		_, err = client.GetMachine(ctx, getRequest)
+		_, err = client.GetNode(ctx, getRequest)
 		if err != nil {
 			ErrorOutput(
 				err,
@@ -454,12 +439,12 @@ var moveNodeCmd = &cobra.Command{
 			return
 		}

-		moveRequest := &v1.MoveMachineRequest{
-			MachineId: identifier,
-			User:      user,
+		moveRequest := &v1.MoveNodeRequest{
+			NodeId: identifier,
+			User:   user,
 		}

-		moveResponse, err := client.MoveMachine(ctx, moveRequest)
+		moveResponse, err := client.MoveNode(ctx, moveRequest)
 		if err != nil {
 			ErrorOutput(
 				err,
@@ -473,14 +458,65 @@ var moveNodeCmd = &cobra.Command{
 			return
 		}

-		SuccessOutput(moveResponse.Machine, "Node moved to another user", output)
+		SuccessOutput(moveResponse.GetNode(), "Node moved to another user", output)
+	},
+}
+
+var backfillNodeIPsCmd = &cobra.Command{
+	Use:   "backfillips",
+	Short: "Backfill IPs missing from nodes",
+	Long: `
+Backfill IPs can be used to add/remove IPs from nodes
+based on the current configuration of Headscale.
+
+If there are nodes that does not have IPv4 or IPv6
+even if prefixes for both are configured in the config,
+this command can be used to assign IPs of the sort to
+all nodes that are missing.
+
+If you remove IPv4 or IPv6 prefixes from the config,
+it can be run to remove the IPs that should no longer
+be assigned to nodes.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		var err error
+		output, _ := cmd.Flags().GetString("output")
+
+		confirm := false
+		prompt := &survey.Confirm{
+			Message: "Are you sure that you want to assign/remove IPs to/from nodes?",
+		}
+		err = survey.AskOne(prompt, &confirm)
+		if err != nil {
+			return
+		}
+		if confirm {
+			ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+			defer cancel()
+			defer conn.Close()
+
+			changes, err := client.BackfillNodeIPs(ctx, &v1.BackfillNodeIPsRequest{Confirmed: confirm})
+			if err != nil {
+				ErrorOutput(
+					err,
+					fmt.Sprintf(
+						"Error backfilling IPs: %s",
+						status.Convert(err).Message(),
+					),
+					output,
+				)
+
+				return
+			}
+
+			SuccessOutput(changes, "Node IPs backfilled successfully", output)
+		}
 	},
 }

 func nodesToPtables(
 	currentUser string,
 	showTags bool,
-	machines []*v1.Machine,
+	nodes []*v1.Node,
 ) (pterm.TableData, error) {
 	tableHeader := []string{
 		"ID",
@@ -493,7 +529,7 @@ func nodesToPtables(
 		"Ephemeral",
 		"Last seen",
 		"Expiration",
-		"Online",
+		"Connected",
 		"Expired",
 	}
 	if showTags {
@@ -505,23 +541,23 @@ func nodesToPtables(
 	}
 	tableData := pterm.TableData{tableHeader}

-	for _, machine := range machines {
+	for _, node := range nodes {
 		var ephemeral bool
-		if machine.PreAuthKey != nil && machine.PreAuthKey.Ephemeral {
+		if node.GetPreAuthKey() != nil && node.GetPreAuthKey().GetEphemeral() {
 			ephemeral = true
 		}

 		var lastSeen time.Time
 		var lastSeenTime string
-		if machine.LastSeen != nil {
-			lastSeen = machine.LastSeen.AsTime()
+		if node.GetLastSeen() != nil {
+			lastSeen = node.GetLastSeen().AsTime()
 			lastSeenTime = lastSeen.Format("2006-01-02 15:04:05")
 		}

 		var expiry time.Time
 		var expiryTime string
-		if machine.Expiry != nil {
-			expiry = machine.Expiry.AsTime()
+		if node.GetExpiry() != nil {
+			expiry = node.GetExpiry().AsTime()
 			expiryTime = expiry.Format("2006-01-02 15:04:05")
 		} else {
 			expiryTime = "N/A"
@@ -529,7 +565,7 @@ func nodesToPtables(

 		var machineKey key.MachinePublic
 		err := machineKey.UnmarshalText(
-			[]byte(util.MachinePublicKeyEnsurePrefix(machine.MachineKey)),
+			[]byte(node.GetMachineKey()),
 		)
 		if err != nil {
 			machineKey = key.MachinePublic{}
@@ -537,14 +573,14 @@ func nodesToPtables(

 		var nodeKey key.NodePublic
 		err = nodeKey.UnmarshalText(
-			[]byte(util.NodePublicKeyEnsurePrefix(machine.NodeKey)),
+			[]byte(node.GetNodeKey()),
 		)
 		if err != nil {
 			return nil, err
 		}

 		var online string
-		if machine.Online {
+		if node.GetOnline() {
 			online = pterm.LightGreen("online")
 		} else {
 			online = pterm.LightRed("offline")
@@ -558,36 +594,36 @@ func nodesToPtables(
 		}

 		var forcedTags string
-		for _, tag := range machine.ForcedTags {
+		for _, tag := range node.GetForcedTags() {
 			forcedTags += "," + tag
 		}
 		forcedTags = strings.TrimLeft(forcedTags, ",")
 		var invalidTags string
-		for _, tag := range machine.InvalidTags {
-			if !contains(machine.ForcedTags, tag) {
+		for _, tag := range node.GetInvalidTags() {
+			if !slices.Contains(node.GetForcedTags(), tag) {
 				invalidTags += "," + pterm.LightRed(tag)
 			}
 		}
 		invalidTags = strings.TrimLeft(invalidTags, ",")
 		var validTags string
-		for _, tag := range machine.ValidTags {
-			if !contains(machine.ForcedTags, tag) {
+		for _, tag := range node.GetValidTags() {
+			if !slices.Contains(node.GetForcedTags(), tag) {
 				validTags += "," + pterm.LightGreen(tag)
 			}
 		}
 		validTags = strings.TrimLeft(validTags, ",")

 		var user string
-		if currentUser == "" || (currentUser == machine.User.Name) {
-			user = pterm.LightMagenta(machine.User.Name)
+		if currentUser == "" || (currentUser == node.GetUser().GetName()) {
+			user = pterm.LightMagenta(node.GetUser().GetName())
 		} else {
 			// Shared into this user
-			user = pterm.LightYellow(machine.User.Name)
+			user = pterm.LightYellow(node.GetUser().GetName())
 		}

 		var IPV4Address string
 		var IPV6Address string
-		for _, addr := range machine.IpAddresses {
+		for _, addr := range node.GetIpAddresses() {
 			if netip.MustParseAddr(addr).Is4() {
 				IPV4Address = addr
 			} else {
@@ -596,9 +632,9 @@ func nodesToPtables(
 		}

 		nodeData := []string{
-			strconv.FormatUint(machine.Id, util.Base10),
-			machine.Name,
-			machine.GetGivenName(),
+			strconv.FormatUint(node.GetId(), util.Base10),
+			node.GetName(),
+			node.GetGivenName(),
 			machineKey.ShortString(),
 			nodeKey.ShortString(),
 			user,
@@ -627,7 +663,7 @@ var tagCmd = &cobra.Command{
 	Aliases: []string{"tags", "t"},
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")
-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -646,17 +682,17 @@ var tagCmd = &cobra.Command{
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf("Error retrieving list of tags to add to machine, %v", err),
+				fmt.Sprintf("Error retrieving list of tags to add to node, %v", err),
 				output,
 			)

 			return
 		}

-		// Sending tags to machine
+		// Sending tags to node
 		request := &v1.SetTagsRequest{
-			MachineId: identifier,
-			Tags:      tagsToSet,
+			NodeId: identifier,
+			Tags:   tagsToSet,
 		}
 		resp, err := client.SetTags(ctx, request)
 		if err != nil {
@@ -671,8 +707,8 @@ var tagCmd = &cobra.Command{

 		if resp != nil {
 			SuccessOutput(
-				resp.GetMachine(),
-				"Machine updated",
+				resp.GetNode(),
+				"Node updated",
 				output,
 			)
 		}
--- a/cmd/headscale/cli/policy.go
+++ b/cmd/headscale/cli/policy.go
@@ -0,0 +1,87 @@
+package cli
+
+import (
+	"fmt"
+	"io"
+	"os"
+
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	rootCmd.AddCommand(policyCmd)
+	policyCmd.AddCommand(getPolicy)
+
+	setPolicy.Flags().StringP("file", "f", "", "Path to a policy file in HuJSON format")
+	if err := setPolicy.MarkFlagRequired("file"); err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+	policyCmd.AddCommand(setPolicy)
+}
+
+var policyCmd = &cobra.Command{
+	Use:   "policy",
+	Short: "Manage the Headscale ACL Policy",
+}
+
+var getPolicy = &cobra.Command{
+	Use:     "get",
+	Short:   "Print the current ACL Policy",
+	Aliases: []string{"show", "view", "fetch"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.GetPolicyRequest{}
+
+		response, err := client.GetPolicy(ctx, request)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Failed loading ACL Policy: %s", err), output)
+		}
+
+		// TODO(pallabpain): Maybe print this better?
+		// This does not pass output as we dont support yaml, json or json-line
+		// output for this command. It is HuJSON already.
+		SuccessOutput("", response.GetPolicy(), "")
+	},
+}
+
+var setPolicy = &cobra.Command{
+	Use:   "set",
+	Short: "Updates the ACL Policy",
+	Long: `
+	Updates the existing ACL Policy with the provided policy. The policy must be a valid HuJSON object.
+	This command only works when the acl.policy_mode is set to "db", and the policy will be stored in the database.`,
+	Aliases: []string{"put", "update"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+		policyPath, _ := cmd.Flags().GetString("file")
+
+		f, err := os.Open(policyPath)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error opening the policy file: %s", err), output)
+		}
+		defer f.Close()
+
+		policyBytes, err := io.ReadAll(f)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error reading the policy file: %s", err), output)
+		}
+
+		request := &v1.SetPolicyRequest{Policy: string(policyBytes)}
+
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
+		defer cancel()
+		defer conn.Close()
+
+		if _, err := client.SetPolicy(ctx, request); err != nil {
+			ErrorOutput(err, fmt.Sprintf("Failed to set ACL Policy: %s", err), output)
+		}
+
+		SuccessOutput(nil, "Policy updated.", "")
+	},
+}
--- a/cmd/headscale/cli/preauthkeys.go
+++ b/cmd/headscale/cli/preauthkeys.go
@@ -60,11 +60,9 @@ var listPreAuthKeys = &cobra.Command{
 		user, err := cmd.Flags().GetString("user")
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -84,9 +82,7 @@ var listPreAuthKeys = &cobra.Command{
 		}

 		if output != "" {
-			SuccessOutput(response.PreAuthKeys, "", output)
-
-			return
+			SuccessOutput(response.GetPreAuthKeys(), "", output)
 		}

 		tableData := pterm.TableData{
@@ -101,22 +97,15 @@ var listPreAuthKeys = &cobra.Command{
 				"Tags",
 			},
 		}
-		for _, key := range response.PreAuthKeys {
+		for _, key := range response.GetPreAuthKeys() {
 			expiration := "-"
 			if key.GetExpiration() != nil {
-				expiration = ColourTime(key.Expiration.AsTime())
-			}
-
-			var reusable string
-			if key.GetEphemeral() {
-				reusable = "N/A"
-			} else {
-				reusable = fmt.Sprintf("%v", key.GetReusable())
+				expiration = ColourTime(key.GetExpiration().AsTime())
 			}

 			aclTags := ""

-			for _, tag := range key.AclTags {
+			for _, tag := range key.GetAclTags() {
 				aclTags += "," + tag
 			}

@@ -125,7 +114,7 @@ var listPreAuthKeys = &cobra.Command{
 			tableData = append(tableData, []string{
 				key.GetId(),
 				key.GetKey(),
-				reusable,
+				strconv.FormatBool(key.GetReusable()),
 				strconv.FormatBool(key.GetEphemeral()),
 				strconv.FormatBool(key.GetUsed()),
 				expiration,
@@ -141,8 +130,6 @@ var listPreAuthKeys = &cobra.Command{
 				fmt.Sprintf("Failed to render pterm table: %s", err),
 				output,
 			)
-
-			return
 		}
 	},
 }
@@ -157,20 +144,12 @@ var createPreAuthKeyCmd = &cobra.Command{
 		user, err := cmd.Flags().GetString("user")
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
-
-			return
 		}

 		reusable, _ := cmd.Flags().GetBool("reusable")
 		ephemeral, _ := cmd.Flags().GetBool("ephemeral")
 		tags, _ := cmd.Flags().GetStringSlice("tags")

-		log.Trace().
-			Bool("reusable", reusable).
-			Bool("ephemeral", ephemeral).
-			Str("user", user).
-			Msg("Preparing to create preauthkey")
-
 		request := &v1.CreatePreAuthKeyRequest{
 			User:      user,
 			Reusable:  reusable,
@@ -187,8 +166,6 @@ var createPreAuthKeyCmd = &cobra.Command{
 				fmt.Sprintf("Could not parse duration: %s\n", err),
 				output,
 			)
-
-			return
 		}

 		expiration := time.Now().UTC().Add(time.Duration(duration))
@@ -199,7 +176,7 @@ var createPreAuthKeyCmd = &cobra.Command{

 		request.Expiration = timestamppb.New(expiration)

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -210,11 +187,9 @@ var createPreAuthKeyCmd = &cobra.Command{
 				fmt.Sprintf("Cannot create Pre Auth Key: %s\n", err),
 				output,
 			)
-
-			return
 		}

-		SuccessOutput(response.PreAuthKey, response.PreAuthKey.Key, output)
+		SuccessOutput(response.GetPreAuthKey(), response.GetPreAuthKey().GetKey(), output)
 	},
 }

@@ -234,11 +209,9 @@ var expirePreAuthKeyCmd = &cobra.Command{
 		user, err := cmd.Flags().GetString("user")
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -254,8 +227,6 @@ var expirePreAuthKeyCmd = &cobra.Command{
 				fmt.Sprintf("Cannot expire Pre Auth Key: %s\n", err),
 				output,
 			)
-
-			return
 		}

 		SuccessOutput(response, "Key expired", output)
--- a/cmd/headscale/cli/root.go
+++ b/cmd/headscale/cli/root.go
@@ -9,6 +9,7 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
 	"github.com/tcnksm/go-latest"
 )

@@ -49,26 +50,21 @@ func initConfig() {
 		}
 	}

-	cfg, err := types.GetHeadscaleConfig()
-	if err != nil {
-		log.Fatal().Caller().Err(err)
-	}
-
 	machineOutput := HasMachineOutputFlag()

-	zerolog.SetGlobalLevel(cfg.Log.Level)
-
-	// If the user has requested a "machine" readable format,
+	// If the user has requested a "node" readable format,
 	// then disable login so the output remains valid.
 	if machineOutput {
 		zerolog.SetGlobalLevel(zerolog.Disabled)
 	}

-	if cfg.Log.Format == types.JSONLogFormat {
-		log.Logger = log.Output(os.Stdout)
-	}
+	// logFormat := viper.GetString("log.format")
+	// if logFormat == types.JSONLogFormat {
+	// 	log.Logger = log.Output(os.Stdout)
+	// }

-	if !cfg.DisableUpdateCheck && !machineOutput {
+	disableUpdateCheck := viper.GetBool("disable_check_updates")
+	if !disableUpdateCheck && !machineOutput {
 		if (runtime.GOOS == "linux" || runtime.GOOS == "darwin") &&
 			Version != "dev" {
 			githubTag := &latest.GithubTag{
@@ -78,7 +74,7 @@ func initConfig() {
 			res, err := latest.Check(githubTag, Version)
 			if err == nil && res.Outdated {
 				//nolint
-				fmt.Printf(
+				log.Warn().Msgf(
 					"An updated version of Headscale has been found (%s vs. your current %s). Check it out https://github.com/juanfont/headscale/releases\n",
 					res.Current,
 					Version,
--- a/cmd/headscale/cli/routes.go
+++ b/cmd/headscale/cli/routes.go
@@ -7,10 +7,10 @@ import (
 	"strconv"

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
+	"tailscale.com/net/tsaddr"
 )

 const (
@@ -25,21 +25,21 @@ func init() {
 	enableRouteCmd.Flags().Uint64P("route", "r", 0, "Route identifier (ID)")
 	err := enableRouteCmd.MarkFlagRequired("route")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	routesCmd.AddCommand(enableRouteCmd)

 	disableRouteCmd.Flags().Uint64P("route", "r", 0, "Route identifier (ID)")
 	err = disableRouteCmd.MarkFlagRequired("route")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	routesCmd.AddCommand(disableRouteCmd)

 	deleteRouteCmd.Flags().Uint64P("route", "r", 0, "Route identifier (ID)")
 	err = deleteRouteCmd.MarkFlagRequired("route")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal(err.Error())
 	}
 	routesCmd.AddCommand(deleteRouteCmd)
 }
@@ -64,11 +64,9 @@ var listRoutesCmd = &cobra.Command{
 				fmt.Sprintf("Error getting machine id from flag: %s", err),
 				output,
 			)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -82,45 +80,35 @@ var listRoutesCmd = &cobra.Command{
 					fmt.Sprintf("Cannot get nodes: %s", status.Convert(err).Message()),
 					output,
 				)
-
-				return
 			}

 			if output != "" {
-				SuccessOutput(response.Routes, "", output)
-
-				return
+				SuccessOutput(response.GetRoutes(), "", output)
 			}

-			routes = response.Routes
+			routes = response.GetRoutes()
 		} else {
-			response, err := client.GetMachineRoutes(ctx, &v1.GetMachineRoutesRequest{
-				MachineId: machineID,
+			response, err := client.GetNodeRoutes(ctx, &v1.GetNodeRoutesRequest{
+				NodeId: machineID,
 			})
 			if err != nil {
 				ErrorOutput(
 					err,
-					fmt.Sprintf("Cannot get routes for machine %d: %s", machineID, status.Convert(err).Message()),
+					fmt.Sprintf("Cannot get routes for node %d: %s", machineID, status.Convert(err).Message()),
 					output,
 				)
-
-				return
 			}

 			if output != "" {
-				SuccessOutput(response.Routes, "", output)
-
-				return
+				SuccessOutput(response.GetRoutes(), "", output)
 			}

-			routes = response.Routes
+			routes = response.GetRoutes()
 		}

 		tableData := routesToPtables(routes)
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error converting to table: %s", err), output)
-
-			return
 		}

 		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
@@ -130,8 +118,6 @@ var listRoutesCmd = &cobra.Command{
 				fmt.Sprintf("Failed to render pterm table: %s", err),
 				output,
 			)
-
-			return
 		}
 	},
 }
@@ -150,11 +136,9 @@ var enableRouteCmd = &cobra.Command{
 				fmt.Sprintf("Error getting machine id from flag: %s", err),
 				output,
 			)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -167,14 +151,10 @@ var enableRouteCmd = &cobra.Command{
 				fmt.Sprintf("Cannot enable route %d: %s", routeID, status.Convert(err).Message()),
 				output,
 			)
-
-			return
 		}

 		if output != "" {
 			SuccessOutput(response, "", output)
-
-			return
 		}
 	},
 }
@@ -193,11 +173,9 @@ var disableRouteCmd = &cobra.Command{
 				fmt.Sprintf("Error getting machine id from flag: %s", err),
 				output,
 			)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -210,14 +188,10 @@ var disableRouteCmd = &cobra.Command{
 				fmt.Sprintf("Cannot disable route %d: %s", routeID, status.Convert(err).Message()),
 				output,
 			)
-
-			return
 		}

 		if output != "" {
 			SuccessOutput(response, "", output)
-
-			return
 		}
 	},
 }
@@ -236,11 +210,9 @@ var deleteRouteCmd = &cobra.Command{
 				fmt.Sprintf("Error getting machine id from flag: %s", err),
 				output,
 			)
-
-			return
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -253,43 +225,44 @@ var deleteRouteCmd = &cobra.Command{
 				fmt.Sprintf("Cannot delete route %d: %s", routeID, status.Convert(err).Message()),
 				output,
 			)
-
-			return
 		}

 		if output != "" {
 			SuccessOutput(response, "", output)
-
-			return
 		}
 	},
 }

 // routesToPtables converts the list of routes to a nice table.
 func routesToPtables(routes []*v1.Route) pterm.TableData {
-	tableData := pterm.TableData{{"ID", "Machine", "Prefix", "Advertised", "Enabled", "Primary"}}
+	tableData := pterm.TableData{{"ID", "Node", "Prefix", "Advertised", "Enabled", "Primary"}}

 	for _, route := range routes {
 		var isPrimaryStr string
-		prefix, err := netip.ParsePrefix(route.Prefix)
+		prefix, err := netip.ParsePrefix(route.GetPrefix())
 		if err != nil {
-			log.Printf("Error parsing prefix %s: %s", route.Prefix, err)
+			log.Printf("Error parsing prefix %s: %s", route.GetPrefix(), err)

 			continue
 		}
-		if prefix == types.ExitRouteV4 || prefix == types.ExitRouteV6 {
+		if tsaddr.IsExitRoute(prefix) {
 			isPrimaryStr = "-"
 		} else {
-			isPrimaryStr = strconv.FormatBool(route.IsPrimary)
+			isPrimaryStr = strconv.FormatBool(route.GetIsPrimary())
+		}
+
+		var nodeName string
+		if route.GetNode() != nil {
+			nodeName = route.GetNode().GetGivenName()
 		}

 		tableData = append(tableData,
 			[]string{
-				strconv.FormatUint(route.Id, Base10),
-				route.Machine.GivenName,
-				route.Prefix,
-				strconv.FormatBool(route.Advertised),
-				strconv.FormatBool(route.Enabled),
+				strconv.FormatUint(route.GetId(), Base10),
+				nodeName,
+				route.GetPrefix(),
+				strconv.FormatBool(route.GetAdvertised()),
+				strconv.FormatBool(route.GetEnabled()),
 				isPrimaryStr,
 			})
 	}
--- a/cmd/headscale/cli/server.go
+++ b/cmd/headscale/cli/server.go
@@ -1,6 +1,9 @@
 package cli

 import (
+	"errors"
+	"net/http"
+
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 )
@@ -16,14 +19,14 @@ var serveCmd = &cobra.Command{
 		return nil
 	},
 	Run: func(cmd *cobra.Command, args []string) {
-		app, err := getHeadscaleApp()
+		app, err := newHeadscaleServerWithConfig()
 		if err != nil {
 			log.Fatal().Caller().Err(err).Msg("Error initializing")
 		}

 		err = app.Serve()
-		if err != nil {
-			log.Fatal().Caller().Err(err).Msg("Error starting server")
+		if err != nil && !errors.Is(err, http.ErrServerClosed) {
+			log.Fatal().Caller().Err(err).Msg("Headscale ran into an error and had to shut down.")
 		}
 	},
 }
--- a/cmd/headscale/cli/users.go
+++ b/cmd/headscale/cli/users.go
@@ -3,6 +3,7 @@ package cli
 import (
 	"errors"
 	"fmt"
+	"net/url"

 	survey "github.com/AlecAivazis/survey/v2"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
@@ -12,12 +13,46 @@ import (
 	"google.golang.org/grpc/status"
 )

+func usernameAndIDFlag(cmd *cobra.Command) {
+	cmd.Flags().Int64P("identifier", "i", -1, "User identifier (ID)")
+	cmd.Flags().StringP("name", "n", "", "Username")
+}
+
+// usernameAndIDFromFlag returns the username and ID from the flags of the command.
+// If both are empty, it will exit the program with an error.
+func usernameAndIDFromFlag(cmd *cobra.Command) (uint64, string) {
+	username, _ := cmd.Flags().GetString("name")
+	identifier, _ := cmd.Flags().GetInt64("identifier")
+	if username == "" && identifier < 0 {
+		err := errors.New("--name or --identifier flag is required")
+		ErrorOutput(
+			err,
+			fmt.Sprintf(
+				"Cannot rename user: %s",
+				status.Convert(err).Message(),
+			),
+			"",
+		)
+	}
+
+	return uint64(identifier), username
+}
+
 func init() {
 	rootCmd.AddCommand(userCmd)
 	userCmd.AddCommand(createUserCmd)
+	createUserCmd.Flags().StringP("display-name", "d", "", "Display name")
+	createUserCmd.Flags().StringP("email", "e", "", "Email")
+	createUserCmd.Flags().StringP("picture-url", "p", "", "Profile picture URL")
 	userCmd.AddCommand(listUsersCmd)
+	usernameAndIDFlag(listUsersCmd)
+	listUsersCmd.Flags().StringP("email", "e", "", "Email")
 	userCmd.AddCommand(destroyUserCmd)
+	usernameAndIDFlag(destroyUserCmd)
 	userCmd.AddCommand(renameUserCmd)
+	usernameAndIDFlag(renameUserCmd)
+	renameUserCmd.Flags().StringP("new-name", "r", "", "New username")
+	renameNodeCmd.MarkFlagRequired("new-name")
 }

 var errMissingParameter = errors.New("missing parameters")
@@ -44,7 +79,7 @@ var createUserCmd = &cobra.Command{

 		userName := args[0]

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

@@ -52,6 +87,28 @@ var createUserCmd = &cobra.Command{

 		request := &v1.CreateUserRequest{Name: userName}

+		if displayName, _ := cmd.Flags().GetString("display-name"); displayName != "" {
+			request.DisplayName = displayName
+		}
+
+		if email, _ := cmd.Flags().GetString("email"); email != "" {
+			request.Email = email
+		}
+
+		if pictureURL, _ := cmd.Flags().GetString("picture-url"); pictureURL != "" {
+			if _, err := url.Parse(pictureURL); err != nil {
+				ErrorOutput(
+					err,
+					fmt.Sprintf(
+						"Invalid Picture URL: %s",
+						err,
+					),
+					output,
+				)
+			}
+			request.PictureUrl = pictureURL
+		}
+
 		log.Trace().Interface("request", request).Msg("Sending CreateUser request")
 		response, err := client.CreateUser(ctx, request)
 		if err != nil {
@@ -63,56 +120,56 @@ var createUserCmd = &cobra.Command{
 				),
 				output,
 			)
-
-			return
 		}

-		SuccessOutput(response.User, "User created", output)
+		SuccessOutput(response.GetUser(), "User created", output)
 	},
 }

 var destroyUserCmd = &cobra.Command{
-	Use:     "destroy NAME",
+	Use:     "destroy --identifier ID or --name NAME",
 	Short:   "Destroys a user",
 	Aliases: []string{"delete"},
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 {
-			return errMissingParameter
-		}
-
-		return nil
-	},
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

-		userName := args[0]
-
-		request := &v1.GetUserRequest{
-			Name: userName,
+		id, username := usernameAndIDFromFlag(cmd)
+		request := &v1.ListUsersRequest{
+			Name: username,
+			Id:   id,
 		}

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

-		_, err := client.GetUser(ctx, request)
+		users, err := client.ListUsers(ctx, request)
 		if err != nil {
 			ErrorOutput(
 				err,
 				fmt.Sprintf("Error: %s", status.Convert(err).Message()),
 				output,
 			)
-
-			return
 		}

+		if len(users.GetUsers()) != 1 {
+			err := fmt.Errorf("Unable to determine user to delete, query returned multiple users, use ID")
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error: %s", status.Convert(err).Message()),
+				output,
+			)
+		}
+
+		user := users.GetUsers()[0]
+
 		confirm := false
 		force, _ := cmd.Flags().GetBool("force")
 		if !force {
 			prompt := &survey.Confirm{
 				Message: fmt.Sprintf(
-					"Do you want to remove the user '%s' and any associated preauthkeys?",
-					userName,
+					"Do you want to remove the user %q (%d) and any associated preauthkeys?",
+					user.GetName(), user.GetId(),
 				),
 			}
 			err := survey.AskOne(prompt, &confirm)
@@ -122,7 +179,7 @@ var destroyUserCmd = &cobra.Command{
 		}

 		if confirm || force {
-			request := &v1.DeleteUserRequest{Name: userName}
+			request := &v1.DeleteUserRequest{Id: user.GetId()}

 			response, err := client.DeleteUser(ctx, request)
 			if err != nil {
@@ -134,8 +191,6 @@ var destroyUserCmd = &cobra.Command{
 					),
 					output,
 				)
-
-				return
 			}
 			SuccessOutput(response, "User destroyed", output)
 		} else {
@@ -151,12 +206,29 @@ var listUsersCmd = &cobra.Command{
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

 		request := &v1.ListUsersRequest{}

+		id, _ := cmd.Flags().GetInt64("identifier")
+		username, _ := cmd.Flags().GetString("name")
+		email, _ := cmd.Flags().GetString("email")
+
+		// filter by one param at most
+		switch {
+		case id > 0:
+			request.Id = uint64(id)
+			break
+		case username != "":
+			request.Name = username
+			break
+		case email != "":
+			request.Email = email
+			break
+		}
+
 		response, err := client.ListUsers(ctx, request)
 		if err != nil {
 			ErrorOutput(
@@ -164,23 +236,21 @@ var listUsersCmd = &cobra.Command{
 				fmt.Sprintf("Cannot get users: %s", status.Convert(err).Message()),
 				output,
 			)
-
-			return
 		}

 		if output != "" {
-			SuccessOutput(response.Users, "", output)
-
-			return
+			SuccessOutput(response.GetUsers(), "", output)
 		}

-		tableData := pterm.TableData{{"ID", "Name", "Created"}}
+		tableData := pterm.TableData{{"ID", "Name", "Username", "Email", "Created"}}
 		for _, user := range response.GetUsers() {
 			tableData = append(
 				tableData,
 				[]string{
-					user.GetId(),
+					fmt.Sprintf("%d", user.GetId()),
+					user.GetDisplayName(),
 					user.GetName(),
+					user.GetEmail(),
 					user.GetCreatedAt().AsTime().Format("2006-01-02 15:04:05"),
 				},
 			)
@@ -192,37 +262,53 @@ var listUsersCmd = &cobra.Command{
 				fmt.Sprintf("Failed to render pterm table: %s", err),
 				output,
 			)
-
-			return
 		}
 	},
 }

 var renameUserCmd = &cobra.Command{
-	Use:     "rename OLD_NAME NEW_NAME",
+	Use:     "rename",
 	Short:   "Renames a user",
 	Aliases: []string{"mv"},
-	Args: func(cmd *cobra.Command, args []string) error {
-		expectedArguments := 2
-		if len(args) < expectedArguments {
-			return errMissingParameter
-		}
-
-		return nil
-	},
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")

-		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		ctx, client, conn, cancel := newHeadscaleCLIWithConfig()
 		defer cancel()
 		defer conn.Close()

-		request := &v1.RenameUserRequest{
-			OldName: args[0],
-			NewName: args[1],
+		id, username := usernameAndIDFromFlag(cmd)
+		listReq := &v1.ListUsersRequest{
+			Name: username,
+			Id:   id,
 		}

-		response, err := client.RenameUser(ctx, request)
+		users, err := client.ListUsers(ctx, listReq)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error: %s", status.Convert(err).Message()),
+				output,
+			)
+		}
+
+		if len(users.GetUsers()) != 1 {
+			err := fmt.Errorf("Unable to determine user to delete, query returned multiple users, use ID")
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error: %s", status.Convert(err).Message()),
+				output,
+			)
+		}
+
+		newName, _ := cmd.Flags().GetString("new-name")
+
+		renameReq := &v1.RenameUserRequest{
+			OldId:   id,
+			NewName: newName,
+		}
+
+		response, err := client.RenameUser(ctx, renameReq)
 		if err != nil {
 			ErrorOutput(
 				err,
@@ -232,10 +318,8 @@ var renameUserCmd = &cobra.Command{
 				),
 				output,
 			)
-
-			return
 		}

-		SuccessOutput(response.User, "User renamed", output)
+		SuccessOutput(response.GetUser(), "User renamed", output)
 	},
 }
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@@ -6,11 +6,9 @@ import (
 	"encoding/json"
 	"fmt"
 	"os"
-	"reflect"

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/juanfont/headscale/hscontrol"
-	"github.com/juanfont/headscale/hscontrol/policy"
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
@@ -25,8 +23,8 @@ const (
 	SocketWritePermissions  = 0o666
 )

-func getHeadscaleApp() (*hscontrol.Headscale, error) {
-	cfg, err := types.GetHeadscaleConfig()
+func newHeadscaleServerWithConfig() (*hscontrol.Headscale, error) {
+	cfg, err := types.LoadServerConfig()
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to load configuration while creating headscale instance: %w",
@@ -39,26 +37,11 @@ func getHeadscaleApp() (*hscontrol.Headscale, error) {
 		return nil, err
 	}

-	// We are doing this here, as in the future could be cool to have it also hot-reload
-
-	if cfg.ACL.PolicyPath != "" {
-		aclPath := util.AbsolutePathFromConfigPath(cfg.ACL.PolicyPath)
-		pol, err := policy.LoadACLPolicyFromPath(aclPath)
-		if err != nil {
-			log.Fatal().
-				Str("path", aclPath).
-				Err(err).
-				Msg("Could not load the ACL policy")
-		}
-
-		app.ACLPolicy = pol
-	}
-
 	return app, nil
 }

-func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.ClientConn, context.CancelFunc) {
-	cfg, err := types.GetHeadscaleConfig()
+func newHeadscaleCLIWithConfig() (context.Context, v1.HeadscaleServiceClient, *grpc.ClientConn, context.CancelFunc) {
+	cfg, err := types.LoadCLIConfig()
 	if err != nil {
 		log.Fatal().
 			Err(err).
@@ -89,7 +72,7 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.

 		// Try to give the user better feedback if we cannot write to the headscale
 		// socket.
-		socket, err := os.OpenFile(cfg.UnixSocket, os.O_WRONLY, SocketWritePermissions) //nolint
+		socket, err := os.OpenFile(cfg.UnixSocket, os.O_WRONLY, SocketWritePermissions) // nolint
 		if err != nil {
 			if os.IsPermission(err) {
 				log.Fatal().
@@ -147,42 +130,47 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 	return ctx, client, conn, cancel
 }

-func SuccessOutput(result interface{}, override string, outputFormat string) {
+func output(result interface{}, override string, outputFormat string) string {
 	var jsonBytes []byte
 	var err error
 	switch outputFormat {
 	case "json":
 		jsonBytes, err = json.MarshalIndent(result, "", "\t")
 		if err != nil {
-			log.Fatal().Err(err)
+			log.Fatal().Err(err).Msg("failed to unmarshal output")
 		}
 	case "json-line":
 		jsonBytes, err = json.Marshal(result)
 		if err != nil {
-			log.Fatal().Err(err)
+			log.Fatal().Err(err).Msg("failed to unmarshal output")
 		}
 	case "yaml":
 		jsonBytes, err = yaml.Marshal(result)
 		if err != nil {
-			log.Fatal().Err(err)
+			log.Fatal().Err(err).Msg("failed to unmarshal output")
 		}
 	default:
-		//nolint
-		fmt.Println(override)
-
-		return
+		// nolint
+		return override
 	}

-	//nolint
-	fmt.Println(string(jsonBytes))
+	return string(jsonBytes)
 }

+// SuccessOutput prints the result to stdout and exits with status code 0.
+func SuccessOutput(result interface{}, override string, outputFormat string) {
+	fmt.Println(output(result, override, outputFormat))
+	os.Exit(0)
+}
+
+// ErrorOutput prints an error message to stderr and exits with status code 1.
 func ErrorOutput(errResult error, override string, outputFormat string) {
 	type errOutput struct {
 		Error string `json:"error"`
 	}

-	SuccessOutput(errOutput{errResult.Error()}, override, outputFormat)
+	fmt.Fprintf(os.Stderr, "%s\n", output(errOutput{errResult.Error()}, override, outputFormat))
+	os.Exit(1)
 }

 func HasMachineOutputFlag() bool {
@@ -212,13 +200,3 @@ func (t tokenAuth) GetRequestMetadata(
 func (tokenAuth) RequireTransportSecurity() bool {
 	return true
 }
-
-func contains[T string](ts []T, t T) bool {
-	for _, v := range ts {
-		if reflect.DeepEqual(v, t) {
-			return true
-		}
-	}
-
-	return false
-}
--- a/cmd/headscale/headscale.go
+++ b/cmd/headscale/headscale.go
@@ -4,27 +4,13 @@ import (
 	"os"
 	"time"

-	"github.com/efekarakus/termcolor"
+	"github.com/jagottsicher/termcolor"
 	"github.com/juanfont/headscale/cmd/headscale/cli"
-	"github.com/pkg/profile"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 )

 func main() {
-	if _, enableProfile := os.LookupEnv("HEADSCALE_PROFILING_ENABLED"); enableProfile {
-		if profilePath, ok := os.LookupEnv("HEADSCALE_PROFILING_PATH"); ok {
-			err := os.MkdirAll(profilePath, os.ModePerm)
-			if err != nil {
-				log.Fatal().Err(err).Msg("failed to create profiling directory")
-			}
-
-			defer profile.Start(profile.ProfilePath(profilePath)).Stop()
-		} else {
-			defer profile.Start().Stop()
-		}
-	}
-
 	var colors bool
 	switch l := termcolor.SupportLevel(os.Stderr); l {
 	case termcolor.Level16M:
@@ -48,7 +34,7 @@ func main() {

 	zerolog.TimeFieldFormat = zerolog.TimeFormatUnix
 	log.Logger = log.Output(zerolog.ConsoleWriter{
-		Out:        os.Stdout,
+		Out:        os.Stderr,
 		TimeFormat: time.RFC3339,
 		NoColor:    !colors,
 	})
--- a/cmd/headscale/headscale_test.go
+++ b/cmd/headscale/headscale_test.go
@@ -4,7 +4,6 @@ import (
 	"io/fs"
 	"os"
 	"path/filepath"
-	"strings"
 	"testing"

 	"github.com/juanfont/headscale/hscontrol/types"
@@ -58,12 +57,11 @@ func (*Suite) TestConfigFileLoading(c *check.C) {
 	c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
 	c.Assert(viper.GetString("listen_addr"), check.Equals, "127.0.0.1:8080")
 	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
-	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
-	c.Assert(viper.GetString("db_path"), check.Equals, "/var/lib/headscale/db.sqlite")
+	c.Assert(viper.GetString("database.type"), check.Equals, "sqlite")
+	c.Assert(viper.GetString("database.sqlite.path"), check.Equals, "/var/lib/headscale/db.sqlite")
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
-	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
 	c.Assert(
 		util.GetFileMode("unix_socket_permission"),
 		check.Equals,
@@ -101,12 +99,11 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
 	c.Assert(viper.GetString("listen_addr"), check.Equals, "127.0.0.1:8080")
 	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
-	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
-	c.Assert(viper.GetString("db_path"), check.Equals, "/var/lib/headscale/db.sqlite")
+	c.Assert(viper.GetString("database.type"), check.Equals, "sqlite")
+	c.Assert(viper.GetString("database.sqlite.path"), check.Equals, "/var/lib/headscale/db.sqlite")
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
-	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
 	c.Assert(
 		util.GetFileMode("unix_socket_permission"),
 		check.Equals,
@@ -115,93 +112,3 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	c.Assert(viper.GetBool("logtail.enabled"), check.Equals, false)
 	c.Assert(viper.GetBool("randomize_client_port"), check.Equals, false)
 }
-
-func (*Suite) TestDNSConfigLoading(c *check.C) {
-	tmpDir, err := os.MkdirTemp("", "headscale")
-	if err != nil {
-		c.Fatal(err)
-	}
-	defer os.RemoveAll(tmpDir)
-
-	path, err := os.Getwd()
-	if err != nil {
-		c.Fatal(err)
-	}
-
-	// Symlink the example config file
-	err = os.Symlink(
-		filepath.Clean(path+"/../../config-example.yaml"),
-		filepath.Join(tmpDir, "config.yaml"),
-	)
-	if err != nil {
-		c.Fatal(err)
-	}
-
-	// Load example config, it should load without validation errors
-	err = types.LoadConfig(tmpDir, false)
-	c.Assert(err, check.IsNil)
-
-	dnsConfig, baseDomain := types.GetDNSConfig()
-
-	c.Assert(dnsConfig.Nameservers[0].String(), check.Equals, "1.1.1.1")
-	c.Assert(dnsConfig.Resolvers[0].Addr, check.Equals, "1.1.1.1")
-	c.Assert(dnsConfig.Proxied, check.Equals, true)
-	c.Assert(baseDomain, check.Equals, "example.com")
-}
-
-func writeConfig(c *check.C, tmpDir string, configYaml []byte) {
-	// Populate a custom config file
-	configFile := filepath.Join(tmpDir, "config.yaml")
-	err := os.WriteFile(configFile, configYaml, 0o600)
-	if err != nil {
-		c.Fatalf("Couldn't write file %s", configFile)
-	}
-}
-
-func (*Suite) TestTLSConfigValidation(c *check.C) {
-	tmpDir, err := os.MkdirTemp("", "headscale")
-	if err != nil {
-		c.Fatal(err)
-	}
-	// defer os.RemoveAll(tmpDir)
-	configYaml := []byte(`---
-tls_letsencrypt_hostname: example.com
-tls_letsencrypt_challenge_type: ""
-tls_cert_path: abc.pem
-noise:
-  private_key_path: noise_private.key`)
-	writeConfig(c, tmpDir, configYaml)
-
-	// Check configuration validation errors (1)
-	err = types.LoadConfig(tmpDir, false)
-	c.Assert(err, check.NotNil)
-	// check.Matches can not handle multiline strings
-	tmp := strings.ReplaceAll(err.Error(), "\n", "***")
-	c.Assert(
-		tmp,
-		check.Matches,
-		".*Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both.*",
-	)
-	c.Assert(
-		tmp,
-		check.Matches,
-		".*Fatal config error: the only supported values for tls_letsencrypt_challenge_type are.*",
-	)
-	c.Assert(
-		tmp,
-		check.Matches,
-		".*Fatal config error: server_url must start with https:// or http://.*",
-	)
-
-	// Check configuration validation errors (2)
-	configYaml = []byte(`---
-noise:
-  private_key_path: noise_private.key
-server_url: http://127.0.0.1:8080
-tls_letsencrypt_hostname: example.com
-tls_letsencrypt_challenge_type: TLS-ALPN-01
-`)
-	writeConfig(c, tmpDir, configYaml)
-	err = types.LoadConfig(tmpDir, false)
-	c.Assert(err, check.IsNil)
-}
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -40,19 +40,12 @@ grpc_listen_addr: 127.0.0.1:50443
 # are doing.
 grpc_allow_insecure: false

-# Private key used to encrypt the traffic between headscale
-# and Tailscale clients.
-# The private key file will be autogenerated if it's missing.
-#
-private_key_path: /var/lib/headscale/private.key
-
 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol
 noise:
  # The Noise private key is used to encrypt the
  # traffic between headscale and Tailscale clients when
-  # using the new Noise-based protocol. It must be different
-  # from the legacy private key.
+  # using the new Noise-based protocol.
  private_key_path: /var/lib/headscale/noise_private.key

 # List of IP prefixes to allocate tailaddresses from.
@@ -64,9 +57,14 @@ noise:
 # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
 # Any other range is NOT supported, and it will cause unexpected issues.
-ip_prefixes:
-  - fd7a:115c:a1e0::/48
-  - 100.64.0.0/10
+prefixes:
+  v4: 100.64.0.0/10
+  v6: fd7a:115c:a1e0::/48
+
+  # Strategy used for allocation of IPs to nodes, available options:
+  # - sequential (default): assigns the next free IP from the previous given IP.
+  # - random: assigns the next free IP from a pseudo-random IP generator (crypto/rand).
+  allocation: sequential

 # DERP is a relay system that Tailscale uses when a direct
 # connection cannot be established.
@@ -95,6 +93,22 @@ derp:
    # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
    stun_listen_addr: "0.0.0.0:3478"

+    # Private key used to encrypt the traffic between headscale DERP
+    # and Tailscale clients.
+    # The private key file will be autogenerated if it's missing.
+    #
+    private_key_path: /var/lib/headscale/derp_server_private.key
+
+    # This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
+    # it enables the creation of your very own DERP map entry using a locally available file with the parameter DERP.paths
+    # If you enable the DERP server and set this to false, it is required to add the DERP server to the DERP map using DERP.paths
+    automatically_add_embedded_derp_region: true
+
+    # For better connection stability (especially when using an Exit-Node and DNS is not working),
+    # it is possible to optionally add the public IPv4 and IPv6 address to the Derp-Map using:
+    ipv4: 1.2.3.4
+    ipv6: 2001:db8::1
+
  # List of externally available DERP maps encoded in JSON
  urls:
    - https://controlplane.tailscale.com/derpmap/default
@@ -123,30 +137,59 @@ disable_check_updates: false
 # Time before an inactive ephemeral node is deleted?
 ephemeral_node_inactivity_timeout: 30m

-# Period to check for node updates within the tailnet. A value too low will severely affect
-# CPU consumption of Headscale. A value too high (over 60s) will cause problems
-# for the nodes, as they won't get updates or keep alive messages frequently enough.
-# In case of doubts, do not touch the default 10s.
-node_update_check_interval: 10s
+database:
+  # Database type. Available options: sqlite, postgres
+  # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
+  # All new development, testing and optimisations are done with SQLite in mind.
+  type: sqlite

-# SQLite config
-db_type: sqlite3
+  # Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
+  debug: false

-# For production:
-db_path: /var/lib/headscale/db.sqlite
+  # GORM configuration settings.
+  gorm:
+    # Enable prepared statements.
+    prepare_stmt: true

-# # Postgres config
-# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
-# db_type: postgres
-# db_host: localhost
-# db_port: 5432
-# db_name: headscale
-# db_user: foo
-# db_pass: bar
+    # Enable parameterized queries.
+    parameterized_queries: true

-# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
-# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
-# db_ssl: false
+    # Skip logging "record not found" errors.
+    skip_err_record_not_found: true
+
+    # Threshold for slow queries in milliseconds.
+    slow_threshold: 1000
+
+  # SQLite config
+  sqlite:
+    path: /var/lib/headscale/db.sqlite
+
+    # Enable WAL mode for SQLite. This is recommended for production environments.
+    # https://www.sqlite.org/wal.html
+    write_ahead_log: true
+
+    # Maximum number of WAL file frames before the WAL file is automatically checkpointed.
+    # https://www.sqlite.org/c3ref/wal_autocheckpoint.html
+    # Set to 0 to disable automatic checkpointing.
+    wal_autocheckpoint: 1000
+
+  # # Postgres config
+  # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
+  # See database.type for more information.
+  # postgres:
+  #   # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
+  #   host: localhost
+  #   port: 5432
+  #   name: headscale
+  #   user: foo
+  #   pass: bar
+  #   max_open_conns: 10
+  #   max_idle_conns: 10
+  #   conn_max_idle_time_secs: 3600
+
+  #   # If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
+  #   # in the 'ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
+  #   ssl: false

 ### TLS configuration
 #
@@ -171,7 +214,7 @@ tls_letsencrypt_cache_dir: /var/lib/headscale/cache

 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
-# See [docs/tls.md](docs/tls.md) for more information
+# See: docs/ref/tls.md for more information
 tls_letsencrypt_challenge_type: HTTP-01
 # When HTTP-01 challenge is chosen, letsencrypt must set up a
 # verification endpoint, and it will be listening on:
@@ -187,10 +230,17 @@ log:
  format: text
  level: info

-# Path to a file containg ACL policies.
-# ACLs can be defined as YAML or HUJSON.
-# https://tailscale.com/kb/1018/acls/
-acl_policy_path: ""
+## Policy
+# headscale supports Tailscale's ACL policies.
+# Please have a look to their KB to better
+# understand the concepts: https://tailscale.com/kb/1018/acls/
+policy:
+  # The mode can be "file" or "database" that defines
+  # where the ACL policies are stored and read from.
+  mode: file
+  # If the mode is set to "file", the path to a
+  # HuJSON file containing ACL policies.
+  path: ""

 ## DNS
 #
@@ -201,59 +251,69 @@ acl_policy_path: ""
 # - https://tailscale.com/kb/1081/magicdns/
 # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
 #
-dns_config:
-  # Whether to prefer using Headscale provided DNS or use local.
-  override_local_dns: true
+# Please note that for the DNS configuration to have any effect,
+# clients must have the `--accept-dns=true` option enabled. This is the
+# default for the Tailscale client. This option is enabled by default
+# in the Tailscale client.
+#
+# Setting _any_ of the configuration and `--accept-dns=true` on the
+# clients will integrate with the DNS manager on the client or
+# overwrite /etc/resolv.conf.
+# https://tailscale.com/kb/1235/resolv-conf
+#
+# If you want stop Headscale from managing the DNS configuration
+# all the fields under `dns` should be set to empty values.
+dns:
+  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
+  magic_dns: true
+
+  # Defines the base domain to create the hostnames for MagicDNS.
+  # This domain _must_ be different from the server_url domain.
+  # `base_domain` must be a FQDN, without the trailing dot.
+  # The FQDN of the hosts will be
+  # `hostname.base_domain` (e.g., _myhost.example.com_).
+  base_domain: example.com

  # List of DNS servers to expose to clients.
  nameservers:
-    - 1.1.1.1
+    global:
+      - 1.1.1.1
+      - 1.0.0.1
+      - 2606:4700:4700::1111
+      - 2606:4700:4700::1001

-  # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
-  # "abc123" is example NextDNS ID, replace with yours.
-  #
-  # With metadata sharing:
-  # nameservers:
-  #   - https://dns.nextdns.io/abc123
-  #
-  # Without metadata sharing:
-  # nameservers:
-  #   - 2a07:a8c0::ab:c123
-  #   - 2a07:a8c1::ab:c123
+      # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+      # "abc123" is example NextDNS ID, replace with yours.
+      # - https://dns.nextdns.io/abc123

-  # Split DNS (see https://tailscale.com/kb/1054/dns/),
-  # list of search domains and the DNS to query for each one.
-  #
-  # restricted_nameservers:
-  #   foo.bar.com:
-  #     - 1.1.1.1
-  #   darp.headscale.net:
-  #     - 1.1.1.1
-  #     - 8.8.8.8
+    # Split DNS (see https://tailscale.com/kb/1054/dns/),
+    # a map of domains and which DNS server to use for each.
+    split:
+      {}
+      # foo.bar.com:
+      #   - 1.1.1.1
+      # darp.headscale.net:
+      #   - 1.1.1.1
+      #   - 8.8.8.8

-  # Search domains to inject.
-  domains: []
+  # Set custom DNS search domains. With MagicDNS enabled,
+  # your tailnet base_domain is always the first search domain.
+  search_domains: []

  # Extra DNS records
-  # so far only A-records are supported (on the tailscale side)
-  # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
-  # extra_records:
+  # so far only A and AAAA records are supported (on the tailscale side)
+  # See: docs/ref/dns.md
+  extra_records: []
  #   - name: "grafana.myvpn.example.com"
  #     type: "A"
  #     value: "100.64.0.3"
  #
  #   # you can also put it in one line
  #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
-
-  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
-  # Only works if there is at least a nameserver defined.
-  magic_dns: true
-
-  # Defines the base domain to create the hostnames for MagicDNS.
-  # `base_domain` must be a FQDNs, without the trailing dot.
-  # The FQDN of the hosts will be
-  # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
-  base_domain: example.com
+  #
+  # Alternatively, extra DNS records can be loaded from a JSON file.
+  # Headscale processes this file on each change.
+  # extra_records_path: /var/lib/headscale/extra-records.json

 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
@@ -304,12 +364,30 @@ unix_socket_permission: "0770"
 #   allowed_users:
 #     - alice@example.com
 #
-#   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
-#   # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
-#   # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
-#   user: `first-name.last-name.example.com`
+#   # Optional: PKCE (Proof Key for Code Exchange) configuration
+#   # PKCE adds an additional layer of security to the OAuth 2.0 authorization code flow
+#   # by preventing authorization code interception attacks
+#   # See https://datatracker.ietf.org/doc/html/rfc7636
+#   pkce:
+#     # Enable or disable PKCE support (default: false)
+#     enabled: false
+#     # PKCE method to use:
+#     # - plain: Use plain code verifier
+#     # - S256: Use SHA256 hashed code verifier (default, recommended)
+#     method: S256
 #
-#   strip_email_domain: true
+#   # Map legacy users from pre-0.24.0 versions of headscale to the new OIDC users
+#   # by taking the username from the legacy user and matching it with the username
+#   # provided by the OIDC. This is useful when migrating from legacy users to OIDC
+#   # to force them using the unique identifier from the OIDC and to give them a
+#   # proper display name and picture if available.
+#   # Note that this will only work if the username from the legacy user is the same
+#   # and there is a possibility for account takeover should a username have changed
+#   # with the provider.
+#   # When this feature is disabled, it will cause all new logins to be created as new users.
+#   # Note this option will be removed in the future and should be set to false
+#   # on all new installations, or when all users have logged in with OIDC once.
+#   map_legacy_users: false

 # Logtail configuration
 # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
--- a/docs/about/clients.md
+++ b/docs/about/clients.md
@@ -0,0 +1,16 @@
+# Client and operating system support
+
+We aim to support the [**last 10 releases** of the Tailscale client](https://tailscale.com/changelog#client) on all
+provided operating systems and platforms. Some platforms might require additional configuration to connect with
+headscale.
+
+| OS      | Supports headscale                                                                                    |
+| ------- | ----------------------------------------------------------------------------------------------------- |
+| Linux   | Yes                                                                                                   |
+| OpenBSD | Yes                                                                                                   |
+| FreeBSD | Yes                                                                                                   |
+| Windows | Yes (see [docs](../usage/connect/windows.md) and `/windows` on your headscale for more information)   |
+| Android | Yes (see [docs](../usage/connect/android.md) for more information)                                    |
+| macOS   | Yes (see [docs](../usage/connect/apple.md#macos) and `/apple` on your headscale for more information) |
+| iOS     | Yes (see [docs](../usage/connect/apple.md#ios) and `/apple` on your headscale for more information)   |
+| tvOS    | Yes (see [docs](../usage/connect/apple.md#tvos) and `/apple` on your headscale for more information)  |
--- a/docs/about/contributing.md
+++ b/docs/about/contributing.md
@@ -0,0 +1,3 @@
+{%
+    include-markdown "../../CONTRIBUTING.md"
+%}
--- a/docs/about/faq.md
+++ b/docs/about/faq.md
@@ -0,0 +1,68 @@
+# Frequently Asked Questions
+
+## What is the design goal of headscale?
+
+Headscale aims to implement a self-hosted, open source alternative to the
+[Tailscale](https://tailscale.com/) control server. Headscale's goal is to
+provide self-hosters and hobbyists with an open-source server they can use for
+their projects and labs. It implements a narrow scope, a _single_ Tailscale
+network (tailnet), suitable for a personal use, or a small open-source
+organisation.
+
+## How can I contribute?
+
+Headscale is "Open Source, acknowledged contribution", this means that any
+contribution will have to be discussed with the Maintainers before being submitted.
+
+Please see [Contributing](contributing.md) for more information.
+
+## Why is 'acknowledged contribution' the chosen model?
+
+Both maintainers have full-time jobs and families, and we want to avoid burnout. We also want to avoid frustration from contributors when their PRs are not accepted.
+
+We are more than happy to exchange emails, or to have dedicated calls before a PR is submitted.
+
+## When/Why is Feature X going to be implemented?
+
+We don't know. We might be working on it. If you're interested in contributing, please post a feature request about it.
+
+Please be aware that there are a number of reasons why we might not accept specific contributions:
+
+- It is not possible to implement the feature in a way that makes sense in a self-hosted environment.
+- Given that we are reverse-engineering Tailscale to satisfy our own curiosity, we might be interested in implementing the feature ourselves.
+- You are not sending unit and integration tests with it.
+
+## Do you support Y method of deploying headscale?
+
+We currently support deploying headscale using our binaries and the DEB packages. Visit our [installation guide using
+official releases](../setup/install/official.md) for more information.
+
+In addition to that, you may use packages provided by the community or from distributions. Learn more in the
+[installation guide using community packages](../setup/install/community.md).
+
+For convenience, we also [build Docker images with headscale](../setup/install/container.md). But **please be aware that
+we don't officially support deploying headscale using Docker**. On our [Discord server](https://discord.gg/c84AZQhmpx)
+we have a "docker-issues" channel where you can ask for Docker-specific help to the community.
+
+## Which database should I use?
+
+We recommend the use of SQLite as database for headscale:
+
+- SQLite is simple to setup and easy to use
+- It scales well for all of headscale's usecases
+- Development and testing happens primarily on SQLite
+- PostgreSQL is still supported, but is considered to be in "maintenance mode"
+
+The headscale project itself does not provide a tool to migrate from PostgreSQL to SQLite. Please have a look at [the
+related tools documentation](../ref/integration/tools.md) for migration tooling provided by the community.
+
+## Why is my reverse proxy not working with headscale?
+
+We don't know. We don't use reverse proxies with headscale ourselves, so we don't have any experience with them. We have
+[community documentation](../ref/integration/reverse-proxy.md) on how to configure various reverse proxies, and a
+dedicated "reverse-proxy-issues" channel on our [Discord server](https://discord.gg/c84AZQhmpx) where you can ask for
+help to the community.
+
+## Can I use headscale and tailscale on the same machine?
+
+Running headscale on a machine that is also in the tailnet can cause problems with subnet routers, traffic relay nodes, and MagicDNS. It might work, but it is not supported.
--- a/docs/about/features.md
+++ b/docs/about/features.md
@@ -0,0 +1,32 @@
+# Features
+
+Headscale aims to implement a self-hosted, open source alternative to the Tailscale control server. Headscale's goal is
+to provide self-hosters and hobbyists with an open-source server they can use for their projects and labs. This page
+provides on overview of headscale's feature and compatibility with the Tailscale control server:
+
+- [x] Full "base" support of Tailscale's features
+- [x] Node registration
+    - [x] Interactive
+    - [x] Pre authenticated key
+- [x] [DNS](https://tailscale.com/kb/1054/dns)
+    - [x] [MagicDNS](https://tailscale.com/kb/1081/magicdns)
+    - [x] [Global and restricted nameservers (split DNS)](https://tailscale.com/kb/1054/dns#nameservers)
+    - [x] [search domains](https://tailscale.com/kb/1054/dns#search-domains)
+    - [x] [Extra DNS records (headscale only)](../ref/dns.md#setting-extra-dns-records)
+- [x] [Taildrop (File Sharing)](https://tailscale.com/kb/1106/taildrop)
+- [x] Routing advertising (including exit nodes)
+- [x] Dual stack (IPv4 and IPv6)
+- [x] Ephemeral nodes
+- [x] Embedded [DERP server](https://tailscale.com/kb/1232/derp-servers)
+- [x] Access control lists ([GitHub label "policy"](https://github.com/juanfont/headscale/labels/policy%20%F0%9F%93%9D))
+    - [x] ACL management via API
+    - [x] `autogroup:internet`
+    - [ ] `autogroup:self`
+    - [ ] `autogroup:member`
+* [ ] Node registration using Single-Sign-On (OpenID Connect) ([GitHub label "OIDC"](https://github.com/juanfont/headscale/labels/OIDC))
+    - [x] Basic registration
+    - [x] Update user profile from identity provider
+    - [ ] Dynamic ACL support
+    - [ ] OIDC groups cannot be used in ACLs
+- [ ] [Funnel](https://tailscale.com/kb/1223/funnel) ([#1040](https://github.com/juanfont/headscale/issues/1040))
+- [ ] [Serve](https://tailscale.com/kb/1312/serve) ([#1234](https://github.com/juanfont/headscale/issues/1921))
--- a/docs/about/help.md
+++ b/docs/about/help.md
@@ -0,0 +1,5 @@
+# Getting help
+
+Join our [Discord server](https://discord.gg/c84AZQhmpx) for announcements and community support.
+
+Please report bugs via [GitHub issues](https://github.com/juanfont/headscale/issues)
--- a/docs/about/releases.md
+++ b/docs/about/releases.md
@@ -0,0 +1,9 @@
+# Releases
+
+All headscale releases are available on the [GitHub release page](https://github.com/juanfont/headscale/releases). Those
+releases are available as binaries for various platforms and architectures, packages for Debian based systems and source
+code archives. Container images are available on [Docker Hub](https://hub.docker.com/r/headscale/headscale).
+
+An Atom/RSS feed of headscale releases is available [here](https://github.com/juanfont/headscale/releases.atom).
+
+See the "announcements" channel on our [Discord server](https://discord.gg/c84AZQhmpx) for news about headscale.
--- a/docs/about/sponsor.md
+++ b/docs/about/sponsor.md
@@ -0,0 +1,4 @@
+# Sponsor
+
+If you like to support the development of headscale, please consider a donation via
+[ko-fi.com/headscale](https://ko-fi.com/headscale). Thank you!
--- a/Show More
+++ b/Show More