use smallzstd and sync pool

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

.dockerignore

@@ -3,6 +3,7 @@
 // development
 integration_test.go
 integration_test/
+!integration_test/etc_embedded_derp/tls/server.crt
 
 Dockerfile*
 docker-compose*
@@ -15,3 +16,4 @@ README.md
 LICENSE
 .vscode
 
+*.sock

.envrc

@@ -0,0 +1 @@
+use flake

.github/CODEOWNERS

@@ -0,0 +1,10 @@
+* @juanfont @kradalby
+
+*.md @ohdearaugustin
+*.yml @ohdearaugustin
+*.yaml @ohdearaugustin
+Dockerfile* @ohdearaugustin
+.goreleaser.yaml @ohdearaugustin
+/docs/ @ohdearaugustin
+/.github/workflows/ @ohdearaugustin
+/.github/renovate.json @ohdearaugustin

.github/FUNDING.yml

@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+ko_fi: headscale

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,30 @@
+---
+name: "Bug report"
+about: "Create a bug report to help us improve"
+title: ""
+labels: ["bug"]
+assignees: ""
+---
+
+<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the bug report in this language. -->
+
+**Bug description**
+
+<!-- A clear and concise description of what the bug is. Describe the expected bahavior
+  and how it is currently different. If you are unsure if it is a bug, consider discussing
+  it on our Discord server first. -->
+
+**To Reproduce**
+
+<!-- Steps to reproduce the behavior. -->
+
+**Context info**
+
+<!-- Please add relevant information about your system. For example:
+- Version of headscale used
+- Version of tailscale client
+- OS (e.g. Linux, Mac, Cygwin, WSL, etc.) and version
+- Kernel version
+- The relevant config parameters you used
+- Log output
+-->

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,11 @@
+# Issues must have some content
+blank_issues_enabled: false
+
+# Contact links
+contact_links:
+  - name: "headscale usage documentation"
+    url: "https://github.com/juanfont/headscale/blob/main/docs"
+    about: "Find documentation about how to configure and run headscale."
+  - name: "headscale Discord community"
+    url: "https://discord.gg/xGj2TuqyxY"
+    about: "Please ask and answer questions about usage of headscale here."

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,17 @@
+---
+name: "Feature request"
+about: "Suggest an idea for headscale"
+title: ""
+labels: ["enhancement"]
+assignees: ""
+---
+
+<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the feature request in this language. -->
+
+**Feature request**
+
+<!-- A clear and precise description of what new or changed feature you want. -->
+
+<!-- Please include the reason, why you would need the feature. E.g. what problem
+  does it solve? Or which workflow is currently frustrating and will be improved by
+  this? -->

.github/ISSUE_TEMPLATE/other_issue.md

@@ -0,0 +1,30 @@
+---
+name: "Other issue"
+about: "Report a different issue"
+title: ""
+labels: ["bug"]
+assignees: ""
+---
+
+<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the issue in this language. -->
+
+<!-- If you have a question, please consider using our Discord for asking questions -->
+
+**Issue description**
+
+<!-- Please add your issue description. -->
+
+**To Reproduce**
+
+<!-- Steps to reproduce the behavior. -->
+
+**Context info**
+
+<!-- Please add relevant information about your system. For example:
+- Version of headscale used
+- Version of tailscale client
+- OS (e.g. Linux, Mac, Cygwin, WSL, etc.) and version
+- Kernel version
+- The relevant config parameters you used
+- Log output
+-->

.github/pull_request_template.md

@@ -0,0 +1,10 @@
+<!-- Please tick if the following things apply. You… -->
+
+- [ ] read the [CONTRIBUTING guidelines](README.md#contributing)
+- [ ] raised a GitHub issue or discussed it on the projects chat beforehand
+- [ ] added unit tests
+- [ ] added integration tests
+- [ ] updated documentation if needed
+- [ ] updated CHANGELOG.md
+
+<!-- If applicable, please reference the issue using `Fixes #XXX` and add tests to cover your new code. -->

.github/renovate.json

@@ -0,0 +1,38 @@
+{
+  "baseBranches": ["main"],
+  "username": "renovate-release",
+  "gitAuthor": "Renovate Bot <bot@renovateapp.com>",
+  "branchPrefix": "renovateaction/",
+  "onboarding": false,
+  "extends": ["config:base", ":rebaseStalePrs"],
+  "ignorePresets": [":prHourlyLimit2"],
+  "enabledManagers": ["dockerfile", "gomod", "github-actions","regex" ],
+  "includeForks": true,
+  "repositories": ["juanfont/headscale"],
+  "platform": "github",
+  "packageRules": [
+    {
+        "matchDatasources": ["go"],
+        "groupName": "Go modules",
+        "groupSlug": "gomod",
+        "separateMajorMinor": false
+    },
+    {
+        "matchDatasources": ["docker"],
+        "groupName": "Dockerfiles",
+        "groupSlug": "dockerfiles"
+    } 
+  ],
+  "regexManagers": [
+    {
+      "fileMatch": [
+          ".github/workflows/.*.yml$"
+      ],
+      "matchStrings": [
+        "\\s*go-version:\\s*\"?(?<currentValue>.*?)\"?\\n"
+      ],
+      "datasourceTemplate": "golang-version",
+      "depNameTemplate": "actions/go-version"
+    }
+  ]
+}

.github/workflows/build.yml

@@ -13,24 +13,30 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
-
-      - name: Setup Go
-        uses: actions/setup-go@v2
+      - uses: actions/checkout@v3
         with:
-          go-version: "1.16.3"
+          fetch-depth: 2
 
-      - name: Install dependencies
-        run: |
-          go version
-          go install golang.org/x/lint/golint@latest
-          sudo apt update
-          sudo apt install -y make
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
 
-      - name: Run lint
-        run: make build
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run build
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: nix build
 
       - uses: actions/upload-artifact@v2
+        if: steps.changed-files.outputs.any_changed == 'true'
         with:
           name: headscale-linux
-          path: headscale
+          path: result/bin/headscale

.github/workflows/contributors.yml

@@ -0,0 +1,35 @@
+name: Contributors
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+jobs:
+  add-contributors:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Delete upstream contributor branch
+        # Allow continue on failure to account for when the
+        # upstream branch is deleted or does not exist.
+        continue-on-error: true
+        run: git push origin --delete update-contributors
+      - name: Create up-to-date contributors branch
+        run: git checkout -B update-contributors
+      - name: Push empty contributors branch
+        run: git push origin update-contributors
+      - name: Switch back to main
+        run: git checkout main
+      - uses: BobAnkh/add-contributors@v0.2.2
+        with:
+          CONTRIBUTOR: "## Contributors"
+          COLUMN_PER_ROW: "6"
+          ACCESS_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          IMG_WIDTH: "100"
+          FONT_SIZE: "14"
+          PATH: "/README.md"
+          COMMIT_MESSAGE: "docs(README): update contributors"
+          AVATAR_SHAPE: "round"
+          BRANCH: "update-contributors"
+          PULL_REQUEST: "main"

.github/workflows/gh-actions-updater.yaml

@@ -0,0 +1,23 @@
+name: GitHub Actions Version Updater
+
+# Controls when the action will run.
+on:
+  schedule:
+    # Automatically run on every Sunday
+    - cron: "0 0 * * 0"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          # [Required] Access token with `workflow` scope.
+          token: ${{ secrets.WORKFLOW_SECRET }}
+
+      - name: Run GitHub Actions Version Updater
+        uses: saadmk11/github-actions-version-updater@v0.7.1
+        with:
+          # [Required] Access token with `workflow` scope.
+          token: ${{ secrets.WORKFLOW_SECRET }}

.github/workflows/lint.yml

@@ -1,39 +1,76 @@
-name: CI
+---
+name: Lint
 
 on: [push, pull_request]
 
 jobs:
-  # The "build" workflow
-  lint:
-    # The type of runner that the job will run on
+  golangci-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - name: golangci-lint
+        if: steps.changed-files.outputs.any_changed == 'true'
+        uses: golangci/golangci-lint-action@v2
+        with:
+          version: v1.49.0
+
+          # Only block PRs on new problems.
+          # If this is not enabled, we will end up having PRs
+          # blocked because new linters has appared and other
+          # parts of the code is affected.
+          only-new-issues: true
+
+  prettier-lint:
     runs-on: ubuntu-latest
-
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - uses: actions/checkout@v2
-
-      # Install and run golangci-lint as a separate step, it's much faster this
-      # way because this action has caching. It'll get run again in `make lint`
-      # below, but it's still much faster in the end than installing
-      # golangci-lint manually in the `Run lint` step.
-      - uses: golangci/golangci-lint-action@v2
         with:
-          args: --timeout 5m
+          fetch-depth: 2
 
-      # Setup Go
-      - name: Setup Go
-        uses: actions/setup-go@v2
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v14.1
         with:
-          go-version: "1.16.3" # The Go version to download (if necessary) and use.
+          files: |
+            *.nix
+            **/*.md
+            **/*.yml
+            **/*.yaml
+            **/*.ts
+            **/*.js
+            **/*.sass
+            **/*.css
+            **/*.scss
+            **/*.html
 
-      # Install all the dependencies
-      - name: Install dependencies
-        run: |
-          go version
-          go install golang.org/x/lint/golint@latest
-          sudo apt update
-          sudo apt install -y make
+      - name: Prettify code
+        if: steps.changed-files.outputs.any_changed == 'true'
+        uses: creyD/prettier_action@v4.0
+        with:
+          prettier_options: >-
+            --check **/*.{ts,js,md,yaml,yml,sass,css,scss,html}
+          only_changed: false
+          dry: true
 
-      - name: Run lint
-        run: make lint
+  proto-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: bufbuild/buf-setup-action@v1.7.0
+      - uses: bufbuild/buf-lint-action@v1
+        with:
+          input: "proto"

.github/workflows/release.yml

@@ -1,46 +1,49 @@
 ---
-name: release
+name: Release
 
 on:
   push:
     tags:
-      - "*"  # triggers only if push new tag version
+      - "*" # triggers only if push new tag version
   workflow_dispatch:
 
 jobs:
   goreleaser:
-    runs-on: ubuntu-18.04  # due to CGO we need to user an older version
+    runs-on: ubuntu-latest
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
+      - name: Checkout
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      -
-        name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.16
-      -
-        name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
-        with:
-          distribution: goreleaser
-          version: latest
-          args: release --rm-dist
+
+      - uses: cachix/install-nix-action@v16
+
+      - name: Run goreleaser
+        run: nix develop --command -- goreleaser release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   docker-release:
     runs-on: ubuntu-latest
     steps:
-      -
-        name: Checkout
-        uses: actions/checkout@v2
+      - name: Checkout
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      -
-        name: Docker meta
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Set up QEMU for multiple platforms
+        uses: docker/setup-qemu-action@master
+        with:
+          platforms: arm64,amd64
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+      - name: Docker meta
         id: meta
         uses: docker/metadata-action@v3
         with:
@@ -53,21 +56,19 @@ jobs:
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
             type=sha
-      -
-        name: Login to DockerHub
+            type=raw,value=develop
+      - name: Login to DockerHub
         uses: docker/login-action@v1
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
-      -
-        name: Login to GHCR
+      - name: Login to GHCR
         uses: docker/login-action@v1
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Build and push
+      - name: Build and push
         id: docker_build
         uses: docker/build-push-action@v2
         with:
@@ -75,3 +76,78 @@ jobs:
           context: .
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new
+          build-args: |
+            VERSION=${{ steps.meta.outputs.version }}
+      - name: Prepare cache for next build
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+
+  docker-debug-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+      - name: Set up QEMU for multiple platforms
+        uses: docker/setup-qemu-action@master
+        with:
+          platforms: arm64,amd64
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache-debug
+          key: ${{ runner.os }}-buildx-debug-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-debug-
+      - name: Docker meta
+        id: meta-debug
+        uses: docker/metadata-action@v3
+        with:
+          # list of Docker images to use as base name for tags
+          images: |
+            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
+            ghcr.io/${{ github.repository_owner }}/headscale
+          flavor: |
+            suffix=-debug,onlatest=true
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+            type=raw,value=develop
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GHCR
+        uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v2
+        with:
+          push: true
+          context: .
+          file: Dockerfile.debug
+          tags: ${{ steps.meta-debug.outputs.tags }}
+          labels: ${{ steps.meta-debug.outputs.labels }}
+          platforms: linux/amd64,linux/arm64
+          cache-from: type=local,src=/tmp/.buildx-cache-debug
+          cache-to: type=local,dest=/tmp/.buildx-cache-debug-new
+          build-args: |
+            VERSION=${{ steps.meta-debug.outputs.version }}
+      - name: Prepare cache for next build
+        run: |
+          rm -rf /tmp/.buildx-cache-debug
+          mv /tmp/.buildx-cache-debug-new /tmp/.buildx-cache-debug

.github/workflows/test-integration-cli.yml

@@ -0,0 +1,35 @@
+name: Integration Test CLI
+
+on: [pull_request]
+
+jobs:
+  integration-test-cli:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Set Swap Space
+        uses: pierotofy/set-swap-space@master
+        with:
+          swap-size-gb: 10
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run CLI integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: nix develop --command -- make test_integration_cli

.github/workflows/test-integration-derp.yml

@@ -0,0 +1,35 @@
+name: Integration Test DERP
+
+on: [pull_request]
+
+jobs:
+  integration-test-derp:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Set Swap Space
+        uses: pierotofy/set-swap-space@master
+        with:
+          swap-size-gb: 10
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run Embedded DERP server integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: nix develop --command -- make test_integration_derp

.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestAuthKeyLogoutAndRelogin
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestAuthKeyLogoutAndRelogin$"

.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestAuthWebFlowAuthenticationPingAll
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestAuthWebFlowAuthenticationPingAll$"

.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestAuthWebFlowLogoutAndRelogin
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestAuthWebFlowLogoutAndRelogin$"

.github/workflows/test-integration-v2-TestCreateTailscale.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestCreateTailscale
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestCreateTailscale$"

.github/workflows/test-integration-v2-TestEnablingRoutes.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestEnablingRoutes
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestEnablingRoutes$"

.github/workflows/test-integration-v2-TestHeadscale.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestHeadscale
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestHeadscale$"

.github/workflows/test-integration-v2-TestNamespaceCommand.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestNamespaceCommand
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestNamespaceCommand$"

.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestOIDCAuthenticationPingAll
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestOIDCAuthenticationPingAll$"

.github/workflows/test-integration-v2-TestOIDCExpireNodes.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestOIDCExpireNodes
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestOIDCExpireNodes$"

.github/workflows/test-integration-v2-TestPingAllByHostname.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestPingAllByHostname
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestPingAllByHostname$"

.github/workflows/test-integration-v2-TestPingAllByIP.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestPingAllByIP
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestPingAllByIP$"

.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestPreAuthKeyCommand
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestPreAuthKeyCommand$"

.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestPreAuthKeyCommandReusableEphemeral
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestPreAuthKeyCommandReusableEphemeral$"

.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestPreAuthKeyCommandWithoutExpiry
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestPreAuthKeyCommandWithoutExpiry$"

.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestResolveMagicDNS
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestResolveMagicDNS$"

.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestSSHIsBlockedInACL
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestSSHIsBlockedInACL$"

.github/workflows/test-integration-v2-TestSSHMultipleNamespacesAllToAll.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestSSHMultipleNamespacesAllToAll
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestSSHMultipleNamespacesAllToAll$"

.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestSSHNoSSHConfigured
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestSSHNoSSHConfigured$"

.github/workflows/test-integration-v2-TestSSHOneNamespaceAllToAll.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestSSHOneNamespaceAllToAll
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestSSHOneNamespaceAllToAll$"

.github/workflows/test-integration-v2-TestSSNamespaceOnlyIsolation.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestSSNamespaceOnlyIsolation
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestSSNamespaceOnlyIsolation$"

.github/workflows/test-integration-v2-TestTaildrop.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestTaildrop
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestTaildrop$"

.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml

@@ -0,0 +1,47 @@
+
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestTailscaleNodesJoiningHeadcale
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestTailscaleNodesJoiningHeadcale$"

.github/workflows/test-integration.yml

@@ -1,23 +0,0 @@
-name: CI
-
-on: [pull_request]
-
-jobs:
-  # The "build" workflow
-  integration-test:
-    # The type of runner that the job will run on
-    runs-on: ubuntu-latest
-
-    # Steps represent a sequence of tasks that will be executed as part of the job
-    steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
-
-      # Setup Go
-      - name: Setup Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: "1.16.3"
-
-      - name: Run Integration tests
-        run: go test -tags integration -timeout 30m

.github/workflows/test.yml

@@ -1,33 +1,30 @@
-name: CI
+name: Tests
 
 on: [push, pull_request]
 
 jobs:
-  # The "build" workflow
   test:
-    # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
-    # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
-
-      # Setup Go
-      - name: Setup Go
-        uses: actions/setup-go@v2
+      - uses: actions/checkout@v3
         with:
-          go-version: "1.16.3" # The Go version to download (if necessary) and use.
+          fetch-depth: 2
 
-      # Install all the dependencies
-      - name: Install dependencies
-        run: |
-          go version
-          sudo apt update
-          sudo apt install -y make
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
 
       - name: Run tests
-        run: make test
-
-      - name: Run build
-        run: make
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: nix develop --check

.gitignore

@@ -16,6 +16,9 @@
 
 /headscale
 config.json
+config.yaml
+derp.yaml
+*.hujson
 *.key
 /db.sqlite
 *.sqlite3
@@ -24,3 +27,9 @@ config.json
 .idea
 
 test_output/ 
+
+# Nix build output
+result
+.direnv/
+
+integration_test/etc/config.dump.yaml

.golangci.yaml

@@ -0,0 +1,66 @@
+---
+run:
+  timeout: 10m
+  build-tags:
+    - ts2019
+
+issues:
+  skip-dirs:
+    - gen
+linters:
+  enable-all: true
+  disable:
+    - exhaustivestruct
+    - revive
+    - lll
+    - interfacer
+    - scopelint
+    - maligned
+    - golint
+    - gofmt
+    - gochecknoglobals
+    - gochecknoinits
+    - gocognit
+    - funlen
+    - exhaustivestruct
+    - tagliatelle
+    - godox
+    - ireturn
+    - execinquery
+    - exhaustruct
+    - nolintlint
+
+    # We should strive to enable these:
+    - wrapcheck
+    - dupl
+    - makezero
+    - maintidx
+
+    # Limits the methods of an interface to 10. We have more in integration tests
+    - interfacebloat
+
+    # We might want to enable this, but it might be a lot of work
+    - cyclop
+    - nestif
+    - wsl # might be incompatible with gofumpt
+    - testpackage
+    - paralleltest
+
+linters-settings:
+  varnamelen:
+    ignore-type-assert-ok: true
+    ignore-map-index-ok: true
+    ignore-names:
+      - err
+      - db
+      - id
+      - ip
+      - ok
+      - c
+      - tt
+
+  gocritic:
+    disabled-checks:
+      - appendAssign
+      # TODO(kradalby): Remove this
+      - ifElseChain

.goreleaser.yml

@@ -1,87 +1,89 @@
-# This is an example .goreleaser.yml file with some sane defaults.
-# Make sure to check the documentation at http://goreleaser.com
+---
 before:
   hooks:
-    - go mod tidy
+    - go mod tidy -compat=1.19
+
+release:
+  prerelease: auto
+
 builds:
   - id: darwin-amd64
     main: ./cmd/headscale/headscale.go
-    mod_timestamp: '{{ .CommitTimestamp }}'
+    mod_timestamp: "{{ .CommitTimestamp }}"
+    env:
+      - CGO_ENABLED=0
     goos:
       - darwin
     goarch:
       - amd64
-    env:
-      - PKG_CONFIG_SYSROOT_DIR=/sysroot/macos/amd64
-      - PKG_CONFIG_PATH=/sysroot/macos/amd64/usr/local/lib/pkgconfig
-      - CC=o64-clang
-      - CXX=o64-clang++
     flags:
       - -mod=readonly
     ldflags:
       - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019
 
-  - id: linux-armhf
+  - id: darwin-arm64
     main: ./cmd/headscale/headscale.go
-    mod_timestamp: '{{ .CommitTimestamp }}'
-    goos:
-      - linux
-    goarch:
-      - arm
-    goarm:
-      - 7
+    mod_timestamp: "{{ .CommitTimestamp }}"
     env:
-      - CC=arm-linux-gnueabihf-gcc
-      - CXX=arm-linux-gnueabihf-g++
-      - CGO_FLAGS=--sysroot=/sysroot/linux/armhf
-      - CGO_LDFLAGS=--sysroot=/sysroot/linux/armhf
-      - PKG_CONFIG_SYSROOT_DIR=/sysroot/linux/armhf
-      - PKG_CONFIG_PATH=/sysroot/linux/armhf/opt/vc/lib/pkgconfig:/sysroot/linux/armhf/usr/lib/arm-linux-gnueabihf/pkgconfig:/sysroot/linux/armhf/usr/lib/pkgconfig:/sysroot/linux/armhf/usr/local/lib/pkgconfig
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+    goarch:
+      - arm64
     flags:
       - -mod=readonly
     ldflags:
       - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
-
+    tags:
+      - ts2019
 
   - id: linux-amd64
+    mod_timestamp: "{{ .CommitTimestamp }}"
     env:
-      - CGO_ENABLED=1
+      - CGO_ENABLED=0
     goos:
       - linux
     goarch:
       - amd64
     main: ./cmd/headscale/headscale.go
-    mod_timestamp: '{{ .CommitTimestamp }}'
     ldflags:
       - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019
 
   - id: linux-arm64
+    mod_timestamp: "{{ .CommitTimestamp }}"
+    env:
+      - CGO_ENABLED=0
     goos:
       - linux
     goarch:
       - arm64
     main: ./cmd/headscale/headscale.go
-    mod_timestamp: '{{ .CommitTimestamp }}'
     ldflags:
       - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019
 
 archives:
   - id: golang-cross
     builds:
       - darwin-amd64
-      - linux-armhf
+      - darwin-arm64
       - linux-amd64
       - linux-arm64
     name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
     format: binary
 
 checksum:
-  name_template: 'checksums.txt'
+  name_template: "checksums.txt"
 snapshot:
   name_template: "{{ .Tag }}-next"
 changelog:
   sort: asc
   filters:
     exclude:
-      - '^docs:'
-      - '^test:'
+      - "^docs:"
+      - "^test:"

.prettierignore

@@ -0,0 +1 @@
+.github/workflows/test-integration-v2*

CHANGELOG.md

@@ -0,0 +1,273 @@
+# CHANGELOG
+
+## 0.19.0 (2022-11-26)
+
+### BREAKING
+
+- Rename Namespace to User [#1144](https://github.com/juanfont/headscale/pull/1144)
+  - **BACKUP your database before upgrading**
+- Command line flags previously taking `--namespace` or `-n` will now require `--user` or `-u`
+
+## 0.18.0 (2022-01-14)
+
+### Changes
+
+- Reworked routing and added support for subnet router failover [#1024](https://github.com/juanfont/headscale/pull/1024)
+- Added an OIDC AllowGroups Configuration options and authorization check [#1041](https://github.com/juanfont/headscale/pull/1041)
+- Set `db_ssl` to false by default [#1052](https://github.com/juanfont/headscale/pull/1052)
+- Fix duplicate nodes due to incorrect implementation of the protocol [#1058](https://github.com/juanfont/headscale/pull/1058)
+- Report if a machine is online in CLI more accurately [#1062](https://github.com/juanfont/headscale/pull/1062)
+- Added config option for custom DNS records [#1035](https://github.com/juanfont/headscale/pull/1035)
+- Expire nodes based on OIDC token expiry [#1067](https://github.com/juanfont/headscale/pull/1067)
+- Remove ephemeral nodes on logout [#1098](https://github.com/juanfont/headscale/pull/1098)
+- Performance improvements in ACLs [#1129](https://github.com/juanfont/headscale/pull/1129)
+- OIDC client secret can be passed via a file [#1127](https://github.com/juanfont/headscale/pull/1127)
+
+## 0.17.1 (2022-12-05)
+
+### Changes
+
+- Correct typo on macOS standalone profile link [#1028](https://github.com/juanfont/headscale/pull/1028)
+- Update platform docs with Fast User Switching [#1016](https://github.com/juanfont/headscale/pull/1016)
+
+## 0.17.0 (2022-11-26)
+
+### BREAKING
+
+- `noise.private_key_path` has been added and is required for the new noise protocol.
+- Log level option `log_level` was moved to a distinct `log` config section and renamed to `level` [#768](https://github.com/juanfont/headscale/pull/768)
+- Removed Alpine Linux container image [#962](https://github.com/juanfont/headscale/pull/962)
+
+### Important Changes
+
+- Added support for Tailscale TS2021 protocol [#738](https://github.com/juanfont/headscale/pull/738)
+- Add experimental support for [SSH ACL](https://tailscale.com/kb/1018/acls/#tailscale-ssh) (see docs for limitations) [#847](https://github.com/juanfont/headscale/pull/847)
+  - Please note that this support should be considered _partially_ implemented
+  - SSH ACLs status:
+    - Support `accept` and `check` (SSH can be enabled and used for connecting and authentication)
+    - Rejecting connections **are not supported**, meaning that if you enable SSH, then assume that _all_ `ssh` connections **will be allowed**.
+    - If you decied to try this feature, please carefully managed permissions by blocking port `22` with regular ACLs or do _not_ set `--ssh` on your clients.
+    - We are currently improving our testing of the SSH ACLs, help us get an overview by testing and giving feedback.
+  - This feature should be considered dangerous and it is disabled by default. Enable by setting `HEADSCALE_EXPERIMENTAL_FEATURE_SSH=1`.
+
+### Changes
+
+- Add ability to specify config location via env var `HEADSCALE_CONFIG` [#674](https://github.com/juanfont/headscale/issues/674)
+- Target Go 1.19 for Headscale [#778](https://github.com/juanfont/headscale/pull/778)
+- Target Tailscale v1.30.0 to build Headscale [#780](https://github.com/juanfont/headscale/pull/780)
+- Give a warning when running Headscale with reverse proxy improperly configured for WebSockets [#788](https://github.com/juanfont/headscale/pull/788)
+- Fix subnet routers with Primary Routes [#811](https://github.com/juanfont/headscale/pull/811)
+- Added support for JSON logs [#653](https://github.com/juanfont/headscale/issues/653)
+- Sanitise the node key passed to registration url [#823](https://github.com/juanfont/headscale/pull/823)
+- Add support for generating pre-auth keys with tags [#767](https://github.com/juanfont/headscale/pull/767)
+- Add support for evaluating `autoApprovers` ACL entries when a machine is registered [#763](https://github.com/juanfont/headscale/pull/763)
+- Add config flag to allow Headscale to start if OIDC provider is down [#829](https://github.com/juanfont/headscale/pull/829)
+- Fix prefix length comparison bug in AutoApprovers route evaluation [#862](https://github.com/juanfont/headscale/pull/862)
+- Random node DNS suffix only applied if names collide in namespace. [#766](https://github.com/juanfont/headscale/issues/766)
+- Remove `ip_prefix` configuration option and warning [#899](https://github.com/juanfont/headscale/pull/899)
+- Add `dns_config.override_local_dns` option [#905](https://github.com/juanfont/headscale/pull/905)
+- Fix some DNS config issues [#660](https://github.com/juanfont/headscale/issues/660)
+- Make it possible to disable TS2019 with build flag [#928](https://github.com/juanfont/headscale/pull/928)
+- Fix OIDC registration issues [#960](https://github.com/juanfont/headscale/pull/960) and [#971](https://github.com/juanfont/headscale/pull/971)
+- Add support for specifying NextDNS DNS-over-HTTPS resolver [#940](https://github.com/juanfont/headscale/pull/940)
+- Make more sslmode available for postgresql connection [#927](https://github.com/juanfont/headscale/pull/927)
+
+## 0.16.4 (2022-08-21)
+
+### Changes
+
+- Add ability to connect to PostgreSQL over TLS/SSL [#745](https://github.com/juanfont/headscale/pull/745)
+- Fix CLI registration of expired machines [#754](https://github.com/juanfont/headscale/pull/754)
+
+## 0.16.3 (2022-08-17)
+
+### Changes
+
+- Fix issue with OIDC authentication [#747](https://github.com/juanfont/headscale/pull/747)
+
+## 0.16.2 (2022-08-14)
+
+### Changes
+
+- Fixed bugs in the client registration process after migration to NodeKey [#735](https://github.com/juanfont/headscale/pull/735)
+
+## 0.16.1 (2022-08-12)
+
+### Changes
+
+- Updated dependencies (including the library that lacked armhf support) [#722](https://github.com/juanfont/headscale/pull/722)
+- Fix missing group expansion in function `excludeCorretlyTaggedNodes` [#563](https://github.com/juanfont/headscale/issues/563)
+- Improve registration protocol implementation and switch to NodeKey as main identifier [#725](https://github.com/juanfont/headscale/pull/725)
+- Add ability to connect to PostgreSQL via unix socket [#734](https://github.com/juanfont/headscale/pull/734)
+
+## 0.16.0 (2022-07-25)
+
+**Note:** Take a backup of your database before upgrading.
+
+### BREAKING
+
+- Old ACL syntax is no longer supported ("users" & "ports" -> "src" & "dst"). Please check [the new syntax](https://tailscale.com/kb/1018/acls/).
+
+### Changes
+
+- **Drop** armhf (32-bit ARM) support. [#609](https://github.com/juanfont/headscale/pull/609)
+- Headscale fails to serve if the ACL policy file cannot be parsed [#537](https://github.com/juanfont/headscale/pull/537)
+- Fix labels cardinality error when registering unknown pre-auth key [#519](https://github.com/juanfont/headscale/pull/519)
+- Fix send on closed channel crash in polling [#542](https://github.com/juanfont/headscale/pull/542)
+- Fixed spurious calls to setLastStateChangeToNow from ephemeral nodes [#566](https://github.com/juanfont/headscale/pull/566)
+- Add command for moving nodes between namespaces [#362](https://github.com/juanfont/headscale/issues/362)
+- Added more configuration parameters for OpenID Connect (scopes, free-form paramters, domain and user allowlist)
+- Add command to set tags on a node [#525](https://github.com/juanfont/headscale/issues/525)
+- Add command to view tags of nodes [#356](https://github.com/juanfont/headscale/issues/356)
+- Add --all (-a) flag to enable routes command [#360](https://github.com/juanfont/headscale/issues/360)
+- Fix issue where nodes was not updated across namespaces [#560](https://github.com/juanfont/headscale/pull/560)
+- Add the ability to rename a nodes name [#560](https://github.com/juanfont/headscale/pull/560)
+  - Node DNS names are now unique, a random suffix will be added when a node joins
+  - This change contains database changes, remember to **backup** your database before upgrading
+- Add option to enable/disable logtail (Tailscale's logging infrastructure) [#596](https://github.com/juanfont/headscale/pull/596)
+  - This change disables the logs by default
+- Use [Prometheus]'s duration parser, supporting days (`d`), weeks (`w`) and years (`y`) [#598](https://github.com/juanfont/headscale/pull/598)
+- Add support for reloading ACLs with SIGHUP [#601](https://github.com/juanfont/headscale/pull/601)
+- Use new ACL syntax [#618](https://github.com/juanfont/headscale/pull/618)
+- Add -c option to specify config file from command line [#285](https://github.com/juanfont/headscale/issues/285) [#612](https://github.com/juanfont/headscale/pull/601)
+- Add configuration option to allow Tailscale clients to use a random WireGuard port. [kb/1181/firewalls](https://tailscale.com/kb/1181/firewalls) [#624](https://github.com/juanfont/headscale/pull/624)
+- Improve obtuse UX regarding missing configuration (`ephemeral_node_inactivity_timeout` not set) [#639](https://github.com/juanfont/headscale/pull/639)
+- Fix nodes being shown as 'offline' in `tailscale status` [#648](https://github.com/juanfont/headscale/pull/648)
+- Improve shutdown behaviour [#651](https://github.com/juanfont/headscale/pull/651)
+- Drop Gin as web framework in Headscale [648](https://github.com/juanfont/headscale/pull/648) [677](https://github.com/juanfont/headscale/pull/677)
+- Make tailnet node updates check interval configurable [#675](https://github.com/juanfont/headscale/pull/675)
+- Fix regression with HTTP API [#684](https://github.com/juanfont/headscale/pull/684)
+- nodes ls now print both Hostname and Name(Issue [#647](https://github.com/juanfont/headscale/issues/647) PR [#687](https://github.com/juanfont/headscale/pull/687))
+
+## 0.15.0 (2022-03-20)
+
+**Note:** Take a backup of your database before upgrading.
+
+### BREAKING
+
+- Boundaries between Namespaces has been removed and all nodes can communicate by default [#357](https://github.com/juanfont/headscale/pull/357)
+  - To limit access between nodes, use [ACLs](./docs/acls.md).
+- `/metrics` is now a configurable host:port endpoint: [#344](https://github.com/juanfont/headscale/pull/344). You must update your `config.yaml` file to include:
+  ```yaml
+  metrics_listen_addr: 127.0.0.1:9090
+  ```
+
+### Features
+
+- Add support for writing ACL files with YAML [#359](https://github.com/juanfont/headscale/pull/359)
+- Users can now use emails in ACL's groups [#372](https://github.com/juanfont/headscale/issues/372)
+- Add shorthand aliases for commands and subcommands [#376](https://github.com/juanfont/headscale/pull/376)
+- Add `/windows` endpoint for Windows configuration instructions + registry file download [#392](https://github.com/juanfont/headscale/pull/392)
+- Added embedded DERP (and STUN) server into Headscale [#388](https://github.com/juanfont/headscale/pull/388)
+
+### Changes
+
+- Fix a bug were the same IP could be assigned to multiple hosts if joined in quick succession [#346](https://github.com/juanfont/headscale/pull/346)
+- Simplify the code behind registration of machines [#366](https://github.com/juanfont/headscale/pull/366)
+  - Nodes are now only written to database if they are registrated successfully
+- Fix a limitation in the ACLs that prevented users to write rules with `*` as source [#374](https://github.com/juanfont/headscale/issues/374)
+- Reduce the overhead of marshal/unmarshal for Hostinfo, routes and endpoints by using specific types in Machine [#371](https://github.com/juanfont/headscale/pull/371)
+- Apply normalization function to FQDN on hostnames when hosts registers and retrieve informations [#363](https://github.com/juanfont/headscale/issues/363)
+- Fix a bug that prevented the use of `tailscale logout` with OIDC [#508](https://github.com/juanfont/headscale/issues/508)
+- Added Tailscale repo HEAD and unstable releases channel to the integration tests targets [#513](https://github.com/juanfont/headscale/pull/513)
+
+## 0.14.0 (2022-02-24)
+
+**UPCOMING ### BREAKING
+From the **next\*\* version (`0.15.0`), all machines will be able to communicate regardless of
+if they are in the same namespace. This means that the behaviour currently limited to ACLs
+will become default. From version `0.15.0`, all limitation of communications must be done
+with ACLs.
+
+This is a part of aligning `headscale`'s behaviour with Tailscale's upstream behaviour.
+
+### BREAKING
+
+- ACLs have been rewritten to align with the bevaviour Tailscale Control Panel provides. **NOTE:** This is only active if you use ACLs
+  - Namespaces are now treated as Users
+  - All machines can communicate with all machines by default
+  - Tags should now work correctly and adding a host to Headscale should now reload the rules.
+  - The documentation have a [fictional example](docs/acls.md) that should cover some use cases of the ACLs features
+
+### Features
+
+- Add support for configurable mTLS [docs](docs/tls.md#configuring-mutual-tls-authentication-mtls) [#297](https://github.com/juanfont/headscale/pull/297)
+
+### Changes
+
+- Remove dependency on CGO (switch from CGO SQLite to pure Go) [#346](https://github.com/juanfont/headscale/pull/346)
+
+**0.13.0 (2022-02-18):**
+
+### Features
+
+- Add IPv6 support to the prefix assigned to namespaces
+- Add API Key support
+  - Enable remote control of `headscale` via CLI [docs](docs/remote-cli.md)
+  - Enable HTTP API (beta, subject to change)
+- OpenID Connect users will be mapped per namespaces
+  - Each user will get its own namespace, created if it does not exist
+  - `oidc.domain_map` option has been removed
+  - `strip_email_domain` option has been added (see [config-example.yaml](./config-example.yaml))
+
+### Changes
+
+- `ip_prefix` is now superseded by `ip_prefixes` in the configuration [#208](https://github.com/juanfont/headscale/pull/208)
+- Upgrade `tailscale` (1.20.4) and other dependencies to latest [#314](https://github.com/juanfont/headscale/pull/314)
+- fix swapped machine<->namespace labels in `/metrics` [#312](https://github.com/juanfont/headscale/pull/312)
+- remove key-value based update mechanism for namespace changes [#316](https://github.com/juanfont/headscale/pull/316)
+
+**0.12.4 (2022-01-29):**
+
+### Changes
+
+- Make gRPC Unix Socket permissions configurable [#292](https://github.com/juanfont/headscale/pull/292)
+- Trim whitespace before reading Private Key from file [#289](https://github.com/juanfont/headscale/pull/289)
+- Add new command to generate a private key for `headscale` [#290](https://github.com/juanfont/headscale/pull/290)
+- Fixed issue where hosts deleted from control server may be written back to the database, as long as they are connected to the control server [#278](https://github.com/juanfont/headscale/pull/278)
+
+## 0.12.3 (2022-01-13)
+
+### Changes
+
+- Added Alpine container [#270](https://github.com/juanfont/headscale/pull/270)
+- Minor updates in dependencies [#271](https://github.com/juanfont/headscale/pull/271)
+
+## 0.12.2 (2022-01-11)
+
+Happy New Year!
+
+### Changes
+
+- Fix Docker release [#258](https://github.com/juanfont/headscale/pull/258)
+- Rewrite main docs [#262](https://github.com/juanfont/headscale/pull/262)
+- Improve Docker docs [#263](https://github.com/juanfont/headscale/pull/263)
+
+## 0.12.1 (2021-12-24)
+
+(We are skipping 0.12.0 to correct a mishap done weeks ago with the version tagging)
+
+### BREAKING
+
+- Upgrade to Tailscale 1.18 [#229](https://github.com/juanfont/headscale/pull/229)
+  - This change requires a new format for private key, private keys are now generated automatically:
+    1. Delete your current key
+    2. Restart `headscale`, a new key will be generated.
+    3. Restart all Tailscale clients to fetch the new key
+
+### Changes
+
+- Unify configuration example [#197](https://github.com/juanfont/headscale/pull/197)
+- Add stricter linting and formatting [#223](https://github.com/juanfont/headscale/pull/223)
+
+### Features
+
+- Add gRPC and HTTP API (HTTP API is currently disabled) [#204](https://github.com/juanfont/headscale/pull/204)
+- Use gRPC between the CLI and the server [#206](https://github.com/juanfont/headscale/pull/206), [#212](https://github.com/juanfont/headscale/pull/212)
+- Beta OpenID Connect support [#126](https://github.com/juanfont/headscale/pull/126), [#227](https://github.com/juanfont/headscale/pull/227)
+
+## 0.11.0 (2021-10-25)
+
+### BREAKING
+
+- Make headscale fetch DERP map from URL and file [#196](https://github.com/juanfont/headscale/pull/196)

CODE_OF_CONDUCT.md

@@ -0,0 +1,134 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation
+in our community a harassment-free experience for everyone, regardless
+of age, body size, visible or invisible disability, ethnicity, sex
+characteristics, gender identity and expression, level of experience,
+education, socio-economic status, nationality, personal appearance,
+race, religion, or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open,
+welcoming, diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for
+our community include:
+
+- Demonstrating empathy and kindness toward other people
+- Being respectful of differing opinions, viewpoints, and experiences
+- Giving and gracefully accepting constructive feedback
+- Accepting responsibility and apologizing to those affected by our
+  mistakes, and learning from the experience
+- Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+- The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+- Trolling, insulting or derogatory comments, and personal or
+  political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in
+  a professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our
+standards of acceptable behavior and will take appropriate and fair
+corrective action in response to any behavior that they deem
+inappropriate, threatening, offensive, or harmful.
+
+Community leaders have the right and responsibility to remove, edit,
+or reject comments, commits, code, wiki edits, issues, and other
+contributions that are not aligned to this Code of Conduct, and will
+communicate reasons for moderation decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also
+applies when an individual is officially representing the community in
+public spaces. Examples of representing our community include using an
+official e-mail address, posting via an official social media account,
+or acting as an appointed representative at an online or offline
+event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior
+may be reported to the community leaders responsible for enforcement
+at our Discord channel. All complaints
+will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and
+security of the reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in
+determining the consequences for any action they deem in violation of
+this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior
+deemed unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders,
+providing clarity around the nature of the violation and an
+explanation of why the behavior was inappropriate. A public apology
+may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued
+behavior. No interaction with the people involved, including
+unsolicited interaction with those enforcing the Code of Conduct, for
+a specified period of time. This includes avoiding interactions in
+community spaces as well as external channels like social
+media. Violating these terms may lead to a temporary or permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards,
+including sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or
+public communication with the community for a specified period of
+time. No public or private interaction with the people involved,
+including unsolicited interaction with those enforcing the Code of
+Conduct, is allowed during this period. Violating these terms may lead
+to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of
+community standards, including sustained inappropriate behavior,
+harassment of an individual, or aggression toward or disparagement of
+classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction
+within the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor
+Covenant][homepage], version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of
+conduct enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the
+FAQ at https://www.contributor-covenant.org/faq. Translations are
+available at https://www.contributor-covenant.org/translations.

Dockerfile

@@ -1,18 +1,22 @@
-FROM golang:1.17.1-bullseye AS build
+# Builder image
+FROM docker.io/golang:1.19-bullseye AS build
+ARG VERSION=dev
 ENV GOPATH /go
+WORKDIR /go/src/headscale
 
 COPY go.mod go.sum /go/src/headscale/
-WORKDIR /go/src/headscale
 RUN go mod download
 
-COPY . /go/src/headscale
+COPY . .
 
-RUN go install -a -ldflags="-extldflags=-static" -tags netgo,sqlite_omit_load_extension ./cmd/headscale
+RUN CGO_ENABLED=0 GOOS=linux go install -tags ts2019 -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
+RUN strip /go/bin/headscale
 RUN test -e /go/bin/headscale
 
-FROM ubuntu:20.04
+# Production image
+FROM gcr.io/distroless/base-debian11
 
-COPY --from=build /go/bin/headscale /usr/local/bin/headscale
+COPY --from=build /go/bin/headscale /bin/headscale
 ENV TZ UTC
 
 EXPOSE 8080/tcp

Dockerfile.debug

@@ -0,0 +1,24 @@
+# Builder image
+FROM docker.io/golang:1.19-bullseye AS build
+ARG VERSION=dev
+ENV GOPATH /go
+WORKDIR /go/src/headscale
+
+COPY go.mod go.sum /go/src/headscale/
+RUN go mod download
+
+COPY . .
+
+RUN CGO_ENABLED=0 GOOS=linux go install -tags ts2019 -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
+RUN test -e /go/bin/headscale
+
+# Debug image
+FROM docker.io/golang:1.19.0-bullseye
+
+COPY --from=build /go/bin/headscale /bin/headscale
+ENV TZ UTC
+
+# Need to reset the entrypoint or everything will run as a busybox script
+ENTRYPOINT []
+EXPOSE 8080/tcp
+CMD ["headscale"]

Dockerfile.tailscale

@@ -1,11 +1,19 @@
 FROM ubuntu:latest
 
-ARG TAILSCALE_VERSION
+ARG TAILSCALE_VERSION=*
+ARG TAILSCALE_CHANNEL=stable
 
 RUN apt-get update \
-    && apt-get install -y gnupg curl \
-    && curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.gpg | apt-key add - \
-    && curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.list | tee /etc/apt/sources.list.d/tailscale.list \
+    && apt-get install -y gnupg curl ssh \
+    && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.gpg | apt-key add - \
+    && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.list | tee /etc/apt/sources.list.d/tailscale.list \
     && apt-get update \
-    && apt-get install -y tailscale=${TAILSCALE_VERSION} \
+    && apt-get install -y ca-certificates tailscale=${TAILSCALE_VERSION} dnsutils \
     && rm -rf /var/lib/apt/lists/*
+
+RUN adduser --shell=/bin/bash ssh-it-user
+
+ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
+RUN chmod 644 /usr/local/share/ca-certificates/server.crt
+
+RUN update-ca-certificates

Dockerfile.tailscale-HEAD

@@ -0,0 +1,24 @@
+FROM golang:latest
+
+RUN apt-get update \
+    && apt-get install -y ca-certificates dnsutils git iptables ssh \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN useradd --shell=/bin/bash --create-home ssh-it-user
+
+RUN git clone https://github.com/tailscale/tailscale.git
+
+WORKDIR /go/tailscale
+
+RUN git checkout main
+
+RUN sh build_dist.sh tailscale.com/cmd/tailscale
+RUN sh build_dist.sh tailscale.com/cmd/tailscaled
+
+RUN cp tailscale /usr/local/bin/
+RUN cp tailscaled /usr/local/bin/
+
+ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
+RUN chmod 644 /usr/local/share/ca-certificates/server.crt
+
+RUN update-ca-certificates

Makefile

@@ -1,16 +1,62 @@
 # Calculate version
-version = $(shell ./scripts/version-at-commit.sh)
+version ?= $(shell git describe --always --tags --dirty)
+
+rwildcard=$(foreach d,$(wildcard $1*),$(call rwildcard,$d/,$2) $(filter $(subst *,%,$2),$d))
+
+# Determine if OS supports pie
+GOOS ?= $(shell uname | tr '[:upper:]' '[:lower:]')
+ifeq ($(filter $(GOOS), openbsd netbsd soloaris plan9), )
+	pieflags = -buildmode=pie
+else
+endif
+
+TAGS = -tags ts2019
+
+# GO_SOURCES = $(wildcard *.go)
+# PROTO_SOURCES = $(wildcard **/*.proto)
+GO_SOURCES = $(call rwildcard,,*.go)
+PROTO_SOURCES = $(call rwildcard,,*.proto)
+
 
 build:
-	go build -ldflags "-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$(version)" cmd/headscale/headscale.go
+	nix build
 
 dev: lint test build
 
 test:
-	@go test -coverprofile=coverage.out ./...
+	@go test $(TAGS) -short -coverprofile=coverage.out ./...
 
-test_integration:
-	go test -tags integration -timeout 30m ./...
+test_integration: test_integration_cli test_integration_derp test_integration_v2_general
+
+test_integration_cli:
+	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
+	docker network create headscale-test || true
+	docker run -t --rm \
+		--network headscale-test \
+		-v ~/.cache/hs-integration-go:/go \
+		-v $$PWD:$$PWD -w $$PWD \
+		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
+		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationCLI ./...
+
+test_integration_derp:
+	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
+	docker network create headscale-test || true
+	docker run -t --rm \
+		--network headscale-test \
+		-v ~/.cache/hs-integration-go:/go \
+		-v $$PWD:$$PWD -w $$PWD \
+		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
+		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationDERP ./...
+
+test_integration_v2_general:
+	docker run \
+		-t --rm \
+		-v ~/.cache/hs-integration-go:/go \
+		--name headscale-test-suite \
+		-v $$PWD:$$PWD -w $$PWD/integration \
+		-v /var/run/docker.sock:/var/run/docker.sock \
+		golang:1 \
+		go test $(TAGS) -failfast ./... -timeout 120m -parallel 8
 
 coverprofile_func:
 	go tool cover -func=coverage.out
@@ -19,9 +65,26 @@ coverprofile_html:
 	go tool cover -html=coverage.out
 
 lint:
-	golint
-	golangci-lint run --timeout 5m
+	golangci-lint run --fix --timeout 10m
+
+fmt:
+	prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
+	golines --max-len=88 --base-formatter=gofumpt -w $(GO_SOURCES)
+	clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i $(PROTO_SOURCES)
+
+proto-lint:
+	cd proto/ && go run github.com/bufbuild/buf/cmd/buf lint
 
 compress: build
 	upx --brute headscale
 
+generate:
+	rm -rf gen
+	go run github.com/bufbuild/buf/cmd/buf generate proto
+
+install-protobuf-plugins:
+	go install \
+		github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway \
+		github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2 \
+		google.golang.org/protobuf/cmd/protoc-gen-go \
+		google.golang.org/grpc/cmd/protoc-gen-go-grpc

acls.go

@@ -2,29 +2,69 @@ package headscale
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
+	"net/netip"
 	"os"
+	"path/filepath"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/rs/zerolog/log"
-
 	"github.com/tailscale/hujson"
-	"inet.af/netaddr"
+	"gopkg.in/yaml.v3"
+	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 )
 
-const errorEmptyPolicy = Error("empty policy")
-const errorInvalidAction = Error("invalid action")
-const errorInvalidUserSection = Error("invalid user section")
-const errorInvalidGroup = Error("invalid group")
-const errorInvalidTag = Error("invalid tag")
-const errorInvalidNamespace = Error("invalid namespace")
-const errorInvalidPortFormat = Error("invalid port format")
+const (
+	errEmptyPolicy       = Error("empty policy")
+	errInvalidAction     = Error("invalid action")
+	errInvalidGroup      = Error("invalid group")
+	errInvalidTag        = Error("invalid tag")
+	errInvalidPortFormat = Error("invalid port format")
+	errWildcardIsNeeded  = Error("wildcard as port is required for the protocol")
+)
 
-// LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules
+const (
+	Base8              = 8
+	Base10             = 10
+	BitSize16          = 16
+	BitSize32          = 32
+	BitSize64          = 64
+	portRangeBegin     = 0
+	portRangeEnd       = 65535
+	expectedTokenItems = 2
+)
+
+// For some reason golang.org/x/net/internal/iana is an internal package.
+const (
+	protocolICMP     = 1   // Internet Control Message
+	protocolIGMP     = 2   // Internet Group Management
+	protocolIPv4     = 4   // IPv4 encapsulation
+	protocolTCP      = 6   // Transmission Control
+	protocolEGP      = 8   // Exterior Gateway Protocol
+	protocolIGP      = 9   // any private interior gateway (used by Cisco for their IGRP)
+	protocolUDP      = 17  // User Datagram
+	protocolGRE      = 47  // Generic Routing Encapsulation
+	protocolESP      = 50  // Encap Security Payload
+	protocolAH       = 51  // Authentication Header
+	protocolIPv6ICMP = 58  // ICMP for IPv6
+	protocolSCTP     = 132 // Stream Control Transmission Protocol
+	ProtocolFC       = 133 // Fibre Channel
+)
+
+var featureEnableSSH = envknob.RegisterBool("HEADSCALE_EXPERIMENTAL_FEATURE_SSH")
+
+// LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules.
 func (h *Headscale) LoadACLPolicy(path string) error {
+	log.Debug().
+		Str("func", "LoadACLPolicy").
+		Str("path", path).
+		Msg("Loading ACL policy from path")
+
 	policyFile, err := os.Open(path)
 	if err != nil {
 		return err
@@ -32,77 +72,264 @@ func (h *Headscale) LoadACLPolicy(path string) error {
 	defer policyFile.Close()
 
 	var policy ACLPolicy
-	b, err := io.ReadAll(policyFile)
+	policyBytes, err := io.ReadAll(policyFile)
 	if err != nil {
 		return err
 	}
-	err = hujson.Unmarshal(b, &policy)
-	if err != nil {
-		return err
+
+	switch filepath.Ext(path) {
+	case ".yml", ".yaml":
+		log.Debug().
+			Str("path", path).
+			Bytes("file", policyBytes).
+			Msg("Loading ACLs from YAML")
+
+		err := yaml.Unmarshal(policyBytes, &policy)
+		if err != nil {
+			return err
+		}
+
+		log.Trace().
+			Interface("policy", policy).
+			Msg("Loaded policy from YAML")
+
+	default:
+		ast, err := hujson.Parse(policyBytes)
+		if err != nil {
+			return err
+		}
+
+		ast.Standardize()
+		policyBytes = ast.Pack()
+		err = json.Unmarshal(policyBytes, &policy)
+		if err != nil {
+			return err
+		}
 	}
+
 	if policy.IsZero() {
-		return errorEmptyPolicy
+		return errEmptyPolicy
 	}
 
 	h.aclPolicy = &policy
-	rules, err := h.generateACLRules()
+
+	return h.UpdateACLRules()
+}
+
+func (h *Headscale) UpdateACLRules() error {
+	machines, err := h.ListMachines()
 	if err != nil {
 		return err
 	}
+
+	if h.aclPolicy == nil {
+		return errEmptyPolicy
+	}
+
+	rules, err := generateACLRules(machines, *h.aclPolicy, h.cfg.OIDC.StripEmaildomain)
+	if err != nil {
+		return err
+	}
+	log.Trace().Interface("ACL", rules).Msg("ACL rules generated")
 	h.aclRules = rules
+
+	if featureEnableSSH() {
+		sshRules, err := h.generateSSHRules()
+		if err != nil {
+			return err
+		}
+		log.Trace().Interface("SSH", sshRules).Msg("SSH rules generated")
+		if h.sshPolicy == nil {
+			h.sshPolicy = &tailcfg.SSHPolicy{}
+		}
+		h.sshPolicy.Rules = sshRules
+	} else if h.aclPolicy != nil && len(h.aclPolicy.SSHs) > 0 {
+		log.Info().Msg("SSH ACLs has been defined, but HEADSCALE_EXPERIMENTAL_FEATURE_SSH is not enabled, this is a unstable feature, check docs before activating")
+	}
+
 	return nil
 }
 
-func (h *Headscale) generateACLRules() (*[]tailcfg.FilterRule, error) {
+func generateACLRules(machines []Machine, aclPolicy ACLPolicy, stripEmaildomain bool) ([]tailcfg.FilterRule, error) {
 	rules := []tailcfg.FilterRule{}
 
-	for i, a := range h.aclPolicy.ACLs {
-		if a.Action != "accept" {
-			return nil, errorInvalidAction
+	for index, acl := range aclPolicy.ACLs {
+		if acl.Action != "accept" {
+			return nil, errInvalidAction
 		}
 
-		r := tailcfg.FilterRule{}
-
 		srcIPs := []string{}
-		for j, u := range a.Users {
-			srcs, err := h.generateACLPolicySrcIP(u)
+		for innerIndex, src := range acl.Sources {
+			srcs, err := generateACLPolicySrcIP(machines, aclPolicy, src, stripEmaildomain)
 			if err != nil {
 				log.Error().
-					Msgf("Error parsing ACL %d, User %d", i, j)
+					Msgf("Error parsing ACL %d, Source %d", index, innerIndex)
+
 				return nil, err
 			}
-			srcIPs = append(srcIPs, *srcs...)
+			srcIPs = append(srcIPs, srcs...)
+		}
+
+		protocols, needsWildcard, err := parseProtocol(acl.Protocol)
+		if err != nil {
+			log.Error().
+				Msgf("Error parsing ACL %d. protocol unknown %s", index, acl.Protocol)
+
+			return nil, err
 		}
-		r.SrcIPs = srcIPs
 
 		destPorts := []tailcfg.NetPortRange{}
-		for j, d := range a.Ports {
-			dests, err := h.generateACLPolicyDestPorts(d)
+		for innerIndex, dest := range acl.Destinations {
+			dests, err := generateACLPolicyDest(
+				machines,
+				aclPolicy,
+				dest,
+				needsWildcard,
+				stripEmaildomain,
+			)
 			if err != nil {
 				log.Error().
-					Msgf("Error parsing ACL %d, Port %d", i, j)
+					Msgf("Error parsing ACL %d, Destination %d", index, innerIndex)
+
 				return nil, err
 			}
-			destPorts = append(destPorts, *dests...)
+			destPorts = append(destPorts, dests...)
 		}
 
 		rules = append(rules, tailcfg.FilterRule{
 			SrcIPs:   srcIPs,
 			DstPorts: destPorts,
+			IPProto:  protocols,
 		})
 	}
 
-	return &rules, nil
+	return rules, nil
 }
 
-func (h *Headscale) generateACLPolicySrcIP(u string) (*[]string, error) {
-	return h.expandAlias(u)
+func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
+	rules := []*tailcfg.SSHRule{}
+
+	if h.aclPolicy == nil {
+		return nil, errEmptyPolicy
+	}
+
+	machines, err := h.ListMachines()
+	if err != nil {
+		return nil, err
+	}
+
+	acceptAction := tailcfg.SSHAction{
+		Message:                  "",
+		Reject:                   false,
+		Accept:                   true,
+		SessionDuration:          0,
+		AllowAgentForwarding:     false,
+		HoldAndDelegate:          "",
+		AllowLocalPortForwarding: true,
+	}
+
+	rejectAction := tailcfg.SSHAction{
+		Message:                  "",
+		Reject:                   true,
+		Accept:                   false,
+		SessionDuration:          0,
+		AllowAgentForwarding:     false,
+		HoldAndDelegate:          "",
+		AllowLocalPortForwarding: false,
+	}
+
+	for index, sshACL := range h.aclPolicy.SSHs {
+		action := rejectAction
+		switch sshACL.Action {
+		case "accept":
+			action = acceptAction
+		case "check":
+			checkAction, err := sshCheckAction(sshACL.CheckPeriod)
+			if err != nil {
+				log.Error().
+					Msgf("Error parsing SSH %d, check action with unparsable duration '%s'", index, sshACL.CheckPeriod)
+			} else {
+				action = *checkAction
+			}
+		default:
+			log.Error().
+				Msgf("Error parsing SSH %d, unknown action '%s'", index, sshACL.Action)
+
+			return nil, err
+		}
+
+		principals := make([]*tailcfg.SSHPrincipal, 0, len(sshACL.Sources))
+		for innerIndex, rawSrc := range sshACL.Sources {
+			expandedSrcs, err := expandAlias(
+				machines,
+				*h.aclPolicy,
+				rawSrc,
+				h.cfg.OIDC.StripEmaildomain,
+			)
+			if err != nil {
+				log.Error().
+					Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
+
+				return nil, err
+			}
+			for _, expandedSrc := range expandedSrcs {
+				principals = append(principals, &tailcfg.SSHPrincipal{
+					NodeIP: expandedSrc,
+				})
+			}
+		}
+
+		userMap := make(map[string]string, len(sshACL.Users))
+		for _, user := range sshACL.Users {
+			userMap[user] = "="
+		}
+		rules = append(rules, &tailcfg.SSHRule{
+			RuleExpires: nil,
+			Principals:  principals,
+			SSHUsers:    userMap,
+			Action:      &action,
+		})
+	}
+
+	return rules, nil
 }
 
-func (h *Headscale) generateACLPolicyDestPorts(d string) (*[]tailcfg.NetPortRange, error) {
-	tokens := strings.Split(d, ":")
-	if len(tokens) < 2 || len(tokens) > 3 {
-		return nil, errorInvalidPortFormat
+func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
+	sessionLength, err := time.ParseDuration(duration)
+	if err != nil {
+		return nil, err
+	}
+
+	return &tailcfg.SSHAction{
+		Message:                  "",
+		Reject:                   false,
+		Accept:                   true,
+		SessionDuration:          sessionLength,
+		AllowAgentForwarding:     false,
+		HoldAndDelegate:          "",
+		AllowLocalPortForwarding: true,
+	}, nil
+}
+
+func generateACLPolicySrcIP(
+	machines []Machine,
+	aclPolicy ACLPolicy,
+	src string,
+	stripEmaildomain bool,
+) ([]string, error) {
+	return expandAlias(machines, aclPolicy, src, stripEmaildomain)
+}
+
+func generateACLPolicyDest(
+	machines []Machine,
+	aclPolicy ACLPolicy,
+	dest string,
+	needsWildcard bool,
+	stripEmaildomain bool,
+) ([]tailcfg.NetPortRange, error) {
+	tokens := strings.Split(dest, ":")
+	if len(tokens) < expectedTokenItems || len(tokens) > 3 {
+		return nil, errInvalidPortFormat
 	}
 
 	var alias string
@@ -112,23 +339,28 @@ func (h *Headscale) generateACLPolicyDestPorts(d string) (*[]tailcfg.NetPortRang
 	// tag:montreal-webserver:80,443
 	// tag:api-server:443
 	// example-host-1:*
-	if len(tokens) == 2 {
+	if len(tokens) == expectedTokenItems {
 		alias = tokens[0]
 	} else {
 		alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1])
 	}
 
-	expanded, err := h.expandAlias(alias)
+	expanded, err := expandAlias(
+		machines,
+		aclPolicy,
+		alias,
+		stripEmaildomain,
+	)
 	if err != nil {
 		return nil, err
 	}
-	ports, err := h.expandPorts(tokens[len(tokens)-1])
+	ports, err := expandPorts(tokens[len(tokens)-1], needsWildcard)
 	if err != nil {
 		return nil, err
 	}
 
 	dests := []tailcfg.NetPortRange{}
-	for _, d := range *expanded {
+	for _, d := range expanded {
 		for _, p := range *ports {
 			pr := tailcfg.NetPortRange{
 				IP:    d,
@@ -137,120 +369,240 @@ func (h *Headscale) generateACLPolicyDestPorts(d string) (*[]tailcfg.NetPortRang
 			dests = append(dests, pr)
 		}
 	}
-	return &dests, nil
+
+	return dests, nil
 }
 
-func (h *Headscale) expandAlias(s string) (*[]string, error) {
-	if s == "*" {
-		return &[]string{"*"}, nil
-	}
+// parseProtocol reads the proto field of the ACL and generates a list of
+// protocols that will be allowed, following the IANA IP protocol number
+// https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+//
+// If the ACL proto field is empty, it allows ICMPv4, ICMPv6, TCP, and UDP,
+// as per Tailscale behaviour (see tailcfg.FilterRule).
+//
+// Also returns a boolean indicating if the protocol
+// requires all the destinations to use wildcard as port number (only TCP,
+// UDP and SCTP support specifying ports).
+func parseProtocol(protocol string) ([]int, bool, error) {
+	switch protocol {
+	case "":
+		return nil, false, nil
+	case "igmp":
+		return []int{protocolIGMP}, true, nil
+	case "ipv4", "ip-in-ip":
+		return []int{protocolIPv4}, true, nil
+	case "tcp":
+		return []int{protocolTCP}, false, nil
+	case "egp":
+		return []int{protocolEGP}, true, nil
+	case "igp":
+		return []int{protocolIGP}, true, nil
+	case "udp":
+		return []int{protocolUDP}, false, nil
+	case "gre":
+		return []int{protocolGRE}, true, nil
+	case "esp":
+		return []int{protocolESP}, true, nil
+	case "ah":
+		return []int{protocolAH}, true, nil
+	case "sctp":
+		return []int{protocolSCTP}, false, nil
+	case "icmp":
+		return []int{protocolICMP, protocolIPv6ICMP}, true, nil
 
-	if strings.HasPrefix(s, "group:") {
-		if _, ok := h.aclPolicy.Groups[s]; !ok {
-			return nil, errorInvalidGroup
-		}
-		ips := []string{}
-		for _, n := range h.aclPolicy.Groups[s] {
-			nodes, err := h.ListMachinesInNamespace(n)
-			if err != nil {
-				return nil, errorInvalidNamespace
-			}
-			for _, node := range *nodes {
-				ips = append(ips, node.IPAddress)
-			}
-		}
-		return &ips, nil
-	}
-
-	if strings.HasPrefix(s, "tag:") {
-		if _, ok := h.aclPolicy.TagOwners[s]; !ok {
-			return nil, errorInvalidTag
-		}
-
-		// This will have HORRIBLE performance.
-		// We need to change the data model to better store tags
-		machines := []Machine{}
-		if err := h.db.Where("registered").Find(&machines).Error; err != nil {
-			return nil, err
-		}
-		ips := []string{}
-		for _, m := range machines {
-			hostinfo := tailcfg.Hostinfo{}
-			if len(m.HostInfo) != 0 {
-				hi, err := m.HostInfo.MarshalJSON()
-				if err != nil {
-					return nil, err
-				}
-				err = json.Unmarshal(hi, &hostinfo)
-				if err != nil {
-					return nil, err
-				}
-
-				// FIXME: Check TagOwners allows this
-				for _, t := range hostinfo.RequestTags {
-					if s[4:] == t {
-						ips = append(ips, m.IPAddress)
-						break
-					}
-				}
-			}
-		}
-		return &ips, nil
-	}
-
-	n, err := h.GetNamespace(s)
-	if err == nil {
-		nodes, err := h.ListMachinesInNamespace(n.Name)
+	default:
+		protocolNumber, err := strconv.Atoi(protocol)
 		if err != nil {
-			return nil, err
+			return nil, false, err
 		}
-		ips := []string{}
-		for _, n := range *nodes {
-			ips = append(ips, n.IPAddress)
-		}
-		return &ips, nil
-	}
+		needsWildcard := protocolNumber != protocolTCP &&
+			protocolNumber != protocolUDP &&
+			protocolNumber != protocolSCTP
 
-	if h, ok := h.aclPolicy.Hosts[s]; ok {
-		return &[]string{h.String()}, nil
+		return []int{protocolNumber}, needsWildcard, nil
 	}
-
-	ip, err := netaddr.ParseIP(s)
-	if err == nil {
-		return &[]string{ip.String()}, nil
-	}
-
-	cidr, err := netaddr.ParseIPPrefix(s)
-	if err == nil {
-		return &[]string{cidr.String()}, nil
-	}
-
-	return nil, errorInvalidUserSection
 }
 
-func (h *Headscale) expandPorts(s string) (*[]tailcfg.PortRange, error) {
-	if s == "*" {
-		return &[]tailcfg.PortRange{{First: 0, Last: 65535}}, nil
+// expandalias has an input of either
+// - a user
+// - a group
+// - a tag
+// and transform these in IPAddresses.
+func expandAlias(
+	machines []Machine,
+	aclPolicy ACLPolicy,
+	alias string,
+	stripEmailDomain bool,
+) ([]string, error) {
+	ips := []string{}
+	if alias == "*" {
+		return []string{"*"}, nil
+	}
+
+	log.Debug().
+		Str("alias", alias).
+		Msg("Expanding")
+
+	if strings.HasPrefix(alias, "group:") {
+		users, err := expandGroup(aclPolicy, alias, stripEmailDomain)
+		if err != nil {
+			return ips, err
+		}
+		for _, n := range users {
+			nodes := filterMachinesByUser(machines, n)
+			for _, node := range nodes {
+				ips = append(ips, node.IPAddresses.ToStringSlice()...)
+			}
+		}
+
+		return ips, nil
+	}
+
+	if strings.HasPrefix(alias, "tag:") {
+		// check for forced tags
+		for _, machine := range machines {
+			if contains(machine.ForcedTags, alias) {
+				ips = append(ips, machine.IPAddresses.ToStringSlice()...)
+			}
+		}
+
+		// find tag owners
+		owners, err := expandTagOwners(aclPolicy, alias, stripEmailDomain)
+		if err != nil {
+			if errors.Is(err, errInvalidTag) {
+				if len(ips) == 0 {
+					return ips, fmt.Errorf(
+						"%w. %v isn't owned by a TagOwner and no forced tags are defined",
+						errInvalidTag,
+						alias,
+					)
+				}
+
+				return ips, nil
+			} else {
+				return ips, err
+			}
+		}
+
+		// filter out machines per tag owner
+		for _, user := range owners {
+			machines := filterMachinesByUser(machines, user)
+			for _, machine := range machines {
+				hi := machine.GetHostInfo()
+				if contains(hi.RequestTags, alias) {
+					ips = append(ips, machine.IPAddresses.ToStringSlice()...)
+				}
+			}
+		}
+
+		return ips, nil
+	}
+
+	// if alias is a user
+	nodes := filterMachinesByUser(machines, alias)
+	nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias, stripEmailDomain)
+
+	for _, n := range nodes {
+		ips = append(ips, n.IPAddresses.ToStringSlice()...)
+	}
+	if len(ips) > 0 {
+		return ips, nil
+	}
+
+	// if alias is an host
+	if h, ok := aclPolicy.Hosts[alias]; ok {
+		return []string{h.String()}, nil
+	}
+
+	// if alias is an IP
+	ip, err := netip.ParseAddr(alias)
+	if err == nil {
+		return []string{ip.String()}, nil
+	}
+
+	// if alias is an CIDR
+	cidr, err := netip.ParsePrefix(alias)
+	if err == nil {
+		return []string{cidr.String()}, nil
+	}
+
+	log.Warn().Msgf("No IPs found with the alias %v", alias)
+
+	return ips, nil
+}
+
+// excludeCorrectlyTaggedNodes will remove from the list of input nodes the ones
+// that are correctly tagged since they should not be listed as being in the user
+// we assume in this function that we only have nodes from 1 user.
+func excludeCorrectlyTaggedNodes(
+	aclPolicy ACLPolicy,
+	nodes []Machine,
+	user string,
+	stripEmailDomain bool,
+) []Machine {
+	out := []Machine{}
+	tags := []string{}
+	for tag := range aclPolicy.TagOwners {
+		owners, _ := expandTagOwners(aclPolicy, user, stripEmailDomain)
+		ns := append(owners, user)
+		if contains(ns, user) {
+			tags = append(tags, tag)
+		}
+	}
+	// for each machine if tag is in tags list, don't append it.
+	for _, machine := range nodes {
+		hi := machine.GetHostInfo()
+
+		found := false
+		for _, t := range hi.RequestTags {
+			if contains(tags, t) {
+				found = true
+
+				break
+			}
+		}
+		if len(machine.ForcedTags) > 0 {
+			found = true
+		}
+		if !found {
+			out = append(out, machine)
+		}
+	}
+
+	return out
+}
+
+func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, error) {
+	if portsStr == "*" {
+		return &[]tailcfg.PortRange{
+			{First: portRangeBegin, Last: portRangeEnd},
+		}, nil
+	}
+
+	if needsWildcard {
+		return nil, errWildcardIsNeeded
 	}
 
 	ports := []tailcfg.PortRange{}
-	for _, p := range strings.Split(s, ",") {
-		rang := strings.Split(p, "-")
-		if len(rang) == 1 {
-			pi, err := strconv.ParseUint(rang[0], 10, 16)
+	for _, portStr := range strings.Split(portsStr, ",") {
+		rang := strings.Split(portStr, "-")
+		switch len(rang) {
+		case 1:
+			port, err := strconv.ParseUint(rang[0], Base10, BitSize16)
 			if err != nil {
 				return nil, err
 			}
 			ports = append(ports, tailcfg.PortRange{
-				First: uint16(pi),
-				Last:  uint16(pi),
+				First: uint16(port),
+				Last:  uint16(port),
 			})
-		} else if len(rang) == 2 {
-			start, err := strconv.ParseUint(rang[0], 10, 16)
+
+		case expectedTokenItems:
+			start, err := strconv.ParseUint(rang[0], Base10, BitSize16)
 			if err != nil {
 				return nil, err
 			}
-			last, err := strconv.ParseUint(rang[1], 10, 16)
+			last, err := strconv.ParseUint(rang[1], Base10, BitSize16)
 			if err != nil {
 				return nil, err
 			}
@@ -258,9 +610,90 @@ func (h *Headscale) expandPorts(s string) (*[]tailcfg.PortRange, error) {
 				First: uint16(start),
 				Last:  uint16(last),
 			})
-		} else {
-			return nil, errorInvalidPortFormat
+
+		default:
+			return nil, errInvalidPortFormat
 		}
 	}
+
 	return &ports, nil
 }
+
+func filterMachinesByUser(machines []Machine, user string) []Machine {
+	out := []Machine{}
+	for _, machine := range machines {
+		if machine.User.Name == user {
+			out = append(out, machine)
+		}
+	}
+
+	return out
+}
+
+// expandTagOwners will return a list of user. An owner can be either a user or a group
+// a group cannot be composed of groups.
+func expandTagOwners(
+	aclPolicy ACLPolicy,
+	tag string,
+	stripEmailDomain bool,
+) ([]string, error) {
+	var owners []string
+	ows, ok := aclPolicy.TagOwners[tag]
+	if !ok {
+		return []string{}, fmt.Errorf(
+			"%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners",
+			errInvalidTag,
+			tag,
+		)
+	}
+	for _, owner := range ows {
+		if strings.HasPrefix(owner, "group:") {
+			gs, err := expandGroup(aclPolicy, owner, stripEmailDomain)
+			if err != nil {
+				return []string{}, err
+			}
+			owners = append(owners, gs...)
+		} else {
+			owners = append(owners, owner)
+		}
+	}
+
+	return owners, nil
+}
+
+// expandGroup will return the list of user inside the group
+// after some validation.
+func expandGroup(
+	aclPolicy ACLPolicy,
+	group string,
+	stripEmailDomain bool,
+) ([]string, error) {
+	outGroups := []string{}
+	aclGroups, ok := aclPolicy.Groups[group]
+	if !ok {
+		return []string{}, fmt.Errorf(
+			"group %v isn't registered. %w",
+			group,
+			errInvalidGroup,
+		)
+	}
+	for _, group := range aclGroups {
+		if strings.HasPrefix(group, "group:") {
+			return []string{}, fmt.Errorf(
+				"%w. A group cannot be composed of groups. https://tailscale.com/kb/1018/acls/#groups",
+				errInvalidGroup,
+			)
+		}
+		grp, err := NormalizeToFQDNRules(group, stripEmailDomain)
+		if err != nil {
+			return []string{}, fmt.Errorf(
+				"failed to normalize group %q, err: %w",
+				group,
+				errInvalidGroup,
+			)
+		}
+		outGroups = append(outGroups, grp)
+	}
+
+	return outGroups, nil
+}

acls_types.go

@@ -1,70 +1,145 @@
 package headscale
 
 import (
+	"encoding/json"
+	"net/netip"
 	"strings"
 
 	"github.com/tailscale/hujson"
-	"inet.af/netaddr"
+	"gopkg.in/yaml.v3"
 )
 
-// ACLPolicy represents a Tailscale ACL Policy
+// ACLPolicy represents a Tailscale ACL Policy.
 type ACLPolicy struct {
-	Groups    Groups    `json:"Groups"`
-	Hosts     Hosts     `json:"Hosts"`
-	TagOwners TagOwners `json:"TagOwners"`
-	ACLs      []ACL     `json:"ACLs"`
-	Tests     []ACLTest `json:"Tests"`
+	Groups        Groups        `json:"groups"        yaml:"groups"`
+	Hosts         Hosts         `json:"hosts"         yaml:"hosts"`
+	TagOwners     TagOwners     `json:"tagOwners"     yaml:"tagOwners"`
+	ACLs          []ACL         `json:"acls"          yaml:"acls"`
+	Tests         []ACLTest     `json:"tests"         yaml:"tests"`
+	AutoApprovers AutoApprovers `json:"autoApprovers" yaml:"autoApprovers"`
+	SSHs          []SSH         `json:"ssh"           yaml:"ssh"`
 }
 
-// ACL is a basic rule for the ACL Policy
+// ACL is a basic rule for the ACL Policy.
 type ACL struct {
-	Action string   `json:"Action"`
-	Users  []string `json:"Users"`
-	Ports  []string `json:"Ports"`
+	Action       string   `json:"action" yaml:"action"`
+	Protocol     string   `json:"proto"  yaml:"proto"`
+	Sources      []string `json:"src"    yaml:"src"`
+	Destinations []string `json:"dst"    yaml:"dst"`
 }
 
-// Groups references a series of alias in the ACL rules
+// Groups references a series of alias in the ACL rules.
 type Groups map[string][]string
 
-// Hosts are alias for IP addresses or subnets
-type Hosts map[string]netaddr.IPPrefix
+// Hosts are alias for IP addresses or subnets.
+type Hosts map[string]netip.Prefix
 
-// TagOwners specify what users (namespaces?) are allow to use certain tags
+// TagOwners specify what users (users?) are allow to use certain tags.
 type TagOwners map[string][]string
 
-// ACLTest is not implemented, but should be use to check if a certain rule is allowed
+// ACLTest is not implemented, but should be use to check if a certain rule is allowed.
 type ACLTest struct {
-	User  string   `json:"User"`
-	Allow []string `json:"Allow"`
-	Deny  []string `json:"Deny,omitempty"`
+	Source string   `json:"src"            yaml:"src"`
+	Accept []string `json:"accept"         yaml:"accept"`
+	Deny   []string `json:"deny,omitempty" yaml:"deny,omitempty"`
 }
 
-// UnmarshalJSON allows to parse the Hosts directly into netaddr objects
-func (h *Hosts) UnmarshalJSON(data []byte) error {
-	hosts := Hosts{}
-	hs := make(map[string]string)
-	err := hujson.Unmarshal(data, &hs)
+// AutoApprovers specify which users (users?), groups or tags have their advertised routes
+// or exit node status automatically enabled.
+type AutoApprovers struct {
+	Routes   map[string][]string `json:"routes"   yaml:"routes"`
+	ExitNode []string            `json:"exitNode" yaml:"exitNode"`
+}
+
+// SSH controls who can ssh into which machines.
+type SSH struct {
+	Action       string   `json:"action"                yaml:"action"`
+	Sources      []string `json:"src"                   yaml:"src"`
+	Destinations []string `json:"dst"                   yaml:"dst"`
+	Users        []string `json:"users"                 yaml:"users"`
+	CheckPeriod  string   `json:"checkPeriod,omitempty" yaml:"checkPeriod,omitempty"`
+}
+
+// UnmarshalJSON allows to parse the Hosts directly into netip objects.
+func (hosts *Hosts) UnmarshalJSON(data []byte) error {
+	newHosts := Hosts{}
+	hostIPPrefixMap := make(map[string]string)
+	ast, err := hujson.Parse(data)
 	if err != nil {
 		return err
 	}
-	for k, v := range hs {
-		if !strings.Contains(v, "/") {
-			v = v + "/32"
+	ast.Standardize()
+	data = ast.Pack()
+	err = json.Unmarshal(data, &hostIPPrefixMap)
+	if err != nil {
+		return err
+	}
+	for host, prefixStr := range hostIPPrefixMap {
+		if !strings.Contains(prefixStr, "/") {
+			prefixStr += "/32"
 		}
-		prefix, err := netaddr.ParseIPPrefix(v)
+		prefix, err := netip.ParsePrefix(prefixStr)
 		if err != nil {
 			return err
 		}
-		hosts[k] = prefix
+		newHosts[host] = prefix
 	}
-	*h = hosts
+	*hosts = newHosts
+
 	return nil
 }
 
-// IsZero is perhaps a bit naive here
-func (p ACLPolicy) IsZero() bool {
-	if len(p.Groups) == 0 && len(p.Hosts) == 0 && len(p.ACLs) == 0 {
+// UnmarshalYAML allows to parse the Hosts directly into netip objects.
+func (hosts *Hosts) UnmarshalYAML(data []byte) error {
+	newHosts := Hosts{}
+	hostIPPrefixMap := make(map[string]string)
+
+	err := yaml.Unmarshal(data, &hostIPPrefixMap)
+	if err != nil {
+		return err
+	}
+	for host, prefixStr := range hostIPPrefixMap {
+		prefix, err := netip.ParsePrefix(prefixStr)
+		if err != nil {
+			return err
+		}
+		newHosts[host] = prefix
+	}
+	*hosts = newHosts
+
+	return nil
+}
+
+// IsZero is perhaps a bit naive here.
+func (policy ACLPolicy) IsZero() bool {
+	if len(policy.Groups) == 0 && len(policy.Hosts) == 0 && len(policy.ACLs) == 0 {
 		return true
 	}
+
 	return false
 }
+
+// Returns the list of autoApproving users, groups or tags for a given IPPrefix.
+func (autoApprovers *AutoApprovers) GetRouteApprovers(
+	prefix netip.Prefix,
+) ([]string, error) {
+	if prefix.Bits() == 0 {
+		return autoApprovers.ExitNode, nil // 0.0.0.0/0, ::/0 or equivalent
+	}
+
+	approverAliases := []string{}
+
+	for autoApprovedPrefix, autoApproverAliases := range autoApprovers.Routes {
+		autoApprovedPrefix, err := netip.ParsePrefix(autoApprovedPrefix)
+		if err != nil {
+			return nil, err
+		}
+
+		if prefix.Bits() >= autoApprovedPrefix.Bits() &&
+			autoApprovedPrefix.Contains(prefix.Masked().Addr()) {
+			approverAliases = append(approverAliases, autoApproverAliases...)
+		}
+	}
+
+	return approverAliases, nil
+}

api.go

@@ -1,421 +1,168 @@
 package headscale
 
 import (
-	"encoding/binary"
+	"bytes"
 	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
+	"html/template"
 	"net/http"
 	"time"
 
+	"github.com/gorilla/mux"
 	"github.com/rs/zerolog/log"
-
-	"github.com/gin-gonic/gin"
-	"github.com/klauspost/compress/zstd"
-	"gorm.io/gorm"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/wgkey"
+	"tailscale.com/types/key"
 )
 
-// KeyHandler provides the Headscale pub key
-// Listens in /key
-func (h *Headscale) KeyHandler(c *gin.Context) {
-	c.Data(200, "text/plain; charset=utf-8", []byte(h.publicKey.HexString()))
+const (
+	// TODO(juan): remove this once https://github.com/juanfont/headscale/issues/727 is fixed.
+	registrationHoldoff                      = time.Second * 5
+	reservedResponseHeaderSize               = 4
+	RegisterMethodAuthKey                    = "authkey"
+	RegisterMethodOIDC                       = "oidc"
+	RegisterMethodCLI                        = "cli"
+	ErrRegisterMethodCLIDoesNotSupportExpire = Error(
+		"machines registered with CLI does not support expire",
+	)
+)
+
+func (h *Headscale) HealthHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	respond := func(err error) {
+		writer.Header().Set("Content-Type", "application/health+json; charset=utf-8")
+
+		res := struct {
+			Status string `json:"status"`
+		}{
+			Status: "pass",
+		}
+
+		if err != nil {
+			writer.WriteHeader(http.StatusInternalServerError)
+			log.Error().Caller().Err(err).Msg("health check failed")
+			res.Status = "fail"
+		}
+
+		buf, err := json.Marshal(res)
+		if err != nil {
+			log.Error().Caller().Err(err).Msg("marshal failed")
+		}
+		_, err = writer.Write(buf)
+		if err != nil {
+			log.Error().Caller().Err(err).Msg("write failed")
+		}
+	}
+
+	if err := h.pingDB(req.Context()); err != nil {
+		respond(err)
+
+		return
+	}
+
+	respond(nil)
 }
 
+type registerWebAPITemplateConfig struct {
+	Key string
+}
+
+var registerWebAPITemplate = template.Must(
+	template.New("registerweb").Parse(`
+<html>
+	<head>
+		<title>Registration - Headscale</title>
+	</head>
+	<body>
+		<h1>headscale</h1>
+		<h2>Machine registration</h2>
+		<p>
+			Run the command below in the headscale server to add this machine to your network:
+		</p>
+		<pre><code>headscale nodes register --user USERNAME --key {{.Key}}</code></pre>
+	</body>
+</html>
+`))
+
 // RegisterWebAPI shows a simple message in the browser to point to the CLI
-// Listens in /register
-func (h *Headscale) RegisterWebAPI(c *gin.Context) {
-	mKeyStr := c.Query("key")
-	if mKeyStr == "" {
-		c.String(http.StatusBadRequest, "Wrong params")
-		return
-	}
+// Listens in /register/:nkey.
+//
+// This is not part of the Tailscale control API, as we could send whatever URL
+// in the RegisterResponse.AuthURL field.
+func (h *Headscale) RegisterWebAPI(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	vars := mux.Vars(req)
+	nodeKeyStr, ok := vars["nkey"]
 
-	c.Data(http.StatusOK, "text/html; charset=utf-8", []byte(fmt.Sprintf(`
-	<html>
-	<body>
-	<h1>headscale</h1>
-	<p>
-		Run the command below in the headscale server to add this machine to your network:
-	</p>
+	if !NodePublicKeyRegex.Match([]byte(nodeKeyStr)) {
+		log.Warn().Str("node_key", nodeKeyStr).Msg("Invalid node key passed to registration url")
 
-	<p>
-		<code>
-			<b>headscale -n NAMESPACE nodes register %s</b>
-		</code>
-	</p>
-
-	</body>
-	</html>
-
-	`, mKeyStr)))
-}
-
-// RegistrationHandler handles the actual registration process of a machine
-// Endpoint /machine/:id
-func (h *Headscale) RegistrationHandler(c *gin.Context) {
-	body, _ := io.ReadAll(c.Request.Body)
-	mKeyStr := c.Param("id")
-	mKey, err := wgkey.ParseHex(mKeyStr)
-	if err != nil {
-		log.Error().
-			Str("handler", "Registration").
-			Err(err).
-			Msg("Cannot parse machine key")
-		machineRegistrations.WithLabelValues("unkown", "web", "error", "unknown").Inc()
-		c.String(http.StatusInternalServerError, "Sad!")
-		return
-	}
-	req := tailcfg.RegisterRequest{}
-	err = decode(body, &req, &mKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Str("handler", "Registration").
-			Err(err).
-			Msg("Cannot decode message")
-		machineRegistrations.WithLabelValues("unkown", "web", "error", "unknown").Inc()
-		c.String(http.StatusInternalServerError, "Very sad!")
-		return
-	}
-
-	now := time.Now().UTC()
-	var m Machine
-	if result := h.db.Preload("Namespace").First(&m, "machine_key = ?", mKey.HexString()); errors.Is(result.Error, gorm.ErrRecordNotFound) {
-		log.Info().Str("machine", req.Hostinfo.Hostname).Msg("New machine")
-		m = Machine{
-			Expiry:               &req.Expiry,
-			MachineKey:           mKey.HexString(),
-			Name:                 req.Hostinfo.Hostname,
-			NodeKey:              wgkey.Key(req.NodeKey).HexString(),
-			LastSuccessfulUpdate: &now,
-		}
-		if err := h.db.Create(&m).Error; err != nil {
-			log.Error().
-				Str("handler", "Registration").
-				Err(err).
-				Msg("Could not create row")
-			machineRegistrations.WithLabelValues("unkown", "web", "error", m.Namespace.Name).Inc()
-			return
-		}
-	}
-
-	if !m.Registered && req.Auth.AuthKey != "" {
-		h.handleAuthKey(c, h.db, mKey, req, m)
-		return
-	}
-
-	resp := tailcfg.RegisterResponse{}
-
-	// We have the updated key!
-	if m.NodeKey == wgkey.Key(req.NodeKey).HexString() {
-		if m.Registered {
-			log.Debug().
-				Str("handler", "Registration").
-				Str("machine", m.Name).
-				Msg("Client is registered and we have the current NodeKey. All clear to /map")
-
-			resp.AuthURL = ""
-			resp.MachineAuthorized = true
-			resp.User = *m.Namespace.toUser()
-			respBody, err := encode(resp, &mKey, h.privateKey)
-			if err != nil {
-				log.Error().
-					Str("handler", "Registration").
-					Err(err).
-					Msg("Cannot encode message")
-				machineRegistrations.WithLabelValues("update", "web", "error", m.Namespace.Name).Inc()
-				c.String(http.StatusInternalServerError, "")
-				return
-			}
-			machineRegistrations.WithLabelValues("update", "web", "success", m.Namespace.Name).Inc()
-			c.Data(200, "application/json; charset=utf-8", respBody)
-			return
-		}
-
-		log.Debug().
-			Str("handler", "Registration").
-			Str("machine", m.Name).
-			Msg("Not registered and not NodeKey rotation. Sending a authurl to register")
-		resp.AuthURL = fmt.Sprintf("%s/register?key=%s",
-			h.cfg.ServerURL, mKey.HexString())
-		respBody, err := encode(resp, &mKey, h.privateKey)
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusUnauthorized)
+		_, err := writer.Write([]byte("Unauthorized"))
 		if err != nil {
 			log.Error().
-				Str("handler", "Registration").
+				Caller().
 				Err(err).
-				Msg("Cannot encode message")
-			machineRegistrations.WithLabelValues("new", "web", "error", m.Namespace.Name).Inc()
-			c.String(http.StatusInternalServerError, "")
-			return
+				Msg("Failed to write response")
 		}
-		machineRegistrations.WithLabelValues("new", "web", "success", m.Namespace.Name).Inc()
-		c.Data(200, "application/json; charset=utf-8", respBody)
+
 		return
 	}
 
-	// The NodeKey we have matches OldNodeKey, which means this is a refresh after an key expiration
-	if m.NodeKey == wgkey.Key(req.OldNodeKey).HexString() {
-		log.Debug().
-			Str("handler", "Registration").
-			Str("machine", m.Name).
-			Msg("We have the OldNodeKey in the database. This is a key refresh")
-		m.NodeKey = wgkey.Key(req.NodeKey).HexString()
-		h.db.Save(&m)
+	// We need to make sure we dont open for XSS style injections, if the parameter that
+	// is passed as a key is not parsable/validated as a NodePublic key, then fail to render
+	// the template and log an error.
+	var nodeKey key.NodePublic
+	err := nodeKey.UnmarshalText(
+		[]byte(NodePublicKeyEnsurePrefix(nodeKeyStr)),
+	)
 
-		resp.AuthURL = ""
-		resp.User = *m.Namespace.toUser()
-		respBody, err := encode(resp, &mKey, h.privateKey)
+	if !ok || nodeKeyStr == "" || err != nil {
+		log.Warn().Err(err).Msg("Failed to parse incoming nodekey")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("Wrong params"))
 		if err != nil {
 			log.Error().
-				Str("handler", "Registration").
+				Caller().
 				Err(err).
-				Msg("Cannot encode message")
-			c.String(http.StatusInternalServerError, "Extremely sad!")
-			return
+				Msg("Failed to write response")
 		}
-		c.Data(200, "application/json; charset=utf-8", respBody)
+
 		return
 	}
 
-	// We arrive here after a client is restarted without finalizing the authentication flow or
-	// when headscale is stopped in the middle of the auth process.
-	if m.Registered {
-		log.Debug().
-			Str("handler", "Registration").
-			Str("machine", m.Name).
-			Msg("The node is sending us a new NodeKey, but machine is registered. All clear for /map")
-		resp.AuthURL = ""
-		resp.MachineAuthorized = true
-		resp.User = *m.Namespace.toUser()
-		respBody, err := encode(resp, &mKey, h.privateKey)
+	var content bytes.Buffer
+	if err := registerWebAPITemplate.Execute(&content, registerWebAPITemplateConfig{
+		Key: nodeKeyStr,
+	}); err != nil {
+		log.Error().
+			Str("func", "RegisterWebAPI").
+			Err(err).
+			Msg("Could not render register web API template")
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err = writer.Write([]byte("Could not render register web API template"))
 		if err != nil {
 			log.Error().
-				Str("handler", "Registration").
+				Caller().
 				Err(err).
-				Msg("Cannot encode message")
-			c.String(http.StatusInternalServerError, "")
-			return
+				Msg("Failed to write response")
 		}
-		c.Data(200, "application/json; charset=utf-8", respBody)
+
 		return
 	}
 
-	log.Debug().
-		Str("handler", "Registration").
-		Str("machine", m.Name).
-		Msg("The node is sending us a new NodeKey, sending auth url")
-	resp.AuthURL = fmt.Sprintf("%s/register?key=%s",
-		h.cfg.ServerURL, mKey.HexString())
-	respBody, err := encode(resp, &mKey, h.privateKey)
+	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err = writer.Write(content.Bytes())
 	if err != nil {
 		log.Error().
-			Str("handler", "Registration").
+			Caller().
 			Err(err).
-			Msg("Cannot encode message")
-		c.String(http.StatusInternalServerError, "")
-		return
+			Msg("Failed to write response")
 	}
-	c.Data(200, "application/json; charset=utf-8", respBody)
-}
-
-func (h *Headscale) getMapResponse(mKey wgkey.Key, req tailcfg.MapRequest, m *Machine) ([]byte, error) {
-	log.Trace().
-		Str("func", "getMapResponse").
-		Str("machine", req.Hostinfo.Hostname).
-		Msg("Creating Map response")
-	node, err := m.toNode(h.cfg.BaseDomain, h.cfg.DNSConfig, true)
-	if err != nil {
-		log.Error().
-			Str("func", "getMapResponse").
-			Err(err).
-			Msg("Cannot convert to node")
-		return nil, err
-	}
-
-	peers, err := h.getPeers(m)
-	if err != nil {
-		log.Error().
-			Str("func", "getMapResponse").
-			Err(err).
-			Msg("Cannot fetch peers")
-		return nil, err
-	}
-
-	profile := tailcfg.UserProfile{
-		ID:          tailcfg.UserID(m.NamespaceID),
-		LoginName:   m.Namespace.Name,
-		DisplayName: m.Namespace.Name,
-	}
-
-	nodePeers, err := peers.toNodes(h.cfg.BaseDomain, h.cfg.DNSConfig, true)
-	if err != nil {
-		log.Error().
-			Str("func", "getMapResponse").
-			Err(err).
-			Msg("Failed to convert peers to Tailscale nodes")
-		return nil, err
-	}
-
-	var dnsConfig *tailcfg.DNSConfig
-	if h.cfg.DNSConfig != nil && h.cfg.DNSConfig.Proxied { // if MagicDNS is enabled
-		// Only inject the Search Domain of the current namespace - shared nodes should use their full FQDN
-		dnsConfig = h.cfg.DNSConfig.Clone()
-		dnsConfig.Domains = append(dnsConfig.Domains, fmt.Sprintf("%s.%s", m.Namespace.Name, h.cfg.BaseDomain))
-	} else {
-		dnsConfig = h.cfg.DNSConfig
-	}
-
-	resp := tailcfg.MapResponse{
-		KeepAlive:    false,
-		Node:         node,
-		Peers:        nodePeers,
-		DNSConfig:    dnsConfig,
-		Domain:       h.cfg.BaseDomain,
-		PacketFilter: *h.aclRules,
-		DERPMap:      h.cfg.DerpMap,
-
-		// TODO(juanfont): We should send the profiles of all the peers (this own namespace + those from the shared peers)
-		UserProfiles: []tailcfg.UserProfile{profile},
-	}
-	log.Trace().
-		Str("func", "getMapResponse").
-		Str("machine", req.Hostinfo.Hostname).
-		// Interface("payload", resp).
-		Msgf("Generated map response: %s", tailMapResponseToString(resp))
-
-	var respBody []byte
-	if req.Compress == "zstd" {
-		src, _ := json.Marshal(resp)
-
-		encoder, _ := zstd.NewWriter(nil)
-		srcCompressed := encoder.EncodeAll(src, nil)
-		respBody, err = encodeMsg(srcCompressed, &mKey, h.privateKey)
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		respBody, err = encode(resp, &mKey, h.privateKey)
-		if err != nil {
-			return nil, err
-		}
-	}
-	// declare the incoming size on the first 4 bytes
-	data := make([]byte, 4)
-	binary.LittleEndian.PutUint32(data, uint32(len(respBody)))
-	data = append(data, respBody...)
-	return data, nil
-}
-
-func (h *Headscale) getMapKeepAliveResponse(mKey wgkey.Key, req tailcfg.MapRequest, m *Machine) ([]byte, error) {
-	resp := tailcfg.MapResponse{
-		KeepAlive: true,
-	}
-	var respBody []byte
-	var err error
-	if req.Compress == "zstd" {
-		src, _ := json.Marshal(resp)
-		encoder, _ := zstd.NewWriter(nil)
-		srcCompressed := encoder.EncodeAll(src, nil)
-		respBody, err = encodeMsg(srcCompressed, &mKey, h.privateKey)
-		if err != nil {
-			return nil, err
-		}
-	} else {
-		respBody, err = encode(resp, &mKey, h.privateKey)
-		if err != nil {
-			return nil, err
-		}
-	}
-	data := make([]byte, 4)
-	binary.LittleEndian.PutUint32(data, uint32(len(respBody)))
-	data = append(data, respBody...)
-	return data, nil
-}
-
-func (h *Headscale) handleAuthKey(c *gin.Context, db *gorm.DB, idKey wgkey.Key, req tailcfg.RegisterRequest, m Machine) {
-	log.Debug().
-		Str("func", "handleAuthKey").
-		Str("machine", req.Hostinfo.Hostname).
-		Msgf("Processing auth key for %s", req.Hostinfo.Hostname)
-	resp := tailcfg.RegisterResponse{}
-	pak, err := h.checkKeyValidity(req.Auth.AuthKey)
-	if err != nil {
-		log.Error().
-			Str("func", "handleAuthKey").
-			Str("machine", m.Name).
-			Err(err).
-			Msg("Failed authentication via AuthKey")
-		resp.MachineAuthorized = false
-		respBody, err := encode(resp, &idKey, h.privateKey)
-		if err != nil {
-			log.Error().
-				Str("func", "handleAuthKey").
-				Str("machine", m.Name).
-				Err(err).
-				Msg("Cannot encode message")
-			c.String(http.StatusInternalServerError, "")
-			machineRegistrations.WithLabelValues("new", "authkey", "error", m.Namespace.Name).Inc()
-			return
-		}
-		c.Data(401, "application/json; charset=utf-8", respBody)
-		log.Error().
-			Str("func", "handleAuthKey").
-			Str("machine", m.Name).
-			Msg("Failed authentication via AuthKey")
-		machineRegistrations.WithLabelValues("new", "authkey", "error", m.Namespace.Name).Inc()
-		return
-	}
-
-	log.Debug().
-		Str("func", "handleAuthKey").
-		Str("machine", m.Name).
-		Msg("Authentication key was valid, proceeding to acquire an IP address")
-	ip, err := h.getAvailableIP()
-	if err != nil {
-		log.Error().
-			Str("func", "handleAuthKey").
-			Str("machine", m.Name).
-			Msg("Failed to find an available IP")
-		machineRegistrations.WithLabelValues("new", "authkey", "error", m.Namespace.Name).Inc()
-		return
-	}
-	log.Info().
-		Str("func", "handleAuthKey").
-		Str("machine", m.Name).
-		Str("ip", ip.String()).
-		Msgf("Assigning %s to %s", ip, m.Name)
-
-	m.AuthKeyID = uint(pak.ID)
-	m.IPAddress = ip.String()
-	m.NamespaceID = pak.NamespaceID
-	m.NodeKey = wgkey.Key(req.NodeKey).HexString() // we update it just in case
-	m.Registered = true
-	m.RegisterMethod = "authKey"
-	db.Save(&m)
-
-	pak.Used = true
-	db.Save(&pak)
-
-	resp.MachineAuthorized = true
-	resp.User = *pak.Namespace.toUser()
-	respBody, err := encode(resp, &idKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Str("func", "handleAuthKey").
-			Str("machine", m.Name).
-			Err(err).
-			Msg("Cannot encode message")
-		machineRegistrations.WithLabelValues("new", "authkey", "error", m.Namespace.Name).Inc()
-		c.String(http.StatusInternalServerError, "Extremely sad!")
-		return
-	}
-	machineRegistrations.WithLabelValues("new", "authkey", "success", m.Namespace.Name).Inc()
-	c.Data(200, "application/json; charset=utf-8", respBody)
-	log.Info().
-		Str("func", "handleAuthKey").
-		Str("machine", m.Name).
-		Str("ip", ip.String()).
-		Msg("Successfully authenticated via AuthKey")
 }

api_common.go

@@ -0,0 +1,81 @@
+package headscale
+
+import (
+	"github.com/rs/zerolog/log"
+	"tailscale.com/tailcfg"
+)
+
+func (h *Headscale) generateMapResponse(
+	mapRequest tailcfg.MapRequest,
+	machine *Machine,
+) (*tailcfg.MapResponse, error) {
+	log.Trace().
+		Str("func", "generateMapResponse").
+		Str("machine", mapRequest.Hostinfo.Hostname).
+		Msg("Creating Map response")
+	node, err := h.toNode(*machine, h.cfg.BaseDomain, h.cfg.DNSConfig)
+	if err != nil {
+		log.Error().
+			Caller().
+			Str("func", "generateMapResponse").
+			Err(err).
+			Msg("Cannot convert to node")
+
+		return nil, err
+	}
+
+	peers, err := h.getValidPeers(machine)
+	if err != nil {
+		log.Error().
+			Caller().
+			Str("func", "generateMapResponse").
+			Err(err).
+			Msg("Cannot fetch peers")
+
+		return nil, err
+	}
+
+	profiles := h.getMapResponseUserProfiles(*machine, peers)
+
+	nodePeers, err := h.toNodes(peers, h.cfg.BaseDomain, h.cfg.DNSConfig)
+	if err != nil {
+		log.Error().
+			Caller().
+			Str("func", "generateMapResponse").
+			Err(err).
+			Msg("Failed to convert peers to Tailscale nodes")
+
+		return nil, err
+	}
+
+	dnsConfig := getMapResponseDNSConfig(
+		h.cfg.DNSConfig,
+		h.cfg.BaseDomain,
+		*machine,
+		peers,
+	)
+
+	resp := tailcfg.MapResponse{
+		KeepAlive:    false,
+		Node:         node,
+		Peers:        nodePeers,
+		DNSConfig:    dnsConfig,
+		Domain:       h.cfg.BaseDomain,
+		PacketFilter: h.aclRules,
+		SSHPolicy:    h.sshPolicy,
+		DERPMap:      h.DERPMap,
+		UserProfiles: profiles,
+		Debug: &tailcfg.Debug{
+			DisableLogTail:      !h.cfg.LogTail.Enabled,
+			RandomizeClientPort: h.cfg.RandomizeClientPort,
+		},
+	}
+
+	log.Trace().
+		Str("func", "generateMapResponse").
+		Str("machine", mapRequest.Hostinfo.Hostname).
+		// Interface("payload", resp).
+		Msgf("Generated map response: %s", tailMapResponseToString(resp))
+
+	return &resp, nil
+}

api_key.go

@@ -0,0 +1,157 @@
+package headscale
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"golang.org/x/crypto/bcrypt"
+	"google.golang.org/protobuf/types/known/timestamppb"
+)
+
+const (
+	apiPrefixLength = 7
+	apiKeyLength    = 32
+
+	ErrAPIKeyFailedToParse = Error("Failed to parse ApiKey")
+)
+
+// APIKey describes the datamodel for API keys used to remotely authenticate with
+// headscale.
+type APIKey struct {
+	ID     uint64 `gorm:"primary_key"`
+	Prefix string `gorm:"uniqueIndex"`
+	Hash   []byte
+
+	CreatedAt  *time.Time
+	Expiration *time.Time
+	LastSeen   *time.Time
+}
+
+// CreateAPIKey creates a new ApiKey in a user, and returns it.
+func (h *Headscale) CreateAPIKey(
+	expiration *time.Time,
+) (string, *APIKey, error) {
+	prefix, err := GenerateRandomStringURLSafe(apiPrefixLength)
+	if err != nil {
+		return "", nil, err
+	}
+
+	toBeHashed, err := GenerateRandomStringURLSafe(apiKeyLength)
+	if err != nil {
+		return "", nil, err
+	}
+
+	// Key to return to user, this will only be visible _once_
+	keyStr := prefix + "." + toBeHashed
+
+	hash, err := bcrypt.GenerateFromPassword([]byte(toBeHashed), bcrypt.DefaultCost)
+	if err != nil {
+		return "", nil, err
+	}
+
+	key := APIKey{
+		Prefix:     prefix,
+		Hash:       hash,
+		Expiration: expiration,
+	}
+
+	if err := h.db.Save(&key).Error; err != nil {
+		return "", nil, fmt.Errorf("failed to save API key to database: %w", err)
+	}
+
+	return keyStr, &key, nil
+}
+
+// ListAPIKeys returns the list of ApiKeys for a user.
+func (h *Headscale) ListAPIKeys() ([]APIKey, error) {
+	keys := []APIKey{}
+	if err := h.db.Find(&keys).Error; err != nil {
+		return nil, err
+	}
+
+	return keys, nil
+}
+
+// GetAPIKey returns a ApiKey for a given key.
+func (h *Headscale) GetAPIKey(prefix string) (*APIKey, error) {
+	key := APIKey{}
+	if result := h.db.First(&key, "prefix = ?", prefix); result.Error != nil {
+		return nil, result.Error
+	}
+
+	return &key, nil
+}
+
+// GetAPIKeyByID returns a ApiKey for a given id.
+func (h *Headscale) GetAPIKeyByID(id uint64) (*APIKey, error) {
+	key := APIKey{}
+	if result := h.db.Find(&APIKey{ID: id}).First(&key); result.Error != nil {
+		return nil, result.Error
+	}
+
+	return &key, nil
+}
+
+// DestroyAPIKey destroys a ApiKey. Returns error if the ApiKey
+// does not exist.
+func (h *Headscale) DestroyAPIKey(key APIKey) error {
+	if result := h.db.Unscoped().Delete(key); result.Error != nil {
+		return result.Error
+	}
+
+	return nil
+}
+
+// ExpireAPIKey marks a ApiKey as expired.
+func (h *Headscale) ExpireAPIKey(key *APIKey) error {
+	if err := h.db.Model(&key).Update("Expiration", time.Now()).Error; err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (h *Headscale) ValidateAPIKey(keyStr string) (bool, error) {
+	prefix, hash, found := strings.Cut(keyStr, ".")
+	if !found {
+		return false, ErrAPIKeyFailedToParse
+	}
+
+	key, err := h.GetAPIKey(prefix)
+	if err != nil {
+		return false, fmt.Errorf("failed to validate api key: %w", err)
+	}
+
+	if key.Expiration.Before(time.Now()) {
+		return false, nil
+	}
+
+	if err := bcrypt.CompareHashAndPassword(key.Hash, []byte(hash)); err != nil {
+		return false, err
+	}
+
+	return true, nil
+}
+
+func (key *APIKey) toProto() *v1.ApiKey {
+	protoKey := v1.ApiKey{
+		Id:     key.ID,
+		Prefix: key.Prefix,
+	}
+
+	if key.Expiration != nil {
+		protoKey.Expiration = timestamppb.New(*key.Expiration)
+	}
+
+	if key.CreatedAt != nil {
+		protoKey.CreatedAt = timestamppb.New(*key.CreatedAt)
+	}
+
+	if key.LastSeen != nil {
+		protoKey.LastSeen = timestamppb.New(*key.LastSeen)
+	}
+
+	return &protoKey
+}

api_key_test.go

@@ -0,0 +1,89 @@
+package headscale
+
+import (
+	"time"
+
+	"gopkg.in/check.v1"
+)
+
+func (*Suite) TestCreateAPIKey(c *check.C) {
+	apiKeyStr, apiKey, err := app.CreateAPIKey(nil)
+	c.Assert(err, check.IsNil)
+	c.Assert(apiKey, check.NotNil)
+
+	// Did we get a valid key?
+	c.Assert(apiKey.Prefix, check.NotNil)
+	c.Assert(apiKey.Hash, check.NotNil)
+	c.Assert(apiKeyStr, check.Not(check.Equals), "")
+
+	_, err = app.ListAPIKeys()
+	c.Assert(err, check.IsNil)
+
+	keys, err := app.ListAPIKeys()
+	c.Assert(err, check.IsNil)
+	c.Assert(len(keys), check.Equals, 1)
+}
+
+func (*Suite) TestAPIKeyDoesNotExist(c *check.C) {
+	key, err := app.GetAPIKey("does-not-exist")
+	c.Assert(err, check.NotNil)
+	c.Assert(key, check.IsNil)
+}
+
+func (*Suite) TestValidateAPIKeyOk(c *check.C) {
+	nowPlus2 := time.Now().Add(2 * time.Hour)
+	apiKeyStr, apiKey, err := app.CreateAPIKey(&nowPlus2)
+	c.Assert(err, check.IsNil)
+	c.Assert(apiKey, check.NotNil)
+
+	valid, err := app.ValidateAPIKey(apiKeyStr)
+	c.Assert(err, check.IsNil)
+	c.Assert(valid, check.Equals, true)
+}
+
+func (*Suite) TestValidateAPIKeyNotOk(c *check.C) {
+	nowMinus2 := time.Now().Add(time.Duration(-2) * time.Hour)
+	apiKeyStr, apiKey, err := app.CreateAPIKey(&nowMinus2)
+	c.Assert(err, check.IsNil)
+	c.Assert(apiKey, check.NotNil)
+
+	valid, err := app.ValidateAPIKey(apiKeyStr)
+	c.Assert(err, check.IsNil)
+	c.Assert(valid, check.Equals, false)
+
+	now := time.Now()
+	apiKeyStrNow, apiKey, err := app.CreateAPIKey(&now)
+	c.Assert(err, check.IsNil)
+	c.Assert(apiKey, check.NotNil)
+
+	validNow, err := app.ValidateAPIKey(apiKeyStrNow)
+	c.Assert(err, check.IsNil)
+	c.Assert(validNow, check.Equals, false)
+
+	validSilly, err := app.ValidateAPIKey("nota.validkey")
+	c.Assert(err, check.NotNil)
+	c.Assert(validSilly, check.Equals, false)
+
+	validWithErr, err := app.ValidateAPIKey("produceerrorkey")
+	c.Assert(err, check.NotNil)
+	c.Assert(validWithErr, check.Equals, false)
+}
+
+func (*Suite) TestExpireAPIKey(c *check.C) {
+	nowPlus2 := time.Now().Add(2 * time.Hour)
+	apiKeyStr, apiKey, err := app.CreateAPIKey(&nowPlus2)
+	c.Assert(err, check.IsNil)
+	c.Assert(apiKey, check.NotNil)
+
+	valid, err := app.ValidateAPIKey(apiKeyStr)
+	c.Assert(err, check.IsNil)
+	c.Assert(valid, check.Equals, true)
+
+	err = app.ExpireAPIKey(apiKey)
+	c.Assert(err, check.IsNil)
+	c.Assert(apiKey.Expiration, check.NotNil)
+
+	notValid, err := app.ValidateAPIKey(apiKeyStr)
+	c.Assert(err, check.IsNil)
+	c.Assert(notValid, check.Equals, false)
+}

app_test.go

@@ -1,12 +1,11 @@
 package headscale
 
 import (
-	"io/ioutil"
+	"net/netip"
 	"os"
 	"testing"
 
 	"gopkg.in/check.v1"
-	"inet.af/netaddr"
 )
 
 func Test(t *testing.T) {
@@ -17,8 +16,10 @@ var _ = check.Suite(&Suite{})
 
 type Suite struct{}
 
-var tmpDir string
-var h Headscale
+var (
+	tmpDir string
+	app    Headscale
+)
 
 func (s *Suite) SetUpTest(c *check.C) {
 	s.ResetDB(c)
@@ -33,26 +34,28 @@ func (s *Suite) ResetDB(c *check.C) {
 		os.RemoveAll(tmpDir)
 	}
 	var err error
-	tmpDir, err = ioutil.TempDir("", "autoygg-client-test")
+	tmpDir, err = os.MkdirTemp("", "autoygg-client-test")
 	if err != nil {
 		c.Fatal(err)
 	}
 	cfg := Config{
-		IPPrefix: netaddr.MustParseIPPrefix("10.27.0.0/23"),
+		IPPrefixes: []netip.Prefix{
+			netip.MustParsePrefix("10.27.0.0/23"),
+		},
 	}
 
-	h = Headscale{
-		cfg:      cfg,
+	app = Headscale{
+		cfg:      &cfg,
 		dbType:   "sqlite3",
 		dbString: tmpDir + "/headscale_test.db",
 	}
-	err = h.initDB()
+	err = app.initDB()
 	if err != nil {
 		c.Fatal(err)
 	}
-	db, err := h.openDB()
+	db, err := app.openDB()
 	if err != nil {
 		c.Fatal(err)
 	}
-	h.db = db
+	app.db = db
 }

apple_mobileconfig.go

@@ -1,226 +0,0 @@
-package headscale
-
-import (
-	"bytes"
-	"net/http"
-	"text/template"
-
-	"github.com/rs/zerolog/log"
-
-	"github.com/gin-gonic/gin"
-	"github.com/gofrs/uuid"
-)
-
-// AppleMobileConfig shows a simple message in the browser to point to the CLI
-// Listens in /register
-func (h *Headscale) AppleMobileConfig(c *gin.Context) {
-	t := template.Must(template.New("apple").Parse(`
-<html>
-	<body>
-		<h1>Apple configuration profiles</h1>
-		<p>
-		    This page provides <a href="https://support.apple.com/guide/mdm/mdm-overview-mdmbf9e668/web">configuration profiles</a> for the official Tailscale clients for <a href="https://apps.apple.com/us/app/tailscale/id1470499037?ls=1">iOS</a> and <a href="https://apps.apple.com/ca/app/tailscale/id1475387142?mt=12">macOS</a>.
-		</p>
-		<p>
-		    The profiles will configure Tailscale.app to use {{.Url}} as its control server.
-		</p>
-
-		<h3>Caution</h3>
-		<p>You should always inspect the profile before installing it:</p>
-		<!--
-		<p><code>curl {{.Url}}/apple/ios</code></p>
-		-->
-		<p><code>curl {{.Url}}/apple/macos</code></p>
-		
-		<h2>Profiles</h2>
-
-		<!--
-		<h3>iOS</h3>
-		<p>
-		    <a href="/apple/ios" download="headscale_ios.mobileconfig">iOS profile</a>
-		</p>
-		-->
-		
-		<h3>macOS</h3>
-		<p>Headscale can be set to the default server by installing a Headscale configuration profile:</p>
-		<p>
-		    <a href="/apple/macos" download="headscale_macos.mobileconfig">macOS profile</a>
-		</p>
-
-		<ol>
-		<li>Download the profile, then open it. When it has been opened, there should be a notification that a profile can be installed</li>
-		<li>Open System Preferences and go to "Profiles"</li>
-		<li>Find and install the Headscale profile</li>
-		<li>Restart Tailscale.app and log in</li>
-		</ol>
-
-		<p>Or</p>
-		<p>Use your terminal to configure the default setting for Tailscale by issuing:</p>
-		<code>defaults write io.tailscale.ipn.macos ControlURL {{.Url}}</code>
-
-		<p>Restart Tailscale.app and log in.</p>
-	
-	</body>
-</html>`))
-
-	config := map[string]interface{}{
-		"Url": h.cfg.ServerURL,
-	}
-
-	var payload bytes.Buffer
-	if err := t.Execute(&payload, config); err != nil {
-		log.Error().
-			Str("handler", "AppleMobileConfig").
-			Err(err).
-			Msg("Could not render Apple index template")
-		c.Data(http.StatusInternalServerError, "text/html; charset=utf-8", []byte("Could not render Apple index template"))
-		return
-	}
-
-	c.Data(http.StatusOK, "text/html; charset=utf-8", payload.Bytes())
-}
-
-func (h *Headscale) ApplePlatformConfig(c *gin.Context) {
-	platform := c.Param("platform")
-
-	id, err := uuid.NewV4()
-	if err != nil {
-		log.Error().
-			Str("handler", "ApplePlatformConfig").
-			Err(err).
-			Msg("Failed not create UUID")
-		c.Data(http.StatusInternalServerError, "text/html; charset=utf-8", []byte("Failed to create UUID"))
-		return
-	}
-
-	contentId, err := uuid.NewV4()
-	if err != nil {
-		log.Error().
-			Str("handler", "ApplePlatformConfig").
-			Err(err).
-			Msg("Failed not create UUID")
-		c.Data(http.StatusInternalServerError, "text/html; charset=utf-8", []byte("Failed to create UUID"))
-		return
-	}
-
-	platformConfig := AppleMobilePlatformConfig{
-		UUID: contentId,
-		Url:  h.cfg.ServerURL,
-	}
-
-	var payload bytes.Buffer
-
-	switch platform {
-	case "macos":
-		if err := macosTemplate.Execute(&payload, platformConfig); err != nil {
-			log.Error().
-				Str("handler", "ApplePlatformConfig").
-				Err(err).
-				Msg("Could not render Apple macOS template")
-			c.Data(http.StatusInternalServerError, "text/html; charset=utf-8", []byte("Could not render Apple macOS template"))
-			return
-		}
-	case "ios":
-		if err := iosTemplate.Execute(&payload, platformConfig); err != nil {
-			log.Error().
-				Str("handler", "ApplePlatformConfig").
-				Err(err).
-				Msg("Could not render Apple iOS template")
-			c.Data(http.StatusInternalServerError, "text/html; charset=utf-8", []byte("Could not render Apple iOS template"))
-			return
-		}
-	default:
-		c.Data(http.StatusOK, "text/html; charset=utf-8", []byte("Invalid platform, only ios and macos is supported"))
-		return
-	}
-
-	config := AppleMobileConfig{
-		UUID:    id,
-		Url:     h.cfg.ServerURL,
-		Payload: payload.String(),
-	}
-
-	var content bytes.Buffer
-	if err := commonTemplate.Execute(&content, config); err != nil {
-		log.Error().
-			Str("handler", "ApplePlatformConfig").
-			Err(err).
-			Msg("Could not render Apple platform template")
-		c.Data(http.StatusInternalServerError, "text/html; charset=utf-8", []byte("Could not render Apple platform template"))
-		return
-	}
-
-	c.Data(http.StatusOK, "application/x-apple-aspen-config; charset=utf-8", content.Bytes())
-}
-
-type AppleMobileConfig struct {
-	UUID    uuid.UUID
-	Url     string
-	Payload string
-}
-
-type AppleMobilePlatformConfig struct {
-	UUID uuid.UUID
-	Url  string
-}
-
-var commonTemplate = template.Must(template.New("mobileconfig").Parse(`<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-  <dict>
-    <key>PayloadUUID</key>
-    <string>{{.UUID}}</string>
-    <key>PayloadDisplayName</key>
-    <string>Headscale</string>
-    <key>PayloadDescription</key>
-    <string>Configure Tailscale login server to: {{.Url}}</string>
-    <key>PayloadIdentifier</key>
-    <string>com.github.juanfont.headscale</string>
-    <key>PayloadRemovalDisallowed</key>
-    <false/>
-    <key>PayloadType</key>
-    <string>Configuration</string>
-    <key>PayloadVersion</key>
-    <integer>1</integer>
-    <key>PayloadContent</key>
-    <array>
-    {{.Payload}}
-    </array>
-  </dict>
-</plist>`))
-
-var iosTemplate = template.Must(template.New("iosTemplate").Parse(`
-    <dict>
-        <key>PayloadType</key>
-        <string>io.tailscale.ipn.ios</string>
-        <key>PayloadUUID</key>
-        <string>{{.UUID}}</string>
-        <key>PayloadIdentifier</key>
-        <string>com.github.juanfont.headscale</string>
-        <key>PayloadVersion</key>
-        <integer>1</integer>
-        <key>PayloadEnabled</key>
-        <true/>
-
-        <key>ControlURL</key>
-        <string>{{.Url}}</string>
-    </dict>
-`))
-
-var macosTemplate = template.Must(template.New("macosTemplate").Parse(`
-    <dict>
-        <key>PayloadType</key>
-        <string>io.tailscale.ipn.macos</string>
-        <key>PayloadUUID</key>
-        <string>{{.UUID}}</string>
-        <key>PayloadIdentifier</key>
-        <string>com.github.juanfont.headscale</string>
-        <key>PayloadVersion</key>
-        <integer>1</integer>
-        <key>PayloadEnabled</key>
-        <true/>
-
-        <key>ControlURL</key>
-        <string>{{.Url}}</string>
-    </dict>
-`))

buf.gen.yaml

@@ -0,0 +1,21 @@
+version: v1
+plugins:
+  - name: go
+    out: gen/go
+    opt:
+      - paths=source_relative
+  - name: go-grpc
+    out: gen/go
+    opt:
+      - paths=source_relative
+  - name: grpc-gateway
+    out: gen/go
+    opt:
+      - paths=source_relative
+      - generate_unbound_methods=true
+  # - name: gorm
+  #   out: gen/go
+  #   opt:
+  #     - paths=source_relative,enums=string,gateway=true
+  - name: openapiv2
+    out: gen/openapiv2

cli.go

@@ -1,40 +0,0 @@
-package headscale
-
-import (
-	"errors"
-
-	"gorm.io/gorm"
-	"tailscale.com/types/wgkey"
-)
-
-// RegisterMachine is executed from the CLI to register a new Machine using its MachineKey
-func (h *Headscale) RegisterMachine(key string, namespace string) (*Machine, error) {
-	ns, err := h.GetNamespace(namespace)
-	if err != nil {
-		return nil, err
-	}
-	mKey, err := wgkey.ParseHex(key)
-	if err != nil {
-		return nil, err
-	}
-
-	m := Machine{}
-	if result := h.db.First(&m, "machine_key = ?", mKey.HexString()); errors.Is(result.Error, gorm.ErrRecordNotFound) {
-		return nil, errors.New("Machine not found")
-	}
-
-	if m.isAlreadyRegistered() {
-		return nil, errors.New("Machine already registered")
-	}
-
-	ip, err := h.getAvailableIP()
-	if err != nil {
-		return nil, err
-	}
-	m.IPAddress = ip.String()
-	m.NamespaceID = ns.ID
-	m.Registered = true
-	m.RegisterMethod = "cli"
-	h.db.Save(&m)
-	return &m, nil
-}

cli_test.go

@@ -1,31 +0,0 @@
-package headscale
-
-import (
-	"gopkg.in/check.v1"
-)
-
-func (s *Suite) TestRegisterMachine(c *check.C) {
-	n, err := h.CreateNamespace("test")
-	c.Assert(err, check.IsNil)
-
-	m := Machine{
-		ID:          0,
-		MachineKey:  "8ce002a935f8c394e55e78fbbb410576575ff8ec5cfa2e627e4b807f1be15b0e",
-		NodeKey:     "bar",
-		DiscoKey:    "faa",
-		Name:        "testmachine",
-		NamespaceID: n.ID,
-		IPAddress:   "10.0.0.1",
-	}
-	h.db.Save(&m)
-
-	_, err = h.GetMachine("test", "testmachine")
-	c.Assert(err, check.IsNil)
-
-	m2, err := h.RegisterMachine("8ce002a935f8c394e55e78fbbb410576575ff8ec5cfa2e627e4b807f1be15b0e", n.Name)
-	c.Assert(err, check.IsNil)
-	c.Assert(m2.Registered, check.Equals, true)
-
-	_, err = m2.GetHostInfo()
-	c.Assert(err, check.IsNil)
-}

cmd/gh-action-integration-generator/main.go

@@ -0,0 +1,114 @@
+package main
+
+//go:generate go run ./main.go
+
+import (
+	"bytes"
+	"fmt"
+	"log"
+	"os"
+	"text/template"
+)
+
+var (
+	jobFileNameTemplate = `test-integration-v2-%s.yaml`
+	jobTemplate         = template.Must(template.New("jobTemplate").Parse(`
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - {{.Name}}
+
+on: [pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              golang:1 \
+                go test ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^{{.Name}}$"
+`))
+)
+
+const workflowFilePerm = 0o600
+
+func main() {
+	type testConfig struct {
+		Name string
+	}
+
+	// TODO(kradalby): automatic fetch tests at runtime
+	tests := []string{
+		"TestAuthKeyLogoutAndRelogin",
+		"TestAuthWebFlowAuthenticationPingAll",
+		"TestAuthWebFlowLogoutAndRelogin",
+		"TestCreateTailscale",
+		"TestEnablingRoutes",
+		"TestHeadscale",
+		"TestUserCommand",
+		"TestOIDCAuthenticationPingAll",
+		"TestOIDCExpireNodes",
+		"TestPingAllByHostname",
+		"TestPingAllByIP",
+		"TestPreAuthKeyCommand",
+		"TestPreAuthKeyCommandReusableEphemeral",
+		"TestPreAuthKeyCommandWithoutExpiry",
+		"TestResolveMagicDNS",
+		"TestSSHIsBlockedInACL",
+		"TestSSHMultipleUsersAllToAll",
+		"TestSSHNoSSHConfigured",
+		"TestSSHOneUserAllToAll",
+		"TestSSUserOnlyIsolation",
+		"TestTaildrop",
+		"TestTailscaleNodesJoiningHeadcale",
+	}
+
+	for _, test := range tests {
+		var content bytes.Buffer
+
+		if err := jobTemplate.Execute(&content, testConfig{
+			Name: test,
+		}); err != nil {
+			log.Fatalf("failed to render template: %s", err)
+		}
+
+		path := "../../.github/workflows/" + fmt.Sprintf(jobFileNameTemplate, test)
+
+		err := os.WriteFile(path, content.Bytes(), workflowFilePerm)
+		if err != nil {
+			log.Fatalf("failed to write github job: %s", err)
+		}
+	}
+}

cmd/headscale/cli/api_key.go

@@ -0,0 +1,201 @@
+package cli
+
+import (
+	"fmt"
+	"strconv"
+	"time"
+
+	"github.com/juanfont/headscale"
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/prometheus/common/model"
+	"github.com/pterm/pterm"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+	"google.golang.org/protobuf/types/known/timestamppb"
+)
+
+const (
+	// 90 days.
+	DefaultAPIKeyExpiry = "90d"
+)
+
+func init() {
+	rootCmd.AddCommand(apiKeysCmd)
+	apiKeysCmd.AddCommand(listAPIKeys)
+
+	createAPIKeyCmd.Flags().
+		StringP("expiration", "e", DefaultAPIKeyExpiry, "Human-readable expiration of the key (e.g. 30m, 24h)")
+
+	apiKeysCmd.AddCommand(createAPIKeyCmd)
+
+	expireAPIKeyCmd.Flags().StringP("prefix", "p", "", "ApiKey prefix")
+	err := expireAPIKeyCmd.MarkFlagRequired("prefix")
+	if err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+	apiKeysCmd.AddCommand(expireAPIKeyCmd)
+}
+
+var apiKeysCmd = &cobra.Command{
+	Use:     "apikeys",
+	Short:   "Handle the Api keys in Headscale",
+	Aliases: []string{"apikey", "api"},
+}
+
+var listAPIKeys = &cobra.Command{
+	Use:     "list",
+	Short:   "List the Api keys for headscale",
+	Aliases: []string{"ls", "show"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.ListApiKeysRequest{}
+
+		response, err := client.ListApiKeys(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting the list of keys: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		if output != "" {
+			SuccessOutput(response.ApiKeys, "", output)
+
+			return
+		}
+
+		tableData := pterm.TableData{
+			{"ID", "Prefix", "Expiration", "Created"},
+		}
+		for _, key := range response.ApiKeys {
+			expiration := "-"
+
+			if key.GetExpiration() != nil {
+				expiration = ColourTime(key.Expiration.AsTime())
+			}
+
+			tableData = append(tableData, []string{
+				strconv.FormatUint(key.GetId(), headscale.Base10),
+				key.GetPrefix(),
+				expiration,
+				key.GetCreatedAt().AsTime().Format(HeadscaleDateTimeFormat),
+			})
+
+		}
+		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Failed to render pterm table: %s", err),
+				output,
+			)
+
+			return
+		}
+	},
+}
+
+var createAPIKeyCmd = &cobra.Command{
+	Use:   "create",
+	Short: "Creates a new Api key",
+	Long: `
+Creates a new Api key, the Api key is only visible on creation
+and cannot be retrieved again.
+If you loose a key, create a new one and revoke (expire) the old one.`,
+	Aliases: []string{"c", "new"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		log.Trace().
+			Msg("Preparing to create ApiKey")
+
+		request := &v1.CreateApiKeyRequest{}
+
+		durationStr, _ := cmd.Flags().GetString("expiration")
+
+		duration, err := model.ParseDuration(durationStr)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Could not parse duration: %s\n", err),
+				output,
+			)
+
+			return
+		}
+
+		expiration := time.Now().UTC().Add(time.Duration(duration))
+
+		log.Trace().
+			Dur("expiration", time.Duration(duration)).
+			Msg("expiration has been set")
+
+		request.Expiration = timestamppb.New(expiration)
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		response, err := client.CreateApiKey(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot create Api Key: %s\n", err),
+				output,
+			)
+
+			return
+		}
+
+		SuccessOutput(response.ApiKey, response.ApiKey, output)
+	},
+}
+
+var expireAPIKeyCmd = &cobra.Command{
+	Use:     "expire",
+	Short:   "Expire an ApiKey",
+	Aliases: []string{"revoke", "exp", "e"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		prefix, err := cmd.Flags().GetString("prefix")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting prefix from CLI flag: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.ExpireApiKeyRequest{
+			Prefix: prefix,
+		}
+
+		response, err := client.ExpireApiKey(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot expire Api Key: %s\n", err),
+				output,
+			)
+
+			return
+		}
+
+		SuccessOutput(response, "Key expired", output)
+	},
+}

cmd/headscale/cli/debug.go

@@ -0,0 +1,138 @@
+package cli
+
+import (
+	"fmt"
+
+	"github.com/juanfont/headscale"
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+)
+
+const (
+	errPreAuthKeyMalformed = Error("key is malformed. expected 64 hex characters with `nodekey` prefix")
+)
+
+// Error is used to compare errors as per https://dave.cheney.net/2016/04/07/constant-errors
+type Error string
+
+func (e Error) Error() string { return string(e) }
+
+func init() {
+	rootCmd.AddCommand(debugCmd)
+
+	createNodeCmd.Flags().StringP("name", "", "", "Name")
+	err := createNodeCmd.MarkFlagRequired("name")
+	if err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+	createNodeCmd.Flags().StringP("user", "u", "", "User")
+
+	createNodeCmd.Flags().StringP("namespace", "n", "", "User")
+	createNodeNamespaceFlag := createNodeCmd.Flags().Lookup("namespace")
+	createNodeNamespaceFlag.Deprecated = deprecateNamespaceMessage
+	createNodeNamespaceFlag.Hidden = true
+
+	err = createNodeCmd.MarkFlagRequired("user")
+	if err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+	createNodeCmd.Flags().StringP("key", "k", "", "Key")
+	err = createNodeCmd.MarkFlagRequired("key")
+	if err != nil {
+		log.Fatal().Err(err).Msg("")
+	}
+	createNodeCmd.Flags().
+		StringSliceP("route", "r", []string{}, "List (or repeated flags) of routes to advertise")
+
+	debugCmd.AddCommand(createNodeCmd)
+}
+
+var debugCmd = &cobra.Command{
+	Use:   "debug",
+	Short: "debug and testing commands",
+	Long:  "debug contains extra commands used for debugging and testing headscale",
+}
+
+var createNodeCmd = &cobra.Command{
+	Use:   "create-node",
+	Short: "Create a node (machine) that can be registered with `nodes register <>` command",
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		user, err := cmd.Flags().GetString("user")
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
+
+			return
+		}
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		name, err := cmd.Flags().GetString("name")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting node from flag: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		machineKey, err := cmd.Flags().GetString("key")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting key from flag: %s", err),
+				output,
+			)
+
+			return
+		}
+		if !headscale.NodePublicKeyRegex.Match([]byte(machineKey)) {
+			err = errPreAuthKeyMalformed
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		routes, err := cmd.Flags().GetStringSlice("route")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting routes from flag: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		request := &v1.DebugCreateMachineRequest{
+			Key:    machineKey,
+			Name:   name,
+			User:   user,
+			Routes: routes,
+		}
+
+		response, err := client.DebugCreateMachine(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot create machine: %s", status.Convert(err).Message()),
+				output,
+			)
+
+			return
+		}
+
+		SuccessOutput(response.Machine, "Machine created", output)
+	},
+}

cmd/headscale/cli/dump_config.go

@@ -0,0 +1,28 @@
+package cli
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+func init() {
+	rootCmd.AddCommand(dumpConfigCmd)
+}
+
+var dumpConfigCmd = &cobra.Command{
+	Use:    "dumpConfig",
+	Short:  "dump current config to /etc/headscale/config.dump.yaml, integration test only",
+	Hidden: true,
+	Args: func(cmd *cobra.Command, args []string) error {
+		return nil
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		err := viper.WriteConfigAs("/etc/headscale/config.dump.yaml")
+		if err != nil {
+			//nolint
+			fmt.Println("Failed to dump config")
+		}
+	},
+}

cmd/headscale/cli/generate.go

@@ -0,0 +1,42 @@
+package cli
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"tailscale.com/types/key"
+)
+
+func init() {
+	rootCmd.AddCommand(generateCmd)
+	generateCmd.AddCommand(generatePrivateKeyCmd)
+}
+
+var generateCmd = &cobra.Command{
+	Use:     "generate",
+	Short:   "Generate commands",
+	Aliases: []string{"gen"},
+}
+
+var generatePrivateKeyCmd = &cobra.Command{
+	Use:   "private-key",
+	Short: "Generate a private key for the headscale server",
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+		machineKey := key.NewMachine()
+
+		machineKeyStr, err := machineKey.MarshalText()
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting machine key from flag: %s", err),
+				output,
+			)
+		}
+
+		SuccessOutput(map[string]string{
+			"private_key": string(machineKeyStr),
+		},
+			string(machineKeyStr), output)
+	},
+}

cmd/headscale/cli/mockoidc.go

@@ -0,0 +1,115 @@
+package cli
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"strconv"
+	"time"
+
+	"github.com/oauth2-proxy/mockoidc"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+)
+
+const (
+	errMockOidcClientIDNotDefined     = Error("MOCKOIDC_CLIENT_ID not defined")
+	errMockOidcClientSecretNotDefined = Error("MOCKOIDC_CLIENT_SECRET not defined")
+	errMockOidcPortNotDefined         = Error("MOCKOIDC_PORT not defined")
+	refreshTTL                        = 60 * time.Minute
+)
+
+var accessTTL = 2 * time.Minute
+
+func init() {
+	rootCmd.AddCommand(mockOidcCmd)
+}
+
+var mockOidcCmd = &cobra.Command{
+	Use:   "mockoidc",
+	Short: "Runs a mock OIDC server for testing",
+	Long:  "This internal command runs a OpenID Connect for testing purposes",
+	Run: func(cmd *cobra.Command, args []string) {
+		err := mockOIDC()
+		if err != nil {
+			log.Error().Err(err).Msgf("Error running mock OIDC server")
+			os.Exit(1)
+		}
+	},
+}
+
+func mockOIDC() error {
+	clientID := os.Getenv("MOCKOIDC_CLIENT_ID")
+	if clientID == "" {
+		return errMockOidcClientIDNotDefined
+	}
+	clientSecret := os.Getenv("MOCKOIDC_CLIENT_SECRET")
+	if clientSecret == "" {
+		return errMockOidcClientSecretNotDefined
+	}
+	addrStr := os.Getenv("MOCKOIDC_ADDR")
+	if addrStr == "" {
+		return errMockOidcPortNotDefined
+	}
+	portStr := os.Getenv("MOCKOIDC_PORT")
+	if portStr == "" {
+		return errMockOidcPortNotDefined
+	}
+	accessTTLOverride := os.Getenv("MOCKOIDC_ACCESS_TTL")
+	if accessTTLOverride != "" {
+		newTTL, err := time.ParseDuration(accessTTLOverride)
+		if err != nil {
+			return err
+		}
+		accessTTL = newTTL
+	}
+
+	log.Info().Msgf("Access token TTL: %s", accessTTL)
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return err
+	}
+
+	mock, err := getMockOIDC(clientID, clientSecret)
+	if err != nil {
+		return err
+	}
+
+	listener, err := net.Listen("tcp", fmt.Sprintf("%s:%d", addrStr, port))
+	if err != nil {
+		return err
+	}
+
+	err = mock.Start(listener, nil)
+	if err != nil {
+		return err
+	}
+	log.Info().Msgf("Mock OIDC server listening on %s", listener.Addr().String())
+	log.Info().Msgf("Issuer: %s", mock.Issuer())
+	c := make(chan struct{})
+	<-c
+
+	return nil
+}
+
+func getMockOIDC(clientID string, clientSecret string) (*mockoidc.MockOIDC, error) {
+	keypair, err := mockoidc.NewKeypair(nil)
+	if err != nil {
+		return nil, err
+	}
+
+	mock := mockoidc.MockOIDC{
+		ClientID:                      clientID,
+		ClientSecret:                  clientSecret,
+		AccessTTL:                     accessTTL,
+		RefreshTTL:                    refreshTTL,
+		CodeChallengeMethodsSupported: []string{"plain", "S256"},
+		Keypair:                       keypair,
+		SessionStore:                  mockoidc.NewSessionStore(),
+		UserQueue:                     &mockoidc.UserQueue{},
+		ErrorQueue:                    &mockoidc.ErrorQueue{},
+	}
+
+	return &mock, nil
+}

cmd/headscale/cli/namespaces.go

@@ -1,109 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"log"
-	"strconv"
-	"strings"
-
-	"github.com/pterm/pterm"
-	"github.com/spf13/cobra"
-)
-
-func init() {
-	rootCmd.AddCommand(namespaceCmd)
-	namespaceCmd.AddCommand(createNamespaceCmd)
-	namespaceCmd.AddCommand(listNamespacesCmd)
-	namespaceCmd.AddCommand(destroyNamespaceCmd)
-}
-
-var namespaceCmd = &cobra.Command{
-	Use:   "namespaces",
-	Short: "Manage the namespaces of Headscale",
-}
-
-var createNamespaceCmd = &cobra.Command{
-	Use:   "create NAME",
-	Short: "Creates a new namespace",
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 {
-			return fmt.Errorf("Missing parameters")
-		}
-		return nil
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		o, _ := cmd.Flags().GetString("output")
-		h, err := getHeadscaleApp()
-		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
-		}
-		namespace, err := h.CreateNamespace(args[0])
-		if strings.HasPrefix(o, "json") {
-			JsonOutput(namespace, err, o)
-			return
-		}
-		if err != nil {
-			fmt.Printf("Error creating namespace: %s\n", err)
-			return
-		}
-		fmt.Printf("Namespace created\n")
-	},
-}
-
-var destroyNamespaceCmd = &cobra.Command{
-	Use:   "destroy NAME",
-	Short: "Destroys a namespace",
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 {
-			return fmt.Errorf("Missing parameters")
-		}
-		return nil
-	},
-	Run: func(cmd *cobra.Command, args []string) {
-		o, _ := cmd.Flags().GetString("output")
-		h, err := getHeadscaleApp()
-		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
-		}
-		err = h.DestroyNamespace(args[0])
-		if strings.HasPrefix(o, "json") {
-			JsonOutput(map[string]string{"Result": "Namespace destroyed"}, err, o)
-			return
-		}
-		if err != nil {
-			fmt.Printf("Error destroying namespace: %s\n", err)
-			return
-		}
-		fmt.Printf("Namespace destroyed\n")
-	},
-}
-
-var listNamespacesCmd = &cobra.Command{
-	Use:   "list",
-	Short: "List all the namespaces",
-	Run: func(cmd *cobra.Command, args []string) {
-		o, _ := cmd.Flags().GetString("output")
-		h, err := getHeadscaleApp()
-		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
-		}
-		namespaces, err := h.ListNamespaces()
-		if strings.HasPrefix(o, "json") {
-			JsonOutput(namespaces, err, o)
-			return
-		}
-		if err != nil {
-			fmt.Println(err)
-			return
-		}
-
-		d := pterm.TableData{{"ID", "Name", "Created"}}
-		for _, n := range *namespaces {
-			d = append(d, []string{strconv.FormatUint(uint64(n.ID), 10), n.Name, n.CreatedAt.Format("2006-01-02 15:04:05")})
-		}
-		err = pterm.DefaultTable.WithHasHeader().WithData(d).Render()
-		if err != nil {
-			log.Fatal(err)
-		}
-	},
-}

cmd/headscale/cli/nodes.go

@@ -3,151 +3,369 @@ package cli
 import (
 	"fmt"
 	"log"
+	"net/netip"
 	"strconv"
 	"strings"
 	"time"
 
 	survey "github.com/AlecAivazis/survey/v2"
 	"github.com/juanfont/headscale"
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/wgkey"
+	"google.golang.org/grpc/status"
+	"tailscale.com/types/key"
 )
 
 func init() {
 	rootCmd.AddCommand(nodeCmd)
-	nodeCmd.PersistentFlags().StringP("namespace", "n", "", "Namespace")
-	err := nodeCmd.MarkPersistentFlagRequired("namespace")
+	listNodesCmd.Flags().StringP("user", "u", "", "Filter by user")
+	listNodesCmd.Flags().BoolP("tags", "t", false, "Show tags")
+
+	listNodesCmd.Flags().StringP("namespace", "n", "", "User")
+	listNodesNamespaceFlag := listNodesCmd.Flags().Lookup("namespace")
+	listNodesNamespaceFlag.Deprecated = deprecateNamespaceMessage
+	listNodesNamespaceFlag.Hidden = true
+
+	nodeCmd.AddCommand(listNodesCmd)
+
+	registerNodeCmd.Flags().StringP("user", "u", "", "User")
+
+	registerNodeCmd.Flags().StringP("namespace", "n", "", "User")
+	registerNodeNamespaceFlag := registerNodeCmd.Flags().Lookup("namespace")
+	registerNodeNamespaceFlag.Deprecated = deprecateNamespaceMessage
+	registerNodeNamespaceFlag.Hidden = true
+
+	err := registerNodeCmd.MarkFlagRequired("user")
+	if err != nil {
+		log.Fatalf(err.Error())
+	}
+	registerNodeCmd.Flags().StringP("key", "k", "", "Key")
+	err = registerNodeCmd.MarkFlagRequired("key")
 	if err != nil {
 		log.Fatalf(err.Error())
 	}
-	nodeCmd.AddCommand(listNodesCmd)
 	nodeCmd.AddCommand(registerNodeCmd)
+
+	expireNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
+	err = expireNodeCmd.MarkFlagRequired("identifier")
+	if err != nil {
+		log.Fatalf(err.Error())
+	}
+	nodeCmd.AddCommand(expireNodeCmd)
+
+	renameNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
+	err = renameNodeCmd.MarkFlagRequired("identifier")
+	if err != nil {
+		log.Fatalf(err.Error())
+	}
+	nodeCmd.AddCommand(renameNodeCmd)
+
+	deleteNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
+	err = deleteNodeCmd.MarkFlagRequired("identifier")
+	if err != nil {
+		log.Fatalf(err.Error())
+	}
 	nodeCmd.AddCommand(deleteNodeCmd)
-	nodeCmd.AddCommand(shareMachineCmd)
+
+	moveNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
+
+	err = moveNodeCmd.MarkFlagRequired("identifier")
+	if err != nil {
+		log.Fatalf(err.Error())
+	}
+
+	moveNodeCmd.Flags().StringP("user", "u", "", "New user")
+
+	moveNodeCmd.Flags().StringP("namespace", "n", "", "User")
+	moveNodeNamespaceFlag := moveNodeCmd.Flags().Lookup("namespace")
+	moveNodeNamespaceFlag.Deprecated = deprecateNamespaceMessage
+	moveNodeNamespaceFlag.Hidden = true
+
+	err = moveNodeCmd.MarkFlagRequired("user")
+	if err != nil {
+		log.Fatalf(err.Error())
+	}
+	nodeCmd.AddCommand(moveNodeCmd)
+
+	tagCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
+
+	err = tagCmd.MarkFlagRequired("identifier")
+	if err != nil {
+		log.Fatalf(err.Error())
+	}
+	tagCmd.Flags().
+		StringSliceP("tags", "t", []string{}, "List of tags to add to the node")
+	nodeCmd.AddCommand(tagCmd)
 }
 
 var nodeCmd = &cobra.Command{
-	Use:   "nodes",
-	Short: "Manage the nodes of Headscale",
+	Use:     "nodes",
+	Short:   "Manage the nodes of Headscale",
+	Aliases: []string{"node", "machine", "machines"},
 }
 
 var registerNodeCmd = &cobra.Command{
-	Use:   "register machineID",
+	Use:   "register",
 	Short: "Registers a machine to your network",
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 {
-			return fmt.Errorf("missing parameters")
-		}
-		return nil
-	},
 	Run: func(cmd *cobra.Command, args []string) {
-		n, err := cmd.Flags().GetString("namespace")
+		output, _ := cmd.Flags().GetString("output")
+		user, err := cmd.Flags().GetString("user")
 		if err != nil {
-			log.Fatalf("Error getting namespace: %s", err)
-		}
-		o, _ := cmd.Flags().GetString("output")
+			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
 
-		h, err := getHeadscaleApp()
-		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
-		}
-		m, err := h.RegisterMachine(args[0], n)
-		if strings.HasPrefix(o, "json") {
-			JsonOutput(m, err, o)
 			return
 		}
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		machineKey, err := cmd.Flags().GetString("key")
 		if err != nil {
-			fmt.Printf("Cannot register machine: %s\n", err)
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting node key from flag: %s", err),
+				output,
+			)
+
 			return
 		}
-		fmt.Printf("Machine registered\n")
+
+		request := &v1.RegisterMachineRequest{
+			Key:  machineKey,
+			User: user,
+		}
+
+		response, err := client.RegisterMachine(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf(
+					"Cannot register machine: %s\n",
+					status.Convert(err).Message(),
+				),
+				output,
+			)
+
+			return
+		}
+
+		SuccessOutput(
+			response.Machine,
+			fmt.Sprintf("Machine %s registered", response.Machine.GivenName), output)
 	},
 }
 
 var listNodesCmd = &cobra.Command{
-	Use:   "list",
-	Short: "List the nodes in a given namespace",
+	Use:     "list",
+	Short:   "List nodes",
+	Aliases: []string{"ls", "show"},
 	Run: func(cmd *cobra.Command, args []string) {
-		n, err := cmd.Flags().GetString("namespace")
+		output, _ := cmd.Flags().GetString("output")
+		user, err := cmd.Flags().GetString("user")
 		if err != nil {
-			log.Fatalf("Error getting namespace: %s", err)
-		}
-		o, _ := cmd.Flags().GetString("output")
+			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
 
-		h, err := getHeadscaleApp()
+			return
+		}
+		showTags, err := cmd.Flags().GetBool("tags")
 		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
-		}
+			ErrorOutput(err, fmt.Sprintf("Error getting tags flag: %s", err), output)
 
-		namespace, err := h.GetNamespace(n)
-		if err != nil {
-			log.Fatalf("Error fetching namespace: %s", err)
-		}
-
-		machines, err := h.ListMachinesInNamespace(n)
-		if err != nil {
-			log.Fatalf("Error fetching machines: %s", err)
-		}
-
-		sharedMachines, err := h.ListSharedMachinesInNamespace(n)
-		if err != nil {
-			log.Fatalf("Error fetching shared machines: %s", err)
-		}
-
-		allMachines := append(*machines, *sharedMachines...)
-
-		if strings.HasPrefix(o, "json") {
-			JsonOutput(allMachines, err, o)
 			return
 		}
 
-		if err != nil {
-			log.Fatalf("Error getting nodes: %s", err)
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.ListMachinesRequest{
+			User: user,
 		}
 
-		d, err := nodesToPtables(*namespace, allMachines)
+		response, err := client.ListMachines(ctx, request)
 		if err != nil {
-			log.Fatalf("Error converting to table: %s", err)
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot get nodes: %s", status.Convert(err).Message()),
+				output,
+			)
+
+			return
 		}
 
-		err = pterm.DefaultTable.WithHasHeader().WithData(d).Render()
+		if output != "" {
+			SuccessOutput(response.Machines, "", output)
+
+			return
+		}
+
+		tableData, err := nodesToPtables(user, showTags, response.Machines)
 		if err != nil {
-			log.Fatal(err)
+			ErrorOutput(err, fmt.Sprintf("Error converting to table: %s", err), output)
+
+			return
+		}
+
+		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Failed to render pterm table: %s", err),
+				output,
+			)
+
+			return
 		}
 	},
 }
 
-var deleteNodeCmd = &cobra.Command{
-	Use:   "delete ID",
-	Short: "Delete a node",
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 {
-			return fmt.Errorf("missing parameters")
-		}
-		return nil
-	},
+var expireNodeCmd = &cobra.Command{
+	Use:     "expire",
+	Short:   "Expire (log out) a machine in your network",
+	Long:    "Expiring a node will keep the node in the database and force it to reauthenticate.",
+	Aliases: []string{"logout", "exp", "e"},
 	Run: func(cmd *cobra.Command, args []string) {
 		output, _ := cmd.Flags().GetString("output")
-		h, err := getHeadscaleApp()
+
+		identifier, err := cmd.Flags().GetUint64("identifier")
 		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error converting ID to integer: %s", err),
+				output,
+			)
+
+			return
 		}
-		id, err := strconv.Atoi(args[0])
-		if err != nil {
-			log.Fatalf("Error converting ID to integer: %s", err)
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.ExpireMachineRequest{
+			MachineId: identifier,
 		}
-		m, err := h.GetMachineByID(uint64(id))
+
+		response, err := client.ExpireMachine(ctx, request)
 		if err != nil {
-			log.Fatalf("Error getting node: %s", err)
+			ErrorOutput(
+				err,
+				fmt.Sprintf(
+					"Cannot expire machine: %s\n",
+					status.Convert(err).Message(),
+				),
+				output,
+			)
+
+			return
+		}
+
+		SuccessOutput(response.Machine, "Machine expired", output)
+	},
+}
+
+var renameNodeCmd = &cobra.Command{
+	Use:   "rename NEW_NAME",
+	Short: "Renames a machine in your network",
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		identifier, err := cmd.Flags().GetUint64("identifier")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error converting ID to integer: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		newName := ""
+		if len(args) > 0 {
+			newName = args[0]
+		}
+		request := &v1.RenameMachineRequest{
+			MachineId: identifier,
+			NewName:   newName,
+		}
+
+		response, err := client.RenameMachine(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf(
+					"Cannot rename machine: %s\n",
+					status.Convert(err).Message(),
+				),
+				output,
+			)
+
+			return
+		}
+
+		SuccessOutput(response.Machine, "Machine renamed", output)
+	},
+}
+
+var deleteNodeCmd = &cobra.Command{
+	Use:     "delete",
+	Short:   "Delete a node",
+	Aliases: []string{"del"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		identifier, err := cmd.Flags().GetUint64("identifier")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error converting ID to integer: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		getRequest := &v1.GetMachineRequest{
+			MachineId: identifier,
+		}
+
+		getResponse, err := client.GetMachine(ctx, getRequest)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf(
+					"Error getting node node: %s",
+					status.Convert(err).Message(),
+				),
+				output,
+			)
+
+			return
+		}
+
+		deleteRequest := &v1.DeleteMachineRequest{
+			MachineId: identifier,
 		}
 
 		confirm := false
 		force, _ := cmd.Flags().GetBool("force")
 		if !force {
 			prompt := &survey.Confirm{
-				Message: fmt.Sprintf("Do you want to remove the node %s?", m.Name),
+				Message: fmt.Sprintf(
+					"Do you want to remove the node %s?",
+					getResponse.GetMachine().Name,
+				),
 			}
 			err = survey.AskOne(prompt, &confirm)
 			if err != nil {
@@ -156,113 +374,307 @@ var deleteNodeCmd = &cobra.Command{
 		}
 
 		if confirm || force {
-			err = h.DeleteMachine(m)
-			if strings.HasPrefix(output, "json") {
-				JsonOutput(map[string]string{"Result": "Node deleted"}, err, output)
+			response, err := client.DeleteMachine(ctx, deleteRequest)
+			if output != "" {
+				SuccessOutput(response, "", output)
+
 				return
 			}
 			if err != nil {
-				log.Fatalf("Error deleting node: %s", err)
-			}
-			fmt.Printf("Node deleted\n")
-		} else {
-			if strings.HasPrefix(output, "json") {
-				JsonOutput(map[string]string{"Result": "Node not deleted"}, err, output)
+				ErrorOutput(
+					err,
+					fmt.Sprintf(
+						"Error deleting node: %s",
+						status.Convert(err).Message(),
+					),
+					output,
+				)
+
 				return
 			}
-			fmt.Printf("Node not deleted\n")
+			SuccessOutput(
+				map[string]string{"Result": "Node deleted"},
+				"Node deleted",
+				output,
+			)
+		} else {
+			SuccessOutput(map[string]string{"Result": "Node not deleted"}, "Node not deleted", output)
 		}
 	},
 }
 
-var shareMachineCmd = &cobra.Command{
-	Use:   "share ID namespace",
-	Short: "Shares a node from the current namespace to the specified one",
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 2 {
-			return fmt.Errorf("missing parameters")
-		}
-		return nil
-	},
+var moveNodeCmd = &cobra.Command{
+	Use:     "move",
+	Short:   "Move node to another user",
+	Aliases: []string{"mv"},
 	Run: func(cmd *cobra.Command, args []string) {
-		namespace, err := cmd.Flags().GetString("namespace")
-		if err != nil {
-			log.Fatalf("Error getting namespace: %s", err)
-		}
 		output, _ := cmd.Flags().GetString("output")
 
-		h, err := getHeadscaleApp()
+		identifier, err := cmd.Flags().GetUint64("identifier")
 		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
-		}
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error converting ID to integer: %s", err),
+				output,
+			)
 
-		_, err = h.GetNamespace(namespace)
-		if err != nil {
-			log.Fatalf("Error fetching origin namespace: %s", err)
-		}
-
-		destinationNamespace, err := h.GetNamespace(args[1])
-		if err != nil {
-			log.Fatalf("Error fetching destination namespace: %s", err)
-		}
-
-		id, err := strconv.Atoi(args[0])
-		if err != nil {
-			log.Fatalf("Error converting ID to integer: %s", err)
-		}
-		machine, err := h.GetMachineByID(uint64(id))
-		if err != nil {
-			log.Fatalf("Error getting node: %s", err)
-		}
-
-		err = h.AddSharedMachineToNamespace(machine, destinationNamespace)
-		if strings.HasPrefix(output, "json") {
-			JsonOutput(map[string]string{"Result": "Node shared"}, err, output)
-			return
-		}
-		if err != nil {
-			fmt.Printf("Error sharing node: %s\n", err)
 			return
 		}
 
-		fmt.Println("Node shared!")
+		user, err := cmd.Flags().GetString("user")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting user: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		getRequest := &v1.GetMachineRequest{
+			MachineId: identifier,
+		}
+
+		_, err = client.GetMachine(ctx, getRequest)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf(
+					"Error getting node: %s",
+					status.Convert(err).Message(),
+				),
+				output,
+			)
+
+			return
+		}
+
+		moveRequest := &v1.MoveMachineRequest{
+			MachineId: identifier,
+			User:      user,
+		}
+
+		moveResponse, err := client.MoveMachine(ctx, moveRequest)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf(
+					"Error moving node: %s",
+					status.Convert(err).Message(),
+				),
+				output,
+			)
+
+			return
+		}
+
+		SuccessOutput(moveResponse.Machine, "Node moved to another user", output)
 	},
 }
 
-func nodesToPtables(currentNamespace headscale.Namespace, machines []headscale.Machine) (pterm.TableData, error) {
-	d := pterm.TableData{{"ID", "Name", "NodeKey", "Namespace", "IP address", "Ephemeral", "Last seen", "Online"}}
+func nodesToPtables(
+	currentUser string,
+	showTags bool,
+	machines []*v1.Machine,
+) (pterm.TableData, error) {
+	tableHeader := []string{
+		"ID",
+		"Hostname",
+		"Name",
+		"MachineKey",
+		"NodeKey",
+		"User",
+		"IP addresses",
+		"Ephemeral",
+		"Last seen",
+		"Expiration",
+		"Online",
+		"Expired",
+	}
+	if showTags {
+		tableHeader = append(tableHeader, []string{
+			"ForcedTags",
+			"InvalidTags",
+			"ValidTags",
+		}...)
+	}
+	tableData := pterm.TableData{tableHeader}
 
 	for _, machine := range machines {
 		var ephemeral bool
-		if machine.AuthKey != nil && machine.AuthKey.Ephemeral {
+		if machine.PreAuthKey != nil && machine.PreAuthKey.Ephemeral {
 			ephemeral = true
 		}
+
 		var lastSeen time.Time
 		var lastSeenTime string
 		if machine.LastSeen != nil {
-			lastSeen = *machine.LastSeen
+			lastSeen = machine.LastSeen.AsTime()
 			lastSeenTime = lastSeen.Format("2006-01-02 15:04:05")
 		}
-		nKey, err := wgkey.ParseHex(machine.NodeKey)
+
+		var expiry time.Time
+		var expiryTime string
+		if machine.Expiry != nil {
+			expiry = machine.Expiry.AsTime()
+			expiryTime = expiry.Format("2006-01-02 15:04:05")
+		} else {
+			expiryTime = "N/A"
+		}
+
+		var machineKey key.MachinePublic
+		err := machineKey.UnmarshalText(
+			[]byte(headscale.MachinePublicKeyEnsurePrefix(machine.MachineKey)),
+		)
+		if err != nil {
+			machineKey = key.MachinePublic{}
+		}
+
+		var nodeKey key.NodePublic
+		err = nodeKey.UnmarshalText(
+			[]byte(headscale.NodePublicKeyEnsurePrefix(machine.NodeKey)),
+		)
 		if err != nil {
 			return nil, err
 		}
-		nodeKey := tailcfg.NodeKey(nKey)
 
 		var online string
-		if lastSeen.After(time.Now().Add(-5 * time.Minute)) { // TODO: Find a better way to reliably show if online
-			online = pterm.LightGreen("true")
+		if machine.Online {
+			online = pterm.LightGreen("online")
 		} else {
-			online = pterm.LightRed("false")
+			online = pterm.LightRed("offline")
 		}
 
-		var namespace string
-		if currentNamespace.ID == machine.NamespaceID {
-			namespace = pterm.LightMagenta(machine.Namespace.Name)
+		var expired string
+		if expiry.IsZero() || expiry.After(time.Now()) {
+			expired = pterm.LightGreen("no")
 		} else {
-			namespace = pterm.LightYellow(machine.Namespace.Name)
+			expired = pterm.LightRed("yes")
 		}
-		d = append(d, []string{strconv.FormatUint(machine.ID, 10), machine.Name, nodeKey.ShortString(), namespace, machine.IPAddress, strconv.FormatBool(ephemeral), lastSeenTime, online})
+
+		var forcedTags string
+		for _, tag := range machine.ForcedTags {
+			forcedTags += "," + tag
+		}
+		forcedTags = strings.TrimLeft(forcedTags, ",")
+		var invalidTags string
+		for _, tag := range machine.InvalidTags {
+			if !contains(machine.ForcedTags, tag) {
+				invalidTags += "," + pterm.LightRed(tag)
+			}
+		}
+		invalidTags = strings.TrimLeft(invalidTags, ",")
+		var validTags string
+		for _, tag := range machine.ValidTags {
+			if !contains(machine.ForcedTags, tag) {
+				validTags += "," + pterm.LightGreen(tag)
+			}
+		}
+		validTags = strings.TrimLeft(validTags, ",")
+
+		var user string
+		if currentUser == "" || (currentUser == machine.User.Name) {
+			user = pterm.LightMagenta(machine.User.Name)
+		} else {
+			// Shared into this user
+			user = pterm.LightYellow(machine.User.Name)
+		}
+
+		var IPV4Address string
+		var IPV6Address string
+		for _, addr := range machine.IpAddresses {
+			if netip.MustParseAddr(addr).Is4() {
+				IPV4Address = addr
+			} else {
+				IPV6Address = addr
+			}
+		}
+
+		nodeData := []string{
+			strconv.FormatUint(machine.Id, headscale.Base10),
+			machine.Name,
+			machine.GetGivenName(),
+			machineKey.ShortString(),
+			nodeKey.ShortString(),
+			user,
+			strings.Join([]string{IPV4Address, IPV6Address}, ", "),
+			strconv.FormatBool(ephemeral),
+			lastSeenTime,
+			expiryTime,
+			online,
+			expired,
+		}
+		if showTags {
+			nodeData = append(nodeData, []string{forcedTags, invalidTags, validTags}...)
+		}
+		tableData = append(
+			tableData,
+			nodeData,
+		)
 	}
-	return d, nil
+
+	return tableData, nil
+}
+
+var tagCmd = &cobra.Command{
+	Use:     "tag",
+	Short:   "Manage the tags of a node",
+	Aliases: []string{"tags", "t"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		// retrieve flags from CLI
+		identifier, err := cmd.Flags().GetUint64("identifier")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error converting ID to integer: %s", err),
+				output,
+			)
+
+			return
+		}
+		tagsToSet, err := cmd.Flags().GetStringSlice("tags")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error retrieving list of tags to add to machine, %v", err),
+				output,
+			)
+
+			return
+		}
+
+		// Sending tags to machine
+		request := &v1.SetTagsRequest{
+			MachineId: identifier,
+			Tags:      tagsToSet,
+		}
+		resp, err := client.SetTags(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error while sending tags to headscale: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		if resp != nil {
+			SuccessOutput(
+				resp.GetMachine(),
+				"Machine updated",
+				output,
+			)
+		}
+	},
 }

cmd/headscale/cli/preauthkeys.go

@@ -2,173 +2,262 @@ package cli
 
 import (
 	"fmt"
-	"log"
 	"strconv"
 	"strings"
 	"time"
 
-	"github.com/hako/durafmt"
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/prometheus/common/model"
 	"github.com/pterm/pterm"
+	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
+	"google.golang.org/protobuf/types/known/timestamppb"
+)
+
+const (
+	DefaultPreAuthKeyExpiry = "1h"
 )
 
 func init() {
 	rootCmd.AddCommand(preauthkeysCmd)
-	preauthkeysCmd.PersistentFlags().StringP("namespace", "n", "", "Namespace")
-	err := preauthkeysCmd.MarkPersistentFlagRequired("namespace")
+	preauthkeysCmd.PersistentFlags().StringP("user", "u", "", "User")
+
+	preauthkeysCmd.PersistentFlags().StringP("namespace", "n", "", "User")
+	pakNamespaceFlag := preauthkeysCmd.PersistentFlags().Lookup("namespace")
+	pakNamespaceFlag.Deprecated = deprecateNamespaceMessage
+	pakNamespaceFlag.Hidden = true
+
+	err := preauthkeysCmd.MarkPersistentFlagRequired("user")
 	if err != nil {
-		log.Fatalf(err.Error())
+		log.Fatal().Err(err).Msg("")
 	}
 	preauthkeysCmd.AddCommand(listPreAuthKeys)
 	preauthkeysCmd.AddCommand(createPreAuthKeyCmd)
 	preauthkeysCmd.AddCommand(expirePreAuthKeyCmd)
-	createPreAuthKeyCmd.PersistentFlags().Bool("reusable", false, "Make the preauthkey reusable")
-	createPreAuthKeyCmd.PersistentFlags().Bool("ephemeral", false, "Preauthkey for ephemeral nodes")
-	createPreAuthKeyCmd.Flags().StringP("expiration", "e", "", "Human-readable expiration of the key (30m, 24h, 365d...)")
+	createPreAuthKeyCmd.PersistentFlags().
+		Bool("reusable", false, "Make the preauthkey reusable")
+	createPreAuthKeyCmd.PersistentFlags().
+		Bool("ephemeral", false, "Preauthkey for ephemeral nodes")
+	createPreAuthKeyCmd.Flags().
+		StringP("expiration", "e", DefaultPreAuthKeyExpiry, "Human-readable expiration of the key (e.g. 30m, 24h)")
+	createPreAuthKeyCmd.Flags().
+		StringSlice("tags", []string{}, "Tags to automatically assign to node")
 }
 
 var preauthkeysCmd = &cobra.Command{
-	Use:   "preauthkeys",
-	Short: "Handle the preauthkeys in Headscale",
+	Use:     "preauthkeys",
+	Short:   "Handle the preauthkeys in Headscale",
+	Aliases: []string{"preauthkey", "authkey", "pre"},
 }
 
 var listPreAuthKeys = &cobra.Command{
-	Use:   "list",
-	Short: "List the preauthkeys for this namespace",
+	Use:     "list",
+	Short:   "List the preauthkeys for this user",
+	Aliases: []string{"ls", "show"},
 	Run: func(cmd *cobra.Command, args []string) {
-		n, err := cmd.Flags().GetString("namespace")
-		if err != nil {
-			log.Fatalf("Error getting namespace: %s", err)
-		}
-		o, _ := cmd.Flags().GetString("output")
+		output, _ := cmd.Flags().GetString("output")
 
-		h, err := getHeadscaleApp()
+		user, err := cmd.Flags().GetString("user")
 		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
-		}
-		keys, err := h.GetPreAuthKeys(n)
-		if strings.HasPrefix(o, "json") {
-			JsonOutput(keys, err, o)
+			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
+
 			return
 		}
 
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.ListPreAuthKeysRequest{
+			User: user,
+		}
+
+		response, err := client.ListPreAuthKeys(ctx, request)
 		if err != nil {
-			fmt.Printf("Error getting the list of keys: %s\n", err)
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting the list of keys: %s", err),
+				output,
+			)
+
 			return
 		}
 
-		d := pterm.TableData{{"ID", "Key", "Reusable", "Ephemeral", "Used", "Expiration", "Created"}}
-		for _, k := range *keys {
+		if output != "" {
+			SuccessOutput(response.PreAuthKeys, "", output)
+
+			return
+		}
+
+		tableData := pterm.TableData{
+			{
+				"ID",
+				"Key",
+				"Reusable",
+				"Ephemeral",
+				"Used",
+				"Expiration",
+				"Created",
+				"Tags",
+			},
+		}
+		for _, key := range response.PreAuthKeys {
 			expiration := "-"
-			if k.Expiration != nil {
-				expiration = k.Expiration.Format("2006-01-02 15:04:05")
+			if key.GetExpiration() != nil {
+				expiration = ColourTime(key.Expiration.AsTime())
 			}
 
 			var reusable string
-			if k.Ephemeral {
+			if key.GetEphemeral() {
 				reusable = "N/A"
 			} else {
-				reusable = fmt.Sprintf("%v", k.Reusable)
+				reusable = fmt.Sprintf("%v", key.GetReusable())
 			}
 
-			d = append(d, []string{
-				strconv.FormatUint(k.ID, 10),
-				k.Key,
+			aclTags := ""
+
+			for _, tag := range key.AclTags {
+				aclTags += "," + tag
+			}
+
+			aclTags = strings.TrimLeft(aclTags, ",")
+
+			tableData = append(tableData, []string{
+				key.GetId(),
+				key.GetKey(),
 				reusable,
-				strconv.FormatBool(k.Ephemeral),
-				fmt.Sprintf("%v", k.Used),
+				strconv.FormatBool(key.GetEphemeral()),
+				strconv.FormatBool(key.GetUsed()),
 				expiration,
-				k.CreatedAt.Format("2006-01-02 15:04:05"),
+				key.GetCreatedAt().AsTime().Format("2006-01-02 15:04:05"),
+				aclTags,
 			})
 
 		}
-		err = pterm.DefaultTable.WithHasHeader().WithData(d).Render()
+		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
 		if err != nil {
-			log.Fatal(err)
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Failed to render pterm table: %s", err),
+				output,
+			)
+
+			return
 		}
 	},
 }
 
 var createPreAuthKeyCmd = &cobra.Command{
-	Use:   "create",
-	Short: "Creates a new preauthkey in the specified namespace",
+	Use:     "create",
+	Short:   "Creates a new preauthkey in the specified user",
+	Aliases: []string{"c", "new"},
 	Run: func(cmd *cobra.Command, args []string) {
-		n, err := cmd.Flags().GetString("namespace")
-		if err != nil {
-			log.Fatalf("Error getting namespace: %s", err)
-		}
-		o, _ := cmd.Flags().GetString("output")
+		output, _ := cmd.Flags().GetString("output")
 
-		h, err := getHeadscaleApp()
+		user, err := cmd.Flags().GetString("user")
 		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
+			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
+
+			return
 		}
+
 		reusable, _ := cmd.Flags().GetBool("reusable")
 		ephemeral, _ := cmd.Flags().GetBool("ephemeral")
+		tags, _ := cmd.Flags().GetStringSlice("tags")
 
-		e, _ := cmd.Flags().GetString("expiration")
-		var expiration *time.Time
-		if e != "" {
-			duration, err := durafmt.ParseStringShort(e)
-			if err != nil {
-				log.Fatalf("Error parsing expiration: %s", err)
-			}
-			exp := time.Now().UTC().Add(duration.Duration())
-			expiration = &exp
+		log.Trace().
+			Bool("reusable", reusable).
+			Bool("ephemeral", ephemeral).
+			Str("user", user).
+			Msg("Preparing to create preauthkey")
+
+		request := &v1.CreatePreAuthKeyRequest{
+			User:      user,
+			Reusable:  reusable,
+			Ephemeral: ephemeral,
+			AclTags:   tags,
 		}
 
-		k, err := h.CreatePreAuthKey(n, reusable, ephemeral, expiration)
-		if strings.HasPrefix(o, "json") {
-			JsonOutput(k, err, o)
-			return
-		}
+		durationStr, _ := cmd.Flags().GetString("expiration")
+
+		duration, err := model.ParseDuration(durationStr)
 		if err != nil {
-			fmt.Println(err)
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Could not parse duration: %s\n", err),
+				output,
+			)
+
 			return
 		}
-		fmt.Printf("%s\n", k.Key)
+
+		expiration := time.Now().UTC().Add(time.Duration(duration))
+
+		log.Trace().
+			Dur("expiration", time.Duration(duration)).
+			Msg("expiration has been set")
+
+		request.Expiration = timestamppb.New(expiration)
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		response, err := client.CreatePreAuthKey(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot create Pre Auth Key: %s\n", err),
+				output,
+			)
+
+			return
+		}
+
+		SuccessOutput(response.PreAuthKey, response.PreAuthKey.Key, output)
 	},
 }
 
 var expirePreAuthKeyCmd = &cobra.Command{
-	Use:   "expire KEY",
-	Short: "Expire a preauthkey",
+	Use:     "expire KEY",
+	Short:   "Expire a preauthkey",
+	Aliases: []string{"revoke", "exp", "e"},
 	Args: func(cmd *cobra.Command, args []string) error {
 		if len(args) < 1 {
-			return fmt.Errorf("missing parameters")
+			return errMissingParameter
 		}
+
 		return nil
 	},
 	Run: func(cmd *cobra.Command, args []string) {
-		n, err := cmd.Flags().GetString("namespace")
+		output, _ := cmd.Flags().GetString("output")
+		user, err := cmd.Flags().GetString("user")
 		if err != nil {
-			log.Fatalf("Error getting namespace: %s", err)
-		}
-		o, _ := cmd.Flags().GetString("output")
+			ErrorOutput(err, fmt.Sprintf("Error getting user: %s", err), output)
 
-		h, err := getHeadscaleApp()
-		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
-		}
-
-		k, err := h.GetPreAuthKey(n, args[0])
-		if err != nil {
-			if strings.HasPrefix(o, "json") {
-				JsonOutput(k, err, o)
-				return
-			}
-			log.Fatalf("Error getting the key: %s", err)
-		}
-
-		err = h.MarkExpirePreAuthKey(k)
-		if strings.HasPrefix(o, "json") {
-			JsonOutput(k, err, o)
 			return
 		}
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.ExpirePreAuthKeyRequest{
+			User: user,
+			Key:  args[0],
+		}
+
+		response, err := client.ExpirePreAuthKey(ctx, request)
 		if err != nil {
-			fmt.Println(err)
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot expire Pre Auth Key: %s\n", err),
+				output,
+			)
+
 			return
 		}
-		fmt.Println("Expired")
+
+		SuccessOutput(response, "Key expired", output)
 	},
 }

cmd/headscale/cli/pterm_style.go

@@ -0,0 +1,19 @@
+package cli
+
+import (
+	"time"
+
+	"github.com/pterm/pterm"
+)
+
+func ColourTime(date time.Time) string {
+	dateStr := date.Format("2006-01-02 15:04:05")
+
+	if date.After(time.Now()) {
+		dateStr = pterm.LightGreen(dateStr)
+	} else {
+		dateStr = pterm.LightRed(dateStr)
+	}
+
+	return dateStr
+}

cmd/headscale/cli/root.go

@@ -3,13 +3,89 @@ package cli
 import (
 	"fmt"
 	"os"
+	"runtime"
 
+	"github.com/juanfont/headscale"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
+	"github.com/tcnksm/go-latest"
 )
 
+const (
+	deprecateNamespaceMessage = "use --user"
+)
+
+var cfgFile string = ""
+
 func init() {
-	rootCmd.PersistentFlags().StringP("output", "o", "", "Output format. Empty for human-readable, 'json' or 'json-line'")
-	rootCmd.PersistentFlags().Bool("force", false, "Disable prompts and forces the execution")
+	if len(os.Args) > 1 &&
+		(os.Args[1] == "version" || os.Args[1] == "mockoidc" || os.Args[1] == "completion") {
+		return
+	}
+
+	cobra.OnInitialize(initConfig)
+	rootCmd.PersistentFlags().
+		StringVarP(&cfgFile, "config", "c", "", "config file (default is /etc/headscale/config.yaml)")
+	rootCmd.PersistentFlags().
+		StringP("output", "o", "", "Output format. Empty for human-readable, 'json', 'json-line' or 'yaml'")
+	rootCmd.PersistentFlags().
+		Bool("force", false, "Disable prompts and forces the execution")
+}
+
+func initConfig() {
+	if cfgFile == "" {
+		cfgFile = os.Getenv("HEADSCALE_CONFIG")
+	}
+	if cfgFile != "" {
+		err := headscale.LoadConfig(cfgFile, true)
+		if err != nil {
+			log.Fatal().Caller().Err(err).Msgf("Error loading config file %s", cfgFile)
+		}
+	} else {
+		err := headscale.LoadConfig("", false)
+		if err != nil {
+			log.Fatal().Caller().Err(err).Msgf("Error loading config")
+		}
+	}
+
+	cfg, err := headscale.GetHeadscaleConfig()
+	if err != nil {
+		log.Fatal().Caller().Err(err)
+	}
+
+	machineOutput := HasMachineOutputFlag()
+
+	zerolog.SetGlobalLevel(cfg.Log.Level)
+
+	// If the user has requested a "machine" readable format,
+	// then disable login so the output remains valid.
+	if machineOutput {
+		zerolog.SetGlobalLevel(zerolog.Disabled)
+	}
+
+	if cfg.Log.Format == headscale.JSONLogFormat {
+		log.Logger = log.Output(os.Stdout)
+	}
+
+	if !cfg.DisableUpdateCheck && !machineOutput {
+		if (runtime.GOOS == "linux" || runtime.GOOS == "darwin") &&
+			Version != "dev" {
+			githubTag := &latest.GithubTag{
+				Owner:      "juanfont",
+				Repository: "headscale",
+			}
+			res, err := latest.Check(githubTag, Version)
+			if err == nil && res.Outdated {
+				//nolint
+				fmt.Printf(
+					"An updated version of Headscale has been found (%s vs. your current %s). Check it out https://github.com/juanfont/headscale/releases\n",
+					res.Current,
+					Version,
+				)
+			}
+		}
+	}
 }
 
 var rootCmd = &cobra.Command{

cmd/headscale/cli/routes.go

@@ -3,145 +3,231 @@ package cli
 import (
 	"fmt"
 	"log"
-	"strings"
+	"strconv"
 
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+)
+
+const (
+	Base10 = 10
 )
 
 func init() {
 	rootCmd.AddCommand(routesCmd)
-	routesCmd.PersistentFlags().StringP("namespace", "n", "", "Namespace")
-	err := routesCmd.MarkPersistentFlagRequired("namespace")
+	listRoutesCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
+	routesCmd.AddCommand(listRoutesCmd)
+
+	enableRouteCmd.Flags().Uint64P("route", "r", 0, "Route identifier (ID)")
+	err := enableRouteCmd.MarkFlagRequired("route")
 	if err != nil {
 		log.Fatalf(err.Error())
 	}
-
-	enableRouteCmd.Flags().BoolP("all", "a", false, "Enable all routes advertised by the node")
-
-	routesCmd.AddCommand(listRoutesCmd)
 	routesCmd.AddCommand(enableRouteCmd)
+
+	disableRouteCmd.Flags().Uint64P("route", "r", 0, "Route identifier (ID)")
+	err = disableRouteCmd.MarkFlagRequired("route")
+	if err != nil {
+		log.Fatalf(err.Error())
+	}
+	routesCmd.AddCommand(disableRouteCmd)
 }
 
 var routesCmd = &cobra.Command{
-	Use:   "routes",
-	Short: "Manage the routes of Headscale",
+	Use:     "routes",
+	Short:   "Manage the routes of Headscale",
+	Aliases: []string{"r", "route"},
 }
 
 var listRoutesCmd = &cobra.Command{
-	Use:   "list NODE",
-	Short: "List the routes exposed by this node",
-	Args: func(cmd *cobra.Command, args []string) error {
-		if len(args) < 1 {
-			return fmt.Errorf("Missing parameters")
-		}
-		return nil
-	},
+	Use:     "list",
+	Short:   "List all routes",
+	Aliases: []string{"ls", "show"},
 	Run: func(cmd *cobra.Command, args []string) {
-		n, err := cmd.Flags().GetString("namespace")
-		if err != nil {
-			log.Fatalf("Error getting namespace: %s", err)
-		}
-		o, _ := cmd.Flags().GetString("output")
+		output, _ := cmd.Flags().GetString("output")
 
-		h, err := getHeadscaleApp()
+		machineID, err := cmd.Flags().GetUint64("identifier")
 		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
-		}
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting machine id from flag: %s", err),
+				output,
+			)
 
-		availableRoutes, err := h.GetAdvertisedNodeRoutes(n, args[0])
-		if err != nil {
-			fmt.Println(err)
 			return
 		}
 
-		if strings.HasPrefix(o, "json") {
-			// TODO: Add enable/disabled information to this interface
-			JsonOutput(availableRoutes, err, o)
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		var routes []*v1.Route
+
+		if machineID == 0 {
+			response, err := client.GetRoutes(ctx, &v1.GetRoutesRequest{})
+			if err != nil {
+				ErrorOutput(
+					err,
+					fmt.Sprintf("Cannot get nodes: %s", status.Convert(err).Message()),
+					output,
+				)
+
+				return
+			}
+
+			if output != "" {
+				SuccessOutput(response.Routes, "", output)
+
+				return
+			}
+
+			routes = response.Routes
+		} else {
+			response, err := client.GetMachineRoutes(ctx, &v1.GetMachineRoutesRequest{
+				MachineId: machineID,
+			})
+			if err != nil {
+				ErrorOutput(
+					err,
+					fmt.Sprintf("Cannot get routes for machine %d: %s", machineID, status.Convert(err).Message()),
+					output,
+				)
+
+				return
+			}
+
+			if output != "" {
+				SuccessOutput(response.Routes, "", output)
+
+				return
+			}
+
+			routes = response.Routes
+		}
+
+		tableData := routesToPtables(routes)
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error converting to table: %s", err), output)
+
 			return
 		}
 
-		d := h.RoutesToPtables(n, args[0], *availableRoutes)
-
-		err = pterm.DefaultTable.WithHasHeader().WithData(d).Render()
+		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
 		if err != nil {
-			log.Fatal(err)
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Failed to render pterm table: %s", err),
+				output,
+			)
+
+			return
 		}
 	},
 }
 
 var enableRouteCmd = &cobra.Command{
-	Use:   "enable node-name route",
-	Short: "Allows exposing a route declared by this node to the rest of the nodes",
-	Args: func(cmd *cobra.Command, args []string) error {
-		all, err := cmd.Flags().GetBool("all")
-		if err != nil {
-			log.Fatalf("Error getting namespace: %s", err)
-		}
-
-		if all {
-			if len(args) < 1 {
-				return fmt.Errorf("Missing parameters")
-			}
-			return nil
-		} else {
-			if len(args) < 2 {
-				return fmt.Errorf("Missing parameters")
-			}
-			return nil
-		}
-	},
+	Use:   "enable",
+	Short: "Set a route as enabled",
+	Long:  `This command will make as enabled a given route.`,
 	Run: func(cmd *cobra.Command, args []string) {
-		n, err := cmd.Flags().GetString("namespace")
+		output, _ := cmd.Flags().GetString("output")
+
+		routeID, err := cmd.Flags().GetUint64("route")
 		if err != nil {
-			log.Fatalf("Error getting namespace: %s", err)
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting machine id from flag: %s", err),
+				output,
+			)
+
+			return
 		}
 
-		o, _ := cmd.Flags().GetString("output")
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
 
-		all, err := cmd.Flags().GetBool("all")
+		response, err := client.EnableRoute(ctx, &v1.EnableRouteRequest{
+			RouteId: routeID,
+		})
 		if err != nil {
-			log.Fatalf("Error getting namespace: %s", err)
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot enable route %d: %s", routeID, status.Convert(err).Message()),
+				output,
+			)
+
+			return
 		}
 
-		h, err := getHeadscaleApp()
-		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
-		}
+		if output != "" {
+			SuccessOutput(response, "", output)
 
-		if all {
-			availableRoutes, err := h.GetAdvertisedNodeRoutes(n, args[0])
-			if err != nil {
-				fmt.Println(err)
-				return
-			}
-
-			for _, availableRoute := range *availableRoutes {
-				err = h.EnableNodeRoute(n, args[0], availableRoute.String())
-				if err != nil {
-					fmt.Println(err)
-					return
-				}
-
-				if strings.HasPrefix(o, "json") {
-					JsonOutput(availableRoute, err, o)
-				} else {
-					fmt.Printf("Enabled route %s\n", availableRoute)
-				}
-			}
-		} else {
-			err = h.EnableNodeRoute(n, args[0], args[1])
-
-			if strings.HasPrefix(o, "json") {
-				JsonOutput(args[1], err, o)
-				return
-			}
-
-			if err != nil {
-				fmt.Println(err)
-				return
-			}
-			fmt.Printf("Enabled route %s\n", args[1])
+			return
 		}
 	},
 }
+
+var disableRouteCmd = &cobra.Command{
+	Use:   "disable",
+	Short: "Set as disabled a given route",
+	Long:  `This command will make as disabled a given route.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		routeID, err := cmd.Flags().GetUint64("route")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting machine id from flag: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		response, err := client.DisableRoute(ctx, &v1.DisableRouteRequest{
+			RouteId: routeID,
+		})
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot enable route %d: %s", routeID, status.Convert(err).Message()),
+				output,
+			)
+
+			return
+		}
+
+		if output != "" {
+			SuccessOutput(response, "", output)
+
+			return
+		}
+	},
+}
+
+// routesToPtables converts the list of routes to a nice table.
+func routesToPtables(routes []*v1.Route) pterm.TableData {
+	tableData := pterm.TableData{{"ID", "Machine", "Prefix", "Advertised", "Enabled", "Primary"}}
+
+	for _, route := range routes {
+		tableData = append(tableData,
+			[]string{
+				strconv.FormatUint(route.Id, Base10),
+				route.Machine.GivenName,
+				route.Prefix,
+				strconv.FormatBool(route.Advertised),
+				strconv.FormatBool(route.Enabled),
+				strconv.FormatBool(route.IsPrimary),
+			})
+	}
+
+	return tableData
+}

cmd/headscale/cli/server.go

@@ -1,8 +1,7 @@
 package cli
 
 import (
-	"log"
-
+	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 )
 
@@ -17,14 +16,14 @@ var serveCmd = &cobra.Command{
 		return nil
 	},
 	Run: func(cmd *cobra.Command, args []string) {
-		h, err := getHeadscaleApp()
+		app, err := getHeadscaleApp()
 		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
+			log.Fatal().Caller().Err(err).Msg("Error initializing")
 		}
 
-		err = h.Serve()
+		err = app.Serve()
 		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
+			log.Fatal().Caller().Err(err).Msg("Error starting server")
 		}
 	},
 }

cmd/headscale/cli/users.go

@@ -0,0 +1,243 @@
+package cli
+
+import (
+	"fmt"
+
+	survey "github.com/AlecAivazis/survey/v2"
+	"github.com/juanfont/headscale"
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/pterm/pterm"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+	"google.golang.org/grpc/status"
+)
+
+func init() {
+	rootCmd.AddCommand(userCmd)
+	userCmd.AddCommand(createUserCmd)
+	userCmd.AddCommand(listUsersCmd)
+	userCmd.AddCommand(destroyUserCmd)
+	userCmd.AddCommand(renameUserCmd)
+}
+
+const (
+	errMissingParameter = headscale.Error("missing parameters")
+)
+
+var userCmd = &cobra.Command{
+	Use:     "users",
+	Short:   "Manage the users of Headscale",
+	Aliases: []string{"user", "namespace", "namespaces", "ns"},
+}
+
+var createUserCmd = &cobra.Command{
+	Use:     "create NAME",
+	Short:   "Creates a new user",
+	Aliases: []string{"c", "new"},
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 {
+			return errMissingParameter
+		}
+
+		return nil
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		userName := args[0]
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		log.Trace().Interface("client", client).Msg("Obtained gRPC client")
+
+		request := &v1.CreateUserRequest{Name: userName}
+
+		log.Trace().Interface("request", request).Msg("Sending CreateUser request")
+		response, err := client.CreateUser(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf(
+					"Cannot create user: %s",
+					status.Convert(err).Message(),
+				),
+				output,
+			)
+
+			return
+		}
+
+		SuccessOutput(response.User, "User created", output)
+	},
+}
+
+var destroyUserCmd = &cobra.Command{
+	Use:     "destroy NAME",
+	Short:   "Destroys a user",
+	Aliases: []string{"delete"},
+	Args: func(cmd *cobra.Command, args []string) error {
+		if len(args) < 1 {
+			return errMissingParameter
+		}
+
+		return nil
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		userName := args[0]
+
+		request := &v1.GetUserRequest{
+			Name: userName,
+		}
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		_, err := client.GetUser(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error: %s", status.Convert(err).Message()),
+				output,
+			)
+
+			return
+		}
+
+		confirm := false
+		force, _ := cmd.Flags().GetBool("force")
+		if !force {
+			prompt := &survey.Confirm{
+				Message: fmt.Sprintf(
+					"Do you want to remove the user '%s' and any associated preauthkeys?",
+					userName,
+				),
+			}
+			err := survey.AskOne(prompt, &confirm)
+			if err != nil {
+				return
+			}
+		}
+
+		if confirm || force {
+			request := &v1.DeleteUserRequest{Name: userName}
+
+			response, err := client.DeleteUser(ctx, request)
+			if err != nil {
+				ErrorOutput(
+					err,
+					fmt.Sprintf(
+						"Cannot destroy user: %s",
+						status.Convert(err).Message(),
+					),
+					output,
+				)
+
+				return
+			}
+			SuccessOutput(response, "User destroyed", output)
+		} else {
+			SuccessOutput(map[string]string{"Result": "User not destroyed"}, "User not destroyed", output)
+		}
+	},
+}
+
+var listUsersCmd = &cobra.Command{
+	Use:     "list",
+	Short:   "List all the users",
+	Aliases: []string{"ls", "show"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.ListUsersRequest{}
+
+		response, err := client.ListUsers(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Cannot get users: %s", status.Convert(err).Message()),
+				output,
+			)
+
+			return
+		}
+
+		if output != "" {
+			SuccessOutput(response.Users, "", output)
+
+			return
+		}
+
+		tableData := pterm.TableData{{"ID", "Name", "Created"}}
+		for _, user := range response.GetUsers() {
+			tableData = append(
+				tableData,
+				[]string{
+					user.GetId(),
+					user.GetName(),
+					user.GetCreatedAt().AsTime().Format("2006-01-02 15:04:05"),
+				},
+			)
+		}
+		err = pterm.DefaultTable.WithHasHeader().WithData(tableData).Render()
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Failed to render pterm table: %s", err),
+				output,
+			)
+
+			return
+		}
+	},
+}
+
+var renameUserCmd = &cobra.Command{
+	Use:     "rename OLD_NAME NEW_NAME",
+	Short:   "Renames a user",
+	Aliases: []string{"mv"},
+	Args: func(cmd *cobra.Command, args []string) error {
+		expectedArguments := 2
+		if len(args) < expectedArguments {
+			return errMissingParameter
+		}
+
+		return nil
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		request := &v1.RenameUserRequest{
+			OldName: args[0],
+			NewName: args[1],
+		}
+
+		response, err := client.RenameUser(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf(
+					"Cannot rename user: %s",
+					status.Convert(err).Message(),
+				),
+				output,
+			)
+
+			return
+		}
+
+		SuccessOutput(response.User, "User renamed", output)
+	},
+}

cmd/headscale/cli/utils.go

@@ -1,273 +1,219 @@
 package cli
 
 import (
+	"context"
+	"crypto/tls"
 	"encoding/json"
-	"errors"
 	"fmt"
-	"io"
 	"os"
-	"path/filepath"
-	"strings"
-	"time"
+	"reflect"
 
 	"github.com/juanfont/headscale"
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/rs/zerolog/log"
-	"github.com/spf13/viper"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
 	"gopkg.in/yaml.v2"
-	"inet.af/netaddr"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/dnstype"
 )
 
-type ErrorOutput struct {
-	Error string
-}
-
-func LoadConfig(path string) error {
-	viper.SetConfigName("config")
-	if path == "" {
-		viper.AddConfigPath("/etc/headscale/")
-		viper.AddConfigPath("$HOME/.headscale")
-		viper.AddConfigPath(".")
-	} else {
-		// For testing
-		viper.AddConfigPath(path)
-	}
-	viper.AutomaticEnv()
-
-	viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
-	viper.SetDefault("tls_letsencrypt_challenge_type", "HTTP-01")
-
-	viper.SetDefault("ip_prefix", "100.64.0.0/10")
-
-	viper.SetDefault("log_level", "info")
-
-	viper.SetDefault("dns_config", nil)
-
-	err := viper.ReadInConfig()
-	if err != nil {
-		return fmt.Errorf("Fatal error reading config file: %s \n", err)
-	}
-
-	// Collect any validation errors and return them all at once
-	var errorText string
-	if (viper.GetString("tls_letsencrypt_hostname") != "") && ((viper.GetString("tls_cert_path") != "") || (viper.GetString("tls_key_path") != "")) {
-		errorText += "Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both\n"
-	}
-
-	if (viper.GetString("tls_letsencrypt_hostname") != "") && (viper.GetString("tls_letsencrypt_challenge_type") == "TLS-ALPN-01") && (!strings.HasSuffix(viper.GetString("listen_addr"), ":443")) {
-		// this is only a warning because there could be something sitting in front of headscale that redirects the traffic (e.g. an iptables rule)
-		log.Warn().
-			Msg("Warning: when using tls_letsencrypt_hostname with TLS-ALPN-01 as challenge type, headscale must be reachable on port 443, i.e. listen_addr should probably end in :443")
-	}
-
-	if (viper.GetString("tls_letsencrypt_challenge_type") != "HTTP-01") && (viper.GetString("tls_letsencrypt_challenge_type") != "TLS-ALPN-01") {
-		errorText += "Fatal config error: the only supported values for tls_letsencrypt_challenge_type are HTTP-01 and TLS-ALPN-01\n"
-	}
-
-	if !strings.HasPrefix(viper.GetString("server_url"), "http://") && !strings.HasPrefix(viper.GetString("server_url"), "https://") {
-		errorText += "Fatal config error: server_url must start with https:// or http://\n"
-	}
-	if errorText != "" {
-		return errors.New(strings.TrimSuffix(errorText, "\n"))
-	} else {
-		return nil
-	}
-
-}
-
-func GetDNSConfig() (*tailcfg.DNSConfig, string) {
-	if viper.IsSet("dns_config") {
-		dnsConfig := &tailcfg.DNSConfig{}
-
-		if viper.IsSet("dns_config.nameservers") {
-			nameserversStr := viper.GetStringSlice("dns_config.nameservers")
-
-			nameservers := make([]netaddr.IP, len(nameserversStr))
-			resolvers := make([]dnstype.Resolver, len(nameserversStr))
-
-			for index, nameserverStr := range nameserversStr {
-				nameserver, err := netaddr.ParseIP(nameserverStr)
-				if err != nil {
-					log.Error().
-						Str("func", "getDNSConfig").
-						Err(err).
-						Msgf("Could not parse nameserver IP: %s", nameserverStr)
-				}
-
-				nameservers[index] = nameserver
-				resolvers[index] = dnstype.Resolver{
-					Addr: nameserver.String(),
-				}
-			}
-
-			dnsConfig.Nameservers = nameservers
-			dnsConfig.Resolvers = resolvers
-		}
-		if viper.IsSet("dns_config.domains") {
-			dnsConfig.Domains = viper.GetStringSlice("dns_config.domains")
-		}
-
-		if viper.IsSet("dns_config.magic_dns") {
-			magicDNS := viper.GetBool("dns_config.magic_dns")
-			if len(dnsConfig.Nameservers) > 0 {
-				dnsConfig.Proxied = magicDNS
-			} else if magicDNS {
-				log.Warn().
-					Msg("Warning: dns_config.magic_dns is set, but no nameservers are configured. Ignoring magic_dns.")
-			}
-		}
-
-		var baseDomain string
-		if viper.IsSet("dns_config.base_domain") {
-			baseDomain = viper.GetString("dns_config.base_domain")
-		} else {
-			baseDomain = "headscale.net" // does not really matter when MagicDNS is not enabled
-		}
-
-		return dnsConfig, baseDomain
-	}
-
-	return nil, ""
-}
-
-func absPath(path string) string {
-	// If a relative path is provided, prefix it with the the directory where
-	// the config file was found.
-	if (path != "") && !strings.HasPrefix(path, string(os.PathSeparator)) {
-		dir, _ := filepath.Split(viper.ConfigFileUsed())
-		if dir != "" {
-			path = filepath.Join(dir, path)
-		}
-	}
-	return path
-}
+const (
+	HeadscaleDateTimeFormat = "2006-01-02 15:04:05"
+	SocketWritePermissions  = 0o666
+)
 
 func getHeadscaleApp() (*headscale.Headscale, error) {
-	derpPath := absPath(viper.GetString("derp_map_path"))
-	derpMap, err := loadDerpMap(derpPath)
+	cfg, err := headscale.GetHeadscaleConfig()
 	if err != nil {
-		log.Error().
-			Str("path", derpPath).
-			Err(err).
-			Msg("Could not load DERP servers map file")
+		return nil, fmt.Errorf(
+			"failed to load configuration while creating headscale instance: %w",
+			err,
+		)
 	}
 
-	// Minimum inactivity time out is keepalive timeout (60s) plus a few seconds
-	// to avoid races
-	minInactivityTimeout, _ := time.ParseDuration("65s")
-	if viper.GetDuration("ephemeral_node_inactivity_timeout") <= minInactivityTimeout {
-		err = fmt.Errorf("ephemeral_node_inactivity_timeout (%s) is set too low, must be more than %s\n", viper.GetString("ephemeral_node_inactivity_timeout"), minInactivityTimeout)
-		return nil, err
-	}
-
-	dnsConfig, baseDomain := GetDNSConfig()
-
-	cfg := headscale.Config{
-		ServerURL:      viper.GetString("server_url"),
-		Addr:           viper.GetString("listen_addr"),
-		PrivateKeyPath: absPath(viper.GetString("private_key_path")),
-		DerpMap:        derpMap,
-		IPPrefix:       netaddr.MustParseIPPrefix(viper.GetString("ip_prefix")),
-		BaseDomain:     baseDomain,
-
-		EphemeralNodeInactivityTimeout: viper.GetDuration("ephemeral_node_inactivity_timeout"),
-
-		DBtype: viper.GetString("db_type"),
-		DBpath: absPath(viper.GetString("db_path")),
-		DBhost: viper.GetString("db_host"),
-		DBport: viper.GetInt("db_port"),
-		DBname: viper.GetString("db_name"),
-		DBuser: viper.GetString("db_user"),
-		DBpass: viper.GetString("db_pass"),
-
-		TLSLetsEncryptHostname:      viper.GetString("tls_letsencrypt_hostname"),
-		TLSLetsEncryptListen:        viper.GetString("tls_letsencrypt_listen"),
-		TLSLetsEncryptCacheDir:      absPath(viper.GetString("tls_letsencrypt_cache_dir")),
-		TLSLetsEncryptChallengeType: viper.GetString("tls_letsencrypt_challenge_type"),
-
-		TLSCertPath: absPath(viper.GetString("tls_cert_path")),
-		TLSKeyPath:  absPath(viper.GetString("tls_key_path")),
-
-		DNSConfig: dnsConfig,
-
-		ACMEEmail: viper.GetString("acme_email"),
-		ACMEURL:   viper.GetString("acme_url"),
-	}
-
-	h, err := headscale.NewHeadscale(cfg)
+	app, err := headscale.NewHeadscale(cfg)
 	if err != nil {
 		return nil, err
 	}
 
 	// We are doing this here, as in the future could be cool to have it also hot-reload
 
-	if viper.GetString("acl_policy_path") != "" {
-		aclPath := absPath(viper.GetString("acl_policy_path"))
-		err = h.LoadACLPolicy(aclPath)
+	if cfg.ACL.PolicyPath != "" {
+		aclPath := headscale.AbsolutePathFromConfigPath(cfg.ACL.PolicyPath)
+		err = app.LoadACLPolicy(aclPath)
 		if err != nil {
-			log.Error().
+			log.Fatal().
 				Str("path", aclPath).
 				Err(err).
 				Msg("Could not load the ACL policy")
 		}
 	}
 
-	return h, nil
+	return app, nil
 }
 
-func loadDerpMap(path string) (*tailcfg.DERPMap, error) {
-	derpFile, err := os.Open(path)
+func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.ClientConn, context.CancelFunc) {
+	cfg, err := headscale.GetHeadscaleConfig()
 	if err != nil {
-		return nil, err
+		log.Fatal().
+			Err(err).
+			Caller().
+			Msgf("Failed to load configuration")
+		os.Exit(-1) // we get here if logging is suppressed (i.e., json output)
 	}
-	defer derpFile.Close()
-	var derpMap tailcfg.DERPMap
-	b, err := io.ReadAll(derpFile)
+
+	log.Debug().
+		Dur("timeout", cfg.CLI.Timeout).
+		Msgf("Setting timeout")
+
+	ctx, cancel := context.WithTimeout(context.Background(), cfg.CLI.Timeout)
+
+	grpcOptions := []grpc.DialOption{
+		grpc.WithBlock(),
+	}
+
+	address := cfg.CLI.Address
+
+	// If the address is not set, we assume that we are on the server hosting headscale.
+	if address == "" {
+		log.Debug().
+			Str("socket", cfg.UnixSocket).
+			Msgf("HEADSCALE_CLI_ADDRESS environment is not set, connecting to unix socket.")
+
+		address = cfg.UnixSocket
+
+		// Try to give the user better feedback if we cannot write to the headscale
+		// socket.
+		socket, err := os.OpenFile(cfg.UnixSocket, os.O_WRONLY, SocketWritePermissions) //nolint
+		if err != nil {
+			if os.IsPermission(err) {
+				log.Fatal().
+					Err(err).
+					Str("socket", cfg.UnixSocket).
+					Msgf("Unable to read/write to headscale socket, do you have the correct permissions?")
+			}
+		}
+		socket.Close()
+
+		grpcOptions = append(
+			grpcOptions,
+			grpc.WithTransportCredentials(insecure.NewCredentials()),
+			grpc.WithContextDialer(headscale.GrpcSocketDialer),
+		)
+	} else {
+		// If we are not connecting to a local server, require an API key for authentication
+		apiKey := cfg.CLI.APIKey
+		if apiKey == "" {
+			log.Fatal().Caller().Msgf("HEADSCALE_CLI_API_KEY environment variable needs to be set.")
+		}
+		grpcOptions = append(grpcOptions,
+			grpc.WithPerRPCCredentials(tokenAuth{
+				token: apiKey,
+			}),
+		)
+
+		if cfg.CLI.Insecure {
+			tlsConfig := &tls.Config{
+				// turn of gosec as we are intentionally setting
+				// insecure.
+				//nolint:gosec
+				InsecureSkipVerify: true,
+			}
+
+			grpcOptions = append(grpcOptions,
+				grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig)),
+			)
+		} else {
+			grpcOptions = append(grpcOptions,
+				grpc.WithTransportCredentials(credentials.NewClientTLSFromCert(nil, "")),
+			)
+		}
+	}
+
+	log.Trace().Caller().Str("address", address).Msg("Connecting via gRPC")
+	conn, err := grpc.DialContext(ctx, address, grpcOptions...)
 	if err != nil {
-		return nil, err
+		log.Fatal().Caller().Err(err).Msgf("Could not connect: %v", err)
+		os.Exit(-1) // we get here if logging is suppressed (i.e., json output)
 	}
-	err = yaml.Unmarshal(b, &derpMap)
-	return &derpMap, err
+
+	client := v1.NewHeadscaleServiceClient(conn)
+
+	return ctx, client, conn, cancel
 }
 
-func JsonOutput(result interface{}, errResult error, outputFormat string) {
-	var j []byte
+func SuccessOutput(result interface{}, override string, outputFormat string) {
+	var jsonBytes []byte
 	var err error
 	switch outputFormat {
 	case "json":
-		if errResult != nil {
-			j, err = json.MarshalIndent(ErrorOutput{errResult.Error()}, "", "\t")
-			if err != nil {
-				log.Fatal().Err(err)
-			}
-		} else {
-			j, err = json.MarshalIndent(result, "", "\t")
-			if err != nil {
-				log.Fatal().Err(err)
-			}
+		jsonBytes, err = json.MarshalIndent(result, "", "\t")
+		if err != nil {
+			log.Fatal().Err(err)
 		}
 	case "json-line":
-		if errResult != nil {
-			j, err = json.Marshal(ErrorOutput{errResult.Error()})
-			if err != nil {
-				log.Fatal().Err(err)
-			}
-		} else {
-			j, err = json.Marshal(result)
-			if err != nil {
-				log.Fatal().Err(err)
-			}
+		jsonBytes, err = json.Marshal(result)
+		if err != nil {
+			log.Fatal().Err(err)
 		}
+	case "yaml":
+		jsonBytes, err = yaml.Marshal(result)
+		if err != nil {
+			log.Fatal().Err(err)
+		}
+	default:
+		//nolint
+		fmt.Println(override)
+
+		return
 	}
-	fmt.Println(string(j))
+
+	//nolint
+	fmt.Println(string(jsonBytes))
 }
 
-func HasJsonOutputFlag() bool {
+func ErrorOutput(errResult error, override string, outputFormat string) {
+	type errOutput struct {
+		Error string `json:"error"`
+	}
+
+	SuccessOutput(errOutput{errResult.Error()}, override, outputFormat)
+}
+
+func HasMachineOutputFlag() bool {
 	for _, arg := range os.Args {
-		if arg == "json" || arg == "json-line" {
+		if arg == "json" || arg == "json-line" || arg == "yaml" {
 			return true
 		}
 	}
+
+	return false
+}
+
+type tokenAuth struct {
+	token string
+}
+
+// Return value is mapped to request headers.
+func (t tokenAuth) GetRequestMetadata(
+	ctx context.Context,
+	in ...string,
+) (map[string]string, error) {
+	return map[string]string{
+		"authorization": "Bearer " + t.token,
+	}, nil
+}
+
+func (tokenAuth) RequireTransportSecurity() bool {
+	return true
+}
+
+func contains[T string](ts []T, t T) bool {
+	for _, v := range ts {
+		if reflect.DeepEqual(v, t) {
+			return true
+		}
+	}
+
 	return false
 }

cmd/headscale/cli/version.go

@@ -1,9 +1,6 @@
 package cli
 
 import (
-	"fmt"
-	"strings"
-
 	"github.com/spf13/cobra"
 )
 
@@ -18,11 +15,7 @@ var versionCmd = &cobra.Command{
 	Short: "Print the version.",
 	Long:  "The version of headscale.",
 	Run: func(cmd *cobra.Command, args []string) {
-		o, _ := cmd.Flags().GetString("output")
-		if strings.HasPrefix(o, "json") {
-			JsonOutput(map[string]string{"version": Version}, nil, o)
-			return
-		}
-		fmt.Println(Version)
+		output, _ := cmd.Flags().GetString("output")
+		SuccessOutput(map[string]string{"version": Version}, Version, output)
 	},
 }

cmd/headscale/headscale.go

@@ -1,17 +1,13 @@
 package main
 
 import (
-	"fmt"
 	"os"
-	"runtime"
 	"time"
 
 	"github.com/efekarakus/termcolor"
 	"github.com/juanfont/headscale/cmd/headscale/cli"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
-	"github.com/spf13/viper"
-	"github.com/tcnksm/go-latest"
 )
 
 func main() {
@@ -23,6 +19,8 @@ func main() {
 		colors = true
 	case termcolor.LevelBasic:
 		colors = true
+	case termcolor.LevelNone:
+		colors = false
 	default:
 		// no color, return text as is.
 		colors = false
@@ -41,41 +39,5 @@ func main() {
 		NoColor:    !colors,
 	})
 
-	err := cli.LoadConfig("")
-	if err != nil {
-		log.Fatal().Err(err)
-	}
-
-	logLevel := viper.GetString("log_level")
-	switch logLevel {
-	case "trace":
-		zerolog.SetGlobalLevel(zerolog.TraceLevel)
-	case "debug":
-		zerolog.SetGlobalLevel(zerolog.DebugLevel)
-	case "info":
-		zerolog.SetGlobalLevel(zerolog.InfoLevel)
-	case "warn":
-		zerolog.SetGlobalLevel(zerolog.WarnLevel)
-	case "error":
-		zerolog.SetGlobalLevel(zerolog.ErrorLevel)
-	default:
-		zerolog.SetGlobalLevel(zerolog.DebugLevel)
-	}
-
-	jsonOutput := cli.HasJsonOutputFlag()
-	if !viper.GetBool("disable_check_updates") && !jsonOutput {
-		if (runtime.GOOS == "linux" || runtime.GOOS == "darwin") && cli.Version != "dev" {
-			githubTag := &latest.GithubTag{
-				Owner:      "juanfont",
-				Repository: "headscale",
-			}
-			res, err := latest.Check(githubTag, cli.Version)
-			if err == nil && res.Outdated {
-				fmt.Printf("An updated version of Headscale has been found (%s vs. your current %s). Check it out https://github.com/juanfont/headscale/releases\n",
-					res.Current, cli.Version)
-			}
-		}
-	}
-
 	cli.Execute()
 }

cmd/headscale/headscale_test.go

@@ -1,14 +1,13 @@
 package main
 
 import (
-	"fmt"
-	"io/ioutil"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"strings"
 	"testing"
 
-	"github.com/juanfont/headscale/cmd/headscale/cli"
+	"github.com/juanfont/headscale"
 	"github.com/spf13/viper"
 	"gopkg.in/check.v1"
 )
@@ -25,11 +24,10 @@ func (s *Suite) SetUpSuite(c *check.C) {
 }
 
 func (s *Suite) TearDownSuite(c *check.C) {
-
 }
 
-func (*Suite) TestPostgresConfigLoading(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "headscale")
+func (*Suite) TestConfigFileLoading(c *check.C) {
+	tmpDir, err := os.MkdirTemp("", "headscale")
 	if err != nil {
 		c.Fatal(err)
 	}
@@ -40,63 +38,41 @@ func (*Suite) TestPostgresConfigLoading(c *check.C) {
 		c.Fatal(err)
 	}
 
+	cfgFile := filepath.Join(tmpDir, "config.yaml")
+
 	// Symlink the example config file
-	err = os.Symlink(filepath.Clean(path+"/../../config.json.postgres.example"), filepath.Join(tmpDir, "config.json"))
+	err = os.Symlink(
+		filepath.Clean(path+"/../../config-example.yaml"),
+		cfgFile,
+	)
 	if err != nil {
 		c.Fatal(err)
 	}
 
 	// Load example config, it should load without validation errors
-	err = cli.LoadConfig(tmpDir)
+	err = headscale.LoadConfig(cfgFile, true)
 	c.Assert(err, check.IsNil)
 
 	// Test that config file was interpreted correctly
 	c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
-	c.Assert(viper.GetString("listen_addr"), check.Equals, "0.0.0.0:8080")
-	c.Assert(viper.GetString("derp_map_path"), check.Equals, "derp.yaml")
-	c.Assert(viper.GetString("db_type"), check.Equals, "postgres")
-	c.Assert(viper.GetString("db_port"), check.Equals, "5432")
-	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
-	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
-	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
-}
-
-func (*Suite) TestSqliteConfigLoading(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "headscale")
-	if err != nil {
-		c.Fatal(err)
-	}
-	defer os.RemoveAll(tmpDir)
-
-	path, err := os.Getwd()
-	if err != nil {
-		c.Fatal(err)
-	}
-
-	// Symlink the example config file
-	err = os.Symlink(filepath.Clean(path+"/../../config.json.sqlite.example"), filepath.Join(tmpDir, "config.json"))
-	if err != nil {
-		c.Fatal(err)
-	}
-
-	// Load example config, it should load without validation errors
-	err = cli.LoadConfig(tmpDir)
-	c.Assert(err, check.IsNil)
-
-	// Test that config file was interpreted correctly
-	c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
-	c.Assert(viper.GetString("listen_addr"), check.Equals, "0.0.0.0:8080")
-	c.Assert(viper.GetString("derp_map_path"), check.Equals, "derp.yaml")
+	c.Assert(viper.GetString("listen_addr"), check.Equals, "127.0.0.1:8080")
+	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
 	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
-	c.Assert(viper.GetString("db_path"), check.Equals, "db.sqlite")
+	c.Assert(viper.GetString("db_path"), check.Equals, "./db.sqlite")
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
 	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
+	c.Assert(
+		headscale.GetFileMode("unix_socket_permission"),
+		check.Equals,
+		fs.FileMode(0o770),
+	)
+	c.Assert(viper.GetBool("logtail.enabled"), check.Equals, false)
 }
 
-func (*Suite) TestDNSConfigLoading(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "headscale")
+func (*Suite) TestConfigLoading(c *check.C) {
+	tmpDir, err := os.MkdirTemp("", "headscale")
 	if err != nil {
 		c.Fatal(err)
 	}
@@ -108,16 +84,63 @@ func (*Suite) TestDNSConfigLoading(c *check.C) {
 	}
 
 	// Symlink the example config file
-	err = os.Symlink(filepath.Clean(path+"/../../config.json.sqlite.example"), filepath.Join(tmpDir, "config.json"))
+	err = os.Symlink(
+		filepath.Clean(path+"/../../config-example.yaml"),
+		filepath.Join(tmpDir, "config.yaml"),
+	)
 	if err != nil {
 		c.Fatal(err)
 	}
 
 	// Load example config, it should load without validation errors
-	err = cli.LoadConfig(tmpDir)
+	err = headscale.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)
 
-	dnsConfig, baseDomain := cli.GetDNSConfig()
+	// Test that config file was interpreted correctly
+	c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
+	c.Assert(viper.GetString("listen_addr"), check.Equals, "127.0.0.1:8080")
+	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
+	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
+	c.Assert(viper.GetString("db_path"), check.Equals, "./db.sqlite")
+	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
+	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
+	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
+	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
+	c.Assert(
+		headscale.GetFileMode("unix_socket_permission"),
+		check.Equals,
+		fs.FileMode(0o770),
+	)
+	c.Assert(viper.GetBool("logtail.enabled"), check.Equals, false)
+	c.Assert(viper.GetBool("randomize_client_port"), check.Equals, false)
+}
+
+func (*Suite) TestDNSConfigLoading(c *check.C) {
+	tmpDir, err := os.MkdirTemp("", "headscale")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	path, err := os.Getwd()
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	// Symlink the example config file
+	err = os.Symlink(
+		filepath.Clean(path+"/../../config-example.yaml"),
+		filepath.Join(tmpDir, "config.yaml"),
+	)
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	// Load example config, it should load without validation errors
+	err = headscale.LoadConfig(tmpDir, false)
+	c.Assert(err, check.IsNil)
+
+	dnsConfig, baseDomain := headscale.GetDNSConfig()
 
 	c.Assert(dnsConfig.Nameservers[0].String(), check.Equals, "1.1.1.1")
 	c.Assert(dnsConfig.Resolvers[0].Addr, check.Equals, "1.1.1.1")
@@ -128,36 +151,56 @@ func (*Suite) TestDNSConfigLoading(c *check.C) {
 func writeConfig(c *check.C, tmpDir string, configYaml []byte) {
 	// Populate a custom config file
 	configFile := filepath.Join(tmpDir, "config.yaml")
-	err := ioutil.WriteFile(configFile, configYaml, 0644)
+	err := os.WriteFile(configFile, configYaml, 0o600)
 	if err != nil {
 		c.Fatalf("Couldn't write file %s", configFile)
 	}
 }
 
 func (*Suite) TestTLSConfigValidation(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "headscale")
+	tmpDir, err := os.MkdirTemp("", "headscale")
 	if err != nil {
 		c.Fatal(err)
 	}
-	//defer os.RemoveAll(tmpDir)
-	fmt.Println(tmpDir)
-
-	configYaml := []byte("---\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"\"\ntls_cert_path: \"abc.pem\"")
+	// defer os.RemoveAll(tmpDir)
+	configYaml := []byte(`---
+tls_letsencrypt_hostname: example.com
+tls_letsencrypt_challenge_type: ""
+tls_cert_path: abc.pem
+noise:
+  private_key_path: noise_private.key`)
 	writeConfig(c, tmpDir, configYaml)
 
 	// Check configuration validation errors (1)
-	err = cli.LoadConfig(tmpDir)
+	err = headscale.LoadConfig(tmpDir, false)
 	c.Assert(err, check.NotNil)
 	// check.Matches can not handle multiline strings
 	tmp := strings.ReplaceAll(err.Error(), "\n", "***")
-	c.Assert(tmp, check.Matches, ".*Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both.*")
-	c.Assert(tmp, check.Matches, ".*Fatal config error: the only supported values for tls_letsencrypt_challenge_type are.*")
-	c.Assert(tmp, check.Matches, ".*Fatal config error: server_url must start with https:// or http://.*")
-	fmt.Println(tmp)
+	c.Assert(
+		tmp,
+		check.Matches,
+		".*Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both.*",
+	)
+	c.Assert(
+		tmp,
+		check.Matches,
+		".*Fatal config error: the only supported values for tls_letsencrypt_challenge_type are.*",
+	)
+	c.Assert(
+		tmp,
+		check.Matches,
+		".*Fatal config error: server_url must start with https:// or http://.*",
+	)
 
 	// Check configuration validation errors (2)
-	configYaml = []byte("---\nserver_url: \"http://127.0.0.1:8080\"\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"TLS-ALPN-01\"")
+	configYaml = []byte(`---
+noise:
+  private_key_path: noise_private.key
+server_url: http://127.0.0.1:8080
+tls_letsencrypt_hostname: example.com
+tls_letsencrypt_challenge_type: TLS-ALPN-01
+`)
 	writeConfig(c, tmpDir, configYaml)
-	err = cli.LoadConfig(tmpDir)
+	err = headscale.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)
 }

config-example.yaml

@@ -0,0 +1,322 @@
+---
+# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order:
+#
+# - `/etc/headscale`
+# - `~/.headscale`
+# - current working directory
+
+# The url clients will connect to.
+# Typically this will be a domain like:
+#
+# https://myheadscale.example.com:443
+#
+server_url: http://127.0.0.1:8080
+
+# Address to listen to / bind to on the server
+#
+# For production:
+# listen_addr: 0.0.0.0:8080
+listen_addr: 127.0.0.1:8080
+
+# Address to listen to /metrics, you may want
+# to keep this endpoint private to your internal
+# network
+#
+metrics_listen_addr: 127.0.0.1:9090
+
+# Address to listen for gRPC.
+# gRPC is used for controlling a headscale server
+# remotely with the CLI
+# Note: Remote access _only_ works if you have
+# valid certificates.
+#
+# For production:
+# grpc_listen_addr: 0.0.0.0:50443
+grpc_listen_addr: 127.0.0.1:50443
+
+# Allow the gRPC admin interface to run in INSECURE
+# mode. This is not recommended as the traffic will
+# be unencrypted. Only enable if you know what you
+# are doing.
+grpc_allow_insecure: false
+
+# Private key used to encrypt the traffic between headscale
+# and Tailscale clients.
+# The private key file will be autogenerated if it's missing.
+#
+# For production:
+# /var/lib/headscale/private.key
+private_key_path: ./private.key
+
+# The Noise section includes specific configuration for the
+# TS2021 Noise protocol
+noise:
+  # The Noise private key is used to encrypt the
+  # traffic between headscale and Tailscale clients when
+  # using the new Noise-based protocol. It must be different
+  # from the legacy private key.
+  #
+  # For production:
+  # private_key_path: /var/lib/headscale/noise_private.key
+  private_key_path: ./noise_private.key
+
+# List of IP prefixes to allocate tailaddresses from.
+# Each prefix consists of either an IPv4 or IPv6 address,
+# and the associated prefix length, delimited by a slash.
+# While this looks like it can take arbitrary values, it
+# needs to be within IP ranges supported by the Tailscale
+# client.
+# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
+# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
+ip_prefixes:
+  - fd7a:115c:a1e0::/48
+  - 100.64.0.0/10
+
+# DERP is a relay system that Tailscale uses when a direct
+# connection cannot be established.
+# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp
+#
+# headscale needs a list of DERP servers that can be presented
+# to the clients.
+derp:
+  server:
+    # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
+    # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
+    enabled: false
+
+    # Region ID to use for the embedded DERP server.
+    # The local DERP prevails if the region ID collides with other region ID coming from
+    # the regular DERP config.
+    region_id: 999
+
+    # Region code and name are displayed in the Tailscale UI to identify a DERP region
+    region_code: "headscale"
+    region_name: "Headscale Embedded DERP"
+
+    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
+    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
+    #
+    # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
+    stun_listen_addr: "0.0.0.0:3478"
+
+  # List of externally available DERP maps encoded in JSON
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+
+  # Locally available DERP map files encoded in YAML
+  #
+  # This option is mostly interesting for people hosting
+  # their own DERP servers:
+  # https://tailscale.com/kb/1118/custom-derp-servers/
+  #
+  # paths:
+  #   - /etc/headscale/derp-example.yaml
+  paths: []
+
+  # If enabled, a worker will be set up to periodically
+  # refresh the given sources and update the derpmap
+  # will be set up.
+  auto_update_enabled: true
+
+  # How often should we check for DERP updates?
+  update_frequency: 24h
+
+# Disables the automatic check for headscale updates on startup
+disable_check_updates: false
+
+# Time before an inactive ephemeral node is deleted?
+ephemeral_node_inactivity_timeout: 30m
+
+# Period to check for node updates within the tailnet. A value too low will severely affect
+# CPU consumption of Headscale. A value too high (over 60s) will cause problems
+# for the nodes, as they won't get updates or keep alive messages frequently enough.
+# In case of doubts, do not touch the default 10s.
+node_update_check_interval: 10s
+
+# SQLite config
+db_type: sqlite3
+
+# For production:
+# db_path: /var/lib/headscale/db.sqlite
+db_path: ./db.sqlite
+
+# # Postgres config
+# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
+# db_type: postgres
+# db_host: localhost
+# db_port: 5432
+# db_name: headscale
+# db_user: foo
+# db_pass: bar
+
+# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
+# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
+# db_ssl: false
+
+### TLS configuration
+#
+## Let's encrypt / ACME
+#
+# headscale supports automatically requesting and setting up
+# TLS for a domain with Let's Encrypt.
+#
+# URL to ACME directory
+acme_url: https://acme-v02.api.letsencrypt.org/directory
+
+# Email to register with ACME provider
+acme_email: ""
+
+# Domain name to request a TLS certificate for:
+tls_letsencrypt_hostname: ""
+
+# Path to store certificates and metadata needed by
+# letsencrypt
+# For production:
+# tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+tls_letsencrypt_cache_dir: ./cache
+
+# Type of ACME challenge to use, currently supported types:
+# HTTP-01 or TLS-ALPN-01
+# See [docs/tls.md](docs/tls.md) for more information
+tls_letsencrypt_challenge_type: HTTP-01
+# When HTTP-01 challenge is chosen, letsencrypt must set up a
+# verification endpoint, and it will be listening on:
+# :http = port 80
+tls_letsencrypt_listen: ":http"
+
+## Use already defined certificates:
+tls_cert_path: ""
+tls_key_path: ""
+
+log:
+  # Output formatting for logs: text or json
+  format: text
+  level: info
+
+# Path to a file containg ACL policies.
+# ACLs can be defined as YAML or HUJSON.
+# https://tailscale.com/kb/1018/acls/
+acl_policy_path: ""
+
+## DNS
+#
+# headscale supports Tailscale's DNS configuration and MagicDNS.
+# Please have a look to their KB to better understand the concepts:
+#
+# - https://tailscale.com/kb/1054/dns/
+# - https://tailscale.com/kb/1081/magicdns/
+# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
+#
+dns_config:
+  # Whether to prefer using Headscale provided DNS or use local.
+  override_local_dns: true
+
+  # List of DNS servers to expose to clients.
+  nameservers:
+    - 1.1.1.1
+
+  # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+  # "abc123" is example NextDNS ID, replace with yours.
+  #
+  # With metadata sharing:
+  # nameservers:
+  #   - https://dns.nextdns.io/abc123
+  #
+  # Without metadata sharing:
+  # nameservers:
+  #   - 2a07:a8c0::ab:c123
+  #   - 2a07:a8c1::ab:c123
+
+  # Split DNS (see https://tailscale.com/kb/1054/dns/),
+  # list of search domains and the DNS to query for each one.
+  #
+  # restricted_nameservers:
+  #   foo.bar.com:
+  #     - 1.1.1.1
+  #   darp.headscale.net:
+  #     - 1.1.1.1
+  #     - 8.8.8.8
+
+  # Search domains to inject.
+  domains: []
+
+  # Extra DNS records
+  # so far only A-records are supported (on the tailscale side)
+  # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
+  # extra_records:
+  #   - name: "grafana.myvpn.example.com"
+  #     type: "A"
+  #     value: "100.64.0.3"
+  #
+  #   # you can also put it in one line
+  #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
+
+  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
+  # Only works if there is at least a nameserver defined.
+  magic_dns: true
+
+  # Defines the base domain to create the hostnames for MagicDNS.
+  # `base_domain` must be a FQDNs, without the trailing dot.
+  # The FQDN of the hosts will be
+  # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
+  base_domain: example.com
+
+# Unix socket used for the CLI to connect without authentication
+# Note: for production you will want to set this to something like:
+# unix_socket: /var/run/headscale.sock
+unix_socket: ./headscale.sock
+unix_socket_permission: "0770"
+#
+# headscale supports experimental OpenID connect support,
+# it is still being tested and might have some bugs, please
+# help us test it.
+# OpenID Connect
+# oidc:
+#   only_start_if_oidc_is_available: true
+#   issuer: "https://your-oidc.issuer.com/path"
+#   client_id: "your-oidc-client-id"
+#   client_secret: "your-oidc-client-secret"
+#   # Alternatively, set `client_secret_path` to read the secret from the file.
+#   # It resolves environment variables, making integration to systemd's
+#   # `LoadCredential` straightforward:
+#   client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
+#   # client_secret and client_secret_path are mutually exclusive.
+#
+#   Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
+#   parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+#
+#   scope: ["openid", "profile", "email", "custom"]
+#   extra_params:
+#     domain_hint: example.com
+#
+#   List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
+#   authentication request will be rejected.
+#
+#   allowed_domains:
+#     - example.com
+# Groups from keycloak have a leading '/'
+#   allowed_groups:
+#     - /headscale
+#   allowed_users:
+#     - alice@example.com
+#
+#   If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
+#   This will transform `first-name.last-name@example.com` to the user `first-name.last-name`
+#   If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
+#   user: `first-name.last-name.example.com`
+#
+#   strip_email_domain: true
+
+# Logtail configuration
+# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
+# to instruct tailscale nodes to log their activity to a remote server.
+logtail:
+  # Enable logtail for this headscales clients.
+  # As there is currently no support for overriding the log server in headscale, this is
+  # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
+  enabled: false
+
+# Enabling this option makes devices prefer a random port for WireGuard traffic over the
+# default static port 41641. This option is intended as a workaround for some buggy
+# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
+randomize_client_port: false

config.go

@@ -0,0 +1,626 @@
+package headscale
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+	"net/netip"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/viper"
+	"go4.org/netipx"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/dnstype"
+)
+
+const (
+	tlsALPN01ChallengeType = "TLS-ALPN-01"
+	http01ChallengeType    = "HTTP-01"
+
+	JSONLogFormat = "json"
+	TextLogFormat = "text"
+)
+
+var errOidcMutuallyExclusive = errors.New("oidc_client_secret and oidc_client_secret_path are mutually exclusive")
+
+// Config contains the initial Headscale configuration.
+type Config struct {
+	ServerURL                      string
+	Addr                           string
+	MetricsAddr                    string
+	GRPCAddr                       string
+	GRPCAllowInsecure              bool
+	EphemeralNodeInactivityTimeout time.Duration
+	NodeUpdateCheckInterval        time.Duration
+	IPPrefixes                     []netip.Prefix
+	PrivateKeyPath                 string
+	NoisePrivateKeyPath            string
+	BaseDomain                     string
+	Log                            LogConfig
+	DisableUpdateCheck             bool
+
+	DERP DERPConfig
+
+	DBtype string
+	DBpath string
+	DBhost string
+	DBport int
+	DBname string
+	DBuser string
+	DBpass string
+	DBssl  string
+
+	TLS TLSConfig
+
+	ACMEURL   string
+	ACMEEmail string
+
+	DNSConfig *tailcfg.DNSConfig
+
+	UnixSocket           string
+	UnixSocketPermission fs.FileMode
+
+	OIDC OIDCConfig
+
+	LogTail             LogTailConfig
+	RandomizeClientPort bool
+
+	CLI CLIConfig
+
+	ACL ACLConfig
+}
+
+type TLSConfig struct {
+	CertPath string
+	KeyPath  string
+
+	LetsEncrypt LetsEncryptConfig
+}
+
+type LetsEncryptConfig struct {
+	Listen        string
+	Hostname      string
+	CacheDir      string
+	ChallengeType string
+}
+
+type OIDCConfig struct {
+	OnlyStartIfOIDCIsAvailable bool
+	Issuer                     string
+	ClientID                   string
+	ClientSecret               string
+	Scope                      []string
+	ExtraParams                map[string]string
+	AllowedDomains             []string
+	AllowedUsers               []string
+	AllowedGroups              []string
+	StripEmaildomain           bool
+}
+
+type DERPConfig struct {
+	ServerEnabled    bool
+	ServerRegionID   int
+	ServerRegionCode string
+	ServerRegionName string
+	STUNAddr         string
+	URLs             []url.URL
+	Paths            []string
+	AutoUpdate       bool
+	UpdateFrequency  time.Duration
+}
+
+type LogTailConfig struct {
+	Enabled bool
+}
+
+type CLIConfig struct {
+	Address  string
+	APIKey   string
+	Timeout  time.Duration
+	Insecure bool
+}
+
+type ACLConfig struct {
+	PolicyPath string
+}
+
+type LogConfig struct {
+	Format string
+	Level  zerolog.Level
+}
+
+func LoadConfig(path string, isFile bool) error {
+	if isFile {
+		viper.SetConfigFile(path)
+	} else {
+		viper.SetConfigName("config")
+		if path == "" {
+			viper.AddConfigPath("/etc/headscale/")
+			viper.AddConfigPath("$HOME/.headscale")
+			viper.AddConfigPath(".")
+		} else {
+			// For testing
+			viper.AddConfigPath(path)
+		}
+	}
+
+	viper.SetEnvPrefix("headscale")
+	viper.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
+	viper.AutomaticEnv()
+
+	viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
+	viper.SetDefault("tls_letsencrypt_challenge_type", http01ChallengeType)
+
+	viper.SetDefault("log.level", "info")
+	viper.SetDefault("log.format", TextLogFormat)
+
+	viper.SetDefault("dns_config", nil)
+	viper.SetDefault("dns_config.override_local_dns", true)
+
+	viper.SetDefault("derp.server.enabled", false)
+	viper.SetDefault("derp.server.stun.enabled", true)
+
+	viper.SetDefault("unix_socket", "/var/run/headscale.sock")
+	viper.SetDefault("unix_socket_permission", "0o770")
+
+	viper.SetDefault("grpc_listen_addr", ":50443")
+	viper.SetDefault("grpc_allow_insecure", false)
+
+	viper.SetDefault("cli.timeout", "5s")
+	viper.SetDefault("cli.insecure", false)
+
+	viper.SetDefault("db_ssl", false)
+
+	viper.SetDefault("oidc.scope", []string{oidc.ScopeOpenID, "profile", "email"})
+	viper.SetDefault("oidc.strip_email_domain", true)
+	viper.SetDefault("oidc.only_start_if_oidc_is_available", true)
+
+	viper.SetDefault("logtail.enabled", false)
+	viper.SetDefault("randomize_client_port", false)
+
+	viper.SetDefault("ephemeral_node_inactivity_timeout", "120s")
+
+	viper.SetDefault("node_update_check_interval", "10s")
+
+	if IsCLIConfigured() {
+		return nil
+	}
+
+	if err := viper.ReadInConfig(); err != nil {
+		log.Warn().Err(err).Msg("Failed to read configuration from disk")
+
+		return fmt.Errorf("fatal error reading config file: %w", err)
+	}
+
+	// Collect any validation errors and return them all at once
+	var errorText string
+	if (viper.GetString("tls_letsencrypt_hostname") != "") &&
+		((viper.GetString("tls_cert_path") != "") || (viper.GetString("tls_key_path") != "")) {
+		errorText += "Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both\n"
+	}
+
+	if !viper.IsSet("noise") || viper.GetString("noise.private_key_path") == "" {
+		errorText += "Fatal config error: headscale now requires a new `noise.private_key_path` field in the config file for the Tailscale v2 protocol\n"
+	}
+
+	if (viper.GetString("tls_letsencrypt_hostname") != "") &&
+		(viper.GetString("tls_letsencrypt_challenge_type") == tlsALPN01ChallengeType) &&
+		(!strings.HasSuffix(viper.GetString("listen_addr"), ":443")) {
+		// this is only a warning because there could be something sitting in front of headscale that redirects the traffic (e.g. an iptables rule)
+		log.Warn().
+			Msg("Warning: when using tls_letsencrypt_hostname with TLS-ALPN-01 as challenge type, headscale must be reachable on port 443, i.e. listen_addr should probably end in :443")
+	}
+
+	if (viper.GetString("tls_letsencrypt_challenge_type") != http01ChallengeType) &&
+		(viper.GetString("tls_letsencrypt_challenge_type") != tlsALPN01ChallengeType) {
+		errorText += "Fatal config error: the only supported values for tls_letsencrypt_challenge_type are HTTP-01 and TLS-ALPN-01\n"
+	}
+
+	if !strings.HasPrefix(viper.GetString("server_url"), "http://") &&
+		!strings.HasPrefix(viper.GetString("server_url"), "https://") {
+		errorText += "Fatal config error: server_url must start with https:// or http://\n"
+	}
+
+	// Minimum inactivity time out is keepalive timeout (60s) plus a few seconds
+	// to avoid races
+	minInactivityTimeout, _ := time.ParseDuration("65s")
+	if viper.GetDuration("ephemeral_node_inactivity_timeout") <= minInactivityTimeout {
+		errorText += fmt.Sprintf(
+			"Fatal config error: ephemeral_node_inactivity_timeout (%s) is set too low, must be more than %s",
+			viper.GetString("ephemeral_node_inactivity_timeout"),
+			minInactivityTimeout,
+		)
+	}
+
+	maxNodeUpdateCheckInterval, _ := time.ParseDuration("60s")
+	if viper.GetDuration("node_update_check_interval") > maxNodeUpdateCheckInterval {
+		errorText += fmt.Sprintf(
+			"Fatal config error: node_update_check_interval (%s) is set too high, must be less than %s",
+			viper.GetString("node_update_check_interval"),
+			maxNodeUpdateCheckInterval,
+		)
+	}
+
+	if errorText != "" {
+		//nolint
+		return errors.New(strings.TrimSuffix(errorText, "\n"))
+	} else {
+		return nil
+	}
+}
+
+func GetTLSConfig() TLSConfig {
+	return TLSConfig{
+		LetsEncrypt: LetsEncryptConfig{
+			Hostname: viper.GetString("tls_letsencrypt_hostname"),
+			Listen:   viper.GetString("tls_letsencrypt_listen"),
+			CacheDir: AbsolutePathFromConfigPath(
+				viper.GetString("tls_letsencrypt_cache_dir"),
+			),
+			ChallengeType: viper.GetString("tls_letsencrypt_challenge_type"),
+		},
+		CertPath: AbsolutePathFromConfigPath(
+			viper.GetString("tls_cert_path"),
+		),
+		KeyPath: AbsolutePathFromConfigPath(
+			viper.GetString("tls_key_path"),
+		),
+	}
+}
+
+func GetDERPConfig() DERPConfig {
+	serverEnabled := viper.GetBool("derp.server.enabled")
+	serverRegionID := viper.GetInt("derp.server.region_id")
+	serverRegionCode := viper.GetString("derp.server.region_code")
+	serverRegionName := viper.GetString("derp.server.region_name")
+	stunAddr := viper.GetString("derp.server.stun_listen_addr")
+
+	if serverEnabled && stunAddr == "" {
+		log.Fatal().
+			Msg("derp.server.stun_listen_addr must be set if derp.server.enabled is true")
+	}
+
+	urlStrs := viper.GetStringSlice("derp.urls")
+
+	urls := make([]url.URL, len(urlStrs))
+	for index, urlStr := range urlStrs {
+		urlAddr, err := url.Parse(urlStr)
+		if err != nil {
+			log.Error().
+				Str("url", urlStr).
+				Err(err).
+				Msg("Failed to parse url, ignoring...")
+		}
+
+		urls[index] = *urlAddr
+	}
+
+	paths := viper.GetStringSlice("derp.paths")
+
+	autoUpdate := viper.GetBool("derp.auto_update_enabled")
+	updateFrequency := viper.GetDuration("derp.update_frequency")
+
+	return DERPConfig{
+		ServerEnabled:    serverEnabled,
+		ServerRegionID:   serverRegionID,
+		ServerRegionCode: serverRegionCode,
+		ServerRegionName: serverRegionName,
+		STUNAddr:         stunAddr,
+		URLs:             urls,
+		Paths:            paths,
+		AutoUpdate:       autoUpdate,
+		UpdateFrequency:  updateFrequency,
+	}
+}
+
+func GetLogTailConfig() LogTailConfig {
+	enabled := viper.GetBool("logtail.enabled")
+
+	return LogTailConfig{
+		Enabled: enabled,
+	}
+}
+
+func GetACLConfig() ACLConfig {
+	policyPath := viper.GetString("acl_policy_path")
+
+	return ACLConfig{
+		PolicyPath: policyPath,
+	}
+}
+
+func GetLogConfig() LogConfig {
+	logLevelStr := viper.GetString("log.level")
+	logLevel, err := zerolog.ParseLevel(logLevelStr)
+	if err != nil {
+		logLevel = zerolog.DebugLevel
+	}
+
+	logFormatOpt := viper.GetString("log.format")
+	var logFormat string
+	switch logFormatOpt {
+	case "json":
+		logFormat = JSONLogFormat
+	case "text":
+		logFormat = TextLogFormat
+	case "":
+		logFormat = TextLogFormat
+	default:
+		log.Error().
+			Str("func", "GetLogConfig").
+			Msgf("Could not parse log format: %s. Valid choices are 'json' or 'text'", logFormatOpt)
+	}
+
+	return LogConfig{
+		Format: logFormat,
+		Level:  logLevel,
+	}
+}
+
+func GetDNSConfig() (*tailcfg.DNSConfig, string) {
+	if viper.IsSet("dns_config") {
+		dnsConfig := &tailcfg.DNSConfig{}
+
+		overrideLocalDNS := viper.GetBool("dns_config.override_local_dns")
+
+		if viper.IsSet("dns_config.nameservers") {
+			nameserversStr := viper.GetStringSlice("dns_config.nameservers")
+
+			nameservers := []netip.Addr{}
+			resolvers := []*dnstype.Resolver{}
+
+			for _, nameserverStr := range nameserversStr {
+				// Search for explicit DNS-over-HTTPS resolvers
+				if strings.HasPrefix(nameserverStr, "https://") {
+					resolvers = append(resolvers, &dnstype.Resolver{
+						Addr: nameserverStr,
+					})
+
+					// This nameserver can not be parsed as an IP address
+					continue
+				}
+
+				// Parse nameserver as a regular IP
+				nameserver, err := netip.ParseAddr(nameserverStr)
+				if err != nil {
+					log.Error().
+						Str("func", "getDNSConfig").
+						Err(err).
+						Msgf("Could not parse nameserver IP: %s", nameserverStr)
+				}
+
+				nameservers = append(nameservers, nameserver)
+				resolvers = append(resolvers, &dnstype.Resolver{
+					Addr: nameserver.String(),
+				})
+			}
+
+			dnsConfig.Nameservers = nameservers
+
+			if overrideLocalDNS {
+				dnsConfig.Resolvers = resolvers
+			} else {
+				dnsConfig.FallbackResolvers = resolvers
+			}
+		}
+
+		if viper.IsSet("dns_config.restricted_nameservers") {
+			if len(dnsConfig.Resolvers) > 0 {
+				dnsConfig.Routes = make(map[string][]*dnstype.Resolver)
+				restrictedDNS := viper.GetStringMapStringSlice(
+					"dns_config.restricted_nameservers",
+				)
+				for domain, restrictedNameservers := range restrictedDNS {
+					restrictedResolvers := make(
+						[]*dnstype.Resolver,
+						len(restrictedNameservers),
+					)
+					for index, nameserverStr := range restrictedNameservers {
+						nameserver, err := netip.ParseAddr(nameserverStr)
+						if err != nil {
+							log.Error().
+								Str("func", "getDNSConfig").
+								Err(err).
+								Msgf("Could not parse restricted nameserver IP: %s", nameserverStr)
+						}
+						restrictedResolvers[index] = &dnstype.Resolver{
+							Addr: nameserver.String(),
+						}
+					}
+					dnsConfig.Routes[domain] = restrictedResolvers
+				}
+			} else {
+				log.Warn().
+					Msg("Warning: dns_config.restricted_nameservers is set, but no nameservers are configured. Ignoring restricted_nameservers.")
+			}
+		}
+
+		if viper.IsSet("dns_config.domains") {
+			domains := viper.GetStringSlice("dns_config.domains")
+			if len(dnsConfig.Resolvers) > 0 {
+				dnsConfig.Domains = domains
+			} else if domains != nil {
+				log.Warn().
+					Msg("Warning: dns_config.domains is set, but no nameservers are configured. Ignoring domains.")
+			}
+		}
+
+		if viper.IsSet("dns_config.extra_records") {
+			var extraRecords []tailcfg.DNSRecord
+
+			err := viper.UnmarshalKey("dns_config.extra_records", &extraRecords)
+			if err != nil {
+				log.Error().
+					Str("func", "getDNSConfig").
+					Err(err).
+					Msgf("Could not parse dns_config.extra_records")
+			}
+
+			dnsConfig.ExtraRecords = extraRecords
+		}
+
+		if viper.IsSet("dns_config.magic_dns") {
+			dnsConfig.Proxied = viper.GetBool("dns_config.magic_dns")
+		}
+
+		var baseDomain string
+		if viper.IsSet("dns_config.base_domain") {
+			baseDomain = viper.GetString("dns_config.base_domain")
+		} else {
+			baseDomain = "headscale.net" // does not really matter when MagicDNS is not enabled
+		}
+
+		return dnsConfig, baseDomain
+	}
+
+	return nil, ""
+}
+
+func GetHeadscaleConfig() (*Config, error) {
+	if IsCLIConfigured() {
+		return &Config{
+			CLI: CLIConfig{
+				Address:  viper.GetString("cli.address"),
+				APIKey:   viper.GetString("cli.api_key"),
+				Timeout:  viper.GetDuration("cli.timeout"),
+				Insecure: viper.GetBool("cli.insecure"),
+			},
+		}, nil
+	}
+
+	dnsConfig, baseDomain := GetDNSConfig()
+	derpConfig := GetDERPConfig()
+	logConfig := GetLogTailConfig()
+	randomizeClientPort := viper.GetBool("randomize_client_port")
+
+	configuredPrefixes := viper.GetStringSlice("ip_prefixes")
+	parsedPrefixes := make([]netip.Prefix, 0, len(configuredPrefixes)+1)
+
+	for i, prefixInConfig := range configuredPrefixes {
+		prefix, err := netip.ParsePrefix(prefixInConfig)
+		if err != nil {
+			panic(fmt.Errorf("failed to parse ip_prefixes[%d]: %w", i, err))
+		}
+		parsedPrefixes = append(parsedPrefixes, prefix)
+	}
+
+	prefixes := make([]netip.Prefix, 0, len(parsedPrefixes))
+	{
+		// dedup
+		normalizedPrefixes := make(map[string]int, len(parsedPrefixes))
+		for i, p := range parsedPrefixes {
+			normalized, _ := netipx.RangeOfPrefix(p).Prefix()
+			normalizedPrefixes[normalized.String()] = i
+		}
+
+		// convert back to list
+		for _, i := range normalizedPrefixes {
+			prefixes = append(prefixes, parsedPrefixes[i])
+		}
+	}
+
+	if len(prefixes) < 1 {
+		prefixes = append(prefixes, netip.MustParsePrefix("100.64.0.0/10"))
+		log.Warn().
+			Msgf("'ip_prefixes' not configured, falling back to default: %v", prefixes)
+	}
+
+	oidcClientSecret := viper.GetString("oidc.client_secret")
+	oidcClientSecretPath := viper.GetString("oidc.client_secret_path")
+	if oidcClientSecretPath != "" && oidcClientSecret != "" {
+		return nil, errOidcMutuallyExclusive
+	}
+	if oidcClientSecretPath != "" {
+		secretBytes, err := os.ReadFile(os.ExpandEnv(oidcClientSecretPath))
+		if err != nil {
+			return nil, err
+		}
+		oidcClientSecret = string(secretBytes)
+	}
+
+	return &Config{
+		ServerURL:          viper.GetString("server_url"),
+		Addr:               viper.GetString("listen_addr"),
+		MetricsAddr:        viper.GetString("metrics_listen_addr"),
+		GRPCAddr:           viper.GetString("grpc_listen_addr"),
+		GRPCAllowInsecure:  viper.GetBool("grpc_allow_insecure"),
+		DisableUpdateCheck: viper.GetBool("disable_check_updates"),
+
+		IPPrefixes: prefixes,
+		PrivateKeyPath: AbsolutePathFromConfigPath(
+			viper.GetString("private_key_path"),
+		),
+		NoisePrivateKeyPath: AbsolutePathFromConfigPath(
+			viper.GetString("noise.private_key_path"),
+		),
+		BaseDomain: baseDomain,
+
+		DERP: derpConfig,
+
+		EphemeralNodeInactivityTimeout: viper.GetDuration(
+			"ephemeral_node_inactivity_timeout",
+		),
+
+		NodeUpdateCheckInterval: viper.GetDuration(
+			"node_update_check_interval",
+		),
+
+		DBtype: viper.GetString("db_type"),
+		DBpath: AbsolutePathFromConfigPath(viper.GetString("db_path")),
+		DBhost: viper.GetString("db_host"),
+		DBport: viper.GetInt("db_port"),
+		DBname: viper.GetString("db_name"),
+		DBuser: viper.GetString("db_user"),
+		DBpass: viper.GetString("db_pass"),
+		DBssl:  viper.GetString("db_ssl"),
+
+		TLS: GetTLSConfig(),
+
+		DNSConfig: dnsConfig,
+
+		ACMEEmail: viper.GetString("acme_email"),
+		ACMEURL:   viper.GetString("acme_url"),
+
+		UnixSocket:           viper.GetString("unix_socket"),
+		UnixSocketPermission: GetFileMode("unix_socket_permission"),
+
+		OIDC: OIDCConfig{
+			OnlyStartIfOIDCIsAvailable: viper.GetBool(
+				"oidc.only_start_if_oidc_is_available",
+			),
+			Issuer:           viper.GetString("oidc.issuer"),
+			ClientID:         viper.GetString("oidc.client_id"),
+			ClientSecret:     oidcClientSecret,
+			Scope:            viper.GetStringSlice("oidc.scope"),
+			ExtraParams:      viper.GetStringMapString("oidc.extra_params"),
+			AllowedDomains:   viper.GetStringSlice("oidc.allowed_domains"),
+			AllowedUsers:     viper.GetStringSlice("oidc.allowed_users"),
+			AllowedGroups:    viper.GetStringSlice("oidc.allowed_groups"),
+			StripEmaildomain: viper.GetBool("oidc.strip_email_domain"),
+		},
+
+		LogTail:             logConfig,
+		RandomizeClientPort: randomizeClientPort,
+
+		ACL: GetACLConfig(),
+
+		CLI: CLIConfig{
+			Address:  viper.GetString("cli.address"),
+			APIKey:   viper.GetString("cli.api_key"),
+			Timeout:  viper.GetDuration("cli.timeout"),
+			Insecure: viper.GetBool("cli.insecure"),
+		},
+
+		Log: GetLogConfig(),
+	}, nil
+}
+
+func IsCLIConfigured() bool {
+	return viper.GetString("cli.address") != "" && viper.GetString("cli.api_key") != ""
+}

config.json.postgres.example

@@ -1,30 +0,0 @@
-{
-    "server_url": "http://127.0.0.1:8080",
-    "listen_addr": "0.0.0.0:8080",
-    "private_key_path": "private.key",
-    "derp_map_path": "derp.yaml",
-    "ephemeral_node_inactivity_timeout": "30m",
-    "db_type": "postgres",
-    "db_host": "localhost",
-    "db_port": 5432,
-    "db_name": "headscale",
-    "db_user": "foo",
-    "db_pass": "bar",
-    "acme_url": "https://acme-v02.api.letsencrypt.org/directory",
-    "acme_email": "",
-    "tls_letsencrypt_hostname": "",
-    "tls_letsencrypt_listen": ":http",
-    "tls_letsencrypt_cache_dir": ".cache",
-    "tls_letsencrypt_challenge_type": "HTTP-01",
-    "tls_cert_path": "",
-    "tls_key_path": "",
-    "acl_policy_path": "",
-    "dns_config": {
-        "nameservers": [
-            "1.1.1.1"
-        ],
-        "domains": [],
-        "magic_dns": true,
-        "base_domain": "example.com"
-    }
-}

config.json.sqlite.example

@@ -1,26 +0,0 @@
-{
-    "server_url": "http://127.0.0.1:8080",
-    "listen_addr": "0.0.0.0:8080",
-    "private_key_path": "private.key",
-    "derp_map_path": "derp.yaml",
-    "ephemeral_node_inactivity_timeout": "30m",
-    "db_type": "sqlite3",
-    "db_path": "db.sqlite",
-    "acme_url": "https://acme-v02.api.letsencrypt.org/directory",
-    "acme_email": "",
-    "tls_letsencrypt_hostname": "",
-    "tls_letsencrypt_listen": ":http",
-    "tls_letsencrypt_cache_dir": ".cache",
-    "tls_letsencrypt_challenge_type": "HTTP-01",
-    "tls_cert_path": "",
-    "tls_key_path": "",
-    "acl_policy_path": "",
-    "dns_config": {
-        "nameservers": [
-            "1.1.1.1"
-        ],
-        "domains": [],
-        "magic_dns": true,
-        "base_domain": "example.com"
-    }
-}

db.go

@@ -1,15 +1,28 @@
 package headscale
 
 import (
+	"context"
+	"database/sql/driver"
+	"encoding/json"
 	"errors"
+	"fmt"
+	"net/netip"
+	"time"
 
+	"github.com/glebarez/sqlite"
+	"github.com/rs/zerolog/log"
 	"gorm.io/driver/postgres"
-	"gorm.io/driver/sqlite"
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
+	"tailscale.com/tailcfg"
 )
 
-const dbVersion = "1"
+const (
+	dbVersion = "1"
+
+	errValueNotFound     = Error("not found")
+	ErrCannotParsePrefix = Error("cannot parse prefix")
+)
 
 // KV is a key-value store in a psql table. For future use...
 type KV struct {
@@ -24,32 +37,185 @@ func (h *Headscale) initDB() error {
 	}
 	h.db = db
 
-	if h.dbType == "postgres" {
-		db.Exec("create extension if not exists \"uuid-ossp\";")
+	if h.dbType == Postgres {
+		db.Exec(`create extension if not exists "uuid-ossp";`)
 	}
+
+	_ = db.Migrator().RenameTable("namespaces", "users")
+
+	err = db.AutoMigrate(&User{})
+	if err != nil {
+		return err
+	}
+
+	_ = db.Migrator().RenameColumn(&Machine{}, "namespace_id", "user_id")
+	_ = db.Migrator().RenameColumn(&PreAuthKey{}, "namespace_id", "user_id")
+
+	_ = db.Migrator().RenameColumn(&Machine{}, "ip_address", "ip_addresses")
+	_ = db.Migrator().RenameColumn(&Machine{}, "name", "hostname")
+
+	// GivenName is used as the primary source of DNS names, make sure
+	// the field is populated and normalized if it was not when the
+	// machine was registered.
+	_ = db.Migrator().RenameColumn(&Machine{}, "nickname", "given_name")
+
+	// If the Machine table has a column for registered,
+	// find all occourences of "false" and drop them. Then
+	// remove the column.
+	if db.Migrator().HasColumn(&Machine{}, "registered") {
+		log.Info().
+			Msg(`Database has legacy "registered" column in machine, removing...`)
+
+		machines := Machines{}
+		if err := h.db.Not("registered").Find(&machines).Error; err != nil {
+			log.Error().Err(err).Msg("Error accessing db")
+		}
+
+		for _, machine := range machines {
+			log.Info().
+				Str("machine", machine.Hostname).
+				Str("machine_key", machine.MachineKey).
+				Msg("Deleting unregistered machine")
+			if err := h.db.Delete(&Machine{}, machine.ID).Error; err != nil {
+				log.Error().
+					Err(err).
+					Str("machine", machine.Hostname).
+					Str("machine_key", machine.MachineKey).
+					Msg("Error deleting unregistered machine")
+			}
+		}
+
+		err := db.Migrator().DropColumn(&Machine{}, "registered")
+		if err != nil {
+			log.Error().Err(err).Msg("Error dropping registered column")
+		}
+	}
+
+	err = db.AutoMigrate(&Route{})
+	if err != nil {
+		return err
+	}
+
+	if db.Migrator().HasColumn(&Machine{}, "enabled_routes") {
+		log.Info().Msgf("Database has legacy enabled_routes column in machine, migrating...")
+
+		type MachineAux struct {
+			ID            uint64
+			EnabledRoutes IPPrefixes
+		}
+
+		machinesAux := []MachineAux{}
+		err := db.Table("machines").Select("id, enabled_routes").Scan(&machinesAux).Error
+		if err != nil {
+			log.Fatal().Err(err).Msg("Error accessing db")
+		}
+		for _, machine := range machinesAux {
+			for _, prefix := range machine.EnabledRoutes {
+				if err != nil {
+					log.Error().
+						Err(err).
+						Str("enabled_route", prefix.String()).
+						Msg("Error parsing enabled_route")
+
+					continue
+				}
+
+				err = db.Preload("Machine").
+					Where("machine_id = ? AND prefix = ?", machine.ID, IPPrefix(prefix)).
+					First(&Route{}).
+					Error
+				if err == nil {
+					log.Info().
+						Str("enabled_route", prefix.String()).
+						Msg("Route already migrated to new table, skipping")
+
+					continue
+				}
+
+				route := Route{
+					MachineID:  machine.ID,
+					Advertised: true,
+					Enabled:    true,
+					Prefix:     IPPrefix(prefix),
+				}
+				if err := h.db.Create(&route).Error; err != nil {
+					log.Error().Err(err).Msg("Error creating route")
+				} else {
+					log.Info().
+						Uint64("machine_id", route.MachineID).
+						Str("prefix", prefix.String()).
+						Msg("Route migrated")
+				}
+			}
+		}
+
+		err = db.Migrator().DropColumn(&Machine{}, "enabled_routes")
+		if err != nil {
+			log.Error().Err(err).Msg("Error dropping enabled_routes column")
+		}
+	}
+
 	err = db.AutoMigrate(&Machine{})
 	if err != nil {
 		return err
 	}
+
+	if db.Migrator().HasColumn(&Machine{}, "given_name") {
+		machines := Machines{}
+		if err := h.db.Find(&machines).Error; err != nil {
+			log.Error().Err(err).Msg("Error accessing db")
+		}
+
+		for item, machine := range machines {
+			if machine.GivenName == "" {
+				normalizedHostname, err := NormalizeToFQDNRules(
+					machine.Hostname,
+					h.cfg.OIDC.StripEmaildomain,
+				)
+				if err != nil {
+					log.Error().
+						Caller().
+						Str("hostname", machine.Hostname).
+						Err(err).
+						Msg("Failed to normalize machine hostname in DB migration")
+				}
+
+				err = h.RenameMachine(&machines[item], normalizedHostname)
+				if err != nil {
+					log.Error().
+						Caller().
+						Str("hostname", machine.Hostname).
+						Err(err).
+						Msg("Failed to save normalized machine name in DB migration")
+				}
+			}
+		}
+	}
+
 	err = db.AutoMigrate(&KV{})
 	if err != nil {
 		return err
 	}
-	err = db.AutoMigrate(&Namespace{})
-	if err != nil {
-		return err
-	}
+
 	err = db.AutoMigrate(&PreAuthKey{})
 	if err != nil {
 		return err
 	}
 
-	err = db.AutoMigrate(&SharedMachine{})
+	err = db.AutoMigrate(&PreAuthKeyACLTag{})
+	if err != nil {
+		return err
+	}
+
+	_ = db.Migrator().DropTable("shared_machines")
+
+	err = db.AutoMigrate(&APIKey{})
 	if err != nil {
 		return err
 	}
 
 	err = h.setValue("db_version", dbVersion)
+
 	return err
 }
 
@@ -65,12 +231,26 @@ func (h *Headscale) openDB() (*gorm.DB, error) {
 	}
 
 	switch h.dbType {
-	case "sqlite3":
-		db, err = gorm.Open(sqlite.Open(h.dbString), &gorm.Config{
-			DisableForeignKeyConstraintWhenMigrating: true,
-			Logger:                                   log,
-		})
-	case "postgres":
+	case Sqlite:
+		db, err = gorm.Open(
+			sqlite.Open(h.dbString+"?_synchronous=1&_journal_mode=WAL"),
+			&gorm.Config{
+				DisableForeignKeyConstraintWhenMigrating: true,
+				Logger:                                   log,
+			},
+		)
+
+		db.Exec("PRAGMA foreign_keys=ON")
+
+		// The pure Go SQLite library does not handle locking in
+		// the same way as the C based one and we cant use the gorm
+		// connection pool as of 2022/02/23.
+		sqlDB, _ := db.DB()
+		sqlDB.SetMaxIdleConns(1)
+		sqlDB.SetMaxOpenConns(1)
+		sqlDB.SetConnMaxIdleTime(time.Hour)
+
+	case Postgres:
 		db, err = gorm.Open(postgres.Open(h.dbString), &gorm.Config{
 			DisableForeignKeyConstraintWhenMigrating: true,
 			Logger:                                   log,
@@ -84,28 +264,141 @@ func (h *Headscale) openDB() (*gorm.DB, error) {
 	return db, nil
 }
 
-// getValue returns the value for the given key in KV
+// getValue returns the value for the given key in KV.
 func (h *Headscale) getValue(key string) (string, error) {
 	var row KV
-	if result := h.db.First(&row, "key = ?", key); errors.Is(result.Error, gorm.ErrRecordNotFound) {
-		return "", errors.New("not found")
+	if result := h.db.First(&row, "key = ?", key); errors.Is(
+		result.Error,
+		gorm.ErrRecordNotFound,
+	) {
+		return "", errValueNotFound
 	}
+
 	return row.Value, nil
 }
 
-// setValue sets value for the given key in KV
+// setValue sets value for the given key in KV.
 func (h *Headscale) setValue(key string, value string) error {
-	kv := KV{
+	keyValue := KV{
 		Key:   key,
 		Value: value,
 	}
 
-	_, err := h.getValue(key)
-	if err == nil {
-		h.db.Model(&kv).Where("key = ?", key).Update("value", value)
+	if _, err := h.getValue(key); err == nil {
+		h.db.Model(&keyValue).Where("key = ?", key).Update("value", value)
+
 		return nil
 	}
 
-	h.db.Create(kv)
+	if err := h.db.Create(keyValue).Error; err != nil {
+		return fmt.Errorf("failed to create key value pair in the database: %w", err)
+	}
+
 	return nil
 }
+
+func (h *Headscale) pingDB(ctx context.Context) error {
+	ctx, cancel := context.WithTimeout(ctx, time.Second)
+	defer cancel()
+	db, err := h.db.DB()
+	if err != nil {
+		return err
+	}
+
+	return db.PingContext(ctx)
+}
+
+// This is a "wrapper" type around tailscales
+// Hostinfo to allow us to add database "serialization"
+// methods. This allows us to use a typed values throughout
+// the code and not have to marshal/unmarshal and error
+// check all over the code.
+type HostInfo tailcfg.Hostinfo
+
+func (hi *HostInfo) Scan(destination interface{}) error {
+	switch value := destination.(type) {
+	case []byte:
+		return json.Unmarshal(value, hi)
+
+	case string:
+		return json.Unmarshal([]byte(value), hi)
+
+	default:
+		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
+	}
+}
+
+// Value return json value, implement driver.Valuer interface.
+func (hi HostInfo) Value() (driver.Value, error) {
+	bytes, err := json.Marshal(hi)
+
+	return string(bytes), err
+}
+
+type IPPrefix netip.Prefix
+
+func (i *IPPrefix) Scan(destination interface{}) error {
+	switch value := destination.(type) {
+	case string:
+		prefix, err := netip.ParsePrefix(value)
+		if err != nil {
+			return err
+		}
+		*i = IPPrefix(prefix)
+
+		return nil
+	default:
+		return fmt.Errorf("%w: unexpected data type %T", ErrCannotParsePrefix, destination)
+	}
+}
+
+// Value return json value, implement driver.Valuer interface.
+func (i IPPrefix) Value() (driver.Value, error) {
+	prefixStr := netip.Prefix(i).String()
+
+	return prefixStr, nil
+}
+
+type IPPrefixes []netip.Prefix
+
+func (i *IPPrefixes) Scan(destination interface{}) error {
+	switch value := destination.(type) {
+	case []byte:
+		return json.Unmarshal(value, i)
+
+	case string:
+		return json.Unmarshal([]byte(value), i)
+
+	default:
+		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
+	}
+}
+
+// Value return json value, implement driver.Valuer interface.
+func (i IPPrefixes) Value() (driver.Value, error) {
+	bytes, err := json.Marshal(i)
+
+	return string(bytes), err
+}
+
+type StringList []string
+
+func (i *StringList) Scan(destination interface{}) error {
+	switch value := destination.(type) {
+	case []byte:
+		return json.Unmarshal(value, i)
+
+	case string:
+		return json.Unmarshal([]byte(value), i)
+
+	default:
+		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
+	}
+}
+
+// Value return json value, implement driver.Valuer interface.
+func (i StringList) Value() (driver.Value, error) {
+	bytes, err := json.Marshal(i)
+
+	return string(bytes), err
+}

derp-example.yaml

@@ -0,0 +1,15 @@
+# If you plan to somehow use headscale, please deploy your own DERP infra: https://tailscale.com/kb/1118/custom-derp-servers/
+regions:
+  900:
+    regionid: 900
+    regioncode: custom
+    regionname: My Region
+    nodes:
+      - name: 900a
+        regionid: 900
+        hostname: myderp.mydomain.no
+        ipv4: 123.123.123.123
+        ipv6: "2604:a880:400:d1::828:b001"
+        stunport: 0
+        stunonly: false
+        derpport: 0

derp.go

@@ -0,0 +1,157 @@
+package headscale
+
+import (
+	"context"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"time"
+
+	"github.com/rs/zerolog/log"
+	"gopkg.in/yaml.v2"
+	"tailscale.com/tailcfg"
+)
+
+func loadDERPMapFromPath(path string) (*tailcfg.DERPMap, error) {
+	derpFile, err := os.Open(path)
+	if err != nil {
+		return nil, err
+	}
+	defer derpFile.Close()
+	var derpMap tailcfg.DERPMap
+	b, err := io.ReadAll(derpFile)
+	if err != nil {
+		return nil, err
+	}
+	err = yaml.Unmarshal(b, &derpMap)
+
+	return &derpMap, err
+}
+
+func loadDERPMapFromURL(addr url.URL) (*tailcfg.DERPMap, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), HTTPReadTimeout)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, addr.String(), nil)
+	if err != nil {
+		return nil, err
+	}
+
+	client := http.Client{
+		Timeout: HTTPReadTimeout,
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+
+	defer resp.Body.Close()
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	var derpMap tailcfg.DERPMap
+	err = json.Unmarshal(body, &derpMap)
+
+	return &derpMap, err
+}
+
+// mergeDERPMaps naively merges a list of DERPMaps into a single
+// DERPMap, it will _only_ look at the Regions, an integer.
+// If a region exists in two of the given DERPMaps, the region
+// form the _last_ DERPMap will be preserved.
+// An empty DERPMap list will result in a DERPMap with no regions.
+func mergeDERPMaps(derpMaps []*tailcfg.DERPMap) *tailcfg.DERPMap {
+	result := tailcfg.DERPMap{
+		OmitDefaultRegions: false,
+		Regions:            map[int]*tailcfg.DERPRegion{},
+	}
+
+	for _, derpMap := range derpMaps {
+		for id, region := range derpMap.Regions {
+			result.Regions[id] = region
+		}
+	}
+
+	return &result
+}
+
+func GetDERPMap(cfg DERPConfig) *tailcfg.DERPMap {
+	derpMaps := make([]*tailcfg.DERPMap, 0)
+
+	for _, path := range cfg.Paths {
+		log.Debug().
+			Str("func", "GetDERPMap").
+			Str("path", path).
+			Msg("Loading DERPMap from path")
+		derpMap, err := loadDERPMapFromPath(path)
+		if err != nil {
+			log.Error().
+				Str("func", "GetDERPMap").
+				Str("path", path).
+				Err(err).
+				Msg("Could not load DERP map from path")
+
+			break
+		}
+
+		derpMaps = append(derpMaps, derpMap)
+	}
+
+	for _, addr := range cfg.URLs {
+		derpMap, err := loadDERPMapFromURL(addr)
+		log.Debug().
+			Str("func", "GetDERPMap").
+			Str("url", addr.String()).
+			Msg("Loading DERPMap from path")
+		if err != nil {
+			log.Error().
+				Str("func", "GetDERPMap").
+				Str("url", addr.String()).
+				Err(err).
+				Msg("Could not load DERP map from path")
+
+			break
+		}
+
+		derpMaps = append(derpMaps, derpMap)
+	}
+
+	derpMap := mergeDERPMaps(derpMaps)
+
+	log.Trace().Interface("derpMap", derpMap).Msg("DERPMap loaded")
+
+	if len(derpMap.Regions) == 0 {
+		log.Warn().
+			Msg("DERP map is empty, not a single DERP map datasource was loaded correctly or contained a region")
+	}
+
+	return derpMap
+}
+
+func (h *Headscale) scheduledDERPMapUpdateWorker(cancelChan <-chan struct{}) {
+	log.Info().
+		Dur("frequency", h.cfg.DERP.UpdateFrequency).
+		Msg("Setting up a DERPMap update worker")
+	ticker := time.NewTicker(h.cfg.DERP.UpdateFrequency)
+
+	for {
+		select {
+		case <-cancelChan:
+			return
+
+		case <-ticker.C:
+			log.Info().Msg("Fetching DERPMap updates")
+			h.DERPMap = GetDERPMap(h.cfg.DERP)
+			if h.cfg.DERP.ServerEnabled {
+				h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region
+			}
+
+			h.setLastStateChangeToNow()
+		}
+	}
+}

derp.yaml

@@ -1,146 +0,0 @@
-# This file contains some of the official Tailscale DERP servers, 
-# shamelessly taken from https://github.com/tailscale/tailscale/blob/main/net/dnsfallback/dns-fallback-servers.json
-#
-# If you plan to somehow use headscale, please deploy your own DERP infra: https://tailscale.com/kb/1118/custom-derp-servers/
-regions: 
-  1:
-    regionid: 1
-    regioncode: nyc
-    regionname: New York City
-    nodes:
-    - name: 1a
-      regionid: 1
-      hostname: derp1.tailscale.com
-      ipv4: 159.89.225.99
-      ipv6: "2604:a880:400:d1::828:b001"
-      stunport: 0
-      stunonly: false
-      derptestport: 0
-    - name: 1b
-      regionid: 1
-      hostname: derp1b.tailscale.com
-      ipv4: 45.55.35.93
-      ipv6: "2604:a880:800:a1::f:2001"
-      stunport: 0
-      stunonly: false
-      derptestport: 0
-  2:
-    regionid: 2
-    regioncode: sfo
-    regionname: San Francisco
-    nodes:
-    - name: 2a
-      regionid: 2
-      hostname: derp2.tailscale.com
-      ipv4: 167.172.206.31
-      ipv6: "2604:a880:2:d1::c5:7001"
-      stunport: 0
-      stunonly: false
-      derptestport: 0
-    - name: 2b
-      regionid: 2
-      hostname: derp2b.tailscale.com
-      ipv4: 64.227.106.23
-      ipv6: "2604:a880:4:1d0::29:9000"
-      stunport: 0
-      stunonly: false
-      derptestport: 0
-  3:
-    regionid: 3
-    regioncode: sin
-    regionname: Singapore
-    nodes:
-    - name: 3a
-      regionid: 3
-      hostname: derp3.tailscale.com
-      ipv4: 68.183.179.66
-      ipv6: "2400:6180:0:d1::67d:8001"
-      stunport: 0
-      stunonly: false
-      derptestport: 0
-  4:
-    regionid: 4
-    regioncode: fra
-    regionname: Frankfurt
-    nodes:
-    - name: 4a
-      regionid: 4
-      hostname: derp4.tailscale.com
-      ipv4: 167.172.182.26
-      ipv6: "2a03:b0c0:3:e0::36e:900"
-      stunport: 0
-      stunonly: false
-      derptestport: 0
-    - name: 4b
-      regionid: 4
-      hostname: derp4b.tailscale.com
-      ipv4: 157.230.25.0
-      ipv6: "2a03:b0c0:3:e0::58f:3001"
-      stunport: 0
-      stunonly: false
-      derptestport: 0
-  5:
-    regionid: 5
-    regioncode: syd
-    regionname: Sydney
-    nodes:
-    - name: 5a
-      regionid: 5
-      hostname: derp5.tailscale.com
-      ipv4: 103.43.75.49
-      ipv6: "2001:19f0:5801:10b7:5400:2ff:feaa:284c"
-      stunport: 0
-      stunonly: false
-      derptestport: 0
-  6:
-    regionid: 6
-    regioncode: blr
-    regionname: Bangalore
-    nodes:
-    - name: 6a
-      regionid: 6
-      hostname: derp6.tailscale.com
-      ipv4: 68.183.90.120
-      ipv6: "2400:6180:100:d0::982:d001"
-      stunport: 0
-      stunonly: false
-      derptestport: 0
-  7:
-    regionid: 7
-    regioncode: tok
-    regionname: Tokyo
-    nodes:
-    - name: 7a
-      regionid: 7
-      hostname: derp7.tailscale.com
-      ipv4: 167.179.89.145
-      ipv6: "2401:c080:1000:467f:5400:2ff:feee:22aa"
-      stunport: 0
-      stunonly: false
-      derptestport: 0
-  8:
-    regionid: 8
-    regioncode: lhr
-    regionname: London
-    nodes:
-    - name: 8a
-      regionid: 8
-      hostname: derp8.tailscale.com
-      ipv4: 167.71.139.179
-      ipv6: "2a03:b0c0:1:e0::3cc:e001"
-      stunport: 0
-      stunonly: false
-      derptestport: 0
-  9:
-    regionid: 9
-    regioncode: sao
-    regionname: São Paulo
-    nodes:
-    - name: 9a
-      regionid: 9
-      hostname: derp9.tailscale.com
-      ipv4: 207.148.3.137
-      ipv6: "2001:19f0:6401:1d9c:5400:2ff:feef:bb82"
-      stunport: 0
-      stunonly: false
-      derptestport: 0

derp_server.go

@@ -0,0 +1,292 @@
+package headscale
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+	"net/netip"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/rs/zerolog/log"
+	"tailscale.com/derp"
+	"tailscale.com/net/stun"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+)
+
+// fastStartHeader is the header (with value "1") that signals to the HTTP
+// server that the DERP HTTP client does not want the HTTP 101 response
+// headers and it will begin writing & reading the DERP protocol immediately
+// following its HTTP request.
+const fastStartHeader = "Derp-Fast-Start"
+
+type DERPServer struct {
+	tailscaleDERP *derp.Server
+	region        tailcfg.DERPRegion
+}
+
+func (h *Headscale) NewDERPServer() (*DERPServer, error) {
+	log.Trace().Caller().Msg("Creating new embedded DERP server")
+	server := derp.NewServer(key.NodePrivate(*h.privateKey), log.Info().Msgf)
+	region, err := h.generateRegionLocalDERP()
+	if err != nil {
+		return nil, err
+	}
+
+	return &DERPServer{server, region}, nil
+}
+
+func (h *Headscale) generateRegionLocalDERP() (tailcfg.DERPRegion, error) {
+	serverURL, err := url.Parse(h.cfg.ServerURL)
+	if err != nil {
+		return tailcfg.DERPRegion{}, err
+	}
+	var host string
+	var port int
+	host, portStr, err := net.SplitHostPort(serverURL.Host)
+	if err != nil {
+		if serverURL.Scheme == "https" {
+			host = serverURL.Host
+			port = 443
+		} else {
+			host = serverURL.Host
+			port = 80
+		}
+	} else {
+		port, err = strconv.Atoi(portStr)
+		if err != nil {
+			return tailcfg.DERPRegion{}, err
+		}
+	}
+
+	localDERPregion := tailcfg.DERPRegion{
+		RegionID:   h.cfg.DERP.ServerRegionID,
+		RegionCode: h.cfg.DERP.ServerRegionCode,
+		RegionName: h.cfg.DERP.ServerRegionName,
+		Avoid:      false,
+		Nodes: []*tailcfg.DERPNode{
+			{
+				Name:     fmt.Sprintf("%d", h.cfg.DERP.ServerRegionID),
+				RegionID: h.cfg.DERP.ServerRegionID,
+				HostName: host,
+				DERPPort: port,
+			},
+		},
+	}
+
+	_, portSTUNStr, err := net.SplitHostPort(h.cfg.DERP.STUNAddr)
+	if err != nil {
+		return tailcfg.DERPRegion{}, err
+	}
+	portSTUN, err := strconv.Atoi(portSTUNStr)
+	if err != nil {
+		return tailcfg.DERPRegion{}, err
+	}
+	localDERPregion.Nodes[0].STUNPort = portSTUN
+
+	log.Info().Caller().Msgf("DERP region: %+v", localDERPregion)
+
+	return localDERPregion, nil
+}
+
+func (h *Headscale) DERPHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	log.Trace().Caller().Msgf("/derp request from %v", req.RemoteAddr)
+	upgrade := strings.ToLower(req.Header.Get("Upgrade"))
+
+	if upgrade != "websocket" && upgrade != "derp" {
+		if upgrade != "" {
+			log.Warn().
+				Caller().
+				Msg("No Upgrade header in DERP server request. If headscale is behind a reverse proxy, make sure it is configured to pass WebSockets through.")
+		}
+		writer.Header().Set("Content-Type", "text/plain")
+		writer.WriteHeader(http.StatusUpgradeRequired)
+		_, err := writer.Write([]byte("DERP requires connection upgrade"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
+	fastStart := req.Header.Get(fastStartHeader) == "1"
+
+	hijacker, ok := writer.(http.Hijacker)
+	if !ok {
+		log.Error().Caller().Msg("DERP requires Hijacker interface from Gin")
+		writer.Header().Set("Content-Type", "text/plain")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("HTTP does not support general TCP support"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
+	netConn, conn, err := hijacker.Hijack()
+	if err != nil {
+		log.Error().Caller().Err(err).Msgf("Hijack failed")
+		writer.Header().Set("Content-Type", "text/plain")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err = writer.Write([]byte("HTTP does not support general TCP support"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+	log.Trace().Caller().Msgf("Hijacked connection from %v", req.RemoteAddr)
+
+	if !fastStart {
+		pubKey := h.privateKey.Public()
+		pubKeyStr := pubKey.UntypedHexString() //nolint
+		fmt.Fprintf(conn, "HTTP/1.1 101 Switching Protocols\r\n"+
+			"Upgrade: DERP\r\n"+
+			"Connection: Upgrade\r\n"+
+			"Derp-Version: %v\r\n"+
+			"Derp-Public-Key: %s\r\n\r\n",
+			derp.ProtocolVersion,
+			pubKeyStr)
+	}
+
+	h.DERPServer.tailscaleDERP.Accept(req.Context(), netConn, conn, netConn.RemoteAddr().String())
+}
+
+// DERPProbeHandler is the endpoint that js/wasm clients hit to measure
+// DERP latency, since they can't do UDP STUN queries.
+func (h *Headscale) DERPProbeHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	switch req.Method {
+	case http.MethodHead, http.MethodGet:
+		writer.Header().Set("Access-Control-Allow-Origin", "*")
+		writer.WriteHeader(http.StatusOK)
+	default:
+		writer.WriteHeader(http.StatusMethodNotAllowed)
+		_, err := writer.Write([]byte("bogus probe method"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+	}
+}
+
+// DERPBootstrapDNSHandler implements the /bootsrap-dns endpoint
+// Described in https://github.com/tailscale/tailscale/issues/1405,
+// this endpoint provides a way to help a client when it fails to start up
+// because its DNS are broken.
+// The initial implementation is here https://github.com/tailscale/tailscale/pull/1406
+// They have a cache, but not clear if that is really necessary at Headscale, uh, scale.
+// An example implementation is found here https://derp.tailscale.com/bootstrap-dns
+func (h *Headscale) DERPBootstrapDNSHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	dnsEntries := make(map[string][]net.IP)
+
+	resolvCtx, cancel := context.WithTimeout(req.Context(), time.Minute)
+	defer cancel()
+	var resolver net.Resolver
+	for _, region := range h.DERPMap.Regions {
+		for _, node := range region.Nodes { // we don't care if we override some nodes
+			addrs, err := resolver.LookupIP(resolvCtx, "ip", node.HostName)
+			if err != nil {
+				log.Trace().
+					Caller().
+					Err(err).
+					Msgf("bootstrap DNS lookup failed %q", node.HostName)
+
+				continue
+			}
+			dnsEntries[node.HostName] = addrs
+		}
+	}
+	writer.Header().Set("Content-Type", "application/json")
+	writer.WriteHeader(http.StatusOK)
+	err := json.NewEncoder(writer).Encode(dnsEntries)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
+}
+
+// ServeSTUN starts a STUN server on the configured addr.
+func (h *Headscale) ServeSTUN() {
+	packetConn, err := net.ListenPacket("udp", h.cfg.DERP.STUNAddr)
+	if err != nil {
+		log.Fatal().Msgf("failed to open STUN listener: %v", err)
+	}
+	log.Info().Msgf("STUN server started at %s", packetConn.LocalAddr())
+
+	udpConn, ok := packetConn.(*net.UDPConn)
+	if !ok {
+		log.Fatal().Msg("STUN listener is not a UDP listener")
+	}
+	serverSTUNListener(context.Background(), udpConn)
+}
+
+func serverSTUNListener(ctx context.Context, packetConn *net.UDPConn) {
+	var buf [64 << 10]byte
+	var (
+		bytesRead int
+		udpAddr   *net.UDPAddr
+		err       error
+	)
+	for {
+		bytesRead, udpAddr, err = packetConn.ReadFromUDP(buf[:])
+		if err != nil {
+			if ctx.Err() != nil {
+				return
+			}
+			log.Error().Caller().Err(err).Msgf("STUN ReadFrom")
+			time.Sleep(time.Second)
+
+			continue
+		}
+		log.Trace().Caller().Msgf("STUN request from %v", udpAddr)
+		pkt := buf[:bytesRead]
+		if !stun.Is(pkt) {
+			log.Trace().Caller().Msgf("UDP packet is not STUN")
+
+			continue
+		}
+		txid, err := stun.ParseBindingRequest(pkt)
+		if err != nil {
+			log.Trace().Caller().Err(err).Msgf("STUN parse error")
+
+			continue
+		}
+
+		addr, _ := netip.AddrFromSlice(udpAddr.IP)
+		res := stun.Response(txid, netip.AddrPortFrom(addr, uint16(udpAddr.Port)))
+		_, err = packetConn.WriteTo(res, udpAddr)
+		if err != nil {
+			log.Trace().Caller().Err(err).Msgf("Issue writing to UDP")
+
+			continue
+		}
+	}
+}

dns.go

@@ -2,12 +2,30 @@ package headscale
 
 import (
 	"fmt"
+	"net/netip"
+	"net/url"
 	"strings"
 
-	"inet.af/netaddr"
+	mapset "github.com/deckarep/golang-set/v2"
+	"go4.org/netipx"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/dnstype"
 	"tailscale.com/util/dnsname"
 )
 
+const (
+	ByteSize = 8
+)
+
+const (
+	ipv4AddressLength = 32
+	ipv6AddressLength = 128
+)
+
+const (
+	nextDNSDoHPrefix = "https://dns.nextdns.io"
+)
+
 // generateMagicDNSRootDomains generates a list of DNS entries to be included in `Routes` in `MapResponse`.
 // This list of reverse DNS entries instructs the OS on what subnets and domains the Tailscale embedded DNS
 // server (listening in 100.100.100.100 udp/53) should be used for.
@@ -28,31 +46,47 @@ import (
 
 // From the netmask we can find out the wildcard bits (the bits that are not set in the netmask).
 // This allows us to then calculate the subnets included in the subsequent class block and generate the entries.
-func generateMagicDNSRootDomains(ipPrefix netaddr.IPPrefix, baseDomain string) ([]dnsname.FQDN, error) {
-	base, err := dnsname.ToFQDN(baseDomain)
-	if err != nil {
-		return nil, err
+func generateMagicDNSRootDomains(ipPrefixes []netip.Prefix) []dnsname.FQDN {
+	fqdns := make([]dnsname.FQDN, 0, len(ipPrefixes))
+	for _, ipPrefix := range ipPrefixes {
+		var generateDNSRoot func(netip.Prefix) []dnsname.FQDN
+		switch ipPrefix.Addr().BitLen() {
+		case ipv4AddressLength:
+			generateDNSRoot = generateIPv4DNSRootDomain
+
+		case ipv6AddressLength:
+			generateDNSRoot = generateIPv6DNSRootDomain
+
+		default:
+			panic(
+				fmt.Sprintf(
+					"unsupported IP version with address length %d",
+					ipPrefix.Addr().BitLen(),
+				),
+			)
+		}
+
+		fqdns = append(fqdns, generateDNSRoot(ipPrefix)...)
 	}
 
-	// TODO(juanfont): we are not handing out IPv6 addresses yet
-	// and in fact this is Tailscale.com's range (note the fd7a:115c:a1e0: range in the fc00::/7 network)
-	ipv6base := dnsname.FQDN("0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa.")
-	fqdns := []dnsname.FQDN{base, ipv6base}
+	return fqdns
+}
 
+func generateIPv4DNSRootDomain(ipPrefix netip.Prefix) []dnsname.FQDN {
 	// Conversion to the std lib net.IPnet, a bit easier to operate
-	netRange := ipPrefix.IPNet()
+	netRange := netipx.PrefixIPNet(ipPrefix)
 	maskBits, _ := netRange.Mask.Size()
 
 	// lastOctet is the last IP byte covered by the mask
-	lastOctet := maskBits / 8
+	lastOctet := maskBits / ByteSize
 
 	// wildcardBits is the number of bits not under the mask in the lastOctet
-	wildcardBits := 8 - maskBits%8
+	wildcardBits := ByteSize - maskBits%ByteSize
 
 	// min is the value in the lastOctet byte of the IP
 	// max is basically 2^wildcardBits - i.e., the value when all the wildcardBits are set to 1
 	min := uint(netRange.IP[lastOctet])
-	max := uint((min + 1<<uint(wildcardBits)) - 1)
+	max := (min + 1<<uint(wildcardBits)) - 1
 
 	// here we generate the base domain (e.g., 100.in-addr.arpa., 16.172.in-addr.arpa., etc.)
 	rdnsSlice := []string{}
@@ -62,6 +96,7 @@ func generateMagicDNSRootDomains(ipPrefix netaddr.IPPrefix, baseDomain string) (
 	rdnsSlice = append(rdnsSlice, "in-addr.arpa.")
 	rdnsBase := strings.Join(rdnsSlice, ".")
 
+	fqdns := make([]dnsname.FQDN, 0, max-min+1)
 	for i := min; i <= max; i++ {
 		fqdn, err := dnsname.ToFQDN(fmt.Sprintf("%d.%s", i, rdnsBase))
 		if err != nil {
@@ -69,5 +104,116 @@ func generateMagicDNSRootDomains(ipPrefix netaddr.IPPrefix, baseDomain string) (
 		}
 		fqdns = append(fqdns, fqdn)
 	}
-	return fqdns, nil
+
+	return fqdns
+}
+
+func generateIPv6DNSRootDomain(ipPrefix netip.Prefix) []dnsname.FQDN {
+	const nibbleLen = 4
+
+	maskBits, _ := netipx.PrefixIPNet(ipPrefix).Mask.Size()
+	expanded := ipPrefix.Addr().StringExpanded()
+	nibbleStr := strings.Map(func(r rune) rune {
+		if r == ':' {
+			return -1
+		}
+
+		return r
+	}, expanded)
+
+	// TODO?: that does not look the most efficient implementation,
+	// but the inputs are not so long as to cause problems,
+	// and from what I can see, the generateMagicDNSRootDomains
+	// function is called only once over the lifetime of a server process.
+	prefixConstantParts := []string{}
+	for i := 0; i < maskBits/nibbleLen; i++ {
+		prefixConstantParts = append(
+			[]string{string(nibbleStr[i])},
+			prefixConstantParts...)
+	}
+
+	makeDomain := func(variablePrefix ...string) (dnsname.FQDN, error) {
+		prefix := strings.Join(append(variablePrefix, prefixConstantParts...), ".")
+
+		return dnsname.ToFQDN(fmt.Sprintf("%s.ip6.arpa", prefix))
+	}
+
+	var fqdns []dnsname.FQDN
+	if maskBits%4 == 0 {
+		dom, _ := makeDomain()
+		fqdns = append(fqdns, dom)
+	} else {
+		domCount := 1 << (maskBits % nibbleLen)
+		fqdns = make([]dnsname.FQDN, 0, domCount)
+		for i := 0; i < domCount; i++ {
+			varNibble := fmt.Sprintf("%x", i)
+			dom, err := makeDomain(varNibble)
+			if err != nil {
+				continue
+			}
+			fqdns = append(fqdns, dom)
+		}
+	}
+
+	return fqdns
+}
+
+// If any nextdns DoH resolvers are present in the list of resolvers it will
+// take metadata from the machine metadata and instruct tailscale to add it
+// to the requests. This makes it possible to identify from which device the
+// requests come in the NextDNS dashboard.
+//
+// This will produce a resolver like:
+// `https://dns.nextdns.io/<nextdns-id>?device_name=node-name&device_model=linux&device_ip=100.64.0.1`
+func addNextDNSMetadata(resolvers []*dnstype.Resolver, machine Machine) {
+	for _, resolver := range resolvers {
+		if strings.HasPrefix(resolver.Addr, nextDNSDoHPrefix) {
+			attrs := url.Values{
+				"device_name":  []string{machine.Hostname},
+				"device_model": []string{machine.HostInfo.OS},
+			}
+
+			if len(machine.IPAddresses) > 0 {
+				attrs.Add("device_ip", machine.IPAddresses[0].String())
+			}
+
+			resolver.Addr = fmt.Sprintf("%s?%s", resolver.Addr, attrs.Encode())
+		}
+	}
+}
+
+func getMapResponseDNSConfig(
+	dnsConfigOrig *tailcfg.DNSConfig,
+	baseDomain string,
+	machine Machine,
+	peers Machines,
+) *tailcfg.DNSConfig {
+	var dnsConfig *tailcfg.DNSConfig = dnsConfigOrig.Clone()
+	if dnsConfigOrig != nil && dnsConfigOrig.Proxied { // if MagicDNS is enabled
+		// Only inject the Search Domain of the current user - shared nodes should use their full FQDN
+		dnsConfig.Domains = append(
+			dnsConfig.Domains,
+			fmt.Sprintf(
+				"%s.%s",
+				machine.User.Name,
+				baseDomain,
+			),
+		)
+
+		userSet := mapset.NewSet[User]()
+		userSet.Add(machine.User)
+		for _, p := range peers {
+			userSet.Add(p.User)
+		}
+		for _, user := range userSet.ToSlice() {
+			dnsRoute := fmt.Sprintf("%v.%v", user.Name, baseDomain)
+			dnsConfig.Routes[dnsRoute] = nil
+		}
+	} else {
+		dnsConfig = dnsConfigOrig
+	}
+
+	addNextDNSMetadata(dnsConfig.Resolvers, machine)
+
+	return dnsConfig
 }

dns_test.go

@@ -1,19 +1,25 @@
 package headscale
 
 import (
+	"fmt"
+	"net/netip"
+
 	"gopkg.in/check.v1"
-	"inet.af/netaddr"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/dnstype"
 )
 
 func (s *Suite) TestMagicDNSRootDomains100(c *check.C) {
-	prefix := netaddr.MustParseIPPrefix("100.64.0.0/10")
-	domains, err := generateMagicDNSRootDomains(prefix, "headscale.net")
-	c.Assert(err, check.IsNil)
+	prefixes := []netip.Prefix{
+		netip.MustParsePrefix("100.64.0.0/10"),
+	}
+	domains := generateMagicDNSRootDomains(prefixes)
 
 	found := false
 	for _, domain := range domains {
 		if domain == "64.100.in-addr.arpa." {
 			found = true
+
 			break
 		}
 	}
@@ -23,6 +29,7 @@ func (s *Suite) TestMagicDNSRootDomains100(c *check.C) {
 	for _, domain := range domains {
 		if domain == "100.100.in-addr.arpa." {
 			found = true
+
 			break
 		}
 	}
@@ -32,6 +39,7 @@ func (s *Suite) TestMagicDNSRootDomains100(c *check.C) {
 	for _, domain := range domains {
 		if domain == "127.100.in-addr.arpa." {
 			found = true
+
 			break
 		}
 	}
@@ -39,14 +47,16 @@ func (s *Suite) TestMagicDNSRootDomains100(c *check.C) {
 }
 
 func (s *Suite) TestMagicDNSRootDomains172(c *check.C) {
-	prefix := netaddr.MustParseIPPrefix("172.16.0.0/16")
-	domains, err := generateMagicDNSRootDomains(prefix, "headscale.net")
-	c.Assert(err, check.IsNil)
+	prefixes := []netip.Prefix{
+		netip.MustParsePrefix("172.16.0.0/16"),
+	}
+	domains := generateMagicDNSRootDomains(prefixes)
 
 	found := false
 	for _, domain := range domains {
 		if domain == "0.16.172.in-addr.arpa." {
 			found = true
+
 			break
 		}
 	}
@@ -56,8 +66,329 @@ func (s *Suite) TestMagicDNSRootDomains172(c *check.C) {
 	for _, domain := range domains {
 		if domain == "255.16.172.in-addr.arpa." {
 			found = true
+
 			break
 		}
 	}
 	c.Assert(found, check.Equals, true)
 }
+
+// Happens when netmask is a multiple of 4 bits (sounds likely).
+func (s *Suite) TestMagicDNSRootDomainsIPv6Single(c *check.C) {
+	prefixes := []netip.Prefix{
+		netip.MustParsePrefix("fd7a:115c:a1e0::/48"),
+	}
+	domains := generateMagicDNSRootDomains(prefixes)
+
+	c.Assert(len(domains), check.Equals, 1)
+	c.Assert(
+		domains[0].WithTrailingDot(),
+		check.Equals,
+		"0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa.",
+	)
+}
+
+func (s *Suite) TestMagicDNSRootDomainsIPv6SingleMultiple(c *check.C) {
+	prefixes := []netip.Prefix{
+		netip.MustParsePrefix("fd7a:115c:a1e0::/50"),
+	}
+	domains := generateMagicDNSRootDomains(prefixes)
+
+	yieldsRoot := func(dom string) bool {
+		for _, candidate := range domains {
+			if candidate.WithTrailingDot() == dom {
+				return true
+			}
+		}
+
+		return false
+	}
+
+	c.Assert(len(domains), check.Equals, 4)
+	c.Assert(yieldsRoot("0.0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa."), check.Equals, true)
+	c.Assert(yieldsRoot("1.0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa."), check.Equals, true)
+	c.Assert(yieldsRoot("2.0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa."), check.Equals, true)
+	c.Assert(yieldsRoot("3.0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa."), check.Equals, true)
+}
+
+func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
+	userShared1, err := app.CreateUser("shared1")
+	c.Assert(err, check.IsNil)
+
+	userShared2, err := app.CreateUser("shared2")
+	c.Assert(err, check.IsNil)
+
+	userShared3, err := app.CreateUser("shared3")
+	c.Assert(err, check.IsNil)
+
+	preAuthKeyInShared1, err := app.CreatePreAuthKey(
+		userShared1.Name,
+		false,
+		false,
+		nil,
+		nil,
+	)
+	c.Assert(err, check.IsNil)
+
+	preAuthKeyInShared2, err := app.CreatePreAuthKey(
+		userShared2.Name,
+		false,
+		false,
+		nil,
+		nil,
+	)
+	c.Assert(err, check.IsNil)
+
+	preAuthKeyInShared3, err := app.CreatePreAuthKey(
+		userShared3.Name,
+		false,
+		false,
+		nil,
+		nil,
+	)
+	c.Assert(err, check.IsNil)
+
+	PreAuthKey2InShared1, err := app.CreatePreAuthKey(
+		userShared1.Name,
+		false,
+		false,
+		nil,
+		nil,
+	)
+	c.Assert(err, check.IsNil)
+
+	_, err = app.GetMachine(userShared1.Name, "test_get_shared_nodes_1")
+	c.Assert(err, check.NotNil)
+
+	machineInShared1 := &Machine{
+		ID:             1,
+		MachineKey:     "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
+		NodeKey:        "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
+		DiscoKey:       "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
+		Hostname:       "test_get_shared_nodes_1",
+		UserID:         userShared1.ID,
+		User:           *userShared1,
+		RegisterMethod: RegisterMethodAuthKey,
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.1")},
+		AuthKeyID:      uint(preAuthKeyInShared1.ID),
+	}
+	app.db.Save(machineInShared1)
+
+	_, err = app.GetMachine(userShared1.Name, machineInShared1.Hostname)
+	c.Assert(err, check.IsNil)
+
+	machineInShared2 := &Machine{
+		ID:             2,
+		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		Hostname:       "test_get_shared_nodes_2",
+		UserID:         userShared2.ID,
+		User:           *userShared2,
+		RegisterMethod: RegisterMethodAuthKey,
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.2")},
+		AuthKeyID:      uint(preAuthKeyInShared2.ID),
+	}
+	app.db.Save(machineInShared2)
+
+	_, err = app.GetMachine(userShared2.Name, machineInShared2.Hostname)
+	c.Assert(err, check.IsNil)
+
+	machineInShared3 := &Machine{
+		ID:             3,
+		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		Hostname:       "test_get_shared_nodes_3",
+		UserID:         userShared3.ID,
+		User:           *userShared3,
+		RegisterMethod: RegisterMethodAuthKey,
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.3")},
+		AuthKeyID:      uint(preAuthKeyInShared3.ID),
+	}
+	app.db.Save(machineInShared3)
+
+	_, err = app.GetMachine(userShared3.Name, machineInShared3.Hostname)
+	c.Assert(err, check.IsNil)
+
+	machine2InShared1 := &Machine{
+		ID:             4,
+		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		Hostname:       "test_get_shared_nodes_4",
+		UserID:         userShared1.ID,
+		User:           *userShared1,
+		RegisterMethod: RegisterMethodAuthKey,
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.4")},
+		AuthKeyID:      uint(PreAuthKey2InShared1.ID),
+	}
+	app.db.Save(machine2InShared1)
+
+	baseDomain := "foobar.headscale.net"
+	dnsConfigOrig := tailcfg.DNSConfig{
+		Routes:  make(map[string][]*dnstype.Resolver),
+		Domains: []string{baseDomain},
+		Proxied: true,
+	}
+
+	peersOfMachineInShared1, err := app.getPeers(machineInShared1)
+	c.Assert(err, check.IsNil)
+
+	dnsConfig := getMapResponseDNSConfig(
+		&dnsConfigOrig,
+		baseDomain,
+		*machineInShared1,
+		peersOfMachineInShared1,
+	)
+	c.Assert(dnsConfig, check.NotNil)
+
+	c.Assert(len(dnsConfig.Routes), check.Equals, 3)
+
+	domainRouteShared1 := fmt.Sprintf("%s.%s", userShared1.Name, baseDomain)
+	_, ok := dnsConfig.Routes[domainRouteShared1]
+	c.Assert(ok, check.Equals, true)
+
+	domainRouteShared2 := fmt.Sprintf("%s.%s", userShared2.Name, baseDomain)
+	_, ok = dnsConfig.Routes[domainRouteShared2]
+	c.Assert(ok, check.Equals, true)
+
+	domainRouteShared3 := fmt.Sprintf("%s.%s", userShared3.Name, baseDomain)
+	_, ok = dnsConfig.Routes[domainRouteShared3]
+	c.Assert(ok, check.Equals, true)
+}
+
+func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
+	userShared1, err := app.CreateUser("shared1")
+	c.Assert(err, check.IsNil)
+
+	userShared2, err := app.CreateUser("shared2")
+	c.Assert(err, check.IsNil)
+
+	userShared3, err := app.CreateUser("shared3")
+	c.Assert(err, check.IsNil)
+
+	preAuthKeyInShared1, err := app.CreatePreAuthKey(
+		userShared1.Name,
+		false,
+		false,
+		nil,
+		nil,
+	)
+	c.Assert(err, check.IsNil)
+
+	preAuthKeyInShared2, err := app.CreatePreAuthKey(
+		userShared2.Name,
+		false,
+		false,
+		nil,
+		nil,
+	)
+	c.Assert(err, check.IsNil)
+
+	preAuthKeyInShared3, err := app.CreatePreAuthKey(
+		userShared3.Name,
+		false,
+		false,
+		nil,
+		nil,
+	)
+	c.Assert(err, check.IsNil)
+
+	preAuthKey2InShared1, err := app.CreatePreAuthKey(
+		userShared1.Name,
+		false,
+		false,
+		nil,
+		nil,
+	)
+	c.Assert(err, check.IsNil)
+
+	_, err = app.GetMachine(userShared1.Name, "test_get_shared_nodes_1")
+	c.Assert(err, check.NotNil)
+
+	machineInShared1 := &Machine{
+		ID:             1,
+		MachineKey:     "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
+		NodeKey:        "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
+		DiscoKey:       "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
+		Hostname:       "test_get_shared_nodes_1",
+		UserID:         userShared1.ID,
+		User:           *userShared1,
+		RegisterMethod: RegisterMethodAuthKey,
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.1")},
+		AuthKeyID:      uint(preAuthKeyInShared1.ID),
+	}
+	app.db.Save(machineInShared1)
+
+	_, err = app.GetMachine(userShared1.Name, machineInShared1.Hostname)
+	c.Assert(err, check.IsNil)
+
+	machineInShared2 := &Machine{
+		ID:             2,
+		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		Hostname:       "test_get_shared_nodes_2",
+		UserID:         userShared2.ID,
+		User:           *userShared2,
+		RegisterMethod: RegisterMethodAuthKey,
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.2")},
+		AuthKeyID:      uint(preAuthKeyInShared2.ID),
+	}
+	app.db.Save(machineInShared2)
+
+	_, err = app.GetMachine(userShared2.Name, machineInShared2.Hostname)
+	c.Assert(err, check.IsNil)
+
+	machineInShared3 := &Machine{
+		ID:             3,
+		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		Hostname:       "test_get_shared_nodes_3",
+		UserID:         userShared3.ID,
+		User:           *userShared3,
+		RegisterMethod: RegisterMethodAuthKey,
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.3")},
+		AuthKeyID:      uint(preAuthKeyInShared3.ID),
+	}
+	app.db.Save(machineInShared3)
+
+	_, err = app.GetMachine(userShared3.Name, machineInShared3.Hostname)
+	c.Assert(err, check.IsNil)
+
+	machine2InShared1 := &Machine{
+		ID:             4,
+		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
+		Hostname:       "test_get_shared_nodes_4",
+		UserID:         userShared1.ID,
+		User:           *userShared1,
+		RegisterMethod: RegisterMethodAuthKey,
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.4")},
+		AuthKeyID:      uint(preAuthKey2InShared1.ID),
+	}
+	app.db.Save(machine2InShared1)
+
+	baseDomain := "foobar.headscale.net"
+	dnsConfigOrig := tailcfg.DNSConfig{
+		Routes:  make(map[string][]*dnstype.Resolver),
+		Domains: []string{baseDomain},
+		Proxied: false,
+	}
+
+	peersOfMachine1Shared1, err := app.getPeers(machineInShared1)
+	c.Assert(err, check.IsNil)
+
+	dnsConfig := getMapResponseDNSConfig(
+		&dnsConfigOrig,
+		baseDomain,
+		*machineInShared1,
+		peersOfMachine1Shared1,
+	)
+	c.Assert(dnsConfig, check.NotNil)
+	c.Assert(len(dnsConfig.Routes), check.Equals, 0)
+	c.Assert(len(dnsConfig.Domains), check.Equals, 1)
+}

docs/DNS.md

@@ -1,33 +0,0 @@
-# DNS in Headscale
-
-Headscale supports Tailscale's DNS configuration and MagicDNS. Please have a look to their KB to better understand what this means:
-
-- https://tailscale.com/kb/1054/dns/
-- https://tailscale.com/kb/1081/magicdns/
-- https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
-
-Long story short, you can define the DNS servers you want to use in your tailnets, activate MagicDNS (so you don't have to remember the IP addresses of your nodes), define search domains, as well as predefined hosts. Headscale will inject that settings into your nodes.
-
-
-## Configuration reference
-
-The setup is done via the `config.json` file, under the `dns_config` key. 
-
-```json
-{
-    "server_url": "http://127.0.0.1:8001",
-    "listen_addr": "0.0.0.0:8001",
-    "private_key_path": "private.key",
-    //...
-    "dns_config": {
-        "nameservers": ["1.1.1.1", "8.8.8.8"],
-        "domains": [],
-        "magic_dns": true,
-        "base_domain": "example.com"
-    }
-}
-```
-- `nameservers`:  The list of DNS servers to use.
-- `domains`: Search domains to inject.
-- `magic_dns`: Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/). Only works if there is at least a nameserver defined.
-- `base_domain`: Defines the base domain to create the hostnames for MagicDNS. `base_domain` must be a FQDNs, without the trailing dot. The FQDN of the hosts will be `hostname.namespace.base_domain` (e.g., _myhost.mynamespace.example.com_).

docs/README.md

@@ -0,0 +1,56 @@
+# headscale documentation
+
+This page contains the official and community contributed documentation for `headscale`.
+
+If you are having trouble with following the documentation or get unexpected results,
+please ask on [Discord](https://discord.gg/c84AZQhmpx) instead of opening an Issue.
+
+## Official documentation
+
+### How-to
+
+- [Running headscale on Linux](running-headscale-linux.md)
+- [Control headscale remotely](remote-cli.md)
+- [Using a Windows client with headscale](windows-client.md)
+- [Configuring OIDC](oidc.md)
+
+### References
+
+- [Configuration](../config-example.yaml)
+- [Glossary](glossary.md)
+- [TLS](tls.md)
+
+## Community documentation
+
+Community documentation is not actively maintained by the headscale authors and is
+written by community members. It is _not_ verified by `headscale` developers.
+
+**It might be outdated and it might miss necessary steps**.
+
+- [Running headscale in a container](running-headscale-container.md)
+- [Running headscale on OpenBSD](running-headscale-openbsd.md)
+- [Running headscale behind a reverse proxy](reverse-proxy.md)
+- [Set Custom DNS records](dns-records.md)
+
+## Misc
+
+### Policy ACLs
+
+Headscale implements the same policy ACLs as Tailscale.com, adapted to the self-hosted environment.
+
+For instance, instead of referring to users when defining groups you must
+use users (which are the equivalent to user/logins in Tailscale.com).
+
+Please check https://tailscale.com/kb/1018/acls/, and `./tests/acls/` in this repo for working examples.
+
+When using ACL's the User borders are no longer applied. All machines
+whichever the User have the ability to communicate with other hosts as
+long as the ACL's permits this exchange.
+
+The [ACLs](acls.md) document should help understand a fictional case of setting
+up ACLs in a small company. All concepts presented in this document could be
+applied outside of business oriented usage.
+
+### Apple devices
+
+An endpoint with information on how to connect your Apple devices (currently macOS only) is available at `/apple` on your running instance.

docs/acls.md

@@ -0,0 +1,176 @@
+# ACLs use case example
+
+Let's build an example use case for a small business (It may be the place where
+ACL's are the most useful).
+
+We have a small company with a boss, an admin, two developers and an intern.
+
+The boss should have access to all servers but not to the user's hosts. Admin
+should also have access to all hosts except that their permissions should be
+limited to maintaining the hosts (for example purposes). The developers can do
+anything they want on dev hosts but only watch on productions hosts. Intern
+can only interact with the development servers.
+
+There's an additional server that acts as a router, connecting the VPN users
+to an internal network `10.20.0.0/16`. Developers must have access to those
+internal resources.
+
+Each user have at least a device connected to the network and we have some
+servers.
+
+- database.prod
+- database.dev
+- app-server1.prod
+- app-server1.dev
+- billing.internal
+- router.internal
+
+![ACL implementation example](images/headscale-acl-network.png)
+
+## ACL setup
+
+Note: Users will be created automatically when users authenticate with the
+Headscale server.
+
+ACLs could be written either on [huJSON](https://github.com/tailscale/hujson)
+or YAML. Check the [test ACLs](../tests/acls) for further information.
+
+When registering the servers we will need to add the flag
+`--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user that is
+registering the server should be allowed to do it. Since anyone can add tags to
+a server they can register, the check of the tags is done on headscale server
+and only valid tags are applied. A tag is valid if the user that is
+registering it is allowed to do it.
+
+Here are the ACL's to implement the same permissions as above:
+
+```json
+{
+  // groups are collections of users having a common scope. A user can be in multiple groups
+  // groups cannot be composed of groups
+  "groups": {
+    "group:boss": ["boss"],
+    "group:dev": ["dev1", "dev2"],
+    "group:admin": ["admin1"],
+    "group:intern": ["intern1"]
+  },
+  // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
+  // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
+  // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
+  "tagOwners": {
+    // the administrators can add servers in production
+    "tag:prod-databases": ["group:admin"],
+    "tag:prod-app-servers": ["group:admin"],
+
+    // the boss can tag any server as internal
+    "tag:internal": ["group:boss"],
+
+    // dev can add servers for dev purposes as well as admins
+    "tag:dev-databases": ["group:admin", "group:dev"],
+    "tag:dev-app-servers": ["group:admin", "group:dev"]
+
+    // interns cannot add servers
+  },
+  // hosts should be defined using its IP addresses and a subnet mask.
+  // to define a single host, use a /32 mask. You cannot use DNS entries here,
+  // as they're prone to be hijacked by replacing their IP addresses.
+  // see https://github.com/tailscale/tailscale/issues/3800 for more information.
+  "Hosts": {
+    "postgresql.internal": "10.20.0.2/32",
+    "webservers.internal": "10.20.10.1/29"
+  },
+  "acls": [
+    // boss have access to all servers
+    {
+      "action": "accept",
+      "src": ["group:boss"],
+      "dst": [
+        "tag:prod-databases:*",
+        "tag:prod-app-servers:*",
+        "tag:internal:*",
+        "tag:dev-databases:*",
+        "tag:dev-app-servers:*"
+      ]
+    },
+
+    // admin have only access to administrative ports of the servers, in tcp/22
+    {
+      "action": "accept",
+      "src": ["group:admin"],
+      "proto": "tcp",
+      "dst": [
+        "tag:prod-databases:22",
+        "tag:prod-app-servers:22",
+        "tag:internal:22",
+        "tag:dev-databases:22",
+        "tag:dev-app-servers:22"
+      ]
+    },
+
+    // we also allow admin to ping the servers
+    {
+      "action": "accept",
+      "src": ["group:admin"],
+      "proto": "icmp",
+      "dst": [
+        "tag:prod-databases:*",
+        "tag:prod-app-servers:*",
+        "tag:internal:*",
+        "tag:dev-databases:*",
+        "tag:dev-app-servers:*"
+      ]
+    },
+
+    // developers have access to databases servers and application servers on all ports
+    // they can only view the applications servers in prod and have no access to databases servers in production
+    {
+      "action": "accept",
+      "src": ["group:dev"],
+      "dst": [
+        "tag:dev-databases:*",
+        "tag:dev-app-servers:*",
+        "tag:prod-app-servers:80,443"
+      ]
+    },
+    // developers have access to the internal network through the router.
+    // the internal network is composed of HTTPS endpoints and Postgresql
+    // database servers. There's an additional rule to allow traffic to be
+    // forwarded to the internal subnet, 10.20.0.0/16. See this issue
+    // https://github.com/juanfont/headscale/issues/502
+    {
+      "action": "accept",
+      "src": ["group:dev"],
+      "dst": ["10.20.0.0/16:443,5432", "router.internal:0"]
+    },
+
+    // servers should be able to talk to database in tcp/5432. Database should not be able to initiate connections to
+    // applications servers
+    {
+      "action": "accept",
+      "src": ["tag:dev-app-servers"],
+      "proto": "tcp",
+      "dst": ["tag:dev-databases:5432"]
+    },
+    {
+      "action": "accept",
+      "src": ["tag:prod-app-servers"],
+      "dst": ["tag:prod-databases:5432"]
+    },
+
+    // interns have access to dev-app-servers only in reading mode
+    {
+      "action": "accept",
+      "src": ["group:intern"],
+      "dst": ["tag:dev-app-servers:80,443"]
+    },
+
+    // We still have to allow internal users communications since nothing guarantees that each user have
+    // their own users.
+    { "action": "accept", "src": ["boss"], "dst": ["boss:*"] },
+    { "action": "accept", "src": ["dev1"], "dst": ["dev1:*"] },
+    { "action": "accept", "src": ["dev2"], "dst": ["dev2:*"] },
+    { "action": "accept", "src": ["admin1"], "dst": ["admin1:*"] },
+    { "action": "accept", "src": ["intern1"], "dst": ["intern1:*"] }
+  ]
+}
+```

docs/android-client.md

@@ -0,0 +1,19 @@
+# Connecting an Android client
+
+## Goal
+
+This documentation has the goal of showing how a user can use the official Android [Tailscale](https://tailscale.com) client with `headscale`.
+
+## Installation
+
+Install the official Tailscale Android client from the [Google Play Store](https://play.google.com/store/apps/details?id=com.tailscale.ipn) or [F-Droid](https://f-droid.org/packages/com.tailscale.ipn/).
+
+Ensure that the installed version is at least 1.30.0, as that is the first release to support custom URLs.
+
+## Configuring the headscale URL
+
+After opening the app, the kebab menu icon (three dots) on the top bar on the right must be repeatedly opened and closed until the _Change server_ option appears in the menu. This is where you can enter your headscale URL.
+
+A screen recording of this process can be seen in the `tailscale-android` PR which implemented this functionality: <https://github.com/tailscale/tailscale-android/pull/55>
+
+After saving and restarting the app, selecting the regular _Sign in_ option (non-SSO) should open up the headscale authentication page.

docs/dns-records.md

@@ -0,0 +1,83 @@
+# Setting custom DNS records
+
+## Goal
+
+This documentation has the goal of showing how a user can set custom DNS records with `headscale`s magic dns.
+An example use case is to serve apps on the same host via a reverse proxy like NGINX, in this case a Prometheus monitoring stack. This allows to nicely access the service with "http://grafana.myvpn.example.com" instead of the hostname and portnum combination "http://hostname-in-magic-dns.myvpn.example.com:3000".
+
+## Setup
+
+### 1. Change the configuration
+
+1. Change the `config.yaml` to contain the desired records like so:
+
+```yaml
+dns_config:
+  ...
+  extra_records:
+    - name: "prometheus.myvpn.example.com"
+      type: "A"
+      value: "100.64.0.3"
+
+    - name: "grafana.myvpn.example.com"
+      type: "A"
+      value: "100.64.0.3"
+  ...
+```
+
+2. Restart your headscale instance.
+
+Beware of the limitations listed later on!
+
+### 2. Verify that the records are set
+
+You can use a DNS querying tool of your choice on one of your hosts to verify that your newly set records are actually available in MagicDNS, here we used [`dig`](https://man.archlinux.org/man/dig.1.en):
+
+```
+$ dig grafana.myvpn.example.com
+
+; <<>> DiG 9.18.10 <<>> grafana.myvpn.example.com
+;; global options: +cmd
+;; Got answer:
+;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44054
+;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
+
+;; OPT PSEUDOSECTION:
+; EDNS: version: 0, flags:; udp: 65494
+;; QUESTION SECTION:
+;grafana.myvpn.example.com.         IN      A
+
+;; ANSWER SECTION:
+grafana.myvpn.example.com.  593     IN      A       100.64.0.3
+
+;; Query time: 0 msec
+;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
+;; WHEN: Sat Dec 31 11:46:55 CET 2022
+;; MSG SIZE  rcvd: 66
+```
+
+### 3. Optional: Setup the reverse proxy
+
+The motivating example here was to be able to access internal monitoring services on the same host without specifying a port:
+
+```
+server {
+    listen 80;
+    listen [::]:80;
+
+    server_name grafana.myvpn.example.com;
+
+    location / {
+        proxy_pass http://localhost:3000;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+}
+```
+
+## Limitations
+
+[Not all types of records are supported](https://github.com/tailscale/tailscale/blob/6edf357b96b28ee1be659a70232c0135b2ffedfd/ipn/ipnlocal/local.go#L2989-L3007), especially no CNAME records.