Reduce the number of containers

Temporary fix integration tests with dedicated Dockerfile
Merge pull request #680 from ohdearaugustin/topic/speedup-build
2025-08-16 12:23:25 +00:00 · 2022-08-04 21:36:38 +02:00 · 2022-07-31 10:44:09 +02:00 · 2022-07-28 23:07:32 +02:00 · 2022-07-28 22:58:07 +02:00 · 2022-07-28 22:52:35 +02:00
112 changed files with 9286 additions and 2529 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -3,6 +3,7 @@
 // development
 integration_test.go
 integration_test/
+!integration_test/etc_embedded_derp/tls/server.crt

 Dockerfile*
 docker-compose*
--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -6,6 +6,8 @@ labels: ["bug"]
 assignees: ""
 ---

+<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the bug report in this language. -->
+
 **Bug description**

 <!-- A clear and concise description of what the bug is. Describe the expected bahavior
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -7,5 +7,5 @@ contact_links:
    url: "https://github.com/juanfont/headscale/blob/main/docs"
    about: "Find documentation about how to configure and run headscale."
  - name: "headscale Discord community"
-    url: "https://discord.com/invite/XcQxk2VHjx"
+    url: "https://discord.gg/xGj2TuqyxY"
    about: "Please ask and answer questions about usage of headscale here."
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -6,6 +6,8 @@ labels: ["enhancement"]
 assignees: ""
 ---

+<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the feature request in this language. -->
+
 **Feature request**

 <!-- A clear and precise description of what new or changed feature you want. -->
--- a/.github/ISSUE_TEMPLATE/other_issue.md
+++ b/.github/ISSUE_TEMPLATE/other_issue.md
@@ -6,6 +6,8 @@ labels: ["bug"]
 assignees: ""
 ---

+<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the issue in this language. -->
+
 <!-- If you have a question, please consider using our Discord for asking questions -->

 **Issue description**
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,10 +1,10 @@
 <!-- Please tick if the following things apply. You… -->

- [] read the [CONTRIBUTING guidelines](README.md#user-content-contributing)
- [] raised a GitHub issue or discussed it on the projects chat beforehand
- [] added unit tests
- [] added integration tests
- [] updated documentation if needed
- [] updated CHANGELOG.md
+- [ ] read the [CONTRIBUTING guidelines](README.md#contributing)
+- [ ] raised a GitHub issue or discussed it on the projects chat beforehand
+- [ ] added unit tests
+- [ ] added integration tests
+- [ ] updated documentation if needed
+- [ ] updated CHANGELOG.md

 <!-- If applicable, please reference the issue using `Fixes #XXX` and add tests to cover your new code. -->
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,30 +22,21 @@ jobs:
        uses: tj-actions/changed-files@v14.1
        with:
          files: |
+            *.nix
            go.*
            **/*.go
            integration_test/
            config-example.yaml

-      - name: Setup Go
+      - uses: cachix/install-nix-action@v16
        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: actions/setup-go@v2
-        with:
-          go-version: "1.17.7"
-
-      - name: Install dependencies
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-          go version
-          sudo apt update
-          sudo apt install -y make

      - name: Run build
        if: steps.changed-files.outputs.any_changed == 'true'
-        run: make build
+        run: nix build

      - uses: actions/upload-artifact@v2
        if: steps.changed-files.outputs.any_changed == 'true'
        with:
          name: headscale-linux
-          path: headscale
+          path: result/bin/headscale
--- a/.github/workflows/contributors.yml
+++ b/.github/workflows/contributors.yml
@@ -17,6 +17,10 @@ jobs:
        run: git push origin --delete update-contributors
      - name: Create up-to-date contributors branch
        run: git checkout -B update-contributors
+      - name: Push empty contributors branch
+        run: git push origin update-contributors
+      - name: Switch back to main
+        run: git checkout main
      - uses: BobAnkh/add-contributors@v0.2.2
        with:
          CONTRIBUTOR: "## Contributors"
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -16,6 +16,7 @@ jobs:
        uses: tj-actions/changed-files@v14.1
        with:
          files: |
+            *.nix
            go.*
            **/*.go
            integration_test/
@@ -25,7 +26,7 @@ jobs:
        if: steps.changed-files.outputs.any_changed == 'true'
        uses: golangci/golangci-lint-action@v2
        with:
-          version: latest
+          version: v1.46.1

          # Only block PRs on new problems.
          # If this is not enabled, we will end up having PRs
@@ -45,6 +46,7 @@ jobs:
        uses: tj-actions/changed-files@v14.1
        with:
          files: |
+            *.nix
            **/*.md
            **/*.yml
            **/*.yaml
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,7 +18,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v2
        with:
-          go-version: 1.17.7
+          go-version: 1.18.0

      - name: Install dependencies
        run: |
@@ -89,6 +89,8 @@ jobs:
          platforms: linux/amd64,linux/arm64
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new
+          build-args: |
+            VERSION=${{ steps.meta.outputs.version }}
      - name: Prepare cache for next build
        run: |
          rm -rf /tmp/.buildx-cache
@@ -153,6 +155,8 @@ jobs:
          platforms: linux/amd64,linux/arm64
          cache-from: type=local,src=/tmp/.buildx-cache-debug
          cache-to: type=local,dest=/tmp/.buildx-cache-debug-new
+          build-args: |
+            VERSION=${{ steps.meta-debug.outputs.version }}
      - name: Prepare cache for next build
        run: |
          rm -rf /tmp/.buildx-cache-debug
@@ -217,6 +221,8 @@ jobs:
          platforms: linux/amd64,linux/arm64
          cache-from: type=local,src=/tmp/.buildx-cache-alpine
          cache-to: type=local,dest=/tmp/.buildx-cache-alpine-new
+          build-args: |
+            VERSION=${{ steps.meta-alpine.outputs.version }}
      - name: Prepare cache for next build
        run: |
          rm -rf /tmp/.buildx-cache-alpine
--- a/.github/workflows/test-integration.yml
+++ b/.github/workflows/test-integration.yml
@@ -16,17 +16,20 @@ jobs:
        uses: tj-actions/changed-files@v14.1
        with:
          files: |
+            *.nix
            go.*
            **/*.go
            integration_test/
            config-example.yaml

-      - name: Setup Go
+      - uses: cachix/install-nix-action@v16
        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: actions/setup-go@v2
-        with:
-          go-version: "1.17.7"

      - name: Run Integration tests
        if: steps.changed-files.outputs.any_changed == 'true'
-        run: make test_integration
+        uses: nick-fields/retry@v2
+        with:
+          timeout_minutes: 240
+          max_attempts: 5
+          retry_on: error
+          command: nix develop --command -- make test_integration
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -16,28 +16,15 @@ jobs:
        uses: tj-actions/changed-files@v14.1
        with:
          files: |
+            *.nix
            go.*
            **/*.go
            integration_test/
            config-example.yaml

-      - name: Setup Go
+      - uses: cachix/install-nix-action@v16
        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: actions/setup-go@v2
-        with:
-          go-version: "1.17.7"
-
-      - name: Install dependencies
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-          go version
-          sudo apt update
-          sudo apt install -y make

      - name: Run tests
        if: steps.changed-files.outputs.any_changed == 'true'
-        run: make test
-
-      - name: Run build
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: make
+        run: nix develop --check
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,9 @@ derp.yaml
 .idea

 test_output/ 
+
+# Nix build output
+result
+.direnv/
+
+integration_test/etc/config.dump.yaml
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -24,6 +24,8 @@ linters:
    - tagliatelle
    - godox
    - ireturn
+    - execinquery
+    - exhaustruct

    # We should strive to enable these:
    - wrapcheck
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,7 +1,7 @@
 ---
 before:
  hooks:
-    - go mod tidy -compat=1.17
+    - go mod tidy -compat=1.18

 release:
  prerelease: auto
@@ -21,17 +21,15 @@ builds:
    ldflags:
      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}

-  - id: linux-armhf
+  - id: darwin-arm64
    main: ./cmd/headscale/headscale.go
    mod_timestamp: "{{ .CommitTimestamp }}"
    env:
      - CGO_ENABLED=0
    goos:
-      - linux
+      - darwin
    goarch:
-      - arm
-    goarm:
-      - "7"
+      - arm64
    flags:
      - -mod=readonly
    ldflags:
@@ -65,7 +63,7 @@ archives:
  - id: golang-cross
    builds:
      - darwin-amd64
-      - linux-armhf
+      - darwin-arm64
      - linux-amd64
      - linux-arm64
    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,47 @@
 # CHANGELOG

-## 0.15.0 (2022-xx-xx)
+## 0.17.0 (2022-xx-xx)
+
+## 0.16.0 (2022-07-25)
+
+**Note:** Take a backup of your database before upgrading.
+
+### BREAKING
+
+- Old ACL syntax is no longer supported ("users" & "ports" -> "src" & "dst"). Please check [the new syntax](https://tailscale.com/kb/1018/acls/).
+
+### Changes
+
+- **Drop** armhf (32-bit ARM) support. [#609](https://github.com/juanfont/headscale/pull/609)
+- Headscale fails to serve if the ACL policy file cannot be parsed [#537](https://github.com/juanfont/headscale/pull/537)
+- Fix labels cardinality error when registering unknown pre-auth key [#519](https://github.com/juanfont/headscale/pull/519)
+- Fix send on closed channel crash in polling [#542](https://github.com/juanfont/headscale/pull/542)
+- Fixed spurious calls to setLastStateChangeToNow from ephemeral nodes [#566](https://github.com/juanfont/headscale/pull/566)
+- Add command for moving nodes between namespaces [#362](https://github.com/juanfont/headscale/issues/362)
+- Added more configuration parameters for OpenID Connect (scopes, free-form paramters, domain and user allowlist)
+- Add command to set tags on a node [#525](https://github.com/juanfont/headscale/issues/525)
+- Add command to view tags of nodes [#356](https://github.com/juanfont/headscale/issues/356)
+- Add --all (-a) flag to enable routes command [#360](https://github.com/juanfont/headscale/issues/360)
+- Fix issue where nodes was not updated across namespaces [#560](https://github.com/juanfont/headscale/pull/560)
+- Add the ability to rename a nodes name [#560](https://github.com/juanfont/headscale/pull/560)
+  - Node DNS names are now unique, a random suffix will be added when a node joins
+  - This change contains database changes, remember to **backup** your database before upgrading
+- Add option to enable/disable logtail (Tailscale's logging infrastructure) [#596](https://github.com/juanfont/headscale/pull/596)
+  - This change disables the logs by default
+- Use [Prometheus]'s duration parser, supporting days (`d`), weeks (`w`) and years (`y`) [#598](https://github.com/juanfont/headscale/pull/598)
+- Add support for reloading ACLs with SIGHUP [#601](https://github.com/juanfont/headscale/pull/601)
+- Use new ACL syntax [#618](https://github.com/juanfont/headscale/pull/618)
+- Add -c option to specify config file from command line [#285](https://github.com/juanfont/headscale/issues/285) [#612](https://github.com/juanfont/headscale/pull/601)
+- Add configuration option to allow Tailscale clients to use a random WireGuard port. [kb/1181/firewalls](https://tailscale.com/kb/1181/firewalls) [#624](https://github.com/juanfont/headscale/pull/624)
+- Improve obtuse UX regarding missing configuration (`ephemeral_node_inactivity_timeout` not set) [#639](https://github.com/juanfont/headscale/pull/639)
+- Fix nodes being shown as 'offline' in `tailscale status` [#648](https://github.com/juanfont/headscale/pull/648)
+- Improve shutdown behaviour [#651](https://github.com/juanfont/headscale/pull/651)
+- Drop Gin as web framework in Headscale [648](https://github.com/juanfont/headscale/pull/648) [677](https://github.com/juanfont/headscale/pull/677)
+- Make tailnet node updates check interval configurable [#675](https://github.com/juanfont/headscale/pull/675)
+- Fix regression with HTTP API [#684](https://github.com/juanfont/headscale/pull/684)
+- nodes ls now print both Hostname and Name(Issue [#647](https://github.com/juanfont/headscale/issues/647) PR [#687](https://github.com/juanfont/headscale/pull/687))
+
+## 0.15.0 (2022-03-20)

 **Note:** Take a backup of your database before upgrading.

@@ -8,12 +49,18 @@

 - Boundaries between Namespaces has been removed and all nodes can communicate by default [#357](https://github.com/juanfont/headscale/pull/357)
  - To limit access between nodes, use [ACLs](./docs/acls.md).
+- `/metrics` is now a configurable host:port endpoint: [#344](https://github.com/juanfont/headscale/pull/344). You must update your `config.yaml` file to include:
+  ```yaml
+  metrics_listen_addr: 127.0.0.1:9090
+  ```

 ### Features

 - Add support for writing ACL files with YAML [#359](https://github.com/juanfont/headscale/pull/359)
 - Users can now use emails in ACL's groups [#372](https://github.com/juanfont/headscale/issues/372)
 - Add shorthand aliases for commands and subcommands [#376](https://github.com/juanfont/headscale/pull/376)
+- Add `/windows` endpoint for Windows configuration instructions + registry file download [#392](https://github.com/juanfont/headscale/pull/392)
+- Added embedded DERP (and STUN) server into Headscale [#388](https://github.com/juanfont/headscale/pull/388)

 ### Changes

@@ -22,6 +69,9 @@
  - Nodes are now only written to database if they are registrated successfully
 - Fix a limitation in the ACLs that prevented users to write rules with `*` as source [#374](https://github.com/juanfont/headscale/issues/374)
 - Reduce the overhead of marshal/unmarshal for Hostinfo, routes and endpoints by using specific types in Machine [#371](https://github.com/juanfont/headscale/pull/371)
+- Apply normalization function to FQDN on hostnames when hosts registers and retrieve informations [#363](https://github.com/juanfont/headscale/issues/363)
+- Fix a bug that prevented the use of `tailscale logout` with OIDC [#508](https://github.com/juanfont/headscale/issues/508)
+- Added Tailscale repo HEAD and unstable releases channel to the integration tests targets [#513](https://github.com/juanfont/headscale/pull/513)

 ## 0.14.0 (2022-02-24)

--- a/8
+++ b/8
@@ -1,5 +1,6 @@
 # Builder image
-FROM docker.io/golang:1.17.7-bullseye AS build
+FROM --platform=$BUILDPLATFORM docker.io/golang:1.18.0-bullseye AS build
+ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale

@@ -7,9 +8,8 @@ COPY go.mod go.sum /go/src/headscale/
 RUN go mod download

 COPY . .
-
-RUN GGO_ENABLED=0 GOOS=linux go install -a ./cmd/headscale
-RUN strip /go/bin/headscale
+ARG TARGETOS TARGETARCH
+RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /go/bin/headscale -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale 
 RUN test -e /go/bin/headscale

 # Production image
--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@@ -1,5 +1,6 @@
 # Builder image
-FROM docker.io/golang:1.17.7-alpine AS build
+FROM --platform=$BUILDPLATFORM docker.io/golang:1.18.0-alpine AS build
+ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale

@@ -9,8 +10,8 @@ RUN go mod download

 COPY . .

-RUN GGO_ENABLED=0 GOOS=linux go install -a ./cmd/headscale
-RUN strip /go/bin/headscale
+ARG TARGETOS TARGETARCH
+RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /go/bin/headscale -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale 
 RUN test -e /go/bin/headscale

 # Production image
--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@@ -1,5 +1,6 @@
 # Builder image
-FROM docker.io/golang:1.17.7-bullseye AS build
+FROM --platform=$BUILDPLATFORM docker.io/golang:1.18.0-bullseye AS build
+ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale

@@ -8,7 +9,8 @@ RUN go mod download

 COPY . .

-RUN GGO_ENABLED=0 GOOS=linux go install -a ./cmd/headscale
+ARG TARGETOS TARGETARCH
+RUN CGO_ENABLED=0 GOOS=linux go install -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
 RUN test -e /go/bin/headscale

 # Debug image
--- a/Dockerfile.tailscale
+++ b/Dockerfile.tailscale
@@ -1,11 +1,17 @@
 FROM ubuntu:latest

-ARG TAILSCALE_VERSION
+ARG TAILSCALE_VERSION=*
+ARG TAILSCALE_CHANNEL=stable

 RUN apt-get update \
    && apt-get install -y gnupg curl \
-    && curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.gpg | apt-key add - \
-    && curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/focal.list | tee /etc/apt/sources.list.d/tailscale.list \
+    && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.gpg | apt-key add - \
+    && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.list | tee /etc/apt/sources.list.d/tailscale.list \
    && apt-get update \
-    && apt-get install -y tailscale=${TAILSCALE_VERSION} dnsutils \
+    && apt-get install -y ca-certificates tailscale=${TAILSCALE_VERSION} dnsutils \
    && rm -rf /var/lib/apt/lists/*
+
+ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
+RUN chmod 644 /usr/local/share/ca-certificates/server.crt 
+
+RUN update-ca-certificates
--- a/Dockerfile.tailscale-HEAD
+++ b/Dockerfile.tailscale-HEAD
@@ -0,0 +1,21 @@
+FROM golang:latest
+
+RUN apt-get update \
+    && apt-get install -y ca-certificates dnsutils git iptables \
+    && rm -rf /var/lib/apt/lists/*
+
+
+RUN git clone https://github.com/tailscale/tailscale.git
+
+WORKDIR tailscale
+
+RUN sh build_dist.sh tailscale.com/cmd/tailscale
+RUN sh build_dist.sh tailscale.com/cmd/tailscaled
+
+RUN cp tailscale /usr/local/bin/
+RUN cp tailscaled /usr/local/bin/
+
+ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
+RUN chmod 644 /usr/local/share/ca-certificates/server.crt 
+
+RUN update-ca-certificates
--- a/Dockerfile.tmp-integration
+++ b/Dockerfile.tmp-integration
@@ -0,0 +1,21 @@
+# Builder image
+FROM docker.io/golang:1.18.0-bullseye AS build
+ARG VERSION=dev
+ENV GOPATH /go
+WORKDIR /go/src/headscale
+
+COPY go.mod go.sum /go/src/headscale/
+RUN go mod download
+
+COPY . .
+RUN CGO_ENABLED=0 go build -o /go/bin/headscale -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale 
+RUN test -e /go/bin/headscale
+
+# Production image
+FROM gcr.io/distroless/base-debian11
+
+COPY --from=build /go/bin/headscale /bin/headscale
+ENV TZ UTC
+
+EXPOSE 8080/tcp
+CMD ["headscale"]
--- a/18
+++ b/18
@@ -1,8 +1,15 @@
 # Calculate version
-version = $(shell ./scripts/version-at-commit.sh)
+version ?= $(shell git describe --always --tags --dirty)

 rwildcard=$(foreach d,$(wildcard $1*),$(call rwildcard,$d/,$2) $(filter $(subst *,%,$2),$d))

+# Determine if OS supports pie
+GOOS ?= $(shell uname | tr '[:upper:]' '[:lower:]')
+ifeq ($(filter $(GOOS), openbsd netbsd soloaris plan9), )
+	pieflags = -buildmode=pie
+else
+endif
+
 # GO_SOURCES = $(wildcard *.go)
 # PROTO_SOURCES = $(wildcard **/*.proto)
 GO_SOURCES = $(call rwildcard,,*.go)
@@ -10,7 +17,7 @@ PROTO_SOURCES = $(call rwildcard,,*.proto)


 build:
-	GGO_ENABLED=0 go build -ldflags "-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$(version)" cmd/headscale/headscale.go
+	GOOS=$(GOOS) CGO_ENABLED=0 go build -trimpath $(pieflags) -mod=readonly -ldflags "-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$(version)" cmd/headscale/headscale.go

 dev: lint test build

@@ -23,6 +30,9 @@ test_integration:
 test_integration_cli:
 	go test -tags integration -v integration_cli_test.go integration_common_test.go

+test_integration_derp:
+	go test -tags integration -v integration_embedded_derp_test.go integration_common_test.go
+
 coverprofile_func:
 	go tool cover -func=coverage.out

@@ -38,14 +48,14 @@ fmt:
 	clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i $(PROTO_SOURCES)

 proto-lint:
-	cd proto/ && buf lint
+	cd proto/ && go run github.com/bufbuild/buf/cmd/buf lint

 compress: build
 	upx --brute headscale

 generate:
 	rm -rf gen
-	buf generate proto
+	go run github.com/bufbuild/buf/cmd/buf generate proto

 install-protobuf-plugins:
 	go install \
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@

 An open source, self-hosted implementation of the Tailscale control server.

-Join our [Discord](https://discord.gg/XcQxk2VHjx) server for a chat.
+Join our [Discord](https://discord.gg/c84AZQhmpx) server for a chat.

 **Note:** Always select the same GitHub tag as the released version you use
 to ensure you have the correct example configuration and documentation.
@@ -28,7 +28,7 @@ and exposes the advertised routes of your nodes.

 A [Tailscale network (tailnet)](https://tailscale.com/kb/1136/tailnet/) is private
 network which Tailscale assigns to a user in terms of private users or an
-organisations.
+organisation.

 ## Design goal

@@ -63,6 +63,7 @@ one of the maintainers.
 - Dual stack (IPv4 and IPv6)
 - Routing advertising (including exit nodes)
 - Ephemeral nodes
+- Embedded [DERP server](https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp)

 ## Client OS support

@@ -90,6 +91,10 @@ Please have a look at the documentation under [`docs/`](docs/).
 To contribute to headscale you would need the lastest version of [Go](https://golang.org)
 and [Buf](https://buf.build)(Protobuf generator).

+We recommend using [Nix](https://nixos.org/) to setup a development environment. This can
+be done with `nix develop`, which will install the tools and give you a shell.
+This guarantees that you will have the same dev env as `headscale` maintainers.
+
 PRs and suggestions are welcome.

 ### Code style
@@ -114,10 +119,12 @@ Check out the `.golangci.yaml` and `Makefile` to see the specific configuration.

 - Go
 - Buf
- Protobuf tools:
+- Protobuf tools
+
+Install and activate:

 ```shell
-make install-protobuf-plugins
+nix develop
 ```

 ### Testing and building
@@ -139,6 +146,12 @@ make test

 To build the program:

+```shell
+nix build
+```
+
+or
+
 ```shell
 make build
 ```
@@ -161,6 +174,13 @@ make build
            <sub style="font-size:14px"><b>Juan Font</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/restanrm>
+            <img src=https://avatars.githubusercontent.com/u/4344371?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Adrien Raffin-Caboisse/>
+            <br />
+            <sub style="font-size:14px"><b>Adrien Raffin-Caboisse</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/cure>
            <img src=https://avatars.githubusercontent.com/u/149135?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Ward Vandewege/>
@@ -169,17 +189,33 @@ make build
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/ohdearaugustin>
-            <img src=https://avatars.githubusercontent.com/u/14001491?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ohdearaugustin/>
+        <a href=https://github.com/huskyii>
+            <img src=https://avatars.githubusercontent.com/u/5499746?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jiang Zhu/>
            <br />
-            <sub style="font-size:14px"><b>ohdearaugustin</b></sub>
+            <sub style="font-size:14px"><b>Jiang Zhu</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/restanrm>
-            <img src=https://avatars.githubusercontent.com/u/4344371?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Adrien Raffin-Caboisse/>
+        <a href=https://github.com/reynico>
+            <img src=https://avatars.githubusercontent.com/u/715768?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Nico/>
            <br />
-            <sub style="font-size:14px"><b>Adrien Raffin-Caboisse</b></sub>
+            <sub style="font-size:14px"><b>Nico</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/e-zk>
+            <img src=https://avatars.githubusercontent.com/u/58356365?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=e-zk/>
+            <br />
+            <sub style="font-size:14px"><b>e-zk</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/arch4ngel>
+            <img src=https://avatars.githubusercontent.com/u/11574161?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Justin Angel/>
+            <br />
+            <sub style="font-size:14px"><b>Justin Angel</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -189,8 +225,6 @@ make build
            <sub style="font-size:14px"><b>Alessandro (Ale) Segala</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/unreality>
            <img src=https://avatars.githubusercontent.com/u/352522?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=unreality/>
@@ -198,6 +232,29 @@ make build
            <sub style="font-size:14px"><b>unreality</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/mpldr>
+            <img src=https://avatars.githubusercontent.com/u/33086936?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Moritz Poldrack/>
+            <br />
+            <sub style="font-size:14px"><b>Moritz Poldrack</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/ohdearaugustin>
+            <img src=https://avatars.githubusercontent.com/u/14001491?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ohdearaugustin/>
+            <br />
+            <sub style="font-size:14px"><b>ohdearaugustin</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/Niek>
+            <img src=https://avatars.githubusercontent.com/u/213140?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Niek van der Maas/>
+            <br />
+            <sub style="font-size:14px"><b>Niek van der Maas</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/negbie>
            <img src=https://avatars.githubusercontent.com/u/20154956?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Eugen Biegler/>
@@ -212,6 +269,13 @@ make build
            <sub style="font-size:14px"><b>Aaron Bieber</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/iSchluff>
+            <img src=https://avatars.githubusercontent.com/u/1429641?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Anton Schubert/>
+            <br />
+            <sub style="font-size:14px"><b>Anton Schubert</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/fdelucchijr>
            <img src=https://avatars.githubusercontent.com/u/69133647?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Fernando De Lucchi/>
@@ -219,6 +283,15 @@ make build
            <sub style="font-size:14px"><b>Fernando De Lucchi</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/GrigoriyMikhalkin>
+            <img src=https://avatars.githubusercontent.com/u/3637857?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=GrigoriyMikhalkin/>
+            <br />
+            <sub style="font-size:14px"><b>GrigoriyMikhalkin</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/hdhoang>
            <img src=https://avatars.githubusercontent.com/u/12537?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Hoàng Đức Hiếu/>
@@ -226,6 +299,34 @@ make build
            <sub style="font-size:14px"><b>Hoàng Đức Hiếu</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/bravechamp>
+            <img src=https://avatars.githubusercontent.com/u/48980452?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=bravechamp/>
+            <br />
+            <sub style="font-size:14px"><b>bravechamp</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/deonthomasgy>
+            <img src=https://avatars.githubusercontent.com/u/150036?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Deon Thomas/>
+            <br />
+            <sub style="font-size:14px"><b>Deon Thomas</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/ChibangLW>
+            <img src=https://avatars.githubusercontent.com/u/22293464?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ChibangLW/>
+            <br />
+            <sub style="font-size:14px"><b>ChibangLW</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/mevansam>
+            <img src=https://avatars.githubusercontent.com/u/403630?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mevan Samaratunga/>
+            <br />
+            <sub style="font-size:14px"><b>Mevan Samaratunga</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/dragetd>
            <img src=https://avatars.githubusercontent.com/u/3639577?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Michael G./>
@@ -243,17 +344,10 @@ make build
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/cmars>
-            <img src=https://avatars.githubusercontent.com/u/23741?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Casey Marshall/>
+        <a href=https://github.com/samson4649>
+            <img src=https://avatars.githubusercontent.com/u/12725953?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Samuel Lock/>
            <br />
-            <sub style="font-size:14px"><b>Casey Marshall</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/SilverBut>
-            <img src=https://avatars.githubusercontent.com/u/6560655?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Silver Bullet/>
-            <br />
-            <sub style="font-size:14px"><b>Silver Bullet</b></sub>
+            <sub style="font-size:14px"><b>Samuel Lock</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -264,10 +358,40 @@ make build
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/lachy-2849>
-            <img src=https://avatars.githubusercontent.com/u/98844035?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=lachy-2849/>
+        <a href=https://github.com/artemklevtsov>
+            <img src=https://avatars.githubusercontent.com/u/603798?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Artem Klevtsov/>
            <br />
-            <sub style="font-size:14px"><b>lachy-2849</b></sub>
+            <sub style="font-size:14px"><b>Artem Klevtsov</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/cmars>
+            <img src=https://avatars.githubusercontent.com/u/23741?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Casey Marshall/>
+            <br />
+            <sub style="font-size:14px"><b>Casey Marshall</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/pvinis>
+            <img src=https://avatars.githubusercontent.com/u/100233?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pavlos Vinieratos/>
+            <br />
+            <sub style="font-size:14px"><b>Pavlos Vinieratos</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/SilverBut>
+            <img src=https://avatars.githubusercontent.com/u/6560655?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Silver Bullet/>
+            <br />
+            <sub style="font-size:14px"><b>Silver Bullet</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/lachy2849>
+            <img src=https://avatars.githubusercontent.com/u/98844035?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=lachy2849/>
+            <br />
+            <sub style="font-size:14px"><b>lachy2849</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -277,8 +401,6 @@ make build
            <sub style="font-size:14px"><b>thomas</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/aberoham>
            <img src=https://avatars.githubusercontent.com/u/586805?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Abraham Ingersoll/>
@@ -287,12 +409,21 @@ make build
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/artemklevtsov>
-            <img src=https://avatars.githubusercontent.com/u/603798?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Artem Klevtsov/>
+        <a href=https://github.com/apognu>
+            <img src=https://avatars.githubusercontent.com/u/3017182?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Antoine POPINEAU/>
            <br />
-            <sub style="font-size:14px"><b>Artem Klevtsov</b></sub>
+            <sub style="font-size:14px"><b>Antoine POPINEAU</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/aofei>
+            <img src=https://avatars.githubusercontent.com/u/5037285?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Aofei Sheng/>
+            <br />
+            <sub style="font-size:14px"><b>Aofei Sheng</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/awoimbee>
            <img src=https://avatars.githubusercontent.com/u/22431493?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Arthur Woimbée/>
@@ -307,6 +438,20 @@ make build
            <sub style="font-size:14px"><b>Bryan Stenson</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/yangchuansheng>
+            <img src=https://avatars.githubusercontent.com/u/15308462?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt= Carson Yang/>
+            <br />
+            <sub style="font-size:14px"><b> Carson Yang</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/kundel>
+            <img src=https://avatars.githubusercontent.com/u/10158899?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=kundel/>
+            <br />
+            <sub style="font-size:14px"><b>kundel</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/fkr>
            <img src=https://avatars.githubusercontent.com/u/51063?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Felix Kronlage-Dammers/>
@@ -358,6 +503,15 @@ make build
            <sub style="font-size:14px"><b>rcursaru</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/renovate-bot>
+            <img src=https://avatars.githubusercontent.com/u/25180681?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=WhiteSource Renovate/>
+            <br />
+            <sub style="font-size:14px"><b>WhiteSource Renovate</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/ryanfowler>
            <img src=https://avatars.githubusercontent.com/u/2668821?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Ryan Fowler/>
@@ -365,8 +519,6 @@ make build
            <sub style="font-size:14px"><b>Ryan Fowler</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/shaananc>
            <img src=https://avatars.githubusercontent.com/u/2287839?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Shaanan Cohney/>
@@ -402,6 +554,8 @@ make build
            <sub style="font-size:14px"><b>Tianon Gravi</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/woudsma>
            <img src=https://avatars.githubusercontent.com/u/6162978?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tjerk Woudsma/>
@@ -409,8 +563,13 @@ make build
            <sub style="font-size:14px"><b>Tjerk Woudsma</b></sub>
        </a>
    </td>
-</tr>
-<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/y0ngb1n>
+            <img src=https://avatars.githubusercontent.com/u/25719408?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Yang Bin/>
+            <br />
+            <sub style="font-size:14px"><b>Yang Bin</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/zekker6>
            <img src=https://avatars.githubusercontent.com/u/1367798?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Zakhar Bessarab/>
@@ -420,9 +579,9 @@ make build
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/Bpazy>
-            <img src=https://avatars.githubusercontent.com/u/9838749?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ZiYuan/>
+            <img src=https://avatars.githubusercontent.com/u/9838749?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Ziyuan Han/>
            <br />
-            <sub style="font-size:14px"><b>ZiYuan</b></sub>
+            <sub style="font-size:14px"><b>Ziyuan Han</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -433,12 +592,14 @@ make build
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/e-zk>
-            <img src=https://avatars.githubusercontent.com/u/58356365?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=e-zk/>
+        <a href=https://github.com/nning>
+            <img src=https://avatars.githubusercontent.com/u/557430?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=henning mueller/>
            <br />
-            <sub style="font-size:14px"><b>e-zk</b></sub>
+            <sub style="font-size:14px"><b>henning mueller</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/ignoramous>
            <img src=https://avatars.githubusercontent.com/u/852289?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ignoramous/>
@@ -453,8 +614,6 @@ make build
            <sub style="font-size:14px"><b>lion24</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/pernila>
            <img src=https://avatars.githubusercontent.com/u/12460060?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=pernila/>
--- a/acls.go
+++ b/acls.go
@@ -2,6 +2,7 @@ package headscale

 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"os"
@@ -17,12 +18,12 @@ import (
 )

 const (
-	errEmptyPolicy        = Error("empty policy")
-	errInvalidAction      = Error("invalid action")
-	errInvalidUserSection = Error("invalid user section")
-	errInvalidGroup       = Error("invalid group")
-	errInvalidTag         = Error("invalid tag")
-	errInvalidPortFormat  = Error("invalid port format")
+	errEmptyPolicy       = Error("empty policy")
+	errInvalidAction     = Error("invalid action")
+	errInvalidGroup      = Error("invalid group")
+	errInvalidTag        = Error("invalid tag")
+	errInvalidPortFormat = Error("invalid port format")
+	errWildcardIsNeeded  = Error("wildcard as port is required for the protocol")
 )

 const (
@@ -36,6 +37,23 @@ const (
 	expectedTokenItems = 2
 )

+// For some reason golang.org/x/net/internal/iana is an internal package.
+const (
+	protocolICMP     = 1   // Internet Control Message
+	protocolIGMP     = 2   // Internet Group Management
+	protocolIPv4     = 4   // IPv4 encapsulation
+	protocolTCP      = 6   // Transmission Control
+	protocolEGP      = 8   // Exterior Gateway Protocol
+	protocolIGP      = 9   // any private interior gateway (used by Cisco for their IGRP)
+	protocolUDP      = 17  // User Datagram
+	protocolGRE      = 47  // Generic Routing Encapsulation
+	protocolESP      = 50  // Encap Security Payload
+	protocolAH       = 51  // Authentication Header
+	protocolIPv6ICMP = 58  // ICMP for IPv6
+	protocolSCTP     = 132 // Stream Control Transmission Protocol
+	ProtocolFC       = 133 // Fibre Channel
+)
+
 // LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules.
 func (h *Headscale) LoadACLPolicy(path string) error {
 	log.Debug().
@@ -123,23 +141,31 @@ func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
 		}

 		srcIPs := []string{}
-		for innerIndex, user := range acl.Users {
-			srcs, err := h.generateACLPolicySrcIP(machines, *h.aclPolicy, user)
+		for innerIndex, src := range acl.Sources {
+			srcs, err := h.generateACLPolicySrcIP(machines, *h.aclPolicy, src)
 			if err != nil {
 				log.Error().
-					Msgf("Error parsing ACL %d, User %d", index, innerIndex)
+					Msgf("Error parsing ACL %d, Source %d", index, innerIndex)

 				return nil, err
 			}
 			srcIPs = append(srcIPs, srcs...)
 		}

+		protocols, needsWildcard, err := parseProtocol(acl.Protocol)
+		if err != nil {
+			log.Error().
+				Msgf("Error parsing ACL %d. protocol unknown %s", index, acl.Protocol)
+
+			return nil, err
+		}
+
 		destPorts := []tailcfg.NetPortRange{}
-		for innerIndex, ports := range acl.Ports {
-			dests, err := h.generateACLPolicyDestPorts(machines, *h.aclPolicy, ports)
+		for innerIndex, dest := range acl.Destinations {
+			dests, err := h.generateACLPolicyDest(machines, *h.aclPolicy, dest, needsWildcard)
 			if err != nil {
 				log.Error().
-					Msgf("Error parsing ACL %d, Port %d", index, innerIndex)
+					Msgf("Error parsing ACL %d, Destination %d", index, innerIndex)

 				return nil, err
 			}
@@ -149,6 +175,7 @@ func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
 		rules = append(rules, tailcfg.FilterRule{
 			SrcIPs:   srcIPs,
 			DstPorts: destPorts,
+			IPProto:  protocols,
 		})
 	}

@@ -158,17 +185,18 @@ func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
 func (h *Headscale) generateACLPolicySrcIP(
 	machines []Machine,
 	aclPolicy ACLPolicy,
-	u string,
+	src string,
 ) ([]string, error) {
-	return expandAlias(machines, aclPolicy, u, h.cfg.OIDC.StripEmaildomain)
+	return expandAlias(machines, aclPolicy, src, h.cfg.OIDC.StripEmaildomain)
 }

-func (h *Headscale) generateACLPolicyDestPorts(
+func (h *Headscale) generateACLPolicyDest(
 	machines []Machine,
 	aclPolicy ACLPolicy,
-	d string,
+	dest string,
+	needsWildcard bool,
 ) ([]tailcfg.NetPortRange, error) {
-	tokens := strings.Split(d, ":")
+	tokens := strings.Split(dest, ":")
 	if len(tokens) < expectedTokenItems || len(tokens) > 3 {
 		return nil, errInvalidPortFormat
 	}
@@ -195,7 +223,7 @@ func (h *Headscale) generateACLPolicyDestPorts(
 	if err != nil {
 		return nil, err
 	}
-	ports, err := expandPorts(tokens[len(tokens)-1])
+	ports, err := expandPorts(tokens[len(tokens)-1], needsWildcard)
 	if err != nil {
 		return nil, err
 	}
@@ -214,6 +242,54 @@ func (h *Headscale) generateACLPolicyDestPorts(
 	return dests, nil
 }

+// parseProtocol reads the proto field of the ACL and generates a list of
+// protocols that will be allowed, following the IANA IP protocol number
+// https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+//
+// If the ACL proto field is empty, it allows ICMPv4, ICMPv6, TCP, and UDP,
+// as per Tailscale behaviour (see tailcfg.FilterRule).
+//
+// Also returns a boolean indicating if the protocol
+// requires all the destinations to use wildcard as port number (only TCP,
+// UDP and SCTP support specifying ports).
+func parseProtocol(protocol string) ([]int, bool, error) {
+	switch protocol {
+	case "":
+		return []int{protocolICMP, protocolIPv6ICMP, protocolTCP, protocolUDP}, false, nil
+	case "igmp":
+		return []int{protocolIGMP}, true, nil
+	case "ipv4", "ip-in-ip":
+		return []int{protocolIPv4}, true, nil
+	case "tcp":
+		return []int{protocolTCP}, false, nil
+	case "egp":
+		return []int{protocolEGP}, true, nil
+	case "igp":
+		return []int{protocolIGP}, true, nil
+	case "udp":
+		return []int{protocolUDP}, false, nil
+	case "gre":
+		return []int{protocolGRE}, true, nil
+	case "esp":
+		return []int{protocolESP}, true, nil
+	case "ah":
+		return []int{protocolAH}, true, nil
+	case "sctp":
+		return []int{protocolSCTP}, false, nil
+	case "icmp":
+		return []int{protocolICMP, protocolIPv6ICMP}, true, nil
+
+	default:
+		protocolNumber, err := strconv.Atoi(protocol)
+		if err != nil {
+			return nil, false, err
+		}
+		needsWildcard := protocolNumber != protocolTCP && protocolNumber != protocolUDP && protocolNumber != protocolSCTP
+
+		return []int{protocolNumber}, needsWildcard, nil
+	}
+}
+
 // expandalias has an input of either
 // - a namespace
 // - a group
@@ -230,6 +306,10 @@ func expandAlias(
 		return []string{"*"}, nil
 	}

+	log.Debug().
+		Str("alias", alias).
+		Msg("Expanding")
+
 	if strings.HasPrefix(alias, "group:") {
 		namespaces, err := expandGroup(aclPolicy, alias, stripEmailDomain)
 		if err != nil {
@@ -246,18 +326,38 @@ func expandAlias(
 	}

 	if strings.HasPrefix(alias, "tag:") {
+		// check for forced tags
+		for _, machine := range machines {
+			if contains(machine.ForcedTags, alias) {
+				ips = append(ips, machine.IPAddresses.ToStringSlice()...)
+			}
+		}
+
+		// find tag owners
 		owners, err := expandTagOwners(aclPolicy, alias, stripEmailDomain)
 		if err != nil {
-			return ips, err
+			if errors.Is(err, errInvalidTag) {
+				if len(ips) == 0 {
+					return ips, fmt.Errorf(
+						"%w. %v isn't owned by a TagOwner and no forced tags are defined",
+						errInvalidTag,
+						alias,
+					)
+				}
+
+				return ips, nil
+			} else {
+				return ips, err
+			}
 		}
+
+		// filter out machines per tag owner
 		for _, namespace := range owners {
 			machines := filterMachinesByNamespace(machines, namespace)
 			for _, machine := range machines {
 				hi := machine.GetHostInfo()
-				for _, t := range hi.RequestTags {
-					if alias == t {
-						ips = append(ips, machine.IPAddresses.ToStringSlice()...)
-					}
+				if contains(hi.RequestTags, alias) {
+					ips = append(ips, machine.IPAddresses.ToStringSlice()...)
 				}
 			}
 		}
@@ -293,7 +393,9 @@ func expandAlias(
 		return []string{cidr.String()}, nil
 	}

-	return ips, errInvalidUserSection
+	log.Warn().Msgf("No IPs found with the alias %v", alias)
+
+	return ips, nil
 }

 // excludeCorrectlyTaggedNodes will remove from the list of input nodes the ones
@@ -307,7 +409,7 @@ func excludeCorrectlyTaggedNodes(
 	out := []Machine{}
 	tags := []string{}
 	for tag, ns := range aclPolicy.TagOwners {
-		if containsString(ns, namespace) {
+		if contains(ns, namespace) {
 			tags = append(tags, tag)
 		}
 	}
@@ -317,12 +419,15 @@ func excludeCorrectlyTaggedNodes(

 		found := false
 		for _, t := range hi.RequestTags {
-			if containsString(tags, t) {
+			if contains(tags, t) {
 				found = true

 				break
 			}
 		}
+		if len(machine.ForcedTags) > 0 {
+			found = true
+		}
 		if !found {
 			out = append(out, machine)
 		}
@@ -331,13 +436,17 @@ func excludeCorrectlyTaggedNodes(
 	return out
 }

-func expandPorts(portsStr string) (*[]tailcfg.PortRange, error) {
+func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, error) {
 	if portsStr == "*" {
 		return &[]tailcfg.PortRange{
 			{First: portRangeBegin, Last: portRangeEnd},
 		}, nil
 	}

+	if needsWildcard {
+		return nil, errWildcardIsNeeded
+	}
+
 	ports := []tailcfg.PortRange{}
 	for _, portStr := range strings.Split(portsStr, ",") {
 		rang := strings.Split(portStr, "-")
@@ -439,7 +548,7 @@ func expandGroup(
 				errInvalidGroup,
 			)
 		}
-		grp, err := NormalizeNamespaceName(group, stripEmailDomain)
+		grp, err := NormalizeToFQDNRules(group, stripEmailDomain)
 		if err != nil {
 			return []string{}, fmt.Errorf(
 				"failed to normalize group %q, err: %w",
--- a/acls_test.go
+++ b/acls_test.go
@@ -62,7 +62,7 @@ func (s *Suite) TestBasicRule(c *check.C) {
 func (s *Suite) TestInvalidAction(c *check.C) {
 	app.aclPolicy = &ACLPolicy{
 		ACLs: []ACL{
-			{Action: "invalidAction", Users: []string{"*"}, Ports: []string{"*:*"}},
+			{Action: "invalidAction", Sources: []string{"*"}, Destinations: []string{"*:*"}},
 		},
 	}
 	err := app.UpdateACLRules()
@@ -70,14 +70,14 @@ func (s *Suite) TestInvalidAction(c *check.C) {
 }

 func (s *Suite) TestInvalidGroupInGroup(c *check.C) {
-	// this ACL is wrong because the group in users sections doesn't exist
+	// this ACL is wrong because the group in Sources sections doesn't exist
 	app.aclPolicy = &ACLPolicy{
 		Groups: Groups{
 			"group:test":  []string{"foo"},
 			"group:error": []string{"foo", "group:test"},
 		},
 		ACLs: []ACL{
-			{Action: "accept", Users: []string{"group:error"}, Ports: []string{"*:*"}},
+			{Action: "accept", Sources: []string{"group:error"}, Destinations: []string{"*:*"}},
 		},
 	}
 	err := app.UpdateACLRules()
@@ -88,7 +88,7 @@ func (s *Suite) TestInvalidTagOwners(c *check.C) {
 	// this ACL is wrong because no tagOwners own the requested tag for the server
 	app.aclPolicy = &ACLPolicy{
 		ACLs: []ACL{
-			{Action: "accept", Users: []string{"tag:foo"}, Ports: []string{"*:*"}},
+			{Action: "accept", Sources: []string{"tag:foo"}, Destinations: []string{"*:*"}},
 		},
 	}
 	err := app.UpdateACLRules()
@@ -97,8 +97,8 @@ func (s *Suite) TestInvalidTagOwners(c *check.C) {

 // this test should validate that we can expand a group in a TagOWner section and
 // match properly the IP's of the related hosts. The owner is valid and the tag is also valid.
-// the tag is matched in the Users section.
-func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {
+// the tag is matched in the Sources section.
+func (s *Suite) TestValidExpandTagOwnersInSources(c *check.C) {
 	namespace, err := app.CreateNamespace("user1")
 	c.Assert(err, check.IsNil)

@@ -118,7 +118,7 @@ func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "testmachine",
+		Hostname:       "testmachine",
 		IPAddresses:    MachineAddresses{netaddr.MustParseIP("100.64.0.1")},
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -131,7 +131,7 @@ func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {
 		Groups:    Groups{"group:test": []string{"user1", "user2"}},
 		TagOwners: TagOwners{"tag:test": []string{"user3", "group:test"}},
 		ACLs: []ACL{
-			{Action: "accept", Users: []string{"tag:test"}, Ports: []string{"*:*"}},
+			{Action: "accept", Sources: []string{"tag:test"}, Destinations: []string{"*:*"}},
 		},
 	}
 	err = app.UpdateACLRules()
@@ -143,8 +143,8 @@ func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {

 // this test should validate that we can expand a group in a TagOWner section and
 // match properly the IP's of the related hosts. The owner is valid and the tag is also valid.
-// the tag is matched in the Ports section.
-func (s *Suite) TestValidExpandTagOwnersInPorts(c *check.C) {
+// the tag is matched in the Destinations section.
+func (s *Suite) TestValidExpandTagOwnersInDestinations(c *check.C) {
 	namespace, err := app.CreateNamespace("user1")
 	c.Assert(err, check.IsNil)

@@ -164,7 +164,7 @@ func (s *Suite) TestValidExpandTagOwnersInPorts(c *check.C) {
 		MachineKey:     "12345",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "testmachine",
+		Hostname:       "testmachine",
 		IPAddresses:    MachineAddresses{netaddr.MustParseIP("100.64.0.1")},
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -177,7 +177,7 @@ func (s *Suite) TestValidExpandTagOwnersInPorts(c *check.C) {
 		Groups:    Groups{"group:test": []string{"user1", "user2"}},
 		TagOwners: TagOwners{"tag:test": []string{"user3", "group:test"}},
 		ACLs: []ACL{
-			{Action: "accept", Users: []string{"*"}, Ports: []string{"tag:test:*"}},
+			{Action: "accept", Sources: []string{"*"}, Destinations: []string{"tag:test:*"}},
 		},
 	}
 	err = app.UpdateACLRules()
@@ -210,7 +210,7 @@ func (s *Suite) TestInvalidTagValidNamespace(c *check.C) {
 		MachineKey:     "12345",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "testmachine",
+		Hostname:       "testmachine",
 		IPAddresses:    MachineAddresses{netaddr.MustParseIP("100.64.0.1")},
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -222,7 +222,7 @@ func (s *Suite) TestInvalidTagValidNamespace(c *check.C) {
 	app.aclPolicy = &ACLPolicy{
 		TagOwners: TagOwners{"tag:test": []string{"user1"}},
 		ACLs: []ACL{
-			{Action: "accept", Users: []string{"user1"}, Ports: []string{"*:*"}},
+			{Action: "accept", Sources: []string{"user1"}, Destinations: []string{"*:*"}},
 		},
 	}
 	err = app.UpdateACLRules()
@@ -255,7 +255,7 @@ func (s *Suite) TestValidTagInvalidNamespace(c *check.C) {
 		MachineKey:     "12345",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "webserver",
+		Hostname:       "webserver",
 		IPAddresses:    MachineAddresses{netaddr.MustParseIP("100.64.0.1")},
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -274,7 +274,7 @@ func (s *Suite) TestValidTagInvalidNamespace(c *check.C) {
 		MachineKey:     "56789",
 		NodeKey:        "bar2",
 		DiscoKey:       "faab",
-		Name:           "user",
+		Hostname:       "user",
 		IPAddresses:    MachineAddresses{netaddr.MustParseIP("100.64.0.2")},
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -287,9 +287,9 @@ func (s *Suite) TestValidTagInvalidNamespace(c *check.C) {
 		TagOwners: TagOwners{"tag:webapp": []string{"user1"}},
 		ACLs: []ACL{
 			{
-				Action: "accept",
-				Users:  []string{"user1"},
-				Ports:  []string{"tag:webapp:80,443"},
+				Action:       "accept",
+				Sources:      []string{"user1"},
+				Destinations: []string{"tag:webapp:80,443"},
 			},
 		},
 	}
@@ -321,6 +321,20 @@ func (s *Suite) TestPortRange(c *check.C) {
 	c.Assert(rules[0].DstPorts[0].Ports.Last, check.Equals, uint16(5500))
 }

+func (s *Suite) TestProtocolParsing(c *check.C) {
+	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_protocols.hujson")
+	c.Assert(err, check.IsNil)
+
+	rules, err := app.generateACLRules()
+	c.Assert(err, check.IsNil)
+	c.Assert(rules, check.NotNil)
+
+	c.Assert(rules, check.HasLen, 3)
+	c.Assert(rules[0].IPProto[0], check.Equals, protocolTCP)
+	c.Assert(rules[1].IPProto[0], check.Equals, protocolUDP)
+	c.Assert(rules[2].IPProto[1], check.Equals, protocolIPv6ICMP)
+}
+
 func (s *Suite) TestPortWildcard(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_wildcards.hujson")
 	c.Assert(err, check.IsNil)
@@ -368,7 +382,7 @@ func (s *Suite) TestPortNamespace(c *check.C) {
 		MachineKey:     "12345",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "testmachine",
+		Hostname:       "testmachine",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		IPAddresses:    ips,
@@ -410,7 +424,7 @@ func (s *Suite) TestPortGroup(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "testmachine",
+		Hostname:       "testmachine",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		IPAddresses:    ips,
@@ -628,7 +642,8 @@ func Test_expandTagOwners(t *testing.T) {

 func Test_expandPorts(t *testing.T) {
 	type args struct {
-		portsStr string
+		portsStr      string
+		needsWildcard bool
 	}
 	tests := []struct {
 		name    string
@@ -638,15 +653,29 @@ func Test_expandPorts(t *testing.T) {
 	}{
 		{
 			name: "wildcard",
-			args: args{portsStr: "*"},
+			args: args{portsStr: "*", needsWildcard: true},
 			want: &[]tailcfg.PortRange{
 				{First: portRangeBegin, Last: portRangeEnd},
 			},
 			wantErr: false,
 		},
 		{
-			name: "two ports",
-			args: args{portsStr: "80,443"},
+			name: "needs wildcard but does not require it",
+			args: args{portsStr: "*", needsWildcard: false},
+			want: &[]tailcfg.PortRange{
+				{First: portRangeBegin, Last: portRangeEnd},
+			},
+			wantErr: false,
+		},
+		{
+			name:    "needs wildcard but gets port",
+			args:    args{portsStr: "80,443", needsWildcard: true},
+			want:    nil,
+			wantErr: true,
+		},
+		{
+			name: "two Destinations",
+			args: args{portsStr: "80,443", needsWildcard: false},
 			want: &[]tailcfg.PortRange{
 				{First: 80, Last: 80},
 				{First: 443, Last: 443},
@@ -655,7 +684,7 @@ func Test_expandPorts(t *testing.T) {
 		},
 		{
 			name: "a range and a port",
-			args: args{portsStr: "80-1024,443"},
+			args: args{portsStr: "80-1024,443", needsWildcard: false},
 			want: &[]tailcfg.PortRange{
 				{First: 80, Last: 1024},
 				{First: 443, Last: 443},
@@ -664,38 +693,38 @@ func Test_expandPorts(t *testing.T) {
 		},
 		{
 			name:    "out of bounds",
-			args:    args{portsStr: "854038"},
+			args:    args{portsStr: "854038", needsWildcard: false},
 			want:    nil,
 			wantErr: true,
 		},
 		{
 			name:    "wrong port",
-			args:    args{portsStr: "85a38"},
+			args:    args{portsStr: "85a38", needsWildcard: false},
 			want:    nil,
 			wantErr: true,
 		},
 		{
 			name:    "wrong port in first",
-			args:    args{portsStr: "a-80"},
+			args:    args{portsStr: "a-80", needsWildcard: false},
 			want:    nil,
 			wantErr: true,
 		},
 		{
 			name:    "wrong port in last",
-			args:    args{portsStr: "80-85a38"},
+			args:    args{portsStr: "80-85a38", needsWildcard: false},
 			want:    nil,
 			wantErr: true,
 		},
 		{
 			name:    "wrong port format",
-			args:    args{portsStr: "80-85a38-3"},
+			args:    args{portsStr: "80-85a38-3", needsWildcard: false},
 			want:    nil,
 			wantErr: true,
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			got, err := expandPorts(test.args.portsStr)
+			got, err := expandPorts(test.args.portsStr, test.args.needsWildcard)
 			if (err != nil) != test.wantErr {
 				t.Errorf("expandPorts() error = %v, wantErr %v", err, test.wantErr)

@@ -1017,6 +1046,90 @@ func Test_expandAlias(t *testing.T) {
 			want:    []string{},
 			wantErr: true,
 		},
+		{
+			name: "Forced tag defined",
+			args: args{
+				alias: "tag:hr-webserver",
+				machines: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace:  Namespace{Name: "joe"},
+						ForcedTags: []string{"tag:hr-webserver"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace:  Namespace{Name: "joe"},
+						ForcedTags: []string{"tag:hr-webserver"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.3"),
+						},
+						Namespace: Namespace{Name: "marc"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.4"),
+						},
+						Namespace: Namespace{Name: "mickael"},
+					},
+				},
+				aclPolicy:        ACLPolicy{},
+				stripEmailDomain: true,
+			},
+			want:    []string{"100.64.0.1", "100.64.0.2"},
+			wantErr: false,
+		},
+		{
+			name: "Forced tag with legitimate tagOwner",
+			args: args{
+				alias: "tag:hr-webserver",
+				machines: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace:  Namespace{Name: "joe"},
+						ForcedTags: []string{"tag:hr-webserver"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: HostInfo{
+							OS:          "centos",
+							Hostname:    "foo",
+							RequestTags: []string{"tag:hr-webserver"},
+						},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.3"),
+						},
+						Namespace: Namespace{Name: "marc"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.4"),
+						},
+						Namespace: Namespace{Name: "mickael"},
+					},
+				},
+				aclPolicy: ACLPolicy{
+					TagOwners: TagOwners{
+						"tag:hr-webserver": []string{"joe"},
+					},
+				},
+				stripEmailDomain: true,
+			},
+			want:    []string{"100.64.0.1", "100.64.0.2"},
+			wantErr: false,
+		},
 		{
 			name: "list host in namespace without correctly tagged servers",
 			args: args{
@@ -1143,6 +1256,47 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "exclude nodes with valid tags and with forced tags",
+			args: args{
+				aclPolicy: ACLPolicy{
+					TagOwners: TagOwners{"tag:accountant-webserver": []string{"joe"}},
+				},
+				nodes: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.1"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: HostInfo{
+							OS:          "centos",
+							Hostname:    "foo",
+							RequestTags: []string{"tag:accountant-webserver"},
+						},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.2"),
+						},
+						Namespace:  Namespace{Name: "joe"},
+						ForcedTags: []string{"tag:accountant-webserver"},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netaddr.MustParseIP("100.64.0.4"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+				},
+				namespace: "joe",
+			},
+			want: []Machine{
+				{
+					IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.4")},
+					Namespace:   Namespace{Name: "joe"},
+				},
+			},
+		},
 		{
 			name: "all nodes have invalid tags, don't exclude them",
 			args: args{
--- a/acls_types.go
+++ b/acls_types.go
@@ -11,18 +11,19 @@ import (

 // ACLPolicy represents a Tailscale ACL Policy.
 type ACLPolicy struct {
-	Groups    Groups    `json:"Groups"    yaml:"Groups"`
-	Hosts     Hosts     `json:"Hosts"     yaml:"Hosts"`
-	TagOwners TagOwners `json:"TagOwners" yaml:"TagOwners"`
-	ACLs      []ACL     `json:"ACLs"      yaml:"ACLs"`
-	Tests     []ACLTest `json:"Tests"     yaml:"Tests"`
+	Groups    Groups    `json:"groups"    yaml:"groups"`
+	Hosts     Hosts     `json:"hosts"     yaml:"hosts"`
+	TagOwners TagOwners `json:"tagOwners" yaml:"tagOwners"`
+	ACLs      []ACL     `json:"acls"      yaml:"acls"`
+	Tests     []ACLTest `json:"tests"     yaml:"tests"`
 }

 // ACL is a basic rule for the ACL Policy.
 type ACL struct {
-	Action string   `json:"Action" yaml:"Action"`
-	Users  []string `json:"Users"  yaml:"Users"`
-	Ports  []string `json:"Ports"  yaml:"Ports"`
+	Action       string   `json:"action" yaml:"action"`
+	Protocol     string   `json:"proto" yaml:"proto"`
+	Sources      []string `json:"src"  yaml:"src"`
+	Destinations []string `json:"dst"  yaml:"dst"`
 }

 // Groups references a series of alias in the ACL rules.
@@ -36,9 +37,9 @@ type TagOwners map[string][]string

 // ACLTest is not implemented, but should be use to check if a certain rule is allowed.
 type ACLTest struct {
-	User  string   `json:"User"           yaml:"User"`
-	Allow []string `json:"Allow"          yaml:"Allow"`
-	Deny  []string `json:"Deny,omitempty" yaml:"Deny,omitempty"`
+	Source string   `json:"src"           yaml:"src"`
+	Accept []string `json:"accept"          yaml:"accept"`
+	Deny   []string `json:"deny,omitempty" yaml:"deny,omitempty"`
 }

 // UnmarshalJSON allows to parse the Hosts directly into netaddr objects.
--- a/api.go
+++ b/api.go
@@ -12,7 +12,7 @@ import (
 	"strings"
 	"time"

-	"github.com/gin-gonic/gin"
+	"github.com/gorilla/mux"
 	"github.com/klauspost/compress/zstd"
 	"github.com/rs/zerolog/log"
 	"gorm.io/gorm"
@@ -30,14 +30,59 @@ const (
 	)
 )

+func (h *Headscale) HealthHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	respond := func(err error) {
+		writer.Header().Set("Content-Type", "application/health+json; charset=utf-8")
+
+		res := struct {
+			Status string `json:"status"`
+		}{
+			Status: "pass",
+		}
+
+		if err != nil {
+			writer.WriteHeader(http.StatusInternalServerError)
+			log.Error().Caller().Err(err).Msg("health check failed")
+			res.Status = "fail"
+		}
+
+		buf, err := json.Marshal(res)
+		if err != nil {
+			log.Error().Caller().Err(err).Msg("marshal failed")
+		}
+		_, err = writer.Write(buf)
+		if err != nil {
+			log.Error().Caller().Err(err).Msg("write failed")
+		}
+	}
+
+	if err := h.pingDB(); err != nil {
+		respond(err)
+
+		return
+	}
+
+	respond(nil)
+}
+
 // KeyHandler provides the Headscale pub key
 // Listens in /key.
-func (h *Headscale) KeyHandler(ctx *gin.Context) {
-	ctx.Data(
-		http.StatusOK,
-		"text/plain; charset=utf-8",
-		[]byte(MachinePublicKeyStripPrefix(h.privateKey.Public())),
-	)
+func (h *Headscale) KeyHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err := writer.Write([]byte(MachinePublicKeyStripPrefix(h.privateKey.Public())))
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
 }

 type registerWebAPITemplateConfig struct {
@@ -45,29 +90,39 @@ type registerWebAPITemplateConfig struct {
 }

 var registerWebAPITemplate = template.Must(
-	template.New("registerweb").Parse(`<html>
+	template.New("registerweb").Parse(`
+<html>
+	<head>
+		<title>Registration - Headscale</title>
+	</head>
 	<body>
-	<h1>headscale</h1>
-	<p>
-		Run the command below in the headscale server to add this machine to your network:
-	</p>
-
-	<p>
-		<code>
-			<b>headscale -n NAMESPACE nodes register --key {{.Key}}</b>
-		</code>
-	</p>
-
+		<h1>headscale</h1>
+		<h2>Machine registration</h2>
+		<p>
+			Run the command below in the headscale server to add this machine to your network:
+		</p>
+		<pre><code>headscale -n NAMESPACE nodes register --key {{.Key}}</code></pre>
 	</body>
-	</html>`),
-)
+</html>
+`))

 // RegisterWebAPI shows a simple message in the browser to point to the CLI
 // Listens in /register.
-func (h *Headscale) RegisterWebAPI(ctx *gin.Context) {
-	machineKeyStr := ctx.Query("key")
+func (h *Headscale) RegisterWebAPI(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	machineKeyStr := req.URL.Query().Get("key")
 	if machineKeyStr == "" {
-		ctx.String(http.StatusBadRequest, "Wrong params")
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("Wrong params"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}
@@ -80,21 +135,48 @@ func (h *Headscale) RegisterWebAPI(ctx *gin.Context) {
 			Str("func", "RegisterWebAPI").
 			Err(err).
 			Msg("Could not render register web API template")
-		ctx.Data(
-			http.StatusInternalServerError,
-			"text/html; charset=utf-8",
-			[]byte("Could not render register web API template"),
-		)
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err = writer.Write([]byte("Could not render register web API template"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
 	}

-	ctx.Data(http.StatusOK, "text/html; charset=utf-8", content.Bytes())
+	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err := writer.Write(content.Bytes())
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
 }

 // RegistrationHandler handles the actual registration process of a machine
-// Endpoint /machine/:id.
-func (h *Headscale) RegistrationHandler(ctx *gin.Context) {
-	body, _ := io.ReadAll(ctx.Request.Body)
-	machineKeyStr := ctx.Param("id")
+// Endpoint /machine/:mkey.
+func (h *Headscale) RegistrationHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	vars := mux.Vars(req)
+	machineKeyStr, ok := vars["mkey"]
+	if !ok || machineKeyStr == "" {
+		log.Error().
+			Str("handler", "RegistrationHandler").
+			Msg("No machine ID in request")
+		http.Error(writer, "No machine ID in request", http.StatusBadRequest)
+
+		return
+	}
+
+	body, _ := io.ReadAll(req.Body)

 	var machineKey key.MachinePublic
 	err := machineKey.UnmarshalText([]byte(MachinePublicKeyEnsurePrefix(machineKeyStr)))
@@ -104,19 +186,19 @@ func (h *Headscale) RegistrationHandler(ctx *gin.Context) {
 			Err(err).
 			Msg("Cannot parse machine key")
 		machineRegistrations.WithLabelValues("unknown", "web", "error", "unknown").Inc()
-		ctx.String(http.StatusInternalServerError, "Sad!")
+		http.Error(writer, "Cannot parse machine key", http.StatusBadRequest)

 		return
 	}
-	req := tailcfg.RegisterRequest{}
-	err = decode(body, &req, &machineKey, h.privateKey)
+	registerRequest := tailcfg.RegisterRequest{}
+	err = decode(body, &registerRequest, &machineKey, h.privateKey)
 	if err != nil {
 		log.Error().
 			Caller().
 			Err(err).
 			Msg("Cannot decode message")
 		machineRegistrations.WithLabelValues("unknown", "web", "error", "unknown").Inc()
-		ctx.String(http.StatusInternalServerError, "Very sad!")
+		http.Error(writer, "Cannot decode message", http.StatusBadRequest)

 		return
 	}
@@ -124,13 +206,24 @@ func (h *Headscale) RegistrationHandler(ctx *gin.Context) {
 	now := time.Now().UTC()
 	machine, err := h.GetMachineByMachineKey(machineKey)
 	if errors.Is(err, gorm.ErrRecordNotFound) {
-		log.Info().Str("machine", req.Hostinfo.Hostname).Msg("New machine")
+		log.Info().Str("machine", registerRequest.Hostinfo.Hostname).Msg("New machine")

 		machineKeyStr := MachinePublicKeyStripPrefix(machineKey)

 		// If the machine has AuthKey set, handle registration via PreAuthKeys
-		if req.Auth.AuthKey != "" {
-			h.handleAuthKey(ctx, machineKey, req)
+		if registerRequest.Auth.AuthKey != "" {
+			h.handleAuthKey(writer, req, machineKey, registerRequest)
+
+			return
+		}
+
+		givenName, err := h.GenerateGivenName(registerRequest.Hostinfo.Hostname)
+		if err != nil {
+			log.Error().
+				Caller().
+				Str("func", "RegistrationHandler").
+				Str("hostinfo.name", registerRequest.Hostinfo.Hostname).
+				Err(err)

 			return
 		}
@@ -141,19 +234,20 @@ func (h *Headscale) RegistrationHandler(ctx *gin.Context) {
 		// happens
 		newMachine := Machine{
 			MachineKey: machineKeyStr,
-			Name:       req.Hostinfo.Hostname,
-			NodeKey:    NodePublicKeyStripPrefix(req.NodeKey),
+			Hostname:   registerRequest.Hostinfo.Hostname,
+			GivenName:  givenName,
+			NodeKey:    NodePublicKeyStripPrefix(registerRequest.NodeKey),
 			LastSeen:   &now,
 			Expiry:     &time.Time{},
 		}

-		if !req.Expiry.IsZero() {
+		if !registerRequest.Expiry.IsZero() {
 			log.Trace().
 				Caller().
-				Str("machine", req.Hostinfo.Hostname).
-				Time("expiry", req.Expiry).
+				Str("machine", registerRequest.Hostinfo.Hostname).
+				Time("expiry", registerRequest.Expiry).
 				Msg("Non-zero expiry time requested")
-			newMachine.Expiry = &req.Expiry
+			newMachine.Expiry = &registerRequest.Expiry
 		}

 		h.registrationCache.Set(
@@ -162,7 +256,7 @@ func (h *Headscale) RegistrationHandler(ctx *gin.Context) {
 			registerCacheExpiration,
 		)

-		h.handleMachineRegistrationNew(ctx, machineKey, req)
+		h.handleMachineRegistrationNew(writer, req, machineKey, registerRequest)

 		return
 	}
@@ -174,11 +268,11 @@ func (h *Headscale) RegistrationHandler(ctx *gin.Context) {
 		// - Trying to log out (sending a expiry in the past)
 		// - A valid, registered machine, looking for the node map
 		// - Expired machine wanting to reauthenticate
-		if machine.NodeKey == NodePublicKeyStripPrefix(req.NodeKey) {
+		if machine.NodeKey == NodePublicKeyStripPrefix(registerRequest.NodeKey) {
 			// The client sends an Expiry in the past if the client is requesting to expire the key (aka logout)
 			//   https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L648
-			if !req.Expiry.IsZero() && req.Expiry.UTC().Before(now) {
-				h.handleMachineLogOut(ctx, machineKey, *machine)
+			if !registerRequest.Expiry.IsZero() && registerRequest.Expiry.UTC().Before(now) {
+				h.handleMachineLogOut(writer, req, machineKey, *machine)

 				return
 			}
@@ -186,22 +280,22 @@ func (h *Headscale) RegistrationHandler(ctx *gin.Context) {
 			// If machine is not expired, and is register, we have a already accepted this machine,
 			// let it proceed with a valid registration
 			if !machine.isExpired() {
-				h.handleMachineValidRegistration(ctx, machineKey, *machine)
+				h.handleMachineValidRegistration(writer, req, machineKey, *machine)

 				return
 			}
 		}

 		// The NodeKey we have matches OldNodeKey, which means this is a refresh after a key expiration
-		if machine.NodeKey == NodePublicKeyStripPrefix(req.OldNodeKey) &&
+		if machine.NodeKey == NodePublicKeyStripPrefix(registerRequest.OldNodeKey) &&
 			!machine.isExpired() {
-			h.handleMachineRefreshKey(ctx, machineKey, req, *machine)
+			h.handleMachineRefreshKey(writer, req, machineKey, registerRequest, *machine)

 			return
 		}

 		// The machine has expired
-		h.handleMachineExpired(ctx, machineKey, req, *machine)
+		h.handleMachineExpired(writer, req, machineKey, registerRequest, *machine)

 		return
 	}
@@ -209,12 +303,12 @@ func (h *Headscale) RegistrationHandler(ctx *gin.Context) {

 func (h *Headscale) getMapResponse(
 	machineKey key.MachinePublic,
-	req tailcfg.MapRequest,
+	mapRequest tailcfg.MapRequest,
 	machine *Machine,
 ) ([]byte, error) {
 	log.Trace().
 		Str("func", "getMapResponse").
-		Str("machine", req.Hostinfo.Hostname).
+		Str("machine", mapRequest.Hostinfo.Hostname).
 		Msg("Creating Map response")
 	node, err := machine.toNode(h.cfg.BaseDomain, h.cfg.DNSConfig, true)
 	if err != nil {
@@ -267,16 +361,20 @@ func (h *Headscale) getMapResponse(
 		PacketFilter: h.aclRules,
 		DERPMap:      h.DERPMap,
 		UserProfiles: profiles,
+		Debug: &tailcfg.Debug{
+			DisableLogTail:      !h.cfg.LogTail.Enabled,
+			RandomizeClientPort: h.cfg.RandomizeClientPort,
+		},
 	}

 	log.Trace().
 		Str("func", "getMapResponse").
-		Str("machine", req.Hostinfo.Hostname).
+		Str("machine", mapRequest.Hostinfo.Hostname).
 		// Interface("payload", resp).
 		Msgf("Generated map response: %s", tailMapResponseToString(resp))

 	var respBody []byte
-	if req.Compress == "zstd" {
+	if mapRequest.Compress == "zstd" {
 		src, err := json.Marshal(resp)
 		if err != nil {
 			log.Error().
@@ -342,17 +440,28 @@ func (h *Headscale) getMapKeepAliveResponse(
 }

 func (h *Headscale) handleMachineLogOut(
-	ctx *gin.Context,
+	writer http.ResponseWriter,
+	req *http.Request,
 	machineKey key.MachinePublic,
 	machine Machine,
 ) {
 	resp := tailcfg.RegisterResponse{}

 	log.Info().
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Msg("Client requested logout")

-	h.ExpireMachine(&machine)
+	err := h.ExpireMachine(&machine)
+	if err != nil {
+		log.Error().
+			Caller().
+			Str("func", "handleMachineLogOut").
+			Err(err).
+			Msg("Failed to expire machine")
+		http.Error(writer, "Internal server error", http.StatusInternalServerError)
+
+		return
+	}

 	resp.AuthURL = ""
 	resp.MachineAuthorized = false
@@ -363,15 +472,25 @@ func (h *Headscale) handleMachineLogOut(
 			Caller().
 			Err(err).
 			Msg("Cannot encode message")
-		ctx.String(http.StatusInternalServerError, "")
+		http.Error(writer, "Internal server error", http.StatusInternalServerError)

 		return
 	}
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
+
+	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err = writer.Write(respBody)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
 }

 func (h *Headscale) handleMachineValidRegistration(
-	ctx *gin.Context,
+	writer http.ResponseWriter,
+	req *http.Request,
 	machineKey key.MachinePublic,
 	machine Machine,
 ) {
@@ -379,7 +498,7 @@ func (h *Headscale) handleMachineValidRegistration(

 	// The machine registration is valid, respond with redirect to /map
 	log.Debug().
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Msg("Client is registered and we have the current NodeKey. All clear to /map")

 	resp.AuthURL = ""
@@ -395,17 +514,27 @@ func (h *Headscale) handleMachineValidRegistration(
 			Msg("Cannot encode message")
 		machineRegistrations.WithLabelValues("update", "web", "error", machine.Namespace.Name).
 			Inc()
-		ctx.String(http.StatusInternalServerError, "")
+		http.Error(writer, "Internal server error", http.StatusInternalServerError)

 		return
 	}
 	machineRegistrations.WithLabelValues("update", "web", "success", machine.Namespace.Name).
 		Inc()
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
+
+	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err = writer.Write(respBody)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
 }

 func (h *Headscale) handleMachineExpired(
-	ctx *gin.Context,
+	writer http.ResponseWriter,
+	req *http.Request,
 	machineKey key.MachinePublic,
 	registerRequest tailcfg.RegisterRequest,
 	machine Machine,
@@ -414,11 +543,11 @@ func (h *Headscale) handleMachineExpired(

 	// The client has registered before, but has expired
 	log.Debug().
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Msg("Machine registration has expired. Sending a authurl to register")

 	if registerRequest.Auth.AuthKey != "" {
-		h.handleAuthKey(ctx, machineKey, registerRequest)
+		h.handleAuthKey(writer, req, machineKey, registerRequest)

 		return
 	}
@@ -439,17 +568,27 @@ func (h *Headscale) handleMachineExpired(
 			Msg("Cannot encode message")
 		machineRegistrations.WithLabelValues("reauth", "web", "error", machine.Namespace.Name).
 			Inc()
-		ctx.String(http.StatusInternalServerError, "")
+		http.Error(writer, "Internal server error", http.StatusInternalServerError)

 		return
 	}
 	machineRegistrations.WithLabelValues("reauth", "web", "success", machine.Namespace.Name).
 		Inc()
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
+
+	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err = writer.Write(respBody)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
 }

 func (h *Headscale) handleMachineRefreshKey(
-	ctx *gin.Context,
+	writer http.ResponseWriter,
+	req *http.Request,
 	machineKey key.MachinePublic,
 	registerRequest tailcfg.RegisterRequest,
 	machine Machine,
@@ -457,10 +596,19 @@ func (h *Headscale) handleMachineRefreshKey(
 	resp := tailcfg.RegisterResponse{}

 	log.Debug().
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Msg("We have the OldNodeKey in the database. This is a key refresh")
 	machine.NodeKey = NodePublicKeyStripPrefix(registerRequest.NodeKey)
-	h.db.Save(&machine)
+
+	if err := h.db.Save(&machine).Error; err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to update machine key in the database")
+		http.Error(writer, "Internal server error", http.StatusInternalServerError)
+
+		return
+	}

 	resp.AuthURL = ""
 	resp.User = *machine.Namespace.toUser()
@@ -470,15 +618,25 @@ func (h *Headscale) handleMachineRefreshKey(
 			Caller().
 			Err(err).
 			Msg("Cannot encode message")
-		ctx.String(http.StatusInternalServerError, "Extremely sad!")
+		http.Error(writer, "Internal server error", http.StatusInternalServerError)

 		return
 	}
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
+
+	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err = writer.Write(respBody)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
 }

 func (h *Headscale) handleMachineRegistrationNew(
-	ctx *gin.Context,
+	writer http.ResponseWriter,
+	req *http.Request,
 	machineKey key.MachinePublic,
 	registerRequest tailcfg.RegisterRequest,
 ) {
@@ -505,16 +663,26 @@ func (h *Headscale) handleMachineRegistrationNew(
 			Caller().
 			Err(err).
 			Msg("Cannot encode message")
-		ctx.String(http.StatusInternalServerError, "")
+		http.Error(writer, "Internal server error", http.StatusInternalServerError)

 		return
 	}
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
+
+	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err = writer.Write(respBody)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
 }

 // TODO: check if any locks are needed around IP allocation.
 func (h *Headscale) handleAuthKey(
-	ctx *gin.Context,
+	writer http.ResponseWriter,
+	req *http.Request,
 	machineKey key.MachinePublic,
 	registerRequest tailcfg.RegisterRequest,
 ) {
@@ -543,21 +711,35 @@ func (h *Headscale) handleAuthKey(
 				Str("machine", registerRequest.Hostinfo.Hostname).
 				Err(err).
 				Msg("Cannot encode message")
-			ctx.String(http.StatusInternalServerError, "")
+			http.Error(writer, "Internal server error", http.StatusInternalServerError)
 			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
 				Inc()

 			return
 		}

-		ctx.Data(http.StatusUnauthorized, "application/json; charset=utf-8", respBody)
+		writer.Header().Set("Content-Type", "application/json; charset=utf-8")
+		writer.WriteHeader(http.StatusUnauthorized)
+		_, err = writer.Write(respBody)
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
 		log.Error().
 			Caller().
 			Str("func", "handleAuthKey").
 			Str("machine", registerRequest.Hostinfo.Hostname).
 			Msg("Failed authentication via AuthKey")
-		machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
-			Inc()
+
+		if pak != nil {
+			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
+				Inc()
+		} else {
+			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", "unknown").Inc()
+		}

 		return
 	}
@@ -568,39 +750,85 @@ func (h *Headscale) handleAuthKey(
 		Msg("Authentication key was valid, proceeding to acquire IP addresses")

 	nodeKey := NodePublicKeyStripPrefix(registerRequest.NodeKey)
-	now := time.Now().UTC()

-	machineToRegister := Machine{
-		Name:           registerRequest.Hostinfo.Hostname,
-		NamespaceID:    pak.Namespace.ID,
-		MachineKey:     machineKeyStr,
-		RegisterMethod: RegisterMethodAuthKey,
-		Expiry:         &registerRequest.Expiry,
-		NodeKey:        nodeKey,
-		LastSeen:       &now,
-		AuthKeyID:      uint(pak.ID),
+	// retrieve machine information if it exist
+	// The error is not important, because if it does not
+	// exist, then this is a new machine and we will move
+	// on to registration.
+	machine, _ := h.GetMachineByMachineKey(machineKey)
+	if machine != nil {
+		log.Trace().
+			Caller().
+			Str("machine", machine.Hostname).
+			Msg("machine already registered, refreshing with new auth key")
+
+		machine.NodeKey = nodeKey
+		machine.AuthKeyID = uint(pak.ID)
+		err := h.RefreshMachine(machine, registerRequest.Expiry)
+		if err != nil {
+			log.Error().
+				Caller().
+				Str("machine", machine.Hostname).
+				Err(err).
+				Msg("Failed to refresh machine")
+
+			return
+		}
+	} else {
+		now := time.Now().UTC()
+
+		givenName, err := h.GenerateGivenName(registerRequest.Hostinfo.Hostname)
+		if err != nil {
+			log.Error().
+				Caller().
+				Str("func", "RegistrationHandler").
+				Str("hostinfo.name", registerRequest.Hostinfo.Hostname).
+				Err(err)
+
+			return
+		}
+
+		machineToRegister := Machine{
+			Hostname:       registerRequest.Hostinfo.Hostname,
+			GivenName:      givenName,
+			NamespaceID:    pak.Namespace.ID,
+			MachineKey:     machineKeyStr,
+			RegisterMethod: RegisterMethodAuthKey,
+			Expiry:         &registerRequest.Expiry,
+			NodeKey:        nodeKey,
+			LastSeen:       &now,
+			AuthKeyID:      uint(pak.ID),
+		}
+
+		machine, err = h.RegisterMachine(
+			machineToRegister,
+		)
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("could not register machine")
+			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
+				Inc()
+			http.Error(writer, "Internal server error", http.StatusInternalServerError)
+
+			return
+		}
 	}

-	machine, err := h.RegisterMachine(
-		machineToRegister,
-	)
+	err = h.UsePreAuthKey(pak)
 	if err != nil {
 		log.Error().
 			Caller().
 			Err(err).
-			Msg("could not register machine")
+			Msg("Failed to use pre-auth key")
 		machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
 			Inc()
-		ctx.String(
-			http.StatusInternalServerError,
-			"could not register machine",
-		)
+		http.Error(writer, "Internal server error", http.StatusInternalServerError)

 		return
 	}

-	h.UsePreAuthKey(pak)
-
 	resp.MachineAuthorized = true
 	resp.User = *pak.Namespace.toUser()
 	respBody, err := encode(resp, &machineKey, h.privateKey)
@@ -613,13 +841,22 @@ func (h *Headscale) handleAuthKey(
 			Msg("Cannot encode message")
 		machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
 			Inc()
-		ctx.String(http.StatusInternalServerError, "Extremely sad!")
+		http.Error(writer, "Internal server error", http.StatusInternalServerError)

 		return
 	}
 	machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "success", pak.Namespace.Name).
 		Inc()
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
+	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err = writer.Write(respBody)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
+
 	log.Info().
 		Str("func", "handleAuthKey").
 		Str("machine", registerRequest.Hostinfo.Hostname).
--- a/api_key.go
+++ b/api_key.go
@@ -13,7 +13,6 @@ import (
 const (
 	apiPrefixLength = 7
 	apiKeyLength    = 32
-	apiKeyParts     = 2

 	errAPIKeyFailedToParse = Error("Failed to parse ApiKey")
 )
@@ -57,7 +56,10 @@ func (h *Headscale) CreateAPIKey(
 		Hash:       hash,
 		Expiration: expiration,
 	}
-	h.db.Save(&key)
+
+	if err := h.db.Save(&key).Error; err != nil {
+		return "", nil, fmt.Errorf("failed to save API key to database: %w", err)
+	}

 	return keyStr, &key, nil
 }
@@ -112,9 +114,9 @@ func (h *Headscale) ExpireAPIKey(key *APIKey) error {
 }

 func (h *Headscale) ValidateAPIKey(keyStr string) (bool, error) {
-	prefix, hash, err := splitAPIKey(keyStr)
-	if err != nil {
-		return false, fmt.Errorf("failed to validate api key: %w", err)
+	prefix, hash, found := strings.Cut(keyStr, ".")
+	if !found {
+		return false, errAPIKeyFailedToParse
 	}

 	key, err := h.GetAPIKey(prefix)
@@ -133,15 +135,6 @@ func (h *Headscale) ValidateAPIKey(keyStr string) (bool, error) {
 	return true, nil
 }

-func splitAPIKey(key string) (string, string, error) {
-	parts := strings.Split(key, ".")
-	if len(parts) != apiKeyParts {
-		return "", "", errAPIKeyFailedToParse
-	}
-
-	return parts[0], parts[1], nil
-}
-
 func (key *APIKey) toProto() *v1.ApiKey {
 	protoKey := v1.ApiKey{
 		Id:     key.ID,
--- a/app.go
+++ b/app.go
@@ -6,10 +6,8 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"io/fs"
 	"net"
 	"net/http"
-	"net/url"
 	"os"
 	"os/signal"
 	"sort"
@@ -19,15 +17,16 @@ import (
 	"time"

 	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/gin-gonic/gin"
+	"github.com/gorilla/mux"
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/patrickmn/go-cache"
 	zerolog "github.com/philip-bui/grpc-zerolog"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"github.com/puzpuzpuz/xsync"
 	zl "github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
-	ginprometheus "github.com/zsais/go-gin-prometheus"
 	"golang.org/x/crypto/acme"
 	"golang.org/x/crypto/acme/autocert"
 	"golang.org/x/oauth2"
@@ -41,112 +40,52 @@ import (
 	"google.golang.org/grpc/reflection"
 	"google.golang.org/grpc/status"
 	"gorm.io/gorm"
-	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/key"
 )

 const (
-	AuthPrefix         = "Bearer "
-	Postgres           = "postgres"
-	Sqlite             = "sqlite3"
-	updateInterval     = 5000
-	HTTPReadTimeout    = 30 * time.Second
-	privateKeyFileMode = 0o600
-
-	registerCacheExpiration = time.Minute * 15
-	registerCacheCleanup    = time.Minute * 20
-
+	errSTUNAddressNotSet                   = Error("STUN address not set")
 	errUnsupportedDatabase                 = Error("unsupported DB")
 	errUnsupportedLetsEncryptChallengeType = Error(
 		"unknown value for Lets Encrypt challenge type",
 	)
+)
+
+const (
+	AuthPrefix          = "Bearer "
+	Postgres            = "postgres"
+	Sqlite              = "sqlite3"
+	updateInterval      = 5000
+	HTTPReadTimeout     = 30 * time.Second
+	HTTPShutdownTimeout = 3 * time.Second
+	privateKeyFileMode  = 0o600
+
+	registerCacheExpiration = time.Minute * 15
+	registerCacheCleanup    = time.Minute * 20

 	DisabledClientAuth = "disabled"
 	RelaxedClientAuth  = "relaxed"
 	EnforcedClientAuth = "enforced"
 )

-// Config contains the initial Headscale configuration.
-type Config struct {
-	ServerURL                      string
-	Addr                           string
-	GRPCAddr                       string
-	GRPCAllowInsecure              bool
-	EphemeralNodeInactivityTimeout time.Duration
-	IPPrefixes                     []netaddr.IPPrefix
-	PrivateKeyPath                 string
-	BaseDomain                     string
-
-	DERP DERPConfig
-
-	DBtype string
-	DBpath string
-	DBhost string
-	DBport int
-	DBname string
-	DBuser string
-	DBpass string
-
-	TLSLetsEncryptListen        string
-	TLSLetsEncryptHostname      string
-	TLSLetsEncryptCacheDir      string
-	TLSLetsEncryptChallengeType string
-
-	TLSCertPath       string
-	TLSKeyPath        string
-	TLSClientAuthMode tls.ClientAuthType
-
-	ACMEURL   string
-	ACMEEmail string
-
-	DNSConfig *tailcfg.DNSConfig
-
-	UnixSocket           string
-	UnixSocketPermission fs.FileMode
-
-	OIDC OIDCConfig
-
-	CLI CLIConfig
-}
-
-type OIDCConfig struct {
-	Issuer           string
-	ClientID         string
-	ClientSecret     string
-	StripEmaildomain bool
-}
-
-type DERPConfig struct {
-	URLs            []url.URL
-	Paths           []string
-	AutoUpdate      bool
-	UpdateFrequency time.Duration
-}
-
-type CLIConfig struct {
-	Address  string
-	APIKey   string
-	Timeout  time.Duration
-	Insecure bool
-}
-
 // Headscale represents the base app of the service.
 type Headscale struct {
-	cfg        Config
+	cfg        *Config
 	db         *gorm.DB
 	dbString   string
 	dbType     string
 	dbDebug    bool
 	privateKey *key.MachinePrivate

-	DERPMap *tailcfg.DERPMap
+	DERPMap    *tailcfg.DERPMap
+	DERPServer *DERPServer

 	aclPolicy *ACLPolicy
 	aclRules  []tailcfg.FilterRule

-	lastStateChange sync.Map
+	lastStateChange *xsync.MapOf[time.Time]

 	oidcProvider *oidc.Provider
 	oauth2Config *oauth2.Config
@@ -154,6 +93,9 @@ type Headscale struct {
 	registrationCache *cache.Cache

 	ipAllocationMutex sync.Mutex
+
+	shutdownChan       chan struct{}
+	pollNetMapStreamWG sync.WaitGroup
 }

 // Look up the TLS constant relative to user-supplied TLS client
@@ -177,8 +119,7 @@ func LookupTLSClientAuthMode(mode string) (tls.ClientAuthType, bool) {
 	}
 }

-// NewHeadscale returns the Headscale app.
-func NewHeadscale(cfg Config) (*Headscale, error) {
+func NewHeadscale(cfg *Config) (*Headscale, error) {
 	privKey, err := readOrCreatePrivateKey(cfg.PrivateKeyPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read or create private key: %w", err)
@@ -207,12 +148,13 @@ func NewHeadscale(cfg Config) (*Headscale, error) {
 	)

 	app := Headscale{
-		cfg:               cfg,
-		dbType:            cfg.DBtype,
-		dbString:          dbString,
-		privateKey:        privKey,
-		aclRules:          tailcfg.FilterAllowAll, // default allowall
-		registrationCache: registrationCache,
+		cfg:                cfg,
+		dbType:             cfg.DBtype,
+		dbString:           dbString,
+		privateKey:         privKey,
+		aclRules:           tailcfg.FilterAllowAll, // default allowall
+		registrationCache:  registrationCache,
+		pollNetMapStreamWG: sync.WaitGroup{},
 	}

 	err = app.initDB()
@@ -231,13 +173,21 @@ func NewHeadscale(cfg Config) (*Headscale, error) {
 		magicDNSDomains := generateMagicDNSRootDomains(app.cfg.IPPrefixes)
 		// we might have routes already from Split DNS
 		if app.cfg.DNSConfig.Routes == nil {
-			app.cfg.DNSConfig.Routes = make(map[string][]dnstype.Resolver)
+			app.cfg.DNSConfig.Routes = make(map[string][]*dnstype.Resolver)
 		}
 		for _, d := range magicDNSDomains {
 			app.cfg.DNSConfig.Routes[d.WithoutTrailingDot()] = nil
 		}
 	}

+	if cfg.DERP.ServerEnabled {
+		embeddedDERPServer, err := app.NewDERPServer()
+		if err != nil {
+			return nil, err
+		}
+		app.DERPServer = embeddedDERPServer
+	}
+
 	return &app, nil
 }

@@ -275,33 +225,38 @@ func (h *Headscale) expireEphemeralNodesWorker() {
 			return
 		}

+		expiredFound := false
 		for _, machine := range machines {
 			if machine.AuthKey != nil && machine.LastSeen != nil &&
 				machine.AuthKey.Ephemeral &&
 				time.Now().
 					After(machine.LastSeen.Add(h.cfg.EphemeralNodeInactivityTimeout)) {
+				expiredFound = true
 				log.Info().
-					Str("machine", machine.Name).
+					Str("machine", machine.Hostname).
 					Msg("Ephemeral client removed from database")

 				err = h.db.Unscoped().Delete(machine).Error
 				if err != nil {
 					log.Error().
 						Err(err).
-						Str("machine", machine.Name).
+						Str("machine", machine.Hostname).
 						Msg("🤮 Cannot delete ephemeral machine from the database")
 				}
 			}
 		}

-		h.setLastStateChangeToNow(namespace.Name)
+		if expiredFound {
+			h.setLastStateChangeToNow(namespace.Name)
+		}
 	}
 }

 func (h *Headscale) grpcAuthenticationInterceptor(ctx context.Context,
 	req interface{},
 	info *grpc.UnaryServerInfo,
-	handler grpc.UnaryHandler) (interface{}, error) {
+	handler grpc.UnaryHandler,
+) (interface{}, error) {
 	// Check if the request is coming from the on-server client.
 	// This is not secure, but it is to maintain maintainability
 	// with the "legacy" database-based client
@@ -376,50 +331,74 @@ func (h *Headscale) grpcAuthenticationInterceptor(ctx context.Context,
 	return handler(ctx, req)
 }

-func (h *Headscale) httpAuthenticationMiddleware(ctx *gin.Context) {
-	log.Trace().
-		Caller().
-		Str("client_address", ctx.ClientIP()).
-		Msg("HTTP authentication invoked")
-
-	authHeader := ctx.GetHeader("authorization")
-
-	if !strings.HasPrefix(authHeader, AuthPrefix) {
-		log.Error().
+func (h *Headscale) httpAuthenticationMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(
+		writer http.ResponseWriter,
+		req *http.Request,
+	) {
+		log.Trace().
 			Caller().
-			Str("client_address", ctx.ClientIP()).
-			Msg(`missing "Bearer " prefix in "Authorization" header`)
-		ctx.AbortWithStatus(http.StatusUnauthorized)
+			Str("client_address", req.RemoteAddr).
+			Msg("HTTP authentication invoked")

-		return
-	}
+		authHeader := req.Header.Get("authorization")

-	ctx.AbortWithStatus(http.StatusUnauthorized)
+		if !strings.HasPrefix(authHeader, AuthPrefix) {
+			log.Error().
+				Caller().
+				Str("client_address", req.RemoteAddr).
+				Msg(`missing "Bearer " prefix in "Authorization" header`)
+			writer.WriteHeader(http.StatusUnauthorized)
+			_, err := writer.Write([]byte("Unauthorized"))
+			if err != nil {
+				log.Error().
+					Caller().
+					Err(err).
+					Msg("Failed to write response")
+			}

-	valid, err := h.ValidateAPIKey(strings.TrimPrefix(authHeader, AuthPrefix))
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Str("client_address", ctx.ClientIP()).
-			Msg("failed to validate token")
+			return
+		}

-		ctx.AbortWithStatus(http.StatusInternalServerError)
+		valid, err := h.ValidateAPIKey(strings.TrimPrefix(authHeader, AuthPrefix))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Str("client_address", req.RemoteAddr).
+				Msg("failed to validate token")

-		return
-	}
+			writer.WriteHeader(http.StatusInternalServerError)
+			_, err := writer.Write([]byte("Unauthorized"))
+			if err != nil {
+				log.Error().
+					Caller().
+					Err(err).
+					Msg("Failed to write response")
+			}

-	if !valid {
-		log.Info().
-			Str("client_address", ctx.ClientIP()).
-			Msg("invalid token")
+			return
+		}

-		ctx.AbortWithStatus(http.StatusUnauthorized)
+		if !valid {
+			log.Info().
+				Str("client_address", req.RemoteAddr).
+				Msg("invalid token")

-		return
-	}
+			writer.WriteHeader(http.StatusUnauthorized)
+			_, err := writer.Write([]byte("Unauthorized"))
+			if err != nil {
+				log.Error().
+					Caller().
+					Err(err).
+					Msg("Failed to write response")
+			}

-	ctx.Next()
+			return
+		}
+
+		next.ServeHTTP(writer, req)
+	})
 }

 // ensureUnixSocketIsAbsent will check if the given path for headscales unix socket is clear
@@ -433,34 +412,34 @@ func (h *Headscale) ensureUnixSocketIsAbsent() error {
 	return os.Remove(h.cfg.UnixSocket)
 }

-func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *gin.Engine {
-	router := gin.Default()
+func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *mux.Router {
+	router := mux.NewRouter()

-	prometheus := ginprometheus.NewPrometheus("gin")
-	prometheus.Use(router)
+	router.HandleFunc("/health", h.HealthHandler).Methods(http.MethodGet)
+	router.HandleFunc("/key", h.KeyHandler).Methods(http.MethodGet)
+	router.HandleFunc("/register", h.RegisterWebAPI).Methods(http.MethodGet)
+	router.HandleFunc("/machine/{mkey}/map", h.PollNetMapHandler).Methods(http.MethodPost)
+	router.HandleFunc("/machine/{mkey}", h.RegistrationHandler).Methods(http.MethodPost)
+	router.HandleFunc("/oidc/register/{mkey}", h.RegisterOIDC).Methods(http.MethodGet)
+	router.HandleFunc("/oidc/callback", h.OIDCCallback).Methods(http.MethodGet)
+	router.HandleFunc("/apple", h.AppleConfigMessage).Methods(http.MethodGet)
+	router.HandleFunc("/apple/{platform}", h.ApplePlatformConfig).Methods(http.MethodGet)
+	router.HandleFunc("/windows", h.WindowsConfigMessage).Methods(http.MethodGet)
+	router.HandleFunc("/windows/tailscale.reg", h.WindowsRegConfig).Methods(http.MethodGet)
+	router.HandleFunc("/swagger", SwaggerUI).Methods(http.MethodGet)
+	router.HandleFunc("/swagger/v1/openapiv2.json", SwaggerAPIv1).Methods(http.MethodGet)

-	router.GET(
-		"/health",
-		func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"healthy": "ok"}) },
-	)
-	router.GET("/key", h.KeyHandler)
-	router.GET("/register", h.RegisterWebAPI)
-	router.POST("/machine/:id/map", h.PollNetMapHandler)
-	router.POST("/machine/:id", h.RegistrationHandler)
-	router.GET("/oidc/register/:mkey", h.RegisterOIDC)
-	router.GET("/oidc/callback", h.OIDCCallback)
-	router.GET("/apple", h.AppleMobileConfig)
-	router.GET("/apple/:platform", h.ApplePlatformConfig)
-	router.GET("/swagger", SwaggerUI)
-	router.GET("/swagger/v1/openapiv2.json", SwaggerAPIv1)
-
-	api := router.Group("/api")
-	api.Use(h.httpAuthenticationMiddleware)
-	{
-		api.Any("/v1/*any", gin.WrapF(grpcMux.ServeHTTP))
+	if h.cfg.DERP.ServerEnabled {
+		router.HandleFunc("/derp", h.DERPHandler)
+		router.HandleFunc("/derp/probe", h.DERPProbeHandler)
+		router.HandleFunc("/bootstrap-dns", h.DERPBootstrapDNSHandler)
 	}

-	router.NoRoute(stdoutHandler)
+	apiRouter := router.PathPrefix("/api").Subrouter()
+	apiRouter.Use(h.httpAuthenticationMiddleware)
+	apiRouter.PathPrefix("/v1/").HandlerFunc(grpcMux.ServeHTTP)
+
+	router.PathPrefix("/").HandlerFunc(stdoutHandler)

 	return router
 }
@@ -472,6 +451,16 @@ func (h *Headscale) Serve() error {
 	// Fetch an initial DERP Map before we start serving
 	h.DERPMap = GetDERPMap(h.cfg.DERP)

+	if h.cfg.DERP.ServerEnabled {
+		// When embedded DERP is enabled we always need a STUN server
+		if h.cfg.DERP.STUNAddr == "" {
+			return errSTUNAddressNotSet
+		}
+
+		h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region
+		go h.ServeSTUN()
+	}
+
 	if h.cfg.DERP.AutoUpdate {
 		derpMapCancelChannel := make(chan struct{})
 		defer func() { derpMapCancelChannel <- struct{}{} }()
@@ -513,19 +502,6 @@ func (h *Headscale) Serve() error {
 		return fmt.Errorf("failed change permission of gRPC socket: %w", err)
 	}

-	// Handle common process-killing signals so we can gracefully shut down:
-	sigc := make(chan os.Signal, 1)
-	signal.Notify(sigc, os.Interrupt, syscall.SIGTERM)
-	go func(c chan os.Signal) {
-		// Wait for a SIGINT or SIGKILL:
-		sig := <-c
-		log.Printf("Caught signal %s: shutting down.", sig)
-		// Stop listening (and unlink the socket if unix type):
-		socketListener.Close()
-		// And we're done:
-		os.Exit(0)
-	}(sigc)
-
 	grpcGatewayMux := runtime.NewServeMux()

 	// Make the grpc-gateway connect to grpc over socket
@@ -579,6 +555,8 @@ func (h *Headscale) Serve() error {
 	// https://github.com/soheilhy/cmux/issues/68
 	// https://github.com/soheilhy/cmux/issues/91

+	var grpcServer *grpc.Server
+	var grpcListener net.Listener
 	if tlsConfig != nil || h.cfg.GRPCAllowInsecure {
 		log.Info().Msgf("Enabling remote gRPC at %s", h.cfg.GRPCAddr)

@@ -599,12 +577,12 @@ func (h *Headscale) Serve() error {
 			log.Warn().Msg("gRPC is running without security")
 		}

-		grpcServer := grpc.NewServer(grpcOptions...)
+		grpcServer = grpc.NewServer(grpcOptions...)

 		v1.RegisterHeadscaleServiceServer(grpcServer, newHeadscaleV1APIServer(h))
 		reflection.Register(grpcServer)

-		grpcListener, err := net.Listen("tcp", h.cfg.GRPCAddr)
+		grpcListener, err = net.Listen("tcp", h.cfg.GRPCAddr)
 		if err != nil {
 			return fmt.Errorf("failed to bind to TCP address: %w", err)
 		}
@@ -649,12 +627,124 @@ func (h *Headscale) Serve() error {
 	log.Info().
 		Msgf("listening and serving HTTP on: %s", h.cfg.Addr)

+	promMux := http.NewServeMux()
+	promMux.Handle("/metrics", promhttp.Handler())
+
+	promHTTPServer := &http.Server{
+		Addr:         h.cfg.MetricsAddr,
+		Handler:      promMux,
+		ReadTimeout:  HTTPReadTimeout,
+		WriteTimeout: 0,
+	}
+
+	var promHTTPListener net.Listener
+	promHTTPListener, err = net.Listen("tcp", h.cfg.MetricsAddr)
+
+	if err != nil {
+		return fmt.Errorf("failed to bind to TCP address: %w", err)
+	}
+
+	errorGroup.Go(func() error { return promHTTPServer.Serve(promHTTPListener) })
+
+	log.Info().
+		Msgf("listening and serving metrics on: %s", h.cfg.MetricsAddr)
+
+	// Handle common process-killing signals so we can gracefully shut down:
+	h.shutdownChan = make(chan struct{})
+	sigc := make(chan os.Signal, 1)
+	signal.Notify(sigc,
+		syscall.SIGHUP,
+		syscall.SIGINT,
+		syscall.SIGTERM,
+		syscall.SIGQUIT,
+		syscall.SIGHUP)
+	sigFunc := func(c chan os.Signal) {
+		// Wait for a SIGINT or SIGKILL:
+		for {
+			sig := <-c
+			switch sig {
+			case syscall.SIGHUP:
+				log.Info().
+					Str("signal", sig.String()).
+					Msg("Received SIGHUP, reloading ACL and Config")
+
+				// TODO(kradalby): Reload config on SIGHUP
+
+				if h.cfg.ACL.PolicyPath != "" {
+					aclPath := AbsolutePathFromConfigPath(h.cfg.ACL.PolicyPath)
+					err := h.LoadACLPolicy(aclPath)
+					if err != nil {
+						log.Error().Err(err).Msg("Failed to reload ACL policy")
+					}
+					log.Info().
+						Str("path", aclPath).
+						Msg("ACL policy successfully reloaded, notifying nodes of change")
+
+					h.setLastStateChangeToNow()
+				}
+
+			default:
+				log.Info().
+					Str("signal", sig.String()).
+					Msg("Received signal to stop, shutting down gracefully")
+
+				close(h.shutdownChan)
+				h.pollNetMapStreamWG.Wait()
+
+				// Gracefully shut down servers
+				ctx, cancel := context.WithTimeout(context.Background(), HTTPShutdownTimeout)
+				if err := promHTTPServer.Shutdown(ctx); err != nil {
+					log.Error().Err(err).Msg("Failed to shutdown prometheus http")
+				}
+				if err := httpServer.Shutdown(ctx); err != nil {
+					log.Error().Err(err).Msg("Failed to shutdown http")
+				}
+				grpcSocket.GracefulStop()
+
+				if grpcServer != nil {
+					grpcServer.GracefulStop()
+					grpcListener.Close()
+				}
+
+				// Close network listeners
+				promHTTPListener.Close()
+				httpListener.Close()
+				grpcGatewayConn.Close()
+
+				// Stop listening (and unlink the socket if unix type):
+				socketListener.Close()
+
+				// Close db connections
+				db, err := h.db.DB()
+				if err != nil {
+					log.Error().Err(err).Msg("Failed to get db handle")
+				}
+				err = db.Close()
+				if err != nil {
+					log.Error().Err(err).Msg("Failed to close db")
+				}
+
+				log.Info().
+					Msg("Headscale stopped")
+
+				// And we're done:
+				cancel()
+				os.Exit(0)
+			}
+		}
+	}
+	errorGroup.Go(func() error {
+		sigFunc(sigc)
+
+		return nil
+	})
+
 	return errorGroup.Wait()
 }

 func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 	var err error
-	if h.cfg.TLSLetsEncryptHostname != "" {
+	if h.cfg.TLS.LetsEncrypt.Hostname != "" {
 		if !strings.HasPrefix(h.cfg.ServerURL, "https://") {
 			log.Warn().
 				Msg("Listening with TLS but ServerURL does not start with https://")
@@ -662,29 +752,29 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {

 		certManager := autocert.Manager{
 			Prompt:     autocert.AcceptTOS,
-			HostPolicy: autocert.HostWhitelist(h.cfg.TLSLetsEncryptHostname),
-			Cache:      autocert.DirCache(h.cfg.TLSLetsEncryptCacheDir),
+			HostPolicy: autocert.HostWhitelist(h.cfg.TLS.LetsEncrypt.Hostname),
+			Cache:      autocert.DirCache(h.cfg.TLS.LetsEncrypt.CacheDir),
 			Client: &acme.Client{
 				DirectoryURL: h.cfg.ACMEURL,
 			},
 			Email: h.cfg.ACMEEmail,
 		}

-		switch h.cfg.TLSLetsEncryptChallengeType {
-		case "TLS-ALPN-01":
+		switch h.cfg.TLS.LetsEncrypt.ChallengeType {
+		case tlsALPN01ChallengeType:
 			// Configuration via autocert with TLS-ALPN-01 (https://tools.ietf.org/html/rfc8737)
 			// The RFC requires that the validation is done on port 443; in other words, headscale
 			// must be reachable on port 443.
 			return certManager.TLSConfig(), nil

-		case "HTTP-01":
+		case http01ChallengeType:
 			// Configuration via autocert with HTTP-01. This requires listening on
 			// port 80 for the certificate validation in addition to the headscale
 			// service, which can be configured to run on any other port.
 			go func() {
 				log.Fatal().
 					Caller().
-					Err(http.ListenAndServe(h.cfg.TLSLetsEncryptListen, certManager.HTTPHandler(http.HandlerFunc(h.redirect)))).
+					Err(http.ListenAndServe(h.cfg.TLS.LetsEncrypt.Listen, certManager.HTTPHandler(http.HandlerFunc(h.redirect)))).
 					Msg("failed to set up a HTTP server")
 			}()

@@ -693,7 +783,7 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 		default:
 			return nil, errUnsupportedLetsEncryptChallengeType
 		}
-	} else if h.cfg.TLSCertPath == "" {
+	} else if h.cfg.TLS.CertPath == "" {
 		if !strings.HasPrefix(h.cfg.ServerURL, "http://") {
 			log.Warn().Msg("Listening without TLS but ServerURL does not start with http://")
 		}
@@ -706,36 +796,59 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {

 		log.Info().Msg(fmt.Sprintf(
 			"Client authentication (mTLS) is \"%s\". See the docs to learn about configuring this setting.",
-			h.cfg.TLSClientAuthMode))
+			h.cfg.TLS.ClientAuthMode))

 		tlsConfig := &tls.Config{
-			ClientAuth:   h.cfg.TLSClientAuthMode,
+			ClientAuth:   h.cfg.TLS.ClientAuthMode,
 			NextProtos:   []string{"http/1.1"},
 			Certificates: make([]tls.Certificate, 1),
 			MinVersion:   tls.VersionTLS12,
 		}

-		tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(h.cfg.TLSCertPath, h.cfg.TLSKeyPath)
+		tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(h.cfg.TLS.CertPath, h.cfg.TLS.KeyPath)

 		return tlsConfig, err
 	}
 }

-func (h *Headscale) setLastStateChangeToNow(namespace string) {
+func (h *Headscale) setLastStateChangeToNow(namespaces ...string) {
+	var err error
+
 	now := time.Now().UTC()
-	lastStateUpdate.WithLabelValues("", "headscale").Set(float64(now.Unix()))
-	h.lastStateChange.Store(namespace, now)
+
+	if len(namespaces) == 0 {
+		namespaces, err = h.ListNamespacesStr()
+		if err != nil {
+			log.Error().Caller().Err(err).Msg("failed to fetch all namespaces, failing to update last changed state.")
+		}
+	}
+
+	for _, namespace := range namespaces {
+		lastStateUpdate.WithLabelValues(namespace, "headscale").Set(float64(now.Unix()))
+		if h.lastStateChange == nil {
+			h.lastStateChange = xsync.NewMapOf[time.Time]()
+		}
+		h.lastStateChange.Store(namespace, now)
+	}
 }

 func (h *Headscale) getLastStateChange(namespaces ...string) time.Time {
 	times := []time.Time{}

-	for _, namespace := range namespaces {
-		if wrapped, ok := h.lastStateChange.Load(namespace); ok {
-			lastChange, _ := wrapped.(time.Time)
-
-			times = append(times, lastChange)
+	// getLastStateChange takes a list of namespaces as a "filter", if no namespaces
+	// are past, then use the entier list of namespaces and look for the last update
+	if len(namespaces) > 0 {
+		for _, namespace := range namespaces {
+			if lastChange, ok := h.lastStateChange.Load(namespace); ok {
+				times = append(times, lastChange)
+			}
 		}
+	} else {
+		h.lastStateChange.Range(func(key string, value time.Time) bool {
+			times = append(times, value)
+
+			return true
+		})
 	}

 	sort.Slice(times, func(i, j int) bool {
@@ -751,13 +864,16 @@ func (h *Headscale) getLastStateChange(namespaces ...string) time.Time {
 	}
 }

-func stdoutHandler(ctx *gin.Context) {
-	body, _ := io.ReadAll(ctx.Request.Body)
+func stdoutHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	body, _ := io.ReadAll(req.Body)

 	log.Trace().
-		Interface("header", ctx.Request.Header).
-		Interface("proto", ctx.Request.Proto).
-		Interface("url", ctx.Request.URL).
+		Interface("header", req.Header).
+		Interface("proto", req.Proto).
+		Interface("url", req.URL).
 		Bytes("body", body).
 		Msg("Request did not match")
 }
--- a/app_test.go
+++ b/app_test.go
@@ -46,7 +46,7 @@ func (s *Suite) ResetDB(c *check.C) {
 	}

 	app = Headscale{
-		cfg:      cfg,
+		cfg:      &cfg,
 		dbType:   "sqlite3",
 		dbString: tmpDir + "/headscale_test.db",
 	}
--- a/apple_mobileconfig.go
+++ b/apple_mobileconfig.go
@@ -1,267 +0,0 @@
-package headscale
-
-import (
-	"bytes"
-	"html/template"
-	"net/http"
-	textTemplate "text/template"
-
-	"github.com/gin-gonic/gin"
-	"github.com/gofrs/uuid"
-	"github.com/rs/zerolog/log"
-)
-
-// AppleMobileConfig shows a simple message in the browser to point to the CLI
-// Listens in /register.
-func (h *Headscale) AppleMobileConfig(ctx *gin.Context) {
-	appleTemplate := template.Must(template.New("apple").Parse(`
-<html>
-	<body>
-		<h1>Apple configuration profiles</h1>
-		<p>
-		    This page provides <a href="https://support.apple.com/guide/mdm/mdm-overview-mdmbf9e668/web">configuration profiles</a> for the official Tailscale clients for <a href="https://apps.apple.com/us/app/tailscale/id1470499037?ls=1">iOS</a> and <a href="https://apps.apple.com/ca/app/tailscale/id1475387142?mt=12">macOS</a>.
-		</p>
-		<p>
-		    The profiles will configure Tailscale.app to use {{.Url}} as its control server.
-		</p>
-
-		<h3>Caution</h3>
-		<p>You should always inspect the profile before installing it:</p>
-		<!--
-		<p><code>curl {{.Url}}/apple/ios</code></p>
-		-->
-		<p><code>curl {{.Url}}/apple/macos</code></p>
-
-		<h2>Profiles</h2>
-
-		<!--
-		<h3>iOS</h3>
-		<p>
-		    <a href="/apple/ios" download="headscale_ios.mobileconfig">iOS profile</a>
-		</p>
-		-->
-
-		<h3>macOS</h3>
-		<p>Headscale can be set to the default server by installing a Headscale configuration profile:</p>
-		<p>
-		    <a href="/apple/macos" download="headscale_macos.mobileconfig">macOS profile</a>
-		</p>
-
-		<ol>
-		<li>Download the profile, then open it. When it has been opened, there should be a notification that a profile can be installed</li>
-		<li>Open System Preferences and go to "Profiles"</li>
-		<li>Find and install the Headscale profile</li>
-		<li>Restart Tailscale.app and log in</li>
-		</ol>
-
-		<p>Or</p>
-		<p>Use your terminal to configure the default setting for Tailscale by issuing:</p>
-		<code>defaults write io.tailscale.ipn.macos ControlURL {{.URL}}</code>
-
-		<p>Restart Tailscale.app and log in.</p>
-
-	</body>
-</html>`))
-
-	config := map[string]interface{}{
-		"URL": h.cfg.ServerURL,
-	}
-
-	var payload bytes.Buffer
-	if err := appleTemplate.Execute(&payload, config); err != nil {
-		log.Error().
-			Str("handler", "AppleMobileConfig").
-			Err(err).
-			Msg("Could not render Apple index template")
-		ctx.Data(
-			http.StatusInternalServerError,
-			"text/html; charset=utf-8",
-			[]byte("Could not render Apple index template"),
-		)
-
-		return
-	}
-
-	ctx.Data(http.StatusOK, "text/html; charset=utf-8", payload.Bytes())
-}
-
-func (h *Headscale) ApplePlatformConfig(ctx *gin.Context) {
-	platform := ctx.Param("platform")
-
-	id, err := uuid.NewV4()
-	if err != nil {
-		log.Error().
-			Str("handler", "ApplePlatformConfig").
-			Err(err).
-			Msg("Failed not create UUID")
-		ctx.Data(
-			http.StatusInternalServerError,
-			"text/html; charset=utf-8",
-			[]byte("Failed to create UUID"),
-		)
-
-		return
-	}
-
-	contentID, err := uuid.NewV4()
-	if err != nil {
-		log.Error().
-			Str("handler", "ApplePlatformConfig").
-			Err(err).
-			Msg("Failed not create UUID")
-		ctx.Data(
-			http.StatusInternalServerError,
-			"text/html; charset=utf-8",
-			[]byte("Failed to create UUID"),
-		)
-
-		return
-	}
-
-	platformConfig := AppleMobilePlatformConfig{
-		UUID: contentID,
-		URL:  h.cfg.ServerURL,
-	}
-
-	var payload bytes.Buffer
-
-	switch platform {
-	case "macos":
-		if err := macosTemplate.Execute(&payload, platformConfig); err != nil {
-			log.Error().
-				Str("handler", "ApplePlatformConfig").
-				Err(err).
-				Msg("Could not render Apple macOS template")
-			ctx.Data(
-				http.StatusInternalServerError,
-				"text/html; charset=utf-8",
-				[]byte("Could not render Apple macOS template"),
-			)
-
-			return
-		}
-	case "ios":
-		if err := iosTemplate.Execute(&payload, platformConfig); err != nil {
-			log.Error().
-				Str("handler", "ApplePlatformConfig").
-				Err(err).
-				Msg("Could not render Apple iOS template")
-			ctx.Data(
-				http.StatusInternalServerError,
-				"text/html; charset=utf-8",
-				[]byte("Could not render Apple iOS template"),
-			)
-
-			return
-		}
-	default:
-		ctx.Data(
-			http.StatusOK,
-			"text/html; charset=utf-8",
-			[]byte("Invalid platform, only ios and macos is supported"),
-		)
-
-		return
-	}
-
-	config := AppleMobileConfig{
-		UUID:    id,
-		URL:     h.cfg.ServerURL,
-		Payload: payload.String(),
-	}
-
-	var content bytes.Buffer
-	if err := commonTemplate.Execute(&content, config); err != nil {
-		log.Error().
-			Str("handler", "ApplePlatformConfig").
-			Err(err).
-			Msg("Could not render Apple platform template")
-		ctx.Data(
-			http.StatusInternalServerError,
-			"text/html; charset=utf-8",
-			[]byte("Could not render Apple platform template"),
-		)
-
-		return
-	}
-
-	ctx.Data(
-		http.StatusOK,
-		"application/x-apple-aspen-config; charset=utf-8",
-		content.Bytes(),
-	)
-}
-
-type AppleMobileConfig struct {
-	UUID    uuid.UUID
-	URL     string
-	Payload string
-}
-
-type AppleMobilePlatformConfig struct {
-	UUID uuid.UUID
-	URL  string
-}
-
-var commonTemplate = textTemplate.Must(
-	textTemplate.New("mobileconfig").Parse(`<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
-<plist version="1.0">
-  <dict>
-    <key>PayloadUUID</key>
-    <string>{{.UUID}}</string>
-    <key>PayloadDisplayName</key>
-    <string>Headscale</string>
-    <key>PayloadDescription</key>
-    <string>Configure Tailscale login server to: {{.URL}}</string>
-    <key>PayloadIdentifier</key>
-    <string>com.github.juanfont.headscale</string>
-    <key>PayloadRemovalDisallowed</key>
-    <false/>
-    <key>PayloadType</key>
-    <string>Configuration</string>
-    <key>PayloadVersion</key>
-    <integer>1</integer>
-    <key>PayloadContent</key>
-    <array>
-    {{.Payload}}
-    </array>
-  </dict>
-</plist>`),
-)
-
-var iosTemplate = textTemplate.Must(textTemplate.New("iosTemplate").Parse(`
-    <dict>
-        <key>PayloadType</key>
-        <string>io.tailscale.ipn.ios</string>
-        <key>PayloadUUID</key>
-        <string>{{.UUID}}</string>
-        <key>PayloadIdentifier</key>
-        <string>com.github.juanfont.headscale</string>
-        <key>PayloadVersion</key>
-        <integer>1</integer>
-        <key>PayloadEnabled</key>
-        <true/>
-
-        <key>ControlURL</key>
-        <string>{{.URL}}</string>
-    </dict>
-`))
-
-var macosTemplate = template.Must(template.New("macosTemplate").Parse(`
-    <dict>
-        <key>PayloadType</key>
-        <string>io.tailscale.ipn.macos</string>
-        <key>PayloadUUID</key>
-        <string>{{.UUID}}</string>
-        <key>PayloadIdentifier</key>
-        <string>com.github.juanfont.headscale</string>
-        <key>PayloadVersion</key>
-        <integer>1</integer>
-        <key>PayloadEnabled</key>
-        <true/>
-
-        <key>ControlURL</key>
-        <string>{{.URL}}</string>
-    </dict>
-`))
--- a/cmd/headscale/cli/api_key.go
+++ b/cmd/headscale/cli/api_key.go
@@ -7,6 +7,7 @@ import (

 	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/prometheus/common/model"
 	"github.com/pterm/pterm"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
@@ -15,7 +16,7 @@ import (

 const (
 	// 90 days.
-	DefaultAPIKeyExpiry = 90 * 24 * time.Hour
+	DefaultAPIKeyExpiry = "90d"
 )

 func init() {
@@ -23,7 +24,7 @@ func init() {
 	apiKeysCmd.AddCommand(listAPIKeys)

 	createAPIKeyCmd.Flags().
-		DurationP("expiration", "e", DefaultAPIKeyExpiry, "Human-readable expiration of the key (30m, 24h, 365d...)")
+		StringP("expiration", "e", DefaultAPIKeyExpiry, "Human-readable expiration of the key (e.g. 30m, 24h)")

 	apiKeysCmd.AddCommand(createAPIKeyCmd)

@@ -118,10 +119,22 @@ If you loose a key, create a new one and revoke (expire) the old one.`,

 		request := &v1.CreateApiKeyRequest{}

-		duration, _ := cmd.Flags().GetDuration("expiration")
-		expiration := time.Now().UTC().Add(duration)
+		durationStr, _ := cmd.Flags().GetString("expiration")

-		log.Trace().Dur("expiration", duration).Msg("expiration has been set")
+		duration, err := model.ParseDuration(durationStr)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Could not parse duration: %s\n", err),
+				output,
+			)
+
+			return
+		}
+
+		expiration := time.Now().UTC().Add(time.Duration(duration))
+
+		log.Trace().Dur("expiration", time.Duration(duration)).Msg("expiration has been set")

 		request.Expiration = timestamppb.New(expiration)

--- a/cmd/headscale/cli/dump_config.go
+++ b/cmd/headscale/cli/dump_config.go
@@ -0,0 +1,28 @@
+package cli
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+func init() {
+	rootCmd.AddCommand(dumpConfigCmd)
+}
+
+var dumpConfigCmd = &cobra.Command{
+	Use:    "dumpConfig",
+	Short:  "dump current config to /etc/headscale/config.dump.yaml, integration test only",
+	Hidden: true,
+	Args: func(cmd *cobra.Command, args []string) error {
+		return nil
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		err := viper.WriteConfigAs("/etc/headscale/config.dump.yaml")
+		if err != nil {
+			//nolint
+			fmt.Println("Failed to dump config")
+		}
+	},
+}
--- a/cmd/headscale/cli/nodes.go
+++ b/cmd/headscale/cli/nodes.go
@@ -13,12 +13,14 @@ import (
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
+	"inet.af/netaddr"
 	"tailscale.com/types/key"
 )

 func init() {
 	rootCmd.AddCommand(nodeCmd)
 	listNodesCmd.Flags().StringP("namespace", "n", "", "Filter by namespace")
+	listNodesCmd.Flags().BoolP("tags", "t", false, "Show tags")
 	nodeCmd.AddCommand(listNodesCmd)

 	registerNodeCmd.Flags().StringP("namespace", "n", "", "Namespace")
@@ -40,12 +42,44 @@ func init() {
 	}
 	nodeCmd.AddCommand(expireNodeCmd)

+	renameNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
+	err = renameNodeCmd.MarkFlagRequired("identifier")
+	if err != nil {
+		log.Fatalf(err.Error())
+	}
+	nodeCmd.AddCommand(renameNodeCmd)
+
 	deleteNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
 	err = deleteNodeCmd.MarkFlagRequired("identifier")
 	if err != nil {
 		log.Fatalf(err.Error())
 	}
 	nodeCmd.AddCommand(deleteNodeCmd)
+
+	moveNodeCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
+
+	err = moveNodeCmd.MarkFlagRequired("identifier")
+	if err != nil {
+		log.Fatalf(err.Error())
+	}
+
+	moveNodeCmd.Flags().StringP("namespace", "n", "", "New namespace")
+
+	err = moveNodeCmd.MarkFlagRequired("namespace")
+	if err != nil {
+		log.Fatalf(err.Error())
+	}
+	nodeCmd.AddCommand(moveNodeCmd)
+
+	tagCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
+
+	err = tagCmd.MarkFlagRequired("identifier")
+	if err != nil {
+		log.Fatalf(err.Error())
+	}
+	tagCmd.Flags().
+		StringSliceP("tags", "t", []string{}, "List of tags to add to the node")
+	nodeCmd.AddCommand(tagCmd)
 }

 var nodeCmd = &cobra.Command{
@@ -116,6 +150,12 @@ var listNodesCmd = &cobra.Command{

 			return
 		}
+		showTags, err := cmd.Flags().GetBool("tags")
+		if err != nil {
+			ErrorOutput(err, fmt.Sprintf("Error getting tags flag: %s", err), output)
+
+			return
+		}

 		ctx, client, conn, cancel := getHeadscaleCLIClient()
 		defer cancel()
@@ -142,7 +182,7 @@ var listNodesCmd = &cobra.Command{
 			return
 		}

-		tableData, err := nodesToPtables(namespace, response.Machines)
+		tableData, err := nodesToPtables(namespace, showTags, response.Machines)
 		if err != nil {
 			ErrorOutput(err, fmt.Sprintf("Error converting to table: %s", err), output)

@@ -207,6 +247,54 @@ var expireNodeCmd = &cobra.Command{
 	},
 }

+var renameNodeCmd = &cobra.Command{
+	Use:   "rename NEW_NAME",
+	Short: "Renames a machine in your network",
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		identifier, err := cmd.Flags().GetUint64("identifier")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error converting ID to integer: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		newName := ""
+		if len(args) > 0 {
+			newName = args[0]
+		}
+		request := &v1.RenameMachineRequest{
+			MachineId: identifier,
+			NewName:   newName,
+		}
+
+		response, err := client.RenameMachine(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf(
+					"Cannot rename machine: %s\n",
+					status.Convert(err).Message(),
+				),
+				output,
+			)
+
+			return
+		}
+
+		SuccessOutput(response.Machine, "Machine renamed", output)
+	},
+}
+
 var deleteNodeCmd = &cobra.Command{
 	Use:     "delete",
 	Short:   "Delete a node",
@@ -296,23 +384,105 @@ var deleteNodeCmd = &cobra.Command{
 	},
 }

+var moveNodeCmd = &cobra.Command{
+	Use:     "move",
+	Short:   "Move node to another namespace",
+	Aliases: []string{"mv"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+
+		identifier, err := cmd.Flags().GetUint64("identifier")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error converting ID to integer: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		namespace, err := cmd.Flags().GetString("namespace")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error getting namespace: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		getRequest := &v1.GetMachineRequest{
+			MachineId: identifier,
+		}
+
+		_, err = client.GetMachine(ctx, getRequest)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf(
+					"Error getting node: %s",
+					status.Convert(err).Message(),
+				),
+				output,
+			)
+
+			return
+		}
+
+		moveRequest := &v1.MoveMachineRequest{
+			MachineId: identifier,
+			Namespace: namespace,
+		}
+
+		moveResponse, err := client.MoveMachine(ctx, moveRequest)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf(
+					"Error moving node: %s",
+					status.Convert(err).Message(),
+				),
+				output,
+			)
+
+			return
+		}
+
+		SuccessOutput(moveResponse.Machine, "Node moved to another namespace", output)
+	},
+}
+
 func nodesToPtables(
 	currentNamespace string,
+	showTags bool,
 	machines []*v1.Machine,
 ) (pterm.TableData, error) {
-	tableData := pterm.TableData{
-		{
-			"ID",
-			"Name",
-			"NodeKey",
-			"Namespace",
-			"IP addresses",
-			"Ephemeral",
-			"Last seen",
-			"Online",
-			"Expired",
-		},
+	tableHeader := []string{
+		"ID",
+		"Hostname",
+		"Name",
+		"NodeKey",
+		"Namespace",
+		"IP addresses",
+		"Ephemeral",
+		"Last seen",
+		"Online",
+		"Expired",
 	}
+	if showTags {
+		tableHeader = append(tableHeader, []string{
+			"ForcedTags",
+			"InvalidTags",
+			"ValidTags",
+		}...)
+	}
+	tableData := pterm.TableData{tableHeader}

 	for _, machine := range machines {
 		var ephemeral bool
@@ -356,6 +526,26 @@ func nodesToPtables(
 			expired = pterm.LightRed("yes")
 		}

+		var forcedTags string
+		for _, tag := range machine.ForcedTags {
+			forcedTags += "," + tag
+		}
+		forcedTags = strings.TrimLeft(forcedTags, ",")
+		var invalidTags string
+		for _, tag := range machine.InvalidTags {
+			if !contains(machine.ForcedTags, tag) {
+				invalidTags += "," + pterm.LightRed(tag)
+			}
+		}
+		invalidTags = strings.TrimLeft(invalidTags, ",")
+		var validTags string
+		for _, tag := range machine.ValidTags {
+			if !contains(machine.ForcedTags, tag) {
+				validTags += "," + pterm.LightGreen(tag)
+			}
+		}
+		validTags = strings.TrimLeft(validTags, ",")
+
 		var namespace string
 		if currentNamespace == "" || (currentNamespace == machine.Namespace.Name) {
 			namespace = pterm.LightMagenta(machine.Namespace.Name)
@@ -363,21 +553,95 @@ func nodesToPtables(
 			// Shared into this namespace
 			namespace = pterm.LightYellow(machine.Namespace.Name)
 		}
+
+		var IPV4Address string
+		var IPV6Address string
+		for _, addr := range machine.IpAddresses {
+			if netaddr.MustParseIP(addr).Is4() {
+				IPV4Address = addr
+			} else {
+				IPV6Address = addr
+			}
+		}
+
+		nodeData := []string{
+			strconv.FormatUint(machine.Id, headscale.Base10),
+			machine.Name,
+			machine.GetGivenName(),
+			nodeKey.ShortString(),
+			namespace,
+			strings.Join([]string{IPV4Address, IPV6Address}, ", "),
+			strconv.FormatBool(ephemeral),
+			lastSeenTime,
+			online,
+			expired,
+		}
+		if showTags {
+			nodeData = append(nodeData, []string{forcedTags, invalidTags, validTags}...)
+		}
 		tableData = append(
 			tableData,
-			[]string{
-				strconv.FormatUint(machine.Id, headscale.Base10),
-				machine.Name,
-				nodeKey.ShortString(),
-				namespace,
-				strings.Join(machine.IpAddresses, ", "),
-				strconv.FormatBool(ephemeral),
-				lastSeenTime,
-				online,
-				expired,
-			},
+			nodeData,
 		)
 	}

 	return tableData, nil
 }
+
+var tagCmd = &cobra.Command{
+	Use:     "tag",
+	Short:   "Manage the tags of a node",
+	Aliases: []string{"tags", "t"},
+	Run: func(cmd *cobra.Command, args []string) {
+		output, _ := cmd.Flags().GetString("output")
+		ctx, client, conn, cancel := getHeadscaleCLIClient()
+		defer cancel()
+		defer conn.Close()
+
+		// retrieve flags from CLI
+		identifier, err := cmd.Flags().GetUint64("identifier")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error converting ID to integer: %s", err),
+				output,
+			)
+
+			return
+		}
+		tagsToSet, err := cmd.Flags().GetStringSlice("tags")
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error retrieving list of tags to add to machine, %v", err),
+				output,
+			)
+
+			return
+		}
+
+		// Sending tags to machine
+		request := &v1.SetTagsRequest{
+			MachineId: identifier,
+			Tags:      tagsToSet,
+		}
+		resp, err := client.SetTags(ctx, request)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Error while sending tags to headscale: %s", err),
+				output,
+			)
+
+			return
+		}
+
+		if resp != nil {
+			SuccessOutput(
+				resp.GetMachine(),
+				"Machine updated",
+				output,
+			)
+		}
+	},
+}
--- a/cmd/headscale/cli/preauthkeys.go
+++ b/cmd/headscale/cli/preauthkeys.go
@@ -6,6 +6,7 @@ import (
 	"time"

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/prometheus/common/model"
 	"github.com/pterm/pterm"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
@@ -13,7 +14,7 @@ import (
 )

 const (
-	DefaultPreAuthKeyExpiry = 1 * time.Hour
+	DefaultPreAuthKeyExpiry = "1h"
 )

 func init() {
@@ -31,7 +32,7 @@ func init() {
 	createPreAuthKeyCmd.PersistentFlags().
 		Bool("ephemeral", false, "Preauthkey for ephemeral nodes")
 	createPreAuthKeyCmd.Flags().
-		DurationP("expiration", "e", DefaultPreAuthKeyExpiry, "Human-readable expiration of the key (30m, 24h, 365d...)")
+		StringP("expiration", "e", DefaultPreAuthKeyExpiry, "Human-readable expiration of the key (e.g. 30m, 24h)")
 }

 var preauthkeysCmd = &cobra.Command{
@@ -148,10 +149,22 @@ var createPreAuthKeyCmd = &cobra.Command{
 			Ephemeral: ephemeral,
 		}

-		duration, _ := cmd.Flags().GetDuration("expiration")
-		expiration := time.Now().UTC().Add(duration)
+		durationStr, _ := cmd.Flags().GetString("expiration")

-		log.Trace().Dur("expiration", duration).Msg("expiration has been set")
+		duration, err := model.ParseDuration(durationStr)
+		if err != nil {
+			ErrorOutput(
+				err,
+				fmt.Sprintf("Could not parse duration: %s\n", err),
+				output,
+			)
+
+			return
+		}
+
+		expiration := time.Now().UTC().Add(time.Duration(duration))
+
+		log.Trace().Dur("expiration", time.Duration(duration)).Msg("expiration has been set")

 		request.Expiration = timestamppb.New(expiration)

--- a/cmd/headscale/cli/root.go
+++ b/cmd/headscale/cli/root.go
@@ -3,17 +3,75 @@ package cli
 import (
 	"fmt"
 	"os"
+	"runtime"

+	"github.com/juanfont/headscale"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
+	"github.com/tcnksm/go-latest"
 )

+var cfgFile string = ""
+
 func init() {
+	cobra.OnInitialize(initConfig)
+	rootCmd.PersistentFlags().
+		StringVarP(&cfgFile, "config", "c", "", "config file (default is /etc/headscale/config.yaml)")
 	rootCmd.PersistentFlags().
 		StringP("output", "o", "", "Output format. Empty for human-readable, 'json', 'json-line' or 'yaml'")
 	rootCmd.PersistentFlags().
 		Bool("force", false, "Disable prompts and forces the execution")
 }

+func initConfig() {
+	if cfgFile != "" {
+		err := headscale.LoadConfig(cfgFile, true)
+		if err != nil {
+			log.Fatal().Caller().Err(err)
+		}
+	} else {
+		err := headscale.LoadConfig("", false)
+		if err != nil {
+			log.Fatal().Caller().Err(err)
+		}
+	}
+
+	cfg, err := headscale.GetHeadscaleConfig()
+	if err != nil {
+		log.Fatal().Caller().Err(err)
+	}
+
+	machineOutput := HasMachineOutputFlag()
+
+	zerolog.SetGlobalLevel(cfg.LogLevel)
+
+	// If the user has requested a "machine" readable format,
+	// then disable login so the output remains valid.
+	if machineOutput {
+		zerolog.SetGlobalLevel(zerolog.Disabled)
+	}
+
+	if !cfg.DisableUpdateCheck && !machineOutput {
+		if (runtime.GOOS == "linux" || runtime.GOOS == "darwin") &&
+			Version != "dev" {
+			githubTag := &latest.GithubTag{
+				Owner:      "juanfont",
+				Repository: "headscale",
+			}
+			res, err := latest.Check(githubTag, Version)
+			if err == nil && res.Outdated {
+				//nolint
+				fmt.Printf(
+					"An updated version of Headscale has been found (%s vs. your current %s). Check it out https://github.com/juanfont/headscale/releases\n",
+					res.Current,
+					Version,
+				)
+			}
+		}
+	}
+}
+
 var rootCmd = &cobra.Command{
 	Use:   "headscale",
 	Short: "headscale - a Tailscale control server",
--- a/cmd/headscale/cli/routes.go
+++ b/cmd/headscale/cli/routes.go
@@ -24,6 +24,8 @@ func init() {
 	enableRouteCmd.Flags().
 		StringSliceP("route", "r", []string{}, "List (or repeated flags) of routes to enable")
 	enableRouteCmd.Flags().Uint64P("identifier", "i", 0, "Node identifier (ID)")
+	enableRouteCmd.Flags().BoolP("all", "a", false, "All routes from host")
+
 	err = enableRouteCmd.MarkFlagRequired("identifier")
 	if err != nil {
 		log.Fatalf(err.Error())
@@ -125,21 +127,43 @@ omit the route you do not want to enable.
 			return
 		}

-		routes, err := cmd.Flags().GetStringSlice("route")
-		if err != nil {
-			ErrorOutput(
-				err,
-				fmt.Sprintf("Error getting routes from flag: %s", err),
-				output,
-			)
-
-			return
-		}
-
 		ctx, client, conn, cancel := getHeadscaleCLIClient()
 		defer cancel()
 		defer conn.Close()

+		var routes []string
+
+		isAll, _ := cmd.Flags().GetBool("all")
+		if isAll {
+			response, err := client.GetMachineRoute(ctx, &v1.GetMachineRouteRequest{
+				MachineId: machineID,
+			})
+			if err != nil {
+				ErrorOutput(
+					err,
+					fmt.Sprintf(
+						"Cannot get machine routes: %s\n",
+						status.Convert(err).Message(),
+					),
+					output,
+				)
+
+				return
+			}
+			routes = response.GetRoutes().GetAdvertisedRoutes()
+		} else {
+			routes, err = cmd.Flags().GetStringSlice("route")
+			if err != nil {
+				ErrorOutput(
+					err,
+					fmt.Sprintf("Error getting routes from flag: %s", err),
+					output,
+				)
+
+				return
+			}
+		}
+
 		request := &v1.EnableMachineRoutesRequest{
 			MachineId: machineID,
 			Routes:    routes,
--- a/cmd/headscale/cli/server.go
+++ b/cmd/headscale/cli/server.go
@@ -1,8 +1,7 @@
 package cli

 import (
-	"log"
-
+	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 )

@@ -17,14 +16,14 @@ var serveCmd = &cobra.Command{
 		return nil
 	},
 	Run: func(cmd *cobra.Command, args []string) {
-		h, err := getHeadscaleApp()
+		app, err := getHeadscaleApp()
 		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
+			log.Fatal().Caller().Err(err).Msg("Error initializing")
 		}

-		err = h.Serve()
+		err = app.Serve()
 		if err != nil {
-			log.Fatalf("Error initializing: %s", err)
+			log.Fatal().Caller().Err(err).Msg("Error starting server")
 		}
 	},
 }
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@@ -4,380 +4,29 @@ import (
 	"context"
 	"crypto/tls"
 	"encoding/json"
-	"errors"
 	"fmt"
-	"io/fs"
-	"net/url"
 	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"time"
+	"reflect"

 	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/rs/zerolog/log"
-	"github.com/spf13/viper"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 	"gopkg.in/yaml.v2"
-	"inet.af/netaddr"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/dnstype"
 )

 const (
-	PermissionFallback      = 0o700
 	HeadscaleDateTimeFormat = "2006-01-02 15:04:05"
 )

-func LoadConfig(path string) error {
-	viper.SetConfigName("config")
-	if path == "" {
-		viper.AddConfigPath("/etc/headscale/")
-		viper.AddConfigPath("$HOME/.headscale")
-		viper.AddConfigPath(".")
-	} else {
-		// For testing
-		viper.AddConfigPath(path)
-	}
-
-	viper.SetEnvPrefix("headscale")
-	viper.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
-	viper.AutomaticEnv()
-
-	viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
-	viper.SetDefault("tls_letsencrypt_challenge_type", "HTTP-01")
-	viper.SetDefault("tls_client_auth_mode", "relaxed")
-
-	viper.SetDefault("log_level", "info")
-
-	viper.SetDefault("dns_config", nil)
-
-	viper.SetDefault("unix_socket", "/var/run/headscale.sock")
-	viper.SetDefault("unix_socket_permission", "0o770")
-
-	viper.SetDefault("grpc_listen_addr", ":50443")
-	viper.SetDefault("grpc_allow_insecure", false)
-
-	viper.SetDefault("cli.timeout", "5s")
-	viper.SetDefault("cli.insecure", false)
-
-	viper.SetDefault("oidc.strip_email_domain", true)
-
-	if err := viper.ReadInConfig(); err != nil {
-		return fmt.Errorf("fatal error reading config file: %w", err)
-	}
-
-	// Collect any validation errors and return them all at once
-	var errorText string
-	if (viper.GetString("tls_letsencrypt_hostname") != "") &&
-		((viper.GetString("tls_cert_path") != "") || (viper.GetString("tls_key_path") != "")) {
-		errorText += "Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both\n"
-	}
-
-	if (viper.GetString("tls_letsencrypt_hostname") != "") &&
-		(viper.GetString("tls_letsencrypt_challenge_type") == "TLS-ALPN-01") &&
-		(!strings.HasSuffix(viper.GetString("listen_addr"), ":443")) {
-		// this is only a warning because there could be something sitting in front of headscale that redirects the traffic (e.g. an iptables rule)
-		log.Warn().
-			Msg("Warning: when using tls_letsencrypt_hostname with TLS-ALPN-01 as challenge type, headscale must be reachable on port 443, i.e. listen_addr should probably end in :443")
-	}
-
-	if (viper.GetString("tls_letsencrypt_challenge_type") != "HTTP-01") &&
-		(viper.GetString("tls_letsencrypt_challenge_type") != "TLS-ALPN-01") {
-		errorText += "Fatal config error: the only supported values for tls_letsencrypt_challenge_type are HTTP-01 and TLS-ALPN-01\n"
-	}
-
-	if !strings.HasPrefix(viper.GetString("server_url"), "http://") &&
-		!strings.HasPrefix(viper.GetString("server_url"), "https://") {
-		errorText += "Fatal config error: server_url must start with https:// or http://\n"
-	}
-
-	_, authModeValid := headscale.LookupTLSClientAuthMode(
-		viper.GetString("tls_client_auth_mode"),
-	)
-
-	if !authModeValid {
-		errorText += fmt.Sprintf(
-			"Invalid tls_client_auth_mode supplied: %s. Accepted values: %s, %s, %s.",
-			viper.GetString("tls_client_auth_mode"),
-			headscale.DisabledClientAuth,
-			headscale.RelaxedClientAuth,
-			headscale.EnforcedClientAuth)
-	}
-
-	if errorText != "" {
-		//nolint
-		return errors.New(strings.TrimSuffix(errorText, "\n"))
-	} else {
-		return nil
-	}
-}
-
-func GetDERPConfig() headscale.DERPConfig {
-	urlStrs := viper.GetStringSlice("derp.urls")
-
-	urls := make([]url.URL, len(urlStrs))
-	for index, urlStr := range urlStrs {
-		urlAddr, err := url.Parse(urlStr)
-		if err != nil {
-			log.Error().
-				Str("url", urlStr).
-				Err(err).
-				Msg("Failed to parse url, ignoring...")
-		}
-
-		urls[index] = *urlAddr
-	}
-
-	paths := viper.GetStringSlice("derp.paths")
-
-	autoUpdate := viper.GetBool("derp.auto_update_enabled")
-	updateFrequency := viper.GetDuration("derp.update_frequency")
-
-	return headscale.DERPConfig{
-		URLs:            urls,
-		Paths:           paths,
-		AutoUpdate:      autoUpdate,
-		UpdateFrequency: updateFrequency,
-	}
-}
-
-func GetDNSConfig() (*tailcfg.DNSConfig, string) {
-	if viper.IsSet("dns_config") {
-		dnsConfig := &tailcfg.DNSConfig{}
-
-		if viper.IsSet("dns_config.nameservers") {
-			nameserversStr := viper.GetStringSlice("dns_config.nameservers")
-
-			nameservers := make([]netaddr.IP, len(nameserversStr))
-			resolvers := make([]dnstype.Resolver, len(nameserversStr))
-
-			for index, nameserverStr := range nameserversStr {
-				nameserver, err := netaddr.ParseIP(nameserverStr)
-				if err != nil {
-					log.Error().
-						Str("func", "getDNSConfig").
-						Err(err).
-						Msgf("Could not parse nameserver IP: %s", nameserverStr)
-				}
-
-				nameservers[index] = nameserver
-				resolvers[index] = dnstype.Resolver{
-					Addr: nameserver.String(),
-				}
-			}
-
-			dnsConfig.Nameservers = nameservers
-			dnsConfig.Resolvers = resolvers
-		}
-
-		if viper.IsSet("dns_config.restricted_nameservers") {
-			if len(dnsConfig.Nameservers) > 0 {
-				dnsConfig.Routes = make(map[string][]dnstype.Resolver)
-				restrictedDNS := viper.GetStringMapStringSlice(
-					"dns_config.restricted_nameservers",
-				)
-				for domain, restrictedNameservers := range restrictedDNS {
-					restrictedResolvers := make(
-						[]dnstype.Resolver,
-						len(restrictedNameservers),
-					)
-					for index, nameserverStr := range restrictedNameservers {
-						nameserver, err := netaddr.ParseIP(nameserverStr)
-						if err != nil {
-							log.Error().
-								Str("func", "getDNSConfig").
-								Err(err).
-								Msgf("Could not parse restricted nameserver IP: %s", nameserverStr)
-						}
-						restrictedResolvers[index] = dnstype.Resolver{
-							Addr: nameserver.String(),
-						}
-					}
-					dnsConfig.Routes[domain] = restrictedResolvers
-				}
-			} else {
-				log.Warn().
-					Msg("Warning: dns_config.restricted_nameservers is set, but no nameservers are configured. Ignoring restricted_nameservers.")
-			}
-		}
-
-		if viper.IsSet("dns_config.domains") {
-			dnsConfig.Domains = viper.GetStringSlice("dns_config.domains")
-		}
-
-		if viper.IsSet("dns_config.magic_dns") {
-			magicDNS := viper.GetBool("dns_config.magic_dns")
-			if len(dnsConfig.Nameservers) > 0 {
-				dnsConfig.Proxied = magicDNS
-			} else if magicDNS {
-				log.Warn().
-					Msg("Warning: dns_config.magic_dns is set, but no nameservers are configured. Ignoring magic_dns.")
-			}
-		}
-
-		var baseDomain string
-		if viper.IsSet("dns_config.base_domain") {
-			baseDomain = viper.GetString("dns_config.base_domain")
-		} else {
-			baseDomain = "headscale.net" // does not really matter when MagicDNS is not enabled
-		}
-
-		return dnsConfig, baseDomain
-	}
-
-	return nil, ""
-}
-
-func absPath(path string) string {
-	// If a relative path is provided, prefix it with the the directory where
-	// the config file was found.
-	if (path != "") && !strings.HasPrefix(path, string(os.PathSeparator)) {
-		dir, _ := filepath.Split(viper.ConfigFileUsed())
-		if dir != "" {
-			path = filepath.Join(dir, path)
-		}
-	}
-
-	return path
-}
-
-func getHeadscaleConfig() headscale.Config {
-	dnsConfig, baseDomain := GetDNSConfig()
-	derpConfig := GetDERPConfig()
-
-	configuredPrefixes := viper.GetStringSlice("ip_prefixes")
-	parsedPrefixes := make([]netaddr.IPPrefix, 0, len(configuredPrefixes)+1)
-
-	legacyPrefixField := viper.GetString("ip_prefix")
-	if len(legacyPrefixField) > 0 {
-		log.
-			Warn().
-			Msgf(
-				"%s, %s",
-				"use of 'ip_prefix' for configuration is deprecated",
-				"please see 'ip_prefixes' in the shipped example.",
-			)
-		legacyPrefix, err := netaddr.ParseIPPrefix(legacyPrefixField)
-		if err != nil {
-			panic(fmt.Errorf("failed to parse ip_prefix: %w", err))
-		}
-		parsedPrefixes = append(parsedPrefixes, legacyPrefix)
-	}
-
-	for i, prefixInConfig := range configuredPrefixes {
-		prefix, err := netaddr.ParseIPPrefix(prefixInConfig)
-		if err != nil {
-			panic(fmt.Errorf("failed to parse ip_prefixes[%d]: %w", i, err))
-		}
-		parsedPrefixes = append(parsedPrefixes, prefix)
-	}
-
-	prefixes := make([]netaddr.IPPrefix, 0, len(parsedPrefixes))
-	{
-		// dedup
-		normalizedPrefixes := make(map[string]int, len(parsedPrefixes))
-		for i, p := range parsedPrefixes {
-			normalized, _ := p.Range().Prefix()
-			normalizedPrefixes[normalized.String()] = i
-		}
-
-		// convert back to list
-		for _, i := range normalizedPrefixes {
-			prefixes = append(prefixes, parsedPrefixes[i])
-		}
-	}
-
-	if len(prefixes) < 1 {
-		prefixes = append(prefixes, netaddr.MustParseIPPrefix("100.64.0.0/10"))
-		log.Warn().
-			Msgf("'ip_prefixes' not configured, falling back to default: %v", prefixes)
-	}
-
-	tlsClientAuthMode, _ := headscale.LookupTLSClientAuthMode(
-		viper.GetString("tls_client_auth_mode"),
-	)
-
-	return headscale.Config{
-		ServerURL:         viper.GetString("server_url"),
-		Addr:              viper.GetString("listen_addr"),
-		GRPCAddr:          viper.GetString("grpc_listen_addr"),
-		GRPCAllowInsecure: viper.GetBool("grpc_allow_insecure"),
-
-		IPPrefixes:     prefixes,
-		PrivateKeyPath: absPath(viper.GetString("private_key_path")),
-		BaseDomain:     baseDomain,
-
-		DERP: derpConfig,
-
-		EphemeralNodeInactivityTimeout: viper.GetDuration(
-			"ephemeral_node_inactivity_timeout",
-		),
-
-		DBtype: viper.GetString("db_type"),
-		DBpath: absPath(viper.GetString("db_path")),
-		DBhost: viper.GetString("db_host"),
-		DBport: viper.GetInt("db_port"),
-		DBname: viper.GetString("db_name"),
-		DBuser: viper.GetString("db_user"),
-		DBpass: viper.GetString("db_pass"),
-
-		TLSLetsEncryptHostname: viper.GetString("tls_letsencrypt_hostname"),
-		TLSLetsEncryptListen:   viper.GetString("tls_letsencrypt_listen"),
-		TLSLetsEncryptCacheDir: absPath(
-			viper.GetString("tls_letsencrypt_cache_dir"),
-		),
-		TLSLetsEncryptChallengeType: viper.GetString("tls_letsencrypt_challenge_type"),
-
-		TLSCertPath:       absPath(viper.GetString("tls_cert_path")),
-		TLSKeyPath:        absPath(viper.GetString("tls_key_path")),
-		TLSClientAuthMode: tlsClientAuthMode,
-
-		DNSConfig: dnsConfig,
-
-		ACMEEmail: viper.GetString("acme_email"),
-		ACMEURL:   viper.GetString("acme_url"),
-
-		UnixSocket:           viper.GetString("unix_socket"),
-		UnixSocketPermission: GetFileMode("unix_socket_permission"),
-
-		OIDC: headscale.OIDCConfig{
-			Issuer:           viper.GetString("oidc.issuer"),
-			ClientID:         viper.GetString("oidc.client_id"),
-			ClientSecret:     viper.GetString("oidc.client_secret"),
-			StripEmaildomain: viper.GetBool("oidc.strip_email_domain"),
-		},
-
-		CLI: headscale.CLIConfig{
-			Address:  viper.GetString("cli.address"),
-			APIKey:   viper.GetString("cli.api_key"),
-			Timeout:  viper.GetDuration("cli.timeout"),
-			Insecure: viper.GetBool("cli.insecure"),
-		},
-	}
-}
-
 func getHeadscaleApp() (*headscale.Headscale, error) {
-	// Minimum inactivity time out is keepalive timeout (60s) plus a few seconds
-	// to avoid races
-	minInactivityTimeout, _ := time.ParseDuration("65s")
-	if viper.GetDuration("ephemeral_node_inactivity_timeout") <= minInactivityTimeout {
-		// TODO: Find a better way to return this text
-		//nolint
-		err := fmt.Errorf(
-			"ephemeral_node_inactivity_timeout (%s) is set too low, must be more than %s",
-			viper.GetString("ephemeral_node_inactivity_timeout"),
-			minInactivityTimeout,
-		)
-
-		return nil, err
+	cfg, err := headscale.GetHeadscaleConfig()
+	if err != nil {
+		return nil, fmt.Errorf("failed to load configuration while creating headscale instance: %w", err)
 	}

-	cfg := getHeadscaleConfig()
-
 	app, err := headscale.NewHeadscale(cfg)
 	if err != nil {
 		return nil, err
@@ -385,11 +34,11 @@ func getHeadscaleApp() (*headscale.Headscale, error) {

 	// We are doing this here, as in the future could be cool to have it also hot-reload

-	if viper.GetString("acl_policy_path") != "" {
-		aclPath := absPath(viper.GetString("acl_policy_path"))
+	if cfg.ACL.PolicyPath != "" {
+		aclPath := headscale.AbsolutePathFromConfigPath(cfg.ACL.PolicyPath)
 		err = app.LoadACLPolicy(aclPath)
 		if err != nil {
-			log.Error().
+			log.Fatal().
 				Str("path", aclPath).
 				Err(err).
 				Msg("Could not load the ACL policy")
@@ -400,7 +49,14 @@ func getHeadscaleApp() (*headscale.Headscale, error) {
 }

 func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.ClientConn, context.CancelFunc) {
-	cfg := getHeadscaleConfig()
+	cfg, err := headscale.GetHeadscaleConfig()
+	if err != nil {
+		log.Fatal().
+			Err(err).
+			Caller().
+			Msgf("Failed to load configuration")
+		os.Exit(-1) // we get here if logging is suppressed (i.e., json output)
+	}

 	log.Debug().
 		Dur("timeout", cfg.CLI.Timeout).
@@ -461,6 +117,7 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 	conn, err := grpc.DialContext(ctx, address, grpcOptions...)
 	if err != nil {
 		log.Fatal().Caller().Err(err).Msgf("Could not connect: %v", err)
+		os.Exit(-1) // we get here if logging is suppressed (i.e., json output)
 	}

 	client := v1.NewHeadscaleServiceClient(conn)
@@ -534,13 +191,12 @@ func (tokenAuth) RequireTransportSecurity() bool {
 	return true
 }

-func GetFileMode(key string) fs.FileMode {
-	modeStr := viper.GetString(key)
-
-	mode, err := strconv.ParseUint(modeStr, headscale.Base8, headscale.BitSize64)
-	if err != nil {
-		return PermissionFallback
+func contains[T string](ts []T, t T) bool {
+	for _, v := range ts {
+		if reflect.DeepEqual(v, t) {
+			return true
+		}
 	}

-	return fs.FileMode(mode)
+	return false
 }
--- a/cmd/headscale/headscale.go
+++ b/cmd/headscale/headscale.go
@@ -1,17 +1,13 @@
 package main

 import (
-	"fmt"
 	"os"
-	"runtime"
 	"time"

 	"github.com/efekarakus/termcolor"
 	"github.com/juanfont/headscale/cmd/headscale/cli"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
-	"github.com/spf13/viper"
-	"github.com/tcnksm/go-latest"
 )

 func main() {
@@ -43,44 +39,5 @@ func main() {
 		NoColor:    !colors,
 	})

-	if err := cli.LoadConfig(""); err != nil {
-		log.Fatal().Caller().Err(err)
-	}
-
-	machineOutput := cli.HasMachineOutputFlag()
-
-	logLevel := viper.GetString("log_level")
-	level, err := zerolog.ParseLevel(logLevel)
-	if err != nil {
-		zerolog.SetGlobalLevel(zerolog.DebugLevel)
-	} else {
-		zerolog.SetGlobalLevel(level)
-	}
-
-	// If the user has requested a "machine" readable format,
-	// then disable login so the output remains valid.
-	if machineOutput {
-		zerolog.SetGlobalLevel(zerolog.Disabled)
-	}
-
-	if !viper.GetBool("disable_check_updates") && !machineOutput {
-		if (runtime.GOOS == "linux" || runtime.GOOS == "darwin") &&
-			cli.Version != "dev" {
-			githubTag := &latest.GithubTag{
-				Owner:      "juanfont",
-				Repository: "headscale",
-			}
-			res, err := latest.Check(githubTag, cli.Version)
-			if err == nil && res.Outdated {
-				//nolint
-				fmt.Printf(
-					"An updated version of Headscale has been found (%s vs. your current %s). Check it out https://github.com/juanfont/headscale/releases\n",
-					res.Current,
-					cli.Version,
-				)
-			}
-		}
-	}
-
 	cli.Execute()
 }
--- a/cmd/headscale/headscale_test.go
+++ b/cmd/headscale/headscale_test.go
@@ -8,7 +8,7 @@ import (
 	"strings"
 	"testing"

-	"github.com/juanfont/headscale/cmd/headscale/cli"
+	"github.com/juanfont/headscale"
 	"github.com/spf13/viper"
 	"gopkg.in/check.v1"
 )
@@ -27,6 +27,51 @@ func (s *Suite) SetUpSuite(c *check.C) {
 func (s *Suite) TearDownSuite(c *check.C) {
 }

+func (*Suite) TestConfigFileLoading(c *check.C) {
+	tmpDir, err := ioutil.TempDir("", "headscale")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	path, err := os.Getwd()
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	cfgFile := filepath.Join(tmpDir, "config.yaml")
+
+	// Symlink the example config file
+	err = os.Symlink(
+		filepath.Clean(path+"/../../config-example.yaml"),
+		cfgFile,
+	)
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	// Load example config, it should load without validation errors
+	err = headscale.LoadConfig(cfgFile, true)
+	c.Assert(err, check.IsNil)
+
+	// Test that config file was interpreted correctly
+	c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
+	c.Assert(viper.GetString("listen_addr"), check.Equals, "0.0.0.0:8080")
+	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
+	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
+	c.Assert(viper.GetString("db_path"), check.Equals, "/var/lib/headscale/db.sqlite")
+	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
+	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
+	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
+	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
+	c.Assert(
+		headscale.GetFileMode("unix_socket_permission"),
+		check.Equals,
+		fs.FileMode(0o770),
+	)
+	c.Assert(viper.GetBool("logtail.enabled"), check.Equals, false)
+}
+
 func (*Suite) TestConfigLoading(c *check.C) {
 	tmpDir, err := ioutil.TempDir("", "headscale")
 	if err != nil {
@@ -49,12 +94,13 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	}

 	// Load example config, it should load without validation errors
-	err = cli.LoadConfig(tmpDir)
+	err = headscale.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)

 	// Test that config file was interpreted correctly
 	c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
 	c.Assert(viper.GetString("listen_addr"), check.Equals, "0.0.0.0:8080")
+	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
 	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
 	c.Assert(viper.GetString("db_path"), check.Equals, "/var/lib/headscale/db.sqlite")
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
@@ -62,10 +108,12 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
 	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
 	c.Assert(
-		cli.GetFileMode("unix_socket_permission"),
+		headscale.GetFileMode("unix_socket_permission"),
 		check.Equals,
 		fs.FileMode(0o770),
 	)
+	c.Assert(viper.GetBool("logtail.enabled"), check.Equals, false)
+	c.Assert(viper.GetBool("randomize_client_port"), check.Equals, false)
 }

 func (*Suite) TestDNSConfigLoading(c *check.C) {
@@ -90,10 +138,10 @@ func (*Suite) TestDNSConfigLoading(c *check.C) {
 	}

 	// Load example config, it should load without validation errors
-	err = cli.LoadConfig(tmpDir)
+	err = headscale.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)

-	dnsConfig, baseDomain := cli.GetDNSConfig()
+	dnsConfig, baseDomain := headscale.GetDNSConfig()

 	c.Assert(dnsConfig.Nameservers[0].String(), check.Equals, "1.1.1.1")
 	c.Assert(dnsConfig.Resolvers[0].Addr, check.Equals, "1.1.1.1")
@@ -123,7 +171,7 @@ func (*Suite) TestTLSConfigValidation(c *check.C) {
 	writeConfig(c, tmpDir, configYaml)

 	// Check configuration validation errors (1)
-	err = cli.LoadConfig(tmpDir)
+	err = headscale.LoadConfig(tmpDir, false)
 	c.Assert(err, check.NotNil)
 	// check.Matches can not handle multiline strings
 	tmp := strings.ReplaceAll(err.Error(), "\n", "***")
@@ -148,6 +196,6 @@ func (*Suite) TestTLSConfigValidation(c *check.C) {
 		"---\nserver_url: \"http://127.0.0.1:8080\"\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"TLS-ALPN-01\"",
 	)
 	writeConfig(c, tmpDir, configYaml)
-	err = cli.LoadConfig(tmpDir)
+	err = headscale.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)
 }
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -16,6 +16,12 @@ server_url: http://127.0.0.1:8080
 #
 listen_addr: 0.0.0.0:8080

+# Address to listen to /metrics, you may want
+# to keep this endpoint private to your internal
+# network
+#
+metrics_listen_addr: 127.0.0.1:9090
+
 # Address to listen for gRPC.
 # gRPC is used for controlling a headscale server
 # remotely with the CLI
@@ -49,6 +55,26 @@ ip_prefixes:
 # headscale needs a list of DERP servers that can be presented
 # to the clients.
 derp:
+  server:
+    # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
+    # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
+    enabled: false
+
+    # Region ID to use for the embedded DERP server.
+    # The local DERP prevails if the region ID collides with other region ID coming from
+    # the regular DERP config.
+    region_id: 999
+
+    # Region code and name are displayed in the Tailscale UI to identify a DERP region
+    region_code: "headscale"
+    region_name: "Headscale Embedded DERP"
+
+    # Listens in UDP at the configured address for STUN connections to help on NAT traversal.
+    # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
+    #
+    # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
+    stun_listen_addr: "0.0.0.0:3478"
+
  # List of externally available DERP maps encoded in JSON
  urls:
    - https://controlplane.tailscale.com/derpmap/default
@@ -77,6 +103,12 @@ disable_check_updates: false
 # Time before an inactive ephemeral node is deleted?
 ephemeral_node_inactivity_timeout: 30m

+# Period to check for node updates in the tailnet. A value too low will severily affect
+# CPU consumption of Headscale. A value too high (over 60s) will cause problems
+# to the nodes, as they won't get updates or keep alive messages in time.
+# In case of doubts, do not touch the default 10s.
+node_update_check_interval: 10s
+
 # SQLite config
 db_type: sqlite3
 db_path: /var/lib/headscale/db.sqlite
@@ -117,7 +149,7 @@ tls_client_auth_mode: relaxed
 tls_letsencrypt_cache_dir: /var/lib/headscale/cache

 # Type of ACME challenge to use, currently supported types:
-# HTTP-01 or TLS_ALPN-01
+# HTTP-01 or TLS-ALPN-01
 # See [docs/tls.md](docs/tls.md) for more information
 tls_letsencrypt_challenge_type: HTTP-01
 # When HTTP-01 challenge is chosen, letsencrypt must set up a
@@ -188,9 +220,38 @@ unix_socket_permission: "0770"
 #   client_id: "your-oidc-client-id"
 #   client_secret: "your-oidc-client-secret"
 #
+#   Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query
+#   parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email".
+#
+#   scope: ["openid", "profile", "email", "custom"]
+#   extra_params:
+#     domain_hint: example.com
+#
+#   List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
+#   authentication request will be rejected.
+#
+#   allowed_domains:
+#     - example.com
+#   allowed_users:
+#     - alice@example.com
+#
 #   If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
 #   This will transform `first-name.last-name@example.com` to the namespace `first-name.last-name`
 #   If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following
 #   namespace: `first-name.last-name.example.com`
 #
 #   strip_email_domain: true
+
+# Logtail configuration
+# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
+# to instruct tailscale nodes to log their activity to a remote server.
+logtail:
+  # Enable logtail for this headscales clients.
+  # As there is currently no support for overriding the log server in headscale, this is
+  # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
+  enabled: false
+
+# Enabling this option makes devices prefer a random port for WireGuard traffic over the
+# default static port 41641. This option is intended as a workaround for some buggy
+# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
+randomize_client_port: false
--- a/config.go
+++ b/config.go
@@ -0,0 +1,543 @@
+package headscale
+
+import (
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"io/fs"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/viper"
+	"inet.af/netaddr"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/dnstype"
+)
+
+const (
+	tlsALPN01ChallengeType = "TLS-ALPN-01"
+	http01ChallengeType    = "HTTP-01"
+)
+
+// Config contains the initial Headscale configuration.
+type Config struct {
+	ServerURL                      string
+	Addr                           string
+	MetricsAddr                    string
+	GRPCAddr                       string
+	GRPCAllowInsecure              bool
+	EphemeralNodeInactivityTimeout time.Duration
+	NodeUpdateCheckInterval        time.Duration
+	IPPrefixes                     []netaddr.IPPrefix
+	PrivateKeyPath                 string
+	BaseDomain                     string
+	LogLevel                       zerolog.Level
+	DisableUpdateCheck             bool
+
+	DERP DERPConfig
+
+	DBtype string
+	DBpath string
+	DBhost string
+	DBport int
+	DBname string
+	DBuser string
+	DBpass string
+
+	TLS TLSConfig
+
+	ACMEURL   string
+	ACMEEmail string
+
+	DNSConfig *tailcfg.DNSConfig
+
+	UnixSocket           string
+	UnixSocketPermission fs.FileMode
+
+	OIDC OIDCConfig
+
+	LogTail             LogTailConfig
+	RandomizeClientPort bool
+
+	CLI CLIConfig
+
+	ACL ACLConfig
+}
+
+type TLSConfig struct {
+	CertPath       string
+	KeyPath        string
+	ClientAuthMode tls.ClientAuthType
+
+	LetsEncrypt LetsEncryptConfig
+}
+
+type LetsEncryptConfig struct {
+	Listen        string
+	Hostname      string
+	CacheDir      string
+	ChallengeType string
+}
+
+type OIDCConfig struct {
+	Issuer           string
+	ClientID         string
+	ClientSecret     string
+	Scope            []string
+	ExtraParams      map[string]string
+	AllowedDomains   []string
+	AllowedUsers     []string
+	StripEmaildomain bool
+}
+
+type DERPConfig struct {
+	ServerEnabled    bool
+	ServerRegionID   int
+	ServerRegionCode string
+	ServerRegionName string
+	STUNAddr         string
+	URLs             []url.URL
+	Paths            []string
+	AutoUpdate       bool
+	UpdateFrequency  time.Duration
+}
+
+type LogTailConfig struct {
+	Enabled bool
+}
+
+type CLIConfig struct {
+	Address  string
+	APIKey   string
+	Timeout  time.Duration
+	Insecure bool
+}
+
+type ACLConfig struct {
+	PolicyPath string
+}
+
+func LoadConfig(path string, isFile bool) error {
+	if isFile {
+		viper.SetConfigFile(path)
+	} else {
+		viper.SetConfigName("config")
+		if path == "" {
+			viper.AddConfigPath("/etc/headscale/")
+			viper.AddConfigPath("$HOME/.headscale")
+			viper.AddConfigPath(".")
+		} else {
+			// For testing
+			viper.AddConfigPath(path)
+		}
+	}
+
+	viper.SetEnvPrefix("headscale")
+	viper.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
+	viper.AutomaticEnv()
+
+	viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
+	viper.SetDefault("tls_letsencrypt_challenge_type", http01ChallengeType)
+	viper.SetDefault("tls_client_auth_mode", "relaxed")
+
+	viper.SetDefault("log_level", "info")
+
+	viper.SetDefault("dns_config", nil)
+
+	viper.SetDefault("derp.server.enabled", false)
+	viper.SetDefault("derp.server.stun.enabled", true)
+
+	viper.SetDefault("unix_socket", "/var/run/headscale.sock")
+	viper.SetDefault("unix_socket_permission", "0o770")
+
+	viper.SetDefault("grpc_listen_addr", ":50443")
+	viper.SetDefault("grpc_allow_insecure", false)
+
+	viper.SetDefault("cli.timeout", "5s")
+	viper.SetDefault("cli.insecure", false)
+
+	viper.SetDefault("oidc.scope", []string{oidc.ScopeOpenID, "profile", "email"})
+	viper.SetDefault("oidc.strip_email_domain", true)
+
+	viper.SetDefault("logtail.enabled", false)
+	viper.SetDefault("randomize_client_port", false)
+
+	viper.SetDefault("ephemeral_node_inactivity_timeout", "120s")
+
+	viper.SetDefault("node_update_check_interval", "10s")
+
+	if err := viper.ReadInConfig(); err != nil {
+		log.Warn().Err(err).Msg("Failed to read configuration from disk")
+
+		return fmt.Errorf("fatal error reading config file: %w", err)
+	}
+
+	// Collect any validation errors and return them all at once
+	var errorText string
+	if (viper.GetString("tls_letsencrypt_hostname") != "") &&
+		((viper.GetString("tls_cert_path") != "") || (viper.GetString("tls_key_path") != "")) {
+		errorText += "Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both\n"
+	}
+
+	if (viper.GetString("tls_letsencrypt_hostname") != "") &&
+		(viper.GetString("tls_letsencrypt_challenge_type") == tlsALPN01ChallengeType) &&
+		(!strings.HasSuffix(viper.GetString("listen_addr"), ":443")) {
+		// this is only a warning because there could be something sitting in front of headscale that redirects the traffic (e.g. an iptables rule)
+		log.Warn().
+			Msg("Warning: when using tls_letsencrypt_hostname with TLS-ALPN-01 as challenge type, headscale must be reachable on port 443, i.e. listen_addr should probably end in :443")
+	}
+
+	if (viper.GetString("tls_letsencrypt_challenge_type") != http01ChallengeType) &&
+		(viper.GetString("tls_letsencrypt_challenge_type") != tlsALPN01ChallengeType) {
+		errorText += "Fatal config error: the only supported values for tls_letsencrypt_challenge_type are HTTP-01 and TLS-ALPN-01\n"
+	}
+
+	if !strings.HasPrefix(viper.GetString("server_url"), "http://") &&
+		!strings.HasPrefix(viper.GetString("server_url"), "https://") {
+		errorText += "Fatal config error: server_url must start with https:// or http://\n"
+	}
+
+	_, authModeValid := LookupTLSClientAuthMode(
+		viper.GetString("tls_client_auth_mode"),
+	)
+
+	if !authModeValid {
+		errorText += fmt.Sprintf(
+			"Invalid tls_client_auth_mode supplied: %s. Accepted values: %s, %s, %s.",
+			viper.GetString("tls_client_auth_mode"),
+			DisabledClientAuth,
+			RelaxedClientAuth,
+			EnforcedClientAuth)
+	}
+
+	// Minimum inactivity time out is keepalive timeout (60s) plus a few seconds
+	// to avoid races
+	minInactivityTimeout, _ := time.ParseDuration("65s")
+	if viper.GetDuration("ephemeral_node_inactivity_timeout") <= minInactivityTimeout {
+		errorText += fmt.Sprintf(
+			"Fatal config error: ephemeral_node_inactivity_timeout (%s) is set too low, must be more than %s",
+			viper.GetString("ephemeral_node_inactivity_timeout"),
+			minInactivityTimeout,
+		)
+	}
+
+	maxNodeUpdateCheckInterval, _ := time.ParseDuration("60s")
+	if viper.GetDuration("node_update_check_interval") > maxNodeUpdateCheckInterval {
+		errorText += fmt.Sprintf(
+			"Fatal config error: node_update_check_interval (%s) is set too high, must be less than %s",
+			viper.GetString("node_update_check_interval"),
+			maxNodeUpdateCheckInterval,
+		)
+	}
+
+	if errorText != "" {
+		//nolint
+		return errors.New(strings.TrimSuffix(errorText, "\n"))
+	} else {
+		return nil
+	}
+}
+
+func GetTLSConfig() TLSConfig {
+	tlsClientAuthMode, _ := LookupTLSClientAuthMode(
+		viper.GetString("tls_client_auth_mode"),
+	)
+
+	return TLSConfig{
+		LetsEncrypt: LetsEncryptConfig{
+			Hostname: viper.GetString("tls_letsencrypt_hostname"),
+			Listen:   viper.GetString("tls_letsencrypt_listen"),
+			CacheDir: AbsolutePathFromConfigPath(
+				viper.GetString("tls_letsencrypt_cache_dir"),
+			),
+			ChallengeType: viper.GetString("tls_letsencrypt_challenge_type"),
+		},
+		CertPath: AbsolutePathFromConfigPath(
+			viper.GetString("tls_cert_path"),
+		),
+		KeyPath: AbsolutePathFromConfigPath(
+			viper.GetString("tls_key_path"),
+		),
+		ClientAuthMode: tlsClientAuthMode,
+	}
+}
+
+func GetDERPConfig() DERPConfig {
+	serverEnabled := viper.GetBool("derp.server.enabled")
+	serverRegionID := viper.GetInt("derp.server.region_id")
+	serverRegionCode := viper.GetString("derp.server.region_code")
+	serverRegionName := viper.GetString("derp.server.region_name")
+	stunAddr := viper.GetString("derp.server.stun_listen_addr")
+
+	if serverEnabled && stunAddr == "" {
+		log.Fatal().
+			Msg("derp.server.stun_listen_addr must be set if derp.server.enabled is true")
+	}
+
+	urlStrs := viper.GetStringSlice("derp.urls")
+
+	urls := make([]url.URL, len(urlStrs))
+	for index, urlStr := range urlStrs {
+		urlAddr, err := url.Parse(urlStr)
+		if err != nil {
+			log.Error().
+				Str("url", urlStr).
+				Err(err).
+				Msg("Failed to parse url, ignoring...")
+		}
+
+		urls[index] = *urlAddr
+	}
+
+	paths := viper.GetStringSlice("derp.paths")
+
+	autoUpdate := viper.GetBool("derp.auto_update_enabled")
+	updateFrequency := viper.GetDuration("derp.update_frequency")
+
+	return DERPConfig{
+		ServerEnabled:    serverEnabled,
+		ServerRegionID:   serverRegionID,
+		ServerRegionCode: serverRegionCode,
+		ServerRegionName: serverRegionName,
+		STUNAddr:         stunAddr,
+		URLs:             urls,
+		Paths:            paths,
+		AutoUpdate:       autoUpdate,
+		UpdateFrequency:  updateFrequency,
+	}
+}
+
+func GetLogTailConfig() LogTailConfig {
+	enabled := viper.GetBool("logtail.enabled")
+
+	return LogTailConfig{
+		Enabled: enabled,
+	}
+}
+
+func GetACLConfig() ACLConfig {
+	policyPath := viper.GetString("acl_policy_path")
+
+	return ACLConfig{
+		PolicyPath: policyPath,
+	}
+}
+
+func GetDNSConfig() (*tailcfg.DNSConfig, string) {
+	if viper.IsSet("dns_config") {
+		dnsConfig := &tailcfg.DNSConfig{}
+
+		if viper.IsSet("dns_config.nameservers") {
+			nameserversStr := viper.GetStringSlice("dns_config.nameservers")
+
+			nameservers := make([]netaddr.IP, len(nameserversStr))
+			resolvers := make([]*dnstype.Resolver, len(nameserversStr))
+
+			for index, nameserverStr := range nameserversStr {
+				nameserver, err := netaddr.ParseIP(nameserverStr)
+				if err != nil {
+					log.Error().
+						Str("func", "getDNSConfig").
+						Err(err).
+						Msgf("Could not parse nameserver IP: %s", nameserverStr)
+				}
+
+				nameservers[index] = nameserver
+				resolvers[index] = &dnstype.Resolver{
+					Addr: nameserver.String(),
+				}
+			}
+
+			dnsConfig.Nameservers = nameservers
+			dnsConfig.Resolvers = resolvers
+		}
+
+		if viper.IsSet("dns_config.restricted_nameservers") {
+			if len(dnsConfig.Nameservers) > 0 {
+				dnsConfig.Routes = make(map[string][]*dnstype.Resolver)
+				restrictedDNS := viper.GetStringMapStringSlice(
+					"dns_config.restricted_nameservers",
+				)
+				for domain, restrictedNameservers := range restrictedDNS {
+					restrictedResolvers := make(
+						[]*dnstype.Resolver,
+						len(restrictedNameservers),
+					)
+					for index, nameserverStr := range restrictedNameservers {
+						nameserver, err := netaddr.ParseIP(nameserverStr)
+						if err != nil {
+							log.Error().
+								Str("func", "getDNSConfig").
+								Err(err).
+								Msgf("Could not parse restricted nameserver IP: %s", nameserverStr)
+						}
+						restrictedResolvers[index] = &dnstype.Resolver{
+							Addr: nameserver.String(),
+						}
+					}
+					dnsConfig.Routes[domain] = restrictedResolvers
+				}
+			} else {
+				log.Warn().
+					Msg("Warning: dns_config.restricted_nameservers is set, but no nameservers are configured. Ignoring restricted_nameservers.")
+			}
+		}
+
+		if viper.IsSet("dns_config.domains") {
+			dnsConfig.Domains = viper.GetStringSlice("dns_config.domains")
+		}
+
+		if viper.IsSet("dns_config.magic_dns") {
+			magicDNS := viper.GetBool("dns_config.magic_dns")
+			if len(dnsConfig.Nameservers) > 0 {
+				dnsConfig.Proxied = magicDNS
+			} else if magicDNS {
+				log.Warn().
+					Msg("Warning: dns_config.magic_dns is set, but no nameservers are configured. Ignoring magic_dns.")
+			}
+		}
+
+		var baseDomain string
+		if viper.IsSet("dns_config.base_domain") {
+			baseDomain = viper.GetString("dns_config.base_domain")
+		} else {
+			baseDomain = "headscale.net" // does not really matter when MagicDNS is not enabled
+		}
+
+		return dnsConfig, baseDomain
+	}
+
+	return nil, ""
+}
+
+func GetHeadscaleConfig() (*Config, error) {
+	dnsConfig, baseDomain := GetDNSConfig()
+	derpConfig := GetDERPConfig()
+	logConfig := GetLogTailConfig()
+	randomizeClientPort := viper.GetBool("randomize_client_port")
+
+	configuredPrefixes := viper.GetStringSlice("ip_prefixes")
+	parsedPrefixes := make([]netaddr.IPPrefix, 0, len(configuredPrefixes)+1)
+
+	logLevelStr := viper.GetString("log_level")
+	logLevel, err := zerolog.ParseLevel(logLevelStr)
+	if err != nil {
+		logLevel = zerolog.DebugLevel
+	}
+
+	legacyPrefixField := viper.GetString("ip_prefix")
+	if len(legacyPrefixField) > 0 {
+		log.
+			Warn().
+			Msgf(
+				"%s, %s",
+				"use of 'ip_prefix' for configuration is deprecated",
+				"please see 'ip_prefixes' in the shipped example.",
+			)
+		legacyPrefix, err := netaddr.ParseIPPrefix(legacyPrefixField)
+		if err != nil {
+			panic(fmt.Errorf("failed to parse ip_prefix: %w", err))
+		}
+		parsedPrefixes = append(parsedPrefixes, legacyPrefix)
+	}
+
+	for i, prefixInConfig := range configuredPrefixes {
+		prefix, err := netaddr.ParseIPPrefix(prefixInConfig)
+		if err != nil {
+			panic(fmt.Errorf("failed to parse ip_prefixes[%d]: %w", i, err))
+		}
+		parsedPrefixes = append(parsedPrefixes, prefix)
+	}
+
+	prefixes := make([]netaddr.IPPrefix, 0, len(parsedPrefixes))
+	{
+		// dedup
+		normalizedPrefixes := make(map[string]int, len(parsedPrefixes))
+		for i, p := range parsedPrefixes {
+			normalized, _ := p.Range().Prefix()
+			normalizedPrefixes[normalized.String()] = i
+		}
+
+		// convert back to list
+		for _, i := range normalizedPrefixes {
+			prefixes = append(prefixes, parsedPrefixes[i])
+		}
+	}
+
+	if len(prefixes) < 1 {
+		prefixes = append(prefixes, netaddr.MustParseIPPrefix("100.64.0.0/10"))
+		log.Warn().
+			Msgf("'ip_prefixes' not configured, falling back to default: %v", prefixes)
+	}
+
+	return &Config{
+		ServerURL:          viper.GetString("server_url"),
+		Addr:               viper.GetString("listen_addr"),
+		MetricsAddr:        viper.GetString("metrics_listen_addr"),
+		GRPCAddr:           viper.GetString("grpc_listen_addr"),
+		GRPCAllowInsecure:  viper.GetBool("grpc_allow_insecure"),
+		DisableUpdateCheck: viper.GetBool("disable_check_updates"),
+		LogLevel:           logLevel,
+
+		IPPrefixes: prefixes,
+		PrivateKeyPath: AbsolutePathFromConfigPath(
+			viper.GetString("private_key_path"),
+		),
+		BaseDomain: baseDomain,
+
+		DERP: derpConfig,
+
+		EphemeralNodeInactivityTimeout: viper.GetDuration(
+			"ephemeral_node_inactivity_timeout",
+		),
+
+		NodeUpdateCheckInterval: viper.GetDuration(
+			"node_update_check_interval",
+		),
+
+		DBtype: viper.GetString("db_type"),
+		DBpath: AbsolutePathFromConfigPath(viper.GetString("db_path")),
+		DBhost: viper.GetString("db_host"),
+		DBport: viper.GetInt("db_port"),
+		DBname: viper.GetString("db_name"),
+		DBuser: viper.GetString("db_user"),
+		DBpass: viper.GetString("db_pass"),
+
+		TLS: GetTLSConfig(),
+
+		DNSConfig: dnsConfig,
+
+		ACMEEmail: viper.GetString("acme_email"),
+		ACMEURL:   viper.GetString("acme_url"),
+
+		UnixSocket:           viper.GetString("unix_socket"),
+		UnixSocketPermission: GetFileMode("unix_socket_permission"),
+
+		OIDC: OIDCConfig{
+			Issuer:           viper.GetString("oidc.issuer"),
+			ClientID:         viper.GetString("oidc.client_id"),
+			ClientSecret:     viper.GetString("oidc.client_secret"),
+			Scope:            viper.GetStringSlice("oidc.scope"),
+			ExtraParams:      viper.GetStringMapString("oidc.extra_params"),
+			AllowedDomains:   viper.GetStringSlice("oidc.allowed_domains"),
+			AllowedUsers:     viper.GetStringSlice("oidc.allowed_users"),
+			StripEmaildomain: viper.GetBool("oidc.strip_email_domain"),
+		},
+
+		LogTail:             logConfig,
+		RandomizeClientPort: randomizeClientPort,
+
+		CLI: CLIConfig{
+			Address:  viper.GetString("cli.address"),
+			APIKey:   viper.GetString("cli.api_key"),
+			Timeout:  viper.GetDuration("cli.timeout"),
+			Insecure: viper.GetBool("cli.insecure"),
+		},
+
+		ACL: GetACLConfig(),
+	}, nil
+}
--- a/db.go
+++ b/db.go
@@ -1,6 +1,7 @@
 package headscale

 import (
+	"context"
 	"database/sql/driver"
 	"encoding/json"
 	"errors"
@@ -39,6 +40,12 @@ func (h *Headscale) initDB() error {
 	}

 	_ = db.Migrator().RenameColumn(&Machine{}, "ip_address", "ip_addresses")
+	_ = db.Migrator().RenameColumn(&Machine{}, "name", "hostname")
+
+	// GivenName is used as the primary source of DNS names, make sure
+	// the field is populated and normalized if it was not when the
+	// machine was registered.
+	_ = db.Migrator().RenameColumn(&Machine{}, "nickname", "given_name")

 	// If the Machine table has a column for registered,
 	// find all occourences of "false" and drop them. Then
@@ -54,13 +61,13 @@ func (h *Headscale) initDB() error {

 		for _, machine := range machines {
 			log.Info().
-				Str("machine", machine.Name).
+				Str("machine", machine.Hostname).
 				Str("machine_key", machine.MachineKey).
 				Msg("Deleting unregistered machine")
 			if err := h.db.Delete(&Machine{}, machine.ID).Error; err != nil {
 				log.Error().
 					Err(err).
-					Str("machine", machine.Name).
+					Str("machine", machine.Hostname).
 					Str("machine_key", machine.MachineKey).
 					Msg("Error deleting unregistered machine")
 			}
@@ -77,6 +84,38 @@ func (h *Headscale) initDB() error {
 		return err
 	}

+	if db.Migrator().HasColumn(&Machine{}, "given_name") {
+		machines := Machines{}
+		if err := h.db.Find(&machines).Error; err != nil {
+			log.Error().Err(err).Msg("Error accessing db")
+		}
+
+		for item, machine := range machines {
+			if machine.GivenName == "" {
+				normalizedHostname, err := NormalizeToFQDNRules(
+					machine.Hostname,
+					h.cfg.OIDC.StripEmaildomain,
+				)
+				if err != nil {
+					log.Error().
+						Caller().
+						Str("hostname", machine.Hostname).
+						Err(err).
+						Msg("Failed to normalize machine hostname in DB migration")
+				}
+
+				err = h.RenameMachine(&machines[item], normalizedHostname)
+				if err != nil {
+					log.Error().
+						Caller().
+						Str("hostname", machine.Hostname).
+						Err(err).
+						Msg("Failed to save normalized machine name in DB migration")
+				}
+			}
+		}
+	}
+
 	err = db.AutoMigrate(&KV{})
 	if err != nil {
 		return err
@@ -175,11 +214,24 @@ func (h *Headscale) setValue(key string, value string) error {
 		return nil
 	}

-	h.db.Create(keyValue)
+	if err := h.db.Create(keyValue).Error; err != nil {
+		return fmt.Errorf("failed to create key value pair in the database: %w", err)
+	}

 	return nil
 }

+func (h *Headscale) pingDB() error {
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
+	defer cancel()
+	db, err := h.db.DB()
+	if err != nil {
+		return err
+	}
+
+	return db.PingContext(ctx)
+}
+
 // This is a "wrapper" type around tailscales
 // Hostinfo to allow us to add database "serialization"
 // methods. This allows us to use a typed values throughout
--- a/derp-example.yaml
+++ b/derp-example.yaml
@@ -12,4 +12,4 @@ regions:
        ipv6: "2604:a880:400:d1::828:b001"
        stunport: 0
        stunonly: false
-        derptestport: 0
+        derpport: 0
--- a/derp.go
+++ b/derp.go
@@ -148,17 +148,11 @@ func (h *Headscale) scheduledDERPMapUpdateWorker(cancelChan <-chan struct{}) {
 		case <-ticker.C:
 			log.Info().Msg("Fetching DERPMap updates")
 			h.DERPMap = GetDERPMap(h.cfg.DERP)
-
-			namespaces, err := h.ListNamespaces()
-			if err != nil {
-				log.Error().
-					Err(err).
-					Msg("Failed to fetch namespaces")
+			if h.cfg.DERP.ServerEnabled {
+				h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region
 			}

-			for _, namespace := range namespaces {
-				h.setLastStateChangeToNow(namespace.Name)
-			}
+			h.setLastStateChangeToNow()
 		}
 	}
 }
--- a/derp_server.go
+++ b/derp_server.go
@@ -0,0 +1,287 @@
+package headscale
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/http"
+	"net/url"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/rs/zerolog/log"
+	"tailscale.com/derp"
+	"tailscale.com/net/stun"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+)
+
+// fastStartHeader is the header (with value "1") that signals to the HTTP
+// server that the DERP HTTP client does not want the HTTP 101 response
+// headers and it will begin writing & reading the DERP protocol immediately
+// following its HTTP request.
+const fastStartHeader = "Derp-Fast-Start"
+
+type DERPServer struct {
+	tailscaleDERP *derp.Server
+	region        tailcfg.DERPRegion
+}
+
+func (h *Headscale) NewDERPServer() (*DERPServer, error) {
+	log.Trace().Caller().Msg("Creating new embedded DERP server")
+	server := derp.NewServer(key.NodePrivate(*h.privateKey), log.Info().Msgf)
+	region, err := h.generateRegionLocalDERP()
+	if err != nil {
+		return nil, err
+	}
+
+	return &DERPServer{server, region}, nil
+}
+
+func (h *Headscale) generateRegionLocalDERP() (tailcfg.DERPRegion, error) {
+	serverURL, err := url.Parse(h.cfg.ServerURL)
+	if err != nil {
+		return tailcfg.DERPRegion{}, err
+	}
+	var host string
+	var port int
+	host, portStr, err := net.SplitHostPort(serverURL.Host)
+	if err != nil {
+		if serverURL.Scheme == "https" {
+			host = serverURL.Host
+			port = 443
+		} else {
+			host = serverURL.Host
+			port = 80
+		}
+	} else {
+		port, err = strconv.Atoi(portStr)
+		if err != nil {
+			return tailcfg.DERPRegion{}, err
+		}
+	}
+
+	localDERPregion := tailcfg.DERPRegion{
+		RegionID:   h.cfg.DERP.ServerRegionID,
+		RegionCode: h.cfg.DERP.ServerRegionCode,
+		RegionName: h.cfg.DERP.ServerRegionName,
+		Avoid:      false,
+		Nodes: []*tailcfg.DERPNode{
+			{
+				Name:     fmt.Sprintf("%d", h.cfg.DERP.ServerRegionID),
+				RegionID: h.cfg.DERP.ServerRegionID,
+				HostName: host,
+				DERPPort: port,
+			},
+		},
+	}
+
+	_, portSTUNStr, err := net.SplitHostPort(h.cfg.DERP.STUNAddr)
+	if err != nil {
+		return tailcfg.DERPRegion{}, err
+	}
+	portSTUN, err := strconv.Atoi(portSTUNStr)
+	if err != nil {
+		return tailcfg.DERPRegion{}, err
+	}
+	localDERPregion.Nodes[0].STUNPort = portSTUN
+
+	log.Info().Caller().Msgf("DERP region: %+v", localDERPregion)
+
+	return localDERPregion, nil
+}
+
+func (h *Headscale) DERPHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	log.Trace().Caller().Msgf("/derp request from %v", req.RemoteAddr)
+	up := strings.ToLower(req.Header.Get("Upgrade"))
+	if up != "websocket" && up != "derp" {
+		if up != "" {
+			log.Warn().Caller().Msgf("Weird websockets connection upgrade: %q", up)
+		}
+		writer.Header().Set("Content-Type", "text/plain")
+		writer.WriteHeader(http.StatusUpgradeRequired)
+		_, err := writer.Write([]byte("DERP requires connection upgrade"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
+	fastStart := req.Header.Get(fastStartHeader) == "1"
+
+	hijacker, ok := writer.(http.Hijacker)
+	if !ok {
+		log.Error().Caller().Msg("DERP requires Hijacker interface from Gin")
+		writer.Header().Set("Content-Type", "text/plain")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("HTTP does not support general TCP support"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
+	netConn, conn, err := hijacker.Hijack()
+	if err != nil {
+		log.Error().Caller().Err(err).Msgf("Hijack failed")
+		writer.Header().Set("Content-Type", "text/plain")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err = writer.Write([]byte("HTTP does not support general TCP support"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+	log.Trace().Caller().Msgf("Hijacked connection from %v", req.RemoteAddr)
+
+	if !fastStart {
+		pubKey := h.privateKey.Public()
+		pubKeyStr := pubKey.UntypedHexString() // nolint
+		fmt.Fprintf(conn, "HTTP/1.1 101 Switching Protocols\r\n"+
+			"Upgrade: DERP\r\n"+
+			"Connection: Upgrade\r\n"+
+			"Derp-Version: %v\r\n"+
+			"Derp-Public-Key: %s\r\n\r\n",
+			derp.ProtocolVersion,
+			pubKeyStr)
+	}
+
+	h.DERPServer.tailscaleDERP.Accept(netConn, conn, netConn.RemoteAddr().String())
+}
+
+// DERPProbeHandler is the endpoint that js/wasm clients hit to measure
+// DERP latency, since they can't do UDP STUN queries.
+func (h *Headscale) DERPProbeHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	switch req.Method {
+	case "HEAD", "GET":
+		writer.Header().Set("Access-Control-Allow-Origin", "*")
+		writer.WriteHeader(http.StatusOK)
+	default:
+		writer.WriteHeader(http.StatusMethodNotAllowed)
+		_, err := writer.Write([]byte("bogus probe method"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+	}
+}
+
+// DERPBootstrapDNSHandler implements the /bootsrap-dns endpoint
+// Described in https://github.com/tailscale/tailscale/issues/1405,
+// this endpoint provides a way to help a client when it fails to start up
+// because its DNS are broken.
+// The initial implementation is here https://github.com/tailscale/tailscale/pull/1406
+// They have a cache, but not clear if that is really necessary at Headscale, uh, scale.
+// An example implementation is found here https://derp.tailscale.com/bootstrap-dns
+func (h *Headscale) DERPBootstrapDNSHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	dnsEntries := make(map[string][]net.IP)
+
+	resolvCtx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	defer cancel()
+	var resolver net.Resolver
+	for _, region := range h.DERPMap.Regions {
+		for _, node := range region.Nodes { // we don't care if we override some nodes
+			addrs, err := resolver.LookupIP(resolvCtx, "ip", node.HostName)
+			if err != nil {
+				log.Trace().
+					Caller().
+					Err(err).
+					Msgf("bootstrap DNS lookup failed %q", node.HostName)
+
+				continue
+			}
+			dnsEntries[node.HostName] = addrs
+		}
+	}
+	writer.Header().Set("Content-Type", "application/json")
+	writer.WriteHeader(http.StatusOK)
+	err := json.NewEncoder(writer).Encode(dnsEntries)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
+}
+
+// ServeSTUN starts a STUN server on the configured addr.
+func (h *Headscale) ServeSTUN() {
+	packetConn, err := net.ListenPacket("udp", h.cfg.DERP.STUNAddr)
+	if err != nil {
+		log.Fatal().Msgf("failed to open STUN listener: %v", err)
+	}
+	log.Info().Msgf("STUN server started at %s", packetConn.LocalAddr())
+
+	udpConn, ok := packetConn.(*net.UDPConn)
+	if !ok {
+		log.Fatal().Msg("STUN listener is not a UDP listener")
+	}
+	serverSTUNListener(context.Background(), udpConn)
+}
+
+func serverSTUNListener(ctx context.Context, packetConn *net.UDPConn) {
+	var buf [64 << 10]byte
+	var (
+		bytesRead int
+		udpAddr   *net.UDPAddr
+		err       error
+	)
+	for {
+		bytesRead, udpAddr, err = packetConn.ReadFromUDP(buf[:])
+		if err != nil {
+			if ctx.Err() != nil {
+				return
+			}
+			log.Error().Caller().Err(err).Msgf("STUN ReadFrom")
+			time.Sleep(time.Second)
+
+			continue
+		}
+		log.Trace().Caller().Msgf("STUN request from %v", udpAddr)
+		pkt := buf[:bytesRead]
+		if !stun.Is(pkt) {
+			log.Trace().Caller().Msgf("UDP packet is not STUN")
+
+			continue
+		}
+		txid, err := stun.ParseBindingRequest(pkt)
+		if err != nil {
+			log.Trace().Caller().Err(err).Msgf("STUN parse error")
+
+			continue
+		}
+
+		res := stun.Response(txid, udpAddr.IP, uint16(udpAddr.Port))
+		_, err = packetConn.WriteTo(res, udpAddr)
+		if err != nil {
+			log.Trace().Caller().Err(err).Msgf("Issue writing to UDP")
+
+			continue
+		}
+	}
+}
--- a/dns.go
+++ b/dns.go
@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"strings"

-	"github.com/fatih/set"
+	mapset "github.com/deckarep/golang-set/v2"
 	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/dnsname"
@@ -170,18 +170,12 @@ func getMapResponseDNSConfig(
 			),
 		)

-		namespaceSet := set.New(set.ThreadSafe)
+		namespaceSet := mapset.NewSet[Namespace]()
 		namespaceSet.Add(machine.Namespace)
 		for _, p := range peers {
 			namespaceSet.Add(p.Namespace)
 		}
-		for _, ns := range namespaceSet.List() {
-			namespace, ok := ns.(Namespace)
-			if !ok {
-				dnsConfig = dnsConfigOrig
-
-				continue
-			}
+		for _, namespace := range namespaceSet.ToSlice() {
 			dnsRoute := fmt.Sprintf("%v.%v", namespace.Name, baseDomain)
 			dnsConfig.Routes[dnsRoute] = nil
 		}
--- a/dns_test.go
+++ b/dns_test.go
@@ -161,7 +161,7 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 		MachineKey:     "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
 		NodeKey:        "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
 		DiscoKey:       "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		Name:           "test_get_shared_nodes_1",
+		Hostname:       "test_get_shared_nodes_1",
 		NamespaceID:    namespaceShared1.ID,
 		Namespace:      *namespaceShared1,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -170,7 +170,7 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 	}
 	app.db.Save(machineInShared1)

-	_, err = app.GetMachine(namespaceShared1.Name, machineInShared1.Name)
+	_, err = app.GetMachine(namespaceShared1.Name, machineInShared1.Hostname)
 	c.Assert(err, check.IsNil)

 	machineInShared2 := &Machine{
@@ -178,7 +178,7 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Name:           "test_get_shared_nodes_2",
+		Hostname:       "test_get_shared_nodes_2",
 		NamespaceID:    namespaceShared2.ID,
 		Namespace:      *namespaceShared2,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -187,7 +187,7 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 	}
 	app.db.Save(machineInShared2)

-	_, err = app.GetMachine(namespaceShared2.Name, machineInShared2.Name)
+	_, err = app.GetMachine(namespaceShared2.Name, machineInShared2.Hostname)
 	c.Assert(err, check.IsNil)

 	machineInShared3 := &Machine{
@@ -195,7 +195,7 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Name:           "test_get_shared_nodes_3",
+		Hostname:       "test_get_shared_nodes_3",
 		NamespaceID:    namespaceShared3.ID,
 		Namespace:      *namespaceShared3,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -204,7 +204,7 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 	}
 	app.db.Save(machineInShared3)

-	_, err = app.GetMachine(namespaceShared3.Name, machineInShared3.Name)
+	_, err = app.GetMachine(namespaceShared3.Name, machineInShared3.Hostname)
 	c.Assert(err, check.IsNil)

 	machine2InShared1 := &Machine{
@@ -212,7 +212,7 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Name:           "test_get_shared_nodes_4",
+		Hostname:       "test_get_shared_nodes_4",
 		NamespaceID:    namespaceShared1.ID,
 		Namespace:      *namespaceShared1,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -223,7 +223,7 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {

 	baseDomain := "foobar.headscale.net"
 	dnsConfigOrig := tailcfg.DNSConfig{
-		Routes:  make(map[string][]dnstype.Resolver),
+		Routes:  make(map[string][]*dnstype.Resolver),
 		Domains: []string{baseDomain},
 		Proxied: true,
 	}
@@ -304,7 +304,7 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 		MachineKey:     "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
 		NodeKey:        "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
 		DiscoKey:       "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		Name:           "test_get_shared_nodes_1",
+		Hostname:       "test_get_shared_nodes_1",
 		NamespaceID:    namespaceShared1.ID,
 		Namespace:      *namespaceShared1,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -313,7 +313,7 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 	}
 	app.db.Save(machineInShared1)

-	_, err = app.GetMachine(namespaceShared1.Name, machineInShared1.Name)
+	_, err = app.GetMachine(namespaceShared1.Name, machineInShared1.Hostname)
 	c.Assert(err, check.IsNil)

 	machineInShared2 := &Machine{
@@ -321,7 +321,7 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Name:           "test_get_shared_nodes_2",
+		Hostname:       "test_get_shared_nodes_2",
 		NamespaceID:    namespaceShared2.ID,
 		Namespace:      *namespaceShared2,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -330,7 +330,7 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 	}
 	app.db.Save(machineInShared2)

-	_, err = app.GetMachine(namespaceShared2.Name, machineInShared2.Name)
+	_, err = app.GetMachine(namespaceShared2.Name, machineInShared2.Hostname)
 	c.Assert(err, check.IsNil)

 	machineInShared3 := &Machine{
@@ -338,7 +338,7 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Name:           "test_get_shared_nodes_3",
+		Hostname:       "test_get_shared_nodes_3",
 		NamespaceID:    namespaceShared3.ID,
 		Namespace:      *namespaceShared3,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -347,7 +347,7 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 	}
 	app.db.Save(machineInShared3)

-	_, err = app.GetMachine(namespaceShared3.Name, machineInShared3.Name)
+	_, err = app.GetMachine(namespaceShared3.Name, machineInShared3.Hostname)
 	c.Assert(err, check.IsNil)

 	machine2InShared1 := &Machine{
@@ -355,7 +355,7 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Name:           "test_get_shared_nodes_4",
+		Hostname:       "test_get_shared_nodes_4",
 		NamespaceID:    namespaceShared1.ID,
 		Namespace:      *namespaceShared1,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -366,7 +366,7 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {

 	baseDomain := "foobar.headscale.net"
 	dnsConfigOrig := tailcfg.DNSConfig{
-		Routes:  make(map[string][]dnstype.Resolver),
+		Routes:  make(map[string][]*dnstype.Resolver),
 		Domains: []string{baseDomain},
 		Proxied: false,
 	}
--- a/docs/README.md
+++ b/docs/README.md
@@ -3,7 +3,7 @@
 This page contains the official and community contributed documentation for `headscale`.

 If you are having trouble with following the documentation or get unexpected results,
-please ask on [Discord](https://discord.gg/XcQxk2VHjx) instead of opening an Issue.
+please ask on [Discord](https://discord.gg/c84AZQhmpx) instead of opening an Issue.

 ## Official documentation

@@ -27,6 +27,7 @@ written by community members. It is _not_ verified by `headscale` developers.
 **It might be outdated and it might miss necessary steps**.

 - [Running headscale in a container](running-headscale-container.md)
+- [Running headscale on OpenBSD](running-headscale-openbsd.md)

 ## Misc

--- a/docs/acls.md
+++ b/docs/acls.md
@@ -5,12 +5,16 @@ ACL's are the most useful).

 We have a small company with a boss, an admin, two developers and an intern.

-The boss should have access to all servers but not to the users hosts. Admin
+The boss should have access to all servers but not to the user's hosts. Admin
 should also have access to all hosts except that their permissions should be
 limited to maintaining the hosts (for example purposes). The developers can do
-anything they want on dev hosts, but only watch on productions hosts. Intern
+anything they want on dev hosts but only watch on productions hosts. Intern
 can only interact with the development servers.

+There's an additional server that acts as a router, connecting the VPN users
+to an internal network `10.20.0.0/16`. Developers must have access to those
+internal resources.
+
 Each user have at least a device connected to the network and we have some
 servers.

@@ -19,22 +23,19 @@ servers.
 - app-server1.prod
 - app-server1.dev
 - billing.internal
+- router.internal

-## Setup of the network
+![ACL implementation example](images/headscale-acl-network.png)

-Let's create the namespaces. Each user should have his own namespace. The users
-here are represented as namespaces.
+## ACL setup

-```bash
-headscale namespaces create boss
-headscale namespaces create admin1
-headscale namespaces create dev1
-headscale namespaces create dev2
-headscale namespaces create intern1
-```
+Note: Namespaces will be created automatically when users authenticate with the
+Headscale server.

-We don't need to create namespaces for the servers because the servers will be
-tagged. When registering the servers we will need to add the flag
+ACLs could be written either on [huJSON](https://github.com/tailscale/hujson)
+or YAML. Check the [test ACLs](../tests/acls) for further information.
+
+When registering the servers we will need to add the flag
 `--advertised-tags=tag:<tag1>,tag:<tag2>`, and the user (namespace) that is
 registering the server should be allowed to do it. Since anyone can add tags to
 a server they can register, the check of the tags is done on headscale server
@@ -70,12 +71,20 @@ Here are the ACL's to implement the same permissions as above:

    // interns cannot add servers
  },
+  // hosts should be defined using its IP addresses and a subnet mask.
+  // to define a single host, use a /32 mask. You cannot use DNS entries here,
+  // as they're prone to be hijacked by replacing their IP addresses.
+  // see https://github.com/tailscale/tailscale/issues/3800 for more information.
+  "Hosts": {
+    "postgresql.internal": "10.20.0.2/32",
+    "webservers.internal": "10.20.10.1/29"
+  },
  "acls": [
    // boss have access to all servers
    {
      "action": "accept",
-      "users": ["group:boss"],
-      "ports": [
+      "src": ["group:boss"],
+      "dst": [
        "tag:prod-databases:*",
        "tag:prod-app-servers:*",
        "tag:internal:*",
@@ -84,11 +93,12 @@ Here are the ACL's to implement the same permissions as above:
      ]
    },

-    // admin have only access to administrative ports of the servers
+    // admin have only access to administrative ports of the servers, in tcp/22
    {
      "action": "accept",
-      "users": ["group:admin"],
-      "ports": [
+      "src": ["group:admin"],
+      "proto": "tcp",
+      "dst": [
        "tag:prod-databases:22",
        "tag:prod-app-servers:22",
        "tag:internal:22",
@@ -97,45 +107,70 @@ Here are the ACL's to implement the same permissions as above:
      ]
    },

+    // we also allow admin to ping the servers
+    {
+      "action": "accept",
+      "src": ["group:admin"],
+      "proto": "icmp",
+      "dst": [
+        "tag:prod-databases:*",
+        "tag:prod-app-servers:*",
+        "tag:internal:*",
+        "tag:dev-databases:*",
+        "tag:dev-app-servers:*"
+      ]
+    },
+
    // developers have access to databases servers and application servers on all ports
    // they can only view the applications servers in prod and have no access to databases servers in production
    {
      "action": "accept",
-      "users": ["group:dev"],
-      "ports": [
+      "src": ["group:dev"],
+      "dst": [
        "tag:dev-databases:*",
        "tag:dev-app-servers:*",
        "tag:prod-app-servers:80,443"
      ]
    },
+    // developers have access to the internal network through the router.
+    // the internal network is composed of HTTPS endpoints and Postgresql
+    // database servers. There's an additional rule to allow traffic to be
+    // forwarded to the internal subnet, 10.20.0.0/16. See this issue
+    // https://github.com/juanfont/headscale/issues/502
+    {
+      "action": "accept",
+      "src": ["group:dev"],
+      "dst": ["10.20.0.0/16:443,5432", "router.internal:0"]
+    },

-    // servers should be able to talk to database. Database should not be able to initiate connections to
+    // servers should be able to talk to database in tcp/5432. Database should not be able to initiate connections to
    // applications servers
    {
      "action": "accept",
-      "users": ["tag:dev-app-servers"],
-      "ports": ["tag:dev-databases:5432"]
+      "src": ["tag:dev-app-servers"],
+      "proto": "tcp",
+      "dst": ["tag:dev-databases:5432"]
    },
    {
      "action": "accept",
-      "users": ["tag:prod-app-servers"],
-      "ports": ["tag:prod-databases:5432"]
+      "src": ["tag:prod-app-servers"],
+      "dst": ["tag:prod-databases:5432"]
    },

    // interns have access to dev-app-servers only in reading mode
    {
      "action": "accept",
-      "users": ["group:intern"],
-      "ports": ["tag:dev-app-servers:80,443"]
+      "src": ["group:intern"],
+      "dst": ["tag:dev-app-servers:80,443"]
    },

    // We still have to allow internal namespaces communications since nothing guarantees that each user have
    // their own namespaces.
-    { "action": "accept", "users": ["boss"], "ports": ["boss:*"] },
-    { "action": "accept", "users": ["dev1"], "ports": ["dev1:*"] },
-    { "action": "accept", "users": ["dev2"], "ports": ["dev2:*"] },
-    { "action": "accept", "users": ["admin1"], "ports": ["admin1:*"] },
-    { "action": "accept", "users": ["intern1"], "ports": ["intern1:*"] }
+    { "action": "accept", "src": ["boss"], "dst": ["boss:*"] },
+    { "action": "accept", "src": ["dev1"], "dst": ["dev1:*"] },
+    { "action": "accept", "src": ["dev2"], "dst": ["dev2:*"] },
+    { "action": "accept", "src": ["admin1"], "dst": ["admin1:*"] },
+    { "action": "accept", "src": ["intern1"], "dst": ["intern1:*"] }
  ]
 }
 ```
--- a/docs/build-headscale-container.md
+++ b/docs/build-headscale-container.md
@@ -0,0 +1,32 @@
+# Build docker from scratch
+
+The Dockerfiles included in the repository are using the [buildx plugin](https://docs.docker.com/buildx/working-with-buildx/). This plugin is includes in docker newer than Docker-ce CLI 19.03.2. The plugin is used to be able to build different container arches. Building the Dockerfiles without buildx is not possible.
+
+# Build native
+
+To build the container on the native arch you can just use:
+```
+$ sudo docker buildx build -t headscale:custom-arch .
+```
+
+For example: This will build a amd64(x86_64) container if your hostsystem is amd64(x86_64). Or a arm64 container on a arm64 hostsystem (raspberry pi4).
+
+# Build cross platform
+
+To build a arm64 container on a amd64 hostsystem you could use:
+```
+$ sudo docker buildx build --platform linux/arm64 -t headscale:custom-arm64 .
+
+```
+
+**Import: Currently arm32 build are not supported as there is a problem with a library used by headscale. Hopefully this will be fixed soon.**
+
+# Build multiple arches
+
+To build multiple archres you could use:
+
+```
+$ sudo docker buildx create --use
+$ sudo docker buildx build --platform linux/amd64,linux/arm64 .
+
+```
--- a/docs/examples/kustomize/base/configmap.yaml
+++ b/docs/examples/kustomize/base/configmap.yaml
@@ -5,4 +5,5 @@ metadata:
 data:
  server_url: $(PUBLIC_PROTO)://$(PUBLIC_HOSTNAME)
  listen_addr: "0.0.0.0:8080"
+  metrics_listen_addr: "127.0.0.1:9090"
  ephemeral_node_inactivity_timeout: "30m"
--- a/docs/examples/kustomize/postgres/deployment.yaml
+++ b/docs/examples/kustomize/postgres/deployment.yaml
@@ -25,6 +25,11 @@ spec:
                configMapKeyRef:
                  name: headscale-config
                  key: listen_addr
+            - name: METRICS_LISTEN_ADDR
+              valueFrom:
+                configMapKeyRef:
+                  name: headscale-config
+                  key: metrics_listen_addr
            - name: DERP_MAP_PATH
              value: /vol/config/derp.yaml
            - name: EPHEMERAL_NODE_INACTIVITY_TIMEOUT
--- a/docs/examples/kustomize/sqlite/statefulset.yaml
+++ b/docs/examples/kustomize/sqlite/statefulset.yaml
@@ -26,6 +26,11 @@ spec:
                configMapKeyRef:
                  name: headscale-config
                  key: listen_addr
+            - name: METRICS_LISTEN_ADDR
+              valueFrom:
+                configMapKeyRef:
+                  name: headscale-config
+                  key: metrics_listen_addr
            - name: DERP_MAP_PATH
              value: /vol/config/derp.yaml
            - name: EPHEMERAL_NODE_INACTIVITY_TIMEOUT
--- a/docs/images/headscale-acl-network.png
+++ b/docs/images/headscale-acl-network.png
--- a/docs/proposals/001-acls.md
+++ b/docs/proposals/001-acls.md
@@ -0,0 +1,362 @@
+# ACLs
+
+A key component of tailscale is the notion of Tailnet. This notion is hidden
+but the implications that it have on how to use tailscale are not.
+
+For tailscale an [tailnet](https://tailscale.com/kb/1136/tailnet/) is the
+following:
+
+> For personal users, you are a tailnet of many devices and one person. Each
+> device gets a private Tailscale IP address in the CGNAT range and every
+> device can talk directly to every other device, wherever they are on the
+> internet.
+>
+> For businesses and organizations, a tailnet is many devices and many users.
+> It can be based on your Microsoft Active Directory, your Google Workspace, a
+> GitHub organization, Okta tenancy, or other identity provider namespace. All
+> of the devices and users in your tailnet can be seen by the tailnet
+> administrators in the Tailscale admin console. There you can apply
+> tailnet-wide configuration, such as ACLs that affect visibility of devices
+> inside your tailnet, DNS settings, and more.
+
+## Current implementation and issues
+
+Currently in headscale, the namespaces are used both as tailnet and users. The
+issue is that if we want to use the ACL's we can't use both at the same time.
+
+Tailnet's cannot communicate with each others. So we can't have an ACL that
+authorize tailnet (namespace) A to talk to tailnet (namespace) B.
+
+We also can't write ACLs based on the users (namespaces in headscale) since all
+devices belong to the same user.
+
+With the current implementation the only ACL that we can user is to associate
+each headscale IP to a host manually then write the ACLs according to this
+manual mapping.
+
+```json
+{
+  "hosts": {
+    "host1": "100.64.0.1",
+    "server": "100.64.0.2"
+  },
+  "acls": [
+    { "action": "accept", "users": ["host1"], "ports": ["host2:80,443"] }
+  ]
+}
+```
+
+While this works, it requires a lot of manual editing on the configuration and
+to keep track of all devices IP address.
+
+## Proposition for a next implementation
+
+In order to ease the use of ACL's we need to split the tailnet and users
+notion.
+
+A solution could be to consider a headscale server (in it's entirety) as a
+tailnet.
+
+For personal users the default behavior could either allow all communications
+between all namespaces (like tailscale) or dissallow all communications between
+namespaces (current behavior).
+
+For businesses and organisations, viewing a headscale instance a single tailnet
+would allow users (namespace) to talk to each other with the ACLs. As described
+in tailscale's documentation [[1]], a server should be tagged and personnal
+devices should be tied to a user. Translated in headscale's terms each user can
+have multiple devices and all those devices should be in the same namespace.
+The servers should be tagged and used as such.
+
+This implementation would render useless the sharing feature that is currently
+implemented since an ACL could do the same. Simplifying to only one user
+interface to do one thing is easier and less confusing for the users.
+
+To better suit the ACLs in this proposition, it's advised to consider that each
+namespaces belong to one person. This person can have multiple devices, they
+will all be considered as the same user in the ACLs. OIDC feature wouldn't need
+to map people to namespace, just create a namespace if the person isn't
+registered yet.
+
+As a sidenote, users would like to write ACLs as YAML. We should offer users
+the ability to rules in either format (HuJSON or YAML).
+
+[1]: https://tailscale.com/kb/1068/acl-tags/
+
+## Example
+
+Let's build an example use case for a small business (It may be the place where
+ACL's are the most useful).
+
+We have a small company with a boss, an admin, two developper and an intern.
+
+The boss should have access to all servers but not to the users hosts. Admin
+should also have access to all hosts except that their permissions should be
+limited to maintaining the hosts (for example purposes). The developers can do
+anything they want on dev hosts, but only watch on productions hosts. Intern
+can only interact with the development servers.
+
+Each user have at least a device connected to the network and we have some
+servers.
+
+- database.prod
+- database.dev
+- app-server1.prod
+- app-server1.dev
+- billing.internal
+
+### Current headscale implementation
+
+Let's create some namespaces
+
+```bash
+headscale namespaces create prod
+headscale namespaces create dev
+headscale namespaces create internal
+headscale namespaces create users
+
+headscale nodes register -n users boss-computer
+headscale nodes register -n users admin1-computer
+headscale nodes register -n users dev1-computer
+headscale nodes register -n users dev1-phone
+headscale nodes register -n users dev2-computer
+headscale nodes register -n users intern1-computer
+
+headscale nodes register -n prod database
+headscale nodes register -n prod app-server1
+
+headscale nodes register -n dev database
+headscale nodes register -n dev app-server1
+
+headscale nodes register -n internal billing
+
+headscale nodes list
+ID  | Name              | Namespace | IP address
+1   | boss-computer     | users     | 100.64.0.1
+2   | admin1-computer   | users     | 100.64.0.2
+3   | dev1-computer     | users     | 100.64.0.3
+4   | dev1-phone        | users     | 100.64.0.4
+5   | dev2-computer     | users     | 100.64.0.5
+6   | intern1-computer  | users     | 100.64.0.6
+7   | database          | prod      | 100.64.0.7
+8   | app-server1       | prod      | 100.64.0.8
+9   | database          | dev       | 100.64.0.9
+10  | app-server1       | dev       | 100.64.0.10
+11  | internal          | internal  | 100.64.0.11
+```
+
+In order to only allow the communications related to our description above we
+need to add the following ACLs
+
+```json
+{
+  "hosts": {
+    "boss-computer": "100.64.0.1",
+    "admin1-computer": "100.64.0.2",
+    "dev1-computer": "100.64.0.3",
+    "dev1-phone": "100.64.0.4",
+    "dev2-computer": "100.64.0.5",
+    "intern1-computer": "100.64.0.6",
+    "prod-app-server1": "100.64.0.8"
+  },
+  "groups": {
+    "group:dev": ["dev1-computer", "dev1-phone", "dev2-computer"],
+    "group:admin": ["admin1-computer"],
+    "group:boss": ["boss-computer"],
+    "group:intern": ["intern1-computer"]
+  },
+  "acls": [
+    // boss have access to all servers but no users hosts
+    {
+      "action": "accept",
+      "users": ["group:boss"],
+      "ports": ["prod:*", "dev:*", "internal:*"]
+    },
+
+    // admin have access to adminstration port (lets only consider port 22 here)
+    {
+      "action": "accept",
+      "users": ["group:admin"],
+      "ports": ["prod:22", "dev:22", "internal:22"]
+    },
+
+    // dev can do anything on dev servers and check access on prod servers
+    {
+      "action": "accept",
+      "users": ["group:dev"],
+      "ports": ["dev:*", "prod-app-server1:80,443"]
+    },
+
+    // interns only have access to port 80 and 443 on dev servers (lame internship)
+    { "action": "accept", "users": ["group:intern"], "ports": ["dev:80,443"] },
+
+    // users can access their own devices
+    {
+      "action": "accept",
+      "users": ["dev1-computer"],
+      "ports": ["dev1-phone:*"]
+    },
+    {
+      "action": "accept",
+      "users": ["dev1-phone"],
+      "ports": ["dev1-computer:*"]
+    },
+
+    // internal namespace communications should still be allowed within the namespace
+    { "action": "accept", "users": ["dev"], "ports": ["dev:*"] },
+    { "action": "accept", "users": ["prod"], "ports": ["prod:*"] },
+    { "action": "accept", "users": ["internal"], "ports": ["internal:*"] }
+  ]
+}
+```
+
+Since communications between namespace isn't possible we also have to share the
+devices between the namespaces.
+
+```bash
+
+// add boss host to prod, dev and internal network
+headscale nodes share -i 1 -n prod
+headscale nodes share -i 1 -n dev
+headscale nodes share -i 1 -n internal
+
+// add admin computer to prod, dev and internal network
+headscale nodes share -i 2 -n prod
+headscale nodes share -i 2 -n dev
+headscale nodes share -i 2 -n internal
+
+// add all dev to prod and dev network
+headscale nodes share -i 3 -n dev
+headscale nodes share -i 4 -n dev
+headscale nodes share -i 3 -n prod
+headscale nodes share -i 4 -n prod
+headscale nodes share -i 5 -n dev
+headscale nodes share -i 5 -n prod
+
+headscale nodes share -i 6 -n dev
+```
+
+This fake network have not been tested but it should work. Operating it could
+be quite tedious if the company grows. Each time a new user join we have to add
+it to a group, and share it to the correct namespaces. If the user want
+multiple devices we have to allow communication to each of them one by one. If
+business conduct a change in the organisations we may have to rewrite all acls
+and reorganise all namespaces.
+
+If we add servers in production we should also update the ACLs to allow dev
+access to certain category of them (only app servers for example).
+
+### example based on the proposition in this document
+
+Let's create the namespaces
+
+```bash
+headscale namespaces create boss
+headscale namespaces create admin1
+headscale namespaces create dev1
+headscale namespaces create dev2
+headscale namespaces create intern1
+```
+
+We don't need to create namespaces for the servers because the servers will be
+tagged. When registering the servers we will need to add the flag
+`--advertised-tags=tag:<tag1>,tag:<tag2>`, and the user (namespace) that is
+registering the server should be allowed to do it. Since anyone can add tags to
+a server they can register, the check of the tags is done on headscale server
+and only valid tags are applied. A tag is valid if the namespace that is
+registering it is allowed to do it.
+
+Here are the ACL's to implement the same permissions as above:
+
+```json
+{
+  // groups are simpler and only list the namespaces name
+  "groups": {
+    "group:boss": ["boss"],
+    "group:dev": ["dev1", "dev2"],
+    "group:admin": ["admin1"],
+    "group:intern": ["intern1"]
+  },
+  "tagOwners": {
+    // the administrators can add servers in production
+    "tag:prod-databases": ["group:admin"],
+    "tag:prod-app-servers": ["group:admin"],
+
+    // the boss can tag any server as internal
+    "tag:internal": ["group:boss"],
+
+    // dev can add servers for dev purposes as well as admins
+    "tag:dev-databases": ["group:admin", "group:dev"],
+    "tag:dev-app-servers": ["group:admin", "group:dev"]
+
+    // interns cannot add servers
+  },
+  "acls": [
+    // boss have access to all servers
+    {
+      "action": "accept",
+      "users": ["group:boss"],
+      "ports": [
+        "tag:prod-databases:*",
+        "tag:prod-app-servers:*",
+        "tag:internal:*",
+        "tag:dev-databases:*",
+        "tag:dev-app-servers:*"
+      ]
+    },
+
+    // admin have only access to administrative ports of the servers
+    {
+      "action": "accept",
+      "users": ["group:admin"],
+      "ports": [
+        "tag:prod-databases:22",
+        "tag:prod-app-servers:22",
+        "tag:internal:22",
+        "tag:dev-databases:22",
+        "tag:dev-app-servers:22"
+      ]
+    },
+
+    {
+      "action": "accept",
+      "users": ["group:dev"],
+      "ports": [
+        "tag:dev-databases:*",
+        "tag:dev-app-servers:*",
+        "tag:prod-app-servers:80,443"
+      ]
+    },
+
+    // servers should be able to talk to database. Database should not be able to initiate connections to server
+    {
+      "action": "accept",
+      "users": ["tag:dev-app-servers"],
+      "ports": ["tag:dev-databases:5432"]
+    },
+    {
+      "action": "accept",
+      "users": ["tag:prod-app-servers"],
+      "ports": ["tag:prod-databases:5432"]
+    },
+
+    // interns have access to dev-app-servers only in reading mode
+    {
+      "action": "accept",
+      "users": ["group:intern"],
+      "ports": ["tag:dev-app-servers:80,443"]
+    },
+
+    // we still have to allow internal namespaces communications since nothing guarantees that each user have their own namespaces. This could be talked over.
+    { "action": "accept", "users": ["boss"], "ports": ["boss:*"] },
+    { "action": "accept", "users": ["dev1"], "ports": ["dev1:*"] },
+    { "action": "accept", "users": ["dev2"], "ports": ["dev2:*"] },
+    { "action": "accept", "users": ["admin1"], "ports": ["admin1:*"] },
+    { "action": "accept", "users": ["intern1"], "ports": ["intern1:*"] }
+  ]
+}
+```
+
+With this implementation, the sharing step is not necessary. Maintenance cost
+of the ACL file is lower and less tedious (no need to map hostname and IP's
+into it).
--- a/docs/remote-cli.md
+++ b/docs/remote-cli.md
@@ -24,7 +24,7 @@ To create a API key, log into your `headscale` server and generate a key:
 headscale apikeys create --expiration 90d
 ```

-Copy the output of the command and save it for later. Please not that you can not retrieve a key again,
+Copy the output of the command and save it for later. Please note that you can not retrieve a key again,
 if the key is lost, expire the old one, and create a new key.

 To list the keys currently assosicated with the server:
--- a/docs/running-headscale-container.md
+++ b/docs/running-headscale-container.md
@@ -14,8 +14,8 @@ not work with alternatives like [Podman](https://podman.io). The Docker image ca
 1. Prepare a directory on the host Docker node in your directory of choice, used to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database:

 ```shell
-mkdir ./headscale && cd ./headscale
-mkdir ./config
+mkdir -p ./headscale/config
+cd ./headscale
 ```

 2. Create an empty SQlite datebase in the headscale directory:
@@ -45,6 +45,17 @@ touch ./config/config.yaml
 ```

 Modify the config file to your preferences before launching Docker container.
+Here are some settings that you likely want:
+
+```yaml
+server_url: http://your-host-name:8080 # Change to your hostname or host IP
+# Listen to 0.0.0.0 so it's accessible outside the container
+metrics_listen_addr: 0.0.0.0:9090
+# The default /var/lib/headscale path is not writable in the container
+private_key_path: /etc/headscale/private.key
+# The default /var/lib/headscale path is not writable  in the container
+db_path: /etc/headscale/db.sqlite
+```

 4. Start the headscale server while working in the host headscale directory:

@@ -55,11 +66,14 @@ docker run \
  --rm \
  --volume $(pwd)/config:/etc/headscale/ \
  --publish 127.0.0.1:8080:8080 \
+  --publish 127.0.0.1:9090:9090 \
  headscale/headscale:<VERSION> \
  headscale serve

 ```

+Note: use `0.0.0.0:8080:8080` instead of `127.0.0.1:8080:8080` if you want to expose the container externally.
+
 This command will mount `config/` under `/etc/headscale`, forward port 8080 out of the container so the
 `headscale` instance becomes available and then detach so headscale runs in the background.

@@ -80,13 +94,14 @@ docker ps
 Verify `headscale` is available:

 ```shell
-curl http://127.0.0.1:8080/metrics
+curl http://127.0.0.1:9090/metrics
 ```

 6. Create a namespace ([tailnet](https://tailscale.com/kb/1136/tailnet/)):

 ```shell
-docker exec headscale -- headscale namespaces create myfirstnamespace
+docker exec headscale \
+  headscale namespaces create myfirstnamespace
 ```

 ### Register a machine (normal login)
@@ -100,7 +115,7 @@ tailscale up --login-server YOUR_HEADSCALE_URL
 To register a machine when running `headscale` in a container, take the headscale command and pass it to the container:

 ```shell
-docker exec headscale -- \
+docker exec headscale \
  headscale --namespace myfirstnamespace nodes register --key <YOU_+MACHINE_KEY>
 ```

@@ -109,7 +124,7 @@ docker exec headscale -- \
 Generate a key using the command line:

 ```shell
-docker exec headscale -- \
+docker exec headscale \
  headscale --namespace myfirstnamespace preauthkeys create --reusable --expiration 24h
 ```

--- a/docs/running-headscale-linux.md
+++ b/docs/running-headscale-linux.md
@@ -30,6 +30,14 @@ mkdir -p /etc/headscale

 # Directory for Database, and other variable data (like certificates)
 mkdir -p /var/lib/headscale
+# or if you create a headscale user:
+useradd \
+	--create-home \
+	--home-dir /var/lib/headscale/ \
+	--system \
+	--user-group \
+	--shell /usr/bin/nologin \
+	headscale
 ```

 4. Create an empty SQLite database:
@@ -50,7 +58,7 @@ from the [headscale repository](../)
 6. Start the headscale server:

 ```shell
-  headscale serve
+headscale serve
 ```

 This command will start `headscale` in the current terminal session.
@@ -67,7 +75,7 @@ To run `headscale` in the background, please follow the steps in the [SystemD se
 Verify `headscale` is available:

 ```shell
-curl http://127.0.0.1:8080/metrics
+curl http://127.0.0.1:9090/metrics
 ```

 8. Create a namespace ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
@@ -150,7 +158,7 @@ or run all headscale commands as the headscale user:
 su - headscale
 ```

-2. In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with a SystemD friendly path:
+2. In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with path that is writable by the `headscale` user or group:

 ```yaml
 unix_socket: /var/run/headscale/headscale.sock
@@ -165,8 +173,7 @@ systemctl daemon-reload
 4. Enable and start the new `headscale` service:

 ```shell
-systemctl enable headscale
-systemctl start headscale
+systemctl enable --now headscale
 ```

 5. Verify the headscale service:
@@ -178,7 +185,7 @@ systemctl status headscale
 Verify `headscale` is available:

 ```shell
-curl http://127.0.0.1:8080/metrics
+curl http://127.0.0.1:9090/metrics
 ```

 `headscale` will now run in the background and start at boot.
--- a/docs/running-headscale-openbsd.md
+++ b/docs/running-headscale-openbsd.md
@@ -0,0 +1,206 @@
+# Running headscale on OpenBSD
+
+## Goal
+
+This documentation has the goal of showing a user how-to install and run `headscale` on OpenBSD 7.1.
+In additional to the "get up and running section", there is an optional [rc.d section](#running-headscale-in-the-background-with-rcd)
+describing how to make `headscale` run properly in a server environment.
+
+## Install `headscale`
+
+1. Install from ports (Not Recommend)
+
+   As of OpenBSD 7.1, there's a headscale in ports collection, however, it's severely outdated(v0.12.4).
+   You can install it via `pkg_add headscale`.
+
+2. Install from source on OpenBSD 7.1
+
+```shell
+# Install prerequistes
+# 1. go v1.18+: headscale newer than 0.15 needs go 1.18+ to compile
+# 2. gmake: Makefile in the headscale repo is written in GNU make syntax
+pkg_add -D snap go
+pkg_add gmake
+
+git clone https://github.com/juanfont/headscale.git
+
+cd headscale
+
+# optionally checkout a release
+# option a. you can find offical relase at https://github.com/juanfont/headscale/releases/latest
+# option b. get latest tag, this may be a beta release
+latestTag=$(git describe --tags `git rev-list --tags --max-count=1`)
+
+git checkout $latestTag
+
+gmake build
+
+# make it executable
+chmod a+x headscale
+
+# copy it to /usr/local/sbin
+cp headscale /usr/local/sbin
+```
+
+3. Install from source via cross compile
+
+```shell
+# Install prerequistes
+# 1. go v1.18+: headscale newer than 0.15 needs go 1.18+ to compile
+# 2. gmake: Makefile in the headscale repo is written in GNU make syntax
+
+git clone https://github.com/juanfont/headscale.git
+
+cd headscale
+
+# optionally checkout a release
+# option a. you can find offical relase at https://github.com/juanfont/headscale/releases/latest
+# option b. get latest tag, this may be a beta release
+latestTag=$(git describe --tags `git rev-list --tags --max-count=1`)
+
+git checkout $latestTag
+
+make build GOOS=openbsd
+
+# copy headscale to openbsd machine and put it in /usr/local/sbin
+```
+
+## Configure and run `headscale`
+
+1. Prepare a directory to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database:
+
+```shell
+# Directory for configuration
+
+mkdir -p /etc/headscale
+
+# Directory for Database, and other variable data (like certificates)
+mkdir -p /var/lib/headscale
+```
+
+2. Create an empty SQLite database:
+
+```shell
+touch /var/lib/headscale/db.sqlite
+```
+
+3. Create a `headscale` configuration:
+
+```shell
+touch /etc/headscale/config.yaml
+```
+
+It is **strongly recommended** to copy and modify the [example configuration](../config-example.yaml)
+from the [headscale repository](../)
+
+4. Start the headscale server:
+
+```shell
+headscale serve
+```
+
+This command will start `headscale` in the current terminal session.
+
+---
+
+To continue the tutorial, open a new terminal and let it run in the background.
+Alternatively use terminal emulators like [tmux](https://github.com/tmux/tmux).
+
+To run `headscale` in the background, please follow the steps in the [rc.d section](#running-headscale-in-the-background-with-rcd) before continuing.
+
+5. Verify `headscale` is running:
+
+Verify `headscale` is available:
+
+```shell
+curl http://127.0.0.1:9090/metrics
+```
+
+6. Create a namespace ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
+
+```shell
+headscale namespaces create myfirstnamespace
+```
+
+### Register a machine (normal login)
+
+On a client machine, execute the `tailscale` login command:
+
+```shell
+tailscale up --login-server YOUR_HEADSCALE_URL
+```
+
+Register the machine:
+
+```shell
+headscale --namespace myfirstnamespace nodes register --key <YOU_+MACHINE_KEY>
+```
+
+### Register machine using a pre authenticated key
+
+Generate a key using the command line:
+
+```shell
+headscale --namespace myfirstnamespace preauthkeys create --reusable --expiration 24h
+```
+
+This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
+
+```shell
+tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
+```
+
+## Running `headscale` in the background with rc.d
+
+This section demonstrates how to run `headscale` as a service in the background with [rc.d](https://man.openbsd.org/rc.d).
+
+1. Create a rc.d service at `/etc/rc.d/headscale` containing:
+
+```shell
+#!/bin/ksh
+
+daemon="/usr/local/sbin/headscale"
+daemon_logger="daemon.info"
+daemon_user="root"
+daemon_flags="serve"
+daemon_timeout=60
+
+. /etc/rc.d/rc.subr
+
+rc_bg=YES
+rc_reload=NO
+
+rc_cmd $1
+```
+
+2. `/etc/rc.d/headscale` needs execute permission:
+
+```shell
+chmod a+x /etc/rc.d/headscale
+```
+
+3. Start `headscale` service:
+
+```shell
+rcctl start headscale
+```
+
+4. Make `headscale` service start at boot:
+
+```shell
+rcctl enable headscale
+```
+
+5. Verify the headscale service:
+
+```shell
+rcctl check headscale
+```
+
+Verify `headscale` is available:
+
+```shell
+curl http://127.0.0.1:9090/metrics
+```
+
+`headscale` will now run in the background and start at boot.
--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,43 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1653893745,
+        "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1654847188,
+        "narHash": "sha256-MC+eP7XOGE1LAswOPqdcGoUqY9mEQ3ZaaxamVTbc0hM=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "8b66e3f2ebcc644b78cec9d6f152192f4e7d322f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-22.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,168 @@
+{
+  description = "headscale - Open Source Tailscale Control server";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = { self, nixpkgs, flake-utils, ... }:
+    let
+      headscaleVersion = if (self ? shortRev) then self.shortRev else "dev";
+    in
+    {
+      overlay = final: prev:
+        let
+          pkgs = nixpkgs.legacyPackages.${prev.system};
+        in
+        rec {
+          headscale =
+            pkgs.buildGo118Module rec {
+              pname = "headscale";
+              version = headscaleVersion;
+              src = pkgs.lib.cleanSource self;
+
+              # When updating go.mod or go.sum, a new sha will need to be calculated,
+              # update this if you have a mismatch after doing a change to thos files.
+              vendorSha256 = "sha256-2o78hsi0B9U5NOcYXRqkBmg34p71J/R8FibXsgwEcSo=";
+
+              ldflags = [ "-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}" ];
+            };
+
+          golines =
+            pkgs.buildGoModule rec {
+              pname = "golines";
+              version = "0.9.0";
+
+              src = pkgs.fetchFromGitHub {
+                owner = "segmentio";
+                repo = "golines";
+                rev = "v${version}";
+                sha256 = "sha256-BUXEg+4r9L/gqe4DhTlhN55P3jWt7ZyWFQycO6QePrw=";
+              };
+
+              vendorSha256 = "sha256-sEzWUeVk5GB0H41wrp12P8sBWRjg0FHUX6ABDEEBqK8=";
+
+              nativeBuildInputs = [ pkgs.installShellFiles ];
+            };
+
+          golangci-lint = prev.golangci-lint.override {
+            # Override https://github.com/NixOS/nixpkgs/pull/166801 which changed this
+            # to buildGo118Module because it does not build on Darwin.
+            inherit (prev) buildGoModule;
+          };
+
+          # golangci-lint =
+          #   pkgs.buildGo117Module rec {
+          #     pname = "golangci-lint";
+          #     version = "1.46.2";
+          #
+          #     src = pkgs.fetchFromGitHub {
+          #       owner = "golangci";
+          #       repo = "golangci-lint";
+          #       rev = "v${version}";
+          #       sha256 = "sha256-7sDAwWz+qoB/ngeH35tsJ5FZUfAQvQsU6kU9rUHIHMk=";
+          #     };
+          #
+          #     vendorSha256 = "sha256-w38OKN6HPoz37utG/2QSPMai55IRDXCIIymeMe6ogIU=";
+          #
+          #     nativeBuildInputs = [ pkgs.installShellFiles ];
+          #   };
+
+          protoc-gen-grpc-gateway =
+            pkgs.buildGoModule rec {
+              pname = "grpc-gateway";
+              version = "2.8.0";
+
+              src = pkgs.fetchFromGitHub {
+                owner = "grpc-ecosystem";
+                repo = "grpc-gateway";
+                rev = "v${version}";
+                sha256 = "sha256-8eBBBYJ+tBjB2fgPMX/ZlbN3eeS75e8TAZYOKXs6hcg=";
+              };
+
+              vendorSha256 = "sha256-AW2Gn/mlZyLMwF+NpK59eiOmQrYWW/9HPjbunYc9Ij4=";
+
+              nativeBuildInputs = [ pkgs.installShellFiles ];
+
+              subPackages = [ "protoc-gen-grpc-gateway" "protoc-gen-openapiv2" ];
+            };
+        };
+    } // flake-utils.lib.eachDefaultSystem
+      (system:
+        let
+          pkgs = import nixpkgs {
+            overlays = [ self.overlay ];
+            inherit system;
+          };
+          buildDeps = with pkgs; [ git go_1_18 gnumake ];
+          devDeps = with pkgs;
+            buildDeps ++ [
+              golangci-lint
+              golines
+              nodePackages.prettier
+
+              # Protobuf dependencies
+              protobuf
+              protoc-gen-go
+              protoc-gen-go-grpc
+              protoc-gen-grpc-gateway
+              buf
+              clang-tools # clang-format
+            ];
+
+
+          # Add entry to build a docker image with headscale
+          # caveat: only works on Linux
+          #
+          # Usage:
+          # nix build .#headscale-docker
+          # docker load < result
+          headscale-docker = pkgs.dockerTools.buildLayeredImage {
+            name = "headscale";
+            tag = headscaleVersion;
+            contents = [ pkgs.headscale ];
+            config.Entrypoint = [ (pkgs.headscale + "/bin/headscale") ];
+          };
+        in
+        rec {
+          # `nix develop`
+          devShell = pkgs.mkShell { buildInputs = devDeps; };
+
+          # `nix build`
+          packages = with pkgs; {
+            inherit headscale;
+            inherit headscale-docker;
+          };
+
+          defaultPackage = pkgs.headscale;
+
+          # `nix run`
+          apps.headscale = flake-utils.lib.mkApp {
+            drv = packages.headscale;
+          };
+          defaultApp = apps.headscale;
+
+          checks = {
+            format = pkgs.runCommand "check-format"
+              {
+                buildInputs = with pkgs; [
+                  gnumake
+                  nixpkgs-fmt
+                  golangci-lint
+                  nodePackages.prettier
+                  golines
+                  clang-tools
+                ];
+              } ''
+              ${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt ${./.}
+              ${pkgs.golangci-lint}/bin/golangci-lint run --fix --timeout 10m
+              ${pkgs.nodePackages.prettier}/bin/prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
+              ${pkgs.golines}/bin/golines --max-len=88 --base-formatter=gofumpt -w ${./.}
+              ${pkgs.clang-tools}/bin/clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i ${./.}
+            '';
+          };
+
+
+        });
+}
--- a/gen/go/headscale/v1/headscale.pb.go
+++ b/gen/go/headscale/v1/headscale.pb.go
@@ -36,7 +36,7 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 	0x6f, 0x74, 0x6f, 0x1a, 0x19, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76,
 	0x31, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19,
 	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69,
-	0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x32, 0xa3, 0x13, 0x0a, 0x10, 0x48, 0x65,
+	0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x32, 0xb1, 0x16, 0x0a, 0x10, 0x48, 0x65,
 	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x77,
 	0x0a, 0x0c, 0x47, 0x65, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x21,
 	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65,
@@ -119,82 +119,106 @@ var file_headscale_v1_headscale_proto_rawDesc = []byte{
 	0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
 	0x24, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1e, 0x12, 0x1c, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
 	0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e,
-	0x65, 0x5f, 0x69, 0x64, 0x7d, 0x12, 0x80, 0x01, 0x0a, 0x0f, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74,
-	0x65, 0x72, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12, 0x24, 0x2e, 0x68, 0x65, 0x61, 0x64,
-	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65,
-	0x72, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a,
-	0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52,
+	0x65, 0x5f, 0x69, 0x64, 0x7d, 0x12, 0x74, 0x0a, 0x07, 0x53, 0x65, 0x74, 0x54, 0x61, 0x67, 0x73,
+	0x12, 0x1c, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
+	0x53, 0x65, 0x74, 0x54, 0x61, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x1d,
+	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65,
+	0x74, 0x54, 0x61, 0x67, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2c, 0x82,
+	0xd3, 0xe4, 0x93, 0x02, 0x26, 0x22, 0x21, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d,
+	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f,
+	0x69, 0x64, 0x7d, 0x2f, 0x74, 0x61, 0x67, 0x73, 0x3a, 0x01, 0x2a, 0x12, 0x80, 0x01, 0x0a, 0x0f,
+	0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12,
+	0x24, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52,
 	0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65,
-	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x22, 0x18,
-	0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f,
-	0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x12, 0x7e, 0x0a, 0x0d, 0x44, 0x65, 0x6c, 0x65,
-	0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64,
-	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4d,
-	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e,
-	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c,
-	0x65, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
-	0x73, 0x65, 0x22, 0x24, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1e, 0x2a, 0x1c, 0x2f, 0x61, 0x70, 0x69,
-	0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63,
-	0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x12, 0x85, 0x01, 0x0a, 0x0d, 0x45, 0x78, 0x70,
-	0x69, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12, 0x22, 0x2e, 0x68, 0x65, 0x61,
-	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65,
-	0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23,
-	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78,
-	0x70, 0x69, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f,
-	0x6e, 0x73, 0x65, 0x22, 0x2b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x25, 0x22, 0x23, 0x2f, 0x61, 0x70,
-	0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61,
-	0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65,
-	0x12, 0x6e, 0x0a, 0x0c, 0x4c, 0x69, 0x73, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73,
-	0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
-	0x4c, 0x69, 0x73, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
-	0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x17, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x11, 0x12,
-	0x0f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x12, 0x8b, 0x01, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52,
-	0x6f, 0x75, 0x74, 0x65, 0x12, 0x24, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
-	0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f,
-	0x75, 0x74, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x68, 0x65, 0x61,
-	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63,
-	0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x22, 0x2b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x25, 0x12, 0x23, 0x2f, 0x61, 0x70, 0x69, 0x2f,
+	0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c,
+	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4d, 0x61, 0x63,
+	0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x20, 0x82, 0xd3,
+	0xe4, 0x93, 0x02, 0x1a, 0x22, 0x18, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61,
+	0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x12, 0x7e,
+	0x0a, 0x0d, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12,
+	0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44,
+	0x65, 0x6c, 0x65, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
+	0x76, 0x31, 0x2e, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
+	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x24, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1e,
+	0x2a, 0x1c, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e,
+	0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x12, 0x85,
+	0x01, 0x0a, 0x0d, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
+	0x12, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
+	0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
+	0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e,
+	0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2b, 0x82, 0xd3, 0xe4, 0x93, 0x02,
+	0x25, 0x22, 0x23, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69,
+	0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f,
+	0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x12, 0x90, 0x01, 0x0a, 0x0d, 0x52, 0x65, 0x6e, 0x61, 0x6d,
+	0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
+	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x4d, 0x61,
+	0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x23, 0x2e, 0x68,
+	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x6e, 0x61,
+	0x6d, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0x36, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x30, 0x22, 0x2e, 0x2f, 0x61, 0x70, 0x69, 0x2f,
 	0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68,
-	0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x97,
-	0x01, 0x0a, 0x13, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x28, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
-	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68,
-	0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x1a, 0x29, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
-	0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75,
-	0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2b, 0x82, 0xd3, 0xe4,
-	0x93, 0x02, 0x25, 0x22, 0x23, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63,
-	0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64,
-	0x7d, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x70, 0x0a, 0x0c, 0x43, 0x72, 0x65, 0x61,
-	0x74, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70,
+	0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x72, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x2f, 0x7b,
+	0x6e, 0x65, 0x77, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x7d, 0x12, 0x6e, 0x0a, 0x0c, 0x4c, 0x69, 0x73,
+	0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64,
+	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x4d, 0x61, 0x63,
+	0x68, 0x69, 0x6e, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68,
+	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74,
+	0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x22, 0x17, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x11, 0x12, 0x0f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76,
+	0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12, 0x82, 0x01, 0x0a, 0x0b, 0x4d, 0x6f,
+	0x76, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64,
+	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x6f, 0x76, 0x65, 0x4d, 0x61, 0x63,
+	0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65,
+	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x6f, 0x76, 0x65, 0x4d,
+	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2e,
+	0x82, 0xd3, 0xe4, 0x93, 0x02, 0x28, 0x22, 0x26, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f,
+	0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
+	0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x8b,
+	0x01, 0x0a, 0x0f, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75,
+	0x74, 0x65, 0x12, 0x24, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
+	0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74,
+	0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
+	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69,
+	0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
+	0x2b, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x25, 0x12, 0x23, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
+	0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e,
+	0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x97, 0x01, 0x0a,
+	0x13, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f,
+	0x75, 0x74, 0x65, 0x73, 0x12, 0x28, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
+	0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e,
+	0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x29,
+	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e,
+	0x61, 0x62, 0x6c, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65,
+	0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x2b, 0x82, 0xd3, 0xe4, 0x93, 0x02,
+	0x25, 0x22, 0x23, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x6d, 0x61, 0x63, 0x68, 0x69,
+	0x6e, 0x65, 0x2f, 0x7b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x7d, 0x2f,
+	0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x12, 0x70, 0x0a, 0x0c, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65,
+	0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
+	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41, 0x70, 0x69, 0x4b,
+	0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65, 0x61, 0x64,
+	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x41,
+	0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x19, 0x82,
+	0xd3, 0xe4, 0x93, 0x02, 0x13, 0x22, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61,
+	0x70, 0x69, 0x6b, 0x65, 0x79, 0x3a, 0x01, 0x2a, 0x12, 0x77, 0x0a, 0x0c, 0x45, 0x78, 0x70, 0x69,
+	0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73,
+	0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x41, 0x70,
 	0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e, 0x68, 0x65,
-	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x72, 0x65, 0x61, 0x74,
+	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72,
 	0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22,
-	0x19, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x13, 0x22, 0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
-	0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x3a, 0x01, 0x2a, 0x12, 0x77, 0x0a, 0x0c, 0x45, 0x78,
-	0x70, 0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x12, 0x21, 0x2e, 0x68, 0x65, 0x61,
-	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65,
-	0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x22, 0x2e,
-	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x70,
-	0x69, 0x72, 0x65, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x22, 0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x22, 0x15, 0x2f, 0x61, 0x70, 0x69, 0x2f,
-	0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65,
-	0x3a, 0x01, 0x2a, 0x12, 0x6a, 0x0a, 0x0b, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65,
-	0x79, 0x73, 0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
-	0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
-	0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x16, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x10, 0x12,
-	0x0e, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x42,
-	0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75,
-	0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
-	0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
-	0x6f, 0x33,
+	0x20, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x1a, 0x22, 0x15, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31,
+	0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x2f, 0x65, 0x78, 0x70, 0x69, 0x72, 0x65, 0x3a, 0x01,
+	0x2a, 0x12, 0x6a, 0x0a, 0x0b, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73,
+	0x12, 0x20, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
+	0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x1a, 0x21, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
+	0x31, 0x2e, 0x4c, 0x69, 0x73, 0x74, 0x41, 0x70, 0x69, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x16, 0x82, 0xd3, 0xe4, 0x93, 0x02, 0x10, 0x12, 0x0e, 0x2f,
+	0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x70, 0x69, 0x6b, 0x65, 0x79, 0x42, 0x29, 0x5a,
+	0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61, 0x6e,
+	0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x67,
+	0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var file_headscale_v1_headscale_proto_goTypes = []interface{}{
@@ -208,34 +232,40 @@ var file_headscale_v1_headscale_proto_goTypes = []interface{}{
 	(*ListPreAuthKeysRequest)(nil),      // 7: headscale.v1.ListPreAuthKeysRequest
 	(*DebugCreateMachineRequest)(nil),   // 8: headscale.v1.DebugCreateMachineRequest
 	(*GetMachineRequest)(nil),           // 9: headscale.v1.GetMachineRequest
-	(*RegisterMachineRequest)(nil),      // 10: headscale.v1.RegisterMachineRequest
-	(*DeleteMachineRequest)(nil),        // 11: headscale.v1.DeleteMachineRequest
-	(*ExpireMachineRequest)(nil),        // 12: headscale.v1.ExpireMachineRequest
-	(*ListMachinesRequest)(nil),         // 13: headscale.v1.ListMachinesRequest
-	(*GetMachineRouteRequest)(nil),      // 14: headscale.v1.GetMachineRouteRequest
-	(*EnableMachineRoutesRequest)(nil),  // 15: headscale.v1.EnableMachineRoutesRequest
-	(*CreateApiKeyRequest)(nil),         // 16: headscale.v1.CreateApiKeyRequest
-	(*ExpireApiKeyRequest)(nil),         // 17: headscale.v1.ExpireApiKeyRequest
-	(*ListApiKeysRequest)(nil),          // 18: headscale.v1.ListApiKeysRequest
-	(*GetNamespaceResponse)(nil),        // 19: headscale.v1.GetNamespaceResponse
-	(*CreateNamespaceResponse)(nil),     // 20: headscale.v1.CreateNamespaceResponse
-	(*RenameNamespaceResponse)(nil),     // 21: headscale.v1.RenameNamespaceResponse
-	(*DeleteNamespaceResponse)(nil),     // 22: headscale.v1.DeleteNamespaceResponse
-	(*ListNamespacesResponse)(nil),      // 23: headscale.v1.ListNamespacesResponse
-	(*CreatePreAuthKeyResponse)(nil),    // 24: headscale.v1.CreatePreAuthKeyResponse
-	(*ExpirePreAuthKeyResponse)(nil),    // 25: headscale.v1.ExpirePreAuthKeyResponse
-	(*ListPreAuthKeysResponse)(nil),     // 26: headscale.v1.ListPreAuthKeysResponse
-	(*DebugCreateMachineResponse)(nil),  // 27: headscale.v1.DebugCreateMachineResponse
-	(*GetMachineResponse)(nil),          // 28: headscale.v1.GetMachineResponse
-	(*RegisterMachineResponse)(nil),     // 29: headscale.v1.RegisterMachineResponse
-	(*DeleteMachineResponse)(nil),       // 30: headscale.v1.DeleteMachineResponse
-	(*ExpireMachineResponse)(nil),       // 31: headscale.v1.ExpireMachineResponse
-	(*ListMachinesResponse)(nil),        // 32: headscale.v1.ListMachinesResponse
-	(*GetMachineRouteResponse)(nil),     // 33: headscale.v1.GetMachineRouteResponse
-	(*EnableMachineRoutesResponse)(nil), // 34: headscale.v1.EnableMachineRoutesResponse
-	(*CreateApiKeyResponse)(nil),        // 35: headscale.v1.CreateApiKeyResponse
-	(*ExpireApiKeyResponse)(nil),        // 36: headscale.v1.ExpireApiKeyResponse
-	(*ListApiKeysResponse)(nil),         // 37: headscale.v1.ListApiKeysResponse
+	(*SetTagsRequest)(nil),              // 10: headscale.v1.SetTagsRequest
+	(*RegisterMachineRequest)(nil),      // 11: headscale.v1.RegisterMachineRequest
+	(*DeleteMachineRequest)(nil),        // 12: headscale.v1.DeleteMachineRequest
+	(*ExpireMachineRequest)(nil),        // 13: headscale.v1.ExpireMachineRequest
+	(*RenameMachineRequest)(nil),        // 14: headscale.v1.RenameMachineRequest
+	(*ListMachinesRequest)(nil),         // 15: headscale.v1.ListMachinesRequest
+	(*MoveMachineRequest)(nil),          // 16: headscale.v1.MoveMachineRequest
+	(*GetMachineRouteRequest)(nil),      // 17: headscale.v1.GetMachineRouteRequest
+	(*EnableMachineRoutesRequest)(nil),  // 18: headscale.v1.EnableMachineRoutesRequest
+	(*CreateApiKeyRequest)(nil),         // 19: headscale.v1.CreateApiKeyRequest
+	(*ExpireApiKeyRequest)(nil),         // 20: headscale.v1.ExpireApiKeyRequest
+	(*ListApiKeysRequest)(nil),          // 21: headscale.v1.ListApiKeysRequest
+	(*GetNamespaceResponse)(nil),        // 22: headscale.v1.GetNamespaceResponse
+	(*CreateNamespaceResponse)(nil),     // 23: headscale.v1.CreateNamespaceResponse
+	(*RenameNamespaceResponse)(nil),     // 24: headscale.v1.RenameNamespaceResponse
+	(*DeleteNamespaceResponse)(nil),     // 25: headscale.v1.DeleteNamespaceResponse
+	(*ListNamespacesResponse)(nil),      // 26: headscale.v1.ListNamespacesResponse
+	(*CreatePreAuthKeyResponse)(nil),    // 27: headscale.v1.CreatePreAuthKeyResponse
+	(*ExpirePreAuthKeyResponse)(nil),    // 28: headscale.v1.ExpirePreAuthKeyResponse
+	(*ListPreAuthKeysResponse)(nil),     // 29: headscale.v1.ListPreAuthKeysResponse
+	(*DebugCreateMachineResponse)(nil),  // 30: headscale.v1.DebugCreateMachineResponse
+	(*GetMachineResponse)(nil),          // 31: headscale.v1.GetMachineResponse
+	(*SetTagsResponse)(nil),             // 32: headscale.v1.SetTagsResponse
+	(*RegisterMachineResponse)(nil),     // 33: headscale.v1.RegisterMachineResponse
+	(*DeleteMachineResponse)(nil),       // 34: headscale.v1.DeleteMachineResponse
+	(*ExpireMachineResponse)(nil),       // 35: headscale.v1.ExpireMachineResponse
+	(*RenameMachineResponse)(nil),       // 36: headscale.v1.RenameMachineResponse
+	(*ListMachinesResponse)(nil),        // 37: headscale.v1.ListMachinesResponse
+	(*MoveMachineResponse)(nil),         // 38: headscale.v1.MoveMachineResponse
+	(*GetMachineRouteResponse)(nil),     // 39: headscale.v1.GetMachineRouteResponse
+	(*EnableMachineRoutesResponse)(nil), // 40: headscale.v1.EnableMachineRoutesResponse
+	(*CreateApiKeyResponse)(nil),        // 41: headscale.v1.CreateApiKeyResponse
+	(*ExpireApiKeyResponse)(nil),        // 42: headscale.v1.ExpireApiKeyResponse
+	(*ListApiKeysResponse)(nil),         // 43: headscale.v1.ListApiKeysResponse
 }
 var file_headscale_v1_headscale_proto_depIdxs = []int32{
 	0,  // 0: headscale.v1.HeadscaleService.GetNamespace:input_type -> headscale.v1.GetNamespaceRequest
@@ -248,36 +278,42 @@ var file_headscale_v1_headscale_proto_depIdxs = []int32{
 	7,  // 7: headscale.v1.HeadscaleService.ListPreAuthKeys:input_type -> headscale.v1.ListPreAuthKeysRequest
 	8,  // 8: headscale.v1.HeadscaleService.DebugCreateMachine:input_type -> headscale.v1.DebugCreateMachineRequest
 	9,  // 9: headscale.v1.HeadscaleService.GetMachine:input_type -> headscale.v1.GetMachineRequest
-	10, // 10: headscale.v1.HeadscaleService.RegisterMachine:input_type -> headscale.v1.RegisterMachineRequest
-	11, // 11: headscale.v1.HeadscaleService.DeleteMachine:input_type -> headscale.v1.DeleteMachineRequest
-	12, // 12: headscale.v1.HeadscaleService.ExpireMachine:input_type -> headscale.v1.ExpireMachineRequest
-	13, // 13: headscale.v1.HeadscaleService.ListMachines:input_type -> headscale.v1.ListMachinesRequest
-	14, // 14: headscale.v1.HeadscaleService.GetMachineRoute:input_type -> headscale.v1.GetMachineRouteRequest
-	15, // 15: headscale.v1.HeadscaleService.EnableMachineRoutes:input_type -> headscale.v1.EnableMachineRoutesRequest
-	16, // 16: headscale.v1.HeadscaleService.CreateApiKey:input_type -> headscale.v1.CreateApiKeyRequest
-	17, // 17: headscale.v1.HeadscaleService.ExpireApiKey:input_type -> headscale.v1.ExpireApiKeyRequest
-	18, // 18: headscale.v1.HeadscaleService.ListApiKeys:input_type -> headscale.v1.ListApiKeysRequest
-	19, // 19: headscale.v1.HeadscaleService.GetNamespace:output_type -> headscale.v1.GetNamespaceResponse
-	20, // 20: headscale.v1.HeadscaleService.CreateNamespace:output_type -> headscale.v1.CreateNamespaceResponse
-	21, // 21: headscale.v1.HeadscaleService.RenameNamespace:output_type -> headscale.v1.RenameNamespaceResponse
-	22, // 22: headscale.v1.HeadscaleService.DeleteNamespace:output_type -> headscale.v1.DeleteNamespaceResponse
-	23, // 23: headscale.v1.HeadscaleService.ListNamespaces:output_type -> headscale.v1.ListNamespacesResponse
-	24, // 24: headscale.v1.HeadscaleService.CreatePreAuthKey:output_type -> headscale.v1.CreatePreAuthKeyResponse
-	25, // 25: headscale.v1.HeadscaleService.ExpirePreAuthKey:output_type -> headscale.v1.ExpirePreAuthKeyResponse
-	26, // 26: headscale.v1.HeadscaleService.ListPreAuthKeys:output_type -> headscale.v1.ListPreAuthKeysResponse
-	27, // 27: headscale.v1.HeadscaleService.DebugCreateMachine:output_type -> headscale.v1.DebugCreateMachineResponse
-	28, // 28: headscale.v1.HeadscaleService.GetMachine:output_type -> headscale.v1.GetMachineResponse
-	29, // 29: headscale.v1.HeadscaleService.RegisterMachine:output_type -> headscale.v1.RegisterMachineResponse
-	30, // 30: headscale.v1.HeadscaleService.DeleteMachine:output_type -> headscale.v1.DeleteMachineResponse
-	31, // 31: headscale.v1.HeadscaleService.ExpireMachine:output_type -> headscale.v1.ExpireMachineResponse
-	32, // 32: headscale.v1.HeadscaleService.ListMachines:output_type -> headscale.v1.ListMachinesResponse
-	33, // 33: headscale.v1.HeadscaleService.GetMachineRoute:output_type -> headscale.v1.GetMachineRouteResponse
-	34, // 34: headscale.v1.HeadscaleService.EnableMachineRoutes:output_type -> headscale.v1.EnableMachineRoutesResponse
-	35, // 35: headscale.v1.HeadscaleService.CreateApiKey:output_type -> headscale.v1.CreateApiKeyResponse
-	36, // 36: headscale.v1.HeadscaleService.ExpireApiKey:output_type -> headscale.v1.ExpireApiKeyResponse
-	37, // 37: headscale.v1.HeadscaleService.ListApiKeys:output_type -> headscale.v1.ListApiKeysResponse
-	19, // [19:38] is the sub-list for method output_type
-	0,  // [0:19] is the sub-list for method input_type
+	10, // 10: headscale.v1.HeadscaleService.SetTags:input_type -> headscale.v1.SetTagsRequest
+	11, // 11: headscale.v1.HeadscaleService.RegisterMachine:input_type -> headscale.v1.RegisterMachineRequest
+	12, // 12: headscale.v1.HeadscaleService.DeleteMachine:input_type -> headscale.v1.DeleteMachineRequest
+	13, // 13: headscale.v1.HeadscaleService.ExpireMachine:input_type -> headscale.v1.ExpireMachineRequest
+	14, // 14: headscale.v1.HeadscaleService.RenameMachine:input_type -> headscale.v1.RenameMachineRequest
+	15, // 15: headscale.v1.HeadscaleService.ListMachines:input_type -> headscale.v1.ListMachinesRequest
+	16, // 16: headscale.v1.HeadscaleService.MoveMachine:input_type -> headscale.v1.MoveMachineRequest
+	17, // 17: headscale.v1.HeadscaleService.GetMachineRoute:input_type -> headscale.v1.GetMachineRouteRequest
+	18, // 18: headscale.v1.HeadscaleService.EnableMachineRoutes:input_type -> headscale.v1.EnableMachineRoutesRequest
+	19, // 19: headscale.v1.HeadscaleService.CreateApiKey:input_type -> headscale.v1.CreateApiKeyRequest
+	20, // 20: headscale.v1.HeadscaleService.ExpireApiKey:input_type -> headscale.v1.ExpireApiKeyRequest
+	21, // 21: headscale.v1.HeadscaleService.ListApiKeys:input_type -> headscale.v1.ListApiKeysRequest
+	22, // 22: headscale.v1.HeadscaleService.GetNamespace:output_type -> headscale.v1.GetNamespaceResponse
+	23, // 23: headscale.v1.HeadscaleService.CreateNamespace:output_type -> headscale.v1.CreateNamespaceResponse
+	24, // 24: headscale.v1.HeadscaleService.RenameNamespace:output_type -> headscale.v1.RenameNamespaceResponse
+	25, // 25: headscale.v1.HeadscaleService.DeleteNamespace:output_type -> headscale.v1.DeleteNamespaceResponse
+	26, // 26: headscale.v1.HeadscaleService.ListNamespaces:output_type -> headscale.v1.ListNamespacesResponse
+	27, // 27: headscale.v1.HeadscaleService.CreatePreAuthKey:output_type -> headscale.v1.CreatePreAuthKeyResponse
+	28, // 28: headscale.v1.HeadscaleService.ExpirePreAuthKey:output_type -> headscale.v1.ExpirePreAuthKeyResponse
+	29, // 29: headscale.v1.HeadscaleService.ListPreAuthKeys:output_type -> headscale.v1.ListPreAuthKeysResponse
+	30, // 30: headscale.v1.HeadscaleService.DebugCreateMachine:output_type -> headscale.v1.DebugCreateMachineResponse
+	31, // 31: headscale.v1.HeadscaleService.GetMachine:output_type -> headscale.v1.GetMachineResponse
+	32, // 32: headscale.v1.HeadscaleService.SetTags:output_type -> headscale.v1.SetTagsResponse
+	33, // 33: headscale.v1.HeadscaleService.RegisterMachine:output_type -> headscale.v1.RegisterMachineResponse
+	34, // 34: headscale.v1.HeadscaleService.DeleteMachine:output_type -> headscale.v1.DeleteMachineResponse
+	35, // 35: headscale.v1.HeadscaleService.ExpireMachine:output_type -> headscale.v1.ExpireMachineResponse
+	36, // 36: headscale.v1.HeadscaleService.RenameMachine:output_type -> headscale.v1.RenameMachineResponse
+	37, // 37: headscale.v1.HeadscaleService.ListMachines:output_type -> headscale.v1.ListMachinesResponse
+	38, // 38: headscale.v1.HeadscaleService.MoveMachine:output_type -> headscale.v1.MoveMachineResponse
+	39, // 39: headscale.v1.HeadscaleService.GetMachineRoute:output_type -> headscale.v1.GetMachineRouteResponse
+	40, // 40: headscale.v1.HeadscaleService.EnableMachineRoutes:output_type -> headscale.v1.EnableMachineRoutesResponse
+	41, // 41: headscale.v1.HeadscaleService.CreateApiKey:output_type -> headscale.v1.CreateApiKeyResponse
+	42, // 42: headscale.v1.HeadscaleService.ExpireApiKey:output_type -> headscale.v1.ExpireApiKeyResponse
+	43, // 43: headscale.v1.HeadscaleService.ListApiKeys:output_type -> headscale.v1.ListApiKeysResponse
+	22, // [22:44] is the sub-list for method output_type
+	0,  // [0:22] is the sub-list for method input_type
 	0,  // [0:0] is the sub-list for extension type_name
 	0,  // [0:0] is the sub-list for extension extendee
 	0,  // [0:0] is the sub-list for field type_name
--- a/gen/go/headscale/v1/headscale.pb.gw.go
+++ b/gen/go/headscale/v1/headscale.pb.gw.go
@@ -449,6 +449,74 @@ func local_request_HeadscaleService_GetMachine_0(ctx context.Context, marshaler

 }

+func request_HeadscaleService_SetTags_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq SetTagsRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["machine_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "machine_id")
+	}
+
+	protoReq.MachineId, err = runtime.Uint64(val)
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "machine_id", err)
+	}
+
+	msg, err := client.SetTags(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_HeadscaleService_SetTags_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq SetTagsRequest
+	var metadata runtime.ServerMetadata
+
+	newReader, berr := utilities.IOReaderFactory(req.Body)
+	if berr != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", berr)
+	}
+	if err := marshaler.NewDecoder(newReader()).Decode(&protoReq); err != nil && err != io.EOF {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["machine_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "machine_id")
+	}
+
+	protoReq.MachineId, err = runtime.Uint64(val)
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "machine_id", err)
+	}
+
+	msg, err := server.SetTags(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 var (
 	filter_HeadscaleService_RegisterMachine_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
 )
@@ -589,6 +657,78 @@ func local_request_HeadscaleService_ExpireMachine_0(ctx context.Context, marshal

 }

+func request_HeadscaleService_RenameMachine_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RenameMachineRequest
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["machine_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "machine_id")
+	}
+
+	protoReq.MachineId, err = runtime.Uint64(val)
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "machine_id", err)
+	}
+
+	val, ok = pathParams["new_name"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "new_name")
+	}
+
+	protoReq.NewName, err = runtime.String(val)
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "new_name", err)
+	}
+
+	msg, err := client.RenameMachine(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_HeadscaleService_RenameMachine_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq RenameMachineRequest
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["machine_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "machine_id")
+	}
+
+	protoReq.MachineId, err = runtime.Uint64(val)
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "machine_id", err)
+	}
+
+	val, ok = pathParams["new_name"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "new_name")
+	}
+
+	protoReq.NewName, err = runtime.String(val)
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "new_name", err)
+	}
+
+	msg, err := server.RenameMachine(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 var (
 	filter_HeadscaleService_ListMachines_0 = &utilities.DoubleArray{Encoding: map[string]int{}, Base: []int(nil), Check: []int(nil)}
 )
@@ -625,6 +765,76 @@ func local_request_HeadscaleService_ListMachines_0(ctx context.Context, marshale

 }

+var (
+	filter_HeadscaleService_MoveMachine_0 = &utilities.DoubleArray{Encoding: map[string]int{"machine_id": 0}, Base: []int{1, 1, 0}, Check: []int{0, 1, 2}}
+)
+
+func request_HeadscaleService_MoveMachine_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq MoveMachineRequest
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["machine_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "machine_id")
+	}
+
+	protoReq.MachineId, err = runtime.Uint64(val)
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "machine_id", err)
+	}
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_HeadscaleService_MoveMachine_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := client.MoveMachine(ctx, &protoReq, grpc.Header(&metadata.HeaderMD), grpc.Trailer(&metadata.TrailerMD))
+	return msg, metadata, err
+
+}
+
+func local_request_HeadscaleService_MoveMachine_0(ctx context.Context, marshaler runtime.Marshaler, server HeadscaleServiceServer, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
+	var protoReq MoveMachineRequest
+	var metadata runtime.ServerMetadata
+
+	var (
+		val string
+		ok  bool
+		err error
+		_   = err
+	)
+
+	val, ok = pathParams["machine_id"]
+	if !ok {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "missing parameter %s", "machine_id")
+	}
+
+	protoReq.MachineId, err = runtime.Uint64(val)
+	if err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "type mismatch, parameter: %s, error: %v", "machine_id", err)
+	}
+
+	if err := req.ParseForm(); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+	if err := runtime.PopulateQueryParameters(&protoReq, req.Form, filter_HeadscaleService_MoveMachine_0); err != nil {
+		return nil, metadata, status.Errorf(codes.InvalidArgument, "%v", err)
+	}
+
+	msg, err := server.MoveMachine(ctx, &protoReq)
+	return msg, metadata, err
+
+}
+
 func request_HeadscaleService_GetMachineRoute_0(ctx context.Context, marshaler runtime.Marshaler, client HeadscaleServiceClient, req *http.Request, pathParams map[string]string) (proto.Message, runtime.ServerMetadata, error) {
 	var protoReq GetMachineRouteRequest
 	var metadata runtime.ServerMetadata
@@ -1069,6 +1279,29 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser

 	})

+	mux.Handle("POST", pattern_HeadscaleService_SetTags_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req, "/headscale.v1.HeadscaleService/SetTags", runtime.WithHTTPPathPattern("/api/v1/machine/{machine_id}/tags"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_HeadscaleService_SetTags_0(rctx, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_HeadscaleService_SetTags_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("POST", pattern_HeadscaleService_RegisterMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1138,6 +1371,29 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser

 	})

+	mux.Handle("POST", pattern_HeadscaleService_RenameMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req, "/headscale.v1.HeadscaleService/RenameMachine", runtime.WithHTTPPathPattern("/api/v1/machine/{machine_id}/rename/{new_name}"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_HeadscaleService_RenameMachine_0(rctx, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_HeadscaleService_RenameMachine_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("GET", pattern_HeadscaleService_ListMachines_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1161,6 +1417,29 @@ func RegisterHeadscaleServiceHandlerServer(ctx context.Context, mux *runtime.Ser

 	})

+	mux.Handle("POST", pattern_HeadscaleService_MoveMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		var stream runtime.ServerTransportStream
+		ctx = grpc.NewContextWithServerTransportStream(ctx, &stream)
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateIncomingContext(ctx, mux, req, "/headscale.v1.HeadscaleService/MoveMachine", runtime.WithHTTPPathPattern("/api/v1/machine/{machine_id}/namespace"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := local_request_HeadscaleService_MoveMachine_0(rctx, inboundMarshaler, server, req, pathParams)
+		md.HeaderMD, md.TrailerMD = metadata.Join(md.HeaderMD, stream.Header()), metadata.Join(md.TrailerMD, stream.Trailer())
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_HeadscaleService_MoveMachine_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("GET", pattern_HeadscaleService_GetMachineRoute_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1517,6 +1796,26 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser

 	})

+	mux.Handle("POST", pattern_HeadscaleService_SetTags_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req, "/headscale.v1.HeadscaleService/SetTags", runtime.WithHTTPPathPattern("/api/v1/machine/{machine_id}/tags"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_HeadscaleService_SetTags_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_HeadscaleService_SetTags_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("POST", pattern_HeadscaleService_RegisterMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1577,6 +1876,26 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser

 	})

+	mux.Handle("POST", pattern_HeadscaleService_RenameMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req, "/headscale.v1.HeadscaleService/RenameMachine", runtime.WithHTTPPathPattern("/api/v1/machine/{machine_id}/rename/{new_name}"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_HeadscaleService_RenameMachine_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_HeadscaleService_RenameMachine_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("GET", pattern_HeadscaleService_ListMachines_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1597,6 +1916,26 @@ func RegisterHeadscaleServiceHandlerClient(ctx context.Context, mux *runtime.Ser

 	})

+	mux.Handle("POST", pattern_HeadscaleService_MoveMachine_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
+		ctx, cancel := context.WithCancel(req.Context())
+		defer cancel()
+		inboundMarshaler, outboundMarshaler := runtime.MarshalerForRequest(mux, req)
+		rctx, err := runtime.AnnotateContext(ctx, mux, req, "/headscale.v1.HeadscaleService/MoveMachine", runtime.WithHTTPPathPattern("/api/v1/machine/{machine_id}/namespace"))
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+		resp, md, err := request_HeadscaleService_MoveMachine_0(rctx, inboundMarshaler, client, req, pathParams)
+		ctx = runtime.NewServerMetadataContext(ctx, md)
+		if err != nil {
+			runtime.HTTPError(ctx, mux, outboundMarshaler, w, req, err)
+			return
+		}
+
+		forward_HeadscaleService_MoveMachine_0(ctx, mux, outboundMarshaler, w, req, resp, mux.GetForwardResponseOptions()...)
+
+	})
+
 	mux.Handle("GET", pattern_HeadscaleService_GetMachineRoute_0, func(w http.ResponseWriter, req *http.Request, pathParams map[string]string) {
 		ctx, cancel := context.WithCancel(req.Context())
 		defer cancel()
@@ -1721,14 +2060,20 @@ var (

 	pattern_HeadscaleService_GetMachine_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "machine", "machine_id"}, ""))

+	pattern_HeadscaleService_SetTags_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"api", "v1", "machine", "machine_id", "tags"}, ""))
+
 	pattern_HeadscaleService_RegisterMachine_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 2, 3}, []string{"api", "v1", "machine", "register"}, ""))

 	pattern_HeadscaleService_DeleteMachine_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3}, []string{"api", "v1", "machine", "machine_id"}, ""))

 	pattern_HeadscaleService_ExpireMachine_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"api", "v1", "machine", "machine_id", "expire"}, ""))

+	pattern_HeadscaleService_RenameMachine_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4, 1, 0, 4, 1, 5, 5}, []string{"api", "v1", "machine", "machine_id", "rename", "new_name"}, ""))
+
 	pattern_HeadscaleService_ListMachines_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2}, []string{"api", "v1", "machine"}, ""))

+	pattern_HeadscaleService_MoveMachine_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"api", "v1", "machine", "machine_id", "namespace"}, ""))
+
 	pattern_HeadscaleService_GetMachineRoute_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"api", "v1", "machine", "machine_id", "routes"}, ""))

 	pattern_HeadscaleService_EnableMachineRoutes_0 = runtime.MustPattern(runtime.NewPattern(1, []int{2, 0, 2, 1, 2, 2, 1, 0, 4, 1, 5, 3, 2, 4}, []string{"api", "v1", "machine", "machine_id", "routes"}, ""))
@@ -1761,14 +2106,20 @@ var (

 	forward_HeadscaleService_GetMachine_0 = runtime.ForwardResponseMessage

+	forward_HeadscaleService_SetTags_0 = runtime.ForwardResponseMessage
+
 	forward_HeadscaleService_RegisterMachine_0 = runtime.ForwardResponseMessage

 	forward_HeadscaleService_DeleteMachine_0 = runtime.ForwardResponseMessage

 	forward_HeadscaleService_ExpireMachine_0 = runtime.ForwardResponseMessage

+	forward_HeadscaleService_RenameMachine_0 = runtime.ForwardResponseMessage
+
 	forward_HeadscaleService_ListMachines_0 = runtime.ForwardResponseMessage

+	forward_HeadscaleService_MoveMachine_0 = runtime.ForwardResponseMessage
+
 	forward_HeadscaleService_GetMachineRoute_0 = runtime.ForwardResponseMessage

 	forward_HeadscaleService_EnableMachineRoutes_0 = runtime.ForwardResponseMessage
--- a/gen/go/headscale/v1/headscale_grpc.pb.go
+++ b/gen/go/headscale/v1/headscale_grpc.pb.go
@@ -1,8 +1,4 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
-// versions:
-// - protoc-gen-go-grpc v1.2.0
-// - protoc             (unknown)
-// source: headscale/v1/headscale.proto

 package v1

@@ -35,10 +31,13 @@ type HeadscaleServiceClient interface {
 	// --- Machine start ---
 	DebugCreateMachine(ctx context.Context, in *DebugCreateMachineRequest, opts ...grpc.CallOption) (*DebugCreateMachineResponse, error)
 	GetMachine(ctx context.Context, in *GetMachineRequest, opts ...grpc.CallOption) (*GetMachineResponse, error)
+	SetTags(ctx context.Context, in *SetTagsRequest, opts ...grpc.CallOption) (*SetTagsResponse, error)
 	RegisterMachine(ctx context.Context, in *RegisterMachineRequest, opts ...grpc.CallOption) (*RegisterMachineResponse, error)
 	DeleteMachine(ctx context.Context, in *DeleteMachineRequest, opts ...grpc.CallOption) (*DeleteMachineResponse, error)
 	ExpireMachine(ctx context.Context, in *ExpireMachineRequest, opts ...grpc.CallOption) (*ExpireMachineResponse, error)
+	RenameMachine(ctx context.Context, in *RenameMachineRequest, opts ...grpc.CallOption) (*RenameMachineResponse, error)
 	ListMachines(ctx context.Context, in *ListMachinesRequest, opts ...grpc.CallOption) (*ListMachinesResponse, error)
+	MoveMachine(ctx context.Context, in *MoveMachineRequest, opts ...grpc.CallOption) (*MoveMachineResponse, error)
 	// --- Route start ---
 	GetMachineRoute(ctx context.Context, in *GetMachineRouteRequest, opts ...grpc.CallOption) (*GetMachineRouteResponse, error)
 	EnableMachineRoutes(ctx context.Context, in *EnableMachineRoutesRequest, opts ...grpc.CallOption) (*EnableMachineRoutesResponse, error)
@@ -146,6 +145,15 @@ func (c *headscaleServiceClient) GetMachine(ctx context.Context, in *GetMachineR
 	return out, nil
 }

+func (c *headscaleServiceClient) SetTags(ctx context.Context, in *SetTagsRequest, opts ...grpc.CallOption) (*SetTagsResponse, error) {
+	out := new(SetTagsResponse)
+	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/SetTags", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *headscaleServiceClient) RegisterMachine(ctx context.Context, in *RegisterMachineRequest, opts ...grpc.CallOption) (*RegisterMachineResponse, error) {
 	out := new(RegisterMachineResponse)
 	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/RegisterMachine", in, out, opts...)
@@ -173,6 +181,15 @@ func (c *headscaleServiceClient) ExpireMachine(ctx context.Context, in *ExpireMa
 	return out, nil
 }

+func (c *headscaleServiceClient) RenameMachine(ctx context.Context, in *RenameMachineRequest, opts ...grpc.CallOption) (*RenameMachineResponse, error) {
+	out := new(RenameMachineResponse)
+	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/RenameMachine", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *headscaleServiceClient) ListMachines(ctx context.Context, in *ListMachinesRequest, opts ...grpc.CallOption) (*ListMachinesResponse, error) {
 	out := new(ListMachinesResponse)
 	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ListMachines", in, out, opts...)
@@ -182,6 +199,15 @@ func (c *headscaleServiceClient) ListMachines(ctx context.Context, in *ListMachi
 	return out, nil
 }

+func (c *headscaleServiceClient) MoveMachine(ctx context.Context, in *MoveMachineRequest, opts ...grpc.CallOption) (*MoveMachineResponse, error) {
+	out := new(MoveMachineResponse)
+	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/MoveMachine", in, out, opts...)
+	if err != nil {
+		return nil, err
+	}
+	return out, nil
+}
+
 func (c *headscaleServiceClient) GetMachineRoute(ctx context.Context, in *GetMachineRouteRequest, opts ...grpc.CallOption) (*GetMachineRouteResponse, error) {
 	out := new(GetMachineRouteResponse)
 	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/GetMachineRoute", in, out, opts...)
@@ -244,10 +270,13 @@ type HeadscaleServiceServer interface {
 	// --- Machine start ---
 	DebugCreateMachine(context.Context, *DebugCreateMachineRequest) (*DebugCreateMachineResponse, error)
 	GetMachine(context.Context, *GetMachineRequest) (*GetMachineResponse, error)
+	SetTags(context.Context, *SetTagsRequest) (*SetTagsResponse, error)
 	RegisterMachine(context.Context, *RegisterMachineRequest) (*RegisterMachineResponse, error)
 	DeleteMachine(context.Context, *DeleteMachineRequest) (*DeleteMachineResponse, error)
 	ExpireMachine(context.Context, *ExpireMachineRequest) (*ExpireMachineResponse, error)
+	RenameMachine(context.Context, *RenameMachineRequest) (*RenameMachineResponse, error)
 	ListMachines(context.Context, *ListMachinesRequest) (*ListMachinesResponse, error)
+	MoveMachine(context.Context, *MoveMachineRequest) (*MoveMachineResponse, error)
 	// --- Route start ---
 	GetMachineRoute(context.Context, *GetMachineRouteRequest) (*GetMachineRouteResponse, error)
 	EnableMachineRoutes(context.Context, *EnableMachineRoutesRequest) (*EnableMachineRoutesResponse, error)
@@ -292,6 +321,9 @@ func (UnimplementedHeadscaleServiceServer) DebugCreateMachine(context.Context, *
 func (UnimplementedHeadscaleServiceServer) GetMachine(context.Context, *GetMachineRequest) (*GetMachineResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetMachine not implemented")
 }
+func (UnimplementedHeadscaleServiceServer) SetTags(context.Context, *SetTagsRequest) (*SetTagsResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method SetTags not implemented")
+}
 func (UnimplementedHeadscaleServiceServer) RegisterMachine(context.Context, *RegisterMachineRequest) (*RegisterMachineResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method RegisterMachine not implemented")
 }
@@ -301,9 +333,15 @@ func (UnimplementedHeadscaleServiceServer) DeleteMachine(context.Context, *Delet
 func (UnimplementedHeadscaleServiceServer) ExpireMachine(context.Context, *ExpireMachineRequest) (*ExpireMachineResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ExpireMachine not implemented")
 }
+func (UnimplementedHeadscaleServiceServer) RenameMachine(context.Context, *RenameMachineRequest) (*RenameMachineResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method RenameMachine not implemented")
+}
 func (UnimplementedHeadscaleServiceServer) ListMachines(context.Context, *ListMachinesRequest) (*ListMachinesResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method ListMachines not implemented")
 }
+func (UnimplementedHeadscaleServiceServer) MoveMachine(context.Context, *MoveMachineRequest) (*MoveMachineResponse, error) {
+	return nil, status.Errorf(codes.Unimplemented, "method MoveMachine not implemented")
+}
 func (UnimplementedHeadscaleServiceServer) GetMachineRoute(context.Context, *GetMachineRouteRequest) (*GetMachineRouteResponse, error) {
 	return nil, status.Errorf(codes.Unimplemented, "method GetMachineRoute not implemented")
 }
@@ -512,6 +550,24 @@ func _HeadscaleService_GetMachine_Handler(srv interface{}, ctx context.Context,
 	return interceptor(ctx, in, info, handler)
 }

+func _HeadscaleService_SetTags_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(SetTagsRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(HeadscaleServiceServer).SetTags(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/headscale.v1.HeadscaleService/SetTags",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(HeadscaleServiceServer).SetTags(ctx, req.(*SetTagsRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _HeadscaleService_RegisterMachine_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(RegisterMachineRequest)
 	if err := dec(in); err != nil {
@@ -566,6 +622,24 @@ func _HeadscaleService_ExpireMachine_Handler(srv interface{}, ctx context.Contex
 	return interceptor(ctx, in, info, handler)
 }

+func _HeadscaleService_RenameMachine_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(RenameMachineRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(HeadscaleServiceServer).RenameMachine(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/headscale.v1.HeadscaleService/RenameMachine",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(HeadscaleServiceServer).RenameMachine(ctx, req.(*RenameMachineRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _HeadscaleService_ListMachines_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(ListMachinesRequest)
 	if err := dec(in); err != nil {
@@ -584,6 +658,24 @@ func _HeadscaleService_ListMachines_Handler(srv interface{}, ctx context.Context
 	return interceptor(ctx, in, info, handler)
 }

+func _HeadscaleService_MoveMachine_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+	in := new(MoveMachineRequest)
+	if err := dec(in); err != nil {
+		return nil, err
+	}
+	if interceptor == nil {
+		return srv.(HeadscaleServiceServer).MoveMachine(ctx, in)
+	}
+	info := &grpc.UnaryServerInfo{
+		Server:     srv,
+		FullMethod: "/headscale.v1.HeadscaleService/MoveMachine",
+	}
+	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+		return srv.(HeadscaleServiceServer).MoveMachine(ctx, req.(*MoveMachineRequest))
+	}
+	return interceptor(ctx, in, info, handler)
+}
+
 func _HeadscaleService_GetMachineRoute_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
 	in := new(GetMachineRouteRequest)
 	if err := dec(in); err != nil {
@@ -721,6 +813,10 @@ var HeadscaleService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "GetMachine",
 			Handler:    _HeadscaleService_GetMachine_Handler,
 		},
+		{
+			MethodName: "SetTags",
+			Handler:    _HeadscaleService_SetTags_Handler,
+		},
 		{
 			MethodName: "RegisterMachine",
 			Handler:    _HeadscaleService_RegisterMachine_Handler,
@@ -733,10 +829,18 @@ var HeadscaleService_ServiceDesc = grpc.ServiceDesc{
 			MethodName: "ExpireMachine",
 			Handler:    _HeadscaleService_ExpireMachine_Handler,
 		},
+		{
+			MethodName: "RenameMachine",
+			Handler:    _HeadscaleService_RenameMachine_Handler,
+		},
 		{
 			MethodName: "ListMachines",
 			Handler:    _HeadscaleService_ListMachines_Handler,
 		},
+		{
+			MethodName: "MoveMachine",
+			Handler:    _HeadscaleService_MoveMachine_Handler,
+		},
 		{
 			MethodName: "GetMachineRoute",
 			Handler:    _HeadscaleService_GetMachineRoute_Handler,
--- a/gen/go/headscale/v1/machine.pb.go
+++ b/gen/go/headscale/v1/machine.pb.go
@@ -91,6 +91,10 @@ type Machine struct {
 	PreAuthKey           *PreAuthKey            `protobuf:"bytes,11,opt,name=pre_auth_key,json=preAuthKey,proto3" json:"pre_auth_key,omitempty"`
 	CreatedAt            *timestamppb.Timestamp `protobuf:"bytes,12,opt,name=created_at,json=createdAt,proto3" json:"created_at,omitempty"`
 	RegisterMethod       RegisterMethod         `protobuf:"varint,13,opt,name=register_method,json=registerMethod,proto3,enum=headscale.v1.RegisterMethod" json:"register_method,omitempty"`
+	ForcedTags           []string               `protobuf:"bytes,18,rep,name=forced_tags,json=forcedTags,proto3" json:"forced_tags,omitempty"`
+	InvalidTags          []string               `protobuf:"bytes,19,rep,name=invalid_tags,json=invalidTags,proto3" json:"invalid_tags,omitempty"`
+	ValidTags            []string               `protobuf:"bytes,20,rep,name=valid_tags,json=validTags,proto3" json:"valid_tags,omitempty"`
+	GivenName            string                 `protobuf:"bytes,21,opt,name=given_name,json=givenName,proto3" json:"given_name,omitempty"`
 }

 func (x *Machine) Reset() {
@@ -216,6 +220,34 @@ func (x *Machine) GetRegisterMethod() RegisterMethod {
 	return RegisterMethod_REGISTER_METHOD_UNSPECIFIED
 }

+func (x *Machine) GetForcedTags() []string {
+	if x != nil {
+		return x.ForcedTags
+	}
+	return nil
+}
+
+func (x *Machine) GetInvalidTags() []string {
+	if x != nil {
+		return x.InvalidTags
+	}
+	return nil
+}
+
+func (x *Machine) GetValidTags() []string {
+	if x != nil {
+		return x.ValidTags
+	}
+	return nil
+}
+
+func (x *Machine) GetGivenName() string {
+	if x != nil {
+		return x.GivenName
+	}
+	return ""
+}
+
 type RegisterMachineRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -412,6 +444,108 @@ func (x *GetMachineResponse) GetMachine() *Machine {
 	return nil
 }

+type SetTagsRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	MachineId uint64   `protobuf:"varint,1,opt,name=machine_id,json=machineId,proto3" json:"machine_id,omitempty"`
+	Tags      []string `protobuf:"bytes,2,rep,name=tags,proto3" json:"tags,omitempty"`
+}
+
+func (x *SetTagsRequest) Reset() {
+	*x = SetTagsRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_headscale_v1_machine_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SetTagsRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SetTagsRequest) ProtoMessage() {}
+
+func (x *SetTagsRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_machine_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SetTagsRequest.ProtoReflect.Descriptor instead.
+func (*SetTagsRequest) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{5}
+}
+
+func (x *SetTagsRequest) GetMachineId() uint64 {
+	if x != nil {
+		return x.MachineId
+	}
+	return 0
+}
+
+func (x *SetTagsRequest) GetTags() []string {
+	if x != nil {
+		return x.Tags
+	}
+	return nil
+}
+
+type SetTagsResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Machine *Machine `protobuf:"bytes,1,opt,name=machine,proto3" json:"machine,omitempty"`
+}
+
+func (x *SetTagsResponse) Reset() {
+	*x = SetTagsResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_headscale_v1_machine_proto_msgTypes[6]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *SetTagsResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*SetTagsResponse) ProtoMessage() {}
+
+func (x *SetTagsResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_machine_proto_msgTypes[6]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use SetTagsResponse.ProtoReflect.Descriptor instead.
+func (*SetTagsResponse) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *SetTagsResponse) GetMachine() *Machine {
+	if x != nil {
+		return x.Machine
+	}
+	return nil
+}
+
 type DeleteMachineRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -423,7 +557,7 @@ type DeleteMachineRequest struct {
 func (x *DeleteMachineRequest) Reset() {
 	*x = DeleteMachineRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_machine_proto_msgTypes[5]
+		mi := &file_headscale_v1_machine_proto_msgTypes[7]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -436,7 +570,7 @@ func (x *DeleteMachineRequest) String() string {
 func (*DeleteMachineRequest) ProtoMessage() {}

 func (x *DeleteMachineRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_machine_proto_msgTypes[5]
+	mi := &file_headscale_v1_machine_proto_msgTypes[7]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -449,7 +583,7 @@ func (x *DeleteMachineRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DeleteMachineRequest.ProtoReflect.Descriptor instead.
 func (*DeleteMachineRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{5}
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{7}
 }

 func (x *DeleteMachineRequest) GetMachineId() uint64 {
@@ -468,7 +602,7 @@ type DeleteMachineResponse struct {
 func (x *DeleteMachineResponse) Reset() {
 	*x = DeleteMachineResponse{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_machine_proto_msgTypes[6]
+		mi := &file_headscale_v1_machine_proto_msgTypes[8]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -481,7 +615,7 @@ func (x *DeleteMachineResponse) String() string {
 func (*DeleteMachineResponse) ProtoMessage() {}

 func (x *DeleteMachineResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_machine_proto_msgTypes[6]
+	mi := &file_headscale_v1_machine_proto_msgTypes[8]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -494,7 +628,7 @@ func (x *DeleteMachineResponse) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DeleteMachineResponse.ProtoReflect.Descriptor instead.
 func (*DeleteMachineResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{6}
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{8}
 }

 type ExpireMachineRequest struct {
@@ -508,7 +642,7 @@ type ExpireMachineRequest struct {
 func (x *ExpireMachineRequest) Reset() {
 	*x = ExpireMachineRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_machine_proto_msgTypes[7]
+		mi := &file_headscale_v1_machine_proto_msgTypes[9]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -521,7 +655,7 @@ func (x *ExpireMachineRequest) String() string {
 func (*ExpireMachineRequest) ProtoMessage() {}

 func (x *ExpireMachineRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_machine_proto_msgTypes[7]
+	mi := &file_headscale_v1_machine_proto_msgTypes[9]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -534,7 +668,7 @@ func (x *ExpireMachineRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ExpireMachineRequest.ProtoReflect.Descriptor instead.
 func (*ExpireMachineRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{7}
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{9}
 }

 func (x *ExpireMachineRequest) GetMachineId() uint64 {
@@ -555,7 +689,7 @@ type ExpireMachineResponse struct {
 func (x *ExpireMachineResponse) Reset() {
 	*x = ExpireMachineResponse{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_machine_proto_msgTypes[8]
+		mi := &file_headscale_v1_machine_proto_msgTypes[10]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -568,7 +702,7 @@ func (x *ExpireMachineResponse) String() string {
 func (*ExpireMachineResponse) ProtoMessage() {}

 func (x *ExpireMachineResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_machine_proto_msgTypes[8]
+	mi := &file_headscale_v1_machine_proto_msgTypes[10]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -581,7 +715,7 @@ func (x *ExpireMachineResponse) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ExpireMachineResponse.ProtoReflect.Descriptor instead.
 func (*ExpireMachineResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{8}
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{10}
 }

 func (x *ExpireMachineResponse) GetMachine() *Machine {
@@ -591,6 +725,108 @@ func (x *ExpireMachineResponse) GetMachine() *Machine {
 	return nil
 }

+type RenameMachineRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	MachineId uint64 `protobuf:"varint,1,opt,name=machine_id,json=machineId,proto3" json:"machine_id,omitempty"`
+	NewName   string `protobuf:"bytes,2,opt,name=new_name,json=newName,proto3" json:"new_name,omitempty"`
+}
+
+func (x *RenameMachineRequest) Reset() {
+	*x = RenameMachineRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_headscale_v1_machine_proto_msgTypes[11]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *RenameMachineRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RenameMachineRequest) ProtoMessage() {}
+
+func (x *RenameMachineRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_machine_proto_msgTypes[11]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RenameMachineRequest.ProtoReflect.Descriptor instead.
+func (*RenameMachineRequest) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{11}
+}
+
+func (x *RenameMachineRequest) GetMachineId() uint64 {
+	if x != nil {
+		return x.MachineId
+	}
+	return 0
+}
+
+func (x *RenameMachineRequest) GetNewName() string {
+	if x != nil {
+		return x.NewName
+	}
+	return ""
+}
+
+type RenameMachineResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Machine *Machine `protobuf:"bytes,1,opt,name=machine,proto3" json:"machine,omitempty"`
+}
+
+func (x *RenameMachineResponse) Reset() {
+	*x = RenameMachineResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_headscale_v1_machine_proto_msgTypes[12]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *RenameMachineResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RenameMachineResponse) ProtoMessage() {}
+
+func (x *RenameMachineResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_machine_proto_msgTypes[12]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RenameMachineResponse.ProtoReflect.Descriptor instead.
+func (*RenameMachineResponse) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{12}
+}
+
+func (x *RenameMachineResponse) GetMachine() *Machine {
+	if x != nil {
+		return x.Machine
+	}
+	return nil
+}
+
 type ListMachinesRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -602,7 +838,7 @@ type ListMachinesRequest struct {
 func (x *ListMachinesRequest) Reset() {
 	*x = ListMachinesRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_machine_proto_msgTypes[9]
+		mi := &file_headscale_v1_machine_proto_msgTypes[13]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -615,7 +851,7 @@ func (x *ListMachinesRequest) String() string {
 func (*ListMachinesRequest) ProtoMessage() {}

 func (x *ListMachinesRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_machine_proto_msgTypes[9]
+	mi := &file_headscale_v1_machine_proto_msgTypes[13]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -628,7 +864,7 @@ func (x *ListMachinesRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ListMachinesRequest.ProtoReflect.Descriptor instead.
 func (*ListMachinesRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{9}
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{13}
 }

 func (x *ListMachinesRequest) GetNamespace() string {
@@ -649,7 +885,7 @@ type ListMachinesResponse struct {
 func (x *ListMachinesResponse) Reset() {
 	*x = ListMachinesResponse{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_machine_proto_msgTypes[10]
+		mi := &file_headscale_v1_machine_proto_msgTypes[14]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -662,7 +898,7 @@ func (x *ListMachinesResponse) String() string {
 func (*ListMachinesResponse) ProtoMessage() {}

 func (x *ListMachinesResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_machine_proto_msgTypes[10]
+	mi := &file_headscale_v1_machine_proto_msgTypes[14]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -675,7 +911,7 @@ func (x *ListMachinesResponse) ProtoReflect() protoreflect.Message {

 // Deprecated: Use ListMachinesResponse.ProtoReflect.Descriptor instead.
 func (*ListMachinesResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{10}
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{14}
 }

 func (x *ListMachinesResponse) GetMachines() []*Machine {
@@ -685,6 +921,108 @@ func (x *ListMachinesResponse) GetMachines() []*Machine {
 	return nil
 }

+type MoveMachineRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	MachineId uint64 `protobuf:"varint,1,opt,name=machine_id,json=machineId,proto3" json:"machine_id,omitempty"`
+	Namespace string `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"`
+}
+
+func (x *MoveMachineRequest) Reset() {
+	*x = MoveMachineRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_headscale_v1_machine_proto_msgTypes[15]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *MoveMachineRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*MoveMachineRequest) ProtoMessage() {}
+
+func (x *MoveMachineRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_machine_proto_msgTypes[15]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use MoveMachineRequest.ProtoReflect.Descriptor instead.
+func (*MoveMachineRequest) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{15}
+}
+
+func (x *MoveMachineRequest) GetMachineId() uint64 {
+	if x != nil {
+		return x.MachineId
+	}
+	return 0
+}
+
+func (x *MoveMachineRequest) GetNamespace() string {
+	if x != nil {
+		return x.Namespace
+	}
+	return ""
+}
+
+type MoveMachineResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Machine *Machine `protobuf:"bytes,1,opt,name=machine,proto3" json:"machine,omitempty"`
+}
+
+func (x *MoveMachineResponse) Reset() {
+	*x = MoveMachineResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_headscale_v1_machine_proto_msgTypes[16]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *MoveMachineResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*MoveMachineResponse) ProtoMessage() {}
+
+func (x *MoveMachineResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_headscale_v1_machine_proto_msgTypes[16]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use MoveMachineResponse.ProtoReflect.Descriptor instead.
+func (*MoveMachineResponse) Descriptor() ([]byte, []int) {
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{16}
+}
+
+func (x *MoveMachineResponse) GetMachine() *Machine {
+	if x != nil {
+		return x.Machine
+	}
+	return nil
+}
+
 type DebugCreateMachineRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -699,7 +1037,7 @@ type DebugCreateMachineRequest struct {
 func (x *DebugCreateMachineRequest) Reset() {
 	*x = DebugCreateMachineRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_machine_proto_msgTypes[11]
+		mi := &file_headscale_v1_machine_proto_msgTypes[17]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -712,7 +1050,7 @@ func (x *DebugCreateMachineRequest) String() string {
 func (*DebugCreateMachineRequest) ProtoMessage() {}

 func (x *DebugCreateMachineRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_machine_proto_msgTypes[11]
+	mi := &file_headscale_v1_machine_proto_msgTypes[17]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -725,7 +1063,7 @@ func (x *DebugCreateMachineRequest) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DebugCreateMachineRequest.ProtoReflect.Descriptor instead.
 func (*DebugCreateMachineRequest) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{11}
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{17}
 }

 func (x *DebugCreateMachineRequest) GetNamespace() string {
@@ -767,7 +1105,7 @@ type DebugCreateMachineResponse struct {
 func (x *DebugCreateMachineResponse) Reset() {
 	*x = DebugCreateMachineResponse{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_headscale_v1_machine_proto_msgTypes[12]
+		mi := &file_headscale_v1_machine_proto_msgTypes[18]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -780,7 +1118,7 @@ func (x *DebugCreateMachineResponse) String() string {
 func (*DebugCreateMachineResponse) ProtoMessage() {}

 func (x *DebugCreateMachineResponse) ProtoReflect() protoreflect.Message {
-	mi := &file_headscale_v1_machine_proto_msgTypes[12]
+	mi := &file_headscale_v1_machine_proto_msgTypes[18]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -793,7 +1131,7 @@ func (x *DebugCreateMachineResponse) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DebugCreateMachineResponse.ProtoReflect.Descriptor instead.
 func (*DebugCreateMachineResponse) Descriptor() ([]byte, []int) {
-	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{12}
+	return file_headscale_v1_machine_proto_rawDescGZIP(), []int{18}
 }

 func (x *DebugCreateMachineResponse) GetMachine() *Machine {
@@ -814,7 +1152,7 @@ var file_headscale_v1_machine_proto_rawDesc = []byte{
 	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70,
 	0x61, 0x63, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1d, 0x68, 0x65, 0x61, 0x64, 0x73,
 	0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x72, 0x65, 0x61, 0x75, 0x74, 0x68, 0x6b,
-	0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xdd, 0x04, 0x0a, 0x07, 0x4d, 0x61, 0x63,
+	0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xe5, 0x05, 0x0a, 0x07, 0x4d, 0x61, 0x63,
 	0x68, 0x69, 0x6e, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04,
 	0x52, 0x02, 0x69, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f,
 	0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69,
@@ -852,69 +1190,106 @@ var file_headscale_v1_machine_proto_rawDesc = []byte{
 	0x74, 0x68, 0x6f, 0x64, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x1c, 0x2e, 0x68, 0x65, 0x61,
 	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74,
 	0x65, 0x72, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x52, 0x0e, 0x72, 0x65, 0x67, 0x69, 0x73, 0x74,
-	0x65, 0x72, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x22, 0x48, 0x0a, 0x16, 0x52, 0x65, 0x67, 0x69,
-	0x73, 0x74, 0x65, 0x72, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65,
-	0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65,
-	0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b,
-	0x65, 0x79, 0x22, 0x4a, 0x0a, 0x17, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4d, 0x61,
-	0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2f, 0x0a,
-	0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15,
-	0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x61,
-	0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x22, 0x32,
-	0x0a, 0x11, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x72, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x12, 0x1f, 0x0a, 0x0b, 0x66, 0x6f, 0x72, 0x63,
+	0x65, 0x64, 0x5f, 0x74, 0x61, 0x67, 0x73, 0x18, 0x12, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x66,
+	0x6f, 0x72, 0x63, 0x65, 0x64, 0x54, 0x61, 0x67, 0x73, 0x12, 0x21, 0x0a, 0x0c, 0x69, 0x6e, 0x76,
+	0x61, 0x6c, 0x69, 0x64, 0x5f, 0x74, 0x61, 0x67, 0x73, 0x18, 0x13, 0x20, 0x03, 0x28, 0x09, 0x52,
+	0x0b, 0x69, 0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x61, 0x67, 0x73, 0x12, 0x1d, 0x0a, 0x0a,
+	0x76, 0x61, 0x6c, 0x69, 0x64, 0x5f, 0x74, 0x61, 0x67, 0x73, 0x18, 0x14, 0x20, 0x03, 0x28, 0x09,
+	0x52, 0x09, 0x76, 0x61, 0x6c, 0x69, 0x64, 0x54, 0x61, 0x67, 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x67,
+	0x69, 0x76, 0x65, 0x6e, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x15, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x09, 0x67, 0x69, 0x76, 0x65, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x4a, 0x04, 0x08, 0x0e, 0x10, 0x12,
+	0x22, 0x48, 0x0a, 0x16, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4d, 0x61, 0x63, 0x68,
+	0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61,
+	0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e,
+	0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x22, 0x4a, 0x0a, 0x17, 0x52, 0x65,
+	0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2f, 0x0a, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
+	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x07, 0x6d,
+	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x22, 0x32, 0x0a, 0x11, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63,
+	0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d,
+	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52,
+	0x09, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x49, 0x64, 0x22, 0x45, 0x0a, 0x12, 0x47, 0x65,
+	0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65,
+	0x12, 0x2f, 0x0a, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
+	0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e,
+	0x65, 0x22, 0x43, 0x0a, 0x0e, 0x53, 0x65, 0x74, 0x54, 0x61, 0x67, 0x73, 0x52, 0x65, 0x71, 0x75,
 	0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69,
 	0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x49, 0x64, 0x22, 0x45, 0x0a, 0x12, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2f, 0x0a, 0x07, 0x6d, 0x61, 0x63, 0x68,
-	0x69, 0x6e, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65, 0x61, 0x64,
-	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x52, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x22, 0x35, 0x0a, 0x14, 0x44, 0x65, 0x6c,
-	0x65, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x49, 0x64,
-	0x22, 0x17, 0x0a, 0x15, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e,
-	0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x35, 0x0a, 0x14, 0x45, 0x78, 0x70,
-	0x69, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x49, 0x64,
-	0x22, 0x48, 0x0a, 0x15, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e,
-	0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2f, 0x0a, 0x07, 0x6d, 0x61, 0x63,
+	0x49, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x74, 0x61, 0x67, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09,
+	0x52, 0x04, 0x74, 0x61, 0x67, 0x73, 0x22, 0x42, 0x0a, 0x0f, 0x53, 0x65, 0x74, 0x54, 0x61, 0x67,
+	0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2f, 0x0a, 0x07, 0x6d, 0x61, 0x63,
 	0x68, 0x69, 0x6e, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65, 0x61,
 	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e,
-	0x65, 0x52, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x22, 0x33, 0x0a, 0x13, 0x4c, 0x69,
-	0x73, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
-	0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x22,
-	0x49, 0x0a, 0x14, 0x4c, 0x69, 0x73, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x52,
-	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x31, 0x0a, 0x08, 0x6d, 0x61, 0x63, 0x68, 0x69,
-	0x6e, 0x65, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65, 0x61, 0x64,
-	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x52, 0x08, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x22, 0x77, 0x0a, 0x19, 0x44, 0x65,
-	0x62, 0x75, 0x67, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
-	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73,
-	0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65,
-	0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01,
-	0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18,
-	0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72,
-	0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x72, 0x6f, 0x75,
-	0x74, 0x65, 0x73, 0x22, 0x4d, 0x0a, 0x1a, 0x44, 0x65, 0x62, 0x75, 0x67, 0x43, 0x72, 0x65, 0x61,
-	0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x52, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x22, 0x35, 0x0a, 0x14, 0x44, 0x65,
+	0x6c, 0x65, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x49,
+	0x64, 0x22, 0x17, 0x0a, 0x15, 0x44, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69,
+	0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x35, 0x0a, 0x14, 0x45, 0x78,
+	0x70, 0x69, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64,
+	0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x49,
+	0x64, 0x22, 0x48, 0x0a, 0x15, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69,
+	0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2f, 0x0a, 0x07, 0x6d, 0x61,
+	0x63, 0x68, 0x69, 0x6e, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65,
+	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69,
+	0x6e, 0x65, 0x52, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x22, 0x50, 0x0a, 0x14, 0x52,
+	0x65, 0x6e, 0x61, 0x6d, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69,
+	0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65,
+	0x49, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x6e, 0x65, 0x77, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x02,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6e, 0x65, 0x77, 0x4e, 0x61, 0x6d, 0x65, 0x22, 0x48, 0x0a,
+	0x15, 0x52, 0x65, 0x6e, 0x61, 0x6d, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65,
+	0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2f, 0x0a, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e,
+	0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
+	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x07,
+	0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x22, 0x33, 0x0a, 0x13, 0x4c, 0x69, 0x73, 0x74, 0x4d,
+	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1c,
+	0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x22, 0x49, 0x0a, 0x14,
+	0x4c, 0x69, 0x73, 0x74, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x31, 0x0a, 0x08, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73,
+	0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61,
+	0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x08, 0x6d,
+	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x73, 0x22, 0x51, 0x0a, 0x12, 0x4d, 0x6f, 0x76, 0x65, 0x4d,
+	0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a,
+	0x0a, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28,
+	0x04, 0x52, 0x09, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x49, 0x64, 0x12, 0x1c, 0x0a, 0x09,
+	0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
+	0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x22, 0x46, 0x0a, 0x13, 0x4d, 0x6f,
+	0x76, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
 	0x65, 0x12, 0x2f, 0x0a, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x18, 0x01, 0x20, 0x01,
 	0x28, 0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76,
 	0x31, 0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69,
-	0x6e, 0x65, 0x2a, 0x82, 0x01, 0x0a, 0x0e, 0x52, 0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4d,
-	0x65, 0x74, 0x68, 0x6f, 0x64, 0x12, 0x1f, 0x0a, 0x1b, 0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45,
-	0x52, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49,
-	0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1c, 0x0a, 0x18, 0x52, 0x45, 0x47, 0x49, 0x53, 0x54,
-	0x45, 0x52, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x41, 0x55, 0x54, 0x48, 0x5f, 0x4b,
-	0x45, 0x59, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13, 0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52,
-	0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x43, 0x4c, 0x49, 0x10, 0x02, 0x12, 0x18, 0x0a,
-	0x14, 0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44,
-	0x5f, 0x4f, 0x49, 0x44, 0x43, 0x10, 0x03, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75,
-	0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68,
-	0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f,
-	0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x6e, 0x65, 0x22, 0x77, 0x0a, 0x19, 0x44, 0x65, 0x62, 0x75, 0x67, 0x43, 0x72, 0x65, 0x61, 0x74,
+	0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12,
+	0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x10, 0x0a,
+	0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12,
+	0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e,
+	0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x18, 0x04, 0x20,
+	0x03, 0x28, 0x09, 0x52, 0x06, 0x72, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x22, 0x4d, 0x0a, 0x1a, 0x44,
+	0x65, 0x62, 0x75, 0x67, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e,
+	0x65, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x2f, 0x0a, 0x07, 0x6d, 0x61, 0x63,
+	0x68, 0x69, 0x6e, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x15, 0x2e, 0x68, 0x65, 0x61,
+	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4d, 0x61, 0x63, 0x68, 0x69, 0x6e,
+	0x65, 0x52, 0x07, 0x6d, 0x61, 0x63, 0x68, 0x69, 0x6e, 0x65, 0x2a, 0x82, 0x01, 0x0a, 0x0e, 0x52,
+	0x65, 0x67, 0x69, 0x73, 0x74, 0x65, 0x72, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x12, 0x1f, 0x0a,
+	0x1b, 0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44,
+	0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x1c,
+	0x0a, 0x18, 0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f,
+	0x44, 0x5f, 0x41, 0x55, 0x54, 0x48, 0x5f, 0x4b, 0x45, 0x59, 0x10, 0x01, 0x12, 0x17, 0x0a, 0x13,
+	0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45, 0x52, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f,
+	0x43, 0x4c, 0x49, 0x10, 0x02, 0x12, 0x18, 0x0a, 0x14, 0x52, 0x45, 0x47, 0x49, 0x53, 0x54, 0x45,
+	0x52, 0x5f, 0x4d, 0x45, 0x54, 0x48, 0x4f, 0x44, 0x5f, 0x4f, 0x49, 0x44, 0x43, 0x10, 0x03, 0x42,
+	0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75,
+	0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
+	0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x33,
 }

 var (
@@ -930,7 +1305,7 @@ func file_headscale_v1_machine_proto_rawDescGZIP() []byte {
 }

 var file_headscale_v1_machine_proto_enumTypes = make([]protoimpl.EnumInfo, 1)
-var file_headscale_v1_machine_proto_msgTypes = make([]protoimpl.MessageInfo, 13)
+var file_headscale_v1_machine_proto_msgTypes = make([]protoimpl.MessageInfo, 19)
 var file_headscale_v1_machine_proto_goTypes = []interface{}{
 	(RegisterMethod)(0),                // 0: headscale.v1.RegisterMethod
 	(*Machine)(nil),                    // 1: headscale.v1.Machine
@@ -938,36 +1313,45 @@ var file_headscale_v1_machine_proto_goTypes = []interface{}{
 	(*RegisterMachineResponse)(nil),    // 3: headscale.v1.RegisterMachineResponse
 	(*GetMachineRequest)(nil),          // 4: headscale.v1.GetMachineRequest
 	(*GetMachineResponse)(nil),         // 5: headscale.v1.GetMachineResponse
-	(*DeleteMachineRequest)(nil),       // 6: headscale.v1.DeleteMachineRequest
-	(*DeleteMachineResponse)(nil),      // 7: headscale.v1.DeleteMachineResponse
-	(*ExpireMachineRequest)(nil),       // 8: headscale.v1.ExpireMachineRequest
-	(*ExpireMachineResponse)(nil),      // 9: headscale.v1.ExpireMachineResponse
-	(*ListMachinesRequest)(nil),        // 10: headscale.v1.ListMachinesRequest
-	(*ListMachinesResponse)(nil),       // 11: headscale.v1.ListMachinesResponse
-	(*DebugCreateMachineRequest)(nil),  // 12: headscale.v1.DebugCreateMachineRequest
-	(*DebugCreateMachineResponse)(nil), // 13: headscale.v1.DebugCreateMachineResponse
-	(*Namespace)(nil),                  // 14: headscale.v1.Namespace
-	(*timestamppb.Timestamp)(nil),      // 15: google.protobuf.Timestamp
-	(*PreAuthKey)(nil),                 // 16: headscale.v1.PreAuthKey
+	(*SetTagsRequest)(nil),             // 6: headscale.v1.SetTagsRequest
+	(*SetTagsResponse)(nil),            // 7: headscale.v1.SetTagsResponse
+	(*DeleteMachineRequest)(nil),       // 8: headscale.v1.DeleteMachineRequest
+	(*DeleteMachineResponse)(nil),      // 9: headscale.v1.DeleteMachineResponse
+	(*ExpireMachineRequest)(nil),       // 10: headscale.v1.ExpireMachineRequest
+	(*ExpireMachineResponse)(nil),      // 11: headscale.v1.ExpireMachineResponse
+	(*RenameMachineRequest)(nil),       // 12: headscale.v1.RenameMachineRequest
+	(*RenameMachineResponse)(nil),      // 13: headscale.v1.RenameMachineResponse
+	(*ListMachinesRequest)(nil),        // 14: headscale.v1.ListMachinesRequest
+	(*ListMachinesResponse)(nil),       // 15: headscale.v1.ListMachinesResponse
+	(*MoveMachineRequest)(nil),         // 16: headscale.v1.MoveMachineRequest
+	(*MoveMachineResponse)(nil),        // 17: headscale.v1.MoveMachineResponse
+	(*DebugCreateMachineRequest)(nil),  // 18: headscale.v1.DebugCreateMachineRequest
+	(*DebugCreateMachineResponse)(nil), // 19: headscale.v1.DebugCreateMachineResponse
+	(*Namespace)(nil),                  // 20: headscale.v1.Namespace
+	(*timestamppb.Timestamp)(nil),      // 21: google.protobuf.Timestamp
+	(*PreAuthKey)(nil),                 // 22: headscale.v1.PreAuthKey
 }
 var file_headscale_v1_machine_proto_depIdxs = []int32{
-	14, // 0: headscale.v1.Machine.namespace:type_name -> headscale.v1.Namespace
-	15, // 1: headscale.v1.Machine.last_seen:type_name -> google.protobuf.Timestamp
-	15, // 2: headscale.v1.Machine.last_successful_update:type_name -> google.protobuf.Timestamp
-	15, // 3: headscale.v1.Machine.expiry:type_name -> google.protobuf.Timestamp
-	16, // 4: headscale.v1.Machine.pre_auth_key:type_name -> headscale.v1.PreAuthKey
-	15, // 5: headscale.v1.Machine.created_at:type_name -> google.protobuf.Timestamp
+	20, // 0: headscale.v1.Machine.namespace:type_name -> headscale.v1.Namespace
+	21, // 1: headscale.v1.Machine.last_seen:type_name -> google.protobuf.Timestamp
+	21, // 2: headscale.v1.Machine.last_successful_update:type_name -> google.protobuf.Timestamp
+	21, // 3: headscale.v1.Machine.expiry:type_name -> google.protobuf.Timestamp
+	22, // 4: headscale.v1.Machine.pre_auth_key:type_name -> headscale.v1.PreAuthKey
+	21, // 5: headscale.v1.Machine.created_at:type_name -> google.protobuf.Timestamp
 	0,  // 6: headscale.v1.Machine.register_method:type_name -> headscale.v1.RegisterMethod
 	1,  // 7: headscale.v1.RegisterMachineResponse.machine:type_name -> headscale.v1.Machine
 	1,  // 8: headscale.v1.GetMachineResponse.machine:type_name -> headscale.v1.Machine
-	1,  // 9: headscale.v1.ExpireMachineResponse.machine:type_name -> headscale.v1.Machine
-	1,  // 10: headscale.v1.ListMachinesResponse.machines:type_name -> headscale.v1.Machine
-	1,  // 11: headscale.v1.DebugCreateMachineResponse.machine:type_name -> headscale.v1.Machine
-	12, // [12:12] is the sub-list for method output_type
-	12, // [12:12] is the sub-list for method input_type
-	12, // [12:12] is the sub-list for extension type_name
-	12, // [12:12] is the sub-list for extension extendee
-	0,  // [0:12] is the sub-list for field type_name
+	1,  // 9: headscale.v1.SetTagsResponse.machine:type_name -> headscale.v1.Machine
+	1,  // 10: headscale.v1.ExpireMachineResponse.machine:type_name -> headscale.v1.Machine
+	1,  // 11: headscale.v1.RenameMachineResponse.machine:type_name -> headscale.v1.Machine
+	1,  // 12: headscale.v1.ListMachinesResponse.machines:type_name -> headscale.v1.Machine
+	1,  // 13: headscale.v1.MoveMachineResponse.machine:type_name -> headscale.v1.Machine
+	1,  // 14: headscale.v1.DebugCreateMachineResponse.machine:type_name -> headscale.v1.Machine
+	15, // [15:15] is the sub-list for method output_type
+	15, // [15:15] is the sub-list for method input_type
+	15, // [15:15] is the sub-list for extension type_name
+	15, // [15:15] is the sub-list for extension extendee
+	0,  // [0:15] is the sub-list for field type_name
 }

 func init() { file_headscale_v1_machine_proto_init() }
@@ -1039,7 +1423,7 @@ func file_headscale_v1_machine_proto_init() {
 			}
 		}
 		file_headscale_v1_machine_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*DeleteMachineRequest); i {
+			switch v := v.(*SetTagsRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -1051,7 +1435,7 @@ func file_headscale_v1_machine_proto_init() {
 			}
 		}
 		file_headscale_v1_machine_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*DeleteMachineResponse); i {
+			switch v := v.(*SetTagsResponse); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -1063,7 +1447,7 @@ func file_headscale_v1_machine_proto_init() {
 			}
 		}
 		file_headscale_v1_machine_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*ExpireMachineRequest); i {
+			switch v := v.(*DeleteMachineRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -1075,7 +1459,7 @@ func file_headscale_v1_machine_proto_init() {
 			}
 		}
 		file_headscale_v1_machine_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*ExpireMachineResponse); i {
+			switch v := v.(*DeleteMachineResponse); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -1087,7 +1471,7 @@ func file_headscale_v1_machine_proto_init() {
 			}
 		}
 		file_headscale_v1_machine_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*ListMachinesRequest); i {
+			switch v := v.(*ExpireMachineRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -1099,7 +1483,7 @@ func file_headscale_v1_machine_proto_init() {
 			}
 		}
 		file_headscale_v1_machine_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*ListMachinesResponse); i {
+			switch v := v.(*ExpireMachineResponse); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -1111,7 +1495,7 @@ func file_headscale_v1_machine_proto_init() {
 			}
 		}
 		file_headscale_v1_machine_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*DebugCreateMachineRequest); i {
+			switch v := v.(*RenameMachineRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -1123,6 +1507,78 @@ func file_headscale_v1_machine_proto_init() {
 			}
 		}
 		file_headscale_v1_machine_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*RenameMachineResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_headscale_v1_machine_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*ListMachinesRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_headscale_v1_machine_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*ListMachinesResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_headscale_v1_machine_proto_msgTypes[15].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*MoveMachineRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_headscale_v1_machine_proto_msgTypes[16].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*MoveMachineResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_headscale_v1_machine_proto_msgTypes[17].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DebugCreateMachineRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_headscale_v1_machine_proto_msgTypes[18].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*DebugCreateMachineResponse); i {
 			case 0:
 				return &v.state
@@ -1141,7 +1597,7 @@ func file_headscale_v1_machine_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_headscale_v1_machine_proto_rawDesc,
 			NumEnums:      1,
-			NumMessages:   13,
+			NumMessages:   19,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
--- a/gen/openapiv2/headscale/v1/headscale.swagger.json
+++ b/gen/openapiv2/headscale/v1/headscale.swagger.json
@@ -291,6 +291,80 @@
        ]
      }
    },
+    "/api/v1/machine/{machineId}/namespace": {
+      "post": {
+        "operationId": "HeadscaleService_MoveMachine",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1MoveMachineResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/rpcStatus"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "machineId",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "format": "uint64"
+          },
+          {
+            "name": "namespace",
+            "in": "query",
+            "required": false,
+            "type": "string"
+          }
+        ],
+        "tags": [
+          "HeadscaleService"
+        ]
+      }
+    },
+    "/api/v1/machine/{machineId}/rename/{newName}": {
+      "post": {
+        "operationId": "HeadscaleService_RenameMachine",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1RenameMachineResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/rpcStatus"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "machineId",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "format": "uint64"
+          },
+          {
+            "name": "newName",
+            "in": "path",
+            "required": true,
+            "type": "string"
+          }
+        ],
+        "tags": [
+          "HeadscaleService"
+        ]
+      }
+    },
    "/api/v1/machine/{machineId}/routes": {
      "get": {
        "summary": "--- Route start ---",
@@ -362,6 +436,53 @@
        ]
      }
    },
+    "/api/v1/machine/{machineId}/tags": {
+      "post": {
+        "operationId": "HeadscaleService_SetTags",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/v1SetTagsResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/rpcStatus"
+            }
+          }
+        },
+        "parameters": [
+          {
+            "name": "machineId",
+            "in": "path",
+            "required": true,
+            "type": "string",
+            "format": "uint64"
+          },
+          {
+            "name": "body",
+            "in": "body",
+            "required": true,
+            "schema": {
+              "type": "object",
+              "properties": {
+                "tags": {
+                  "type": "array",
+                  "items": {
+                    "type": "string"
+                  }
+                }
+              }
+            }
+          }
+        ],
+        "tags": [
+          "HeadscaleService"
+        ]
+      }
+    },
    "/api/v1/namespace": {
      "get": {
        "operationId": "HeadscaleService_ListNamespaces",
@@ -906,6 +1027,35 @@
        },
        "registerMethod": {
          "$ref": "#/definitions/v1RegisterMethod"
+        },
+        "forcedTags": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "invalidTags": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "validTags": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
+        },
+        "givenName": {
+          "type": "string"
+        }
+      }
+    },
+    "v1MoveMachineResponse": {
+      "type": "object",
+      "properties": {
+        "machine": {
+          "$ref": "#/definitions/v1Machine"
        }
      }
    },
@@ -973,6 +1123,14 @@
      ],
      "default": "REGISTER_METHOD_UNSPECIFIED"
    },
+    "v1RenameMachineResponse": {
+      "type": "object",
+      "properties": {
+        "machine": {
+          "$ref": "#/definitions/v1Machine"
+        }
+      }
+    },
    "v1RenameNamespaceResponse": {
      "type": "object",
      "properties": {
@@ -997,6 +1155,14 @@
          }
        }
      }
+    },
+    "v1SetTagsResponse": {
+      "type": "object",
+      "properties": {
+        "machine": {
+          "$ref": "#/definitions/v1Machine"
+        }
+      }
    }
  }
 }
--- a/go.mod
+++ b/go.mod
@@ -1,72 +1,68 @@
 module github.com/juanfont/headscale

-go 1.17
+go 1.18

 require (
-	github.com/AlecAivazis/survey/v2 v2.3.2
+	github.com/AlecAivazis/survey/v2 v2.3.4
+	github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029
 	github.com/coreos/go-oidc/v3 v3.1.0
+	github.com/deckarep/golang-set/v2 v2.1.0
 	github.com/efekarakus/termcolor v1.0.1
-	github.com/fatih/set v0.2.1
-	github.com/gin-gonic/gin v1.7.7
-	github.com/glebarez/sqlite v1.3.5
+	github.com/glebarez/sqlite v1.4.3
 	github.com/gofrs/uuid v4.2.0+incompatible
+	github.com/gorilla/mux v1.8.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.7.3
-	github.com/infobloxopen/protoc-gen-gorm v1.1.0
-	github.com/klauspost/compress v1.14.4
-	github.com/ory/dockertest/v3 v3.8.1
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.10.0
+	github.com/klauspost/compress v1.15.4
+	github.com/ory/dockertest/v3 v3.9.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philip-bui/grpc-zerolog v1.0.1
 	github.com/prometheus/client_golang v1.12.1
-	github.com/pterm/pterm v0.12.37
+	github.com/prometheus/common v0.32.1
+	github.com/pterm/pterm v0.12.41
+	github.com/puzpuzpuz/xsync v1.2.1
 	github.com/rs/zerolog v1.26.1
-	github.com/spf13/cobra v1.3.0
-	github.com/spf13/viper v1.10.1
-	github.com/stretchr/testify v1.7.0
-	github.com/tailscale/hujson v0.0.0-20211215203138-ffd971c5f362
+	github.com/spf13/cobra v1.4.0
+	github.com/spf13/viper v1.11.0
+	github.com/stretchr/testify v1.7.1
+	github.com/tailscale/hujson v0.0.0-20220506202205-92b4b88a9e17
 	github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e
-	github.com/zsais/go-gin-prometheus v0.1.0
-	golang.org/x/crypto v0.0.0-20220214200702-86341886e292
-	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	google.golang.org/genproto v0.0.0-20220228195345-15d65a4533f7
-	google.golang.org/grpc v1.44.0
-	google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.2.0
-	google.golang.org/protobuf v1.27.1
+	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f
+	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
+	golang.org/x/sync v0.0.0-20220513210516-0976fa681c29
+	google.golang.org/genproto v0.0.0-20220422154200-b37d22cd5731
+	google.golang.org/grpc v1.46.0
+	google.golang.org/protobuf v1.28.0
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
-	gorm.io/driver/postgres v1.3.1
-	gorm.io/gorm v1.23.1
+	gorm.io/driver/postgres v1.3.5
+	gorm.io/gorm v1.23.4
 	inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6
-	tailscale.com v1.22.0
+	tailscale.com v1.26.0
 )

 require (
-	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
+	github.com/akutz/memconn v0.1.0 // indirect
+	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect
 	github.com/atomicgo/cursor v0.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.2 // indirect
+	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/containerd/continuity v0.2.2 // indirect
+	github.com/containerd/continuity v0.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/denisenkom/go-mssqldb v0.12.0 // indirect
-	github.com/docker/cli v20.10.12+incompatible // indirect
-	github.com/docker/docker v20.10.12+incompatible // indirect
+	github.com/docker/cli v20.10.16+incompatible // indirect
+	github.com/docker/docker v20.10.16+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/fsnotify/fsnotify v1.5.1 // indirect
-	github.com/gin-contrib/sse v0.1.0 // indirect
-	github.com/glebarez/go-sqlite v1.14.8 // indirect
-	github.com/go-playground/locales v0.14.0 // indirect
-	github.com/go-playground/universal-translator v0.18.0 // indirect
-	github.com/go-playground/validator/v10 v10.10.0 // indirect
-	github.com/go-sql-driver/mysql v1.6.0 // indirect
+	github.com/glebarez/go-sqlite v1.16.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/glog v1.0.0 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/google/go-cmp v0.5.8 // indirect
 	github.com/google/go-github v17.0.0+incompatible // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
@@ -77,69 +73,67 @@ require (
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
-	github.com/jackc/pgconn v1.11.0 // indirect
+	github.com/jackc/pgconn v1.12.0 // indirect
 	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgproto3/v2 v2.2.0 // indirect
+	github.com/jackc/pgproto3/v2 v2.3.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
-	github.com/jackc/pgtype v1.10.0 // indirect
-	github.com/jackc/pgx/v4 v4.15.0 // indirect
-	github.com/jinzhu/gorm v1.9.16 // indirect
+	github.com/jackc/pgtype v1.11.0 // indirect
+	github.com/jackc/pgx/v4 v4.16.0 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.4 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/josharian/native v1.0.0 // indirect
+	github.com/jsimonetti/rtnetlink v1.1.2-0.20220408201609-d380b505068b // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/leodido/go-urn v1.2.1 // indirect
-	github.com/lib/pq v1.10.3 // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
 	github.com/mattn/go-runewidth v0.0.13 // indirect
-	github.com/mattn/go-sqlite3 v1.14.11 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
-	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
+	github.com/mdlayher/netlink v1.6.0 // indirect
+	github.com/mdlayher/socket v0.2.3 // indirect
+	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
+	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.4.3 // indirect
-	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/moby/term v0.0.0-20201216013528-df9cb8a40635 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.2 // indirect
-	github.com/opencontainers/runc v1.1.0 // indirect
+	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
+	github.com/opencontainers/runc v1.1.2 // indirect
 	github.com/pelletier/go-toml v1.9.4 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.0-beta.8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.32.1 // indirect
 	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
-	github.com/rogpeppe/go-internal v1.8.1 // indirect
+	github.com/rogpeppe/go-internal v1.8.1-0.20211023094830-115ce09fd6b4 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
-	github.com/spf13/afero v1.8.1 // indirect
+	github.com/spf13/afero v1.8.2 // indirect
 	github.com/spf13/cast v1.4.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/subosito/gotenv v1.2.0 // indirect
-	github.com/ugorji/go/codec v1.2.7 // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
 	go4.org/intern v0.0.0-20211027215823-ae77deb06f29 // indirect
 	go4.org/mem v0.0.0-20210711025021-927187094b94 // indirect
 	go4.org/unsafe/assume-no-moving-gc v0.0.0-20211027215541-db492cf91b37 // indirect
-	golang.org/x/net v0.0.0-20220225172249-27dd8689420f // indirect
-	golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9 // indirect
-	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
+	golang.org/x/net v0.0.0-20220516155154-20f960328961 // indirect
+	golang.org/x/sys v0.0.0-20220513210249-45d2b4557a2a // indirect
+	golang.org/x/term v0.0.0-20220411215600-e5f449aeb171 // indirect
 	golang.org/x/text v0.3.7 // indirect
+	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 // indirect
+	golang.zx2c4.com/wireguard/windows v0.4.10 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/ini.v1 v1.66.4 // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
-	modernc.org/libc v1.14.5 // indirect
+	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
+	modernc.org/libc v1.14.12 // indirect
 	modernc.org/mathutil v1.4.1 // indirect
-	modernc.org/memory v1.0.5 // indirect
-	modernc.org/sqlite v1.14.7 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	modernc.org/memory v1.0.7 // indirect
+	modernc.org/sqlite v1.16.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/grpcv1.go
+++ b/grpcv1.go
@@ -3,10 +3,14 @@ package headscale

 import (
 	"context"
+	"fmt"
+	"strings"
 	"time"

-	"github.com/juanfont/headscale/gen/go/headscale/v1"
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/rs/zerolog/log"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 	"tailscale.com/tailcfg"
 )

@@ -182,6 +186,52 @@ func (api headscaleV1APIServer) GetMachine(
 	return &v1.GetMachineResponse{Machine: machine.toProto()}, nil
 }

+func (api headscaleV1APIServer) SetTags(
+	ctx context.Context,
+	request *v1.SetTagsRequest,
+) (*v1.SetTagsResponse, error) {
+	machine, err := api.h.GetMachineByID(request.GetMachineId())
+	if err != nil {
+		return nil, err
+	}
+
+	for _, tag := range request.GetTags() {
+		err := validateTag(tag)
+		if err != nil {
+			return &v1.SetTagsResponse{
+					Machine: nil,
+			}, status.Error(codes.InvalidArgument, err.Error())
+		}
+	}
+
+	err = api.h.SetTags(machine, request.GetTags())
+	if err != nil {
+		return &v1.SetTagsResponse{
+			Machine: nil,
+		}, status.Error(codes.Internal, err.Error())
+	}
+
+	log.Trace().
+		Str("machine", machine.Hostname).
+		Strs("tags", request.GetTags()).
+		Msg("Changing tags of machine")
+
+	return &v1.SetTagsResponse{Machine: machine.toProto()}, nil
+}
+
+func validateTag(tag string) error {
+	if strings.Index(tag, "tag:") != 0 {
+		return fmt.Errorf("tag must start with the string 'tag:'")
+	}
+	if strings.ToLower(tag) != tag {
+		return fmt.Errorf("tag should be lowercase")
+	}
+	if len(strings.Fields(tag)) > 1 {
+		return fmt.Errorf("tag should not contains space")
+	}
+	return nil
+}
+
 func (api headscaleV1APIServer) DeleteMachine(
 	ctx context.Context,
 	request *v1.DeleteMachineRequest,
@@ -215,13 +265,38 @@ func (api headscaleV1APIServer) ExpireMachine(
 	)

 	log.Trace().
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Time("expiry", *machine.Expiry).
 		Msg("machine expired")

 	return &v1.ExpireMachineResponse{Machine: machine.toProto()}, nil
 }

+func (api headscaleV1APIServer) RenameMachine(
+	ctx context.Context,
+	request *v1.RenameMachineRequest,
+) (*v1.RenameMachineResponse, error) {
+	machine, err := api.h.GetMachineByID(request.GetMachineId())
+	if err != nil {
+		return nil, err
+	}
+
+	err = api.h.RenameMachine(
+		machine,
+		request.GetNewName(),
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	log.Trace().
+		Str("machine", machine.Hostname).
+		Str("new_name", request.GetNewName()).
+		Msg("machine renamed")
+
+	return &v1.RenameMachineResponse{Machine: machine.toProto()}, nil
+}
+
 func (api headscaleV1APIServer) ListMachines(
 	ctx context.Context,
 	request *v1.ListMachinesRequest,
@@ -247,12 +322,37 @@ func (api headscaleV1APIServer) ListMachines(

 	response := make([]*v1.Machine, len(machines))
 	for index, machine := range machines {
-		response[index] = machine.toProto()
+		m := machine.toProto()
+		validTags, invalidTags := getTags(
+			api.h.aclPolicy,
+			machine,
+			api.h.cfg.OIDC.StripEmaildomain,
+		)
+		m.InvalidTags = invalidTags
+		m.ValidTags = validTags
+		response[index] = m
 	}

 	return &v1.ListMachinesResponse{Machines: response}, nil
 }

+func (api headscaleV1APIServer) MoveMachine(
+	ctx context.Context,
+	request *v1.MoveMachineRequest,
+) (*v1.MoveMachineResponse, error) {
+	machine, err := api.h.GetMachineByID(request.GetMachineId())
+	if err != nil {
+		return nil, err
+	}
+
+	err = api.h.SetMachineNamespace(machine, request.GetNamespace())
+	if err != nil {
+		return nil, err
+	}
+
+	return &v1.MoveMachineResponse{Machine: machine.toProto()}, nil
+}
+
 func (api headscaleV1APIServer) GetMachineRoute(
 	ctx context.Context,
 	request *v1.GetMachineRouteRequest,
@@ -369,9 +469,15 @@ func (api headscaleV1APIServer) DebugCreateMachine(
 		Hostname:    "DebugTestMachine",
 	}

+	givenName, err := api.h.GenerateGivenName(request.GetName())
+	if err != nil {
+		return nil, err
+	}
+
 	newMachine := Machine{
 		MachineKey: request.GetKey(),
-		Name:       request.GetName(),
+		Hostname:   request.GetName(),
+		GivenName:  givenName,
 		Namespace:  *namespace,

 		Expiry:               &time.Time{},
--- a/grpcv1_test.go
+++ b/grpcv1_test.go
@@ -0,0 +1,42 @@
+package headscale
+
+import "testing"
+
+func Test_validateTag(t *testing.T) {
+	type args struct {
+		tag string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name:    "valid tag",
+			args:    args{tag: "tag:test"},
+			wantErr: false,
+		},
+		{
+			name:    "tag without tag prefix",
+			args:    args{tag: "test"},
+			wantErr: true,
+		},
+		{
+			name:    "uppercase tag",
+			args:    args{tag: "tag:tEST"},
+			wantErr: true,
+		},
+		{
+			name:    "tag that contains space",
+			args:    args{tag: "tag:this is a spaced tag"},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := validateTag(tt.args.tag); (err != nil) != tt.wantErr {
+				t.Errorf("validateTag() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
--- a/integration_cli_test.go
+++ b/integration_cli_test.go
@@ -40,27 +40,27 @@ func (s *IntegrationCLITestSuite) SetupTest() {
 	if ppool, err := dockertest.NewPool(""); err == nil {
 		s.pool = *ppool
 	} else {
-		log.Fatalf("Could not connect to docker: %s", err)
+		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
 	}

 	if pnetwork, err := s.pool.CreateNetwork("headscale-test"); err == nil {
 		s.network = *pnetwork
 	} else {
-		log.Fatalf("Could not create network: %s", err)
+		s.FailNow(fmt.Sprintf("Could not create network: %s", err), "")
 	}

 	headscaleBuildOptions := &dockertest.BuildOptions{
-		Dockerfile: "Dockerfile",
+		Dockerfile: "Dockerfile.tmp-integration",
 		ContextDir: ".",
 	}

 	currentPath, err := os.Getwd()
 	if err != nil {
-		log.Fatalf("Could not determine current path: %s", err)
+		s.FailNow(fmt.Sprintf("Could not determine current path: %s", err), "")
 	}

 	headscaleOptions := &dockertest.RunOptions{
-		Name: "headscale",
+		Name: "headscale-cli",
 		Mounts: []string{
 			fmt.Sprintf("%s/integration_test/etc:/etc/headscale", currentPath),
 		},
@@ -68,11 +68,16 @@ func (s *IntegrationCLITestSuite) SetupTest() {
 		Cmd:      []string{"headscale", "serve"},
 	}

+	err = s.pool.RemoveContainerByName(headscaleHostname)
+	if err != nil {
+		s.FailNow(fmt.Sprintf("Could not remove existing container before building test: %s", err), "")
+	}
+
 	fmt.Println("Creating headscale container")
 	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
 		s.headscale = *pheadscale
 	} else {
-		log.Fatalf("Could not start resource: %s", err)
+		s.FailNow(fmt.Sprintf("Could not start headscale container: %s", err), "")
 	}
 	fmt.Println("Created headscale container")

@@ -525,6 +530,135 @@ func (s *IntegrationCLITestSuite) TestPreAuthKeyCommandReusableEphemeral() {
 	assert.Len(s.T(), listedPreAuthKeys, 2)
 }

+func (s *IntegrationCLITestSuite) TestNodeTagCommand() {
+	namespace, err := s.createNamespace("machine-namespace")
+	assert.Nil(s.T(), err)
+
+	machineKeys := []string{
+		"9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		"6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
+	}
+	machines := make([]*v1.Machine, len(machineKeys))
+	assert.Nil(s.T(), err)
+
+	for index, machineKey := range machineKeys {
+		_, err := ExecuteCommand(
+			&s.headscale,
+			[]string{
+				"headscale",
+				"debug",
+				"create-node",
+				"--name",
+				fmt.Sprintf("machine-%d", index+1),
+				"--namespace",
+				namespace.Name,
+				"--key",
+				machineKey,
+				"--output",
+				"json",
+			},
+			[]string{},
+		)
+		assert.Nil(s.T(), err)
+
+		machineResult, err := ExecuteCommand(
+			&s.headscale,
+			[]string{
+				"headscale",
+				"nodes",
+				"--namespace",
+				namespace.Name,
+				"register",
+				"--key",
+				machineKey,
+				"--output",
+				"json",
+			},
+			[]string{},
+		)
+		assert.Nil(s.T(), err)
+
+		var machine v1.Machine
+		err = json.Unmarshal([]byte(machineResult), &machine)
+		assert.Nil(s.T(), err)
+
+		machines[index] = &machine
+	}
+	assert.Len(s.T(), machines, len(machineKeys))
+
+	addTagResult, err := ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"tag",
+			"-i", "1",
+			"-t", "tag:test",
+			"--output", "json",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	var machine v1.Machine
+	err = json.Unmarshal([]byte(addTagResult), &machine)
+	assert.Nil(s.T(), err)
+	assert.Equal(s.T(), []string{"tag:test"}, machine.ForcedTags)
+
+	// try to set a wrong tag and retrieve the error
+	wrongTagResult, err := ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"tag",
+			"-i", "2",
+			"-t", "wrong-tag",
+			"--output", "json",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+	type errOutput struct {
+		Error string `json:"error"`
+	}
+	var errorOutput errOutput
+	err = json.Unmarshal([]byte(wrongTagResult), &errorOutput)
+	assert.Nil(s.T(), err)
+	assert.Contains(s.T(), errorOutput.Error, "tag must start with the string 'tag:'")
+
+	// Test list all nodes after added seconds
+	listAllResult, err := ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"list",
+			"--output", "json",
+		},
+		[]string{},
+	)
+	resultMachines := make([]*v1.Machine, len(machineKeys))
+	assert.Nil(s.T(), err)
+	json.Unmarshal([]byte(listAllResult), &resultMachines)
+	found := false
+	for _, machine := range resultMachines {
+		if machine.ForcedTags != nil {
+			for _, tag := range machine.ForcedTags {
+				if tag == "tag:test" {
+					found = true
+				}
+			}
+		}
+	}
+	assert.Equal(
+		s.T(),
+		true,
+		found,
+		"should find a machine with the tag 'tag:test' in the list of machines",
+	)
+}
+
 func (s *IntegrationCLITestSuite) TestNodeCommand() {
 	namespace, err := s.createNamespace("machine-namespace")
 	assert.Nil(s.T(), err)
@@ -914,6 +1048,178 @@ func (s *IntegrationCLITestSuite) TestNodeExpireCommand() {
 	assert.True(s.T(), listAllAfterExpiry[4].Expiry.AsTime().IsZero())
 }

+func (s *IntegrationCLITestSuite) TestNodeRenameCommand() {
+	namespace, err := s.createNamespace("machine-rename-command")
+	assert.Nil(s.T(), err)
+
+	// Randomly generated machine keys
+	machineKeys := []string{
+		"cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		"8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
+		"f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		"6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
+		"9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+	}
+	machines := make([]*v1.Machine, len(machineKeys))
+	assert.Nil(s.T(), err)
+
+	for index, machineKey := range machineKeys {
+		_, err := ExecuteCommand(
+			&s.headscale,
+			[]string{
+				"headscale",
+				"debug",
+				"create-node",
+				"--name",
+				fmt.Sprintf("machine-%d", index+1),
+				"--namespace",
+				namespace.Name,
+				"--key",
+				machineKey,
+				"--output",
+				"json",
+			},
+			[]string{},
+		)
+		assert.Nil(s.T(), err)
+
+		machineResult, err := ExecuteCommand(
+			&s.headscale,
+			[]string{
+				"headscale",
+				"nodes",
+				"--namespace",
+				namespace.Name,
+				"register",
+				"--key",
+				machineKey,
+				"--output",
+				"json",
+			},
+			[]string{},
+		)
+		assert.Nil(s.T(), err)
+
+		var machine v1.Machine
+		err = json.Unmarshal([]byte(machineResult), &machine)
+		assert.Nil(s.T(), err)
+
+		machines[index] = &machine
+	}
+
+	assert.Len(s.T(), machines, len(machineKeys))
+
+	listAllResult, err := ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"list",
+			"--output",
+			"json",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	var listAll []v1.Machine
+	err = json.Unmarshal([]byte(listAllResult), &listAll)
+	assert.Nil(s.T(), err)
+
+	assert.Len(s.T(), listAll, 5)
+
+	assert.Contains(s.T(), listAll[0].GetGivenName(), "machine-1")
+	assert.Contains(s.T(), listAll[1].GetGivenName(), "machine-2")
+	assert.Contains(s.T(), listAll[2].GetGivenName(), "machine-3")
+	assert.Contains(s.T(), listAll[3].GetGivenName(), "machine-4")
+	assert.Contains(s.T(), listAll[4].GetGivenName(), "machine-5")
+
+	for i := 0; i < 3; i++ {
+		_, err := ExecuteCommand(
+			&s.headscale,
+			[]string{
+				"headscale",
+				"nodes",
+				"rename",
+				"--identifier",
+				fmt.Sprintf("%d", listAll[i].Id),
+				fmt.Sprintf("newmachine-%d", i+1),
+			},
+			[]string{},
+		)
+		assert.Nil(s.T(), err)
+	}
+
+	listAllAfterRenameResult, err := ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"list",
+			"--output",
+			"json",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	var listAllAfterRename []v1.Machine
+	err = json.Unmarshal([]byte(listAllAfterRenameResult), &listAllAfterRename)
+	assert.Nil(s.T(), err)
+
+	assert.Len(s.T(), listAllAfterRename, 5)
+
+	assert.Equal(s.T(), "newmachine-1", listAllAfterRename[0].GetGivenName())
+	assert.Equal(s.T(), "newmachine-2", listAllAfterRename[1].GetGivenName())
+	assert.Equal(s.T(), "newmachine-3", listAllAfterRename[2].GetGivenName())
+	assert.Contains(s.T(), listAllAfterRename[3].GetGivenName(), "machine-4")
+	assert.Contains(s.T(), listAllAfterRename[4].GetGivenName(), "machine-5")
+
+	// Test failure for too long names
+	result, err := ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"rename",
+			"--identifier",
+			fmt.Sprintf("%d", listAll[4].Id),
+			"testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine12345678901234567890",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+	assert.Contains(s.T(), result, "not be over 63 chars")
+
+	listAllAfterRenameAttemptResult, err := ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"list",
+			"--output",
+			"json",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	var listAllAfterRenameAttempt []v1.Machine
+	err = json.Unmarshal(
+		[]byte(listAllAfterRenameAttemptResult),
+		&listAllAfterRenameAttempt,
+	)
+	assert.Nil(s.T(), err)
+
+	assert.Len(s.T(), listAllAfterRenameAttempt, 5)
+
+	assert.Equal(s.T(), "newmachine-1", listAllAfterRenameAttempt[0].GetGivenName())
+	assert.Equal(s.T(), "newmachine-2", listAllAfterRenameAttempt[1].GetGivenName())
+	assert.Equal(s.T(), "newmachine-3", listAllAfterRenameAttempt[2].GetGivenName())
+	assert.Contains(s.T(), listAllAfterRenameAttempt[3].GetGivenName(), "machine-4")
+	assert.Contains(s.T(), listAllAfterRenameAttempt[4].GetGivenName(), "machine-5")
+}
+
 func (s *IntegrationCLITestSuite) TestRouteCommand() {
 	namespace, err := s.createNamespace("routes-namespace")
 	assert.Nil(s.T(), err)
@@ -1076,6 +1382,35 @@ func (s *IntegrationCLITestSuite) TestRouteCommand() {
 		string(failEnableNonAdvertisedRoute),
 		"route (route-machine) is not available on node",
 	)
+
+	// Enable all routes on host
+	enableAllRouteResult, err := ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"routes",
+			"enable",
+			"--output",
+			"json",
+			"--identifier",
+			"0",
+			"--all",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	var enableAllRoute v1.Routes
+	err = json.Unmarshal([]byte(enableAllRouteResult), &enableAllRoute)
+	assert.Nil(s.T(), err)
+
+	assert.Len(s.T(), enableAllRoute.AdvertisedRoutes, 2)
+	assert.Contains(s.T(), enableAllRoute.AdvertisedRoutes, "10.0.0.0/8")
+	assert.Contains(s.T(), enableAllRoute.AdvertisedRoutes, "192.168.1.0/24")
+
+	assert.Len(s.T(), enableAllRoute.EnabledRoutes, 2)
+	assert.Contains(s.T(), enableAllRoute.EnabledRoutes, "10.0.0.0/8")
+	assert.Contains(s.T(), enableAllRoute.EnabledRoutes, "192.168.1.0/24")
 }

 func (s *IntegrationCLITestSuite) TestApiKeyCommand() {
@@ -1222,3 +1557,212 @@ func (s *IntegrationCLITestSuite) TestApiKeyCommand() {
 		}
 	}
 }
+
+func (s *IntegrationCLITestSuite) TestNodeMoveCommand() {
+	oldNamespace, err := s.createNamespace("old-namespace")
+	assert.Nil(s.T(), err)
+	newNamespace, err := s.createNamespace("new-namespace")
+	assert.Nil(s.T(), err)
+
+	// Randomly generated machine key
+	machineKey := "688411b767663479632d44140f08a9fde87383adc7cdeb518f62ce28a17ef0aa"
+
+	_, err = ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"debug",
+			"create-node",
+			"--name",
+			"nomad-machine",
+			"--namespace",
+			oldNamespace.Name,
+			"--key",
+			machineKey,
+			"--output",
+			"json",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	machineResult, err := ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"--namespace",
+			oldNamespace.Name,
+			"register",
+			"--key",
+			machineKey,
+			"--output",
+			"json",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	var machine v1.Machine
+	err = json.Unmarshal([]byte(machineResult), &machine)
+	assert.Nil(s.T(), err)
+
+	assert.Equal(s.T(), uint64(1), machine.Id)
+	assert.Equal(s.T(), "nomad-machine", machine.Name)
+	assert.Equal(s.T(), machine.Namespace.Name, oldNamespace.Name)
+
+	machineId := fmt.Sprintf("%d", machine.Id)
+
+	moveToNewNSResult, err := ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"move",
+			"--identifier",
+			machineId,
+			"--namespace",
+			newNamespace.Name,
+			"--output",
+			"json",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	err = json.Unmarshal([]byte(moveToNewNSResult), &machine)
+	assert.Nil(s.T(), err)
+
+	assert.Equal(s.T(), machine.Namespace, newNamespace)
+
+	listAllNodesResult, err := ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"list",
+			"--output",
+			"json",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	var allNodes []v1.Machine
+	err = json.Unmarshal([]byte(listAllNodesResult), &allNodes)
+	assert.Nil(s.T(), err)
+
+	assert.Len(s.T(), allNodes, 1)
+
+	assert.Equal(s.T(), allNodes[0].Id, machine.Id)
+	assert.Equal(s.T(), allNodes[0].Namespace, machine.Namespace)
+	assert.Equal(s.T(), allNodes[0].Namespace, newNamespace)
+
+	moveToNonExistingNSResult, err := ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"move",
+			"--identifier",
+			machineId,
+			"--namespace",
+			"non-existing-namespace",
+			"--output",
+			"json",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	assert.Contains(
+		s.T(),
+		string(moveToNonExistingNSResult),
+		"Namespace not found",
+	)
+	assert.Equal(s.T(), machine.Namespace, newNamespace)
+
+	moveToOldNSResult, err := ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"move",
+			"--identifier",
+			machineId,
+			"--namespace",
+			oldNamespace.Name,
+			"--output",
+			"json",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	err = json.Unmarshal([]byte(moveToOldNSResult), &machine)
+	assert.Nil(s.T(), err)
+
+	assert.Equal(s.T(), machine.Namespace, oldNamespace)
+
+	moveToSameNSResult, err := ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"move",
+			"--identifier",
+			machineId,
+			"--namespace",
+			oldNamespace.Name,
+			"--output",
+			"json",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	err = json.Unmarshal([]byte(moveToSameNSResult), &machine)
+	assert.Nil(s.T(), err)
+
+	assert.Equal(s.T(), machine.Namespace, oldNamespace)
+}
+
+func (s *IntegrationCLITestSuite) TestLoadConfigFromCommand() {
+	// TODO: make sure defaultConfig is not same as altConfig
+	defaultConfig, err := os.ReadFile("integration_test/etc/config.dump.gold.yaml")
+	assert.Nil(s.T(), err)
+	altConfig, err := os.ReadFile("integration_test/etc/alt-config.dump.gold.yaml")
+	assert.Nil(s.T(), err)
+
+	_, err = ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"dumpConfig",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	defaultDumpConfig, err := os.ReadFile("integration_test/etc/config.dump.yaml")
+	assert.Nil(s.T(), err)
+
+	assert.YAMLEq(s.T(), string(defaultConfig), string(defaultDumpConfig))
+
+	_, err = ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"-c",
+			"/etc/headscale/alt-config.yaml",
+			"dumpConfig",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	altDumpConfig, err := os.ReadFile("integration_test/etc/config.dump.yaml")
+	assert.Nil(s.T(), err)
+
+	assert.YAMLEq(s.T(), string(altConfig), string(altDumpConfig))
+}
--- a/integration_common_test.go
+++ b/integration_common_test.go
@@ -5,21 +5,49 @@ package headscale

 import (
 	"bytes"
+	"encoding/json"
+	"errors"
 	"fmt"
+	"os"
+	"strconv"
+	"strings"
 	"time"

+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/ory/dockertest/v3"
 	"github.com/ory/dockertest/v3/docker"
 	"inet.af/netaddr"
 )

-const DOCKER_EXECUTE_TIMEOUT = 10 * time.Second
+const (
+	DOCKER_EXECUTE_TIMEOUT = 10 * time.Second
+)

 var (
+	errEnvVarEmpty = errors.New("getenv: environment variable empty")
+
 	IpPrefix4 = netaddr.MustParseIPPrefix("100.64.0.0/10")
 	IpPrefix6 = netaddr.MustParseIPPrefix("fd7a:115c:a1e0::/48")
+
+	tailscaleVersions = []string{
+		"head",
+		"unstable",
+		"1.26.0",
+		"1.24.2",
+		"1.22.2",
+		"1.20.4",
+		"1.18.2",
+		"1.16.2",
+		"1.14.3",
+		"1.12.3",
+	}
 )

+type TestNamespace struct {
+	count      int
+	tailscales map[string]dockertest.Resource
+}
+
 type ExecuteCommandConfig struct {
 	timeout time.Duration
 }
@@ -119,3 +147,168 @@ func DockerAllowNetworkAdministration(config *docker.HostConfig) {
 		Target: "/dev/net/tun",
 	})
 }
+
+func getDockerBuildOptions(version string) *dockertest.BuildOptions {
+	var tailscaleBuildOptions *dockertest.BuildOptions
+	switch version {
+	case "head":
+		tailscaleBuildOptions = &dockertest.BuildOptions{
+			Dockerfile: "Dockerfile.tailscale-HEAD",
+			ContextDir: ".",
+			BuildArgs:  []docker.BuildArg{},
+		}
+	case "unstable":
+		tailscaleBuildOptions = &dockertest.BuildOptions{
+			Dockerfile: "Dockerfile.tailscale",
+			ContextDir: ".",
+			BuildArgs: []docker.BuildArg{
+				{
+					Name:  "TAILSCALE_VERSION",
+					Value: "*", // Installs the latest version https://askubuntu.com/a/824926
+				},
+				{
+					Name:  "TAILSCALE_CHANNEL",
+					Value: "unstable",
+				},
+			},
+		}
+	default:
+		tailscaleBuildOptions = &dockertest.BuildOptions{
+			Dockerfile: "Dockerfile.tailscale",
+			ContextDir: ".",
+			BuildArgs: []docker.BuildArg{
+				{
+					Name:  "TAILSCALE_VERSION",
+					Value: version,
+				},
+				{
+					Name:  "TAILSCALE_CHANNEL",
+					Value: "stable",
+				},
+			},
+		}
+	}
+	return tailscaleBuildOptions
+}
+
+func getIPs(
+	tailscales map[string]dockertest.Resource,
+) (map[string][]netaddr.IP, error) {
+	ips := make(map[string][]netaddr.IP)
+	for hostname, tailscale := range tailscales {
+		command := []string{"tailscale", "ip"}
+
+		result, err := ExecuteCommand(
+			&tailscale,
+			command,
+			[]string{},
+		)
+		if err != nil {
+			return nil, err
+		}
+
+		for _, address := range strings.Split(result, "\n") {
+			address = strings.TrimSuffix(address, "\n")
+			if len(address) < 1 {
+				continue
+			}
+			ip, err := netaddr.ParseIP(address)
+			if err != nil {
+				return nil, err
+			}
+			ips[hostname] = append(ips[hostname], ip)
+		}
+	}
+
+	return ips, nil
+}
+
+func getDNSNames(
+	headscale *dockertest.Resource,
+) ([]string, error) {
+
+	listAllResult, err := ExecuteCommand(
+		headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"list",
+			"--output",
+			"json",
+		},
+		[]string{},
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	var listAll []v1.Machine
+	err = json.Unmarshal([]byte(listAllResult), &listAll)
+	if err != nil {
+		return nil, err
+	}
+
+	hostnames := make([]string, len(listAll))
+
+	for index := range listAll {
+		hostnames[index] = listAll[index].GetGivenName()
+	}
+
+	return hostnames, nil
+}
+
+func getMagicFQDN(
+	headscale *dockertest.Resource,
+) ([]string, error) {
+
+	listAllResult, err := ExecuteCommand(
+		headscale,
+		[]string{
+			"headscale",
+			"nodes",
+			"list",
+			"--output",
+			"json",
+		},
+		[]string{},
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	var listAll []v1.Machine
+	err = json.Unmarshal([]byte(listAllResult), &listAll)
+	if err != nil {
+		return nil, err
+	}
+
+	hostnames := make([]string, len(listAll))
+
+	for index := range listAll {
+		hostnames[index] = fmt.Sprintf("%s.%s.headscale.net", listAll[index].GetGivenName(), listAll[index].GetNamespace().GetName())
+	}
+
+	return hostnames, nil
+}
+
+func GetEnvStr(key string) (string, error) {
+	v := os.Getenv(key)
+	if v == "" {
+		return v, errEnvVarEmpty
+	}
+
+	return v, nil
+}
+
+func GetEnvBool(key string) (bool, error) {
+	s, err := GetEnvStr(key)
+	if err != nil {
+		return false, err
+	}
+	v, err := strconv.ParseBool(s)
+	if err != nil {
+		return false, err
+	}
+
+	return v, nil
+}
--- a/integration_embedded_derp_test.go
+++ b/integration_embedded_derp_test.go
@@ -0,0 +1,433 @@
+//go:build integration
+
+package headscale
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"os"
+	"path"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/suite"
+
+	"github.com/ccding/go-stun/stun"
+)
+
+const (
+	headscaleHostname = "headscale-derp"
+	namespaceName     = "derpnamespace"
+	totalContainers   = 3
+)
+
+type IntegrationDERPTestSuite struct {
+	suite.Suite
+	stats *suite.SuiteInformation
+
+	pool      dockertest.Pool
+	networks  map[int]dockertest.Network // so we keep the containers isolated
+	headscale dockertest.Resource
+	saveLogs  bool
+
+	tailscales    map[string]dockertest.Resource
+	joinWaitGroup sync.WaitGroup
+}
+
+func TestDERPIntegrationTestSuite(t *testing.T) {
+	saveLogs, err := GetEnvBool("HEADSCALE_INTEGRATION_SAVE_LOG")
+	if err != nil {
+		saveLogs = false
+	}
+
+	s := new(IntegrationDERPTestSuite)
+
+	s.tailscales = make(map[string]dockertest.Resource)
+	s.networks = make(map[int]dockertest.Network)
+	s.saveLogs = saveLogs
+
+	suite.Run(t, s)
+
+	// HandleStats, which allows us to check if we passed and save logs
+	// is called after TearDown, so we cannot tear down containers before
+	// we have potentially saved the logs.
+	if s.saveLogs {
+		for _, tailscale := range s.tailscales {
+			if err := s.pool.Purge(&tailscale); err != nil {
+				log.Printf("Could not purge resource: %s\n", err)
+			}
+		}
+
+		if !s.stats.Passed() {
+			err := s.saveLog(&s.headscale, "test_output")
+			if err != nil {
+				log.Printf("Could not save log: %s\n", err)
+			}
+		}
+		if err := s.pool.Purge(&s.headscale); err != nil {
+			log.Printf("Could not purge resource: %s\n", err)
+		}
+
+		for _, network := range s.networks {
+			if err := network.Close(); err != nil {
+				log.Printf("Could not close network: %s\n", err)
+			}
+		}
+	}
+}
+
+func (s *IntegrationDERPTestSuite) SetupSuite() {
+	if ppool, err := dockertest.NewPool(""); err == nil {
+		s.pool = *ppool
+	} else {
+		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
+	}
+
+	for i := 0; i < totalContainers; i++ {
+		if pnetwork, err := s.pool.CreateNetwork(fmt.Sprintf("headscale-derp-%d", i)); err == nil {
+			s.networks[i] = *pnetwork
+		} else {
+			s.FailNow(fmt.Sprintf("Could not create network: %s", err), "")
+		}
+	}
+
+	headscaleBuildOptions := &dockertest.BuildOptions{
+		Dockerfile: "Dockerfile.tmp-integration",
+		ContextDir: ".",
+	}
+
+	currentPath, err := os.Getwd()
+	if err != nil {
+		s.FailNow(fmt.Sprintf("Could not determine current path: %s", err), "")
+	}
+
+	headscaleOptions := &dockertest.RunOptions{
+		Name: headscaleHostname,
+		Mounts: []string{
+			fmt.Sprintf(
+				"%s/integration_test/etc_embedded_derp:/etc/headscale",
+				currentPath,
+			),
+		},
+		Cmd:          []string{"headscale", "serve"},
+		ExposedPorts: []string{"8443/tcp", "3478/udp"},
+		PortBindings: map[docker.Port][]docker.PortBinding{
+			"8443/tcp": {{HostPort: "8443"}},
+			"3478/udp": {{HostPort: "3478"}},
+		},
+	}
+
+	err = s.pool.RemoveContainerByName(headscaleHostname)
+	if err != nil {
+		s.FailNow(fmt.Sprintf("Could not remove existing container before building test: %s", err), "")
+	}
+
+	log.Println("Creating headscale container")
+	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
+		s.headscale = *pheadscale
+	} else {
+		s.FailNow(fmt.Sprintf("Could not start headscale container: %s", err), "")
+	}
+	log.Println("Created headscale container to test DERP")
+
+	log.Println("Creating tailscale containers")
+
+	for i := 0; i < totalContainers; i++ {
+		version := tailscaleVersions[i%len(tailscaleVersions)]
+		hostname, container := s.tailscaleContainer(
+			fmt.Sprint(i),
+			version,
+			s.networks[i],
+		)
+		s.tailscales[hostname] = *container
+	}
+
+	log.Println("Waiting for headscale to be ready")
+	hostEndpoint := fmt.Sprintf("localhost:%s", s.headscale.GetPort("8443/tcp"))
+
+	if err := s.pool.Retry(func() error {
+		url := fmt.Sprintf("https://%s/health", hostEndpoint)
+		insecureTransport := http.DefaultTransport.(*http.Transport).Clone()
+		insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+		client := &http.Client{Transport: insecureTransport}
+		resp, err := client.Get(url)
+		if err != nil {
+			return err
+		}
+
+		if resp.StatusCode != http.StatusOK {
+			return fmt.Errorf("status code not OK")
+		}
+
+		return nil
+	}); err != nil {
+		// TODO(kradalby): If we cannot access headscale, or any other fatal error during
+		// test setup, we need to abort and tear down. However, testify does not seem to
+		// support that at the moment:
+		// https://github.com/stretchr/testify/issues/849
+		return // fmt.Errorf("Could not connect to headscale: %s", err)
+	}
+	log.Println("headscale container is ready")
+
+	log.Printf("Creating headscale namespace: %s\n", namespaceName)
+	result, err := ExecuteCommand(
+		&s.headscale,
+		[]string{"headscale", "namespaces", "create", namespaceName},
+		[]string{},
+	)
+	log.Println("headscale create namespace result: ", result)
+	assert.Nil(s.T(), err)
+
+	log.Printf("Creating pre auth key for %s\n", namespaceName)
+	preAuthResult, err := ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"--namespace",
+			namespaceName,
+			"preauthkeys",
+			"create",
+			"--reusable",
+			"--expiration",
+			"24h",
+			"--output",
+			"json",
+		},
+		[]string{"LOG_LEVEL=error"},
+	)
+	assert.Nil(s.T(), err)
+
+	var preAuthKey v1.PreAuthKey
+	err = json.Unmarshal([]byte(preAuthResult), &preAuthKey)
+	assert.Nil(s.T(), err)
+	assert.True(s.T(), preAuthKey.Reusable)
+
+	headscaleEndpoint := fmt.Sprintf(
+		"https://headscale:%s",
+		s.headscale.GetPort("8443/tcp"),
+	)
+
+	log.Printf(
+		"Joining tailscale containers to headscale at %s\n",
+		headscaleEndpoint,
+	)
+	for hostname, tailscale := range s.tailscales {
+		s.joinWaitGroup.Add(1)
+		go s.Join(headscaleEndpoint, preAuthKey.Key, hostname, tailscale)
+	}
+
+	s.joinWaitGroup.Wait()
+
+	// The nodes need a bit of time to get their updated maps from headscale
+	// TODO: See if we can have a more deterministic wait here.
+	time.Sleep(60 * time.Second)
+}
+
+func (s *IntegrationDERPTestSuite) Join(
+	endpoint, key, hostname string,
+	tailscale dockertest.Resource,
+) {
+	defer s.joinWaitGroup.Done()
+
+	command := []string{
+		"tailscale",
+		"up",
+		"-login-server",
+		endpoint,
+		"--authkey",
+		key,
+		"--hostname",
+		hostname,
+	}
+
+	log.Println("Join command:", command)
+	log.Printf("Running join command for %s\n", hostname)
+	_, err := ExecuteCommand(
+		&tailscale,
+		command,
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+	log.Printf("%s joined\n", hostname)
+}
+
+func (s *IntegrationDERPTestSuite) tailscaleContainer(
+	identifier, version string,
+	network dockertest.Network,
+) (string, *dockertest.Resource) {
+	tailscaleBuildOptions := getDockerBuildOptions(version)
+
+	hostname := fmt.Sprintf(
+		"tailscale-%s-%s",
+		strings.Replace(version, ".", "-", -1),
+		identifier,
+	)
+	tailscaleOptions := &dockertest.RunOptions{
+		Name:     hostname,
+		Networks: []*dockertest.Network{&network},
+		Cmd: []string{
+			"tailscaled", "--tun=tsdev",
+		},
+
+		// expose the host IP address, so we can access it from inside the container
+		ExtraHosts: []string{
+			"host.docker.internal:host-gateway",
+			"headscale:host-gateway",
+		},
+	}
+
+	pts, err := s.pool.BuildAndRunWithBuildOptions(
+		tailscaleBuildOptions,
+		tailscaleOptions,
+		DockerRestartPolicy,
+		DockerAllowLocalIPv6,
+		DockerAllowNetworkAdministration,
+	)
+	if err != nil {
+		log.Fatalf("Could not start tailscale container version %s: %s", version, err)
+	}
+	log.Printf("Created %s container\n", hostname)
+
+	return hostname, pts
+}
+
+func (s *IntegrationDERPTestSuite) TearDownSuite() {
+	if !s.saveLogs {
+		for _, tailscale := range s.tailscales {
+			if err := s.pool.Purge(&tailscale); err != nil {
+				log.Printf("Could not purge resource: %s\n", err)
+			}
+		}
+
+		if err := s.pool.Purge(&s.headscale); err != nil {
+			log.Printf("Could not purge resource: %s\n", err)
+		}
+
+		for _, network := range s.networks {
+			if err := network.Close(); err != nil {
+				log.Printf("Could not close network: %s\n", err)
+			}
+		}
+	}
+}
+
+func (s *IntegrationDERPTestSuite) HandleStats(
+	suiteName string,
+	stats *suite.SuiteInformation,
+) {
+	s.stats = stats
+}
+
+func (s *IntegrationDERPTestSuite) saveLog(
+	resource *dockertest.Resource,
+	basePath string,
+) error {
+	err := os.MkdirAll(basePath, os.ModePerm)
+	if err != nil {
+		return err
+	}
+
+	var stdout bytes.Buffer
+	var stderr bytes.Buffer
+
+	err = s.pool.Client.Logs(
+		docker.LogsOptions{
+			Context:      context.TODO(),
+			Container:    resource.Container.ID,
+			OutputStream: &stdout,
+			ErrorStream:  &stderr,
+			Tail:         "all",
+			RawTerminal:  false,
+			Stdout:       true,
+			Stderr:       true,
+			Follow:       false,
+			Timestamps:   false,
+		},
+	)
+	if err != nil {
+		return err
+	}
+
+	log.Printf("Saving logs for %s to %s\n", resource.Container.Name, basePath)
+
+	err = ioutil.WriteFile(
+		path.Join(basePath, resource.Container.Name+".stdout.log"),
+		[]byte(stdout.String()),
+		0o644,
+	)
+	if err != nil {
+		return err
+	}
+
+	err = ioutil.WriteFile(
+		path.Join(basePath, resource.Container.Name+".stderr.log"),
+		[]byte(stdout.String()),
+		0o644,
+	)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (s *IntegrationDERPTestSuite) TestPingAllPeersByHostname() {
+	hostnames, err := getDNSNames(&s.headscale)
+	assert.Nil(s.T(), err)
+
+	log.Printf("Hostnames: %#v\n", hostnames)
+
+	for hostname, tailscale := range s.tailscales {
+		for _, peername := range hostnames {
+			if strings.Contains(peername, hostname) {
+				continue
+			}
+			s.T().Run(fmt.Sprintf("%s-%s", hostname, peername), func(t *testing.T) {
+				command := []string{
+					"tailscale", "ping",
+					"--timeout=10s",
+					"--c=5",
+					"--until-direct=false",
+					peername,
+				}
+
+				log.Printf(
+					"Pinging using hostname from %s to %s\n",
+					hostname,
+					peername,
+				)
+				log.Println(command)
+				result, err := ExecuteCommand(
+					&tailscale,
+					command,
+					[]string{},
+				)
+				assert.Nil(t, err)
+				log.Printf("Result for %s: %s\n", hostname, result)
+				assert.Contains(t, result, "via DERP(headscale)")
+			})
+		}
+	}
+}
+
+func (s *IntegrationDERPTestSuite) TestDERPSTUN() {
+	headscaleSTUNAddr := fmt.Sprintf("localhost:%s", s.headscale.GetPort("3478/udp"))
+	client := stun.NewClient()
+	client.SetVerbose(true)
+	client.SetVVerbose(true)
+	client.SetServerAddr(headscaleSTUNAddr)
+	_, _, err := client.Discover()
+	assert.Nil(s.T(), err)
+}
--- a/integration_test.go
+++ b/integration_test.go
@@ -29,13 +29,6 @@ import (
 	"tailscale.com/ipn/ipnstate"
 )

-var tailscaleVersions = []string{"1.20.4", "1.18.2", "1.16.2", "1.14.3", "1.12.3"}
-
-type TestNamespace struct {
-	count      int
-	tailscales map[string]dockertest.Resource
-}
-
 type IntegrationTestSuite struct {
 	suite.Suite
 	stats *suite.SuiteInformation
@@ -43,6 +36,7 @@ type IntegrationTestSuite struct {
 	pool      dockertest.Pool
 	network   dockertest.Network
 	headscale dockertest.Resource
+	saveLogs  bool

 	namespaces map[string]TestNamespace

@@ -50,44 +44,52 @@ type IntegrationTestSuite struct {
 }

 func TestIntegrationTestSuite(t *testing.T) {
+	saveLogs, err := GetEnvBool("HEADSCALE_INTEGRATION_SAVE_LOG")
+	if err != nil {
+		saveLogs = false
+	}
+
 	s := new(IntegrationTestSuite)

 	s.namespaces = map[string]TestNamespace{
 		"thisspace": {
-			count:      15,
-			tailscales: make(map[string]dockertest.Resource),
-		},
-		"otherspace": {
 			count:      5,
 			tailscales: make(map[string]dockertest.Resource),
 		},
+		"otherspace": {
+			count:      2,
+			tailscales: make(map[string]dockertest.Resource),
+		},
 	}
+	s.saveLogs = saveLogs

 	suite.Run(t, s)

 	// HandleStats, which allows us to check if we passed and save logs
 	// is called after TearDown, so we cannot tear down containers before
 	// we have potentially saved the logs.
-	for _, scales := range s.namespaces {
-		for _, tailscale := range scales.tailscales {
-			if err := s.pool.Purge(&tailscale); err != nil {
-				log.Printf("Could not purge resource: %s\n", err)
+	if s.saveLogs {
+		for _, scales := range s.namespaces {
+			for _, tailscale := range scales.tailscales {
+				if err := s.pool.Purge(&tailscale); err != nil {
+					log.Printf("Could not purge resource: %s\n", err)
+				}
 			}
 		}
-	}

-	if !s.stats.Passed() {
-		err := s.saveLog(&s.headscale, "test_output")
-		if err != nil {
-			log.Printf("Could not save log: %s\n", err)
+		if !s.stats.Passed() {
+			err := s.saveLog(&s.headscale, "test_output")
+			if err != nil {
+				log.Printf("Could not save log: %s\n", err)
+			}
+		}
+		if err := s.pool.Purge(&s.headscale); err != nil {
+			log.Printf("Could not purge resource: %s\n", err)
 		}
-	}
-	if err := s.pool.Purge(&s.headscale); err != nil {
-		log.Printf("Could not purge resource: %s\n", err)
-	}

-	if err := s.network.Close(); err != nil {
-		log.Printf("Could not close network: %s\n", err)
+		if err := s.network.Close(); err != nil {
+			log.Printf("Could not close network: %s\n", err)
+		}
 	}
 }

@@ -175,16 +177,8 @@ func (s *IntegrationTestSuite) Join(
 func (s *IntegrationTestSuite) tailscaleContainer(
 	namespace, identifier, version string,
 ) (string, *dockertest.Resource) {
-	tailscaleBuildOptions := &dockertest.BuildOptions{
-		Dockerfile: "Dockerfile.tailscale",
-		ContextDir: ".",
-		BuildArgs: []docker.BuildArg{
-			{
-				Name:  "TAILSCALE_VERSION",
-				Value: version,
-			},
-		},
-	}
+	tailscaleBuildOptions := getDockerBuildOptions(version)
+
 	hostname := fmt.Sprintf(
 		"%s-tailscale-%s-%s",
 		namespace,
@@ -207,7 +201,7 @@ func (s *IntegrationTestSuite) tailscaleContainer(
 		DockerAllowNetworkAdministration,
 	)
 	if err != nil {
-		log.Fatalf("Could not start resource: %s", err)
+		log.Fatalf("Could not start tailscale container version %s: %s", version, err)
 	}
 	log.Printf("Created %s container\n", hostname)

@@ -224,23 +218,23 @@ func (s *IntegrationTestSuite) SetupSuite() {
 	if ppool, err := dockertest.NewPool(""); err == nil {
 		s.pool = *ppool
 	} else {
-		log.Fatalf("Could not connect to docker: %s", err)
+		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
 	}

 	if pnetwork, err := s.pool.CreateNetwork("headscale-test"); err == nil {
 		s.network = *pnetwork
 	} else {
-		log.Fatalf("Could not create network: %s", err)
+		s.FailNow(fmt.Sprintf("Could not create network: %s", err), "")
 	}

 	headscaleBuildOptions := &dockertest.BuildOptions{
-		Dockerfile: "Dockerfile",
+		Dockerfile: "Dockerfile.tmp-integration",
 		ContextDir: ".",
 	}

 	currentPath, err := os.Getwd()
 	if err != nil {
-		log.Fatalf("Could not determine current path: %s", err)
+		s.FailNow(fmt.Sprintf("Could not determine current path: %s", err), "")
 	}

 	headscaleOptions := &dockertest.RunOptions{
@@ -252,11 +246,16 @@ func (s *IntegrationTestSuite) SetupSuite() {
 		Cmd:      []string{"headscale", "serve"},
 	}

+	err = s.pool.RemoveContainerByName(headscaleHostname)
+	if err != nil {
+		s.FailNow(fmt.Sprintf("Could not remove existing container before building test: %s", err), "")
+	}
+
 	log.Println("Creating headscale container")
 	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
 		s.headscale = *pheadscale
 	} else {
-		log.Fatalf("Could not start resource: %s", err)
+		s.FailNow(fmt.Sprintf("Could not start headscale container: %s", err), "")
 	}
 	log.Println("Created headscale container")

@@ -353,6 +352,23 @@ func (s *IntegrationTestSuite) SetupSuite() {
 }

 func (s *IntegrationTestSuite) TearDownSuite() {
+	if !s.saveLogs {
+		for _, scales := range s.namespaces {
+			for _, tailscale := range scales.tailscales {
+				if err := s.pool.Purge(&tailscale); err != nil {
+					log.Printf("Could not purge resource: %s\n", err)
+				}
+			}
+		}
+
+		if err := s.pool.Purge(&s.headscale); err != nil {
+			log.Printf("Could not purge resource: %s\n", err)
+		}
+
+		if err := s.network.Close(); err != nil {
+			log.Printf("Could not close network: %s\n", err)
+		}
+	}
 }

 func (s *IntegrationTestSuite) HandleStats(
@@ -516,7 +532,6 @@ func (s *IntegrationTestSuite) TestTailDrop() {
 	for _, scales := range s.namespaces {
 		ips, err := getIPs(scales.tailscales)
 		assert.Nil(s.T(), err)
-		assert.Nil(s.T(), err)

 		retry := func(times int, sleepInverval time.Duration, doWork func() error) (err error) {
 			for attempts := 0; attempts < times; attempts++ {
@@ -546,7 +561,7 @@ func (s *IntegrationTestSuite) TestTailDrop() {
 					command := []string{
 						"tailscale", "file", "cp",
 						fmt.Sprintf("/tmp/file_from_%s", hostname),
-						fmt.Sprintf("%s:", peername),
+						fmt.Sprintf("%s:", ips[peername][1]),
 					}
 					retry(10, 1*time.Second, func() error {
 						log.Printf(
@@ -591,7 +606,7 @@ func (s *IntegrationTestSuite) TestTailDrop() {
 					log.Printf(
 						"Checking file in %s (%s) from %s (%s)\n",
 						hostname,
-						ips[hostname],
+						ips[hostname][1],
 						peername,
 						ip,
 					)
@@ -614,21 +629,24 @@ func (s *IntegrationTestSuite) TestTailDrop() {
 }

 func (s *IntegrationTestSuite) TestPingAllPeersByHostname() {
-	for namespace, scales := range s.namespaces {
-		ips, err := getIPs(scales.tailscales)
-		assert.Nil(s.T(), err)
+	hostnames, err := getMagicFQDN(&s.headscale)
+	assert.Nil(s.T(), err)
+
+	log.Printf("Resolved hostnames: %#v", hostnames)
+	for _, scales := range s.namespaces {
 		for hostname, tailscale := range scales.tailscales {
-			for peername := range ips {
-				if peername == hostname {
+			for _, peername := range hostnames {
+				if strings.Contains(peername, hostname) {
 					continue
 				}
+
 				s.T().Run(fmt.Sprintf("%s-%s", hostname, peername), func(t *testing.T) {
 					command := []string{
 						"tailscale", "ping",
 						"--timeout=10s",
 						"--c=20",
 						"--until-direct=true",
-						fmt.Sprintf("%s.%s.headscale.net", peername, namespace),
+						peername,
 					}

 					log.Printf(
@@ -651,18 +669,24 @@ func (s *IntegrationTestSuite) TestPingAllPeersByHostname() {
 }

 func (s *IntegrationTestSuite) TestMagicDNS() {
-	for namespace, scales := range s.namespaces {
+	hostnames, err := getMagicFQDN(&s.headscale)
+	assert.Nil(s.T(), err)
+
+	log.Printf("Resolved hostnames: %#v", hostnames)
+
+	for _, scales := range s.namespaces {
 		ips, err := getIPs(scales.tailscales)
 		assert.Nil(s.T(), err)
+
 		for hostname, tailscale := range scales.tailscales {
-			for peername, ips := range ips {
-				if peername == hostname {
+			for _, peername := range hostnames {
+				if strings.Contains(peername, hostname) {
 					continue
 				}
+
 				s.T().Run(fmt.Sprintf("%s-%s", hostname, peername), func(t *testing.T) {
 					command := []string{
-						"tailscale", "ip",
-						fmt.Sprintf("%s.%s.headscale.net", peername, namespace),
+						"tailscale", "ip", peername,
 					}

 					log.Printf(
@@ -678,7 +702,9 @@ func (s *IntegrationTestSuite) TestMagicDNS() {
 					assert.Nil(t, err)
 					log.Printf("Result for %s: %s\n", hostname, result)

-					for _, ip := range ips {
+					peerBaseName := peername[:len(peername)-MachineGivenNameHashLength-1]
+					expectedAddresses := ips[peerBaseName]
+					for _, ip := range expectedAddresses {
 						assert.Contains(t, result, ip.String())
 					}
 				})
@@ -687,38 +713,6 @@ func (s *IntegrationTestSuite) TestMagicDNS() {
 	}
 }

-func getIPs(
-	tailscales map[string]dockertest.Resource,
-) (map[string][]netaddr.IP, error) {
-	ips := make(map[string][]netaddr.IP)
-	for hostname, tailscale := range tailscales {
-		command := []string{"tailscale", "ip"}
-
-		result, err := ExecuteCommand(
-			&tailscale,
-			command,
-			[]string{},
-		)
-		if err != nil {
-			return nil, err
-		}
-
-		for _, address := range strings.Split(result, "\n") {
-			address = strings.TrimSuffix(address, "\n")
-			if len(address) < 1 {
-				continue
-			}
-			ip, err := netaddr.ParseIP(address)
-			if err != nil {
-				return nil, err
-			}
-			ips[hostname] = append(ips[hostname], ip)
-		}
-	}
-
-	return ips, nil
-}
-
 func getAPIURLs(
 	tailscales map[string]dockertest.Resource,
 ) (map[netaddr.IP]string, error) {
--- a/integration_test/etc/alt-config.dump.gold.yaml
+++ b/integration_test/etc/alt-config.dump.gold.yaml
@@ -0,0 +1,47 @@
+acl_policy_path: ""
+cli:
+  insecure: false
+  timeout: 5s
+db_path: /tmp/integration_test_db.sqlite3
+db_type: sqlite3
+derp:
+  auto_update_enabled: false
+  server:
+    enabled: false
+    stun:
+      enabled: true
+  update_frequency: 1m
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+dns_config:
+  base_domain: headscale.net
+  domains: []
+  magic_dns: true
+  nameservers:
+    - 1.1.1.1
+ephemeral_node_inactivity_timeout: 30m
+node_update_check_interval: 10s
+grpc_allow_insecure: false
+grpc_listen_addr: :50443
+ip_prefixes:
+  - fd7a:115c:a1e0::/48
+  - 100.64.0.0/10
+listen_addr: 0.0.0.0:18080
+log_level: disabled
+logtail:
+  enabled: false
+metrics_listen_addr: 127.0.0.1:19090
+oidc:
+  scope:
+    - openid
+    - profile
+    - email
+  strip_email_domain: true
+private_key_path: private.key
+server_url: http://headscale:18080
+tls_client_auth_mode: relaxed
+tls_letsencrypt_cache_dir: /var/www/.cache
+tls_letsencrypt_challenge_type: HTTP-01
+unix_socket: /var/run/headscale.sock
+unix_socket_permission: "0o770"
+randomize_client_port: false
--- a/integration_test/etc/alt-config.yaml
+++ b/integration_test/etc/alt-config.yaml
@@ -0,0 +1,25 @@
+log_level: trace
+acl_policy_path: ""
+db_type: sqlite3
+ephemeral_node_inactivity_timeout: 30m
+node_update_check_interval: 10s
+ip_prefixes:
+  - fd7a:115c:a1e0::/48
+  - 100.64.0.0/10
+dns_config:
+  base_domain: headscale.net
+  magic_dns: true
+  domains: []
+  nameservers:
+    - 1.1.1.1
+db_path: /tmp/integration_test_db.sqlite3
+private_key_path: private.key
+listen_addr: 0.0.0.0:18080
+metrics_listen_addr: 127.0.0.1:19090
+server_url: http://headscale:18080
+
+derp:
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+  auto_update_enabled: false
+  update_frequency: 1m
--- a/integration_test/etc/config.dump.gold.yaml
+++ b/integration_test/etc/config.dump.gold.yaml
@@ -0,0 +1,47 @@
+acl_policy_path: ""
+cli:
+  insecure: false
+  timeout: 5s
+db_path: /tmp/integration_test_db.sqlite3
+db_type: sqlite3
+derp:
+  auto_update_enabled: false
+  server:
+    enabled: false
+    stun:
+      enabled: true
+  update_frequency: 1m
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+dns_config:
+  base_domain: headscale.net
+  domains: []
+  magic_dns: true
+  nameservers:
+    - 1.1.1.1
+ephemeral_node_inactivity_timeout: 30m
+node_update_check_interval: 10s
+grpc_allow_insecure: false
+grpc_listen_addr: :50443
+ip_prefixes:
+  - fd7a:115c:a1e0::/48
+  - 100.64.0.0/10
+listen_addr: 0.0.0.0:8080
+log_level: disabled
+logtail:
+  enabled: false
+metrics_listen_addr: 127.0.0.1:9090
+oidc:
+  scope:
+    - openid
+    - profile
+    - email
+  strip_email_domain: true
+private_key_path: private.key
+server_url: http://headscale:8080
+tls_client_auth_mode: relaxed
+tls_letsencrypt_cache_dir: /var/www/.cache
+tls_letsencrypt_challenge_type: HTTP-01
+unix_socket: /var/run/headscale.sock
+unix_socket_permission: "0o770"
+randomize_client_port: false
--- a/integration_test/etc/config.yaml
+++ b/integration_test/etc/config.yaml
@@ -2,6 +2,7 @@ log_level: trace
 acl_policy_path: ""
 db_type: sqlite3
 ephemeral_node_inactivity_timeout: 30m
+node_update_check_interval: 10s
 ip_prefixes:
  - fd7a:115c:a1e0::/48
  - 100.64.0.0/10
@@ -14,6 +15,7 @@ dns_config:
 db_path: /tmp/integration_test_db.sqlite3
 private_key_path: private.key
 listen_addr: 0.0.0.0:8080
+metrics_listen_addr: 127.0.0.1:9090
 server_url: http://headscale:8080

 derp:
--- a/integration_test/etc_embedded_derp/config.yaml
+++ b/integration_test/etc_embedded_derp/config.yaml
@@ -0,0 +1,29 @@
+log_level: trace
+acl_policy_path: ""
+db_type: sqlite3
+ephemeral_node_inactivity_timeout: 30m
+node_update_check_interval: 10s
+ip_prefixes:
+  - fd7a:115c:a1e0::/48
+  - 100.64.0.0/10
+dns_config:
+  base_domain: headscale.net
+  magic_dns: true
+  domains: []
+  nameservers:
+    - 1.1.1.1
+db_path: /tmp/integration_test_db.sqlite3
+private_key_path: private.key
+listen_addr: 0.0.0.0:8443
+server_url: https://headscale:8443
+tls_cert_path: "/etc/headscale/tls/server.crt"
+tls_key_path: "/etc/headscale/tls/server.key"
+tls_client_auth_mode: disabled
+derp:
+  server:
+    enabled: true
+    region_id: 999
+    region_code: "headscale"
+    region_name: "Headscale Embedded DERP"
+
+    stun_listen_addr: "0.0.0.0:3478"
--- a/integration_test/etc_embedded_derp/tls/server.crt
+++ b/integration_test/etc_embedded_derp/tls/server.crt
@@ -0,0 +1,22 @@
+
+-----BEGIN CERTIFICATE-----
+MIIC8jCCAdqgAwIBAgIULbu+UbSTMG/LtxooLLh7BgSEyqEwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJaGVhZHNjYWxlMCAXDTIyMDMwNTE2NDgwM1oYDzI1MjEx
+MTA0MTY0ODAzWjAUMRIwEAYDVQQDDAloZWFkc2NhbGUwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDqcfpToLZUF0rlNwXkkt3lbyw4Cl4TJdx36o2PKaOK
+U+tze/IjRsCWeMwrcR1o9TNZcxsD+c2J48D1WATuQJlMeg+2UJXGaTGRKkkbPMy3
+5m7AFf/Q16UEOgm2NYjZaQ8faRGIMYURG/6sXmNeETJvBixpBev9yKJuVXgqHNS4
+NpEkNwdOCuAZXrmw0HCbiusawJOay4tFvhH14rav8Uimonl8UTNVXufMzyUOuoaQ
+TGflmzYX3hIoswRnTPlIWFoqObvx2Q8H+of3uQJXy0m8I6OrIoXLNxnqYMfFls79
+9SYgVc2jPsCbh5fwyRbx2Hof7sIZ1K/mNgxJRG1E3ZiLAgMBAAGjOjA4MBQGA1Ud
+EQQNMAuCCWhlYWRzY2FsZTALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUH
+AwEwDQYJKoZIhvcNAQELBQADggEBANGlVN7NCsJaKz0k0nhlRGK+tcxn2p1PXN/i
+Iy+JX8ahixPC4ocRwOhrXgb390ZXLLwq08HrWYRB/Wi1VUzCp5d8dVxvrR43dJ+v
+L2EOBiIKgcu2C3pWW1qRR46/EoXUU9kSH2VNBvIhNufi32kEOidoDzxtQf6qVCoF
+guUt1JkAqrynv1UvR/2ZRM/WzM/oJ8qfECwrwDxyYhkqU5Z5jCWg0C6kPIBvNdzt
+B0eheWS+ZxVwkePTR4e17kIafwknth3lo+orxVrq/xC+OVM1bGrt2ZyD64ZvEqQl
+w6kgbzBdLScAQptWOFThwhnJsg0UbYKimZsnYmjVEuN59TJv92M=
+-----END CERTIFICATE-----
+
+(Expires on Nov  4 16:48:03 2521 GMT)
+
--- a/integration_test/etc_embedded_derp/tls/server.key
+++ b/integration_test/etc_embedded_derp/tls/server.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDqcfpToLZUF0rl
+NwXkkt3lbyw4Cl4TJdx36o2PKaOKU+tze/IjRsCWeMwrcR1o9TNZcxsD+c2J48D1
+WATuQJlMeg+2UJXGaTGRKkkbPMy35m7AFf/Q16UEOgm2NYjZaQ8faRGIMYURG/6s
+XmNeETJvBixpBev9yKJuVXgqHNS4NpEkNwdOCuAZXrmw0HCbiusawJOay4tFvhH1
+4rav8Uimonl8UTNVXufMzyUOuoaQTGflmzYX3hIoswRnTPlIWFoqObvx2Q8H+of3
+uQJXy0m8I6OrIoXLNxnqYMfFls799SYgVc2jPsCbh5fwyRbx2Hof7sIZ1K/mNgxJ
+RG1E3ZiLAgMBAAECggEBALu1Ni/u5Qy++YA8ZcN0s6UXNdhItLmv/q0kZuLQ+9et
+CT8VZfFInLndTdsaXenDKLHdryunviFA8SV+q7P2lMbek+Xs735EiyMnMBFWxLIZ
+FWNGOeQERGL19QCmLEOmEi2b+iWJQHlKaMWpbPXL3w11a+lKjIBNO4ALfoJ5QveZ
+cGMKsJdm/mpqBvLeNeh2eAFk3Gp6sT1g80Ge8NkgyzFBNIqnut0eerM15kPTc6Qz
+12JLaOXUuV3PrcB4PN4nOwrTDg88GDNOQtc1Pc9r4nOHyLfr8X7QEtj1wXSwmOuK
+d6ynMnAmoxVA9wEnupLbil1bzohRzpsTpkmDruYaBEECgYEA/Z09I8D6mt2NVqIE
+KyvLjBK39ijSV9r3/lvB2Ple2OOL5YQEd+yTrIFy+3zdUnDgD1zmNnXjmjvHZ9Lc
+IFf2o06AF84QLNB5gLPdDQkGNFdDqUxljBrfAfE3oANmPS/B0SijMGOOOiDO2FtO
+xl1nfRr78mswuRs9awoUWCdNRKUCgYEA7KaTYKIQW/FEjw9lshp74q5vbn6zoXF5
+7N8VkwI+bBVNvRbM9XZ8qhfgRdu9eXs5oL/N4mSYY54I8fA//pJ0Z2vpmureMm1V
+mL5WBUmSD9DIbAchoK+sRiQhVmNMBQC6cHMABA7RfXvBeGvWrm9pKCS6ZLgLjkjp
+PsmAcaXQcW8CgYEA2inAxljjOwUK6FNGsrxhxIT1qtNC3kCGxE+6WSNq67gSR8Vg
+8qiX//T7LEslOB3RIGYRwxd2St7RkgZZRZllmOWWWuPwFhzf6E7RAL2akLvggGov
+kG4tGEagSw2hjVDfsUT73ExHtMk0Jfmlsg33UC8+PDLpHtLH6qQpDAwC8+ECgYEA
+o+AqOIWhvHmT11l7O915Ip1WzvZwYADbxLsrDnVEUsZh4epTHjvh0kvcY6PqTqCV
+ZIrOANNWb811Nkz/k8NJVoD08PFp0xPBbZeIq/qpachTsfMyRzq/mobUiyUR9Hjv
+ooUQYr78NOApNsG+lWbTNBhS9wI4BlzZIECbcJe5g4MCgYEAndRoy8S+S0Hx/S8a
+O3hzXeDmivmgWqn8NVD4AKOovpkz4PaIVVQbAQkiNfAx8/DavPvjEKAbDezJ4ECV
+j7IsOWtDVI7pd6eF9fTcECwisrda8aUoiOap8AQb48153Vx+g2N4Vy3uH0xJs4cz
+TDALZPOBg8VlV+HEFDP43sp9Bf0=
+-----END PRIVATE KEY-----
--- a/machine.go
+++ b/machine.go
@@ -2,13 +2,13 @@ package headscale

 import (
 	"database/sql/driver"
+	"errors"
 	"fmt"
 	"sort"
 	"strconv"
 	"strings"
 	"time"

-	"github.com/fatih/set"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/rs/zerolog/log"
 	"google.golang.org/protobuf/types/known/timestamppb"
@@ -26,6 +26,8 @@ const (
 	)
 	errCouldNotConvertMachineInterface = Error("failed to convert machine interface")
 	errHostnameTooLong                 = Error("Hostname too long")
+	MachineGivenNameHashLength         = 8
+	MachineGivenNameTrimSize           = 2
 )

 const (
@@ -39,12 +41,25 @@ type Machine struct {
 	NodeKey     string
 	DiscoKey    string
 	IPAddresses MachineAddresses
-	Name        string
+
+	// Hostname represents the name given by the Tailscale
+	// client during registration
+	Hostname string
+
+	// Givenname represents either:
+	// a DNS normalized version of Hostname
+	// a valid name set by the User
+	//
+	// GivenName is the name used in all DNS related
+	// parts of headscale.
+	GivenName   string `gorm:"type:varchar(63);unique_index"`
 	NamespaceID uint
 	Namespace   Namespace `gorm:"foreignKey:NamespaceID"`

 	RegisterMethod string

+	ForcedTags StringList
+
 	// TODO(kradalby): This seems like irrelevant information?
 	AuthKeyID uint
 	AuthKey   *PreAuthKey
@@ -122,7 +137,7 @@ func (machine Machine) isExpired() bool {

 func containsAddresses(inputs []string, addrs []string) bool {
 	for _, addr := range addrs {
-		if containsString(inputs, addr) {
+		if contains(inputs, addr) {
 			return true
 		}
 	}
@@ -149,7 +164,7 @@ func getFilteredByACLPeers(
 ) Machines {
 	log.Trace().
 		Caller().
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Msg("Finding peers filtered by ACLs")

 	peers := make(map[uint64]Machine)
@@ -216,7 +231,7 @@ func getFilteredByACLPeers(

 	log.Trace().
 		Caller().
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Msgf("Found some machines: %v", machines)

 	return authorizedPeers
@@ -225,7 +240,7 @@ func getFilteredByACLPeers(
 func (h *Headscale) ListPeers(machine *Machine) (Machines, error) {
 	log.Trace().
 		Caller().
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Msg("Finding direct peers")

 	machines := Machines{}
@@ -240,7 +255,7 @@ func (h *Headscale) ListPeers(machine *Machine) (Machines, error) {

 	log.Trace().
 		Caller().
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Msgf("Found peers: %s", machines.String())

 	return machines, nil
@@ -277,7 +292,7 @@ func (h *Headscale) getPeers(machine *Machine) (Machines, error) {

 	log.Trace().
 		Caller().
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Msgf("Found total peers: %s", peers.String())

 	return peers, nil
@@ -317,7 +332,7 @@ func (h *Headscale) GetMachine(namespace string, name string) (*Machine, error)
 	}

 	for _, m := range machines {
-		if m.Name == name {
+		if m.Hostname == name {
 			return &m, nil
 		}
 	}
@@ -347,9 +362,9 @@ func (h *Headscale) GetMachineByMachineKey(
 	return &m, nil
 }

-// UpdateMachine takes a Machine struct pointer (typically already loaded from database
+// UpdateMachineFromDatabase takes a Machine struct pointer (typically already loaded from database
 // and updates it with the latest data from the database.
-func (h *Headscale) UpdateMachine(machine *Machine) error {
+func (h *Headscale) UpdateMachineFromDatabase(machine *Machine) error {
 	if result := h.db.Find(machine).First(&machine); result.Error != nil {
 		return result.Error
 	}
@@ -357,18 +372,70 @@ func (h *Headscale) UpdateMachine(machine *Machine) error {
 	return nil
 }

+// SetTags takes a Machine struct pointer and update the forced tags.
+func (h *Headscale) SetTags(machine *Machine, tags []string) error {
+	newTags := []string{}
+	for _, tag := range tags {
+		if !contains(newTags, tag) {
+			newTags = append(newTags, tag)
+		}
+	}
+	machine.ForcedTags = newTags
+	if err := h.UpdateACLRules(); err != nil && !errors.Is(err, errEmptyPolicy) {
+		return err
+	}
+	h.setLastStateChangeToNow(machine.Namespace.Name)
+
+	if err := h.db.Save(machine).Error; err != nil {
+		return fmt.Errorf("failed to update tags for machine in the database: %w", err)
+	}
+
+	return nil
+}
+
 // ExpireMachine takes a Machine struct and sets the expire field to now.
-func (h *Headscale) ExpireMachine(machine *Machine) {
+func (h *Headscale) ExpireMachine(machine *Machine) error {
 	now := time.Now()
 	machine.Expiry = &now

 	h.setLastStateChangeToNow(machine.Namespace.Name)

-	h.db.Save(machine)
+	if err := h.db.Save(machine).Error; err != nil {
+		return fmt.Errorf("failed to expire machine in the database: %w", err)
+	}
+
+	return nil
+}
+
+// RenameMachine takes a Machine struct and a new GivenName for the machines
+// and renames it.
+func (h *Headscale) RenameMachine(machine *Machine, newName string) error {
+	err := CheckForFQDNRules(
+		newName,
+	)
+	if err != nil {
+		log.Error().
+			Caller().
+			Str("func", "RenameMachine").
+			Str("machine", machine.Hostname).
+			Str("newName", newName).
+			Err(err)
+
+		return err
+	}
+	machine.GivenName = newName
+
+	h.setLastStateChangeToNow(machine.Namespace.Name)
+
+	if err := h.db.Save(machine).Error; err != nil {
+		return fmt.Errorf("failed to rename machine in the database: %w", err)
+	}
+
+	return nil
 }

 // RefreshMachine takes a Machine struct and sets the expire field to now.
-func (h *Headscale) RefreshMachine(machine *Machine, expiry time.Time) {
+func (h *Headscale) RefreshMachine(machine *Machine, expiry time.Time) error {
 	now := time.Now()

 	machine.LastSuccessfulUpdate = &now
@@ -376,7 +443,14 @@ func (h *Headscale) RefreshMachine(machine *Machine, expiry time.Time) {

 	h.setLastStateChangeToNow(machine.Namespace.Name)

-	h.db.Save(machine)
+	if err := h.db.Save(machine).Error; err != nil {
+		return fmt.Errorf(
+			"failed to refresh machine (update expiration) in the database: %w",
+			err,
+		)
+	}
+
+	return nil
 }

 // DeleteMachine softs deletes a Machine from the database.
@@ -411,46 +485,41 @@ func (machine *Machine) GetHostInfo() tailcfg.Hostinfo {
 }

 func (h *Headscale) isOutdated(machine *Machine) bool {
-	if err := h.UpdateMachine(machine); err != nil {
+	if err := h.UpdateMachineFromDatabase(machine); err != nil {
 		// It does not seem meaningful to propagate this error as the end result
 		// will have to be that the machine has to be considered outdated.
 		return true
 	}

-	namespaceSet := set.New(set.ThreadSafe)
-	namespaceSet.Add(machine.Namespace.Name)
-
-	namespaces := make([]string, namespaceSet.Size())
-	for index, namespace := range namespaceSet.List() {
-		if name, ok := namespace.(string); ok {
-			namespaces[index] = name
-		}
-	}
-
-	lastChange := h.getLastStateChange(namespaces...)
+	// Get the last update from all headscale namespaces to compare with our nodes
+	// last update.
+	// TODO(kradalby): Only request updates from namespaces where we can talk to nodes
+	// This would mostly be for a bit of performance, and can be calculated based on
+	// ACLs.
+	lastChange := h.getLastStateChange()
 	lastUpdate := machine.CreatedAt
 	if machine.LastSuccessfulUpdate != nil {
 		lastUpdate = *machine.LastSuccessfulUpdate
 	}
 	log.Trace().
 		Caller().
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Time("last_successful_update", lastChange).
 		Time("last_state_change", lastUpdate).
-		Msgf("Checking if %s is missing updates", machine.Name)
+		Msgf("Checking if %s is missing updates", machine.Hostname)

 	return lastUpdate.Before(lastChange)
 }

 func (machine Machine) String() string {
-	return machine.Name
+	return machine.Hostname
 }

 func (machines Machines) String() string {
 	temp := make([]string, len(machines))

 	for index, machine := range machines {
-		temp[index] = machine.Name
+		temp[index] = machine.Hostname
 	}

 	return fmt.Sprintf("[ %s ](%d)", strings.Join(temp, ", "), len(temp))
@@ -461,7 +530,7 @@ func (machines MachinesP) String() string {
 	temp := make([]string, len(machines))

 	for index, machine := range machines {
-		temp[index] = machine.Name
+		temp[index] = machine.Hostname
 	}

 	return fmt.Sprintf("[ %s ](%d)", strings.Join(temp, ", "), len(temp))
@@ -558,7 +627,7 @@ func (machine Machine) toNode(
 	if dnsConfig != nil && dnsConfig.Proxied { // MagicDNS
 		hostname = fmt.Sprintf(
 			"%s.%s.%s",
-			machine.Name,
+			machine.GivenName,
 			machine.Namespace.Name,
 			baseDomain,
 		)
@@ -570,11 +639,15 @@ func (machine Machine) toNode(
 			)
 		}
 	} else {
-		hostname = machine.Name
+		hostname = machine.GivenName
 	}

 	hostInfo := machine.GetHostInfo()

+	// A node is Online if it is connected to the control server,
+	// and we now we update LastSeen every keepAliveInterval duration at least.
+	online := machine.LastSeen.After(time.Now().Add(-keepAliveInterval))
+
 	node := tailcfg.Node{
 		ID: tailcfg.NodeID(machine.ID), // this is the actual ID
 		StableID: tailcfg.StableNodeID(
@@ -591,6 +664,7 @@ func (machine Machine) toNode(
 		Endpoints:  machine.Endpoints,
 		DERP:       derp,

+		Online:   &online,
 		Hostinfo: hostInfo.View(),
 		Created:  machine.CreatedAt,
 		LastSeen: machine.LastSeen,
@@ -611,8 +685,10 @@ func (machine *Machine) toProto() *v1.Machine {
 		NodeKey:     machine.NodeKey,
 		DiscoKey:    machine.DiscoKey,
 		IpAddresses: machine.IPAddresses.ToStringSlice(),
-		Name:        machine.Name,
+		Name:        machine.Hostname,
+		GivenName:   machine.GivenName,
 		Namespace:   machine.Namespace.toProto(),
+		ForcedTags:  machine.ForcedTags,

 		// TODO(kradalby): Implement register method enum converter
 		// RegisterMethod: ,
@@ -641,6 +717,50 @@ func (machine *Machine) toProto() *v1.Machine {
 	return machineProto
 }

+// getTags will return the tags of the current machine.
+// Invalid tags are tags added by a user on a node, and that user doesn't have authority to add this tag.
+// Valid tags are tags added by a user that is allowed in the ACL policy to add this tag.
+func getTags(
+	aclPolicy *ACLPolicy,
+	machine Machine,
+	stripEmailDomain bool,
+) ([]string, []string) {
+	validTags := make([]string, 0)
+	invalidTags := make([]string, 0)
+	if aclPolicy == nil {
+		return validTags, invalidTags
+	}
+	validTagMap := make(map[string]bool)
+	invalidTagMap := make(map[string]bool)
+	for _, tag := range machine.HostInfo.RequestTags {
+		owners, err := expandTagOwners(*aclPolicy, tag, stripEmailDomain)
+		if errors.Is(err, errInvalidTag) {
+			invalidTagMap[tag] = true
+
+			continue
+		}
+		var found bool
+		for _, owner := range owners {
+			if machine.Namespace.Name == owner {
+				found = true
+			}
+		}
+		if found {
+			validTagMap[tag] = true
+		} else {
+			invalidTagMap[tag] = true
+		}
+	}
+	for tag := range invalidTagMap {
+		invalidTags = append(invalidTags, tag)
+	}
+	for tag := range validTagMap {
+		validTags = append(validTags, tag)
+	}
+
+	return validTags, invalidTags
+}
+
 func (h *Headscale) RegisterMachineFromAuthCallback(
 	machineKeyStr string,
 	namespaceName string,
@@ -682,7 +802,7 @@ func (h *Headscale) RegisterMachine(machine Machine,

 	log.Trace().
 		Caller().
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Msg("Attempting to register machine")

 	h.ipAllocationMutex.Lock()
@@ -693,7 +813,7 @@ func (h *Headscale) RegisterMachine(machine Machine,
 		log.Error().
 			Caller().
 			Err(err).
-			Str("machine", machine.Name).
+			Str("machine", machine.Hostname).
 			Msg("Could not find IP for the new machine")

 		return nil, err
@@ -701,11 +821,13 @@ func (h *Headscale) RegisterMachine(machine Machine,

 	machine.IPAddresses = ips

-	h.db.Save(&machine)
+	if err := h.db.Save(&machine).Error; err != nil {
+		return nil, fmt.Errorf("failed register(save) machine in the database: %w", err)
+	}

 	log.Trace().
 		Caller().
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Str("ip", strings.Join(ips.ToStringSlice(), ",")).
 		Msg("Machine registered with the database")

@@ -751,17 +873,20 @@ func (h *Headscale) EnableRoutes(machine *Machine, routeStrs ...string) error {
 	}

 	for _, newRoute := range newRoutes {
-		if !containsIPPrefix(machine.GetAdvertisedRoutes(), newRoute) {
+		if !contains(machine.GetAdvertisedRoutes(), newRoute) {
 			return fmt.Errorf(
 				"route (%s) is not available on node %s: %w",
-				machine.Name,
+				machine.Hostname,
 				newRoute, errMachineRouteIsNotAvailable,
 			)
 		}
 	}

 	machine.EnabledRoutes = newRoutes
-	h.db.Save(&machine)
+
+	if err := h.db.Save(machine).Error; err != nil {
+		return fmt.Errorf("failed enable routes for machine in the database: %w", err)
+	}

 	return nil
 }
@@ -776,3 +901,32 @@ func (machine *Machine) RoutesToProto() *v1.Routes {
 		EnabledRoutes:    ipPrefixToString(enabledRoutes),
 	}
 }
+
+func (h *Headscale) GenerateGivenName(suppliedName string) (string, error) {
+	// If a hostname is or will be longer than 63 chars after adding the hash,
+	// it needs to be trimmed.
+	trimmedHostnameLength := labelHostnameLength - MachineGivenNameHashLength - MachineGivenNameTrimSize
+
+	normalizedHostname, err := NormalizeToFQDNRules(
+		suppliedName,
+		h.cfg.OIDC.StripEmaildomain,
+	)
+	if err != nil {
+		return "", err
+	}
+
+	postfix, err := GenerateRandomStringDNSSafe(MachineGivenNameHashLength)
+	if err != nil {
+		return "", err
+	}
+
+	// Verify that that the new unique name is shorter than the maximum allowed
+	// DNS segment.
+	if len(normalizedHostname) <= trimmedHostnameLength {
+		normalizedHostname = fmt.Sprintf("%s-%s", normalizedHostname, postfix)
+	} else {
+		normalizedHostname = fmt.Sprintf("%s-%s", normalizedHostname[:trimmedHostnameLength], postfix)
+	}
+
+	return normalizedHostname, nil
+}
--- a/machine_test.go
+++ b/machine_test.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"reflect"
 	"strconv"
+	"strings"
 	"testing"
 	"time"

@@ -27,7 +28,7 @@ func (s *Suite) TestGetMachine(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "testmachine",
+		Hostname:       "testmachine",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
@@ -53,7 +54,7 @@ func (s *Suite) TestGetMachineByID(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "testmachine",
+		Hostname:       "testmachine",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
@@ -72,7 +73,7 @@ func (s *Suite) TestDeleteMachine(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "testmachine",
+		Hostname:       "testmachine",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(1),
@@ -94,7 +95,7 @@ func (s *Suite) TestHardDeleteMachine(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "testmachine3",
+		Hostname:       "testmachine3",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(1),
@@ -124,7 +125,7 @@ func (s *Suite) TestListPeers(c *check.C) {
 			MachineKey:     "foo" + strconv.Itoa(index),
 			NodeKey:        "bar" + strconv.Itoa(index),
 			DiscoKey:       "faa" + strconv.Itoa(index),
-			Name:           "testmachine" + strconv.Itoa(index),
+			Hostname:       "testmachine" + strconv.Itoa(index),
 			NamespaceID:    namespace.ID,
 			RegisterMethod: RegisterMethodAuthKey,
 			AuthKeyID:      uint(pak.ID),
@@ -139,9 +140,9 @@ func (s *Suite) TestListPeers(c *check.C) {
 	c.Assert(err, check.IsNil)

 	c.Assert(len(peersOfMachine0), check.Equals, 9)
-	c.Assert(peersOfMachine0[0].Name, check.Equals, "testmachine2")
-	c.Assert(peersOfMachine0[5].Name, check.Equals, "testmachine7")
-	c.Assert(peersOfMachine0[8].Name, check.Equals, "testmachine10")
+	c.Assert(peersOfMachine0[0].Hostname, check.Equals, "testmachine2")
+	c.Assert(peersOfMachine0[5].Hostname, check.Equals, "testmachine7")
+	c.Assert(peersOfMachine0[8].Hostname, check.Equals, "testmachine10")
 }

 func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
@@ -172,7 +173,7 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
 			IPAddresses: MachineAddresses{
 				netaddr.MustParseIP(fmt.Sprintf("100.64.0.%v", strconv.Itoa(index+1))),
 			},
-			Name:           "testmachine" + strconv.Itoa(index),
+			Hostname:       "testmachine" + strconv.Itoa(index),
 			NamespaceID:    stor[index%2].namespace.ID,
 			RegisterMethod: RegisterMethodAuthKey,
 			AuthKeyID:      uint(stor[index%2].key.ID),
@@ -187,8 +188,8 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
 		Hosts:     map[string]netaddr.IPPrefix{},
 		TagOwners: map[string][]string{},
 		ACLs: []ACL{
-			{Action: "accept", Users: []string{"admin"}, Ports: []string{"*:*"}},
-			{Action: "accept", Users: []string{"test"}, Ports: []string{"test:*"}},
+			{Action: "accept", Sources: []string{"admin"}, Destinations: []string{"*:*"}},
+			{Action: "accept", Sources: []string{"test"}, Destinations: []string{"test:*"}},
 		},
 		Tests: []ACLTest{},
 	}
@@ -197,11 +198,11 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
 	c.Assert(err, check.IsNil)

 	adminMachine, err := app.GetMachineByID(1)
-	c.Logf("Machine(%v), namespace: %v", adminMachine.Name, adminMachine.Namespace)
+	c.Logf("Machine(%v), namespace: %v", adminMachine.Hostname, adminMachine.Namespace)
 	c.Assert(err, check.IsNil)

 	testMachine, err := app.GetMachineByID(2)
-	c.Logf("Machine(%v), namespace: %v", testMachine.Name, testMachine.Namespace)
+	c.Logf("Machine(%v), namespace: %v", testMachine.Hostname, testMachine.Namespace)
 	c.Assert(err, check.IsNil)

 	machines, err := app.ListMachines()
@@ -212,15 +213,15 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) {

 	c.Log(peersOfTestMachine)
 	c.Assert(len(peersOfTestMachine), check.Equals, 4)
-	c.Assert(peersOfTestMachine[0].Name, check.Equals, "testmachine4")
-	c.Assert(peersOfTestMachine[1].Name, check.Equals, "testmachine6")
-	c.Assert(peersOfTestMachine[3].Name, check.Equals, "testmachine10")
+	c.Assert(peersOfTestMachine[0].Hostname, check.Equals, "testmachine4")
+	c.Assert(peersOfTestMachine[1].Hostname, check.Equals, "testmachine6")
+	c.Assert(peersOfTestMachine[3].Hostname, check.Equals, "testmachine10")

 	c.Log(peersOfAdminMachine)
 	c.Assert(len(peersOfAdminMachine), check.Equals, 9)
-	c.Assert(peersOfAdminMachine[0].Name, check.Equals, "testmachine2")
-	c.Assert(peersOfAdminMachine[2].Name, check.Equals, "testmachine4")
-	c.Assert(peersOfAdminMachine[5].Name, check.Equals, "testmachine7")
+	c.Assert(peersOfAdminMachine[0].Hostname, check.Equals, "testmachine2")
+	c.Assert(peersOfAdminMachine[2].Hostname, check.Equals, "testmachine4")
+	c.Assert(peersOfAdminMachine[5].Hostname, check.Equals, "testmachine7")
 }

 func (s *Suite) TestExpireMachine(c *check.C) {
@@ -238,7 +239,7 @@ func (s *Suite) TestExpireMachine(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "testmachine",
+		Hostname:       "testmachine",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
@@ -248,10 +249,12 @@ func (s *Suite) TestExpireMachine(c *check.C) {

 	machineFromDB, err := app.GetMachine("test", "testmachine")
 	c.Assert(err, check.IsNil)
+	c.Assert(machineFromDB, check.NotNil)

 	c.Assert(machineFromDB.isExpired(), check.Equals, false)

-	app.ExpireMachine(machineFromDB)
+	err = app.ExpireMachine(machineFromDB)
+	c.Assert(err, check.IsNil)

 	c.Assert(machineFromDB.isExpired(), check.Equals, true)
 }
@@ -277,6 +280,200 @@ func (s *Suite) TestSerdeAddressStrignSlice(c *check.C) {
 	}
 }

+func (s *Suite) TestSetTags(c *check.C) {
+	namespace, err := app.CreateNamespace("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = app.GetMachine("test", "testmachine")
+	c.Assert(err, check.NotNil)
+
+	machine := &Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testmachine",
+		NamespaceID:    namespace.ID,
+		RegisterMethod: RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	app.db.Save(machine)
+
+	// assign simple tags
+	sTags := []string{"tag:test", "tag:foo"}
+	err = app.SetTags(machine, sTags)
+	c.Assert(err, check.IsNil)
+	machine, err = app.GetMachine("test", "testmachine")
+	c.Assert(err, check.IsNil)
+	c.Assert(machine.ForcedTags, check.DeepEquals, StringList(sTags))
+
+	// assign duplicat tags, expect no errors but no doubles in DB
+	eTags := []string{"tag:bar", "tag:test", "tag:unknown", "tag:test"}
+	err = app.SetTags(machine, eTags)
+	c.Assert(err, check.IsNil)
+	machine, err = app.GetMachine("test", "testmachine")
+	c.Assert(err, check.IsNil)
+	c.Assert(
+		machine.ForcedTags,
+		check.DeepEquals,
+		StringList([]string{"tag:bar", "tag:test", "tag:unknown"}),
+	)
+}
+
+func Test_getTags(t *testing.T) {
+	type args struct {
+		aclPolicy        *ACLPolicy
+		machine          Machine
+		stripEmailDomain bool
+	}
+	tests := []struct {
+		name        string
+		args        args
+		wantInvalid []string
+		wantValid   []string
+	}{
+		{
+			name: "valid tag one machine",
+			args: args{
+				aclPolicy: &ACLPolicy{
+					TagOwners: TagOwners{
+						"tag:valid": []string{"joe"},
+					},
+				},
+				machine: Machine{
+					Namespace: Namespace{
+						Name: "joe",
+					},
+					HostInfo: HostInfo{
+						RequestTags: []string{"tag:valid"},
+					},
+				},
+				stripEmailDomain: false,
+			},
+			wantValid:   []string{"tag:valid"},
+			wantInvalid: nil,
+		},
+		{
+			name: "invalid tag and valid tag one machine",
+			args: args{
+				aclPolicy: &ACLPolicy{
+					TagOwners: TagOwners{
+						"tag:valid": []string{"joe"},
+					},
+				},
+				machine: Machine{
+					Namespace: Namespace{
+						Name: "joe",
+					},
+					HostInfo: HostInfo{
+						RequestTags: []string{"tag:valid", "tag:invalid"},
+					},
+				},
+				stripEmailDomain: false,
+			},
+			wantValid:   []string{"tag:valid"},
+			wantInvalid: []string{"tag:invalid"},
+		},
+		{
+			name: "multiple invalid and identical tags, should return only one invalid tag",
+			args: args{
+				aclPolicy: &ACLPolicy{
+					TagOwners: TagOwners{
+						"tag:valid": []string{"joe"},
+					},
+				},
+				machine: Machine{
+					Namespace: Namespace{
+						Name: "joe",
+					},
+					HostInfo: HostInfo{
+						RequestTags: []string{
+							"tag:invalid",
+							"tag:valid",
+							"tag:invalid",
+						},
+					},
+				},
+				stripEmailDomain: false,
+			},
+			wantValid:   []string{"tag:valid"},
+			wantInvalid: []string{"tag:invalid"},
+		},
+		{
+			name: "only invalid tags",
+			args: args{
+				aclPolicy: &ACLPolicy{
+					TagOwners: TagOwners{
+						"tag:valid": []string{"joe"},
+					},
+				},
+				machine: Machine{
+					Namespace: Namespace{
+						Name: "joe",
+					},
+					HostInfo: HostInfo{
+						RequestTags: []string{"tag:invalid", "very-invalid"},
+					},
+				},
+				stripEmailDomain: false,
+			},
+			wantValid:   nil,
+			wantInvalid: []string{"tag:invalid", "very-invalid"},
+		},
+		{
+			name: "empty ACLPolicy should return empty tags and should not panic",
+			args: args{
+				aclPolicy: nil,
+				machine: Machine{
+					Namespace: Namespace{
+						Name: "joe",
+					},
+					HostInfo: HostInfo{
+						RequestTags: []string{"tag:invalid", "very-invalid"},
+					},
+				},
+				stripEmailDomain: false,
+			},
+			wantValid:   nil,
+			wantInvalid: nil,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			gotValid, gotInvalid := getTags(
+				test.args.aclPolicy,
+				test.args.machine,
+				test.args.stripEmailDomain,
+			)
+			for _, valid := range gotValid {
+				if !contains(test.wantValid, valid) {
+					t.Errorf(
+						"valids: getTags() = %v, want %v",
+						gotValid,
+						test.wantValid,
+					)
+
+					break
+				}
+			}
+			for _, invalid := range gotInvalid {
+				if !contains(test.wantInvalid, invalid) {
+					t.Errorf(
+						"invalids: getTags() = %v, want %v",
+						gotInvalid,
+						test.wantInvalid,
+					)
+
+					break
+				}
+			}
+		})
+	}
+}
+
 // nolint
 func Test_getFilteredByACLPeers(t *testing.T) {
 	type args struct {
@@ -654,3 +851,137 @@ func Test_getFilteredByACLPeers(t *testing.T) {
 		})
 	}
 }
+
+func TestHeadscale_GenerateGivenName(t *testing.T) {
+	type args struct {
+		suppliedName string
+	}
+	tests := []struct {
+		name    string
+		h       *Headscale
+		args    args
+		want    string
+		wantErr bool
+	}{
+		{
+			name: "simple machine name generation",
+			h: &Headscale{
+				cfg: &Config{
+					OIDC: OIDCConfig{
+						StripEmaildomain: true,
+					},
+				},
+			},
+			args: args{
+				suppliedName: "testmachine",
+			},
+			want:    "testmachine",
+			wantErr: false,
+		},
+		{
+			name: "machine name with 53 chars",
+			h: &Headscale{
+				cfg: &Config{
+					OIDC: OIDCConfig{
+						StripEmaildomain: true,
+					},
+				},
+			},
+			args: args{
+				suppliedName: "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine",
+			},
+			want:    "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine",
+			wantErr: false,
+		},
+		{
+			name: "machine name with 60 chars",
+			h: &Headscale{
+				cfg: &Config{
+					OIDC: OIDCConfig{
+						StripEmaildomain: true,
+					},
+				},
+			},
+			args: args{
+				suppliedName: "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine1234567",
+			},
+			want:    "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine",
+			wantErr: false,
+		},
+		{
+			name: "machine name with 63 chars",
+			h: &Headscale{
+				cfg: &Config{
+					OIDC: OIDCConfig{
+						StripEmaildomain: true,
+					},
+				},
+			},
+			args: args{
+				suppliedName: "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine1234567890",
+			},
+			want:    "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+			wantErr: false,
+		},
+		{
+			name: "machine name with 64 chars",
+			h: &Headscale{
+				cfg: &Config{
+					OIDC: OIDCConfig{
+						StripEmaildomain: true,
+					},
+				},
+			},
+			args: args{
+				suppliedName: "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine1234567891",
+			},
+			want:    "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+			wantErr: false,
+		},
+		{
+			name: "machine name with 73 chars",
+			h: &Headscale{
+				cfg: &Config{
+					OIDC: OIDCConfig{
+						StripEmaildomain: true,
+					},
+				},
+			},
+			args: args{
+				suppliedName: "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine12345678901234567890",
+			},
+			want:    "",
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := tt.h.GenerateGivenName(tt.args.suppliedName)
+			if (err != nil) != tt.wantErr {
+				t.Errorf(
+					"Headscale.GenerateGivenName() error = %v, wantErr %v",
+					err,
+					tt.wantErr,
+				)
+
+				return
+			}
+
+			if tt.want != "" && strings.Contains(tt.want, got) {
+				t.Errorf(
+					"Headscale.GenerateGivenName() = %v, is not a substring of %v",
+					tt.want,
+					got,
+				)
+			}
+
+			if len(got) > labelHostnameLength {
+				t.Errorf(
+					"Headscale.GenerateGivenName() = %v is larger than allowed DNS segment %d",
+					got,
+					labelHostnameLength,
+				)
+			}
+		})
+	}
+}
--- a/namespaces.go
+++ b/namespaces.go
@@ -41,7 +41,7 @@ type Namespace struct {
 // CreateNamespace creates a new Namespace. Returns error if could not be created
 // or another namespace already exists.
 func (h *Headscale) CreateNamespace(name string) (*Namespace, error) {
-	err := CheckNamespaceName(name)
+	err := CheckForFQDNRules(name)
 	if err != nil {
 		return nil, err
 	}
@@ -104,7 +104,7 @@ func (h *Headscale) RenameNamespace(oldName, newName string) error {
 	if err != nil {
 		return err
 	}
-	err = CheckNamespaceName(newName)
+	err = CheckForFQDNRules(newName)
 	if err != nil {
 		return err
 	}
@@ -148,9 +148,24 @@ func (h *Headscale) ListNamespaces() ([]Namespace, error) {
 	return namespaces, nil
 }

+func (h *Headscale) ListNamespacesStr() ([]string, error) {
+	namespaces, err := h.ListNamespaces()
+	if err != nil {
+		return []string{}, err
+	}
+
+	namespaceStrs := make([]string, len(namespaces))
+
+	for index, namespace := range namespaces {
+		namespaceStrs[index] = namespace.Name
+	}
+
+	return namespaceStrs, nil
+}
+
 // ListMachinesInNamespace gets all the nodes in a given namespace.
 func (h *Headscale) ListMachinesInNamespace(name string) ([]Machine, error) {
-	err := CheckNamespaceName(name)
+	err := CheckForFQDNRules(name)
 	if err != nil {
 		return nil, err
 	}
@@ -169,7 +184,7 @@ func (h *Headscale) ListMachinesInNamespace(name string) ([]Machine, error) {

 // SetMachineNamespace assigns a Machine to a namespace.
 func (h *Headscale) SetMachineNamespace(machine *Machine, namespaceName string) error {
-	err := CheckNamespaceName(namespaceName)
+	err := CheckForFQDNRules(namespaceName)
 	if err != nil {
 		return err
 	}
@@ -177,8 +192,10 @@ func (h *Headscale) SetMachineNamespace(machine *Machine, namespaceName string)
 	if err != nil {
 		return err
 	}
-	machine.NamespaceID = namespace.ID
-	h.db.Save(&machine)
+	machine.Namespace = *namespace
+	if result := h.db.Save(&machine); result.Error != nil {
+		return result.Error
+	}

 	return nil
 }
@@ -237,9 +254,9 @@ func (n *Namespace) toProto() *v1.Namespace {
 	}
 }

-// NormalizeNamespaceName will replace forbidden chars in namespace
+// NormalizeToFQDNRules will replace forbidden chars in namespace
 // it can also return an error if the namespace doesn't respect RFC 952 and 1123.
-func NormalizeNamespaceName(name string, stripEmailDomain bool) (string, error) {
+func NormalizeToFQDNRules(name string, stripEmailDomain bool) (string, error) {
 	name = strings.ToLower(name)
 	name = strings.ReplaceAll(name, "'", "")
 	atIdx := strings.Index(name, "@")
@@ -263,24 +280,24 @@ func NormalizeNamespaceName(name string, stripEmailDomain bool) (string, error)
 	return name, nil
 }

-func CheckNamespaceName(name string) error {
+func CheckForFQDNRules(name string) error {
 	if len(name) > labelHostnameLength {
 		return fmt.Errorf(
-			"Namespace must not be over 63 chars. %v doesn't comply with this rule: %w",
+			"DNS segment must not be over 63 chars. %v doesn't comply with this rule: %w",
 			name,
 			errInvalidNamespaceName,
 		)
 	}
 	if strings.ToLower(name) != name {
 		return fmt.Errorf(
-			"Namespace name should be lowercase. %v doesn't comply with this rule: %w",
+			"DNS segment should be lowercase. %v doesn't comply with this rule: %w",
 			name,
 			errInvalidNamespaceName,
 		)
 	}
 	if invalidCharsInNamespaceRegex.MatchString(name) {
 		return fmt.Errorf(
-			"Namespace name should only be composed of lowercase ASCII letters numbers, hyphen and dots. %v doesn't comply with theses rules: %w",
+			"DNS segment should only be composed of lowercase ASCII letters numbers, hyphen and dots. %v doesn't comply with theses rules: %w",
 			name,
 			errInvalidNamespaceName,
 		)
--- a/namespaces_test.go
+++ b/namespaces_test.go
@@ -52,7 +52,7 @@ func (s *Suite) TestDestroyNamespaceErrors(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "testmachine",
+		Hostname:       "testmachine",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
@@ -142,7 +142,7 @@ func (s *Suite) TestGetMapResponseUserProfiles(c *check.C) {
 		MachineKey:     "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
 		NodeKey:        "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
 		DiscoKey:       "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		Name:           "test_get_shared_nodes_1",
+		Hostname:       "test_get_shared_nodes_1",
 		NamespaceID:    namespaceShared1.ID,
 		Namespace:      *namespaceShared1,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -151,7 +151,7 @@ func (s *Suite) TestGetMapResponseUserProfiles(c *check.C) {
 	}
 	app.db.Save(machineInShared1)

-	_, err = app.GetMachine(namespaceShared1.Name, machineInShared1.Name)
+	_, err = app.GetMachine(namespaceShared1.Name, machineInShared1.Hostname)
 	c.Assert(err, check.IsNil)

 	machineInShared2 := &Machine{
@@ -159,7 +159,7 @@ func (s *Suite) TestGetMapResponseUserProfiles(c *check.C) {
 		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Name:           "test_get_shared_nodes_2",
+		Hostname:       "test_get_shared_nodes_2",
 		NamespaceID:    namespaceShared2.ID,
 		Namespace:      *namespaceShared2,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -168,7 +168,7 @@ func (s *Suite) TestGetMapResponseUserProfiles(c *check.C) {
 	}
 	app.db.Save(machineInShared2)

-	_, err = app.GetMachine(namespaceShared2.Name, machineInShared2.Name)
+	_, err = app.GetMachine(namespaceShared2.Name, machineInShared2.Hostname)
 	c.Assert(err, check.IsNil)

 	machineInShared3 := &Machine{
@@ -176,7 +176,7 @@ func (s *Suite) TestGetMapResponseUserProfiles(c *check.C) {
 		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Name:           "test_get_shared_nodes_3",
+		Hostname:       "test_get_shared_nodes_3",
 		NamespaceID:    namespaceShared3.ID,
 		Namespace:      *namespaceShared3,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -185,7 +185,7 @@ func (s *Suite) TestGetMapResponseUserProfiles(c *check.C) {
 	}
 	app.db.Save(machineInShared3)

-	_, err = app.GetMachine(namespaceShared3.Name, machineInShared3.Name)
+	_, err = app.GetMachine(namespaceShared3.Name, machineInShared3.Hostname)
 	c.Assert(err, check.IsNil)

 	machine2InShared1 := &Machine{
@@ -193,7 +193,7 @@ func (s *Suite) TestGetMapResponseUserProfiles(c *check.C) {
 		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Name:           "test_get_shared_nodes_4",
+		Hostname:       "test_get_shared_nodes_4",
 		NamespaceID:    namespaceShared1.ID,
 		Namespace:      *namespaceShared1,
 		RegisterMethod: RegisterMethodAuthKey,
@@ -233,7 +233,7 @@ func (s *Suite) TestGetMapResponseUserProfiles(c *check.C) {
 	c.Assert(found, check.Equals, true)
 }

-func TestNormalizeNamespaceName(t *testing.T) {
+func TestNormalizeToFQDNRules(t *testing.T) {
 	type args struct {
 		name             string
 		stripEmailDomain bool
@@ -310,10 +310,10 @@ func TestNormalizeNamespaceName(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := NormalizeNamespaceName(tt.args.name, tt.args.stripEmailDomain)
+			got, err := NormalizeToFQDNRules(tt.args.name, tt.args.stripEmailDomain)
 			if (err != nil) != tt.wantErr {
 				t.Errorf(
-					"NormalizeNamespaceName() error = %v, wantErr %v",
+					"NormalizeToFQDNRules() error = %v, wantErr %v",
 					err,
 					tt.wantErr,
 				)
@@ -321,13 +321,13 @@ func TestNormalizeNamespaceName(t *testing.T) {
 				return
 			}
 			if got != tt.want {
-				t.Errorf("NormalizeNamespaceName() = %v, want %v", got, tt.want)
+				t.Errorf("NormalizeToFQDNRules() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }

-func TestCheckNamespaceName(t *testing.T) {
+func TestCheckForFQDNRules(t *testing.T) {
 	type args struct {
 		name string
 	}
@@ -366,9 +366,46 @@ func TestCheckNamespaceName(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if err := CheckNamespaceName(tt.args.name); (err != nil) != tt.wantErr {
-				t.Errorf("CheckNamespaceName() error = %v, wantErr %v", err, tt.wantErr)
+			if err := CheckForFQDNRules(tt.args.name); (err != nil) != tt.wantErr {
+				t.Errorf("CheckForFQDNRules() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}
 }
+
+func (s *Suite) TestSetMachineNamespace(c *check.C) {
+	oldNamespace, err := app.CreateNamespace("old")
+	c.Assert(err, check.IsNil)
+
+	newNamespace, err := app.CreateNamespace("new")
+	c.Assert(err, check.IsNil)
+
+	pak, err := app.CreatePreAuthKey(oldNamespace.Name, false, false, nil)
+	c.Assert(err, check.IsNil)
+
+	machine := Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testmachine",
+		NamespaceID:    oldNamespace.ID,
+		RegisterMethod: RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	app.db.Save(&machine)
+	c.Assert(machine.NamespaceID, check.Equals, oldNamespace.ID)
+
+	err = app.SetMachineNamespace(&machine, newNamespace.Name)
+	c.Assert(err, check.IsNil)
+	c.Assert(machine.NamespaceID, check.Equals, newNamespace.ID)
+	c.Assert(machine.Namespace.Name, check.Equals, newNamespace.Name)
+
+	err = app.SetMachineNamespace(&machine, "non-existing-namespace")
+	c.Assert(err, check.Equals, errNamespaceNotFound)
+
+	err = app.SetMachineNamespace(&machine, newNamespace.Name)
+	c.Assert(err, check.IsNil)
+	c.Assert(machine.NamespaceID, check.Equals, newNamespace.ID)
+	c.Assert(machine.Namespace.Name, check.Equals, newNamespace.Name)
+}
--- a/oidc.go
+++ b/oidc.go
@@ -10,9 +10,10 @@ import (
 	"html/template"
 	"net/http"
 	"strings"
+	"time"

 	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/gin-gonic/gin"
+	"github.com/gorilla/mux"
 	"github.com/rs/zerolog/log"
 	"golang.org/x/oauth2"
 	"tailscale.com/types/key"
@@ -52,7 +53,7 @@ func (h *Headscale) initOIDC() error {
 				"%s/oidc/callback",
 				strings.TrimSuffix(h.cfg.ServerURL, "/"),
 			),
-			Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
+			Scopes: h.cfg.OIDC.Scope,
 		}
 	}

@@ -62,10 +63,17 @@ func (h *Headscale) initOIDC() error {
 // RegisterOIDC redirects to the OIDC provider for authentication
 // Puts machine key in cache so the callback can retrieve it using the oidc state param
 // Listens in /oidc/register/:mKey.
-func (h *Headscale) RegisterOIDC(ctx *gin.Context) {
-	machineKeyStr := ctx.Param("mkey")
-	if machineKeyStr == "" {
-		ctx.String(http.StatusBadRequest, "Wrong params")
+func (h *Headscale) RegisterOIDC(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	vars := mux.Vars(req)
+	machineKeyStr, ok := vars["mkey"]
+	if !ok || machineKeyStr == "" {
+		log.Error().
+			Caller().
+			Msg("Missing machine key in URL")
+		http.Error(writer, "Missing machine key in URL", http.StatusBadRequest)

 		return
 	}
@@ -80,7 +88,7 @@ func (h *Headscale) RegisterOIDC(ctx *gin.Context) {
 		log.Error().
 			Caller().
 			Msg("could not read 16 bytes from rand")
-		ctx.String(http.StatusInternalServerError, "could not read 16 bytes from rand")
+		http.Error(writer, "Internal server error", http.StatusInternalServerError)

 		return
 	}
@@ -90,10 +98,17 @@ func (h *Headscale) RegisterOIDC(ctx *gin.Context) {
 	// place the machine key into the state cache, so it can be retrieved later
 	h.registrationCache.Set(stateStr, machineKeyStr, registerCacheExpiration)

-	authURL := h.oauth2Config.AuthCodeURL(stateStr)
+	// Add any extra parameter provided in the configuration to the Authorize Endpoint request
+	extras := make([]oauth2.AuthCodeOption, 0, len(h.cfg.OIDC.ExtraParams))
+
+	for k, v := range h.cfg.OIDC.ExtraParams {
+		extras = append(extras, oauth2.SetAuthURLParam(k, v))
+	}
+
+	authURL := h.oauth2Config.AuthCodeURL(stateStr, extras...)
 	log.Debug().Msgf("Redirecting to %s for authentication", authURL)

-	ctx.Redirect(http.StatusFound, authURL)
+	http.Redirect(writer, req, authURL, http.StatusFound)
 }

 type oidcCallbackTemplateConfig struct {
@@ -117,19 +132,42 @@ var oidcCallbackTemplate = template.Must(
 // TODO: A confirmation page for new machines should be added to avoid phishing vulnerabilities
 // TODO: Add groups information from OIDC tokens into machine HostInfo
 // Listens in /oidc/callback.
-func (h *Headscale) OIDCCallback(ctx *gin.Context) {
-	code := ctx.Query("code")
-	state := ctx.Query("state")
+func (h *Headscale) OIDCCallback(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	code := req.URL.Query().Get("code")
+	state := req.URL.Query().Get("state")

 	if code == "" || state == "" {
-		ctx.String(http.StatusBadRequest, "Wrong params")
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("Wrong params"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}

 	oauth2Token, err := h.oauth2Config.Exchange(context.Background(), code)
 	if err != nil {
-		ctx.String(http.StatusBadRequest, "Could not exchange code for token")
+		log.Error().
+			Err(err).
+			Caller().
+			Msg("Could not exchange code for token")
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("Could not exchange code for token"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}
@@ -142,7 +180,15 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) {

 	rawIDToken, rawIDTokenOK := oauth2Token.Extra("id_token").(string)
 	if !rawIDTokenOK {
-		ctx.String(http.StatusBadRequest, "Could not extract ID Token")
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("Could not extract ID Token"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}
@@ -155,7 +201,15 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) {
 			Err(err).
 			Caller().
 			Msg("failed to verify id token")
-		ctx.String(http.StatusBadRequest, "Failed to verify id token")
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("Failed to verify id token"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}
@@ -174,10 +228,51 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) {
 			Err(err).
 			Caller().
 			Msg("Failed to decode id token claims")
-		ctx.String(
-			http.StatusBadRequest,
-			"Failed to decode id token claims",
-		)
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("Failed to decode id token claims"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
+	// If AllowedDomains is provided, check that the authenticated principal ends with @<alloweddomain>.
+	if len(h.cfg.OIDC.AllowedDomains) > 0 {
+		if at := strings.LastIndex(claims.Email, "@"); at < 0 ||
+			!IsStringInSlice(h.cfg.OIDC.AllowedDomains, claims.Email[at+1:]) {
+			log.Error().Msg("authenticated principal does not match any allowed domain")
+			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			writer.WriteHeader(http.StatusBadRequest)
+			_, err := writer.Write([]byte("unauthorized principal (domain mismatch)"))
+			if err != nil {
+				log.Error().
+					Caller().
+					Err(err).
+					Msg("Failed to write response")
+			}
+
+			return
+		}
+	}
+
+	// If AllowedUsers is provided, check that the authenticated princial is part of that list.
+	if len(h.cfg.OIDC.AllowedUsers) > 0 &&
+		!IsStringInSlice(h.cfg.OIDC.AllowedUsers, claims.Email) {
+		log.Error().Msg("authenticated principal does not match any allowed user")
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("unauthorized principal (user mismatch)"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}
@@ -188,7 +283,15 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) {
 	if !machineKeyFound {
 		log.Error().
 			Msg("requested machine state key expired before authorisation completed")
-		ctx.String(http.StatusBadRequest, "state has expired")
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("state has expired"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}
@@ -202,17 +305,30 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) {
 	if err != nil {
 		log.Error().
 			Msg("could not parse machine public key")
-		ctx.String(http.StatusBadRequest, "could not parse public key")
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("could not parse public key"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}

 	if !machineKeyOK {
 		log.Error().Msg("could not get machine key from cache")
-		ctx.String(
-			http.StatusInternalServerError,
-			"could not get machine key from cache",
-		)
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("could not get machine key from cache"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}
@@ -226,10 +342,19 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) {
 	if machine != nil {
 		log.Trace().
 			Caller().
-			Str("machine", machine.Name).
+			Str("machine", machine.Hostname).
 			Msg("machine already registered, reauthenticating")

-		h.RefreshMachine(machine, *machine.Expiry)
+		err := h.RefreshMachine(machine, time.Time{})
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to refresh machine")
+			http.Error(writer, "Failed to refresh machine", http.StatusInternalServerError)
+
+			return
+		}

 		var content bytes.Buffer
 		if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
@@ -241,28 +366,48 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) {
 				Str("type", "reauthenticate").
 				Err(err).
 				Msg("Could not render OIDC callback template")
-			ctx.Data(
-				http.StatusInternalServerError,
-				"text/html; charset=utf-8",
-				[]byte("Could not render OIDC callback template"),
-			)
+
+			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			writer.WriteHeader(http.StatusInternalServerError)
+			_, err := writer.Write([]byte("Could not render OIDC callback template"))
+			if err != nil {
+				log.Error().
+					Caller().
+					Err(err).
+					Msg("Failed to write response")
+			}
+
+			return
 		}

-		ctx.Data(http.StatusOK, "text/html; charset=utf-8", content.Bytes())
+		writer.Header().Set("Content-Type", "text/html; charset=utf-8")
+		writer.WriteHeader(http.StatusOK)
+		_, err = writer.Write(content.Bytes())
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}

-	namespaceName, err := NormalizeNamespaceName(
+	namespaceName, err := NormalizeToFQDNRules(
 		claims.Email,
 		h.cfg.OIDC.StripEmaildomain,
 	)
 	if err != nil {
 		log.Error().Err(err).Caller().Msgf("couldn't normalize email")
-		ctx.String(
-			http.StatusInternalServerError,
-			"couldn't normalize email",
-		)
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("couldn't normalize email"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}
@@ -279,10 +424,15 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) {
 				Err(err).
 				Caller().
 				Msgf("could not create new namespace '%s'", namespaceName)
-			ctx.String(
-				http.StatusInternalServerError,
-				"could not create new namespace",
-			)
+			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			writer.WriteHeader(http.StatusInternalServerError)
+			_, err := writer.Write([]byte("could not create namespace"))
+			if err != nil {
+				log.Error().
+					Caller().
+					Err(err).
+					Msg("Failed to write response")
+			}

 			return
 		}
@@ -292,10 +442,15 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) {
 			Err(err).
 			Str("namespace", namespaceName).
 			Msg("could not find or create namespace")
-		ctx.String(
-			http.StatusInternalServerError,
-			"could not find or create namespace",
-		)
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("could not find or create namespace"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}
@@ -312,10 +467,15 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) {
 			Caller().
 			Err(err).
 			Msg("could not register machine")
-		ctx.String(
-			http.StatusInternalServerError,
-			"could not register machine",
-		)
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("could not register machine"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}
@@ -330,12 +490,27 @@ func (h *Headscale) OIDCCallback(ctx *gin.Context) {
 			Str("type", "authenticate").
 			Err(err).
 			Msg("Could not render OIDC callback template")
-		ctx.Data(
-			http.StatusInternalServerError,
-			"text/html; charset=utf-8",
-			[]byte("Could not render OIDC callback template"),
-		)
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("Could not render OIDC callback template"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
 	}

-	ctx.Data(http.StatusOK, "text/html; charset=utf-8", content.Bytes())
+	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err = writer.Write(content.Bytes())
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
 }
--- a/platform_config.go
+++ b/platform_config.go
@@ -0,0 +1,460 @@
+package headscale
+
+import (
+	"bytes"
+	"html/template"
+	"net/http"
+	textTemplate "text/template"
+
+	"github.com/gofrs/uuid"
+	"github.com/gorilla/mux"
+	"github.com/rs/zerolog/log"
+)
+
+// WindowsConfigMessage shows a simple message in the browser for how to configure the Windows Tailscale client.
+func (h *Headscale) WindowsConfigMessage(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	winTemplate := template.Must(template.New("windows").Parse(`
+<html>
+	<body>
+		<h1>headscale</h1>
+		<h2>Windows registry configuration</h2>
+		<p>
+		    This page provides Windows registry information for the official Windows Tailscale client.
+		<p>
+		<p>
+		    The registry file will configure Tailscale to use <code>{{.URL}}</code> as its control server.
+		<p>
+		<h3>Caution</h3>
+		<p>You should always download and inspect the registry file before installing it:</p>
+		<pre><code>curl {{.URL}}/windows/tailscale.reg</code></pre>
+
+		<h2>Installation</h2>
+		<p>Headscale can be set to the default server by running the registry file:</p>
+
+		<p>
+		    <a href="/windows/tailscale.reg" download="tailscale.reg">Windows registry file</a>
+		</p>
+
+		<ol>
+			<li>Download the registry file, then run it</li>
+			<li>Follow the prompts</li>
+			<li>Install and run the official windows Tailscale client</li>
+			<li>When the installation has finished, start Tailscale, and log in by clicking the icon in the system tray</li>
+		</ol>
+		<p>Or</p>
+		<p>Open command prompt with Administrator rights. Issue the following commands to add the required registry entries:</p>
+		<pre>
+<code>REG ADD "HKLM\Software\Tailscale IPN" /v UnattendedMode /t REG_SZ /d always
+REG ADD "HKLM\Software\Tailscale IPN" /v LoginURL /t REG_SZ /d "{{.URL}}"</code></pre>
+		<p>
+		    Restart Tailscale and log in.
+		<p>
+	</body>
+</html>
+`))
+
+	config := map[string]interface{}{
+		"URL": h.cfg.ServerURL,
+	}
+
+	var payload bytes.Buffer
+	if err := winTemplate.Execute(&payload, config); err != nil {
+		log.Error().
+			Str("handler", "WindowsRegConfig").
+			Err(err).
+			Msg("Could not render Windows index template")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("Could not render Windows index template"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
+	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err := writer.Write(payload.Bytes())
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
+}
+
+// WindowsRegConfig generates and serves a .reg file configured with the Headscale server address.
+func (h *Headscale) WindowsRegConfig(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	config := WindowsRegistryConfig{
+		URL: h.cfg.ServerURL,
+	}
+
+	var content bytes.Buffer
+	if err := windowsRegTemplate.Execute(&content, config); err != nil {
+		log.Error().
+			Str("handler", "WindowsRegConfig").
+			Err(err).
+			Msg("Could not render Apple macOS template")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("Could not render Windows registry template"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
+	writer.Header().Set("Content-Type", "text/x-ms-regedit; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err := writer.Write(content.Bytes())
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
+}
+
+// AppleConfigMessage shows a simple message in the browser to point the user to the iOS/MacOS profile and instructions for how to install it.
+func (h *Headscale) AppleConfigMessage(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	appleTemplate := template.Must(template.New("apple").Parse(`
+<html>
+	<body>
+		<h1>headscale</h1>
+		<h2>Apple configuration profiles</h2>
+		<p>
+		    This page provides <a href="https://support.apple.com/guide/mdm/mdm-overview-mdmbf9e668/web">configuration profiles</a> for the official Tailscale clients for <a href="https://apps.apple.com/us/app/tailscale/id1470499037?ls=1">iOS</a> and <a href="https://apps.apple.com/ca/app/tailscale/id1475387142?mt=12">macOS</a>.
+		</p>
+		<p>
+		    The profiles will configure Tailscale.app to use <code>{{.URL}}</code> as its control server.
+		</p>
+
+		<h3>Caution</h3>
+		<p>You should always download and inspect the profile before installing it:</p>
+		<!--
+		<pre><code>curl {{.URL}}/apple/ios</code></pre>
+		-->
+		<pre><code>curl {{.URL}}/apple/macos</code></pre>
+
+		<h2>Profiles</h2>
+
+		<!--
+		<h3>iOS</h3>
+		<p>
+		    <a href="/apple/ios" download="headscale_ios.mobileconfig">iOS profile</a>
+		</p>
+		-->
+
+		<h3>macOS</h3>
+		<p>Headscale can be set to the default server by installing a Headscale configuration profile:</p>
+		<p>
+		    <a href="/apple/macos" download="headscale_macos.mobileconfig">macOS profile</a>
+		</p>
+
+		<ol>
+		<li>Download the profile, then open it. When it has been opened, there should be a notification that a profile can be installed</li>
+		<li>Open System Preferences and go to "Profiles"</li>
+		<li>Find and install the Headscale profile</li>
+		<li>Restart Tailscale.app and log in</li>
+		</ol>
+
+		<p>Or</p>
+		<p>Use your terminal to configure the default setting for Tailscale by issuing:</p>
+		<code>defaults write io.tailscale.ipn.macos ControlURL {{.URL}}</code>
+
+		<p>Restart Tailscale.app and log in.</p>
+
+	</body>
+</html>`))
+
+	config := map[string]interface{}{
+		"URL": h.cfg.ServerURL,
+	}
+
+	var payload bytes.Buffer
+	if err := appleTemplate.Execute(&payload, config); err != nil {
+		log.Error().
+			Str("handler", "AppleMobileConfig").
+			Err(err).
+			Msg("Could not render Apple index template")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("Could not render Apple index template"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
+	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err := writer.Write(payload.Bytes())
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
+}
+
+func (h *Headscale) ApplePlatformConfig(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	vars := mux.Vars(req)
+	platform, ok := vars["platform"]
+	if !ok {
+		log.Error().
+			Str("handler", "ApplePlatformConfig").
+			Msg("No platform specified")
+		http.Error(writer, "No platform specified", http.StatusBadRequest)
+
+		return
+	}
+
+	id, err := uuid.NewV4()
+	if err != nil {
+		log.Error().
+			Str("handler", "ApplePlatformConfig").
+			Err(err).
+			Msg("Failed not create UUID")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("Failed to create UUID"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
+	contentID, err := uuid.NewV4()
+	if err != nil {
+		log.Error().
+			Str("handler", "ApplePlatformConfig").
+			Err(err).
+			Msg("Failed not create UUID")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("Failed to create content UUID"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
+	platformConfig := AppleMobilePlatformConfig{
+		UUID: contentID,
+		URL:  h.cfg.ServerURL,
+	}
+
+	var payload bytes.Buffer
+
+	switch platform {
+	case "macos":
+		if err := macosTemplate.Execute(&payload, platformConfig); err != nil {
+			log.Error().
+				Str("handler", "ApplePlatformConfig").
+				Err(err).
+				Msg("Could not render Apple macOS template")
+
+			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			writer.WriteHeader(http.StatusInternalServerError)
+			_, err := writer.Write([]byte("Could not render Apple macOS template"))
+			if err != nil {
+				log.Error().
+					Caller().
+					Err(err).
+					Msg("Failed to write response")
+			}
+
+			return
+		}
+	case "ios":
+		if err := iosTemplate.Execute(&payload, platformConfig); err != nil {
+			log.Error().
+				Str("handler", "ApplePlatformConfig").
+				Err(err).
+				Msg("Could not render Apple iOS template")
+
+			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			writer.WriteHeader(http.StatusInternalServerError)
+			_, err := writer.Write([]byte("Could not render Apple iOS template"))
+			if err != nil {
+				log.Error().
+					Caller().
+					Err(err).
+					Msg("Failed to write response")
+			}
+
+			return
+		}
+	default:
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("Invalid platform, only ios and macos is supported"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
+	config := AppleMobileConfig{
+		UUID:    id,
+		URL:     h.cfg.ServerURL,
+		Payload: payload.String(),
+	}
+
+	var content bytes.Buffer
+	if err := commonTemplate.Execute(&content, config); err != nil {
+		log.Error().
+			Str("handler", "ApplePlatformConfig").
+			Err(err).
+			Msg("Could not render Apple platform template")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("Could not render Apple platform template"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
+	writer.Header().Set("Content-Type", "application/x-apple-aspen-config; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err = writer.Write(content.Bytes())
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
+}
+
+type WindowsRegistryConfig struct {
+	URL string
+}
+
+type AppleMobileConfig struct {
+	UUID    uuid.UUID
+	URL     string
+	Payload string
+}
+
+type AppleMobilePlatformConfig struct {
+	UUID uuid.UUID
+	URL  string
+}
+
+var windowsRegTemplate = textTemplate.Must(
+	textTemplate.New("windowsconfig").Parse(`Windows Registry Editor Version 5.00
+
+[HKEY_LOCAL_MACHINE\SOFTWARE\Tailscale IPN]
+"UnattendedMode"="always"
+"LoginURL"="{{.URL}}"
+`))
+
+var commonTemplate = textTemplate.Must(
+	textTemplate.New("mobileconfig").Parse(`<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>PayloadUUID</key>
+    <string>{{.UUID}}</string>
+    <key>PayloadDisplayName</key>
+    <string>Headscale</string>
+    <key>PayloadDescription</key>
+    <string>Configure Tailscale login server to: {{.URL}}</string>
+    <key>PayloadIdentifier</key>
+    <string>com.github.juanfont.headscale</string>
+    <key>PayloadRemovalDisallowed</key>
+    <false/>
+    <key>PayloadType</key>
+    <string>Configuration</string>
+    <key>PayloadVersion</key>
+    <integer>1</integer>
+    <key>PayloadContent</key>
+    <array>
+    {{.Payload}}
+    </array>
+  </dict>
+</plist>`),
+)
+
+var iosTemplate = textTemplate.Must(textTemplate.New("iosTemplate").Parse(`
+    <dict>
+        <key>PayloadType</key>
+        <string>io.tailscale.ipn.ios</string>
+        <key>PayloadUUID</key>
+        <string>{{.UUID}}</string>
+        <key>PayloadIdentifier</key>
+        <string>com.github.juanfont.headscale</string>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+        <key>PayloadEnabled</key>
+        <true/>
+
+        <key>ControlURL</key>
+        <string>{{.URL}}</string>
+    </dict>
+`))
+
+var macosTemplate = template.Must(template.New("macosTemplate").Parse(`
+    <dict>
+        <key>PayloadType</key>
+        <string>io.tailscale.ipn.macos</string>
+        <key>PayloadUUID</key>
+        <string>{{.UUID}}</string>
+        <key>PayloadIdentifier</key>
+        <string>com.github.juanfont.headscale</string>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+        <key>PayloadEnabled</key>
+        <true/>
+
+        <key>ControlURL</key>
+        <string>{{.URL}}</string>
+    </dict>
+`))
--- a/poll.go
+++ b/poll.go
@@ -8,7 +8,7 @@ import (
 	"net/http"
 	"time"

-	"github.com/gin-gonic/gin"
+	"github.com/gorilla/mux"
 	"github.com/rs/zerolog/log"
 	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
@@ -16,10 +16,13 @@ import (
 )

 const (
-	keepAliveInterval   = 60 * time.Second
-	updateCheckInterval = 10 * time.Second
+	keepAliveInterval = 60 * time.Second
 )

+type contextKey string
+
+const machineNameContextKey = contextKey("machineName")
+
 // PollNetMapHandler takes care of /machine/:id/map
 //
 // This is the busiest endpoint, as it keeps the HTTP long poll that updates
@@ -29,13 +32,25 @@ const (
 // only after their first request (marked with the ReadOnly field).
 //
 // At this moment the updates are sent in a quite horrendous way, but they kinda work.
-func (h *Headscale) PollNetMapHandler(ctx *gin.Context) {
+func (h *Headscale) PollNetMapHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	vars := mux.Vars(req)
+	machineKeyStr, ok := vars["mkey"]
+	if !ok || machineKeyStr == "" {
+		log.Error().
+			Str("handler", "PollNetMap").
+			Msg("No machine key in request")
+		http.Error(writer, "No machine key in request", http.StatusBadRequest)
+
+		return
+	}
 	log.Trace().
 		Str("handler", "PollNetMap").
-		Str("id", ctx.Param("id")).
+		Str("id", machineKeyStr).
 		Msg("PollNetMapHandler called")
-	body, _ := io.ReadAll(ctx.Request.Body)
-	machineKeyStr := ctx.Param("id")
+	body, _ := io.ReadAll(req.Body)

 	var machineKey key.MachinePublic
 	err := machineKey.UnmarshalText([]byte(MachinePublicKeyEnsurePrefix(machineKeyStr)))
@@ -44,18 +59,19 @@ func (h *Headscale) PollNetMapHandler(ctx *gin.Context) {
 			Str("handler", "PollNetMap").
 			Err(err).
 			Msg("Cannot parse client key")
-		ctx.String(http.StatusBadRequest, "")
+
+		http.Error(writer, "Cannot parse client key", http.StatusBadRequest)

 		return
 	}
-	req := tailcfg.MapRequest{}
-	err = decode(body, &req, &machineKey, h.privateKey)
+	mapRequest := tailcfg.MapRequest{}
+	err = decode(body, &mapRequest, &machineKey, h.privateKey)
 	if err != nil {
 		log.Error().
 			Str("handler", "PollNetMap").
 			Err(err).
 			Msg("Cannot decode message")
-		ctx.String(http.StatusBadRequest, "")
+		http.Error(writer, "Cannot decode message", http.StatusBadRequest)

 		return
 	}
@@ -66,26 +82,27 @@ func (h *Headscale) PollNetMapHandler(ctx *gin.Context) {
 			log.Warn().
 				Str("handler", "PollNetMap").
 				Msgf("Ignoring request, cannot find machine with key %s", machineKey.String())
-			ctx.String(http.StatusUnauthorized, "")
+
+			http.Error(writer, "", http.StatusUnauthorized)

 			return
 		}
 		log.Error().
 			Str("handler", "PollNetMap").
 			Msgf("Failed to fetch machine from the database with Machine key: %s", machineKey.String())
-		ctx.String(http.StatusInternalServerError, "")
+		http.Error(writer, "", http.StatusInternalServerError)

 		return
 	}
 	log.Trace().
 		Str("handler", "PollNetMap").
-		Str("id", ctx.Param("id")).
-		Str("machine", machine.Name).
+		Str("id", machineKeyStr).
+		Str("machine", machine.Hostname).
 		Msg("Found machine in database")

-	machine.Name = req.Hostinfo.Hostname
-	machine.HostInfo = HostInfo(*req.Hostinfo)
-	machine.DiscoKey = DiscoPublicKeyStripPrefix(req.DiscoKey)
+	machine.Hostname = mapRequest.Hostinfo.Hostname
+	machine.HostInfo = HostInfo(*mapRequest.Hostinfo)
+	machine.DiscoKey = DiscoPublicKeyStripPrefix(mapRequest.DiscoKey)
 	now := time.Now().UTC()

 	// update ACLRules with peer informations (to update server tags if necessary)
@@ -95,7 +112,7 @@ func (h *Headscale) PollNetMapHandler(ctx *gin.Context) {
 			log.Error().
 				Caller().
 				Str("func", "handleAuthKey").
-				Str("machine", machine.Name).
+				Str("machine", machine.Hostname).
 				Err(err)
 		}
 	}
@@ -107,21 +124,34 @@ func (h *Headscale) PollNetMapHandler(ctx *gin.Context) {
 	//
 	// The intended use is for clients to discover the DERP map at start-up
 	// before their first real endpoint update.
-	if !req.ReadOnly {
-		machine.Endpoints = req.Endpoints
+	if !mapRequest.ReadOnly {
+		machine.Endpoints = mapRequest.Endpoints
 		machine.LastSeen = &now
 	}
-	h.db.Updates(machine)

-	data, err := h.getMapResponse(machineKey, req, machine)
+	if err := h.db.Updates(machine).Error; err != nil {
+		if err != nil {
+			log.Error().
+				Str("handler", "PollNetMap").
+				Str("id", machineKeyStr).
+				Str("machine", machine.Hostname).
+				Err(err).
+				Msg("Failed to persist/update machine in the database")
+			http.Error(writer, "", http.StatusInternalServerError)
+
+			return
+		}
+	}
+
+	data, err := h.getMapResponse(machineKey, mapRequest, machine)
 	if err != nil {
 		log.Error().
 			Str("handler", "PollNetMap").
-			Str("id", ctx.Param("id")).
-			Str("machine", machine.Name).
+			Str("id", machineKeyStr).
+			Str("machine", machine.Hostname).
 			Err(err).
 			Msg("Failed to get Map response")
-		ctx.String(http.StatusInternalServerError, ":(")
+		http.Error(writer, "", http.StatusInternalServerError)

 		return
 	}
@@ -133,19 +163,28 @@ func (h *Headscale) PollNetMapHandler(ctx *gin.Context) {
 	// Details on the protocol can be found in https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L696
 	log.Debug().
 		Str("handler", "PollNetMap").
-		Str("id", ctx.Param("id")).
-		Str("machine", machine.Name).
-		Bool("readOnly", req.ReadOnly).
-		Bool("omitPeers", req.OmitPeers).
-		Bool("stream", req.Stream).
+		Str("id", machineKeyStr).
+		Str("machine", machine.Hostname).
+		Bool("readOnly", mapRequest.ReadOnly).
+		Bool("omitPeers", mapRequest.OmitPeers).
+		Bool("stream", mapRequest.Stream).
 		Msg("Client map request processed")

-	if req.ReadOnly {
+	if mapRequest.ReadOnly {
 		log.Info().
 			Str("handler", "PollNetMap").
-			Str("machine", machine.Name).
+			Str("machine", machine.Hostname).
 			Msg("Client is starting up. Probably interested in a DERP map")
-		ctx.Data(http.StatusOK, "application/json; charset=utf-8", data)
+
+		writer.Header().Set("Content-Type", "application/json; charset=utf-8")
+		writer.WriteHeader(http.StatusOK)
+		_, err := writer.Write(data)
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}
@@ -160,83 +199,72 @@ func (h *Headscale) PollNetMapHandler(ctx *gin.Context) {
 	// Only create update channel if it has not been created
 	log.Trace().
 		Str("handler", "PollNetMap").
-		Str("id", ctx.Param("id")).
-		Str("machine", machine.Name).
+		Str("id", machineKeyStr).
+		Str("machine", machine.Hostname).
 		Msg("Loading or creating update channel")

-	// TODO: could probably remove all that duplication once generics land.
-	closeChanWithLog := func(channel interface{}, name string) {
-		log.Trace().
-			Str("handler", "PollNetMap").
-			Str("machine", machine.Name).
-			Str("channel", "Done").
-			Msg(fmt.Sprintf("Closing %s channel", name))
-
-		switch c := channel.(type) {
-		case (chan struct{}):
-			close(c)
-
-		case (chan []byte):
-			close(c)
-		}
-	}
-
 	const chanSize = 8
 	updateChan := make(chan struct{}, chanSize)
-	defer closeChanWithLog(updateChan, "updateChan")

 	pollDataChan := make(chan []byte, chanSize)
-	defer closeChanWithLog(pollDataChan, "pollDataChan")
+	defer closeChanWithLog(pollDataChan, machine.Hostname, "pollDataChan")

 	keepAliveChan := make(chan []byte)
-	defer closeChanWithLog(keepAliveChan, "keepAliveChan")

-	if req.OmitPeers && !req.Stream {
+	if mapRequest.OmitPeers && !mapRequest.Stream {
 		log.Info().
 			Str("handler", "PollNetMap").
-			Str("machine", machine.Name).
+			Str("machine", machine.Hostname).
 			Msg("Client sent endpoint update and is ok with a response without peer list")
-		ctx.Data(http.StatusOK, "application/json; charset=utf-8", data)
-
+		writer.Header().Set("Content-Type", "application/json; charset=utf-8")
+		writer.WriteHeader(http.StatusOK)
+		_, err := writer.Write(data)
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
 		// It sounds like we should update the nodes when we have received a endpoint update
 		// even tho the comments in the tailscale code dont explicitly say so.
-		updateRequestsFromNode.WithLabelValues(machine.Namespace.Name, machine.Name, "endpoint-update").
+		updateRequestsFromNode.WithLabelValues(machine.Namespace.Name, machine.Hostname, "endpoint-update").
 			Inc()
 		updateChan <- struct{}{}

 		return
-	} else if req.OmitPeers && req.Stream {
+	} else if mapRequest.OmitPeers && mapRequest.Stream {
 		log.Warn().
 			Str("handler", "PollNetMap").
-			Str("machine", machine.Name).
+			Str("machine", machine.Hostname).
 			Msg("Ignoring request, don't know how to handle it")
-		ctx.String(http.StatusBadRequest, "")
+		http.Error(writer, "", http.StatusBadRequest)

 		return
 	}

 	log.Info().
 		Str("handler", "PollNetMap").
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Msg("Client is ready to access the tailnet")
 	log.Info().
 		Str("handler", "PollNetMap").
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Msg("Sending initial map")
 	pollDataChan <- data

 	log.Info().
 		Str("handler", "PollNetMap").
-		Str("machine", machine.Name).
+		Str("machine", machine.Hostname).
 		Msg("Notifying peers")
-	updateRequestsFromNode.WithLabelValues(machine.Namespace.Name, machine.Name, "full-update").
+	updateRequestsFromNode.WithLabelValues(machine.Namespace.Name, machine.Hostname, "full-update").
 		Inc()
 	updateChan <- struct{}{}

 	h.PollNetMapStream(
-		ctx,
-		machine,
+		writer,
 		req,
+		machine,
+		mapRequest,
 		machineKey,
 		pollDataChan,
 		keepAliveChan,
@@ -244,8 +272,8 @@ func (h *Headscale) PollNetMapHandler(ctx *gin.Context) {
 	)
 	log.Trace().
 		Str("handler", "PollNetMap").
-		Str("id", ctx.Param("id")).
-		Str("machine", machine.Name).
+		Str("id", machineKeyStr).
+		Str("machine", machine.Hostname).
 		Msg("Finished stream, closing PollNetMap session")
 }

@@ -253,7 +281,8 @@ func (h *Headscale) PollNetMapHandler(ctx *gin.Context) {
 // stream logic, ensuring we communicate updates and data
 // to the connected clients.
 func (h *Headscale) PollNetMapStream(
-	ctx *gin.Context,
+	writer http.ResponseWriter,
+	req *http.Request,
 	machine *Machine,
 	mapRequest tailcfg.MapRequest,
 	machineKey key.MachinePublic,
@@ -261,36 +290,39 @@ func (h *Headscale) PollNetMapStream(
 	keepAliveChan chan []byte,
 	updateChan chan struct{},
 ) {
-	{
-		ctx, cancel := context.WithCancel(ctx.Request.Context())
-		defer cancel()
+	h.pollNetMapStreamWG.Add(1)
+	defer h.pollNetMapStreamWG.Done()

-		go h.scheduledPollWorker(
-			ctx,
-			updateChan,
-			keepAliveChan,
-			machineKey,
-			mapRequest,
-			machine,
-		)
-	}
+	ctx := context.WithValue(req.Context(), machineNameContextKey, machine.Hostname)

-	ctx.Stream(func(writer io.Writer) bool {
-		log.Trace().
-			Str("handler", "PollNetMapStream").
-			Str("machine", machine.Name).
-			Msg("Waiting for data to stream...")
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()

-		log.Trace().
-			Str("handler", "PollNetMapStream").
-			Str("machine", machine.Name).
-			Msgf("pollData is %#v, keepAliveChan is %#v, updateChan is %#v", pollDataChan, keepAliveChan, updateChan)
+	go h.scheduledPollWorker(
+		ctx,
+		updateChan,
+		keepAliveChan,
+		machineKey,
+		mapRequest,
+		machine,
+	)

+	log.Trace().
+		Str("handler", "PollNetMapStream").
+		Str("machine", machine.Hostname).
+		Msg("Waiting for data to stream...")
+
+	log.Trace().
+		Str("handler", "PollNetMapStream").
+		Str("machine", machine.Hostname).
+		Msgf("pollData is %#v, keepAliveChan is %#v, updateChan is %#v", pollDataChan, keepAliveChan, updateChan)
+
+	for {
 		select {
 		case data := <-pollDataChan:
 			log.Trace().
 				Str("handler", "PollNetMapStream").
-				Str("machine", machine.Name).
+				Str("machine", machine.Hostname).
 				Str("channel", "pollData").
 				Int("bytes", len(data)).
 				Msg("Sending data received via pollData channel")
@@ -298,39 +330,52 @@ func (h *Headscale) PollNetMapStream(
 			if err != nil {
 				log.Error().
 					Str("handler", "PollNetMapStream").
-					Str("machine", machine.Name).
+					Str("machine", machine.Hostname).
 					Str("channel", "pollData").
 					Err(err).
 					Msg("Cannot write data")

-				return false
+				return
 			}
+
+			flusher, ok := writer.(http.Flusher)
+			if !ok {
+				log.Error().
+					Caller().
+					Str("handler", "PollNetMapStream").
+					Str("machine", machine.Hostname).
+					Str("channel", "pollData").
+					Msg("Cannot cast writer to http.Flusher")
+			} else {
+				flusher.Flush()
+			}
+
 			log.Trace().
 				Str("handler", "PollNetMapStream").
-				Str("machine", machine.Name).
+				Str("machine", machine.Hostname).
 				Str("channel", "pollData").
 				Int("bytes", len(data)).
 				Msg("Data from pollData channel written successfully")
 				// TODO(kradalby): Abstract away all the database calls, this can cause race conditions
 				// when an outdated machine object is kept alive, e.g. db is update from
 				// command line, but then overwritten.
-			err = h.UpdateMachine(machine)
+			err = h.UpdateMachineFromDatabase(machine)
 			if err != nil {
 				log.Error().
 					Str("handler", "PollNetMapStream").
-					Str("machine", machine.Name).
+					Str("machine", machine.Hostname).
 					Str("channel", "pollData").
 					Err(err).
 					Msg("Cannot update machine from database")

 				// client has been removed from database
 				// since the stream opened, terminate connection.
-				return false
+				return
 			}
 			now := time.Now().UTC()
 			machine.LastSeen = &now

-			lastStateUpdate.WithLabelValues(machine.Namespace.Name, machine.Name).
+			lastStateUpdate.WithLabelValues(machine.Namespace.Name, machine.Hostname).
 				Set(float64(now.Unix()))
 			machine.LastSuccessfulUpdate = &now

@@ -338,25 +383,25 @@ func (h *Headscale) PollNetMapStream(
 			if err != nil {
 				log.Error().
 					Str("handler", "PollNetMapStream").
-					Str("machine", machine.Name).
+					Str("machine", machine.Hostname).
 					Str("channel", "pollData").
 					Err(err).
 					Msg("Cannot update machine LastSuccessfulUpdate")
-			} else {
-				log.Trace().
-					Str("handler", "PollNetMapStream").
-					Str("machine", machine.Name).
-					Str("channel", "pollData").
-					Int("bytes", len(data)).
-					Msg("Machine entry in database updated successfully after sending pollData")
+
+				return
 			}

-			return true
+			log.Trace().
+				Str("handler", "PollNetMapStream").
+				Str("machine", machine.Hostname).
+				Str("channel", "pollData").
+				Int("bytes", len(data)).
+				Msg("Machine entry in database updated successfully after sending data")

 		case data := <-keepAliveChan:
 			log.Trace().
 				Str("handler", "PollNetMapStream").
-				Str("machine", machine.Name).
+				Str("machine", machine.Hostname).
 				Str("channel", "keepAlive").
 				Int("bytes", len(data)).
 				Msg("Sending keep alive message")
@@ -364,34 +409,46 @@ func (h *Headscale) PollNetMapStream(
 			if err != nil {
 				log.Error().
 					Str("handler", "PollNetMapStream").
-					Str("machine", machine.Name).
+					Str("machine", machine.Hostname).
 					Str("channel", "keepAlive").
 					Err(err).
 					Msg("Cannot write keep alive message")

-				return false
+				return
 			}
+			flusher, ok := writer.(http.Flusher)
+			if !ok {
+				log.Error().
+					Caller().
+					Str("handler", "PollNetMapStream").
+					Str("machine", machine.Hostname).
+					Str("channel", "keepAlive").
+					Msg("Cannot cast writer to http.Flusher")
+			} else {
+				flusher.Flush()
+			}
+
 			log.Trace().
 				Str("handler", "PollNetMapStream").
-				Str("machine", machine.Name).
+				Str("machine", machine.Hostname).
 				Str("channel", "keepAlive").
 				Int("bytes", len(data)).
 				Msg("Keep alive sent successfully")
 				// TODO(kradalby): Abstract away all the database calls, this can cause race conditions
 				// when an outdated machine object is kept alive, e.g. db is update from
 				// command line, but then overwritten.
-			err = h.UpdateMachine(machine)
+			err = h.UpdateMachineFromDatabase(machine)
 			if err != nil {
 				log.Error().
 					Str("handler", "PollNetMapStream").
-					Str("machine", machine.Name).
+					Str("machine", machine.Hostname).
 					Str("channel", "keepAlive").
 					Err(err).
 					Msg("Cannot update machine from database")

 				// client has been removed from database
 				// since the stream opened, terminate connection.
-				return false
+				return
 			}
 			now := time.Now().UTC()
 			machine.LastSeen = &now
@@ -399,29 +456,30 @@ func (h *Headscale) PollNetMapStream(
 			if err != nil {
 				log.Error().
 					Str("handler", "PollNetMapStream").
-					Str("machine", machine.Name).
+					Str("machine", machine.Hostname).
 					Str("channel", "keepAlive").
 					Err(err).
 					Msg("Cannot update machine LastSeen")
-			} else {
-				log.Trace().
-					Str("handler", "PollNetMapStream").
-					Str("machine", machine.Name).
-					Str("channel", "keepAlive").
-					Int("bytes", len(data)).
-					Msg("Machine updated successfully after sending keep alive")
+
+				return
 			}

-			return true
+			log.Trace().
+				Str("handler", "PollNetMapStream").
+				Str("machine", machine.Hostname).
+				Str("channel", "keepAlive").
+				Int("bytes", len(data)).
+				Msg("Machine updated successfully after sending keep alive")

 		case <-updateChan:
 			log.Trace().
 				Str("handler", "PollNetMapStream").
-				Str("machine", machine.Name).
+				Str("machine", machine.Hostname).
 				Str("channel", "update").
 				Msg("Received a request for update")
-			updateRequestsReceivedOnChannel.WithLabelValues(machine.Namespace.Name, machine.Name).
+			updateRequestsReceivedOnChannel.WithLabelValues(machine.Namespace.Name, machine.Hostname).
 				Inc()
+
 			if h.isOutdated(machine) {
 				var lastUpdate time.Time
 				if machine.LastSuccessfulUpdate != nil {
@@ -429,38 +487,53 @@ func (h *Headscale) PollNetMapStream(
 				}
 				log.Debug().
 					Str("handler", "PollNetMapStream").
-					Str("machine", machine.Name).
+					Str("machine", machine.Hostname).
 					Time("last_successful_update", lastUpdate).
 					Time("last_state_change", h.getLastStateChange(machine.Namespace.Name)).
-					Msgf("There has been updates since the last successful update to %s", machine.Name)
+					Msgf("There has been updates since the last successful update to %s", machine.Hostname)
 				data, err := h.getMapResponse(machineKey, mapRequest, machine)
 				if err != nil {
 					log.Error().
 						Str("handler", "PollNetMapStream").
-						Str("machine", machine.Name).
+						Str("machine", machine.Hostname).
 						Str("channel", "update").
 						Err(err).
 						Msg("Could not get the map update")
+
+					return
 				}
 				_, err = writer.Write(data)
 				if err != nil {
 					log.Error().
 						Str("handler", "PollNetMapStream").
-						Str("machine", machine.Name).
+						Str("machine", machine.Hostname).
 						Str("channel", "update").
 						Err(err).
 						Msg("Could not write the map response")
-					updateRequestsSentToNode.WithLabelValues(machine.Namespace.Name, machine.Name, "failed").
+					updateRequestsSentToNode.WithLabelValues(machine.Namespace.Name, machine.Hostname, "failed").
 						Inc()

-					return false
+					return
 				}
+
+				flusher, ok := writer.(http.Flusher)
+				if !ok {
+					log.Error().
+						Caller().
+						Str("handler", "PollNetMapStream").
+						Str("machine", machine.Hostname).
+						Str("channel", "update").
+						Msg("Cannot cast writer to http.Flusher")
+				} else {
+					flusher.Flush()
+				}
+
 				log.Trace().
 					Str("handler", "PollNetMapStream").
-					Str("machine", machine.Name).
+					Str("machine", machine.Hostname).
 					Str("channel", "update").
 					Msg("Updated Map has been sent")
-				updateRequestsSentToNode.WithLabelValues(machine.Namespace.Name, machine.Name, "success").
+				updateRequestsSentToNode.WithLabelValues(machine.Namespace.Name, machine.Hostname, "success").
 					Inc()

 				// Keep track of the last successful update,
@@ -470,22 +543,22 @@ func (h *Headscale) PollNetMapStream(
 				// TODO(kradalby): Abstract away all the database calls, this can cause race conditions
 				// when an outdated machine object is kept alive, e.g. db is update from
 				// command line, but then overwritten.
-				err = h.UpdateMachine(machine)
+				err = h.UpdateMachineFromDatabase(machine)
 				if err != nil {
 					log.Error().
 						Str("handler", "PollNetMapStream").
-						Str("machine", machine.Name).
+						Str("machine", machine.Hostname).
 						Str("channel", "update").
 						Err(err).
 						Msg("Cannot update machine from database")

 					// client has been removed from database
 					// since the stream opened, terminate connection.
-					return false
+					return
 				}
 				now := time.Now().UTC()

-				lastStateUpdate.WithLabelValues(machine.Namespace.Name, machine.Name).
+				lastStateUpdate.WithLabelValues(machine.Namespace.Name, machine.Hostname).
 					Set(float64(now.Unix()))
 				machine.LastSuccessfulUpdate = &now

@@ -493,10 +566,12 @@ func (h *Headscale) PollNetMapStream(
 				if err != nil {
 					log.Error().
 						Str("handler", "PollNetMapStream").
-						Str("machine", machine.Name).
+						Str("machine", machine.Hostname).
 						Str("channel", "update").
 						Err(err).
 						Msg("Cannot update machine LastSuccessfulUpdate")
+
+					return
 				}
 			} else {
 				var lastUpdate time.Time
@@ -505,34 +580,32 @@ func (h *Headscale) PollNetMapStream(
 				}
 				log.Trace().
 					Str("handler", "PollNetMapStream").
-					Str("machine", machine.Name).
+					Str("machine", machine.Hostname).
 					Time("last_successful_update", lastUpdate).
 					Time("last_state_change", h.getLastStateChange(machine.Namespace.Name)).
-					Msgf("%s is up to date", machine.Name)
+					Msgf("%s is up to date", machine.Hostname)
 			}

-			return true
-
-		case <-ctx.Request.Context().Done():
+		case <-ctx.Done():
 			log.Info().
 				Str("handler", "PollNetMapStream").
-				Str("machine", machine.Name).
+				Str("machine", machine.Hostname).
 				Msg("The client has closed the connection")
 				// TODO: Abstract away all the database calls, this can cause race conditions
 				// when an outdated machine object is kept alive, e.g. db is update from
 				// command line, but then overwritten.
-			err := h.UpdateMachine(machine)
+			err := h.UpdateMachineFromDatabase(machine)
 			if err != nil {
 				log.Error().
 					Str("handler", "PollNetMapStream").
-					Str("machine", machine.Name).
+					Str("machine", machine.Hostname).
 					Str("channel", "Done").
 					Err(err).
 					Msg("Cannot update machine from database")

 				// client has been removed from database
 				// since the stream opened, terminate connection.
-				return false
+				return
 			}
 			now := time.Now().UTC()
 			machine.LastSeen = &now
@@ -540,27 +613,47 @@ func (h *Headscale) PollNetMapStream(
 			if err != nil {
 				log.Error().
 					Str("handler", "PollNetMapStream").
-					Str("machine", machine.Name).
+					Str("machine", machine.Hostname).
 					Str("channel", "Done").
 					Err(err).
 					Msg("Cannot update machine LastSeen")
 			}

-			return false
+			// The connection has been closed, so we can stop polling.
+			return
+
+		case <-h.shutdownChan:
+			log.Info().
+				Str("handler", "PollNetMapStream").
+				Str("machine", machine.Hostname).
+				Msg("The long-poll handler is shutting down")
+
+			return
 		}
-	})
+	}
 }

 func (h *Headscale) scheduledPollWorker(
 	ctx context.Context,
-	updateChan chan<- struct{},
-	keepAliveChan chan<- []byte,
+	updateChan chan struct{},
+	keepAliveChan chan []byte,
 	machineKey key.MachinePublic,
 	mapRequest tailcfg.MapRequest,
 	machine *Machine,
 ) {
 	keepAliveTicker := time.NewTicker(keepAliveInterval)
-	updateCheckerTicker := time.NewTicker(updateCheckInterval)
+	updateCheckerTicker := time.NewTicker(h.cfg.NodeUpdateCheckInterval)
+
+	defer closeChanWithLog(
+		updateChan,
+		fmt.Sprint(ctx.Value(machineNameContextKey)),
+		"updateChan",
+	)
+	defer closeChanWithLog(
+		keepAliveChan,
+		fmt.Sprint(ctx.Value(machineNameContextKey)),
+		"updateChan",
+	)

 	for {
 		select {
@@ -580,18 +673,28 @@ func (h *Headscale) scheduledPollWorker(

 			log.Debug().
 				Str("func", "keepAlive").
-				Str("machine", machine.Name).
+				Str("machine", machine.Hostname).
 				Msg("Sending keepalive")
 			keepAliveChan <- data

 		case <-updateCheckerTicker.C:
 			log.Debug().
 				Str("func", "scheduledPollWorker").
-				Str("machine", machine.Name).
+				Str("machine", machine.Hostname).
 				Msg("Sending update request")
-			updateRequestsFromNode.WithLabelValues(machine.Namespace.Name, machine.Name, "scheduled-update").
+			updateRequestsFromNode.WithLabelValues(machine.Namespace.Name, machine.Hostname, "scheduled-update").
 				Inc()
 			updateChan <- struct{}{}
 		}
 	}
 }
+
+func closeChanWithLog[C chan []byte | chan struct{}](channel C, machine, name string) {
+	log.Trace().
+		Str("handler", "PollNetMap").
+		Str("machine", machine).
+		Str("channel", "Done").
+		Msg(fmt.Sprintf("Closing %s channel", name))
+
+	close(channel)
+}
--- a/preauth_keys.go
+++ b/preauth_keys.go
@@ -4,6 +4,7 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"errors"
+	"fmt"
 	"strconv"
 	"time"

@@ -60,7 +61,10 @@ func (h *Headscale) CreatePreAuthKey(
 		CreatedAt:   &now,
 		Expiration:  expiration,
 	}
-	h.db.Save(&key)
+
+	if err := h.db.Save(&key).Error; err != nil {
+		return nil, fmt.Errorf("failed to create key in the database: %w", err)
+	}

 	return &key, nil
 }
@@ -114,9 +118,13 @@ func (h *Headscale) ExpirePreAuthKey(k *PreAuthKey) error {
 }

 // UsePreAuthKey marks a PreAuthKey as used.
-func (h *Headscale) UsePreAuthKey(k *PreAuthKey) {
+func (h *Headscale) UsePreAuthKey(k *PreAuthKey) error {
 	k.Used = true
-	h.db.Save(k)
+	if err := h.db.Save(k).Error; err != nil {
+		return fmt.Errorf("failed to update key used status in the database: %w", err)
+	}
+
+	return nil
 }

 // checkKeyValidity does the heavy lifting for validation of the PreAuthKey coming from a node
--- a/preauth_keys_test.go
+++ b/preauth_keys_test.go
@@ -78,7 +78,7 @@ func (*Suite) TestAlreadyUsedKey(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "testest",
+		Hostname:       "testest",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
@@ -102,7 +102,7 @@ func (*Suite) TestReusableBeingUsedKey(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "testest",
+		Hostname:       "testest",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
@@ -139,7 +139,7 @@ func (*Suite) TestEphemeralKey(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "testest",
+		Hostname:       "testest",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		LastSeen:       &now,
--- a/proto/headscale/v1/headscale.proto
+++ b/proto/headscale/v1/headscale.proto
@@ -81,6 +81,13 @@ service HeadscaleService {
        };
    }

+    rpc SetTags(SetTagsRequest) returns (SetTagsResponse) {
+        option (google.api.http) = {
+            post: "/api/v1/machine/{machine_id}/tags"
+            body: "*"
+        };
+    }
+
    rpc RegisterMachine(RegisterMachineRequest) returns (RegisterMachineResponse) {
        option (google.api.http) = {
            post: "/api/v1/machine/register"
@@ -99,11 +106,23 @@ service HeadscaleService {
        };
    }

+    rpc RenameMachine(RenameMachineRequest) returns (RenameMachineResponse) {
+        option (google.api.http) = {
+            post: "/api/v1/machine/{machine_id}/rename/{new_name}"
+        };
+    }
+
    rpc ListMachines(ListMachinesRequest) returns (ListMachinesResponse) {
        option (google.api.http) = {
            get: "/api/v1/machine"
        };
    }
+
+    rpc MoveMachine(MoveMachineRequest) returns (MoveMachineResponse) {
+        option (google.api.http) = {
+            post: "/api/v1/machine/{machine_id}/namespace"
+        };
+    }
    // --- Machine end ---

    // --- Route start ---
--- a/proto/headscale/v1/machine.proto
+++ b/proto/headscale/v1/machine.proto
@@ -22,7 +22,6 @@ message Machine {
    string          name         = 6;
    Namespace namespace          = 7;

-
    google.protobuf.Timestamp last_seen              = 8;
    google.protobuf.Timestamp last_successful_update = 9;
    google.protobuf.Timestamp expiry                 = 10;
@@ -32,12 +31,19 @@ message Machine {
    google.protobuf.Timestamp created_at = 12;

    RegisterMethod register_method = 13;
+
+    reserved 14 to 17;
    // google.protobuf.Timestamp updated_at = 14;
    // google.protobuf.Timestamp deleted_at = 15;

    // bytes host_info      = 15;
    // bytes endpoints      = 16;
    // bytes enabled_routes = 17;
+
+    repeated string forced_tags  = 18;
+    repeated string invalid_tags = 19;
+    repeated string valid_tags   = 20;
+    string          given_name   = 21;
 }

 message RegisterMachineRequest {
@@ -57,6 +63,15 @@ message GetMachineResponse {
    Machine machine = 1;
 }

+message SetTagsRequest {
+    uint64          machine_id = 1;
+    repeated string tags       = 2;
+}
+
+message SetTagsResponse {
+    Machine machine = 1;
+}
+
 message DeleteMachineRequest {
    uint64 machine_id = 1;
 }
@@ -72,6 +87,15 @@ message ExpireMachineResponse {
    Machine machine = 1;
 }

+message RenameMachineRequest {
+    uint64 machine_id = 1;
+    string new_name   = 2;
+}
+
+message RenameMachineResponse {
+    Machine machine = 1;
+}
+
 message ListMachinesRequest {
    string namespace = 1;
 }
@@ -80,6 +104,15 @@ message ListMachinesResponse {
    repeated Machine machines = 1;
 }

+message MoveMachineRequest {
+    uint64 machine_id = 1;
+    string namespace  = 2;
+}
+
+message MoveMachineResponse {
+    Machine machine = 1;
+}
+
 message DebugCreateMachineRequest {
    string namespace       = 1;
    string          key    = 2;
--- a/routes.go
+++ b/routes.go
@@ -1,6 +1,8 @@
 package headscale

 import (
+	"fmt"
+
 	"inet.af/netaddr"
 )

@@ -108,7 +110,10 @@ func (h *Headscale) EnableNodeRoute(
 	}

 	machine.EnabledRoutes = enabledRoutes
-	h.db.Save(&machine)
+
+	if err := h.db.Save(&machine).Error; err != nil {
+		return fmt.Errorf("failed to update node routes in the database: %w", err)
+	}

 	return nil
 }
--- a/routes_test.go
+++ b/routes_test.go
@@ -28,7 +28,7 @@ func (s *Suite) TestGetRoutes(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "test_get_route_machine",
+		Hostname:       "test_get_route_machine",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
@@ -79,7 +79,7 @@ func (s *Suite) TestGetEnableRoutes(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Name:           "test_enable_route_machine",
+		Hostname:       "test_enable_route_machine",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
--- a/scripts/version-at-commit.sh
+++ b/scripts/version-at-commit.sh
@@ -1,39 +0,0 @@
-#!/usr/bin/env bash
-
-set -e -o pipefail
-commit="$1"
-versionglob="v[0-9].[0-9]*.[0-9]*"
-devsuffix=".dev"
-if [ -z "$commit" ]; then
-  commit=`git log -n1 --first-parent "--format=format:%h"`
-fi
-
-# automatically assign version
-#
-# handles the following cases:
-#
-# 0. no tags on the repository. Print "dev".
-#
-# 1. no local modifications and commit is directly tagged. Print tag.
-#
-# 2. no local modifications and commit is not tagged. Take greatest version tag in repo X.Y.Z and assign X.Y.(Z+1). Print that + $devsuffix + $timestamp.
-#
-# 3. local modifications. Print "dev".
-
-tags=$(git tag)
-if [[ -z "$tags" ]]; then
-  echo "dev"
-elif `git diff --quiet 2>/dev/null`; then
-  tagged=$(git tag --points-at "$commit")
-  if [[ -n "$tagged" ]] ; then
-    echo $tagged
-  else
-    nearest_tag=$(git describe --tags --abbrev=0 --match "$versionglob" "$commit")
-    v=$(echo $nearest_tag | perl -pe 's/(\d+)$/$1+1/e')
-    isodate=$(TZ=UTC git log -n1 --format=%cd --date=iso "$commit")
-    ts=$(TZ=UTC date --date="$isodate" "+%Y%m%d%H%M%S")
-    echo "${v}${devsuffix}${ts}"
-  fi
-else
-  echo "dev"
-fi
--- a/swagger.go
+++ b/swagger.go
@@ -6,14 +6,16 @@ import (
 	"html/template"
 	"net/http"

-	"github.com/gin-gonic/gin"
 	"github.com/rs/zerolog/log"
 )

 //go:embed gen/openapiv2/headscale/v1/headscale.swagger.json
 var apiV1JSON []byte

-func SwaggerUI(ctx *gin.Context) {
+func SwaggerUI(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
 	swaggerTemplate := template.Must(template.New("swagger").Parse(`
 <html>
 	<head>
@@ -52,18 +54,41 @@ func SwaggerUI(ctx *gin.Context) {
 			Caller().
 			Err(err).
 			Msg("Could not render Swagger")
-		ctx.Data(
-			http.StatusInternalServerError,
-			"text/html; charset=utf-8",
-			[]byte("Could not render Swagger"),
-		)
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("Could not render Swagger"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}

 		return
 	}

-	ctx.Data(http.StatusOK, "text/html; charset=utf-8", payload.Bytes())
+	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err := writer.Write(payload.Bytes())
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
 }

-func SwaggerAPIv1(ctx *gin.Context) {
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", apiV1JSON)
+func SwaggerAPIv1(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	writer.Header().Set("Content-Type", "application/json; charset=utf-88")
+	writer.WriteHeader(http.StatusOK)
+	if _, err := writer.Write(apiV1JSON); err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
 }
--- a/Show More
+++ b/Show More