Updated changelog

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

.github/FUNDING.yml

@@ -1,2 +0,0 @@
-ko_fi: kradalby
-github: [kradalby]

.github/workflows/build.yml

@@ -13,13 +13,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 2
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v14.1
+        uses: tj-actions/changed-files@v34
         with:
           files: |
             *.nix

.github/workflows/contributors.yml

@@ -9,7 +9,7 @@ jobs:
   add-contributors:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Delete upstream contributor branch
         # Allow continue on failure to account for when the
         # upstream branch is deleted or does not exist.

.github/workflows/lint.yml

@@ -1,5 +1,5 @@
 ---
-name: CI
+name: Lint
 
 on: [push, pull_request]
 
@@ -7,13 +7,13 @@ jobs:
   golangci-lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 2
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v14.1
+        uses: tj-actions/changed-files@v34
         with:
           files: |
             *.nix
@@ -26,7 +26,7 @@ jobs:
         if: steps.changed-files.outputs.any_changed == 'true'
         uses: golangci/golangci-lint-action@v2
         with:
-          version: v1.46.1
+          version: v1.49.0
 
           # Only block PRs on new problems.
           # If this is not enabled, we will end up having PRs
@@ -70,7 +70,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - uses: bufbuild/buf-setup-action@v0.7.0
+      - uses: bufbuild/buf-setup-action@v1.7.0
       - uses: bufbuild/buf-lint-action@v1
         with:
           input: "proto"

.github/workflows/release.yml

@@ -1,5 +1,5 @@
 ---
-name: release
+name: Release
 
 on:
   push:
@@ -12,13 +12,13 @@ jobs:
     runs-on: ubuntu-18.04 # due to CGO we need to user an older version
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Set up Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v3
         with:
-          go-version: 1.18.0
+          go-version: 1.19.0
 
       - name: Install dependencies
         run: |
@@ -37,7 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Set up Docker Buildx
@@ -65,7 +65,6 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
-            type=raw,value=latest
             type=sha
       - name: Login to DockerHub
         uses: docker/login-action@v1
@@ -89,6 +88,8 @@ jobs:
           platforms: linux/amd64,linux/arm64
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache-new
+          build-args: |
+            VERSION=${{ steps.meta.outputs.version }}
       - name: Prepare cache for next build
         run: |
           rm -rf /tmp/.buildx-cache
@@ -98,7 +99,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Set up Docker Buildx
@@ -123,13 +124,12 @@ jobs:
             ${{ secrets.DOCKERHUB_USERNAME }}/headscale
             ghcr.io/${{ github.repository_owner }}/headscale
           flavor: |
-            latest=false
+            suffix=-debug,onlatest=true
           tags: |
-            type=semver,pattern={{version}}-debug
-            type=semver,pattern={{major}}.{{minor}}-debug
-            type=semver,pattern={{major}}-debug
-            type=raw,value=latest-debug
-            type=sha,suffix=-debug
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
       - name: Login to DockerHub
         uses: docker/login-action@v1
         with:
@@ -153,71 +153,9 @@ jobs:
           platforms: linux/amd64,linux/arm64
           cache-from: type=local,src=/tmp/.buildx-cache-debug
           cache-to: type=local,dest=/tmp/.buildx-cache-debug-new
+          build-args: |
+            VERSION=${{ steps.meta-debug.outputs.version }}
       - name: Prepare cache for next build
         run: |
           rm -rf /tmp/.buildx-cache-debug
           mv /tmp/.buildx-cache-debug-new /tmp/.buildx-cache-debug
-
-  docker-alpine-release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Set up QEMU for multiple platforms
-        uses: docker/setup-qemu-action@master
-        with:
-          platforms: arm64,amd64
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache-alpine
-          key: ${{ runner.os }}-buildx-alpine-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-alpine-
-      - name: Docker meta
-        id: meta-alpine
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
-            ghcr.io/${{ github.repository_owner }}/headscale
-          flavor: |
-            latest=false
-          tags: |
-            type=semver,pattern={{version}}-alpine
-            type=semver,pattern={{major}}.{{minor}}-alpine
-            type=semver,pattern={{major}}-alpine
-            type=raw,value=latest-alpine
-            type=sha,suffix=-alpine
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          context: .
-          file: Dockerfile.alpine
-          tags: ${{ steps.meta-alpine.outputs.tags }}
-          labels: ${{ steps.meta-alpine.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=local,src=/tmp/.buildx-cache-alpine
-          cache-to: type=local,dest=/tmp/.buildx-cache-alpine-new
-      - name: Prepare cache for next build
-        run: |
-          rm -rf /tmp/.buildx-cache-alpine
-          mv /tmp/.buildx-cache-alpine-new /tmp/.buildx-cache-alpine

.github/workflows/renovatebot.yml

@@ -16,7 +16,7 @@ jobs:
           APP_ID: ${{ secrets.RENOVATEBOT_APP_ID }}
 
       - name: Checkout
-        uses: actions/checkout@v2.0.0
+        uses: actions/checkout@v3
 
       - name: Self-hosted Renovate
         uses: renovatebot/github-action@v31.81.3

.github/workflows/test-integration-cli.yml

@@ -1,19 +1,24 @@
-name: CI
+name: Integration Test CLI
 
 on: [pull_request]
 
 jobs:
-  integration-test:
+  integration-test-cli:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 2
 
+      - name: Set Swap Space
+        uses: pierotofy/set-swap-space@master
+        with:
+          swap-size-gb: 10
+
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v14.1
+        uses: tj-actions/changed-files@v34
         with:
           files: |
             *.nix
@@ -25,6 +30,6 @@ jobs:
       - uses: cachix/install-nix-action@v16
         if: steps.changed-files.outputs.any_changed == 'true'
 
-      - name: Run Integration tests
+      - name: Run CLI integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
-        run: nix develop --command -- make test_integration
+        run: nix develop --command -- make test_integration_cli

.github/workflows/test-integration-derp.yml

@@ -0,0 +1,35 @@
+name: Integration Test DERP
+
+on: [pull_request]
+
+jobs:
+  integration-test-derp:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Set Swap Space
+        uses: pierotofy/set-swap-space@master
+        with:
+          swap-size-gb: 10
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run Embedded DERP server integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: nix develop --command -- make test_integration_derp

.github/workflows/test-integration-oidc.yml

@@ -0,0 +1,35 @@
+name: Integration Test OIDC
+
+on: [pull_request]
+
+jobs:
+  integration-test-oidc:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Set Swap Space
+        uses: pierotofy/set-swap-space@master
+        with:
+          swap-size-gb: 10
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run OIDC integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: nix develop --command -- make test_integration_oidc

.github/workflows/test-integration-v2-kradalby.yml

@@ -0,0 +1,27 @@
+name: Integration Test v2 - kradalby
+
+on: [pull_request]
+
+jobs:
+  integration-test-v2-kradalby:
+    runs-on: [self-hosted, linux, x64, nixos, docker]
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: nix develop --command -- make test_integration_v2_general

.github/workflows/test.yml

@@ -1,4 +1,4 @@
-name: CI
+name: Tests
 
 on: [push, pull_request]
 
@@ -7,13 +7,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 2
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v14.1
+        uses: tj-actions/changed-files@v34
         with:
           files: |
             *.nix

.gitignore

@@ -31,3 +31,5 @@ test_output/
 # Nix build output
 result
 .direnv/
+
+integration_test/etc/config.dump.yaml

.golangci.yaml

@@ -1,6 +1,8 @@
 ---
 run:
   timeout: 10m
+  build-tags:
+    - ts2019
 
 issues:
   skip-dirs:
@@ -26,6 +28,7 @@ linters:
     - ireturn
     - execinquery
     - exhaustruct
+    - nolintlint
 
     # We should strive to enable these:
     - wrapcheck
@@ -33,6 +36,9 @@ linters:
     - makezero
     - maintidx
 
+    # Limits the methods of an interface to 10. We have more in integration tests
+    - interfacebloat
+
     # We might want to enable this, but it might be a lot of work
     - cyclop
     - nestif

.goreleaser.yml

@@ -1,7 +1,7 @@
 ---
 before:
   hooks:
-    - go mod tidy -compat=1.18
+    - go mod tidy -compat=1.19
 
 release:
   prerelease: auto
@@ -20,6 +20,8 @@ builds:
       - -mod=readonly
     ldflags:
       - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019
 
   - id: darwin-arm64
     main: ./cmd/headscale/headscale.go
@@ -34,6 +36,8 @@ builds:
       - -mod=readonly
     ldflags:
       - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019
 
   - id: linux-amd64
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -46,6 +50,8 @@ builds:
     main: ./cmd/headscale/headscale.go
     ldflags:
       - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019
 
   - id: linux-arm64
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -58,6 +64,8 @@ builds:
     main: ./cmd/headscale/headscale.go
     ldflags:
       - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019
 
 archives:
   - id: golang-cross

CHANGELOG.md

@@ -1,6 +1,68 @@
 # CHANGELOG
 
-## 0.16.0 (2022-xx-xx)
+## 0.17.0 (2022-XX-XX)
+
+### BREAKING
+
+- Log level option `log_level` was moved to a distinct `log` config section and renamed to `level` [#768](https://github.com/juanfont/headscale/pull/768)
+- Removed Alpine Linux container image [#962](https://github.com/juanfont/headscale/pull/962)
+
+### Changes
+
+- Added support for Tailscale TS2021 protocol [#738](https://github.com/juanfont/headscale/pull/738)
+- Add ability to specify config location via env var `HEADSCALE_CONFIG` [#674](https://github.com/juanfont/headscale/issues/674)
+- Target Go 1.19 for Headscale [#778](https://github.com/juanfont/headscale/pull/778)
+- Target Tailscale v1.30.0 to build Headscale [#780](https://github.com/juanfont/headscale/pull/780)
+- Give a warning when running Headscale with reverse proxy improperly configured for WebSockets [#788](https://github.com/juanfont/headscale/pull/788)
+- Fix subnet routers with Primary Routes [#811](https://github.com/juanfont/headscale/pull/811)
+- Added support for JSON logs [#653](https://github.com/juanfont/headscale/issues/653)
+- Sanitise the node key passed to registration url [#823](https://github.com/juanfont/headscale/pull/823)
+- Add support for generating pre-auth keys with tags [#767](https://github.com/juanfont/headscale/pull/767)
+- Add support for evaluating `autoApprovers` ACL entries when a machine is registered [#763](https://github.com/juanfont/headscale/pull/763)
+- Add config flag to allow Headscale to start if OIDC provider is down [#829](https://github.com/juanfont/headscale/pull/829)
+- Fix prefix length comparison bug in AutoApprovers route evaluation [#862](https://github.com/juanfont/headscale/pull/862)
+- Random node DNS suffix only applied if names collide in namespace. [#766](https://github.com/juanfont/headscale/issues/766)
+- Remove `ip_prefix` configuration option and warning [#899](https://github.com/juanfont/headscale/pull/899)
+- Add `dns_config.override_local_dns` option [#905](https://github.com/juanfont/headscale/pull/905)
+- Fix some DNS config issues [#660](https://github.com/juanfont/headscale/issues/660)
+- Make it possible to disable TS2019 with build flag [#928](https://github.com/juanfont/headscale/pull/928)
+- Fix OIDC registration issues [#960](https://github.com/juanfont/headscale/pull/960) and [#971](https://github.com/juanfont/headscale/pull/971)
+
+## 0.16.4 (2022-08-21)
+
+### Changes
+
+- Add ability to connect to PostgreSQL over TLS/SSL [#745](https://github.com/juanfont/headscale/pull/745)
+- Fix CLI registration of expired machines [#754](https://github.com/juanfont/headscale/pull/754)
+
+## 0.16.3 (2022-08-17)
+
+### Changes
+
+- Fix issue with OIDC authentication [#747](https://github.com/juanfont/headscale/pull/747)
+
+## 0.16.2 (2022-08-14)
+
+### Changes
+
+- Fixed bugs in the client registration process after migration to NodeKey [#735](https://github.com/juanfont/headscale/pull/735)
+
+## 0.16.1 (2022-08-12)
+
+### Changes
+
+- Updated dependencies (including the library that lacked armhf support) [#722](https://github.com/juanfont/headscale/pull/722)
+- Fix missing group expansion in function `excludeCorretlyTaggedNodes` [#563](https://github.com/juanfont/headscale/issues/563)
+- Improve registration protocol implementation and switch to NodeKey as main identifier [#725](https://github.com/juanfont/headscale/pull/725)
+- Add ability to connect to PostgreSQL via unix socket [#734](https://github.com/juanfont/headscale/pull/734)
+
+## 0.16.0 (2022-07-25)
+
+**Note:** Take a backup of your database before upgrading.
+
+### BREAKING
+
+- Old ACL syntax is no longer supported ("users" & "ports" -> "src" & "dst"). Please check [the new syntax](https://tailscale.com/kb/1018/acls/).
 
 ### Changes
 
@@ -22,6 +84,16 @@
   - This change disables the logs by default
 - Use [Prometheus]'s duration parser, supporting days (`d`), weeks (`w`) and years (`y`) [#598](https://github.com/juanfont/headscale/pull/598)
 - Add support for reloading ACLs with SIGHUP [#601](https://github.com/juanfont/headscale/pull/601)
+- Use new ACL syntax [#618](https://github.com/juanfont/headscale/pull/618)
+- Add -c option to specify config file from command line [#285](https://github.com/juanfont/headscale/issues/285) [#612](https://github.com/juanfont/headscale/pull/601)
+- Add configuration option to allow Tailscale clients to use a random WireGuard port. [kb/1181/firewalls](https://tailscale.com/kb/1181/firewalls) [#624](https://github.com/juanfont/headscale/pull/624)
+- Improve obtuse UX regarding missing configuration (`ephemeral_node_inactivity_timeout` not set) [#639](https://github.com/juanfont/headscale/pull/639)
+- Fix nodes being shown as 'offline' in `tailscale status` [#648](https://github.com/juanfont/headscale/pull/648)
+- Improve shutdown behaviour [#651](https://github.com/juanfont/headscale/pull/651)
+- Drop Gin as web framework in Headscale [648](https://github.com/juanfont/headscale/pull/648) [677](https://github.com/juanfont/headscale/pull/677)
+- Make tailnet node updates check interval configurable [#675](https://github.com/juanfont/headscale/pull/675)
+- Fix regression with HTTP API [#684](https://github.com/juanfont/headscale/pull/684)
+- nodes ls now print both Hostname and Name(Issue [#647](https://github.com/juanfont/headscale/issues/647) PR [#687](https://github.com/juanfont/headscale/pull/687))
 
 ## 0.15.0 (2022-03-20)
 
@@ -92,7 +164,7 @@ This is a part of aligning `headscale`'s behaviour with Tailscale's upstream beh
 - OpenID Connect users will be mapped per namespaces
   - Each user will get its own namespace, created if it does not exist
   - `oidc.domain_map` option has been removed
-  - `strip_email_domain` option has been added (see [config-example.yaml](./config_example.yaml))
+  - `strip_email_domain` option has been added (see [config-example.yaml](./config-example.yaml))
 
 ### Changes
 

CODE_OF_CONDUCT.md

@@ -0,0 +1,134 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation
+in our community a harassment-free experience for everyone, regardless
+of age, body size, visible or invisible disability, ethnicity, sex
+characteristics, gender identity and expression, level of experience,
+education, socio-economic status, nationality, personal appearance,
+race, religion, or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open,
+welcoming, diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for
+our community include:
+
+- Demonstrating empathy and kindness toward other people
+- Being respectful of differing opinions, viewpoints, and experiences
+- Giving and gracefully accepting constructive feedback
+- Accepting responsibility and apologizing to those affected by our
+  mistakes, and learning from the experience
+- Focusing on what is best not just for us as individuals, but for the
+  overall community
+
+Examples of unacceptable behavior include:
+
+- The use of sexualized language or imagery, and sexual attention or
+  advances of any kind
+- Trolling, insulting or derogatory comments, and personal or
+  political attacks
+- Public or private harassment
+- Publishing others' private information, such as a physical or email
+  address, without their explicit permission
+- Other conduct which could reasonably be considered inappropriate in
+  a professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our
+standards of acceptable behavior and will take appropriate and fair
+corrective action in response to any behavior that they deem
+inappropriate, threatening, offensive, or harmful.
+
+Community leaders have the right and responsibility to remove, edit,
+or reject comments, commits, code, wiki edits, issues, and other
+contributions that are not aligned to this Code of Conduct, and will
+communicate reasons for moderation decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also
+applies when an individual is officially representing the community in
+public spaces. Examples of representing our community include using an
+official e-mail address, posting via an official social media account,
+or acting as an appointed representative at an online or offline
+event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior
+may be reported to the community leaders responsible for enforcement
+at our Discord channel. All complaints
+will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and
+security of the reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in
+determining the consequences for any action they deem in violation of
+this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior
+deemed unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders,
+providing clarity around the nature of the violation and an
+explanation of why the behavior was inappropriate. A public apology
+may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series
+of actions.
+
+**Consequence**: A warning with consequences for continued
+behavior. No interaction with the people involved, including
+unsolicited interaction with those enforcing the Code of Conduct, for
+a specified period of time. This includes avoiding interactions in
+community spaces as well as external channels like social
+media. Violating these terms may lead to a temporary or permanent ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards,
+including sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or
+public communication with the community for a specified period of
+time. No public or private interaction with the people involved,
+including unsolicited interaction with those enforcing the Code of
+Conduct, is allowed during this period. Violating these terms may lead
+to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of
+community standards, including sustained inappropriate behavior,
+harassment of an individual, or aggression toward or disparagement of
+classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction
+within the community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor
+Covenant][homepage], version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+
+Community Impact Guidelines were inspired by [Mozilla's code of
+conduct enforcement ladder](https://github.com/mozilla/diversity).
+
+[homepage]: https://www.contributor-covenant.org
+
+For answers to common questions about this code of conduct, see the
+FAQ at https://www.contributor-covenant.org/faq. Translations are
+available at https://www.contributor-covenant.org/translations.

Dockerfile

@@ -1,5 +1,6 @@
 # Builder image
-FROM docker.io/golang:1.18.0-bullseye AS build
+FROM docker.io/golang:1.19.0-bullseye AS build
+ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale
 
@@ -8,7 +9,7 @@ RUN go mod download
 
 COPY . .
 
-RUN GGO_ENABLED=0 GOOS=linux go install -a ./cmd/headscale
+RUN CGO_ENABLED=0 GOOS=linux go install -tags ts2019 -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
 RUN strip /go/bin/headscale
 RUN test -e /go/bin/headscale
 

Dockerfile.alpine

@@ -1,23 +0,0 @@
-# Builder image
-FROM docker.io/golang:1.18.0-alpine AS build
-ENV GOPATH /go
-WORKDIR /go/src/headscale
-
-COPY go.mod go.sum /go/src/headscale/
-RUN apk add gcc musl-dev
-RUN go mod download
-
-COPY . .
-
-RUN GGO_ENABLED=0 GOOS=linux go install -a ./cmd/headscale
-RUN strip /go/bin/headscale
-RUN test -e /go/bin/headscale
-
-# Production image
-FROM docker.io/alpine:latest
-
-COPY --from=build /go/bin/headscale /bin/headscale
-ENV TZ UTC
-
-EXPOSE 8080/tcp
-CMD ["headscale"]

Dockerfile.debug

@@ -1,5 +1,6 @@
 # Builder image
-FROM docker.io/golang:1.18.0-bullseye AS build
+FROM docker.io/golang:1.19.0-bullseye AS build
+ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale
 
@@ -8,11 +9,11 @@ RUN go mod download
 
 COPY . .
 
-RUN GGO_ENABLED=0 GOOS=linux go install -a ./cmd/headscale
+RUN CGO_ENABLED=0 GOOS=linux go install -tags ts2019 -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
 RUN test -e /go/bin/headscale
 
 # Debug image
-FROM gcr.io/distroless/base-debian11:debug
+FROM docker.io/golang:1.19.0-bullseye
 
 COPY --from=build /go/bin/headscale /bin/headscale
 ENV TZ UTC

Dockerfile.tailscale-HEAD

@@ -7,7 +7,9 @@ RUN apt-get update \
 
 RUN git clone https://github.com/tailscale/tailscale.git
 
-WORKDIR tailscale
+WORKDIR /go/tailscale
+
+RUN git checkout main
 
 RUN sh build_dist.sh tailscale.com/cmd/tailscale
 RUN sh build_dist.sh tailscale.com/cmd/tailscaled

Makefile

@@ -1,5 +1,5 @@
 # Calculate version
-version = $(git describe --always --tags --dirty)
+version ?= $(shell git describe --always --tags --dirty)
 
 rwildcard=$(foreach d,$(wildcard $1*),$(call rwildcard,$d/,$2) $(filter $(subst *,%,$2),$d))
 
@@ -10,6 +10,8 @@ ifeq ($(filter $(GOOS), openbsd netbsd soloaris plan9), )
 else
 endif
 
+TAGS = -tags ts2019
+
 # GO_SOURCES = $(wildcard *.go)
 # PROTO_SOURCES = $(wildcard **/*.proto)
 GO_SOURCES = $(call rwildcard,,*.go)
@@ -17,21 +19,54 @@ PROTO_SOURCES = $(call rwildcard,,*.proto)
 
 
 build:
-	GOOS=$(GOOS) CGO_ENABLED=0 go build -trimpath $(pieflags) -mod=readonly -ldflags "-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$(version)" cmd/headscale/headscale.go
+	nix build
 
 dev: lint test build
 
 test:
-	@go test -coverprofile=coverage.out ./...
+	@go test $(TAGS) -short -coverprofile=coverage.out ./...
 
-test_integration:
-	go test -failfast -tags integration -timeout 30m -count=1 ./...
+test_integration: test_integration_cli test_integration_derp test_integration_oidc test_integration_v2_general
 
 test_integration_cli:
-	go test -tags integration -v integration_cli_test.go integration_common_test.go
+	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
+	docker network create headscale-test || true
+	docker run -t --rm \
+		--network headscale-test \
+		-v ~/.cache/hs-integration-go:/go \
+		-v $$PWD:$$PWD -w $$PWD \
+		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
+		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationCLI ./...
 
 test_integration_derp:
-	go test -tags integration -v integration_embedded_derp_test.go integration_common_test.go
+	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
+	docker network create headscale-test || true
+	docker run -t --rm \
+		--network headscale-test \
+		-v ~/.cache/hs-integration-go:/go \
+		-v $$PWD:$$PWD -w $$PWD \
+		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
+		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationDERP ./...
+
+test_integration_oidc:
+	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
+	docker network create headscale-test || true
+	docker run -t --rm \
+		--network headscale-test \
+		-v ~/.cache/hs-integration-go:/go \
+		-v $$PWD:$$PWD -w $$PWD \
+		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
+		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationOIDC ./...
+
+test_integration_v2_general:
+	docker run \
+		-t --rm \
+		-v ~/.cache/hs-integration-go:/go \
+		--name headscale-test-suite \
+		-v $$PWD:$$PWD -w $$PWD/integration \
+		-v /var/run/docker.sock:/var/run/docker.sock \
+		golang:1 \
+		go test $(TAGS) -failfast ./... -timeout 60m -parallel 6
 
 coverprofile_func:
 	go tool cover -func=coverage.out

README.md

@@ -1,4 +1,4 @@
-# headscale
+![headscale logo](./docs/logo/headscale3_header_stacked_left.png)
 
 ![ci](https://github.com/juanfont/headscale/actions/workflows/test.yml/badge.svg)
 
@@ -67,15 +67,15 @@ one of the maintainers.
 
 ## Client OS support
 
-| OS      | Supports headscale                                                                                                |
-| ------- | ----------------------------------------------------------------------------------------------------------------- |
-| Linux   | Yes                                                                                                               |
-| OpenBSD | Yes                                                                                                               |
-| FreeBSD | Yes                                                                                                               |
-| macOS   | Yes (see `/apple` on your headscale for more information)                                                         |
-| Windows | Yes [docs](./docs/windows-client.md)                                                                              |
-| Android | [You need to compile the client yourself](https://github.com/juanfont/headscale/issues/58#issuecomment-885255270) |
-| iOS     | Not yet                                                                                                           |
+| OS      | Supports headscale                                        |
+| ------- | --------------------------------------------------------- |
+| Linux   | Yes                                                       |
+| OpenBSD | Yes                                                       |
+| FreeBSD | Yes                                                       |
+| macOS   | Yes (see `/apple` on your headscale for more information) |
+| Windows | Yes [docs](./docs/windows-client.md)                      |
+| Android | Yes [docs](./docs/android-client.md)                      |
+| iOS     | Not yet                                                   |
 
 ## Running headscale
 
@@ -188,6 +188,22 @@ make build
             <sub style="font-size:14px"><b>Ward Vandewege</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/huskyii>
+            <img src=https://avatars.githubusercontent.com/u/5499746?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jiang Zhu/>
+            <br />
+            <sub style="font-size:14px"><b>Jiang Zhu</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/tsujamin>
+            <img src=https://avatars.githubusercontent.com/u/2435619?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Benjamin Roberts/>
+            <br />
+            <sub style="font-size:14px"><b>Benjamin Roberts</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/reynico>
             <img src=https://avatars.githubusercontent.com/u/715768?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Nico/>
@@ -202,8 +218,6 @@ make build
             <sub style="font-size:14px"><b>e-zk</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/arch4ngel>
             <img src=https://avatars.githubusercontent.com/u/11574161?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Justin Angel/>
@@ -225,6 +239,15 @@ make build
             <sub style="font-size:14px"><b>unreality</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/ohdearaugustin>
+            <img src=https://avatars.githubusercontent.com/u/14001491?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ohdearaugustin/>
+            <br />
+            <sub style="font-size:14px"><b>ohdearaugustin</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/mpldr>
             <img src=https://avatars.githubusercontent.com/u/33086936?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Moritz Poldrack/>
@@ -233,10 +256,17 @@ make build
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/ohdearaugustin>
-            <img src=https://avatars.githubusercontent.com/u/14001491?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ohdearaugustin/>
+        <a href=https://github.com/GrigoriyMikhalkin>
+            <img src=https://avatars.githubusercontent.com/u/3637857?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=GrigoriyMikhalkin/>
             <br />
-            <sub style="font-size:14px"><b>ohdearaugustin</b></sub>
+            <sub style="font-size:14px"><b>GrigoriyMikhalkin</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/mike-lloyd03>
+            <img src=https://avatars.githubusercontent.com/u/49411532?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mike Lloyd/>
+            <br />
+            <sub style="font-size:14px"><b>Mike Lloyd</b></sub>
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -246,8 +276,6 @@ make build
             <sub style="font-size:14px"><b>Niek van der Maas</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/negbie>
             <img src=https://avatars.githubusercontent.com/u/20154956?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Eugen Biegler/>
@@ -255,6 +283,22 @@ make build
             <sub style="font-size:14px"><b>Eugen Biegler</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/617a7a>
+            <img src=https://avatars.githubusercontent.com/u/67651251?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Azz/>
+            <br />
+            <sub style="font-size:14px"><b>Azz</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/iSchluff>
+            <img src=https://avatars.githubusercontent.com/u/1429641?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Anton Schubert/>
+            <br />
+            <sub style="font-size:14px"><b>Anton Schubert</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/qbit>
             <img src=https://avatars.githubusercontent.com/u/68368?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Aaron Bieber/>
@@ -262,6 +306,20 @@ make build
             <sub style="font-size:14px"><b>Aaron Bieber</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/kazauwa>
+            <img src=https://avatars.githubusercontent.com/u/12330159?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Igor Perepilitsyn/>
+            <br />
+            <sub style="font-size:14px"><b>Igor Perepilitsyn</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/Aluxima>
+            <img src=https://avatars.githubusercontent.com/u/16262531?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Laurent Marchaud/>
+            <br />
+            <sub style="font-size:14px"><b>Laurent Marchaud</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/fdelucchijr>
             <img src=https://avatars.githubusercontent.com/u/69133647?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Fernando De Lucchi/>
@@ -271,11 +329,13 @@ make build
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/hdhoang>
-            <img src=https://avatars.githubusercontent.com/u/12537?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Hoàng Đức Hiếu/>
+            <img src=https://avatars.githubusercontent.com/u/12537?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=hdhoang/>
             <br />
-            <sub style="font-size:14px"><b>Hoàng Đức Hiếu</b></sub>
+            <sub style="font-size:14px"><b>hdhoang</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/bravechamp>
             <img src=https://avatars.githubusercontent.com/u/48980452?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=bravechamp/>
@@ -290,8 +350,20 @@ make build
             <sub style="font-size:14px"><b>Deon Thomas</b></sub>
         </a>
     </td>
-</tr>
-<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/madjam002>
+            <img src=https://avatars.githubusercontent.com/u/679137?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jamie Greeff/>
+            <br />
+            <sub style="font-size:14px"><b>Jamie Greeff</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/ChibangLW>
+            <img src=https://avatars.githubusercontent.com/u/22293464?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ChibangLW/>
+            <br />
+            <sub style="font-size:14px"><b>ChibangLW</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/mevansam>
             <img src=https://avatars.githubusercontent.com/u/403630?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mevan Samaratunga/>
@@ -306,6 +378,8 @@ make build
             <sub style="font-size:14px"><b>Michael G.</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/ptman>
             <img src=https://avatars.githubusercontent.com/u/24669?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Paul Tötterman/>
@@ -313,6 +387,27 @@ make build
             <sub style="font-size:14px"><b>Paul Tötterman</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/samson4649>
+            <img src=https://avatars.githubusercontent.com/u/12725953?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Samuel Lock/>
+            <br />
+            <sub style="font-size:14px"><b>Samuel Lock</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/majst01>
+            <img src=https://avatars.githubusercontent.com/u/410110?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan Majer/>
+            <br />
+            <sub style="font-size:14px"><b>Stefan Majer</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/kevin1sMe>
+            <img src=https://avatars.githubusercontent.com/u/6886076?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=kevinlin/>
+            <br />
+            <sub style="font-size:14px"><b>kevinlin</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/artemklevtsov>
             <img src=https://avatars.githubusercontent.com/u/603798?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Artem Klevtsov/>
@@ -327,6 +422,15 @@ make build
             <sub style="font-size:14px"><b>Casey Marshall</b></sub>
         </a>
     </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/CNLHC>
+            <img src=https://avatars.githubusercontent.com/u/21005146?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=LiuHanCheng/>
+            <br />
+            <sub style="font-size:14px"><b>LiuHanCheng</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/pvinis>
             <img src=https://avatars.githubusercontent.com/u/100233?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pavlos Vinieratos/>
@@ -334,8 +438,6 @@ make build
             <sub style="font-size:14px"><b>Pavlos Vinieratos</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/SilverBut>
             <img src=https://avatars.githubusercontent.com/u/6560655?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Silver Bullet/>
@@ -344,10 +446,10 @@ make build
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/majst01>
-            <img src=https://avatars.githubusercontent.com/u/410110?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan Majer/>
+        <a href=https://github.com/ratsclub>
+            <img src=https://avatars.githubusercontent.com/u/25647735?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Victor Freire/>
             <br />
-            <sub style="font-size:14px"><b>Stefan Majer</b></sub>
+            <sub style="font-size:14px"><b>Victor Freire</b></sub>
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -364,6 +466,8 @@ make build
             <sub style="font-size:14px"><b>thomas</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/aberoham>
             <img src=https://avatars.githubusercontent.com/u/586805?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Abraham Ingersoll/>
@@ -371,6 +475,13 @@ make build
             <sub style="font-size:14px"><b>Abraham Ingersoll</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/puzpuzpuz>
+            <img src=https://avatars.githubusercontent.com/u/37772591?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Andrei Pechkurov/>
+            <br />
+            <sub style="font-size:14px"><b>Andrei Pechkurov</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/apognu>
             <img src=https://avatars.githubusercontent.com/u/3017182?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Antoine POPINEAU/>
@@ -378,15 +489,6 @@ make build
             <sub style="font-size:14px"><b>Antoine POPINEAU</b></sub>
         </a>
     </td>
-</tr>
-<tr>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/iSchluff>
-            <img src=https://avatars.githubusercontent.com/u/1429641?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Anton Schubert/>
-            <br />
-            <sub style="font-size:14px"><b>Anton Schubert</b></sub>
-        </a>
-    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/aofei>
             <img src=https://avatars.githubusercontent.com/u/5037285?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Aofei Sheng/>
@@ -408,6 +510,8 @@ make build
             <sub style="font-size:14px"><b>Bryan Stenson</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/yangchuansheng>
             <img src=https://avatars.githubusercontent.com/u/15308462?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt= Carson Yang/>
@@ -415,6 +519,13 @@ make build
             <sub style="font-size:14px"><b> Carson Yang</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/kundel>
+            <img src=https://avatars.githubusercontent.com/u/10158899?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=kundel/>
+            <br />
+            <sub style="font-size:14px"><b>kundel</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/fkr>
             <img src=https://avatars.githubusercontent.com/u/51063?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Felix Kronlage-Dammers/>
@@ -422,8 +533,6 @@ make build
             <sub style="font-size:14px"><b>Felix Kronlage-Dammers</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/felixonmars>
             <img src=https://avatars.githubusercontent.com/u/1006477?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Felix Yan/>
@@ -438,13 +547,6 @@ make build
             <sub style="font-size:14px"><b>JJGadgets</b></sub>
         </a>
     </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/madjam002>
-            <img src=https://avatars.githubusercontent.com/u/679137?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jamie Greeff/>
-            <br />
-            <sub style="font-size:14px"><b>Jamie Greeff</b></sub>
-        </a>
-    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/jimt>
             <img src=https://avatars.githubusercontent.com/u/180326?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jim Tittsler/>
@@ -452,6 +554,15 @@ make build
             <sub style="font-size:14px"><b>Jim Tittsler</b></sub>
         </a>
     </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/ShadowJonathan>
+            <img src=https://avatars.githubusercontent.com/u/22740616?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jonathan de Jong/>
+            <br />
+            <sub style="font-size:14px"><b>Jonathan de Jong</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/piec>
             <img src=https://avatars.githubusercontent.com/u/781471?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pierre Carru/>
@@ -459,6 +570,20 @@ make build
             <sub style="font-size:14px"><b>Pierre Carru</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/Donran>
+            <img src=https://avatars.githubusercontent.com/u/4838348?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pontus N/>
+            <br />
+            <sub style="font-size:14px"><b>Pontus N</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/nnsee>
+            <img src=https://avatars.githubusercontent.com/u/36747857?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Rasmus Moorats/>
+            <br />
+            <sub style="font-size:14px"><b>Rasmus Moorats</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/rcursaru>
             <img src=https://avatars.githubusercontent.com/u/16259641?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=rcursaru/>
@@ -466,15 +591,15 @@ make build
             <sub style="font-size:14px"><b>rcursaru</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/renovate-bot>
-            <img src=https://avatars.githubusercontent.com/u/25180681?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=WhiteSource Renovate/>
+            <img src=https://avatars.githubusercontent.com/u/25180681?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mend Renovate/>
             <br />
-            <sub style="font-size:14px"><b>WhiteSource Renovate</b></sub>
+            <sub style="font-size:14px"><b>Mend Renovate</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/ryanfowler>
             <img src=https://avatars.githubusercontent.com/u/2668821?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Ryan Fowler/>
@@ -489,6 +614,20 @@ make build
             <sub style="font-size:14px"><b>Shaanan Cohney</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/stefanvanburen>
+            <img src=https://avatars.githubusercontent.com/u/622527?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan VanBuren/>
+            <br />
+            <sub style="font-size:14px"><b>Stefan VanBuren</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/sophware>
+            <img src=https://avatars.githubusercontent.com/u/41669?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=sophware/>
+            <br />
+            <sub style="font-size:14px"><b>sophware</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/m-tanner-dev0>
             <img src=https://avatars.githubusercontent.com/u/97977342?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tanner/>
@@ -503,6 +642,8 @@ make build
             <sub style="font-size:14px"><b>Teteros</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/gitter-badger>
             <img src=https://avatars.githubusercontent.com/u/8518239?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=The Gitter Badger/>
@@ -510,8 +651,6 @@ make build
             <sub style="font-size:14px"><b>The Gitter Badger</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/tianon>
             <img src=https://avatars.githubusercontent.com/u/161631?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tianon Gravi/>
@@ -519,6 +658,13 @@ make build
             <sub style="font-size:14px"><b>Tianon Gravi</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/thetillhoff>
+            <img src=https://avatars.githubusercontent.com/u/25052289?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Till Hoffmann/>
+            <br />
+            <sub style="font-size:14px"><b>Till Hoffmann</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/woudsma>
             <img src=https://avatars.githubusercontent.com/u/6162978?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tjerk Woudsma/>
@@ -533,6 +679,15 @@ make build
             <sub style="font-size:14px"><b>Yang Bin</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/gozssky>
+            <img src=https://avatars.githubusercontent.com/u/17199941?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Yujie Xia/>
+            <br />
+            <sub style="font-size:14px"><b>Yujie Xia</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/zekker6>
             <img src=https://avatars.githubusercontent.com/u/1367798?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Zakhar Bessarab/>
@@ -541,10 +696,17 @@ make build
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/Bpazy>
-            <img src=https://avatars.githubusercontent.com/u/9838749?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ZiYuan/>
+        <a href=https://github.com/zhzy0077>
+            <img src=https://avatars.githubusercontent.com/u/8717471?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Zhiyuan Zheng/>
             <br />
-            <sub style="font-size:14px"><b>ZiYuan</b></sub>
+            <sub style="font-size:14px"><b>Zhiyuan Zheng</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/Bpazy>
+            <img src=https://avatars.githubusercontent.com/u/9838749?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Ziyuan Han/>
+            <br />
+            <sub style="font-size:14px"><b>Ziyuan Han</b></sub>
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -554,8 +716,6 @@ make build
             <sub style="font-size:14px"><b>derelm</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/nning>
             <img src=https://avatars.githubusercontent.com/u/557430?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=henning mueller/>
@@ -570,11 +730,13 @@ make build
             <sub style="font-size:14px"><b>ignoramous</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/lion24>
-            <img src=https://avatars.githubusercontent.com/u/1382102?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=lion24/>
+            <img src=https://avatars.githubusercontent.com/u/1382102?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=sharkonet/>
             <br />
-            <sub style="font-size:14px"><b>lion24</b></sub>
+            <sub style="font-size:14px"><b>sharkonet</b></sub>
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -584,6 +746,13 @@ make build
             <sub style="font-size:14px"><b>pernila</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/phpmalik>
+            <img src=https://avatars.githubusercontent.com/u/26834645?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=phpmalik/>
+            <br />
+            <sub style="font-size:14px"><b>phpmalik</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/Wakeful-Cloud>
             <img src=https://avatars.githubusercontent.com/u/38930607?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Wakeful-Cloud/>

acls.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"net/netip"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -13,7 +14,6 @@ import (
 	"github.com/rs/zerolog/log"
 	"github.com/tailscale/hujson"
 	"gopkg.in/yaml.v3"
-	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
 )
 
@@ -23,6 +23,7 @@ const (
 	errInvalidGroup      = Error("invalid group")
 	errInvalidTag        = Error("invalid tag")
 	errInvalidPortFormat = Error("invalid port format")
+	errWildcardIsNeeded  = Error("wildcard as port is required for the protocol")
 )
 
 const (
@@ -36,6 +37,23 @@ const (
 	expectedTokenItems = 2
 )
 
+// For some reason golang.org/x/net/internal/iana is an internal package.
+const (
+	protocolICMP     = 1   // Internet Control Message
+	protocolIGMP     = 2   // Internet Group Management
+	protocolIPv4     = 4   // IPv4 encapsulation
+	protocolTCP      = 6   // Transmission Control
+	protocolEGP      = 8   // Exterior Gateway Protocol
+	protocolIGP      = 9   // any private interior gateway (used by Cisco for their IGRP)
+	protocolUDP      = 17  // User Datagram
+	protocolGRE      = 47  // Generic Routing Encapsulation
+	protocolESP      = 50  // Encap Security Payload
+	protocolAH       = 51  // Authentication Header
+	protocolIPv6ICMP = 58  // ICMP for IPv6
+	protocolSCTP     = 132 // Stream Control Transmission Protocol
+	ProtocolFC       = 133 // Fibre Channel
+)
+
 // LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules.
 func (h *Headscale) LoadACLPolicy(path string) error {
 	log.Debug().
@@ -123,23 +141,36 @@ func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
 		}
 
 		srcIPs := []string{}
-		for innerIndex, user := range acl.Users {
-			srcs, err := h.generateACLPolicySrcIP(machines, *h.aclPolicy, user)
+		for innerIndex, src := range acl.Sources {
+			srcs, err := h.generateACLPolicySrcIP(machines, *h.aclPolicy, src)
 			if err != nil {
 				log.Error().
-					Msgf("Error parsing ACL %d, User %d", index, innerIndex)
+					Msgf("Error parsing ACL %d, Source %d", index, innerIndex)
 
 				return nil, err
 			}
 			srcIPs = append(srcIPs, srcs...)
 		}
 
+		protocols, needsWildcard, err := parseProtocol(acl.Protocol)
+		if err != nil {
+			log.Error().
+				Msgf("Error parsing ACL %d. protocol unknown %s", index, acl.Protocol)
+
+			return nil, err
+		}
+
 		destPorts := []tailcfg.NetPortRange{}
-		for innerIndex, ports := range acl.Ports {
-			dests, err := h.generateACLPolicyDestPorts(machines, *h.aclPolicy, ports)
+		for innerIndex, dest := range acl.Destinations {
+			dests, err := h.generateACLPolicyDest(
+				machines,
+				*h.aclPolicy,
+				dest,
+				needsWildcard,
+			)
 			if err != nil {
 				log.Error().
-					Msgf("Error parsing ACL %d, Port %d", index, innerIndex)
+					Msgf("Error parsing ACL %d, Destination %d", index, innerIndex)
 
 				return nil, err
 			}
@@ -149,6 +180,7 @@ func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
 		rules = append(rules, tailcfg.FilterRule{
 			SrcIPs:   srcIPs,
 			DstPorts: destPorts,
+			IPProto:  protocols,
 		})
 	}
 
@@ -158,17 +190,18 @@ func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
 func (h *Headscale) generateACLPolicySrcIP(
 	machines []Machine,
 	aclPolicy ACLPolicy,
-	u string,
+	src string,
 ) ([]string, error) {
-	return expandAlias(machines, aclPolicy, u, h.cfg.OIDC.StripEmaildomain)
+	return expandAlias(machines, aclPolicy, src, h.cfg.OIDC.StripEmaildomain)
 }
 
-func (h *Headscale) generateACLPolicyDestPorts(
+func (h *Headscale) generateACLPolicyDest(
 	machines []Machine,
 	aclPolicy ACLPolicy,
-	d string,
+	dest string,
+	needsWildcard bool,
 ) ([]tailcfg.NetPortRange, error) {
-	tokens := strings.Split(d, ":")
+	tokens := strings.Split(dest, ":")
 	if len(tokens) < expectedTokenItems || len(tokens) > 3 {
 		return nil, errInvalidPortFormat
 	}
@@ -195,7 +228,7 @@ func (h *Headscale) generateACLPolicyDestPorts(
 	if err != nil {
 		return nil, err
 	}
-	ports, err := expandPorts(tokens[len(tokens)-1])
+	ports, err := expandPorts(tokens[len(tokens)-1], needsWildcard)
 	if err != nil {
 		return nil, err
 	}
@@ -214,6 +247,61 @@ func (h *Headscale) generateACLPolicyDestPorts(
 	return dests, nil
 }
 
+// parseProtocol reads the proto field of the ACL and generates a list of
+// protocols that will be allowed, following the IANA IP protocol number
+// https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+//
+// If the ACL proto field is empty, it allows ICMPv4, ICMPv6, TCP, and UDP,
+// as per Tailscale behaviour (see tailcfg.FilterRule).
+//
+// Also returns a boolean indicating if the protocol
+// requires all the destinations to use wildcard as port number (only TCP,
+// UDP and SCTP support specifying ports).
+func parseProtocol(protocol string) ([]int, bool, error) {
+	switch protocol {
+	case "":
+		return []int{
+			protocolICMP,
+			protocolIPv6ICMP,
+			protocolTCP,
+			protocolUDP,
+		}, false, nil
+	case "igmp":
+		return []int{protocolIGMP}, true, nil
+	case "ipv4", "ip-in-ip":
+		return []int{protocolIPv4}, true, nil
+	case "tcp":
+		return []int{protocolTCP}, false, nil
+	case "egp":
+		return []int{protocolEGP}, true, nil
+	case "igp":
+		return []int{protocolIGP}, true, nil
+	case "udp":
+		return []int{protocolUDP}, false, nil
+	case "gre":
+		return []int{protocolGRE}, true, nil
+	case "esp":
+		return []int{protocolESP}, true, nil
+	case "ah":
+		return []int{protocolAH}, true, nil
+	case "sctp":
+		return []int{protocolSCTP}, false, nil
+	case "icmp":
+		return []int{protocolICMP, protocolIPv6ICMP}, true, nil
+
+	default:
+		protocolNumber, err := strconv.Atoi(protocol)
+		if err != nil {
+			return nil, false, err
+		}
+		needsWildcard := protocolNumber != protocolTCP &&
+			protocolNumber != protocolUDP &&
+			protocolNumber != protocolSCTP
+
+		return []int{protocolNumber}, needsWildcard, nil
+	}
+}
+
 // expandalias has an input of either
 // - a namespace
 // - a group
@@ -268,6 +356,7 @@ func expandAlias(
 						alias,
 					)
 				}
+
 				return ips, nil
 			} else {
 				return ips, err
@@ -290,7 +379,7 @@ func expandAlias(
 
 	// if alias is a namespace
 	nodes := filterMachinesByNamespace(machines, alias)
-	nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias)
+	nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias, stripEmailDomain)
 
 	for _, n := range nodes {
 		ips = append(ips, n.IPAddresses.ToStringSlice()...)
@@ -305,13 +394,13 @@ func expandAlias(
 	}
 
 	// if alias is an IP
-	ip, err := netaddr.ParseIP(alias)
+	ip, err := netip.ParseAddr(alias)
 	if err == nil {
 		return []string{ip.String()}, nil
 	}
 
 	// if alias is an CIDR
-	cidr, err := netaddr.ParseIPPrefix(alias)
+	cidr, err := netip.ParsePrefix(alias)
 	if err == nil {
 		return []string{cidr.String()}, nil
 	}
@@ -328,10 +417,13 @@ func excludeCorrectlyTaggedNodes(
 	aclPolicy ACLPolicy,
 	nodes []Machine,
 	namespace string,
+	stripEmailDomain bool,
 ) []Machine {
 	out := []Machine{}
 	tags := []string{}
-	for tag, ns := range aclPolicy.TagOwners {
+	for tag := range aclPolicy.TagOwners {
+		owners, _ := expandTagOwners(aclPolicy, namespace, stripEmailDomain)
+		ns := append(owners, namespace)
 		if contains(ns, namespace) {
 			tags = append(tags, tag)
 		}
@@ -359,13 +451,17 @@ func excludeCorrectlyTaggedNodes(
 	return out
 }
 
-func expandPorts(portsStr string) (*[]tailcfg.PortRange, error) {
+func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, error) {
 	if portsStr == "*" {
 		return &[]tailcfg.PortRange{
 			{First: portRangeBegin, Last: portRangeEnd},
 		}, nil
 	}
 
+	if needsWildcard {
+		return nil, errWildcardIsNeeded
+	}
+
 	ports := []tailcfg.PortRange{}
 	for _, portStr := range strings.Split(portsStr, ",") {
 		rang := strings.Split(portStr, "-")

acls_test.go

@@ -2,11 +2,11 @@ package headscale
 
 import (
 	"errors"
+	"net/netip"
 	"reflect"
 	"testing"
 
 	"gopkg.in/check.v1"
-	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
 )
 
@@ -62,7 +62,11 @@ func (s *Suite) TestBasicRule(c *check.C) {
 func (s *Suite) TestInvalidAction(c *check.C) {
 	app.aclPolicy = &ACLPolicy{
 		ACLs: []ACL{
-			{Action: "invalidAction", Users: []string{"*"}, Ports: []string{"*:*"}},
+			{
+				Action:       "invalidAction",
+				Sources:      []string{"*"},
+				Destinations: []string{"*:*"},
+			},
 		},
 	}
 	err := app.UpdateACLRules()
@@ -70,14 +74,18 @@ func (s *Suite) TestInvalidAction(c *check.C) {
 }
 
 func (s *Suite) TestInvalidGroupInGroup(c *check.C) {
-	// this ACL is wrong because the group in users sections doesn't exist
+	// this ACL is wrong because the group in Sources sections doesn't exist
 	app.aclPolicy = &ACLPolicy{
 		Groups: Groups{
 			"group:test":  []string{"foo"},
 			"group:error": []string{"foo", "group:test"},
 		},
 		ACLs: []ACL{
-			{Action: "accept", Users: []string{"group:error"}, Ports: []string{"*:*"}},
+			{
+				Action:       "accept",
+				Sources:      []string{"group:error"},
+				Destinations: []string{"*:*"},
+			},
 		},
 	}
 	err := app.UpdateACLRules()
@@ -88,7 +96,11 @@ func (s *Suite) TestInvalidTagOwners(c *check.C) {
 	// this ACL is wrong because no tagOwners own the requested tag for the server
 	app.aclPolicy = &ACLPolicy{
 		ACLs: []ACL{
-			{Action: "accept", Users: []string{"tag:foo"}, Ports: []string{"*:*"}},
+			{
+				Action:       "accept",
+				Sources:      []string{"tag:foo"},
+				Destinations: []string{"*:*"},
+			},
 		},
 	}
 	err := app.UpdateACLRules()
@@ -97,12 +109,12 @@ func (s *Suite) TestInvalidTagOwners(c *check.C) {
 
 // this test should validate that we can expand a group in a TagOWner section and
 // match properly the IP's of the related hosts. The owner is valid and the tag is also valid.
-// the tag is matched in the Users section.
-func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {
+// the tag is matched in the Sources section.
+func (s *Suite) TestValidExpandTagOwnersInSources(c *check.C) {
 	namespace, err := app.CreateNamespace("user1")
 	c.Assert(err, check.IsNil)
 
-	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)
 
 	_, err = app.GetMachine("user1", "testmachine")
@@ -119,7 +131,7 @@ func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
 		Hostname:       "testmachine",
-		IPAddresses:    MachineAddresses{netaddr.MustParseIP("100.64.0.1")},
+		IPAddresses:    MachineAddresses{netip.MustParseAddr("100.64.0.1")},
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
@@ -131,7 +143,11 @@ func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {
 		Groups:    Groups{"group:test": []string{"user1", "user2"}},
 		TagOwners: TagOwners{"tag:test": []string{"user3", "group:test"}},
 		ACLs: []ACL{
-			{Action: "accept", Users: []string{"tag:test"}, Ports: []string{"*:*"}},
+			{
+				Action:       "accept",
+				Sources:      []string{"tag:test"},
+				Destinations: []string{"*:*"},
+			},
 		},
 	}
 	err = app.UpdateACLRules()
@@ -143,12 +159,12 @@ func (s *Suite) TestValidExpandTagOwnersInUsers(c *check.C) {
 
 // this test should validate that we can expand a group in a TagOWner section and
 // match properly the IP's of the related hosts. The owner is valid and the tag is also valid.
-// the tag is matched in the Ports section.
-func (s *Suite) TestValidExpandTagOwnersInPorts(c *check.C) {
+// the tag is matched in the Destinations section.
+func (s *Suite) TestValidExpandTagOwnersInDestinations(c *check.C) {
 	namespace, err := app.CreateNamespace("user1")
 	c.Assert(err, check.IsNil)
 
-	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)
 
 	_, err = app.GetMachine("user1", "testmachine")
@@ -165,7 +181,7 @@ func (s *Suite) TestValidExpandTagOwnersInPorts(c *check.C) {
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
 		Hostname:       "testmachine",
-		IPAddresses:    MachineAddresses{netaddr.MustParseIP("100.64.0.1")},
+		IPAddresses:    MachineAddresses{netip.MustParseAddr("100.64.0.1")},
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
@@ -177,7 +193,11 @@ func (s *Suite) TestValidExpandTagOwnersInPorts(c *check.C) {
 		Groups:    Groups{"group:test": []string{"user1", "user2"}},
 		TagOwners: TagOwners{"tag:test": []string{"user3", "group:test"}},
 		ACLs: []ACL{
-			{Action: "accept", Users: []string{"*"}, Ports: []string{"tag:test:*"}},
+			{
+				Action:       "accept",
+				Sources:      []string{"*"},
+				Destinations: []string{"tag:test:*"},
+			},
 		},
 	}
 	err = app.UpdateACLRules()
@@ -194,7 +214,7 @@ func (s *Suite) TestInvalidTagValidNamespace(c *check.C) {
 	namespace, err := app.CreateNamespace("user1")
 	c.Assert(err, check.IsNil)
 
-	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)
 
 	_, err = app.GetMachine("user1", "testmachine")
@@ -211,7 +231,7 @@ func (s *Suite) TestInvalidTagValidNamespace(c *check.C) {
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
 		Hostname:       "testmachine",
-		IPAddresses:    MachineAddresses{netaddr.MustParseIP("100.64.0.1")},
+		IPAddresses:    MachineAddresses{netip.MustParseAddr("100.64.0.1")},
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
@@ -222,7 +242,11 @@ func (s *Suite) TestInvalidTagValidNamespace(c *check.C) {
 	app.aclPolicy = &ACLPolicy{
 		TagOwners: TagOwners{"tag:test": []string{"user1"}},
 		ACLs: []ACL{
-			{Action: "accept", Users: []string{"user1"}, Ports: []string{"*:*"}},
+			{
+				Action:       "accept",
+				Sources:      []string{"user1"},
+				Destinations: []string{"*:*"},
+			},
 		},
 	}
 	err = app.UpdateACLRules()
@@ -239,7 +263,7 @@ func (s *Suite) TestValidTagInvalidNamespace(c *check.C) {
 	namespace, err := app.CreateNamespace("user1")
 	c.Assert(err, check.IsNil)
 
-	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)
 
 	_, err = app.GetMachine("user1", "webserver")
@@ -256,7 +280,7 @@ func (s *Suite) TestValidTagInvalidNamespace(c *check.C) {
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
 		Hostname:       "webserver",
-		IPAddresses:    MachineAddresses{netaddr.MustParseIP("100.64.0.1")},
+		IPAddresses:    MachineAddresses{netip.MustParseAddr("100.64.0.1")},
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
@@ -275,7 +299,7 @@ func (s *Suite) TestValidTagInvalidNamespace(c *check.C) {
 		NodeKey:        "bar2",
 		DiscoKey:       "faab",
 		Hostname:       "user",
-		IPAddresses:    MachineAddresses{netaddr.MustParseIP("100.64.0.2")},
+		IPAddresses:    MachineAddresses{netip.MustParseAddr("100.64.0.2")},
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
@@ -287,9 +311,9 @@ func (s *Suite) TestValidTagInvalidNamespace(c *check.C) {
 		TagOwners: TagOwners{"tag:webapp": []string{"user1"}},
 		ACLs: []ACL{
 			{
-				Action: "accept",
-				Users:  []string{"user1"},
-				Ports:  []string{"tag:webapp:80,443"},
+				Action:       "accept",
+				Sources:      []string{"user1"},
+				Destinations: []string{"tag:webapp:80,443"},
 			},
 		},
 	}
@@ -321,6 +345,20 @@ func (s *Suite) TestPortRange(c *check.C) {
 	c.Assert(rules[0].DstPorts[0].Ports.Last, check.Equals, uint16(5500))
 }
 
+func (s *Suite) TestProtocolParsing(c *check.C) {
+	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_protocols.hujson")
+	c.Assert(err, check.IsNil)
+
+	rules, err := app.generateACLRules()
+	c.Assert(err, check.IsNil)
+	c.Assert(rules, check.NotNil)
+
+	c.Assert(rules, check.HasLen, 3)
+	c.Assert(rules[0].IPProto[0], check.Equals, protocolTCP)
+	c.Assert(rules[1].IPProto[0], check.Equals, protocolUDP)
+	c.Assert(rules[2].IPProto[1], check.Equals, protocolIPv6ICMP)
+}
+
 func (s *Suite) TestPortWildcard(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_wildcards.hujson")
 	c.Assert(err, check.IsNil)
@@ -357,7 +395,7 @@ func (s *Suite) TestPortNamespace(c *check.C) {
 	namespace, err := app.CreateNamespace("testnamespace")
 	c.Assert(err, check.IsNil)
 
-	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)
 
 	_, err = app.GetMachine("testnamespace", "testmachine")
@@ -399,7 +437,7 @@ func (s *Suite) TestPortGroup(c *check.C) {
 	namespace, err := app.CreateNamespace("testnamespace")
 	c.Assert(err, check.IsNil)
 
-	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil, nil)
 	c.Assert(err, check.IsNil)
 
 	_, err = app.GetMachine("testnamespace", "testmachine")
@@ -628,7 +666,8 @@ func Test_expandTagOwners(t *testing.T) {
 
 func Test_expandPorts(t *testing.T) {
 	type args struct {
-		portsStr string
+		portsStr      string
+		needsWildcard bool
 	}
 	tests := []struct {
 		name    string
@@ -638,15 +677,29 @@ func Test_expandPorts(t *testing.T) {
 	}{
 		{
 			name: "wildcard",
-			args: args{portsStr: "*"},
+			args: args{portsStr: "*", needsWildcard: true},
 			want: &[]tailcfg.PortRange{
 				{First: portRangeBegin, Last: portRangeEnd},
 			},
 			wantErr: false,
 		},
 		{
-			name: "two ports",
-			args: args{portsStr: "80,443"},
+			name: "needs wildcard but does not require it",
+			args: args{portsStr: "*", needsWildcard: false},
+			want: &[]tailcfg.PortRange{
+				{First: portRangeBegin, Last: portRangeEnd},
+			},
+			wantErr: false,
+		},
+		{
+			name:    "needs wildcard but gets port",
+			args:    args{portsStr: "80,443", needsWildcard: true},
+			want:    nil,
+			wantErr: true,
+		},
+		{
+			name: "two Destinations",
+			args: args{portsStr: "80,443", needsWildcard: false},
 			want: &[]tailcfg.PortRange{
 				{First: 80, Last: 80},
 				{First: 443, Last: 443},
@@ -655,7 +708,7 @@ func Test_expandPorts(t *testing.T) {
 		},
 		{
 			name: "a range and a port",
-			args: args{portsStr: "80-1024,443"},
+			args: args{portsStr: "80-1024,443", needsWildcard: false},
 			want: &[]tailcfg.PortRange{
 				{First: 80, Last: 1024},
 				{First: 443, Last: 443},
@@ -664,38 +717,38 @@ func Test_expandPorts(t *testing.T) {
 		},
 		{
 			name:    "out of bounds",
-			args:    args{portsStr: "854038"},
+			args:    args{portsStr: "854038", needsWildcard: false},
 			want:    nil,
 			wantErr: true,
 		},
 		{
 			name:    "wrong port",
-			args:    args{portsStr: "85a38"},
+			args:    args{portsStr: "85a38", needsWildcard: false},
 			want:    nil,
 			wantErr: true,
 		},
 		{
 			name:    "wrong port in first",
-			args:    args{portsStr: "a-80"},
+			args:    args{portsStr: "a-80", needsWildcard: false},
 			want:    nil,
 			wantErr: true,
 		},
 		{
 			name:    "wrong port in last",
-			args:    args{portsStr: "80-85a38"},
+			args:    args{portsStr: "80-85a38", needsWildcard: false},
 			want:    nil,
 			wantErr: true,
 		},
 		{
 			name:    "wrong port format",
-			args:    args{portsStr: "80-85a38-3"},
+			args:    args{portsStr: "80-85a38-3", needsWildcard: false},
 			want:    nil,
 			wantErr: true,
 		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			got, err := expandPorts(test.args.portsStr)
+			got, err := expandPorts(test.args.portsStr, test.args.needsWildcard)
 			if (err != nil) != test.wantErr {
 				t.Errorf("expandPorts() error = %v, wantErr %v", err, test.wantErr)
 
@@ -772,7 +825,6 @@ func Test_listMachinesInNamespace(t *testing.T) {
 	}
 }
 
-// nolint
 func Test_expandAlias(t *testing.T) {
 	type args struct {
 		machines         []Machine
@@ -791,10 +843,10 @@ func Test_expandAlias(t *testing.T) {
 			args: args{
 				alias: "*",
 				machines: []Machine{
-					{IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.1")}},
+					{IPAddresses: MachineAddresses{netip.MustParseAddr("100.64.0.1")}},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.78.84.227"),
+							netip.MustParseAddr("100.78.84.227"),
 						},
 					},
 				},
@@ -811,25 +863,25 @@ func Test_expandAlias(t *testing.T) {
 				machines: []Machine{
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.1"),
+							netip.MustParseAddr("100.64.0.1"),
 						},
 						Namespace: Namespace{Name: "joe"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.2"),
+							netip.MustParseAddr("100.64.0.2"),
 						},
 						Namespace: Namespace{Name: "joe"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.3"),
+							netip.MustParseAddr("100.64.0.3"),
 						},
 						Namespace: Namespace{Name: "marc"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.4"),
+							netip.MustParseAddr("100.64.0.4"),
 						},
 						Namespace: Namespace{Name: "mickael"},
 					},
@@ -849,25 +901,25 @@ func Test_expandAlias(t *testing.T) {
 				machines: []Machine{
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.1"),
+							netip.MustParseAddr("100.64.0.1"),
 						},
 						Namespace: Namespace{Name: "joe"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.2"),
+							netip.MustParseAddr("100.64.0.2"),
 						},
 						Namespace: Namespace{Name: "joe"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.3"),
+							netip.MustParseAddr("100.64.0.3"),
 						},
 						Namespace: Namespace{Name: "marc"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.4"),
+							netip.MustParseAddr("100.64.0.4"),
 						},
 						Namespace: Namespace{Name: "mickael"},
 					},
@@ -898,7 +950,7 @@ func Test_expandAlias(t *testing.T) {
 				machines: []Machine{},
 				aclPolicy: ACLPolicy{
 					Hosts: Hosts{
-						"homeNetwork": netaddr.MustParseIPPrefix("192.168.1.0/24"),
+						"homeNetwork": netip.MustParsePrefix("192.168.1.0/24"),
 					},
 				},
 				stripEmailDomain: true,
@@ -935,7 +987,7 @@ func Test_expandAlias(t *testing.T) {
 				machines: []Machine{
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.1"),
+							netip.MustParseAddr("100.64.0.1"),
 						},
 						Namespace: Namespace{Name: "joe"},
 						HostInfo: HostInfo{
@@ -946,7 +998,7 @@ func Test_expandAlias(t *testing.T) {
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.2"),
+							netip.MustParseAddr("100.64.0.2"),
 						},
 						Namespace: Namespace{Name: "joe"},
 						HostInfo: HostInfo{
@@ -957,13 +1009,13 @@ func Test_expandAlias(t *testing.T) {
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.3"),
+							netip.MustParseAddr("100.64.0.3"),
 						},
 						Namespace: Namespace{Name: "marc"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.4"),
+							netip.MustParseAddr("100.64.0.4"),
 						},
 						Namespace: Namespace{Name: "joe"},
 					},
@@ -983,25 +1035,25 @@ func Test_expandAlias(t *testing.T) {
 				machines: []Machine{
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.1"),
+							netip.MustParseAddr("100.64.0.1"),
 						},
 						Namespace: Namespace{Name: "joe"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.2"),
+							netip.MustParseAddr("100.64.0.2"),
 						},
 						Namespace: Namespace{Name: "joe"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.3"),
+							netip.MustParseAddr("100.64.0.3"),
 						},
 						Namespace: Namespace{Name: "marc"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.4"),
+							netip.MustParseAddr("100.64.0.4"),
 						},
 						Namespace: Namespace{Name: "mickael"},
 					},
@@ -1024,27 +1076,27 @@ func Test_expandAlias(t *testing.T) {
 				machines: []Machine{
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.1"),
+							netip.MustParseAddr("100.64.0.1"),
 						},
 						Namespace:  Namespace{Name: "joe"},
 						ForcedTags: []string{"tag:hr-webserver"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.2"),
+							netip.MustParseAddr("100.64.0.2"),
 						},
 						Namespace:  Namespace{Name: "joe"},
 						ForcedTags: []string{"tag:hr-webserver"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.3"),
+							netip.MustParseAddr("100.64.0.3"),
 						},
 						Namespace: Namespace{Name: "marc"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.4"),
+							netip.MustParseAddr("100.64.0.4"),
 						},
 						Namespace: Namespace{Name: "mickael"},
 					},
@@ -1062,14 +1114,14 @@ func Test_expandAlias(t *testing.T) {
 				machines: []Machine{
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.1"),
+							netip.MustParseAddr("100.64.0.1"),
 						},
 						Namespace:  Namespace{Name: "joe"},
 						ForcedTags: []string{"tag:hr-webserver"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.2"),
+							netip.MustParseAddr("100.64.0.2"),
 						},
 						Namespace: Namespace{Name: "joe"},
 						HostInfo: HostInfo{
@@ -1080,13 +1132,13 @@ func Test_expandAlias(t *testing.T) {
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.3"),
+							netip.MustParseAddr("100.64.0.3"),
 						},
 						Namespace: Namespace{Name: "marc"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.4"),
+							netip.MustParseAddr("100.64.0.4"),
 						},
 						Namespace: Namespace{Name: "mickael"},
 					},
@@ -1108,7 +1160,7 @@ func Test_expandAlias(t *testing.T) {
 				machines: []Machine{
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.1"),
+							netip.MustParseAddr("100.64.0.1"),
 						},
 						Namespace: Namespace{Name: "joe"},
 						HostInfo: HostInfo{
@@ -1119,7 +1171,7 @@ func Test_expandAlias(t *testing.T) {
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.2"),
+							netip.MustParseAddr("100.64.0.2"),
 						},
 						Namespace: Namespace{Name: "joe"},
 						HostInfo: HostInfo{
@@ -1130,13 +1182,13 @@ func Test_expandAlias(t *testing.T) {
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.3"),
+							netip.MustParseAddr("100.64.0.3"),
 						},
 						Namespace: Namespace{Name: "marc"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.4"),
+							netip.MustParseAddr("100.64.0.4"),
 						},
 						Namespace: Namespace{Name: "joe"},
 					},
@@ -1172,9 +1224,10 @@ func Test_expandAlias(t *testing.T) {
 
 func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 	type args struct {
-		aclPolicy ACLPolicy
-		nodes     []Machine
-		namespace string
+		aclPolicy        ACLPolicy
+		nodes            []Machine
+		namespace        string
+		stripEmailDomain bool
 	}
 	tests := []struct {
 		name    string
@@ -1191,7 +1244,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 				nodes: []Machine{
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.1"),
+							netip.MustParseAddr("100.64.0.1"),
 						},
 						Namespace: Namespace{Name: "joe"},
 						HostInfo: HostInfo{
@@ -1202,7 +1255,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.2"),
+							netip.MustParseAddr("100.64.0.2"),
 						},
 						Namespace: Namespace{Name: "joe"},
 						HostInfo: HostInfo{
@@ -1213,16 +1266,68 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.4"),
+							netip.MustParseAddr("100.64.0.4"),
 						},
 						Namespace: Namespace{Name: "joe"},
 					},
 				},
-				namespace: "joe",
+				namespace:        "joe",
+				stripEmailDomain: true,
 			},
 			want: []Machine{
 				{
-					IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.4")},
+					IPAddresses: MachineAddresses{netip.MustParseAddr("100.64.0.4")},
+					Namespace:   Namespace{Name: "joe"},
+				},
+			},
+		},
+		{
+			name: "exclude nodes with valid tags, and owner is in a group",
+			args: args{
+				aclPolicy: ACLPolicy{
+					Groups: Groups{
+						"group:accountant": []string{"joe", "bar"},
+					},
+					TagOwners: TagOwners{
+						"tag:accountant-webserver": []string{"group:accountant"},
+					},
+				},
+				nodes: []Machine{
+					{
+						IPAddresses: MachineAddresses{
+							netip.MustParseAddr("100.64.0.1"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: HostInfo{
+							OS:          "centos",
+							Hostname:    "foo",
+							RequestTags: []string{"tag:accountant-webserver"},
+						},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netip.MustParseAddr("100.64.0.2"),
+						},
+						Namespace: Namespace{Name: "joe"},
+						HostInfo: HostInfo{
+							OS:          "centos",
+							Hostname:    "foo",
+							RequestTags: []string{"tag:accountant-webserver"},
+						},
+					},
+					{
+						IPAddresses: MachineAddresses{
+							netip.MustParseAddr("100.64.0.4"),
+						},
+						Namespace: Namespace{Name: "joe"},
+					},
+				},
+				namespace:        "joe",
+				stripEmailDomain: true,
+			},
+			want: []Machine{
+				{
+					IPAddresses: MachineAddresses{netip.MustParseAddr("100.64.0.4")},
 					Namespace:   Namespace{Name: "joe"},
 				},
 			},
@@ -1236,7 +1341,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 				nodes: []Machine{
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.1"),
+							netip.MustParseAddr("100.64.0.1"),
 						},
 						Namespace: Namespace{Name: "joe"},
 						HostInfo: HostInfo{
@@ -1247,23 +1352,24 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.2"),
+							netip.MustParseAddr("100.64.0.2"),
 						},
 						Namespace:  Namespace{Name: "joe"},
 						ForcedTags: []string{"tag:accountant-webserver"},
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.4"),
+							netip.MustParseAddr("100.64.0.4"),
 						},
 						Namespace: Namespace{Name: "joe"},
 					},
 				},
-				namespace: "joe",
+				namespace:        "joe",
+				stripEmailDomain: true,
 			},
 			want: []Machine{
 				{
-					IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.4")},
+					IPAddresses: MachineAddresses{netip.MustParseAddr("100.64.0.4")},
 					Namespace:   Namespace{Name: "joe"},
 				},
 			},
@@ -1277,7 +1383,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 				nodes: []Machine{
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.1"),
+							netip.MustParseAddr("100.64.0.1"),
 						},
 						Namespace: Namespace{Name: "joe"},
 						HostInfo: HostInfo{
@@ -1288,7 +1394,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.2"),
+							netip.MustParseAddr("100.64.0.2"),
 						},
 						Namespace: Namespace{Name: "joe"},
 						HostInfo: HostInfo{
@@ -1299,17 +1405,18 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 					},
 					{
 						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.4"),
+							netip.MustParseAddr("100.64.0.4"),
 						},
 						Namespace: Namespace{Name: "joe"},
 					},
 				},
-				namespace: "joe",
+				namespace:        "joe",
+				stripEmailDomain: true,
 			},
 			want: []Machine{
 				{
 					IPAddresses: MachineAddresses{
-						netaddr.MustParseIP("100.64.0.1"),
+						netip.MustParseAddr("100.64.0.1"),
 					},
 					Namespace: Namespace{Name: "joe"},
 					HostInfo: HostInfo{
@@ -1320,7 +1427,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 				},
 				{
 					IPAddresses: MachineAddresses{
-						netaddr.MustParseIP("100.64.0.2"),
+						netip.MustParseAddr("100.64.0.2"),
 					},
 					Namespace: Namespace{Name: "joe"},
 					HostInfo: HostInfo{
@@ -1331,7 +1438,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 				},
 				{
 					IPAddresses: MachineAddresses{
-						netaddr.MustParseIP("100.64.0.4"),
+						netip.MustParseAddr("100.64.0.4"),
 					},
 					Namespace: Namespace{Name: "joe"},
 				},
@@ -1344,6 +1451,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 				test.args.aclPolicy,
 				test.args.nodes,
 				test.args.namespace,
+				test.args.stripEmailDomain,
 			)
 			if !reflect.DeepEqual(got, test.want) {
 				t.Errorf("excludeCorrectlyTaggedNodes() = %v, want %v", got, test.want)

acls_types.go

@@ -2,46 +2,55 @@ package headscale
 
 import (
 	"encoding/json"
+	"net/netip"
 	"strings"
 
 	"github.com/tailscale/hujson"
 	"gopkg.in/yaml.v3"
-	"inet.af/netaddr"
 )
 
 // ACLPolicy represents a Tailscale ACL Policy.
 type ACLPolicy struct {
-	Groups    Groups    `json:"Groups"    yaml:"Groups"`
-	Hosts     Hosts     `json:"Hosts"     yaml:"Hosts"`
-	TagOwners TagOwners `json:"TagOwners" yaml:"TagOwners"`
-	ACLs      []ACL     `json:"ACLs"      yaml:"ACLs"`
-	Tests     []ACLTest `json:"Tests"     yaml:"Tests"`
+	Groups        Groups        `json:"groups"        yaml:"groups"`
+	Hosts         Hosts         `json:"hosts"         yaml:"hosts"`
+	TagOwners     TagOwners     `json:"tagOwners"     yaml:"tagOwners"`
+	ACLs          []ACL         `json:"acls"          yaml:"acls"`
+	Tests         []ACLTest     `json:"tests"         yaml:"tests"`
+	AutoApprovers AutoApprovers `json:"autoApprovers" yaml:"autoApprovers"`
 }
 
 // ACL is a basic rule for the ACL Policy.
 type ACL struct {
-	Action string   `json:"Action" yaml:"Action"`
-	Users  []string `json:"Users"  yaml:"Users"`
-	Ports  []string `json:"Ports"  yaml:"Ports"`
+	Action       string   `json:"action" yaml:"action"`
+	Protocol     string   `json:"proto"  yaml:"proto"`
+	Sources      []string `json:"src"    yaml:"src"`
+	Destinations []string `json:"dst"    yaml:"dst"`
 }
 
 // Groups references a series of alias in the ACL rules.
 type Groups map[string][]string
 
 // Hosts are alias for IP addresses or subnets.
-type Hosts map[string]netaddr.IPPrefix
+type Hosts map[string]netip.Prefix
 
 // TagOwners specify what users (namespaces?) are allow to use certain tags.
 type TagOwners map[string][]string
 
 // ACLTest is not implemented, but should be use to check if a certain rule is allowed.
 type ACLTest struct {
-	User  string   `json:"User"           yaml:"User"`
-	Allow []string `json:"Allow"          yaml:"Allow"`
-	Deny  []string `json:"Deny,omitempty" yaml:"Deny,omitempty"`
+	Source string   `json:"src"            yaml:"src"`
+	Accept []string `json:"accept"         yaml:"accept"`
+	Deny   []string `json:"deny,omitempty" yaml:"deny,omitempty"`
 }
 
-// UnmarshalJSON allows to parse the Hosts directly into netaddr objects.
+// AutoApprovers specify which users (namespaces?), groups or tags have their advertised routes
+// or exit node status automatically enabled.
+type AutoApprovers struct {
+	Routes   map[string][]string `json:"routes"   yaml:"routes"`
+	ExitNode []string            `json:"exitNode" yaml:"exitNode"`
+}
+
+// UnmarshalJSON allows to parse the Hosts directly into netip objects.
 func (hosts *Hosts) UnmarshalJSON(data []byte) error {
 	newHosts := Hosts{}
 	hostIPPrefixMap := make(map[string]string)
@@ -59,7 +68,7 @@ func (hosts *Hosts) UnmarshalJSON(data []byte) error {
 		if !strings.Contains(prefixStr, "/") {
 			prefixStr += "/32"
 		}
-		prefix, err := netaddr.ParseIPPrefix(prefixStr)
+		prefix, err := netip.ParsePrefix(prefixStr)
 		if err != nil {
 			return err
 		}
@@ -70,7 +79,7 @@ func (hosts *Hosts) UnmarshalJSON(data []byte) error {
 	return nil
 }
 
-// UnmarshalYAML allows to parse the Hosts directly into netaddr objects.
+// UnmarshalYAML allows to parse the Hosts directly into netip objects.
 func (hosts *Hosts) UnmarshalYAML(data []byte) error {
 	newHosts := Hosts{}
 	hostIPPrefixMap := make(map[string]string)
@@ -80,7 +89,7 @@ func (hosts *Hosts) UnmarshalYAML(data []byte) error {
 		return err
 	}
 	for host, prefixStr := range hostIPPrefixMap {
-		prefix, err := netaddr.ParseIPPrefix(prefixStr)
+		prefix, err := netip.ParsePrefix(prefixStr)
 		if err != nil {
 			return err
 		}
@@ -99,3 +108,28 @@ func (policy ACLPolicy) IsZero() bool {
 
 	return false
 }
+
+// Returns the list of autoApproving namespaces, groups or tags for a given IPPrefix.
+func (autoApprovers *AutoApprovers) GetRouteApprovers(
+	prefix netip.Prefix,
+) ([]string, error) {
+	if prefix.Bits() == 0 {
+		return autoApprovers.ExitNode, nil // 0.0.0.0/0, ::/0 or equivalent
+	}
+
+	approverAliases := []string{}
+
+	for autoApprovedPrefix, autoApproverAliases := range autoApprovers.Routes {
+		autoApprovedPrefix, err := netip.ParsePrefix(autoApprovedPrefix)
+		if err != nil {
+			return nil, err
+		}
+
+		if prefix.Bits() >= autoApprovedPrefix.Bits() &&
+			autoApprovedPrefix.Contains(prefix.Masked().Addr()) {
+			approverAliases = append(approverAliases, autoApproverAliases...)
+		}
+	}
+
+	return approverAliases, nil
+}

api.go

@@ -2,25 +2,19 @@ package headscale
 
 import (
 	"bytes"
-	"encoding/binary"
 	"encoding/json"
-	"errors"
-	"fmt"
 	"html/template"
-	"io"
 	"net/http"
-	"strings"
 	"time"
 
-	"github.com/gin-gonic/gin"
-	"github.com/klauspost/compress/zstd"
+	"github.com/gorilla/mux"
 	"github.com/rs/zerolog/log"
-	"gorm.io/gorm"
-	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
 )
 
 const (
+	// TODO(juan): remove this once https://github.com/juanfont/headscale/issues/727 is fixed.
+	registrationHoldoff                      = time.Second * 5
 	reservedResponseHeaderSize               = 4
 	RegisterMethodAuthKey                    = "authkey"
 	RegisterMethodOIDC                       = "oidc"
@@ -30,14 +24,42 @@ const (
 	)
 )
 
-// KeyHandler provides the Headscale pub key
-// Listens in /key.
-func (h *Headscale) KeyHandler(ctx *gin.Context) {
-	ctx.Data(
-		http.StatusOK,
-		"text/plain; charset=utf-8",
-		[]byte(MachinePublicKeyStripPrefix(h.privateKey.Public())),
-	)
+func (h *Headscale) HealthHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	respond := func(err error) {
+		writer.Header().Set("Content-Type", "application/health+json; charset=utf-8")
+
+		res := struct {
+			Status string `json:"status"`
+		}{
+			Status: "pass",
+		}
+
+		if err != nil {
+			writer.WriteHeader(http.StatusInternalServerError)
+			log.Error().Caller().Err(err).Msg("health check failed")
+			res.Status = "fail"
+		}
+
+		buf, err := json.Marshal(res)
+		if err != nil {
+			log.Error().Caller().Err(err).Msg("marshal failed")
+		}
+		_, err = writer.Write(buf)
+		if err != nil {
+			log.Error().Caller().Err(err).Msg("write failed")
+		}
+	}
+
+	if err := h.pingDB(req.Context()); err != nil {
+		respond(err)
+
+		return
+	}
+
+	respond(nil)
 }
 
 type registerWebAPITemplateConfig struct {
@@ -62,624 +84,85 @@ var registerWebAPITemplate = template.Must(
 `))
 
 // RegisterWebAPI shows a simple message in the browser to point to the CLI
-// Listens in /register.
-func (h *Headscale) RegisterWebAPI(ctx *gin.Context) {
-	machineKeyStr := ctx.Query("key")
-	if machineKeyStr == "" {
-		ctx.String(http.StatusBadRequest, "Wrong params")
+// Listens in /register/:nkey.
+//
+// This is not part of the Tailscale control API, as we could send whatever URL
+// in the RegisterResponse.AuthURL field.
+func (h *Headscale) RegisterWebAPI(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	vars := mux.Vars(req)
+	nodeKeyStr, ok := vars["nkey"]
+
+	if !NodePublicKeyRegex.Match([]byte(nodeKeyStr)) {
+		log.Warn().Str("node_key", nodeKeyStr).Msg("Invalid node key passed to registration url")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusUnauthorized)
+		_, err := writer.Write([]byte("Unauthorized"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
+	// We need to make sure we dont open for XSS style injections, if the parameter that
+	// is passed as a key is not parsable/validated as a NodePublic key, then fail to render
+	// the template and log an error.
+	var nodeKey key.NodePublic
+	err := nodeKey.UnmarshalText(
+		[]byte(NodePublicKeyEnsurePrefix(nodeKeyStr)),
+	)
+
+	if !ok || nodeKeyStr == "" || err != nil {
+		log.Warn().Err(err).Msg("Failed to parse incoming nodekey")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("Wrong params"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
 
 		return
 	}
 
 	var content bytes.Buffer
 	if err := registerWebAPITemplate.Execute(&content, registerWebAPITemplateConfig{
-		Key: machineKeyStr,
+		Key: nodeKeyStr,
 	}); err != nil {
 		log.Error().
 			Str("func", "RegisterWebAPI").
 			Err(err).
 			Msg("Could not render register web API template")
-		ctx.Data(
-			http.StatusInternalServerError,
-			"text/html; charset=utf-8",
-			[]byte("Could not render register web API template"),
-		)
-	}
-
-	ctx.Data(http.StatusOK, "text/html; charset=utf-8", content.Bytes())
-}
-
-// RegistrationHandler handles the actual registration process of a machine
-// Endpoint /machine/:id.
-func (h *Headscale) RegistrationHandler(ctx *gin.Context) {
-	body, _ := io.ReadAll(ctx.Request.Body)
-	machineKeyStr := ctx.Param("id")
-
-	var machineKey key.MachinePublic
-	err := machineKey.UnmarshalText([]byte(MachinePublicKeyEnsurePrefix(machineKeyStr)))
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot parse machine key")
-		machineRegistrations.WithLabelValues("unknown", "web", "error", "unknown").Inc()
-		ctx.String(http.StatusInternalServerError, "Sad!")
-
-		return
-	}
-	req := tailcfg.RegisterRequest{}
-	err = decode(body, &req, &machineKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot decode message")
-		machineRegistrations.WithLabelValues("unknown", "web", "error", "unknown").Inc()
-		ctx.String(http.StatusInternalServerError, "Very sad!")
-
-		return
-	}
-
-	now := time.Now().UTC()
-	machine, err := h.GetMachineByMachineKey(machineKey)
-	if errors.Is(err, gorm.ErrRecordNotFound) {
-		log.Info().Str("machine", req.Hostinfo.Hostname).Msg("New machine")
-
-		machineKeyStr := MachinePublicKeyStripPrefix(machineKey)
-
-		// If the machine has AuthKey set, handle registration via PreAuthKeys
-		if req.Auth.AuthKey != "" {
-			h.handleAuthKey(ctx, machineKey, req)
-
-			return
-		}
-
-		givenName, err := h.GenerateGivenName(req.Hostinfo.Hostname)
-		if err != nil {
-			log.Error().
-				Caller().
-				Str("func", "RegistrationHandler").
-				Str("hostinfo.name", req.Hostinfo.Hostname).
-				Err(err)
-
-			return
-		}
-
-		// The machine did not have a key to authenticate, which means
-		// that we rely on a method that calls back some how (OpenID or CLI)
-		// We create the machine and then keep it around until a callback
-		// happens
-		newMachine := Machine{
-			MachineKey: machineKeyStr,
-			Hostname:   req.Hostinfo.Hostname,
-			GivenName:  givenName,
-			NodeKey:    NodePublicKeyStripPrefix(req.NodeKey),
-			LastSeen:   &now,
-			Expiry:     &time.Time{},
-		}
-
-		if !req.Expiry.IsZero() {
-			log.Trace().
-				Caller().
-				Str("machine", req.Hostinfo.Hostname).
-				Time("expiry", req.Expiry).
-				Msg("Non-zero expiry time requested")
-			newMachine.Expiry = &req.Expiry
-		}
-
-		h.registrationCache.Set(
-			machineKeyStr,
-			newMachine,
-			registerCacheExpiration,
-		)
-
-		h.handleMachineRegistrationNew(ctx, machineKey, req)
-
-		return
-	}
-
-	// The machine is already registered, so we need to pass through reauth or key update.
-	if machine != nil {
-		// If the NodeKey stored in headscale is the same as the key presented in a registration
-		// request, then we have a node that is either:
-		// - Trying to log out (sending a expiry in the past)
-		// - A valid, registered machine, looking for the node map
-		// - Expired machine wanting to reauthenticate
-		if machine.NodeKey == NodePublicKeyStripPrefix(req.NodeKey) {
-			// The client sends an Expiry in the past if the client is requesting to expire the key (aka logout)
-			//   https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L648
-			if !req.Expiry.IsZero() && req.Expiry.UTC().Before(now) {
-				h.handleMachineLogOut(ctx, machineKey, *machine)
-
-				return
-			}
-
-			// If machine is not expired, and is register, we have a already accepted this machine,
-			// let it proceed with a valid registration
-			if !machine.isExpired() {
-				h.handleMachineValidRegistration(ctx, machineKey, *machine)
-
-				return
-			}
-		}
-
-		// The NodeKey we have matches OldNodeKey, which means this is a refresh after a key expiration
-		if machine.NodeKey == NodePublicKeyStripPrefix(req.OldNodeKey) &&
-			!machine.isExpired() {
-			h.handleMachineRefreshKey(ctx, machineKey, req, *machine)
-
-			return
-		}
-
-		// The machine has expired
-		h.handleMachineExpired(ctx, machineKey, req, *machine)
-
-		return
-	}
-}
-
-func (h *Headscale) getMapResponse(
-	machineKey key.MachinePublic,
-	req tailcfg.MapRequest,
-	machine *Machine,
-) ([]byte, error) {
-	log.Trace().
-		Str("func", "getMapResponse").
-		Str("machine", req.Hostinfo.Hostname).
-		Msg("Creating Map response")
-	node, err := machine.toNode(h.cfg.BaseDomain, h.cfg.DNSConfig, true)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "getMapResponse").
-			Err(err).
-			Msg("Cannot convert to node")
-
-		return nil, err
-	}
-
-	peers, err := h.getValidPeers(machine)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "getMapResponse").
-			Err(err).
-			Msg("Cannot fetch peers")
-
-		return nil, err
-	}
-
-	profiles := getMapResponseUserProfiles(*machine, peers)
-
-	nodePeers, err := peers.toNodes(h.cfg.BaseDomain, h.cfg.DNSConfig, true)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "getMapResponse").
-			Err(err).
-			Msg("Failed to convert peers to Tailscale nodes")
-
-		return nil, err
-	}
-
-	dnsConfig := getMapResponseDNSConfig(
-		h.cfg.DNSConfig,
-		h.cfg.BaseDomain,
-		*machine,
-		peers,
-	)
-
-	resp := tailcfg.MapResponse{
-		KeepAlive:    false,
-		Node:         node,
-		Peers:        nodePeers,
-		DNSConfig:    dnsConfig,
-		Domain:       h.cfg.BaseDomain,
-		PacketFilter: h.aclRules,
-		DERPMap:      h.DERPMap,
-		UserProfiles: profiles,
-		Debug: &tailcfg.Debug{
-			DisableLogTail: !h.cfg.LogTail.Enabled,
-		},
-	}
-
-	log.Trace().
-		Str("func", "getMapResponse").
-		Str("machine", req.Hostinfo.Hostname).
-		// Interface("payload", resp).
-		Msgf("Generated map response: %s", tailMapResponseToString(resp))
-
-	var respBody []byte
-	if req.Compress == "zstd" {
-		src, err := json.Marshal(resp)
-		if err != nil {
-			log.Error().
-				Caller().
-				Str("func", "getMapResponse").
-				Err(err).
-				Msg("Failed to marshal response for the client")
-
-			return nil, err
-		}
-
-		encoder, _ := zstd.NewWriter(nil)
-		srcCompressed := encoder.EncodeAll(src, nil)
-		respBody = h.privateKey.SealTo(machineKey, srcCompressed)
-	} else {
-		respBody, err = encode(resp, &machineKey, h.privateKey)
-		if err != nil {
-			return nil, err
-		}
-	}
-	// declare the incoming size on the first 4 bytes
-	data := make([]byte, reservedResponseHeaderSize)
-	binary.LittleEndian.PutUint32(data, uint32(len(respBody)))
-	data = append(data, respBody...)
-
-	return data, nil
-}
-
-func (h *Headscale) getMapKeepAliveResponse(
-	machineKey key.MachinePublic,
-	mapRequest tailcfg.MapRequest,
-) ([]byte, error) {
-	mapResponse := tailcfg.MapResponse{
-		KeepAlive: true,
-	}
-	var respBody []byte
-	var err error
-	if mapRequest.Compress == "zstd" {
-		src, err := json.Marshal(mapResponse)
-		if err != nil {
-			log.Error().
-				Caller().
-				Str("func", "getMapKeepAliveResponse").
-				Err(err).
-				Msg("Failed to marshal keepalive response for the client")
-
-			return nil, err
-		}
-		encoder, _ := zstd.NewWriter(nil)
-		srcCompressed := encoder.EncodeAll(src, nil)
-		respBody = h.privateKey.SealTo(machineKey, srcCompressed)
-	} else {
-		respBody, err = encode(mapResponse, &machineKey, h.privateKey)
-		if err != nil {
-			return nil, err
-		}
-	}
-	data := make([]byte, reservedResponseHeaderSize)
-	binary.LittleEndian.PutUint32(data, uint32(len(respBody)))
-	data = append(data, respBody...)
-
-	return data, nil
-}
-
-func (h *Headscale) handleMachineLogOut(
-	ctx *gin.Context,
-	machineKey key.MachinePublic,
-	machine Machine,
-) {
-	resp := tailcfg.RegisterResponse{}
-
-	log.Info().
-		Str("machine", machine.Hostname).
-		Msg("Client requested logout")
-
-	h.ExpireMachine(&machine)
-
-	resp.AuthURL = ""
-	resp.MachineAuthorized = false
-	resp.User = *machine.Namespace.toUser()
-	respBody, err := encode(resp, &machineKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot encode message")
-		ctx.String(http.StatusInternalServerError, "")
-
-		return
-	}
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-}
-
-func (h *Headscale) handleMachineValidRegistration(
-	ctx *gin.Context,
-	machineKey key.MachinePublic,
-	machine Machine,
-) {
-	resp := tailcfg.RegisterResponse{}
-
-	// The machine registration is valid, respond with redirect to /map
-	log.Debug().
-		Str("machine", machine.Hostname).
-		Msg("Client is registered and we have the current NodeKey. All clear to /map")
-
-	resp.AuthURL = ""
-	resp.MachineAuthorized = true
-	resp.User = *machine.Namespace.toUser()
-	resp.Login = *machine.Namespace.toLogin()
-
-	respBody, err := encode(resp, &machineKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot encode message")
-		machineRegistrations.WithLabelValues("update", "web", "error", machine.Namespace.Name).
-			Inc()
-		ctx.String(http.StatusInternalServerError, "")
-
-		return
-	}
-	machineRegistrations.WithLabelValues("update", "web", "success", machine.Namespace.Name).
-		Inc()
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-}
-
-func (h *Headscale) handleMachineExpired(
-	ctx *gin.Context,
-	machineKey key.MachinePublic,
-	registerRequest tailcfg.RegisterRequest,
-	machine Machine,
-) {
-	resp := tailcfg.RegisterResponse{}
-
-	// The client has registered before, but has expired
-	log.Debug().
-		Str("machine", machine.Hostname).
-		Msg("Machine registration has expired. Sending a authurl to register")
-
-	if registerRequest.Auth.AuthKey != "" {
-		h.handleAuthKey(ctx, machineKey, registerRequest)
-
-		return
-	}
-
-	if h.cfg.OIDC.Issuer != "" {
-		resp.AuthURL = fmt.Sprintf("%s/oidc/register/%s",
-			strings.TrimSuffix(h.cfg.ServerURL, "/"), machineKey.String())
-	} else {
-		resp.AuthURL = fmt.Sprintf("%s/register?key=%s",
-			strings.TrimSuffix(h.cfg.ServerURL, "/"), machineKey.String())
-	}
-
-	respBody, err := encode(resp, &machineKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot encode message")
-		machineRegistrations.WithLabelValues("reauth", "web", "error", machine.Namespace.Name).
-			Inc()
-		ctx.String(http.StatusInternalServerError, "")
-
-		return
-	}
-	machineRegistrations.WithLabelValues("reauth", "web", "success", machine.Namespace.Name).
-		Inc()
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-}
-
-func (h *Headscale) handleMachineRefreshKey(
-	ctx *gin.Context,
-	machineKey key.MachinePublic,
-	registerRequest tailcfg.RegisterRequest,
-	machine Machine,
-) {
-	resp := tailcfg.RegisterResponse{}
-
-	log.Debug().
-		Str("machine", machine.Hostname).
-		Msg("We have the OldNodeKey in the database. This is a key refresh")
-	machine.NodeKey = NodePublicKeyStripPrefix(registerRequest.NodeKey)
-
-	if err := h.db.Save(&machine).Error; err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to update machine key in the database")
-		ctx.String(http.StatusInternalServerError, "Internal server error")
-
-		return
-	}
-
-	resp.AuthURL = ""
-	resp.User = *machine.Namespace.toUser()
-	respBody, err := encode(resp, &machineKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot encode message")
-		ctx.String(http.StatusInternalServerError, "Internal server error")
-
-		return
-	}
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-}
-
-func (h *Headscale) handleMachineRegistrationNew(
-	ctx *gin.Context,
-	machineKey key.MachinePublic,
-	registerRequest tailcfg.RegisterRequest,
-) {
-	resp := tailcfg.RegisterResponse{}
-
-	// The machine registration is new, redirect the client to the registration URL
-	log.Debug().
-		Str("machine", registerRequest.Hostinfo.Hostname).
-		Msg("The node is sending us a new NodeKey, sending auth url")
-	if h.cfg.OIDC.Issuer != "" {
-		resp.AuthURL = fmt.Sprintf(
-			"%s/oidc/register/%s",
-			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			machineKey.String(),
-		)
-	} else {
-		resp.AuthURL = fmt.Sprintf("%s/register?key=%s",
-			strings.TrimSuffix(h.cfg.ServerURL, "/"), MachinePublicKeyStripPrefix(machineKey))
-	}
-
-	respBody, err := encode(resp, &machineKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Cannot encode message")
-		ctx.String(http.StatusInternalServerError, "")
-
-		return
-	}
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-}
-
-// TODO: check if any locks are needed around IP allocation.
-func (h *Headscale) handleAuthKey(
-	ctx *gin.Context,
-	machineKey key.MachinePublic,
-	registerRequest tailcfg.RegisterRequest,
-) {
-	machineKeyStr := MachinePublicKeyStripPrefix(machineKey)
-
-	log.Debug().
-		Str("func", "handleAuthKey").
-		Str("machine", registerRequest.Hostinfo.Hostname).
-		Msgf("Processing auth key for %s", registerRequest.Hostinfo.Hostname)
-	resp := tailcfg.RegisterResponse{}
-
-	pak, err := h.checkKeyValidity(registerRequest.Auth.AuthKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "handleAuthKey").
-			Str("machine", registerRequest.Hostinfo.Hostname).
-			Err(err).
-			Msg("Failed authentication via AuthKey")
-		resp.MachineAuthorized = false
-		respBody, err := encode(resp, &machineKey, h.privateKey)
-		if err != nil {
-			log.Error().
-				Caller().
-				Str("func", "handleAuthKey").
-				Str("machine", registerRequest.Hostinfo.Hostname).
-				Err(err).
-				Msg("Cannot encode message")
-			ctx.String(http.StatusInternalServerError, "")
-			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
-				Inc()
-
-			return
-		}
-
-		ctx.Data(http.StatusUnauthorized, "application/json; charset=utf-8", respBody)
-		log.Error().
-			Caller().
-			Str("func", "handleAuthKey").
-			Str("machine", registerRequest.Hostinfo.Hostname).
-			Msg("Failed authentication via AuthKey")
-
-		if pak != nil {
-			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
-				Inc()
-		} else {
-			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", "unknown").Inc()
-		}
-
-		return
-	}
-
-	log.Debug().
-		Str("func", "handleAuthKey").
-		Str("machine", registerRequest.Hostinfo.Hostname).
-		Msg("Authentication key was valid, proceeding to acquire IP addresses")
-
-	nodeKey := NodePublicKeyStripPrefix(registerRequest.NodeKey)
-
-	// retrieve machine information if it exist
-	// The error is not important, because if it does not
-	// exist, then this is a new machine and we will move
-	// on to registration.
-	machine, _ := h.GetMachineByMachineKey(machineKey)
-	if machine != nil {
-		log.Trace().
-			Caller().
-			Str("machine", machine.Hostname).
-			Msg("machine already registered, refreshing with new auth key")
-
-		machine.NodeKey = nodeKey
-		machine.AuthKeyID = uint(pak.ID)
-		h.RefreshMachine(machine, registerRequest.Expiry)
-	} else {
-		now := time.Now().UTC()
-
-		givenName, err := h.GenerateGivenName(registerRequest.Hostinfo.Hostname)
-		if err != nil {
-			log.Error().
-				Caller().
-				Str("func", "RegistrationHandler").
-				Str("hostinfo.name", registerRequest.Hostinfo.Hostname).
-				Err(err)
-
-			return
-		}
-
-		machineToRegister := Machine{
-			Hostname:       registerRequest.Hostinfo.Hostname,
-			GivenName:      givenName,
-			NamespaceID:    pak.Namespace.ID,
-			MachineKey:     machineKeyStr,
-			RegisterMethod: RegisterMethodAuthKey,
-			Expiry:         &registerRequest.Expiry,
-			NodeKey:        nodeKey,
-			LastSeen:       &now,
-			AuthKeyID:      uint(pak.ID),
-		}
-
-		machine, err = h.RegisterMachine(
-			machineToRegister,
-		)
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err = writer.Write([]byte("Could not render register web API template"))
 		if err != nil {
 			log.Error().
 				Caller().
 				Err(err).
-				Msg("could not register machine")
-			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
-				Inc()
-			ctx.String(
-				http.StatusInternalServerError,
-				"could not register machine",
-			)
-
-			return
+				Msg("Failed to write response")
 		}
-	}
-
-	h.UsePreAuthKey(pak)
-
-	resp.MachineAuthorized = true
-	resp.User = *pak.Namespace.toUser()
-	respBody, err := encode(resp, &machineKey, h.privateKey)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "handleAuthKey").
-			Str("machine", registerRequest.Hostinfo.Hostname).
-			Err(err).
-			Msg("Cannot encode message")
-		machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
-			Inc()
-		ctx.String(http.StatusInternalServerError, "Extremely sad!")
 
 		return
 	}
-	machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "success", pak.Namespace.Name).
-		Inc()
-	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-	log.Info().
-		Str("func", "handleAuthKey").
-		Str("machine", registerRequest.Hostinfo.Hostname).
-		Str("ips", strings.Join(machine.IPAddresses.ToStringSlice(), ", ")).
-		Msg("Successfully authenticated via AuthKey")
+
+	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
+	writer.WriteHeader(http.StatusOK)
+	_, err = writer.Write(content.Bytes())
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
 }

api_common.go

@@ -0,0 +1,80 @@
+package headscale
+
+import (
+	"github.com/rs/zerolog/log"
+	"tailscale.com/tailcfg"
+)
+
+func (h *Headscale) generateMapResponse(
+	mapRequest tailcfg.MapRequest,
+	machine *Machine,
+) (*tailcfg.MapResponse, error) {
+	log.Trace().
+		Str("func", "generateMapResponse").
+		Str("machine", mapRequest.Hostinfo.Hostname).
+		Msg("Creating Map response")
+	node, err := machine.toNode(h.cfg.BaseDomain, h.cfg.DNSConfig)
+	if err != nil {
+		log.Error().
+			Caller().
+			Str("func", "generateMapResponse").
+			Err(err).
+			Msg("Cannot convert to node")
+
+		return nil, err
+	}
+
+	peers, err := h.getValidPeers(machine)
+	if err != nil {
+		log.Error().
+			Caller().
+			Str("func", "generateMapResponse").
+			Err(err).
+			Msg("Cannot fetch peers")
+
+		return nil, err
+	}
+
+	profiles := getMapResponseUserProfiles(*machine, peers)
+
+	nodePeers, err := peers.toNodes(h.cfg.BaseDomain, h.cfg.DNSConfig)
+	if err != nil {
+		log.Error().
+			Caller().
+			Str("func", "generateMapResponse").
+			Err(err).
+			Msg("Failed to convert peers to Tailscale nodes")
+
+		return nil, err
+	}
+
+	dnsConfig := getMapResponseDNSConfig(
+		h.cfg.DNSConfig,
+		h.cfg.BaseDomain,
+		*machine,
+		peers,
+	)
+
+	resp := tailcfg.MapResponse{
+		KeepAlive:    false,
+		Node:         node,
+		Peers:        nodePeers,
+		DNSConfig:    dnsConfig,
+		Domain:       h.cfg.BaseDomain,
+		PacketFilter: h.aclRules,
+		DERPMap:      h.DERPMap,
+		UserProfiles: profiles,
+		Debug: &tailcfg.Debug{
+			DisableLogTail:      !h.cfg.LogTail.Enabled,
+			RandomizeClientPort: h.cfg.RandomizeClientPort,
+		},
+	}
+
+	log.Trace().
+		Str("func", "generateMapResponse").
+		Str("machine", mapRequest.Hostinfo.Hostname).
+		// Interface("payload", resp).
+		Msgf("Generated map response: %s", tailMapResponseToString(resp))
+
+	return &resp, nil
+}

api_key.go

@@ -13,9 +13,8 @@ import (
 const (
 	apiPrefixLength = 7
 	apiKeyLength    = 32
-	apiKeyParts     = 2
 
-	errAPIKeyFailedToParse = Error("Failed to parse ApiKey")
+	ErrAPIKeyFailedToParse = Error("Failed to parse ApiKey")
 )
 
 // APIKey describes the datamodel for API keys used to remotely authenticate with
@@ -115,9 +114,9 @@ func (h *Headscale) ExpireAPIKey(key *APIKey) error {
 }
 
 func (h *Headscale) ValidateAPIKey(keyStr string) (bool, error) {
-	prefix, hash, err := splitAPIKey(keyStr)
-	if err != nil {
-		return false, fmt.Errorf("failed to validate api key: %w", err)
+	prefix, hash, found := strings.Cut(keyStr, ".")
+	if !found {
+		return false, ErrAPIKeyFailedToParse
 	}
 
 	key, err := h.GetAPIKey(prefix)
@@ -136,15 +135,6 @@ func (h *Headscale) ValidateAPIKey(keyStr string) (bool, error) {
 	return true, nil
 }
 
-func splitAPIKey(key string) (string, string, error) {
-	parts := strings.Split(key, ".")
-	if len(parts) != apiKeyParts {
-		return "", "", errAPIKeyFailedToParse
-	}
-
-	return parts[0], parts[1], nil
-}
-
 func (key *APIKey) toProto() *v1.ApiKey {
 	protoKey := v1.ApiKey{
 		Id:     key.ID,

app.go

@@ -17,16 +17,16 @@ import (
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/gin-gonic/gin"
-	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
+	"github.com/gorilla/mux"
+	grpcMiddleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/patrickmn/go-cache"
 	zerolog "github.com/philip-bui/grpc-zerolog"
-	"github.com/puzpuzpuz/xsync"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"github.com/puzpuzpuz/xsync/v2"
 	zl "github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
-	ginprometheus "github.com/zsais/go-gin-prometheus"
 	"golang.org/x/crypto/acme"
 	"golang.org/x/crypto/acme/autocert"
 	"golang.org/x/oauth2"
@@ -54,12 +54,13 @@ const (
 )
 
 const (
-	AuthPrefix         = "Bearer "
-	Postgres           = "postgres"
-	Sqlite             = "sqlite3"
-	updateInterval     = 5000
-	HTTPReadTimeout    = 30 * time.Second
-	privateKeyFileMode = 0o600
+	AuthPrefix          = "Bearer "
+	Postgres            = "postgres"
+	Sqlite              = "sqlite3"
+	updateInterval      = 5000
+	HTTPReadTimeout     = 30 * time.Second
+	HTTPShutdownTimeout = 3 * time.Second
+	privateKeyFileMode  = 0o600
 
 	registerCacheExpiration = time.Minute * 15
 	registerCacheCleanup    = time.Minute * 20
@@ -71,12 +72,15 @@ const (
 
 // Headscale represents the base app of the service.
 type Headscale struct {
-	cfg        *Config
-	db         *gorm.DB
-	dbString   string
-	dbType     string
-	dbDebug    bool
-	privateKey *key.MachinePrivate
+	cfg             *Config
+	db              *gorm.DB
+	dbString        string
+	dbType          string
+	dbDebug         bool
+	privateKey      *key.MachinePrivate
+	noisePrivateKey *key.MachinePrivate
+
+	noiseMux *mux.Router
 
 	DERPMap    *tailcfg.DERPMap
 	DERPServer *DERPServer
@@ -84,7 +88,7 @@ type Headscale struct {
 	aclPolicy *ACLPolicy
 	aclRules  []tailcfg.FilterRule
 
-	lastStateChange *xsync.MapOf[time.Time]
+	lastStateChange *xsync.MapOf[string, time.Time]
 
 	oidcProvider *oidc.Provider
 	oauth2Config *oauth2.Config
@@ -92,6 +96,9 @@ type Headscale struct {
 	registrationCache *cache.Cache
 
 	ipAllocationMutex sync.Mutex
+
+	shutdownChan       chan struct{}
+	pollNetMapStreamWG sync.WaitGroup
 }
 
 // Look up the TLS constant relative to user-supplied TLS client
@@ -116,22 +123,42 @@ func LookupTLSClientAuthMode(mode string) (tls.ClientAuthType, bool) {
 }
 
 func NewHeadscale(cfg *Config) (*Headscale, error) {
-	privKey, err := readOrCreatePrivateKey(cfg.PrivateKeyPath)
+	privateKey, err := readOrCreatePrivateKey(cfg.PrivateKeyPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read or create private key: %w", err)
 	}
 
+	// TS2021 requires to have a different key from the legacy protocol.
+	noisePrivateKey, err := readOrCreatePrivateKey(cfg.NoisePrivateKeyPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read or create Noise protocol private key: %w", err)
+	}
+
+	if privateKey.Equal(*noisePrivateKey) {
+		return nil, fmt.Errorf("private key and noise private key are the same: %w", err)
+	}
+
 	var dbString string
 	switch cfg.DBtype {
 	case Postgres:
 		dbString = fmt.Sprintf(
-			"host=%s port=%d dbname=%s user=%s password=%s sslmode=disable",
+			"host=%s dbname=%s user=%s",
 			cfg.DBhost,
-			cfg.DBport,
 			cfg.DBname,
 			cfg.DBuser,
-			cfg.DBpass,
 		)
+
+		if !cfg.DBssl {
+			dbString += " sslmode=disable"
+		}
+
+		if cfg.DBport != 0 {
+			dbString += fmt.Sprintf(" port=%d", cfg.DBport)
+		}
+
+		if cfg.DBpass != "" {
+			dbString += fmt.Sprintf(" password=%s", cfg.DBpass)
+		}
 	case Sqlite:
 		dbString = cfg.DBpath
 	default:
@@ -144,12 +171,14 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 	)
 
 	app := Headscale{
-		cfg:               cfg,
-		dbType:            cfg.DBtype,
-		dbString:          dbString,
-		privateKey:        privKey,
-		aclRules:          tailcfg.FilterAllowAll, // default allowall
-		registrationCache: registrationCache,
+		cfg:                cfg,
+		dbType:             cfg.DBtype,
+		dbString:           dbString,
+		privateKey:         privateKey,
+		noisePrivateKey:    noisePrivateKey,
+		aclRules:           tailcfg.FilterAllowAll, // default allowall
+		registrationCache:  registrationCache,
+		pollNetMapStreamWG: sync.WaitGroup{},
 	}
 
 	err = app.initDB()
@@ -160,7 +189,11 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 	if cfg.OIDC.Issuer != "" {
 		err = app.initOIDC()
 		if err != nil {
-			return nil, err
+			if cfg.OIDC.OnlyStartIfOIDCIsAvailable {
+				return nil, err
+			} else {
+				log.Warn().Err(err).Msg("failed to set up OIDC provider, falling back to CLI based authentication")
+			}
 		}
 	}
 
@@ -168,7 +201,7 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 		magicDNSDomains := generateMagicDNSRootDomains(app.cfg.IPPrefixes)
 		// we might have routes already from Split DNS
 		if app.cfg.DNSConfig.Routes == nil {
-			app.cfg.DNSConfig.Routes = make(map[string][]dnstype.Resolver)
+			app.cfg.DNSConfig.Routes = make(map[string][]*dnstype.Resolver)
 		}
 		for _, d := range magicDNSDomains {
 			app.cfg.DNSConfig.Routes[d.WithoutTrailingDot()] = nil
@@ -242,7 +275,7 @@ func (h *Headscale) expireEphemeralNodesWorker() {
 		}
 
 		if expiredFound {
-			h.setLastStateChangeToNow(namespace.Name)
+			h.setLastStateChangeToNow()
 		}
 	}
 }
@@ -326,48 +359,74 @@ func (h *Headscale) grpcAuthenticationInterceptor(ctx context.Context,
 	return handler(ctx, req)
 }
 
-func (h *Headscale) httpAuthenticationMiddleware(ctx *gin.Context) {
-	log.Trace().
-		Caller().
-		Str("client_address", ctx.ClientIP()).
-		Msg("HTTP authentication invoked")
-
-	authHeader := ctx.GetHeader("authorization")
-
-	if !strings.HasPrefix(authHeader, AuthPrefix) {
-		log.Error().
+func (h *Headscale) httpAuthenticationMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(
+		writer http.ResponseWriter,
+		req *http.Request,
+	) {
+		log.Trace().
 			Caller().
-			Str("client_address", ctx.ClientIP()).
-			Msg(`missing "Bearer " prefix in "Authorization" header`)
-		ctx.AbortWithStatus(http.StatusUnauthorized)
+			Str("client_address", req.RemoteAddr).
+			Msg("HTTP authentication invoked")
 
-		return
-	}
+		authHeader := req.Header.Get("authorization")
 
-	valid, err := h.ValidateAPIKey(strings.TrimPrefix(authHeader, AuthPrefix))
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Str("client_address", ctx.ClientIP()).
-			Msg("failed to validate token")
+		if !strings.HasPrefix(authHeader, AuthPrefix) {
+			log.Error().
+				Caller().
+				Str("client_address", req.RemoteAddr).
+				Msg(`missing "Bearer " prefix in "Authorization" header`)
+			writer.WriteHeader(http.StatusUnauthorized)
+			_, err := writer.Write([]byte("Unauthorized"))
+			if err != nil {
+				log.Error().
+					Caller().
+					Err(err).
+					Msg("Failed to write response")
+			}
 
-		ctx.AbortWithStatus(http.StatusInternalServerError)
+			return
+		}
 
-		return
-	}
+		valid, err := h.ValidateAPIKey(strings.TrimPrefix(authHeader, AuthPrefix))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Str("client_address", req.RemoteAddr).
+				Msg("failed to validate token")
 
-	if !valid {
-		log.Info().
-			Str("client_address", ctx.ClientIP()).
-			Msg("invalid token")
+			writer.WriteHeader(http.StatusInternalServerError)
+			_, err := writer.Write([]byte("Unauthorized"))
+			if err != nil {
+				log.Error().
+					Caller().
+					Err(err).
+					Msg("Failed to write response")
+			}
 
-		ctx.AbortWithStatus(http.StatusUnauthorized)
+			return
+		}
 
-		return
-	}
+		if !valid {
+			log.Info().
+				Str("client_address", req.RemoteAddr).
+				Msg("invalid token")
 
-	ctx.Next()
+			writer.WriteHeader(http.StatusUnauthorized)
+			_, err := writer.Write([]byte("Unauthorized"))
+			if err != nil {
+				log.Error().
+					Caller().
+					Err(err).
+					Msg("Failed to write response")
+			}
+
+			return
+		}
+
+		next.ServeHTTP(writer, req)
+	})
 }
 
 // ensureUnixSocketIsAbsent will check if the given path for headscales unix socket is clear
@@ -381,48 +440,49 @@ func (h *Headscale) ensureUnixSocketIsAbsent() error {
 	return os.Remove(h.cfg.UnixSocket)
 }
 
-func (h *Headscale) createPrometheusRouter() *gin.Engine {
-	promRouter := gin.Default()
+func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *mux.Router {
+	router := mux.NewRouter()
 
-	prometheus := ginprometheus.NewPrometheus("gin")
-	prometheus.Use(promRouter)
+	router.HandleFunc(ts2021UpgradePath, h.NoiseUpgradeHandler).Methods(http.MethodPost)
 
-	return promRouter
-}
+	router.HandleFunc("/health", h.HealthHandler).Methods(http.MethodGet)
+	router.HandleFunc("/key", h.KeyHandler).Methods(http.MethodGet)
+	router.HandleFunc("/register/{nkey}", h.RegisterWebAPI).Methods(http.MethodGet)
+	h.addLegacyHandlers(router)
 
-func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *gin.Engine {
-	router := gin.Default()
-
-	router.GET(
-		"/health",
-		func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"healthy": "ok"}) },
-	)
-	router.GET("/key", h.KeyHandler)
-	router.GET("/register", h.RegisterWebAPI)
-	router.POST("/machine/:id/map", h.PollNetMapHandler)
-	router.POST("/machine/:id", h.RegistrationHandler)
-	router.GET("/oidc/register/:mkey", h.RegisterOIDC)
-	router.GET("/oidc/callback", h.OIDCCallback)
-	router.GET("/apple", h.AppleConfigMessage)
-	router.GET("/apple/:platform", h.ApplePlatformConfig)
-	router.GET("/windows", h.WindowsConfigMessage)
-	router.GET("/windows/tailscale.reg", h.WindowsRegConfig)
-	router.GET("/swagger", SwaggerUI)
-	router.GET("/swagger/v1/openapiv2.json", SwaggerAPIv1)
+	router.HandleFunc("/oidc/register/{nkey}", h.RegisterOIDC).Methods(http.MethodGet)
+	router.HandleFunc("/oidc/callback", h.OIDCCallback).Methods(http.MethodGet)
+	router.HandleFunc("/apple", h.AppleConfigMessage).Methods(http.MethodGet)
+	router.HandleFunc("/apple/{platform}", h.ApplePlatformConfig).
+		Methods(http.MethodGet)
+	router.HandleFunc("/windows", h.WindowsConfigMessage).Methods(http.MethodGet)
+	router.HandleFunc("/windows/tailscale.reg", h.WindowsRegConfig).
+		Methods(http.MethodGet)
+	router.HandleFunc("/swagger", SwaggerUI).Methods(http.MethodGet)
+	router.HandleFunc("/swagger/v1/openapiv2.json", SwaggerAPIv1).
+		Methods(http.MethodGet)
 
 	if h.cfg.DERP.ServerEnabled {
-		router.Any("/derp", h.DERPHandler)
-		router.Any("/derp/probe", h.DERPProbeHandler)
-		router.Any("/bootstrap-dns", h.DERPBootstrapDNSHandler)
+		router.HandleFunc("/derp", h.DERPHandler)
+		router.HandleFunc("/derp/probe", h.DERPProbeHandler)
+		router.HandleFunc("/bootstrap-dns", h.DERPBootstrapDNSHandler)
 	}
 
-	api := router.Group("/api")
-	api.Use(h.httpAuthenticationMiddleware)
-	{
-		api.Any("/v1/*any", gin.WrapF(grpcMux.ServeHTTP))
-	}
+	apiRouter := router.PathPrefix("/api").Subrouter()
+	apiRouter.Use(h.httpAuthenticationMiddleware)
+	apiRouter.PathPrefix("/v1/").HandlerFunc(grpcMux.ServeHTTP)
 
-	router.NoRoute(stdoutHandler)
+	router.PathPrefix("/").HandlerFunc(stdoutHandler)
+
+	return router
+}
+
+func (h *Headscale) createNoiseMux() *mux.Router {
+	router := mux.NewRouter()
+
+	router.HandleFunc("/machine/register", h.NoiseRegistrationHandler).
+		Methods(http.MethodPost)
+	router.HandleFunc("/machine/map", h.NoisePollNetMapHandler)
 
 	return router
 }
@@ -538,12 +598,14 @@ func (h *Headscale) Serve() error {
 	// https://github.com/soheilhy/cmux/issues/68
 	// https://github.com/soheilhy/cmux/issues/91
 
+	var grpcServer *grpc.Server
+	var grpcListener net.Listener
 	if tlsConfig != nil || h.cfg.GRPCAllowInsecure {
 		log.Info().Msgf("Enabling remote gRPC at %s", h.cfg.GRPCAddr)
 
 		grpcOptions := []grpc.ServerOption{
 			grpc.UnaryInterceptor(
-				grpc_middleware.ChainUnaryServer(
+				grpcMiddleware.ChainUnaryServer(
 					h.grpcAuthenticationInterceptor,
 					zerolog.NewUnaryServerInterceptor(),
 				),
@@ -558,12 +620,12 @@ func (h *Headscale) Serve() error {
 			log.Warn().Msg("gRPC is running without security")
 		}
 
-		grpcServer := grpc.NewServer(grpcOptions...)
+		grpcServer = grpc.NewServer(grpcOptions...)
 
 		v1.RegisterHeadscaleServiceServer(grpcServer, newHeadscaleV1APIServer(h))
 		reflection.Register(grpcServer)
 
-		grpcListener, err := net.Listen("tcp", h.cfg.GRPCAddr)
+		grpcListener, err = net.Listen("tcp", h.cfg.GRPCAddr)
 		if err != nil {
 			return fmt.Errorf("failed to bind to TCP address: %w", err)
 		}
@@ -578,9 +640,16 @@ func (h *Headscale) Serve() error {
 	//
 	// HTTP setup
 	//
-
+	// This is the regular router that we expose
+	// over our main Addr. It also serves the legacy Tailcale API
 	router := h.createRouter(grpcGatewayMux)
 
+	// This router is served only over the Noise connection, and exposes only the new API.
+	//
+	// The HTTP2 server that exposes this router is created for
+	// a single hijacked connection from /ts2021, using netutil.NewOneConnListener
+	h.noiseMux = h.createNoiseMux()
+
 	httpServer := &http.Server{
 		Addr:        h.cfg.Addr,
 		Handler:     router,
@@ -608,11 +677,12 @@ func (h *Headscale) Serve() error {
 	log.Info().
 		Msgf("listening and serving HTTP on: %s", h.cfg.Addr)
 
-	promRouter := h.createPrometheusRouter()
+	promMux := http.NewServeMux()
+	promMux.Handle("/metrics", promhttp.Handler())
 
 	promHTTPServer := &http.Server{
 		Addr:         h.cfg.MetricsAddr,
-		Handler:      promRouter,
+		Handler:      promMux,
 		ReadTimeout:  HTTPReadTimeout,
 		WriteTimeout: 0,
 	}
@@ -630,6 +700,7 @@ func (h *Headscale) Serve() error {
 		Msgf("listening and serving metrics on: %s", h.cfg.MetricsAddr)
 
 	// Handle common process-killing signals so we can gracefully shut down:
+	h.shutdownChan = make(chan struct{})
 	sigc := make(chan os.Signal, 1)
 	signal.Notify(sigc,
 		syscall.SIGHUP,
@@ -637,7 +708,7 @@ func (h *Headscale) Serve() error {
 		syscall.SIGTERM,
 		syscall.SIGQUIT,
 		syscall.SIGHUP)
-	go func(c chan os.Signal) {
+	sigFunc := func(c chan os.Signal) {
 		// Wait for a SIGINT or SIGKILL:
 		for {
 			sig := <-c
@@ -647,7 +718,7 @@ func (h *Headscale) Serve() error {
 					Str("signal", sig.String()).
 					Msg("Received SIGHUP, reloading ACL and Config")
 
-					// TODO(kradalby): Reload config on SIGHUP
+				// TODO(kradalby): Reload config on SIGHUP
 
 				if h.cfg.ACL.PolicyPath != "" {
 					aclPath := AbsolutePathFromConfigPath(h.cfg.ACL.PolicyPath)
@@ -657,7 +728,9 @@ func (h *Headscale) Serve() error {
 					}
 					log.Info().
 						Str("path", aclPath).
-						Msg("ACL policy successfully reloaded")
+						Msg("ACL policy successfully reloaded, notifying nodes of change")
+
+					h.setLastStateChangeToNow()
 				}
 
 			default:
@@ -665,11 +738,27 @@ func (h *Headscale) Serve() error {
 					Str("signal", sig.String()).
 					Msg("Received signal to stop, shutting down gracefully")
 
+				close(h.shutdownChan)
+				h.pollNetMapStreamWG.Wait()
+
 				// Gracefully shut down servers
-				promHTTPServer.Shutdown(ctx)
-				httpServer.Shutdown(ctx)
+				ctx, cancel := context.WithTimeout(
+					context.Background(),
+					HTTPShutdownTimeout,
+				)
+				if err := promHTTPServer.Shutdown(ctx); err != nil {
+					log.Error().Err(err).Msg("Failed to shutdown prometheus http")
+				}
+				if err := httpServer.Shutdown(ctx); err != nil {
+					log.Error().Err(err).Msg("Failed to shutdown http")
+				}
 				grpcSocket.GracefulStop()
 
+				if grpcServer != nil {
+					grpcServer.GracefulStop()
+					grpcListener.Close()
+				}
+
 				// Close network listeners
 				promHTTPListener.Close()
 				httpListener.Close()
@@ -678,11 +767,30 @@ func (h *Headscale) Serve() error {
 				// Stop listening (and unlink the socket if unix type):
 				socketListener.Close()
 
+				// Close db connections
+				db, err := h.db.DB()
+				if err != nil {
+					log.Error().Err(err).Msg("Failed to get db handle")
+				}
+				err = db.Close()
+				if err != nil {
+					log.Error().Err(err).Msg("Failed to close db")
+				}
+
+				log.Info().
+					Msg("Headscale stopped")
+
 				// And we're done:
+				cancel()
 				os.Exit(0)
 			}
 		}
-	}(sigc)
+	}
+	errorGroup.Go(func() error {
+		sigFunc(sigc)
+
+		return nil
+	})
 
 	return errorGroup.Wait()
 }
@@ -706,20 +814,28 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 		}
 
 		switch h.cfg.TLS.LetsEncrypt.ChallengeType {
-		case "TLS-ALPN-01":
+		case tlsALPN01ChallengeType:
 			// Configuration via autocert with TLS-ALPN-01 (https://tools.ietf.org/html/rfc8737)
 			// The RFC requires that the validation is done on port 443; in other words, headscale
 			// must be reachable on port 443.
 			return certManager.TLSConfig(), nil
 
-		case "HTTP-01":
+		case http01ChallengeType:
 			// Configuration via autocert with HTTP-01. This requires listening on
 			// port 80 for the certificate validation in addition to the headscale
 			// service, which can be configured to run on any other port.
+
+			server := &http.Server{
+				Addr:        h.cfg.TLS.LetsEncrypt.Listen,
+				Handler:     certManager.HTTPHandler(http.HandlerFunc(h.redirect)),
+				ReadTimeout: HTTPReadTimeout,
+			}
+
 			go func() {
+				err := server.ListenAndServe()
 				log.Fatal().
 					Caller().
-					Err(http.ListenAndServe(h.cfg.TLS.LetsEncrypt.Listen, certManager.HTTPHandler(http.HandlerFunc(h.redirect)))).
+					Err(err).
 					Msg("failed to set up a HTTP server")
 			}()
 
@@ -756,23 +872,36 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 	}
 }
 
-func (h *Headscale) setLastStateChangeToNow(namespace string) {
+func (h *Headscale) setLastStateChangeToNow() {
+	var err error
+
 	now := time.Now().UTC()
-	lastStateUpdate.WithLabelValues("", "headscale").Set(float64(now.Unix()))
-	if h.lastStateChange == nil {
-		h.lastStateChange = xsync.NewMapOf[time.Time]()
+
+	namespaces, err := h.ListNamespaces()
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("failed to fetch all namespaces, failing to update last changed state.")
+	}
+
+	for _, namespace := range namespaces {
+		lastStateUpdate.WithLabelValues(namespace.Name, "headscale").Set(float64(now.Unix()))
+		if h.lastStateChange == nil {
+			h.lastStateChange = xsync.NewMapOf[time.Time]()
+		}
+		h.lastStateChange.Store(namespace.Name, now)
 	}
-	h.lastStateChange.Store(namespace, now)
 }
 
-func (h *Headscale) getLastStateChange(namespaces ...string) time.Time {
+func (h *Headscale) getLastStateChange(namespaces ...Namespace) time.Time {
 	times := []time.Time{}
 
 	// getLastStateChange takes a list of namespaces as a "filter", if no namespaces
 	// are past, then use the entier list of namespaces and look for the last update
 	if len(namespaces) > 0 {
 		for _, namespace := range namespaces {
-			if lastChange, ok := h.lastStateChange.Load(namespace); ok {
+			if lastChange, ok := h.lastStateChange.Load(namespace.Name); ok {
 				times = append(times, lastChange)
 			}
 		}
@@ -797,13 +926,16 @@ func (h *Headscale) getLastStateChange(namespaces ...string) time.Time {
 	}
 }
 
-func stdoutHandler(ctx *gin.Context) {
-	body, _ := io.ReadAll(ctx.Request.Body)
+func stdoutHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	body, _ := io.ReadAll(req.Body)
 
 	log.Trace().
-		Interface("header", ctx.Request.Header).
-		Interface("proto", ctx.Request.Proto).
-		Interface("url", ctx.Request.URL).
+		Interface("header", req.Header).
+		Interface("proto", req.Proto).
+		Interface("url", req.URL).
 		Bytes("body", body).
 		Msg("Request did not match")
 }

app_test.go

@@ -1,12 +1,11 @@
 package headscale
 
 import (
-	"io/ioutil"
+	"net/netip"
 	"os"
 	"testing"
 
 	"gopkg.in/check.v1"
-	"inet.af/netaddr"
 )
 
 func Test(t *testing.T) {
@@ -35,13 +34,13 @@ func (s *Suite) ResetDB(c *check.C) {
 		os.RemoveAll(tmpDir)
 	}
 	var err error
-	tmpDir, err = ioutil.TempDir("", "autoygg-client-test")
+	tmpDir, err = os.MkdirTemp("", "autoygg-client-test")
 	if err != nil {
 		c.Fatal(err)
 	}
 	cfg := Config{
-		IPPrefixes: []netaddr.IPPrefix{
-			netaddr.MustParseIPPrefix("10.27.0.0/23"),
+		IPPrefixes: []netip.Prefix{
+			netip.MustParsePrefix("10.27.0.0/23"),
 		},
 	}
 

cmd/headscale/cli/api_key.go

@@ -134,7 +134,9 @@ If you loose a key, create a new one and revoke (expire) the old one.`,
 
 		expiration := time.Now().UTC().Add(time.Duration(duration))
 
-		log.Trace().Dur("expiration", time.Duration(duration)).Msg("expiration has been set")
+		log.Trace().
+			Dur("expiration", time.Duration(duration)).
+			Msg("expiration has been set")
 
 		request.Expiration = timestamppb.New(expiration)
 

cmd/headscale/cli/debug.go

@@ -3,6 +3,7 @@ package cli
 import (
 	"fmt"
 
+	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
@@ -10,8 +11,7 @@ import (
 )
 
 const (
-	keyLength             = 64
-	errPreAuthKeyTooShort = Error("key too short, must be 64 hexadecimal characters")
+	errPreAuthKeyMalformed = Error("key is malformed. expected 64 hex characters with `nodekey` prefix")
 )
 
 // Error is used to compare errors as per https://dave.cheney.net/2016/04/07/constant-errors
@@ -87,8 +87,8 @@ var createNodeCmd = &cobra.Command{
 
 			return
 		}
-		if len(machineKey) != keyLength {
-			err = errPreAuthKeyTooShort
+		if !headscale.NodePublicKeyRegex.Match([]byte(machineKey)) {
+			err = errPreAuthKeyMalformed
 			ErrorOutput(
 				err,
 				fmt.Sprintf("Error: %s", err),

cmd/headscale/cli/dump_config.go

@@ -0,0 +1,28 @@
+package cli
+
+import (
+	"fmt"
+
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+func init() {
+	rootCmd.AddCommand(dumpConfigCmd)
+}
+
+var dumpConfigCmd = &cobra.Command{
+	Use:    "dumpConfig",
+	Short:  "dump current config to /etc/headscale/config.dump.yaml, integration test only",
+	Hidden: true,
+	Args: func(cmd *cobra.Command, args []string) error {
+		return nil
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		err := viper.WriteConfigAs("/etc/headscale/config.dump.yaml")
+		if err != nil {
+			//nolint
+			fmt.Println("Failed to dump config")
+		}
+	},
+}

cmd/headscale/cli/mockoidc.go

@@ -0,0 +1,104 @@
+package cli
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"strconv"
+	"time"
+
+	"github.com/oauth2-proxy/mockoidc"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/cobra"
+)
+
+const (
+	errMockOidcClientIDNotDefined     = Error("MOCKOIDC_CLIENT_ID not defined")
+	errMockOidcClientSecretNotDefined = Error("MOCKOIDC_CLIENT_SECRET not defined")
+	errMockOidcPortNotDefined         = Error("MOCKOIDC_PORT not defined")
+	accessTTL                         = 10 * time.Minute
+	refreshTTL                        = 60 * time.Minute
+)
+
+func init() {
+	rootCmd.AddCommand(mockOidcCmd)
+}
+
+var mockOidcCmd = &cobra.Command{
+	Use:   "mockoidc",
+	Short: "Runs a mock OIDC server for testing",
+	Long:  "This internal command runs a OpenID Connect for testing purposes",
+	Run: func(cmd *cobra.Command, args []string) {
+		err := mockOIDC()
+		if err != nil {
+			log.Error().Err(err).Msgf("Error running mock OIDC server")
+			os.Exit(1)
+		}
+	},
+}
+
+func mockOIDC() error {
+	clientID := os.Getenv("MOCKOIDC_CLIENT_ID")
+	if clientID == "" {
+		return errMockOidcClientIDNotDefined
+	}
+	clientSecret := os.Getenv("MOCKOIDC_CLIENT_SECRET")
+	if clientSecret == "" {
+		return errMockOidcClientSecretNotDefined
+	}
+	addrStr := os.Getenv("MOCKOIDC_ADDR")
+	if addrStr == "" {
+		return errMockOidcPortNotDefined
+	}
+	portStr := os.Getenv("MOCKOIDC_PORT")
+	if portStr == "" {
+		return errMockOidcPortNotDefined
+	}
+
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		return err
+	}
+
+	mock, err := getMockOIDC(clientID, clientSecret)
+	if err != nil {
+		return err
+	}
+
+	listener, err := net.Listen("tcp", fmt.Sprintf("%s:%d", addrStr, port))
+	if err != nil {
+		return err
+	}
+
+	err = mock.Start(listener, nil)
+	if err != nil {
+		return err
+	}
+	log.Info().Msgf("Mock OIDC server listening on %s", listener.Addr().String())
+	log.Info().Msgf("Issuer: %s", mock.Issuer())
+	c := make(chan struct{})
+	<-c
+
+	return nil
+}
+
+func getMockOIDC(clientID string, clientSecret string) (*mockoidc.MockOIDC, error) {
+	keypair, err := mockoidc.NewKeypair(nil)
+	if err != nil {
+		return nil, err
+	}
+
+	mock := mockoidc.MockOIDC{
+		ClientID:                      clientID,
+		ClientSecret:                  clientSecret,
+		AccessTTL:                     accessTTL,
+		RefreshTTL:                    refreshTTL,
+		CodeChallengeMethodsSupported: []string{"plain", "S256"},
+		Keypair:                       keypair,
+		SessionStore:                  mockoidc.NewSessionStore(),
+		UserQueue:                     &mockoidc.UserQueue{},
+		ErrorQueue:                    &mockoidc.ErrorQueue{},
+	}
+
+	return &mock, nil
+}

cmd/headscale/cli/nodes.go

@@ -3,6 +3,7 @@ package cli
 import (
 	"fmt"
 	"log"
+	"net/netip"
 	"strconv"
 	"strings"
 	"time"
@@ -13,7 +14,6 @@ import (
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
-	"inet.af/netaddr"
 	"tailscale.com/types/key"
 )
 
@@ -108,7 +108,7 @@ var registerNodeCmd = &cobra.Command{
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf("Error getting machine key from flag: %s", err),
+				fmt.Sprintf("Error getting node key from flag: %s", err),
 				output,
 			)
 
@@ -134,7 +134,9 @@ var registerNodeCmd = &cobra.Command{
 			return
 		}
 
-		SuccessOutput(response.Machine, "Machine register", output)
+		SuccessOutput(
+			response.Machine,
+			fmt.Sprintf("Machine %s registered", response.Machine.GivenName), output)
 	},
 }
 
@@ -465,6 +467,7 @@ func nodesToPtables(
 ) (pterm.TableData, error) {
 	tableHeader := []string{
 		"ID",
+		"Hostname",
 		"Name",
 		"NodeKey",
 		"Namespace",
@@ -556,7 +559,7 @@ func nodesToPtables(
 		var IPV4Address string
 		var IPV6Address string
 		for _, addr := range machine.IpAddresses {
-			if netaddr.MustParseIP(addr).Is4() {
+			if netip.MustParseAddr(addr).Is4() {
 				IPV4Address = addr
 			} else {
 				IPV6Address = addr
@@ -566,6 +569,7 @@ func nodesToPtables(
 		nodeData := []string{
 			strconv.FormatUint(machine.Id, headscale.Base10),
 			machine.Name,
+			machine.GetGivenName(),
 			nodeKey.ShortString(),
 			namespace,
 			strings.Join([]string{IPV4Address, IPV6Address}, ", "),

cmd/headscale/cli/preauthkeys.go

@@ -3,6 +3,7 @@ package cli
 import (
 	"fmt"
 	"strconv"
+	"strings"
 	"time"
 
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
@@ -33,6 +34,8 @@ func init() {
 		Bool("ephemeral", false, "Preauthkey for ephemeral nodes")
 	createPreAuthKeyCmd.Flags().
 		StringP("expiration", "e", DefaultPreAuthKeyExpiry, "Human-readable expiration of the key (e.g. 30m, 24h)")
+	createPreAuthKeyCmd.Flags().
+		StringSlice("tags", []string{}, "Tags to automatically assign to node")
 }
 
 var preauthkeysCmd = &cobra.Command{
@@ -81,7 +84,16 @@ var listPreAuthKeys = &cobra.Command{
 		}
 
 		tableData := pterm.TableData{
-			{"ID", "Key", "Reusable", "Ephemeral", "Used", "Expiration", "Created"},
+			{
+				"ID",
+				"Key",
+				"Reusable",
+				"Ephemeral",
+				"Used",
+				"Expiration",
+				"Created",
+				"Tags",
+			},
 		}
 		for _, key := range response.PreAuthKeys {
 			expiration := "-"
@@ -96,6 +108,14 @@ var listPreAuthKeys = &cobra.Command{
 				reusable = fmt.Sprintf("%v", key.GetReusable())
 			}
 
+			aclTags := ""
+
+			for _, tag := range key.AclTags {
+				aclTags += "," + tag
+			}
+
+			aclTags = strings.TrimLeft(aclTags, ",")
+
 			tableData = append(tableData, []string{
 				key.GetId(),
 				key.GetKey(),
@@ -104,6 +124,7 @@ var listPreAuthKeys = &cobra.Command{
 				strconv.FormatBool(key.GetUsed()),
 				expiration,
 				key.GetCreatedAt().AsTime().Format("2006-01-02 15:04:05"),
+				aclTags,
 			})
 
 		}
@@ -136,6 +157,7 @@ var createPreAuthKeyCmd = &cobra.Command{
 
 		reusable, _ := cmd.Flags().GetBool("reusable")
 		ephemeral, _ := cmd.Flags().GetBool("ephemeral")
+		tags, _ := cmd.Flags().GetStringSlice("tags")
 
 		log.Trace().
 			Bool("reusable", reusable).
@@ -147,6 +169,7 @@ var createPreAuthKeyCmd = &cobra.Command{
 			Namespace: namespace,
 			Reusable:  reusable,
 			Ephemeral: ephemeral,
+			AclTags:   tags,
 		}
 
 		durationStr, _ := cmd.Flags().GetString("expiration")
@@ -164,7 +187,9 @@ var createPreAuthKeyCmd = &cobra.Command{
 
 		expiration := time.Now().UTC().Add(time.Duration(duration))
 
-		log.Trace().Dur("expiration", time.Duration(duration)).Msg("expiration has been set")
+		log.Trace().
+			Dur("expiration", time.Duration(duration)).
+			Msg("expiration has been set")
 
 		request.Expiration = timestamppb.New(expiration)
 

cmd/headscale/cli/root.go

@@ -3,17 +3,86 @@ package cli
 import (
 	"fmt"
 	"os"
+	"runtime"
 
+	"github.com/juanfont/headscale"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
+	"github.com/tcnksm/go-latest"
 )
 
+var cfgFile string = ""
+
 func init() {
+	if len(os.Args) > 1 && (os.Args[1] == "version" || os.Args[1] == "mockoidc") {
+		return
+	}
+
+	cobra.OnInitialize(initConfig)
+	rootCmd.PersistentFlags().
+		StringVarP(&cfgFile, "config", "c", "", "config file (default is /etc/headscale/config.yaml)")
 	rootCmd.PersistentFlags().
 		StringP("output", "o", "", "Output format. Empty for human-readable, 'json', 'json-line' or 'yaml'")
 	rootCmd.PersistentFlags().
 		Bool("force", false, "Disable prompts and forces the execution")
 }
 
+func initConfig() {
+	if cfgFile == "" {
+		cfgFile = os.Getenv("HEADSCALE_CONFIG")
+	}
+	if cfgFile != "" {
+		err := headscale.LoadConfig(cfgFile, true)
+		if err != nil {
+			log.Fatal().Caller().Err(err).Msgf("Error loading config file %s", cfgFile)
+		}
+	} else {
+		err := headscale.LoadConfig("", false)
+		if err != nil {
+			log.Fatal().Caller().Err(err).Msgf("Error loading config")
+		}
+	}
+
+	cfg, err := headscale.GetHeadscaleConfig()
+	if err != nil {
+		log.Fatal().Caller().Err(err)
+	}
+
+	machineOutput := HasMachineOutputFlag()
+
+	zerolog.SetGlobalLevel(cfg.Log.Level)
+
+	// If the user has requested a "machine" readable format,
+	// then disable login so the output remains valid.
+	if machineOutput {
+		zerolog.SetGlobalLevel(zerolog.Disabled)
+	}
+
+	if cfg.Log.Format == headscale.JSONLogFormat {
+		log.Logger = log.Output(os.Stdout)
+	}
+
+	if !cfg.DisableUpdateCheck && !machineOutput {
+		if (runtime.GOOS == "linux" || runtime.GOOS == "darwin") &&
+			Version != "dev" {
+			githubTag := &latest.GithubTag{
+				Owner:      "juanfont",
+				Repository: "headscale",
+			}
+			res, err := latest.Check(githubTag, Version)
+			if err == nil && res.Outdated {
+				//nolint
+				fmt.Printf(
+					"An updated version of Headscale has been found (%s vs. your current %s). Check it out https://github.com/juanfont/headscale/releases\n",
+					res.Current,
+					Version,
+				)
+			}
+		}
+	}
+}
+
 var rootCmd = &cobra.Command{
 	Use:   "headscale",
 	Short: "headscale - a Tailscale control server",

cmd/headscale/cli/utils.go

@@ -7,12 +7,10 @@ import (
 	"fmt"
 	"os"
 	"reflect"
-	"time"
 
 	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/rs/zerolog/log"
-	"github.com/spf13/viper"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
@@ -21,27 +19,16 @@ import (
 
 const (
 	HeadscaleDateTimeFormat = "2006-01-02 15:04:05"
+	SocketWritePermissions  = 0o666
 )
 
 func getHeadscaleApp() (*headscale.Headscale, error) {
 	cfg, err := headscale.GetHeadscaleConfig()
 	if err != nil {
-		return nil, fmt.Errorf("failed to load configuration while creating headscale instance: %w", err)
-	}
-
-	// Minimum inactivity time out is keepalive timeout (60s) plus a few seconds
-	// to avoid races
-	minInactivityTimeout, _ := time.ParseDuration("65s")
-	if viper.GetDuration("ephemeral_node_inactivity_timeout") <= minInactivityTimeout {
-		// TODO: Find a better way to return this text
-		//nolint
-		err := fmt.Errorf(
-			"ephemeral_node_inactivity_timeout (%s) is set too low, must be more than %s",
-			viper.GetString("ephemeral_node_inactivity_timeout"),
-			minInactivityTimeout,
+		return nil, fmt.Errorf(
+			"failed to load configuration while creating headscale instance: %w",
+			err,
 		)
-
-		return nil, err
 	}
 
 	app, err := headscale.NewHeadscale(cfg)
@@ -72,6 +59,7 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 			Err(err).
 			Caller().
 			Msgf("Failed to load configuration")
+		os.Exit(-1) // we get here if logging is suppressed (i.e., json output)
 	}
 
 	log.Debug().
@@ -94,6 +82,19 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 
 		address = cfg.UnixSocket
 
+		// Try to give the user better feedback if we cannot write to the headscale
+		// socket.
+		socket, err := os.OpenFile(cfg.UnixSocket, os.O_WRONLY, SocketWritePermissions) //nolint
+		if err != nil {
+			if os.IsPermission(err) {
+				log.Fatal().
+					Err(err).
+					Str("socket", cfg.UnixSocket).
+					Msgf("Unable to read/write to headscale socket, do you have the correct permissions?")
+			}
+		}
+		socket.Close()
+
 		grpcOptions = append(
 			grpcOptions,
 			grpc.WithTransportCredentials(insecure.NewCredentials()),
@@ -133,6 +134,7 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 	conn, err := grpc.DialContext(ctx, address, grpcOptions...)
 	if err != nil {
 		log.Fatal().Caller().Err(err).Msgf("Could not connect: %v", err)
+		os.Exit(-1) // we get here if logging is suppressed (i.e., json output)
 	}
 
 	client := v1.NewHeadscaleServiceClient(conn)

cmd/headscale/headscale.go

@@ -1,17 +1,13 @@
 package main
 
 import (
-	"fmt"
 	"os"
-	"runtime"
 	"time"
 
 	"github.com/efekarakus/termcolor"
-	"github.com/juanfont/headscale"
 	"github.com/juanfont/headscale/cmd/headscale/cli"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
-	"github.com/tcnksm/go-latest"
 )
 
 func main() {
@@ -43,39 +39,5 @@ func main() {
 		NoColor:    !colors,
 	})
 
-	cfg, err := headscale.GetHeadscaleConfig()
-	if err != nil {
-		log.Fatal().Caller().Err(err)
-	}
-
-	machineOutput := cli.HasMachineOutputFlag()
-
-	zerolog.SetGlobalLevel(cfg.LogLevel)
-
-	// If the user has requested a "machine" readable format,
-	// then disable login so the output remains valid.
-	if machineOutput {
-		zerolog.SetGlobalLevel(zerolog.Disabled)
-	}
-
-	if !cfg.DisableUpdateCheck && !machineOutput {
-		if (runtime.GOOS == "linux" || runtime.GOOS == "darwin") &&
-			cli.Version != "dev" {
-			githubTag := &latest.GithubTag{
-				Owner:      "juanfont",
-				Repository: "headscale",
-			}
-			res, err := latest.Check(githubTag, cli.Version)
-			if err == nil && res.Outdated {
-				//nolint
-				fmt.Printf(
-					"An updated version of Headscale has been found (%s vs. your current %s). Check it out https://github.com/juanfont/headscale/releases\n",
-					res.Current,
-					cli.Version,
-				)
-			}
-		}
-	}
-
 	cli.Execute()
 }

cmd/headscale/headscale_test.go

@@ -2,7 +2,6 @@ package main
 
 import (
 	"io/fs"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -27,8 +26,8 @@ func (s *Suite) SetUpSuite(c *check.C) {
 func (s *Suite) TearDownSuite(c *check.C) {
 }
 
-func (*Suite) TestConfigLoading(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "headscale")
+func (*Suite) TestConfigFileLoading(c *check.C) {
+	tmpDir, err := os.MkdirTemp("", "headscale")
 	if err != nil {
 		c.Fatal(err)
 	}
@@ -39,17 +38,19 @@ func (*Suite) TestConfigLoading(c *check.C) {
 		c.Fatal(err)
 	}
 
+	cfgFile := filepath.Join(tmpDir, "config.yaml")
+
 	// Symlink the example config file
 	err = os.Symlink(
 		filepath.Clean(path+"/../../config-example.yaml"),
-		filepath.Join(tmpDir, "config.yaml"),
+		cfgFile,
 	)
 	if err != nil {
 		c.Fatal(err)
 	}
 
 	// Load example config, it should load without validation errors
-	err = headscale.LoadConfig(tmpDir)
+	err = headscale.LoadConfig(cfgFile, true)
 	c.Assert(err, check.IsNil)
 
 	// Test that config file was interpreted correctly
@@ -70,8 +71,8 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	c.Assert(viper.GetBool("logtail.enabled"), check.Equals, false)
 }
 
-func (*Suite) TestDNSConfigLoading(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "headscale")
+func (*Suite) TestConfigLoading(c *check.C) {
+	tmpDir, err := os.MkdirTemp("", "headscale")
 	if err != nil {
 		c.Fatal(err)
 	}
@@ -92,7 +93,51 @@ func (*Suite) TestDNSConfigLoading(c *check.C) {
 	}
 
 	// Load example config, it should load without validation errors
-	err = headscale.LoadConfig(tmpDir)
+	err = headscale.LoadConfig(tmpDir, false)
+	c.Assert(err, check.IsNil)
+
+	// Test that config file was interpreted correctly
+	c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
+	c.Assert(viper.GetString("listen_addr"), check.Equals, "0.0.0.0:8080")
+	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
+	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
+	c.Assert(viper.GetString("db_path"), check.Equals, "/var/lib/headscale/db.sqlite")
+	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
+	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
+	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
+	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
+	c.Assert(
+		headscale.GetFileMode("unix_socket_permission"),
+		check.Equals,
+		fs.FileMode(0o770),
+	)
+	c.Assert(viper.GetBool("logtail.enabled"), check.Equals, false)
+	c.Assert(viper.GetBool("randomize_client_port"), check.Equals, false)
+}
+
+func (*Suite) TestDNSConfigLoading(c *check.C) {
+	tmpDir, err := os.MkdirTemp("", "headscale")
+	if err != nil {
+		c.Fatal(err)
+	}
+	defer os.RemoveAll(tmpDir)
+
+	path, err := os.Getwd()
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	// Symlink the example config file
+	err = os.Symlink(
+		filepath.Clean(path+"/../../config-example.yaml"),
+		filepath.Join(tmpDir, "config.yaml"),
+	)
+	if err != nil {
+		c.Fatal(err)
+	}
+
+	// Load example config, it should load without validation errors
+	err = headscale.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)
 
 	dnsConfig, baseDomain := headscale.GetDNSConfig()
@@ -106,26 +151,28 @@ func (*Suite) TestDNSConfigLoading(c *check.C) {
 func writeConfig(c *check.C, tmpDir string, configYaml []byte) {
 	// Populate a custom config file
 	configFile := filepath.Join(tmpDir, "config.yaml")
-	err := ioutil.WriteFile(configFile, configYaml, 0o600)
+	err := os.WriteFile(configFile, configYaml, 0o600)
 	if err != nil {
 		c.Fatalf("Couldn't write file %s", configFile)
 	}
 }
 
 func (*Suite) TestTLSConfigValidation(c *check.C) {
-	tmpDir, err := ioutil.TempDir("", "headscale")
+	tmpDir, err := os.MkdirTemp("", "headscale")
 	if err != nil {
 		c.Fatal(err)
 	}
 	// defer os.RemoveAll(tmpDir)
-
-	configYaml := []byte(
-		"---\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"\"\ntls_cert_path: \"abc.pem\"",
-	)
+	configYaml := []byte(`---
+tls_letsencrypt_hostname: example.com
+tls_letsencrypt_challenge_type: ""
+tls_cert_path: abc.pem
+noise:
+  private_key_path: noise_private.key`)
 	writeConfig(c, tmpDir, configYaml)
 
 	// Check configuration validation errors (1)
-	err = headscale.LoadConfig(tmpDir)
+	err = headscale.LoadConfig(tmpDir, false)
 	c.Assert(err, check.NotNil)
 	// check.Matches can not handle multiline strings
 	tmp := strings.ReplaceAll(err.Error(), "\n", "***")
@@ -146,10 +193,14 @@ func (*Suite) TestTLSConfigValidation(c *check.C) {
 	)
 
 	// Check configuration validation errors (2)
-	configYaml = []byte(
-		"---\nserver_url: \"http://127.0.0.1:8080\"\ntls_letsencrypt_hostname: \"example.com\"\ntls_letsencrypt_challenge_type: \"TLS-ALPN-01\"",
-	)
+	configYaml = []byte(`---
+noise:
+  private_key_path: noise_private.key
+server_url: http://127.0.0.1:8080
+tls_letsencrypt_hostname: example.com
+tls_letsencrypt_challenge_type: TLS-ALPN-01
+`)
 	writeConfig(c, tmpDir, configYaml)
-	err = headscale.LoadConfig(tmpDir)
+	err = headscale.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)
 }

config-example.yaml

@@ -35,12 +35,20 @@ grpc_listen_addr: 0.0.0.0:50443
 # are doing.
 grpc_allow_insecure: false
 
-# Private key used encrypt the traffic between headscale
+# Private key used to encrypt the traffic between headscale
 # and Tailscale clients.
-# The private key file which will be
-# autogenerated if it's missing
+# The private key file will be autogenerated if it's missing.
 private_key_path: /var/lib/headscale/private.key
 
+# The Noise section includes specific configuration for the
+# TS2021 Noise protocol
+noise:
+  # The Noise private key is used to encrypt the
+  # traffic between headscale and Tailscale clients when
+  # using the new Noise-based protocol. It must be different
+  # from the legacy private key.
+  private_key_path: /var/lib/headscale/noise_private.key
+
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
 # and the associated prefix length, delimited by a slash.
@@ -69,7 +77,7 @@ derp:
     region_code: "headscale"
     region_name: "Headscale Embedded DERP"
 
-    # Listens in UDP at the configured address for STUN connections to help on NAT traversal.
+    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
     # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
     #
     # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
@@ -103,17 +111,25 @@ disable_check_updates: false
 # Time before an inactive ephemeral node is deleted?
 ephemeral_node_inactivity_timeout: 30m
 
+# Period to check for node updates within the tailnet. A value too low will severely affect
+# CPU consumption of Headscale. A value too high (over 60s) will cause problems
+# for the nodes, as they won't get updates or keep alive messages frequently enough.
+# In case of doubts, do not touch the default 10s.
+node_update_check_interval: 10s
+
 # SQLite config
 db_type: sqlite3
 db_path: /var/lib/headscale/db.sqlite
 
 # # Postgres config
+# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
 # db_type: postgres
 # db_host: localhost
 # db_port: 5432
 # db_name: headscale
 # db_user: foo
 # db_pass: bar
+# db_ssl: false
 
 ### TLS configuration
 #
@@ -147,7 +163,7 @@ tls_letsencrypt_cache_dir: /var/lib/headscale/cache
 # See [docs/tls.md](docs/tls.md) for more information
 tls_letsencrypt_challenge_type: HTTP-01
 # When HTTP-01 challenge is chosen, letsencrypt must set up a
-# verification endpoint, and it will be listning on:
+# verification endpoint, and it will be listening on:
 # :http = port 80
 tls_letsencrypt_listen: ":http"
 
@@ -155,7 +171,10 @@ tls_letsencrypt_listen: ":http"
 tls_cert_path: ""
 tls_key_path: ""
 
-log_level: info
+log:
+  # Output formatting for logs: text or json
+  format: text
+  level: info
 
 # Path to a file containg ACL policies.
 # ACLs can be defined as YAML or HUJSON.
@@ -172,6 +191,9 @@ acl_policy_path: ""
 # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
 #
 dns_config:
+  # Whether to prefer using Headscale provided DNS or use local.
+  override_local_dns: true
+
   # List of DNS servers to expose to clients.
   nameservers:
     - 1.1.1.1
@@ -210,6 +232,7 @@ unix_socket_permission: "0770"
 # help us test it.
 # OpenID Connect
 # oidc:
+#   only_start_if_oidc_is_available: true
 #   issuer: "https://your-oidc.issuer.com/path"
 #   client_id: "your-oidc-client-id"
 #   client_secret: "your-oidc-client-secret"
@@ -244,3 +267,8 @@ logtail:
   # As there is currently no support for overriding the log server in headscale, this is
   # disabled by default. Enabling this will make your clients send logs to Tailscale Inc.
   enabled: false
+
+# Enabling this option makes devices prefer a random port for WireGuard traffic over the
+# default static port 41641. This option is intended as a workaround for some buggy
+# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information.
+randomize_client_port: false

config.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"io/fs"
+	"net/netip"
 	"net/url"
 	"strings"
 	"time"
@@ -13,11 +14,19 @@ import (
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/viper"
-	"inet.af/netaddr"
+	"go4.org/netipx"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/dnstype"
 )
 
+const (
+	tlsALPN01ChallengeType = "TLS-ALPN-01"
+	http01ChallengeType    = "HTTP-01"
+
+	JSONLogFormat = "json"
+	TextLogFormat = "text"
+)
+
 // Config contains the initial Headscale configuration.
 type Config struct {
 	ServerURL                      string
@@ -26,10 +35,12 @@ type Config struct {
 	GRPCAddr                       string
 	GRPCAllowInsecure              bool
 	EphemeralNodeInactivityTimeout time.Duration
-	IPPrefixes                     []netaddr.IPPrefix
+	NodeUpdateCheckInterval        time.Duration
+	IPPrefixes                     []netip.Prefix
 	PrivateKeyPath                 string
+	NoisePrivateKeyPath            string
 	BaseDomain                     string
-	LogLevel                       zerolog.Level
+	Log                            LogConfig
 	DisableUpdateCheck             bool
 
 	DERP DERPConfig
@@ -41,6 +52,7 @@ type Config struct {
 	DBname string
 	DBuser string
 	DBpass string
+	DBssl  bool
 
 	TLS TLSConfig
 
@@ -54,7 +66,8 @@ type Config struct {
 
 	OIDC OIDCConfig
 
-	LogTail LogTailConfig
+	LogTail             LogTailConfig
+	RandomizeClientPort bool
 
 	CLI CLIConfig
 
@@ -77,14 +90,15 @@ type LetsEncryptConfig struct {
 }
 
 type OIDCConfig struct {
-	Issuer           string
-	ClientID         string
-	ClientSecret     string
-	Scope            []string
-	ExtraParams      map[string]string
-	AllowedDomains   []string
-	AllowedUsers     []string
-	StripEmaildomain bool
+	OnlyStartIfOIDCIsAvailable bool
+	Issuer                     string
+	ClientID                   string
+	ClientSecret               string
+	Scope                      []string
+	ExtraParams                map[string]string
+	AllowedDomains             []string
+	AllowedUsers               []string
+	StripEmaildomain           bool
 }
 
 type DERPConfig struct {
@@ -114,15 +128,24 @@ type ACLConfig struct {
 	PolicyPath string
 }
 
-func LoadConfig(path string) error {
-	viper.SetConfigName("config")
-	if path == "" {
-		viper.AddConfigPath("/etc/headscale/")
-		viper.AddConfigPath("$HOME/.headscale")
-		viper.AddConfigPath(".")
+type LogConfig struct {
+	Format string
+	Level  zerolog.Level
+}
+
+func LoadConfig(path string, isFile bool) error {
+	if isFile {
+		viper.SetConfigFile(path)
 	} else {
-		// For testing
-		viper.AddConfigPath(path)
+		viper.SetConfigName("config")
+		if path == "" {
+			viper.AddConfigPath("/etc/headscale/")
+			viper.AddConfigPath("$HOME/.headscale")
+			viper.AddConfigPath(".")
+		} else {
+			// For testing
+			viper.AddConfigPath(path)
+		}
 	}
 
 	viper.SetEnvPrefix("headscale")
@@ -130,12 +153,14 @@ func LoadConfig(path string) error {
 	viper.AutomaticEnv()
 
 	viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
-	viper.SetDefault("tls_letsencrypt_challenge_type", "HTTP-01")
+	viper.SetDefault("tls_letsencrypt_challenge_type", http01ChallengeType)
 	viper.SetDefault("tls_client_auth_mode", "relaxed")
 
-	viper.SetDefault("log_level", "info")
+	viper.SetDefault("log.level", "info")
+	viper.SetDefault("log.format", TextLogFormat)
 
 	viper.SetDefault("dns_config", nil)
+	viper.SetDefault("dns_config.override_local_dns", true)
 
 	viper.SetDefault("derp.server.enabled", false)
 	viper.SetDefault("derp.server.stun.enabled", true)
@@ -151,10 +176,18 @@ func LoadConfig(path string) error {
 
 	viper.SetDefault("oidc.scope", []string{oidc.ScopeOpenID, "profile", "email"})
 	viper.SetDefault("oidc.strip_email_domain", true)
+	viper.SetDefault("oidc.only_start_if_oidc_is_available", true)
 
 	viper.SetDefault("logtail.enabled", false)
+	viper.SetDefault("randomize_client_port", false)
+
+	viper.SetDefault("ephemeral_node_inactivity_timeout", "120s")
+
+	viper.SetDefault("node_update_check_interval", "10s")
 
 	if err := viper.ReadInConfig(); err != nil {
+		log.Warn().Err(err).Msg("Failed to read configuration from disk")
+
 		return fmt.Errorf("fatal error reading config file: %w", err)
 	}
 
@@ -165,16 +198,20 @@ func LoadConfig(path string) error {
 		errorText += "Fatal config error: set either tls_letsencrypt_hostname or tls_cert_path/tls_key_path, not both\n"
 	}
 
+	if !viper.IsSet("noise") || viper.GetString("noise.private_key_path") == "" {
+		errorText += "Fatal config error: headscale now requires a new `noise.private_key_path` field in the config file for the Tailscale v2 protocol\n"
+	}
+
 	if (viper.GetString("tls_letsencrypt_hostname") != "") &&
-		(viper.GetString("tls_letsencrypt_challenge_type") == "TLS-ALPN-01") &&
+		(viper.GetString("tls_letsencrypt_challenge_type") == tlsALPN01ChallengeType) &&
 		(!strings.HasSuffix(viper.GetString("listen_addr"), ":443")) {
 		// this is only a warning because there could be something sitting in front of headscale that redirects the traffic (e.g. an iptables rule)
 		log.Warn().
 			Msg("Warning: when using tls_letsencrypt_hostname with TLS-ALPN-01 as challenge type, headscale must be reachable on port 443, i.e. listen_addr should probably end in :443")
 	}
 
-	if (viper.GetString("tls_letsencrypt_challenge_type") != "HTTP-01") &&
-		(viper.GetString("tls_letsencrypt_challenge_type") != "TLS-ALPN-01") {
+	if (viper.GetString("tls_letsencrypt_challenge_type") != http01ChallengeType) &&
+		(viper.GetString("tls_letsencrypt_challenge_type") != tlsALPN01ChallengeType) {
 		errorText += "Fatal config error: the only supported values for tls_letsencrypt_challenge_type are HTTP-01 and TLS-ALPN-01\n"
 	}
 
@@ -196,6 +233,26 @@ func LoadConfig(path string) error {
 			EnforcedClientAuth)
 	}
 
+	// Minimum inactivity time out is keepalive timeout (60s) plus a few seconds
+	// to avoid races
+	minInactivityTimeout, _ := time.ParseDuration("65s")
+	if viper.GetDuration("ephemeral_node_inactivity_timeout") <= minInactivityTimeout {
+		errorText += fmt.Sprintf(
+			"Fatal config error: ephemeral_node_inactivity_timeout (%s) is set too low, must be more than %s",
+			viper.GetString("ephemeral_node_inactivity_timeout"),
+			minInactivityTimeout,
+		)
+	}
+
+	maxNodeUpdateCheckInterval, _ := time.ParseDuration("60s")
+	if viper.GetDuration("node_update_check_interval") > maxNodeUpdateCheckInterval {
+		errorText += fmt.Sprintf(
+			"Fatal config error: node_update_check_interval (%s) is set too high, must be less than %s",
+			viper.GetString("node_update_check_interval"),
+			maxNodeUpdateCheckInterval,
+		)
+	}
+
 	if errorText != "" {
 		//nolint
 		return errors.New(strings.TrimSuffix(errorText, "\n"))
@@ -289,18 +346,48 @@ func GetACLConfig() ACLConfig {
 	}
 }
 
+func GetLogConfig() LogConfig {
+	logLevelStr := viper.GetString("log.level")
+	logLevel, err := zerolog.ParseLevel(logLevelStr)
+	if err != nil {
+		logLevel = zerolog.DebugLevel
+	}
+
+	logFormatOpt := viper.GetString("log.format")
+	var logFormat string
+	switch logFormatOpt {
+	case "json":
+		logFormat = JSONLogFormat
+	case "text":
+		logFormat = TextLogFormat
+	case "":
+		logFormat = TextLogFormat
+	default:
+		log.Error().
+			Str("func", "GetLogConfig").
+			Msgf("Could not parse log format: %s. Valid choices are 'json' or 'text'", logFormatOpt)
+	}
+
+	return LogConfig{
+		Format: logFormat,
+		Level:  logLevel,
+	}
+}
+
 func GetDNSConfig() (*tailcfg.DNSConfig, string) {
 	if viper.IsSet("dns_config") {
 		dnsConfig := &tailcfg.DNSConfig{}
 
+		overrideLocalDNS := viper.GetBool("dns_config.override_local_dns")
+
 		if viper.IsSet("dns_config.nameservers") {
 			nameserversStr := viper.GetStringSlice("dns_config.nameservers")
 
-			nameservers := make([]netaddr.IP, len(nameserversStr))
-			resolvers := make([]dnstype.Resolver, len(nameserversStr))
+			nameservers := make([]netip.Addr, len(nameserversStr))
+			resolvers := make([]*dnstype.Resolver, len(nameserversStr))
 
 			for index, nameserverStr := range nameserversStr {
-				nameserver, err := netaddr.ParseIP(nameserverStr)
+				nameserver, err := netip.ParseAddr(nameserverStr)
 				if err != nil {
 					log.Error().
 						Str("func", "getDNSConfig").
@@ -309,35 +396,40 @@ func GetDNSConfig() (*tailcfg.DNSConfig, string) {
 				}
 
 				nameservers[index] = nameserver
-				resolvers[index] = dnstype.Resolver{
+				resolvers[index] = &dnstype.Resolver{
 					Addr: nameserver.String(),
 				}
 			}
 
 			dnsConfig.Nameservers = nameservers
-			dnsConfig.Resolvers = resolvers
+
+			if overrideLocalDNS {
+				dnsConfig.Resolvers = resolvers
+			} else {
+				dnsConfig.FallbackResolvers = resolvers
+			}
 		}
 
 		if viper.IsSet("dns_config.restricted_nameservers") {
 			if len(dnsConfig.Nameservers) > 0 {
-				dnsConfig.Routes = make(map[string][]dnstype.Resolver)
+				dnsConfig.Routes = make(map[string][]*dnstype.Resolver)
 				restrictedDNS := viper.GetStringMapStringSlice(
 					"dns_config.restricted_nameservers",
 				)
 				for domain, restrictedNameservers := range restrictedDNS {
 					restrictedResolvers := make(
-						[]dnstype.Resolver,
+						[]*dnstype.Resolver,
 						len(restrictedNameservers),
 					)
 					for index, nameserverStr := range restrictedNameservers {
-						nameserver, err := netaddr.ParseIP(nameserverStr)
+						nameserver, err := netip.ParseAddr(nameserverStr)
 						if err != nil {
 							log.Error().
 								Str("func", "getDNSConfig").
 								Err(err).
 								Msgf("Could not parse restricted nameserver IP: %s", nameserverStr)
 						}
-						restrictedResolvers[index] = dnstype.Resolver{
+						restrictedResolvers[index] = &dnstype.Resolver{
 							Addr: nameserver.String(),
 						}
 					}
@@ -350,17 +442,17 @@ func GetDNSConfig() (*tailcfg.DNSConfig, string) {
 		}
 
 		if viper.IsSet("dns_config.domains") {
-			dnsConfig.Domains = viper.GetStringSlice("dns_config.domains")
+			domains := viper.GetStringSlice("dns_config.domains")
+			if len(dnsConfig.Nameservers) > 0 {
+				dnsConfig.Domains = domains
+			} else if domains != nil {
+				log.Warn().
+					Msg("Warning: dns_config.domains is set, but no nameservers are configured. Ignoring domains.")
+			}
 		}
 
 		if viper.IsSet("dns_config.magic_dns") {
-			magicDNS := viper.GetBool("dns_config.magic_dns")
-			if len(dnsConfig.Nameservers) > 0 {
-				dnsConfig.Proxied = magicDNS
-			} else if magicDNS {
-				log.Warn().
-					Msg("Warning: dns_config.magic_dns is set, but no nameservers are configured. Ignoring magic_dns.")
-			}
+			dnsConfig.Proxied = viper.GetBool("dns_config.magic_dns")
 		}
 
 		var baseDomain string
@@ -377,54 +469,28 @@ func GetDNSConfig() (*tailcfg.DNSConfig, string) {
 }
 
 func GetHeadscaleConfig() (*Config, error) {
-	err := LoadConfig("")
-	if err != nil {
-		return nil, err
-	}
-
 	dnsConfig, baseDomain := GetDNSConfig()
 	derpConfig := GetDERPConfig()
 	logConfig := GetLogTailConfig()
+	randomizeClientPort := viper.GetBool("randomize_client_port")
 
 	configuredPrefixes := viper.GetStringSlice("ip_prefixes")
-	parsedPrefixes := make([]netaddr.IPPrefix, 0, len(configuredPrefixes)+1)
-
-	logLevelStr := viper.GetString("log_level")
-	logLevel, err := zerolog.ParseLevel(logLevelStr)
-	if err != nil {
-		logLevel = zerolog.DebugLevel
-	}
-
-	legacyPrefixField := viper.GetString("ip_prefix")
-	if len(legacyPrefixField) > 0 {
-		log.
-			Warn().
-			Msgf(
-				"%s, %s",
-				"use of 'ip_prefix' for configuration is deprecated",
-				"please see 'ip_prefixes' in the shipped example.",
-			)
-		legacyPrefix, err := netaddr.ParseIPPrefix(legacyPrefixField)
-		if err != nil {
-			panic(fmt.Errorf("failed to parse ip_prefix: %w", err))
-		}
-		parsedPrefixes = append(parsedPrefixes, legacyPrefix)
-	}
+	parsedPrefixes := make([]netip.Prefix, 0, len(configuredPrefixes)+1)
 
 	for i, prefixInConfig := range configuredPrefixes {
-		prefix, err := netaddr.ParseIPPrefix(prefixInConfig)
+		prefix, err := netip.ParsePrefix(prefixInConfig)
 		if err != nil {
 			panic(fmt.Errorf("failed to parse ip_prefixes[%d]: %w", i, err))
 		}
 		parsedPrefixes = append(parsedPrefixes, prefix)
 	}
 
-	prefixes := make([]netaddr.IPPrefix, 0, len(parsedPrefixes))
+	prefixes := make([]netip.Prefix, 0, len(parsedPrefixes))
 	{
 		// dedup
 		normalizedPrefixes := make(map[string]int, len(parsedPrefixes))
 		for i, p := range parsedPrefixes {
-			normalized, _ := p.Range().Prefix()
+			normalized, _ := netipx.RangeOfPrefix(p).Prefix()
 			normalizedPrefixes[normalized.String()] = i
 		}
 
@@ -435,7 +501,7 @@ func GetHeadscaleConfig() (*Config, error) {
 	}
 
 	if len(prefixes) < 1 {
-		prefixes = append(prefixes, netaddr.MustParseIPPrefix("100.64.0.0/10"))
+		prefixes = append(prefixes, netip.MustParsePrefix("100.64.0.0/10"))
 		log.Warn().
 			Msgf("'ip_prefixes' not configured, falling back to default: %v", prefixes)
 	}
@@ -447,12 +513,14 @@ func GetHeadscaleConfig() (*Config, error) {
 		GRPCAddr:           viper.GetString("grpc_listen_addr"),
 		GRPCAllowInsecure:  viper.GetBool("grpc_allow_insecure"),
 		DisableUpdateCheck: viper.GetBool("disable_check_updates"),
-		LogLevel:           logLevel,
 
 		IPPrefixes: prefixes,
 		PrivateKeyPath: AbsolutePathFromConfigPath(
 			viper.GetString("private_key_path"),
 		),
+		NoisePrivateKeyPath: AbsolutePathFromConfigPath(
+			viper.GetString("noise.private_key_path"),
+		),
 		BaseDomain: baseDomain,
 
 		DERP: derpConfig,
@@ -461,6 +529,10 @@ func GetHeadscaleConfig() (*Config, error) {
 			"ephemeral_node_inactivity_timeout",
 		),
 
+		NodeUpdateCheckInterval: viper.GetDuration(
+			"node_update_check_interval",
+		),
+
 		DBtype: viper.GetString("db_type"),
 		DBpath: AbsolutePathFromConfigPath(viper.GetString("db_path")),
 		DBhost: viper.GetString("db_host"),
@@ -468,6 +540,7 @@ func GetHeadscaleConfig() (*Config, error) {
 		DBname: viper.GetString("db_name"),
 		DBuser: viper.GetString("db_user"),
 		DBpass: viper.GetString("db_pass"),
+		DBssl:  viper.GetBool("db_ssl"),
 
 		TLS: GetTLSConfig(),
 
@@ -480,6 +553,9 @@ func GetHeadscaleConfig() (*Config, error) {
 		UnixSocketPermission: GetFileMode("unix_socket_permission"),
 
 		OIDC: OIDCConfig{
+			OnlyStartIfOIDCIsAvailable: viper.GetBool(
+				"oidc.only_start_if_oidc_is_available",
+			),
 			Issuer:           viper.GetString("oidc.issuer"),
 			ClientID:         viper.GetString("oidc.client_id"),
 			ClientSecret:     viper.GetString("oidc.client_secret"),
@@ -490,7 +566,8 @@ func GetHeadscaleConfig() (*Config, error) {
 			StripEmaildomain: viper.GetBool("oidc.strip_email_domain"),
 		},
 
-		LogTail: logConfig,
+		LogTail:             logConfig,
+		RandomizeClientPort: randomizeClientPort,
 
 		CLI: CLIConfig{
 			Address:  viper.GetString("cli.address"),
@@ -500,5 +577,7 @@ func GetHeadscaleConfig() (*Config, error) {
 		},
 
 		ACL: GetACLConfig(),
+
+		Log: GetLogConfig(),
 	}, nil
 }

db.go

@@ -1,10 +1,12 @@
 package headscale
 
 import (
+	"context"
 	"database/sql/driver"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"net/netip"
 	"time"
 
 	"github.com/glebarez/sqlite"
@@ -12,7 +14,6 @@ import (
 	"gorm.io/driver/postgres"
 	"gorm.io/gorm"
 	"gorm.io/gorm/logger"
-	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
 )
 
@@ -89,7 +90,7 @@ func (h *Headscale) initDB() error {
 			log.Error().Err(err).Msg("Error accessing db")
 		}
 
-		for _, machine := range machines {
+		for item, machine := range machines {
 			if machine.GivenName == "" {
 				normalizedHostname, err := NormalizeToFQDNRules(
 					machine.Hostname,
@@ -103,7 +104,7 @@ func (h *Headscale) initDB() error {
 						Msg("Failed to normalize machine hostname in DB migration")
 				}
 
-				err = h.RenameMachine(&machine, normalizedHostname)
+				err = h.RenameMachine(&machines[item], normalizedHostname)
 				if err != nil {
 					log.Error().
 						Caller().
@@ -111,7 +112,6 @@ func (h *Headscale) initDB() error {
 						Err(err).
 						Msg("Failed to save normalized machine name in DB migration")
 				}
-
 			}
 		}
 	}
@@ -131,6 +131,11 @@ func (h *Headscale) initDB() error {
 		return err
 	}
 
+	err = db.AutoMigrate(&PreAuthKeyACLTag{})
+	if err != nil {
+		return err
+	}
+
 	_ = db.Migrator().DropTable("shared_machines")
 
 	err = db.AutoMigrate(&APIKey{})
@@ -221,6 +226,17 @@ func (h *Headscale) setValue(key string, value string) error {
 	return nil
 }
 
+func (h *Headscale) pingDB(ctx context.Context) error {
+	ctx, cancel := context.WithTimeout(ctx, time.Second)
+	defer cancel()
+	db, err := h.db.DB()
+	if err != nil {
+		return err
+	}
+
+	return db.PingContext(ctx)
+}
+
 // This is a "wrapper" type around tailscales
 // Hostinfo to allow us to add database "serialization"
 // methods. This allows us to use a typed values throughout
@@ -237,7 +253,7 @@ func (hi *HostInfo) Scan(destination interface{}) error {
 		return json.Unmarshal([]byte(value), hi)
 
 	default:
-		return fmt.Errorf("%w: unexpected data type %T", errMachineAddressesInvalid, destination)
+		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
 	}
 }
 
@@ -248,7 +264,7 @@ func (hi HostInfo) Value() (driver.Value, error) {
 	return string(bytes), err
 }
 
-type IPPrefixes []netaddr.IPPrefix
+type IPPrefixes []netip.Prefix
 
 func (i *IPPrefixes) Scan(destination interface{}) error {
 	switch value := destination.(type) {
@@ -259,7 +275,7 @@ func (i *IPPrefixes) Scan(destination interface{}) error {
 		return json.Unmarshal([]byte(value), i)
 
 	default:
-		return fmt.Errorf("%w: unexpected data type %T", errMachineAddressesInvalid, destination)
+		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
 	}
 }
 
@@ -281,7 +297,7 @@ func (i *StringList) Scan(destination interface{}) error {
 		return json.Unmarshal([]byte(value), i)
 
 	default:
-		return fmt.Errorf("%w: unexpected data type %T", errMachineAddressesInvalid, destination)
+		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
 	}
 }
 

derp.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"encoding/json"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"os"
@@ -35,7 +34,7 @@ func loadDERPMapFromURL(addr url.URL) (*tailcfg.DERPMap, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), HTTPReadTimeout)
 	defer cancel()
 
-	req, err := http.NewRequestWithContext(ctx, "GET", addr.String(), nil)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, addr.String(), nil)
 	if err != nil {
 		return nil, err
 	}
@@ -50,7 +49,7 @@ func loadDERPMapFromURL(addr url.URL) (*tailcfg.DERPMap, error) {
 	}
 
 	defer resp.Body.Close()
-	body, err := ioutil.ReadAll(resp.Body)
+	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -152,16 +151,7 @@ func (h *Headscale) scheduledDERPMapUpdateWorker(cancelChan <-chan struct{}) {
 				h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region
 			}
 
-			namespaces, err := h.ListNamespaces()
-			if err != nil {
-				log.Error().
-					Err(err).
-					Msg("Failed to fetch namespaces")
-			}
-
-			for _, namespace := range namespaces {
-				h.setLastStateChangeToNow(namespace.Name)
-			}
+			h.setLastStateChangeToNow()
 		}
 	}
 }

derp_server.go

@@ -2,15 +2,16 @@ package headscale
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"net"
 	"net/http"
+	"net/netip"
 	"net/url"
 	"strconv"
 	"strings"
 	"time"
 
-	"github.com/gin-gonic/gin"
 	"github.com/rs/zerolog/log"
 	"tailscale.com/derp"
 	"tailscale.com/net/stun"
@@ -30,6 +31,7 @@ type DERPServer struct {
 }
 
 func (h *Headscale) NewDERPServer() (*DERPServer, error) {
+	log.Trace().Caller().Msg("Creating new embedded DERP server")
 	server := derp.NewServer(key.NodePrivate(*h.privateKey), log.Info().Msgf)
 	region, err := h.generateRegionLocalDERP()
 	if err != nil {
@@ -87,30 +89,51 @@ func (h *Headscale) generateRegionLocalDERP() (tailcfg.DERPRegion, error) {
 	}
 	localDERPregion.Nodes[0].STUNPort = portSTUN
 
+	log.Info().Caller().Msgf("DERP region: %+v", localDERPregion)
+
 	return localDERPregion, nil
 }
 
-func (h *Headscale) DERPHandler(ctx *gin.Context) {
-	log.Trace().Caller().Msgf("/derp request from %v", ctx.ClientIP())
-	up := strings.ToLower(ctx.Request.Header.Get("Upgrade"))
-	if up != "websocket" && up != "derp" {
-		if up != "" {
-			log.Warn().Caller().Msgf("Weird websockets connection upgrade: %q", up)
+func (h *Headscale) DERPHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	log.Trace().Caller().Msgf("/derp request from %v", req.RemoteAddr)
+	upgrade := strings.ToLower(req.Header.Get("Upgrade"))
+
+	if upgrade != "websocket" && upgrade != "derp" {
+		if upgrade != "" {
+			log.Warn().
+				Caller().
+				Msg("No Upgrade header in DERP server request. If headscale is behind a reverse proxy, make sure it is configured to pass WebSockets through.")
+		}
+		writer.Header().Set("Content-Type", "text/plain")
+		writer.WriteHeader(http.StatusUpgradeRequired)
+		_, err := writer.Write([]byte("DERP requires connection upgrade"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
 		}
-		ctx.String(http.StatusUpgradeRequired, "DERP requires connection upgrade")
 
 		return
 	}
 
-	fastStart := ctx.Request.Header.Get(fastStartHeader) == "1"
+	fastStart := req.Header.Get(fastStartHeader) == "1"
 
-	hijacker, ok := ctx.Writer.(http.Hijacker)
+	hijacker, ok := writer.(http.Hijacker)
 	if !ok {
 		log.Error().Caller().Msg("DERP requires Hijacker interface from Gin")
-		ctx.String(
-			http.StatusInternalServerError,
-			"HTTP does not support general TCP support",
-		)
+		writer.Header().Set("Content-Type", "text/plain")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("HTTP does not support general TCP support"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
 
 		return
 	}
@@ -118,17 +141,23 @@ func (h *Headscale) DERPHandler(ctx *gin.Context) {
 	netConn, conn, err := hijacker.Hijack()
 	if err != nil {
 		log.Error().Caller().Err(err).Msgf("Hijack failed")
-		ctx.String(
-			http.StatusInternalServerError,
-			"HTTP does not support general TCP support",
-		)
+		writer.Header().Set("Content-Type", "text/plain")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err = writer.Write([]byte("HTTP does not support general TCP support"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
 
 		return
 	}
+	log.Trace().Caller().Msgf("Hijacked connection from %v", req.RemoteAddr)
 
 	if !fastStart {
 		pubKey := h.privateKey.Public()
-		pubKeyStr := pubKey.UntypedHexString() // nolint
+		pubKeyStr := pubKey.UntypedHexString() //nolint
 		fmt.Fprintf(conn, "HTTP/1.1 101 Switching Protocols\r\n"+
 			"Upgrade: DERP\r\n"+
 			"Connection: Upgrade\r\n"+
@@ -138,17 +167,28 @@ func (h *Headscale) DERPHandler(ctx *gin.Context) {
 			pubKeyStr)
 	}
 
-	h.DERPServer.tailscaleDERP.Accept(netConn, conn, netConn.RemoteAddr().String())
+	h.DERPServer.tailscaleDERP.Accept(req.Context(), netConn, conn, netConn.RemoteAddr().String())
 }
 
 // DERPProbeHandler is the endpoint that js/wasm clients hit to measure
 // DERP latency, since they can't do UDP STUN queries.
-func (h *Headscale) DERPProbeHandler(ctx *gin.Context) {
-	switch ctx.Request.Method {
-	case "HEAD", "GET":
-		ctx.Writer.Header().Set("Access-Control-Allow-Origin", "*")
+func (h *Headscale) DERPProbeHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
+	switch req.Method {
+	case http.MethodHead, http.MethodGet:
+		writer.Header().Set("Access-Control-Allow-Origin", "*")
+		writer.WriteHeader(http.StatusOK)
 	default:
-		ctx.String(http.StatusMethodNotAllowed, "bogus probe method")
+		writer.WriteHeader(http.StatusMethodNotAllowed)
+		_, err := writer.Write([]byte("bogus probe method"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
 	}
 }
 
@@ -159,15 +199,18 @@ func (h *Headscale) DERPProbeHandler(ctx *gin.Context) {
 // The initial implementation is here https://github.com/tailscale/tailscale/pull/1406
 // They have a cache, but not clear if that is really necessary at Headscale, uh, scale.
 // An example implementation is found here https://derp.tailscale.com/bootstrap-dns
-func (h *Headscale) DERPBootstrapDNSHandler(ctx *gin.Context) {
+func (h *Headscale) DERPBootstrapDNSHandler(
+	writer http.ResponseWriter,
+	req *http.Request,
+) {
 	dnsEntries := make(map[string][]net.IP)
 
-	resolvCtx, cancel := context.WithTimeout(context.Background(), time.Minute)
+	resolvCtx, cancel := context.WithTimeout(req.Context(), time.Minute)
 	defer cancel()
-	var r net.Resolver
+	var resolver net.Resolver
 	for _, region := range h.DERPMap.Regions {
 		for _, node := range region.Nodes { // we don't care if we override some nodes
-			addrs, err := r.LookupIP(resolvCtx, "ip", node.HostName)
+			addrs, err := resolver.LookupIP(resolvCtx, "ip", node.HostName)
 			if err != nil {
 				log.Trace().
 					Caller().
@@ -179,7 +222,15 @@ func (h *Headscale) DERPBootstrapDNSHandler(ctx *gin.Context) {
 			dnsEntries[node.HostName] = addrs
 		}
 	}
-	ctx.JSON(http.StatusOK, dnsEntries)
+	writer.Header().Set("Content-Type", "application/json")
+	writer.WriteHeader(http.StatusOK)
+	err := json.NewEncoder(writer).Encode(dnsEntries)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Failed to write response")
+	}
 }
 
 // ServeSTUN starts a STUN server on the configured addr.
@@ -229,7 +280,8 @@ func serverSTUNListener(ctx context.Context, packetConn *net.UDPConn) {
 			continue
 		}
 
-		res := stun.Response(txid, udpAddr.IP, uint16(udpAddr.Port))
+		addr, _ := netip.AddrFromSlice(udpAddr.IP)
+		res := stun.Response(txid, netip.AddrPortFrom(addr, uint16(udpAddr.Port)))
 		_, err = packetConn.WriteTo(res, udpAddr)
 		if err != nil {
 			log.Trace().Caller().Err(err).Msgf("Issue writing to UDP")

dns.go

@@ -2,10 +2,11 @@ package headscale
 
 import (
 	"fmt"
+	"net/netip"
 	"strings"
 
 	mapset "github.com/deckarep/golang-set/v2"
-	"inet.af/netaddr"
+	"go4.org/netipx"
 	"tailscale.com/tailcfg"
 	"tailscale.com/util/dnsname"
 )
@@ -39,11 +40,11 @@ const (
 
 // From the netmask we can find out the wildcard bits (the bits that are not set in the netmask).
 // This allows us to then calculate the subnets included in the subsequent class block and generate the entries.
-func generateMagicDNSRootDomains(ipPrefixes []netaddr.IPPrefix) []dnsname.FQDN {
+func generateMagicDNSRootDomains(ipPrefixes []netip.Prefix) []dnsname.FQDN {
 	fqdns := make([]dnsname.FQDN, 0, len(ipPrefixes))
 	for _, ipPrefix := range ipPrefixes {
-		var generateDNSRoot func(netaddr.IPPrefix) []dnsname.FQDN
-		switch ipPrefix.IP().BitLen() {
+		var generateDNSRoot func(netip.Prefix) []dnsname.FQDN
+		switch ipPrefix.Addr().BitLen() {
 		case ipv4AddressLength:
 			generateDNSRoot = generateIPv4DNSRootDomain
 
@@ -54,7 +55,7 @@ func generateMagicDNSRootDomains(ipPrefixes []netaddr.IPPrefix) []dnsname.FQDN {
 			panic(
 				fmt.Sprintf(
 					"unsupported IP version with address length %d",
-					ipPrefix.IP().BitLen(),
+					ipPrefix.Addr().BitLen(),
 				),
 			)
 		}
@@ -65,9 +66,9 @@ func generateMagicDNSRootDomains(ipPrefixes []netaddr.IPPrefix) []dnsname.FQDN {
 	return fqdns
 }
 
-func generateIPv4DNSRootDomain(ipPrefix netaddr.IPPrefix) []dnsname.FQDN {
+func generateIPv4DNSRootDomain(ipPrefix netip.Prefix) []dnsname.FQDN {
 	// Conversion to the std lib net.IPnet, a bit easier to operate
-	netRange := ipPrefix.IPNet()
+	netRange := netipx.PrefixIPNet(ipPrefix)
 	maskBits, _ := netRange.Mask.Size()
 
 	// lastOctet is the last IP byte covered by the mask
@@ -101,11 +102,11 @@ func generateIPv4DNSRootDomain(ipPrefix netaddr.IPPrefix) []dnsname.FQDN {
 	return fqdns
 }
 
-func generateIPv6DNSRootDomain(ipPrefix netaddr.IPPrefix) []dnsname.FQDN {
+func generateIPv6DNSRootDomain(ipPrefix netip.Prefix) []dnsname.FQDN {
 	const nibbleLen = 4
 
-	maskBits, _ := ipPrefix.IPNet().Mask.Size()
-	expanded := ipPrefix.IP().StringExpanded()
+	maskBits, _ := netipx.PrefixIPNet(ipPrefix).Mask.Size()
+	expanded := ipPrefix.Addr().StringExpanded()
 	nibbleStr := strings.Map(func(r rune) rune {
 		if r == ':' {
 			return -1

dns_test.go

@@ -2,16 +2,16 @@ package headscale
 
 import (
 	"fmt"
+	"net/netip"
 
 	"gopkg.in/check.v1"
-	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/dnstype"
 )
 
 func (s *Suite) TestMagicDNSRootDomains100(c *check.C) {
-	prefixes := []netaddr.IPPrefix{
-		netaddr.MustParseIPPrefix("100.64.0.0/10"),
+	prefixes := []netip.Prefix{
+		netip.MustParsePrefix("100.64.0.0/10"),
 	}
 	domains := generateMagicDNSRootDomains(prefixes)
 
@@ -47,8 +47,8 @@ func (s *Suite) TestMagicDNSRootDomains100(c *check.C) {
 }
 
 func (s *Suite) TestMagicDNSRootDomains172(c *check.C) {
-	prefixes := []netaddr.IPPrefix{
-		netaddr.MustParseIPPrefix("172.16.0.0/16"),
+	prefixes := []netip.Prefix{
+		netip.MustParsePrefix("172.16.0.0/16"),
 	}
 	domains := generateMagicDNSRootDomains(prefixes)
 
@@ -75,8 +75,8 @@ func (s *Suite) TestMagicDNSRootDomains172(c *check.C) {
 
 // Happens when netmask is a multiple of 4 bits (sounds likely).
 func (s *Suite) TestMagicDNSRootDomainsIPv6Single(c *check.C) {
-	prefixes := []netaddr.IPPrefix{
-		netaddr.MustParseIPPrefix("fd7a:115c:a1e0::/48"),
+	prefixes := []netip.Prefix{
+		netip.MustParsePrefix("fd7a:115c:a1e0::/48"),
 	}
 	domains := generateMagicDNSRootDomains(prefixes)
 
@@ -89,8 +89,8 @@ func (s *Suite) TestMagicDNSRootDomainsIPv6Single(c *check.C) {
 }
 
 func (s *Suite) TestMagicDNSRootDomainsIPv6SingleMultiple(c *check.C) {
-	prefixes := []netaddr.IPPrefix{
-		netaddr.MustParseIPPrefix("fd7a:115c:a1e0::/50"),
+	prefixes := []netip.Prefix{
+		netip.MustParsePrefix("fd7a:115c:a1e0::/50"),
 	}
 	domains := generateMagicDNSRootDomains(prefixes)
 
@@ -126,6 +126,7 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 		false,
 		false,
 		nil,
+		nil,
 	)
 	c.Assert(err, check.IsNil)
 
@@ -134,6 +135,7 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 		false,
 		false,
 		nil,
+		nil,
 	)
 	c.Assert(err, check.IsNil)
 
@@ -142,6 +144,7 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 		false,
 		false,
 		nil,
+		nil,
 	)
 	c.Assert(err, check.IsNil)
 
@@ -150,6 +153,7 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 		false,
 		false,
 		nil,
+		nil,
 	)
 	c.Assert(err, check.IsNil)
 
@@ -161,11 +165,11 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 		MachineKey:     "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
 		NodeKey:        "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
 		DiscoKey:       "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		Hostname:           "test_get_shared_nodes_1",
+		Hostname:       "test_get_shared_nodes_1",
 		NamespaceID:    namespaceShared1.ID,
 		Namespace:      *namespaceShared1,
 		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netaddr.IP{netaddr.MustParseIP("100.64.0.1")},
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.1")},
 		AuthKeyID:      uint(preAuthKeyInShared1.ID),
 	}
 	app.db.Save(machineInShared1)
@@ -178,11 +182,11 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:           "test_get_shared_nodes_2",
+		Hostname:       "test_get_shared_nodes_2",
 		NamespaceID:    namespaceShared2.ID,
 		Namespace:      *namespaceShared2,
 		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netaddr.IP{netaddr.MustParseIP("100.64.0.2")},
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.2")},
 		AuthKeyID:      uint(preAuthKeyInShared2.ID),
 	}
 	app.db.Save(machineInShared2)
@@ -195,11 +199,11 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:           "test_get_shared_nodes_3",
+		Hostname:       "test_get_shared_nodes_3",
 		NamespaceID:    namespaceShared3.ID,
 		Namespace:      *namespaceShared3,
 		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netaddr.IP{netaddr.MustParseIP("100.64.0.3")},
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.3")},
 		AuthKeyID:      uint(preAuthKeyInShared3.ID),
 	}
 	app.db.Save(machineInShared3)
@@ -212,18 +216,18 @@ func (s *Suite) TestDNSConfigMapResponseWithMagicDNS(c *check.C) {
 		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:           "test_get_shared_nodes_4",
+		Hostname:       "test_get_shared_nodes_4",
 		NamespaceID:    namespaceShared1.ID,
 		Namespace:      *namespaceShared1,
 		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netaddr.IP{netaddr.MustParseIP("100.64.0.4")},
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.4")},
 		AuthKeyID:      uint(PreAuthKey2InShared1.ID),
 	}
 	app.db.Save(machine2InShared1)
 
 	baseDomain := "foobar.headscale.net"
 	dnsConfigOrig := tailcfg.DNSConfig{
-		Routes:  make(map[string][]dnstype.Resolver),
+		Routes:  make(map[string][]*dnstype.Resolver),
 		Domains: []string{baseDomain},
 		Proxied: true,
 	}
@@ -269,6 +273,7 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 		false,
 		false,
 		nil,
+		nil,
 	)
 	c.Assert(err, check.IsNil)
 
@@ -277,6 +282,7 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 		false,
 		false,
 		nil,
+		nil,
 	)
 	c.Assert(err, check.IsNil)
 
@@ -285,6 +291,7 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 		false,
 		false,
 		nil,
+		nil,
 	)
 	c.Assert(err, check.IsNil)
 
@@ -293,6 +300,7 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 		false,
 		false,
 		nil,
+		nil,
 	)
 	c.Assert(err, check.IsNil)
 
@@ -304,11 +312,11 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 		MachineKey:     "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
 		NodeKey:        "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
 		DiscoKey:       "686824e749f3b7f2a5927ee6c1e422aee5292592d9179a271ed7b3e659b44a66",
-		Hostname:           "test_get_shared_nodes_1",
+		Hostname:       "test_get_shared_nodes_1",
 		NamespaceID:    namespaceShared1.ID,
 		Namespace:      *namespaceShared1,
 		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netaddr.IP{netaddr.MustParseIP("100.64.0.1")},
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.1")},
 		AuthKeyID:      uint(preAuthKeyInShared1.ID),
 	}
 	app.db.Save(machineInShared1)
@@ -321,11 +329,11 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:           "test_get_shared_nodes_2",
+		Hostname:       "test_get_shared_nodes_2",
 		NamespaceID:    namespaceShared2.ID,
 		Namespace:      *namespaceShared2,
 		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netaddr.IP{netaddr.MustParseIP("100.64.0.2")},
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.2")},
 		AuthKeyID:      uint(preAuthKeyInShared2.ID),
 	}
 	app.db.Save(machineInShared2)
@@ -338,11 +346,11 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:           "test_get_shared_nodes_3",
+		Hostname:       "test_get_shared_nodes_3",
 		NamespaceID:    namespaceShared3.ID,
 		Namespace:      *namespaceShared3,
 		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netaddr.IP{netaddr.MustParseIP("100.64.0.3")},
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.3")},
 		AuthKeyID:      uint(preAuthKeyInShared3.ID),
 	}
 	app.db.Save(machineInShared3)
@@ -355,18 +363,18 @@ func (s *Suite) TestDNSConfigMapResponseWithoutMagicDNS(c *check.C) {
 		MachineKey:     "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		NodeKey:        "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
 		DiscoKey:       "dec46ef9dc45c7d2f03bfcd5a640d9e24e3cc68ce3d9da223867c9bc6d5e9863",
-		Hostname:           "test_get_shared_nodes_4",
+		Hostname:       "test_get_shared_nodes_4",
 		NamespaceID:    namespaceShared1.ID,
 		Namespace:      *namespaceShared1,
 		RegisterMethod: RegisterMethodAuthKey,
-		IPAddresses:    []netaddr.IP{netaddr.MustParseIP("100.64.0.4")},
+		IPAddresses:    []netip.Addr{netip.MustParseAddr("100.64.0.4")},
 		AuthKeyID:      uint(preAuthKey2InShared1.ID),
 	}
 	app.db.Save(machine2InShared1)
 
 	baseDomain := "foobar.headscale.net"
 	dnsConfigOrig := tailcfg.DNSConfig{
-		Routes:  make(map[string][]dnstype.Resolver),
+		Routes:  make(map[string][]*dnstype.Resolver),
 		Domains: []string{baseDomain},
 		Proxied: false,
 	}

docs/README.md

@@ -27,6 +27,8 @@ written by community members. It is _not_ verified by `headscale` developers.
 **It might be outdated and it might miss necessary steps**.
 
 - [Running headscale in a container](running-headscale-container.md)
+- [Running headscale on OpenBSD](running-headscale-openbsd.md)
+- [Running headscale behind a reverse proxy](reverse-proxy.md)
 
 ## Misc
 

docs/acls.md

@@ -33,10 +33,10 @@ Note: Namespaces will be created automatically when users authenticate with the
 Headscale server.
 
 ACLs could be written either on [huJSON](https://github.com/tailscale/hujson)
-or Yaml. Check the [test ACLs](../tests/acls) for further information.
+or YAML. Check the [test ACLs](../tests/acls) for further information.
 
 When registering the servers we will need to add the flag
-`--advertised-tags=tag:<tag1>,tag:<tag2>`, and the user (namespace) that is
+`--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user (namespace) that is
 registering the server should be allowed to do it. Since anyone can add tags to
 a server they can register, the check of the tags is done on headscale server
 and only valid tags are applied. A tag is valid if the namespace that is
@@ -83,8 +83,8 @@ Here are the ACL's to implement the same permissions as above:
     // boss have access to all servers
     {
       "action": "accept",
-      "users": ["group:boss"],
-      "ports": [
+      "src": ["group:boss"],
+      "dst": [
         "tag:prod-databases:*",
         "tag:prod-app-servers:*",
         "tag:internal:*",
@@ -93,11 +93,12 @@ Here are the ACL's to implement the same permissions as above:
       ]
     },
 
-    // admin have only access to administrative ports of the servers
+    // admin have only access to administrative ports of the servers, in tcp/22
     {
       "action": "accept",
-      "users": ["group:admin"],
-      "ports": [
+      "src": ["group:admin"],
+      "proto": "tcp",
+      "dst": [
         "tag:prod-databases:22",
         "tag:prod-app-servers:22",
         "tag:internal:22",
@@ -106,12 +107,26 @@ Here are the ACL's to implement the same permissions as above:
       ]
     },
 
+    // we also allow admin to ping the servers
+    {
+      "action": "accept",
+      "src": ["group:admin"],
+      "proto": "icmp",
+      "dst": [
+        "tag:prod-databases:*",
+        "tag:prod-app-servers:*",
+        "tag:internal:*",
+        "tag:dev-databases:*",
+        "tag:dev-app-servers:*"
+      ]
+    },
+
     // developers have access to databases servers and application servers on all ports
     // they can only view the applications servers in prod and have no access to databases servers in production
     {
       "action": "accept",
-      "users": ["group:dev"],
-      "ports": [
+      "src": ["group:dev"],
+      "dst": [
         "tag:dev-databases:*",
         "tag:dev-app-servers:*",
         "tag:prod-app-servers:80,443"
@@ -124,37 +139,38 @@ Here are the ACL's to implement the same permissions as above:
     // https://github.com/juanfont/headscale/issues/502
     {
       "action": "accept",
-      "users": ["group:dev"],
-      "ports": ["10.20.0.0/16:443,5432", "router.internal:0"]
+      "src": ["group:dev"],
+      "dst": ["10.20.0.0/16:443,5432", "router.internal:0"]
     },
 
-    // servers should be able to talk to database. Database should not be able to initiate connections to
+    // servers should be able to talk to database in tcp/5432. Database should not be able to initiate connections to
     // applications servers
     {
       "action": "accept",
-      "users": ["tag:dev-app-servers"],
-      "ports": ["tag:dev-databases:5432"]
+      "src": ["tag:dev-app-servers"],
+      "proto": "tcp",
+      "dst": ["tag:dev-databases:5432"]
     },
     {
       "action": "accept",
-      "users": ["tag:prod-app-servers"],
-      "ports": ["tag:prod-databases:5432"]
+      "src": ["tag:prod-app-servers"],
+      "dst": ["tag:prod-databases:5432"]
     },
 
     // interns have access to dev-app-servers only in reading mode
     {
       "action": "accept",
-      "users": ["group:intern"],
-      "ports": ["tag:dev-app-servers:80,443"]
+      "src": ["group:intern"],
+      "dst": ["tag:dev-app-servers:80,443"]
     },
 
     // We still have to allow internal namespaces communications since nothing guarantees that each user have
     // their own namespaces.
-    { "action": "accept", "users": ["boss"], "ports": ["boss:*"] },
-    { "action": "accept", "users": ["dev1"], "ports": ["dev1:*"] },
-    { "action": "accept", "users": ["dev2"], "ports": ["dev2:*"] },
-    { "action": "accept", "users": ["admin1"], "ports": ["admin1:*"] },
-    { "action": "accept", "users": ["intern1"], "ports": ["intern1:*"] }
+    { "action": "accept", "src": ["boss"], "dst": ["boss:*"] },
+    { "action": "accept", "src": ["dev1"], "dst": ["dev1:*"] },
+    { "action": "accept", "src": ["dev2"], "dst": ["dev2:*"] },
+    { "action": "accept", "src": ["admin1"], "dst": ["admin1:*"] },
+    { "action": "accept", "src": ["intern1"], "dst": ["intern1:*"] }
   ]
 }
 ```

docs/android-client.md

@@ -0,0 +1,19 @@
+# Connecting an Android client
+
+## Goal
+
+This documentation has the goal of showing how a user can use the official Android [Tailscale](https://tailscale.com) client with `headscale`.
+
+## Installation
+
+Install the official Tailscale Android client from the [Google Play Store](https://play.google.com/store/apps/details?id=com.tailscale.ipn) or [F-Droid](https://f-droid.org/packages/com.tailscale.ipn/).
+
+Ensure that the installed version is at least 1.30.0, as that is the first release to support custom URLs.
+
+## Configuring the headscale URL
+
+After opening the app, the kebab menu icon (three dots) on the top bar on the right must be repeatedly opened and closed until the _Change server_ option appears in the menu. This is where you can enter your headscale URL.
+
+A screen recording of this process can be seen in the `tailscale-android` PR which implemented this functionality: <https://github.com/tailscale/tailscale-android/pull/55>
+
+After saving and restarting the app, selecting the regular _Sign in_ option (non-SSO) should open up the headscale authentication page.

docs/reverse-proxy.md

@@ -0,0 +1,100 @@
+# Running headscale behind a reverse proxy
+
+Running headscale behind a reverse proxy is useful when running multiple applications on the same server, and you want to reuse the same external IP and port - usually tcp/443 for HTTPS.
+
+### WebSockets
+
+The reverse proxy MUST be configured to support WebSockets, as it is needed for clients running Tailscale v1.30+.
+
+WebSockets support is required when using the headscale embedded DERP server. In this case, you will also need to expose the UDP port used for STUN (by default, udp/3478). Please check our [config-example.yaml](https://github.com/juanfont/headscale/blob/main/config-example.yaml).
+
+### TLS
+
+Headscale can be configured not to use TLS, leaving it to the reverse proxy to handle. Add the following configuration values to your headscale config file.
+
+```yaml
+server_url: https://<YOUR_SERVER_NAME> # This should be the FQDN at which headscale will be served
+listen_addr: 0.0.0.0:8080
+metrics_listen_addr: 0.0.0.0:9090
+tls_cert_path: ""
+tls_key_path: ""
+```
+
+## nginx
+
+The following example configuration can be used in your nginx setup, substituting values as necessary. `<IP:PORT>` should be the IP address and port where headscale is running. In most cases, this will be `http://localhost:8080`.
+
+```Nginx
+map $http_upgrade $connection_upgrade {
+    default      keep-alive;
+    'websocket'  upgrade;
+    ''           close;
+}
+
+server {
+    listen 80;
+	listen [::]:80;
+
+	listen 443      ssl http2;
+	listen [::]:443 ssl http2;
+
+    server_name <YOUR_SERVER_NAME>;
+
+    ssl_certificate <PATH_TO_CERT>;
+    ssl_certificate_key <PATH_CERT_KEY>;
+    ssl_protocols TLSv1.2 TLSv1.3;
+
+    location / {
+        proxy_pass http://<IP:PORT>;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host $server_name;
+        proxy_redirect http:// https://;
+        proxy_buffering off;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+    }
+}
+```
+
+## istio/envoy
+
+If you using [Istio](https://istio.io/) ingressgateway or [Envoy](https://www.envoyproxy.io/) as reverse proxy, there are some tips for you. If not set, you may see some debug log in proxy as below:
+
+```log
+Sending local reply with details upgrade_failed
+```
+
+### Envoy
+
+You need add a new upgrade_type named `tailscale-control-protocol`. [see detail](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-upgradeconfig)
+
+### Istio
+
+Same as envoy, we can use `EnvoyFilter` to add upgrade_type.
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: headscale-behind-istio-ingress
+  namespace: istio-system
+spec:
+  configPatches:
+    - applyTo: NETWORK_FILTER
+      match:
+        listener:
+          filterChain:
+            filter:
+              name: envoy.filters.network.http_connection_manager
+      patch:
+        operation: MERGE
+        value:
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+            upgrade_configs:
+              - upgrade_type: tailscale-control-protocol
+```

docs/running-headscale-container.md

@@ -48,11 +48,15 @@ Modify the config file to your preferences before launching Docker container.
 Here are some settings that you likely want:
 
 ```yaml
-server_url: http://your-host-name:8080 # Change to your hostname or host IP
+# Change to your hostname or host IP
+server_url: http://your-host-name:8080
 # Listen to 0.0.0.0 so it's accessible outside the container
 metrics_listen_addr: 0.0.0.0:9090
 # The default /var/lib/headscale path is not writable in the container
 private_key_path: /etc/headscale/private.key
+# The default /var/lib/headscale path is not writable in the container
+noise:
+  private_key_path: /etc/headscale/noise_private.key
 # The default /var/lib/headscale path is not writable  in the container
 db_path: /etc/headscale/db.sqlite
 ```
@@ -63,7 +67,6 @@ db_path: /etc/headscale/db.sqlite
 docker run \
   --name headscale \
   --detach \
-  --rm \
   --volume $(pwd)/config:/etc/headscale/ \
   --publish 127.0.0.1:8080:8080 \
   --publish 127.0.0.1:9090:9090 \

docs/running-headscale-openbsd.md

@@ -0,0 +1,206 @@
+# Running headscale on OpenBSD
+
+## Goal
+
+This documentation has the goal of showing a user how-to install and run `headscale` on OpenBSD 7.1.
+In additional to the "get up and running section", there is an optional [rc.d section](#running-headscale-in-the-background-with-rcd)
+describing how to make `headscale` run properly in a server environment.
+
+## Install `headscale`
+
+1. Install from ports (Not Recommend)
+
+   As of OpenBSD 7.1, there's a headscale in ports collection, however, it's severely outdated(v0.12.4).
+   You can install it via `pkg_add headscale`.
+
+2. Install from source on OpenBSD 7.1
+
+```shell
+# Install prerequistes
+# 1. go v1.19+: headscale newer than 0.17 needs go 1.19+ to compile
+# 2. gmake: Makefile in the headscale repo is written in GNU make syntax
+pkg_add -D snap go
+pkg_add gmake
+
+git clone https://github.com/juanfont/headscale.git
+
+cd headscale
+
+# optionally checkout a release
+# option a. you can find offical relase at https://github.com/juanfont/headscale/releases/latest
+# option b. get latest tag, this may be a beta release
+latestTag=$(git describe --tags `git rev-list --tags --max-count=1`)
+
+git checkout $latestTag
+
+gmake build
+
+# make it executable
+chmod a+x headscale
+
+# copy it to /usr/local/sbin
+cp headscale /usr/local/sbin
+```
+
+3. Install from source via cross compile
+
+```shell
+# Install prerequistes
+# 1. go v1.19+: headscale newer than 0.17 needs go 1.19+ to compile
+# 2. gmake: Makefile in the headscale repo is written in GNU make syntax
+
+git clone https://github.com/juanfont/headscale.git
+
+cd headscale
+
+# optionally checkout a release
+# option a. you can find offical relase at https://github.com/juanfont/headscale/releases/latest
+# option b. get latest tag, this may be a beta release
+latestTag=$(git describe --tags `git rev-list --tags --max-count=1`)
+
+git checkout $latestTag
+
+make build GOOS=openbsd
+
+# copy headscale to openbsd machine and put it in /usr/local/sbin
+```
+
+## Configure and run `headscale`
+
+1. Prepare a directory to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database:
+
+```shell
+# Directory for configuration
+
+mkdir -p /etc/headscale
+
+# Directory for Database, and other variable data (like certificates)
+mkdir -p /var/lib/headscale
+```
+
+2. Create an empty SQLite database:
+
+```shell
+touch /var/lib/headscale/db.sqlite
+```
+
+3. Create a `headscale` configuration:
+
+```shell
+touch /etc/headscale/config.yaml
+```
+
+It is **strongly recommended** to copy and modify the [example configuration](../config-example.yaml)
+from the [headscale repository](../)
+
+4. Start the headscale server:
+
+```shell
+headscale serve
+```
+
+This command will start `headscale` in the current terminal session.
+
+---
+
+To continue the tutorial, open a new terminal and let it run in the background.
+Alternatively use terminal emulators like [tmux](https://github.com/tmux/tmux).
+
+To run `headscale` in the background, please follow the steps in the [rc.d section](#running-headscale-in-the-background-with-rcd) before continuing.
+
+5. Verify `headscale` is running:
+
+Verify `headscale` is available:
+
+```shell
+curl http://127.0.0.1:9090/metrics
+```
+
+6. Create a namespace ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
+
+```shell
+headscale namespaces create myfirstnamespace
+```
+
+### Register a machine (normal login)
+
+On a client machine, execute the `tailscale` login command:
+
+```shell
+tailscale up --login-server YOUR_HEADSCALE_URL
+```
+
+Register the machine:
+
+```shell
+headscale --namespace myfirstnamespace nodes register --key <YOU_+MACHINE_KEY>
+```
+
+### Register machine using a pre authenticated key
+
+Generate a key using the command line:
+
+```shell
+headscale --namespace myfirstnamespace preauthkeys create --reusable --expiration 24h
+```
+
+This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
+
+```shell
+tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
+```
+
+## Running `headscale` in the background with rc.d
+
+This section demonstrates how to run `headscale` as a service in the background with [rc.d](https://man.openbsd.org/rc.d).
+
+1. Create a rc.d service at `/etc/rc.d/headscale` containing:
+
+```shell
+#!/bin/ksh
+
+daemon="/usr/local/sbin/headscale"
+daemon_logger="daemon.info"
+daemon_user="root"
+daemon_flags="serve"
+daemon_timeout=60
+
+. /etc/rc.d/rc.subr
+
+rc_bg=YES
+rc_reload=NO
+
+rc_cmd $1
+```
+
+2. `/etc/rc.d/headscale` needs execute permission:
+
+```shell
+chmod a+x /etc/rc.d/headscale
+```
+
+3. Start `headscale` service:
+
+```shell
+rcctl start headscale
+```
+
+4. Make `headscale` service start at boot:
+
+```shell
+rcctl enable headscale
+```
+
+5. Verify the headscale service:
+
+```shell
+rcctl check headscale
+```
+
+Verify `headscale` is available:
+
+```shell
+curl http://127.0.0.1:9090/metrics
+```
+
+`headscale` will now run in the background and start at boot.

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "flake-utils": {
       "locked": {
-        "lastModified": 1644229661,
-        "narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=",
+        "lastModified": 1659877975,
+        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797",
+        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
         "type": "github"
       },
       "original": {
@@ -17,16 +17,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1653733789,
-        "narHash": "sha256-VIYazYCWNvcFNns2XQkHx/mVmCZ3oebZv8W2LS1gLQE=",
+        "lastModified": 1666869603,
+        "narHash": "sha256-3V53or4Vpu4+LrGfGSh3T2V8+qf5RP6nRuex9GywkwE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d1086907f56c5a6c33c0c2e8dc9f42ef6988294f",
+        "rev": "2001e2b31c565bcdf7bc13062b8d7cfccaca05b8",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-22.05",
+        "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -2,167 +2,178 @@
   description = "headscale - Open Source Tailscale Control server";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
     flake-utils.url = "github:numtide/flake-utils";
   };
 
-  outputs = { self, nixpkgs, flake-utils, ... }:
-    let
-      headscaleVersion = if (self ? shortRev) then self.shortRev else "dev";
-    in
+  outputs = {
+    self,
+    nixpkgs,
+    flake-utils,
+    ...
+  }: let
+    headscaleVersion =
+      if (self ? shortRev)
+      then self.shortRev
+      else "dev";
+  in
     {
-      overlay = final: prev:
-        let
-          pkgs = nixpkgs.legacyPackages.${prev.system};
-        in
-        rec {
-          headscale =
-            pkgs.buildGo118Module rec {
-              pname = "headscale";
-              version = headscaleVersion;
-              src = pkgs.lib.cleanSource self;
+      overlay = _: prev: let
+        pkgs = nixpkgs.legacyPackages.${prev.system};
+      in rec {
+        headscale = pkgs.buildGo119Module rec {
+          pname = "headscale";
+          version = headscaleVersion;
+          src = pkgs.lib.cleanSource self;
 
-              # When updating go.mod or go.sum, a new sha will need to be calculated,
-              # update this if you have a mismatch after doing a change to thos files.
-              vendorSha256 = "sha256-b6qPOO/NmcXsAsSRWZlYXZKyRAF++DsL4TEZzRhQhME=";
+          tags = ["ts2019"];
 
-              ldflags = [ "-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}" ];
-            };
+          # Only run unit tests when testing a build
+          checkFlags = ["-short"];
 
-          golines =
-            pkgs.buildGoModule rec {
-              pname = "golines";
-              version = "0.9.0";
+          # When updating go.mod or go.sum, a new sha will need to be calculated,
+          # update this if you have a mismatch after doing a change to thos files.
+          vendorSha256 = "sha256-Cq0WipTQ+kGcvnfP0kjyvjyonl2OC9W7Tj0MCuB1lDU=";
 
-              src = pkgs.fetchFromGitHub {
-                owner = "segmentio";
-                repo = "golines";
-                rev = "v${version}";
-                sha256 = "sha256-BUXEg+4r9L/gqe4DhTlhN55P3jWt7ZyWFQycO6QePrw=";
-              };
-
-              vendorSha256 = "sha256-sEzWUeVk5GB0H41wrp12P8sBWRjg0FHUX6ABDEEBqK8=";
-
-              nativeBuildInputs = [ pkgs.installShellFiles ];
-            };
-
-          golangci-lint = prev.golangci-lint.override {
-            # Override https://github.com/NixOS/nixpkgs/pull/166801 which changed this
-            # to buildGo118Module because it does not build on Darwin.
-            inherit (prev) buildGoModule;
-          };
-
-          # golangci-lint =
-          #   pkgs.buildGo117Module rec {
-          #     pname = "golangci-lint";
-          #     version = "1.46.2";
-          #
-          #     src = pkgs.fetchFromGitHub {
-          #       owner = "golangci";
-          #       repo = "golangci-lint";
-          #       rev = "v${version}";
-          #       sha256 = "sha256-7sDAwWz+qoB/ngeH35tsJ5FZUfAQvQsU6kU9rUHIHMk=";
-          #     };
-          #
-          #     vendorSha256 = "sha256-w38OKN6HPoz37utG/2QSPMai55IRDXCIIymeMe6ogIU=";
-          #
-          #     nativeBuildInputs = [ pkgs.installShellFiles ];
-          #   };
-
-          protoc-gen-grpc-gateway =
-            pkgs.buildGoModule rec {
-              pname = "grpc-gateway";
-              version = "2.8.0";
-
-              src = pkgs.fetchFromGitHub {
-                owner = "grpc-ecosystem";
-                repo = "grpc-gateway";
-                rev = "v${version}";
-                sha256 = "sha256-8eBBBYJ+tBjB2fgPMX/ZlbN3eeS75e8TAZYOKXs6hcg=";
-              };
-
-              vendorSha256 = "sha256-AW2Gn/mlZyLMwF+NpK59eiOmQrYWW/9HPjbunYc9Ij4=";
-
-              nativeBuildInputs = [ pkgs.installShellFiles ];
-
-              subPackages = [ "protoc-gen-grpc-gateway" "protoc-gen-openapiv2" ];
-            };
+          ldflags = ["-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}"];
         };
-    } // flake-utils.lib.eachDefaultSystem
-      (system:
-        let
-          pkgs = import nixpkgs {
-            overlays = [ self.overlay ];
-            inherit system;
+
+        golines = pkgs.buildGoModule rec {
+          pname = "golines";
+          version = "0.11.0";
+
+          src = pkgs.fetchFromGitHub {
+            owner = "segmentio";
+            repo = "golines";
+            rev = "v${version}";
+            sha256 = "sha256-2K9KAg8iSubiTbujyFGN3yggrL+EDyeUCs9OOta/19A=";
           };
-          buildDeps = with pkgs; [ git go_1_18 gnumake ];
-          devDeps = with pkgs;
-            buildDeps ++ [
+
+          vendorSha256 = "sha256-rxYuzn4ezAxaeDhxd8qdOzt+CKYIh03A9zKNdzILq18=";
+
+          nativeBuildInputs = [pkgs.installShellFiles];
+        };
+
+        golangci-lint = prev.golangci-lint.override {
+          # Override https://github.com/NixOS/nixpkgs/pull/166801 which changed this
+          # to buildGo118Module because it does not build on Darwin.
+          inherit (prev) buildGoModule;
+        };
+
+        # golangci-lint =
+        #   pkgs.buildGo117Module rec {
+        #     pname = "golangci-lint";
+        #     version = "1.46.2";
+        #
+        #     src = pkgs.fetchFromGitHub {
+        #       owner = "golangci";
+        #       repo = "golangci-lint";
+        #       rev = "v${version}";
+        #       sha256 = "sha256-7sDAwWz+qoB/ngeH35tsJ5FZUfAQvQsU6kU9rUHIHMk=";
+        #     };
+        #
+        #     vendorSha256 = "sha256-w38OKN6HPoz37utG/2QSPMai55IRDXCIIymeMe6ogIU=";
+        #
+        #     nativeBuildInputs = [ pkgs.installShellFiles ];
+        #   };
+
+        protoc-gen-grpc-gateway = pkgs.buildGoModule rec {
+          pname = "grpc-gateway";
+          version = "2.8.0";
+
+          src = pkgs.fetchFromGitHub {
+            owner = "grpc-ecosystem";
+            repo = "grpc-gateway";
+            rev = "v${version}";
+            sha256 = "sha256-8eBBBYJ+tBjB2fgPMX/ZlbN3eeS75e8TAZYOKXs6hcg=";
+          };
+
+          vendorSha256 = "sha256-AW2Gn/mlZyLMwF+NpK59eiOmQrYWW/9HPjbunYc9Ij4=";
+
+          nativeBuildInputs = [pkgs.installShellFiles];
+
+          subPackages = ["protoc-gen-grpc-gateway" "protoc-gen-openapiv2"];
+        };
+      };
+    }
+    // flake-utils.lib.eachDefaultSystem
+    (system: let
+      pkgs = import nixpkgs {
+        overlays = [self.overlay];
+        inherit system;
+      };
+      buildDeps = with pkgs; [git go_1_19 gnumake];
+      devDeps = with pkgs;
+        buildDeps
+        ++ [
+          golangci-lint
+          golines
+          nodePackages.prettier
+
+          # Protobuf dependencies
+          protobuf
+          protoc-gen-go
+          protoc-gen-go-grpc
+          protoc-gen-grpc-gateway
+          buf
+          clang-tools # clang-format
+        ];
+
+      # Add entry to build a docker image with headscale
+      # caveat: only works on Linux
+      #
+      # Usage:
+      # nix build .#headscale-docker
+      # docker load < result
+      headscale-docker = pkgs.dockerTools.buildLayeredImage {
+        name = "headscale";
+        tag = headscaleVersion;
+        contents = [pkgs.headscale];
+        config.Entrypoint = [(pkgs.headscale + "/bin/headscale")];
+      };
+    in rec {
+      # `nix develop`
+      devShell = pkgs.mkShell {
+        buildInputs = devDeps;
+
+        shellHook = ''
+          export GOFLAGS=-tags="ts2019"
+        '';
+      };
+
+      # `nix build`
+      packages = with pkgs; {
+        inherit headscale;
+        inherit headscale-docker;
+      };
+
+      defaultPackage = pkgs.headscale;
+
+      # `nix run`
+      apps.headscale = flake-utils.lib.mkApp {
+        drv = packages.headscale;
+      };
+      defaultApp = apps.headscale;
+
+      checks = {
+        format =
+          pkgs.runCommand "check-format"
+          {
+            buildInputs = with pkgs; [
+              gnumake
+              nixpkgs-fmt
               golangci-lint
-              golines
               nodePackages.prettier
-
-              # Protobuf dependencies
-              protobuf
-              protoc-gen-go
-              protoc-gen-go-grpc
-              protoc-gen-grpc-gateway
-              buf
-              clang-tools # clang-format
+              golines
+              clang-tools
             ];
-
-
-          # Add entry to build a docker image with headscale
-          # caveat: only works on Linux
-          #
-          # Usage:
-          # nix build .#headscale-docker
-          # docker load < result
-          headscale-docker = pkgs.dockerTools.buildLayeredImage {
-            name = "headscale";
-            tag = headscaleVersion;
-            contents = [ pkgs.headscale ];
-            config.Entrypoint = [ (pkgs.headscale + "/bin/headscale") ];
-          };
-        in
-        rec {
-          # `nix develop`
-          devShell = pkgs.mkShell { buildInputs = devDeps; };
-
-          # `nix build`
-          packages = with pkgs; {
-            inherit headscale;
-            inherit headscale-docker;
-          };
-
-          defaultPackage = pkgs.headscale;
-
-          # `nix run`
-          apps.headscale = flake-utils.lib.mkApp {
-            drv = packages.headscale;
-          };
-          defaultApp = apps.headscale;
-
-          checks = {
-            format = pkgs.runCommand "check-format"
-              {
-                buildInputs = with pkgs; [
-                  gnumake
-                  nixpkgs-fmt
-                  golangci-lint
-                  nodePackages.prettier
-                  golines
-                  clang-tools
-                ];
-              } ''
-              ${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt ${./.}
-              ${pkgs.golangci-lint}/bin/golangci-lint run --fix --timeout 10m
-              ${pkgs.nodePackages.prettier}/bin/prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
-              ${pkgs.golines}/bin/golines --max-len=88 --base-formatter=gofumpt -w ${./.}
-              ${pkgs.clang-tools}/bin/clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i ${./.}
-            '';
-          };
-
-
-        });
+          } ''
+            ${pkgs.nixpkgs-fmt}/bin/nixpkgs-fmt ${./.}
+            ${pkgs.golangci-lint}/bin/golangci-lint run --fix --timeout 10m
+            ${pkgs.nodePackages.prettier}/bin/prettier --write '**/**.{ts,js,md,yaml,yml,sass,css,scss,html}'
+            ${pkgs.golines}/bin/golines --max-len=88 --base-formatter=gofumpt -w ${./.}
+            ${pkgs.clang-tools}/bin/clang-format -style="{BasedOnStyle: Google, IndentWidth: 4, AlignConsecutiveDeclarations: true, AlignConsecutiveAssignments: true, ColumnLimit: 0}" -i ${./.}
+          '';
+      };
+    });
 }

gen/go/headscale/v1/apikey.pb.go

@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.27.1
+// 	protoc-gen-go v1.28.1
 // 	protoc        (unknown)
 // source: headscale/v1/apikey.proto
 

gen/go/headscale/v1/device.pb.go

@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.27.1
+// 	protoc-gen-go v1.28.1
 // 	protoc        (unknown)
 // source: headscale/v1/device.proto
 

gen/go/headscale/v1/headscale.pb.go

@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.27.1
+// 	protoc-gen-go v1.28.1
 // 	protoc        (unknown)
 // source: headscale/v1/headscale.proto
 

gen/go/headscale/v1/headscale_grpc.pb.go

@@ -1,4 +1,8 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
+// versions:
+// - protoc-gen-go-grpc v1.2.0
+// - protoc             (unknown)
+// source: headscale/v1/headscale.proto
 
 package v1
 

gen/go/headscale/v1/machine.pb.go

@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.27.1
+// 	protoc-gen-go v1.28.1
 // 	protoc        (unknown)
 // source: headscale/v1/machine.proto
 

gen/go/headscale/v1/namespace.pb.go

@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.27.1
+// 	protoc-gen-go v1.28.1
 // 	protoc        (unknown)
 // source: headscale/v1/namespace.proto
 

gen/go/headscale/v1/preauthkey.pb.go

@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.27.1
+// 	protoc-gen-go v1.28.1
 // 	protoc        (unknown)
 // source: headscale/v1/preauthkey.proto
 
@@ -34,6 +34,7 @@ type PreAuthKey struct {
 	Used       bool                   `protobuf:"varint,6,opt,name=used,proto3" json:"used,omitempty"`
 	Expiration *timestamppb.Timestamp `protobuf:"bytes,7,opt,name=expiration,proto3" json:"expiration,omitempty"`
 	CreatedAt  *timestamppb.Timestamp `protobuf:"bytes,8,opt,name=created_at,json=createdAt,proto3" json:"created_at,omitempty"`
+	AclTags    []string               `protobuf:"bytes,9,rep,name=acl_tags,json=aclTags,proto3" json:"acl_tags,omitempty"`
 }
 
 func (x *PreAuthKey) Reset() {
@@ -124,6 +125,13 @@ func (x *PreAuthKey) GetCreatedAt() *timestamppb.Timestamp {
 	return nil
 }
 
+func (x *PreAuthKey) GetAclTags() []string {
+	if x != nil {
+		return x.AclTags
+	}
+	return nil
+}
+
 type CreatePreAuthKeyRequest struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -133,6 +141,7 @@ type CreatePreAuthKeyRequest struct {
 	Reusable   bool                   `protobuf:"varint,2,opt,name=reusable,proto3" json:"reusable,omitempty"`
 	Ephemeral  bool                   `protobuf:"varint,3,opt,name=ephemeral,proto3" json:"ephemeral,omitempty"`
 	Expiration *timestamppb.Timestamp `protobuf:"bytes,4,opt,name=expiration,proto3" json:"expiration,omitempty"`
+	AclTags    []string               `protobuf:"bytes,5,rep,name=acl_tags,json=aclTags,proto3" json:"acl_tags,omitempty"`
 }
 
 func (x *CreatePreAuthKeyRequest) Reset() {
@@ -195,6 +204,13 @@ func (x *CreatePreAuthKeyRequest) GetExpiration() *timestamppb.Timestamp {
 	return nil
 }
 
+func (x *CreatePreAuthKeyRequest) GetAclTags() []string {
+	if x != nil {
+		return x.AclTags
+	}
+	return nil
+}
+
 type CreatePreAuthKeyResponse struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -436,7 +452,7 @@ var file_headscale_v1_preauthkey_proto_rawDesc = []byte{
 	0x72, 0x65, 0x61, 0x75, 0x74, 0x68, 0x6b, 0x65, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12,
 	0x0c, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x1a, 0x1f, 0x67,
 	0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x74,
-	0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x91,
+	0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xac,
 	0x02, 0x0a, 0x0a, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x12, 0x1c, 0x0a,
 	0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09,
 	0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x0e, 0x0a, 0x02, 0x69,
@@ -454,42 +470,45 @@ var file_headscale_v1_preauthkey_proto_rawDesc = []byte{
 	0x65, 0x64, 0x5f, 0x61, 0x74, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f,
 	0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69,
 	0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x09, 0x63, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64,
-	0x41, 0x74, 0x22, 0xad, 0x01, 0x0a, 0x17, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x65,
-	0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1c,
-	0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x1a, 0x0a, 0x08,
-	0x72, 0x65, 0x75, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08,
-	0x72, 0x65, 0x75, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x65, 0x70, 0x68, 0x65,
-	0x6d, 0x65, 0x72, 0x61, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x65, 0x70, 0x68,
-	0x65, 0x6d, 0x65, 0x72, 0x61, 0x6c, 0x12, 0x3a, 0x0a, 0x0a, 0x65, 0x78, 0x70, 0x69, 0x72, 0x61,
-	0x74, 0x69, 0x6f, 0x6e, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f,
-	0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d,
-	0x65, 0x73, 0x74, 0x61, 0x6d, 0x70, 0x52, 0x0a, 0x65, 0x78, 0x70, 0x69, 0x72, 0x61, 0x74, 0x69,
-	0x6f, 0x6e, 0x22, 0x56, 0x0a, 0x18, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x65, 0x41,
-	0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3a,
-	0x0a, 0x0c, 0x70, 0x72, 0x65, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01,
-	0x20, 0x01, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65,
-	0x2e, 0x76, 0x31, 0x2e, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x0a,
-	0x70, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x22, 0x49, 0x0a, 0x17, 0x45, 0x78,
-	0x70, 0x69, 0x72, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65,
-	0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61,
-	0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70,
-	0x61, 0x63, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09,
-	0x52, 0x03, 0x6b, 0x65, 0x79, 0x22, 0x1a, 0x0a, 0x18, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x50,
-	0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
-	0x65, 0x22, 0x36, 0x0a, 0x16, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68,
-	0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6e,
+	0x41, 0x74, 0x12, 0x19, 0x0a, 0x08, 0x61, 0x63, 0x6c, 0x5f, 0x74, 0x61, 0x67, 0x73, 0x18, 0x09,
+	0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x61, 0x63, 0x6c, 0x54, 0x61, 0x67, 0x73, 0x22, 0xc8, 0x01,
+	0x0a, 0x17, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b,
+	0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d,
+	0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61,
+	0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x72, 0x65, 0x75, 0x73, 0x61,
+	0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x08, 0x72, 0x65, 0x75, 0x73, 0x61,
+	0x62, 0x6c, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x65, 0x70, 0x68, 0x65, 0x6d, 0x65, 0x72, 0x61, 0x6c,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x08, 0x52, 0x09, 0x65, 0x70, 0x68, 0x65, 0x6d, 0x65, 0x72, 0x61,
+	0x6c, 0x12, 0x3a, 0x0a, 0x0a, 0x65, 0x78, 0x70, 0x69, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18,
+	0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70,
+	0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x54, 0x69, 0x6d, 0x65, 0x73, 0x74, 0x61, 0x6d,
+	0x70, 0x52, 0x0a, 0x65, 0x78, 0x70, 0x69, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x19, 0x0a,
+	0x08, 0x61, 0x63, 0x6c, 0x5f, 0x74, 0x61, 0x67, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52,
+	0x07, 0x61, 0x63, 0x6c, 0x54, 0x61, 0x67, 0x73, 0x22, 0x56, 0x0a, 0x18, 0x43, 0x72, 0x65, 0x61,
+	0x74, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x73, 0x70,
+	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3a, 0x0a, 0x0c, 0x70, 0x72, 0x65, 0x5f, 0x61, 0x75, 0x74, 0x68,
+	0x5f, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x68, 0x65, 0x61,
+	0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74,
+	0x68, 0x4b, 0x65, 0x79, 0x52, 0x0a, 0x70, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79,
+	0x22, 0x49, 0x0a, 0x17, 0x45, 0x78, 0x70, 0x69, 0x72, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74,
+	0x68, 0x4b, 0x65, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6e,
 	0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09,
-	0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x22, 0x57, 0x0a, 0x17, 0x4c, 0x69, 0x73,
-	0x74, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x73, 0x70,
-	0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3c, 0x0a, 0x0d, 0x70, 0x72, 0x65, 0x5f, 0x61, 0x75, 0x74, 0x68,
-	0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x68, 0x65,
-	0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x72, 0x65, 0x41, 0x75,
-	0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x0b, 0x70, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65,
-	0x79, 0x73, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d,
-	0x2f, 0x6a, 0x75, 0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63,
-	0x61, 0x6c, 0x65, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70,
-	0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79,
+	0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x22, 0x1a, 0x0a, 0x18, 0x45,
+	0x78, 0x70, 0x69, 0x72, 0x65, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52,
+	0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x36, 0x0a, 0x16, 0x4c, 0x69, 0x73, 0x74, 0x50,
+	0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x01,
+	0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x22,
+	0x57, 0x0a, 0x17, 0x4c, 0x69, 0x73, 0x74, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65,
+	0x79, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x12, 0x3c, 0x0a, 0x0d, 0x70, 0x72,
+	0x65, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x5f, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28,
+	0x0b, 0x32, 0x18, 0x2e, 0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31,
+	0x2e, 0x50, 0x72, 0x65, 0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x52, 0x0b, 0x70, 0x72, 0x65,
+	0x41, 0x75, 0x74, 0x68, 0x4b, 0x65, 0x79, 0x73, 0x42, 0x29, 0x5a, 0x27, 0x67, 0x69, 0x74, 0x68,
+	0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x75, 0x61, 0x6e, 0x66, 0x6f, 0x6e, 0x74, 0x2f,
+	0x68, 0x65, 0x61, 0x64, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x67, 0x6f,
+	0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (

gen/go/headscale/v1/routes.pb.go

@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.27.1
+// 	protoc-gen-go v1.28.1
 // 	protoc        (unknown)
 // source: headscale/v1/routes.proto
 

gen/openapiv2/headscale/v1/headscale.swagger.json

@@ -824,6 +824,12 @@
         "expiration": {
           "type": "string",
           "format": "date-time"
+        },
+        "aclTags": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
         }
       }
     },
@@ -1102,6 +1108,12 @@
         "createdAt": {
           "type": "string",
           "format": "date-time"
+        },
+        "aclTags": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          }
         }
       }
     },

go.mod

@@ -1,149 +1,150 @@
 module github.com/juanfont/headscale
 
-go 1.18
+go 1.19
 
 require (
-	github.com/AlecAivazis/survey/v2 v2.3.4
+	github.com/AlecAivazis/survey/v2 v2.3.6
 	github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029
-	github.com/coreos/go-oidc/v3 v3.1.0
+	github.com/cenkalti/backoff/v4 v4.1.3
+	github.com/coreos/go-oidc/v3 v3.4.0
 	github.com/deckarep/golang-set/v2 v2.1.0
 	github.com/efekarakus/termcolor v1.0.1
-	github.com/gin-gonic/gin v1.7.7
-	github.com/glebarez/sqlite v1.4.3
-	github.com/gofrs/uuid v4.2.0+incompatible
+	github.com/glebarez/sqlite v1.5.0
+	github.com/gofrs/uuid v4.3.0+incompatible
+	github.com/gorilla/mux v1.8.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.10.0
-	github.com/klauspost/compress v1.15.1
-	github.com/ory/dockertest/v3 v3.8.1
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.12.0
+	github.com/klauspost/compress v1.15.12
+	github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282
+	github.com/ory/dockertest/v3 v3.9.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philip-bui/grpc-zerolog v1.0.1
-	github.com/prometheus/client_golang v1.12.1
-	github.com/pterm/pterm v0.12.41
-	github.com/rs/zerolog v1.26.1
-	github.com/spf13/cobra v1.4.0
-	github.com/spf13/viper v1.11.0
-	github.com/stretchr/testify v1.7.1
-	github.com/tailscale/hujson v0.0.0-20220421170326-6583d0610064
+	github.com/prometheus/client_golang v1.13.0
+	github.com/prometheus/common v0.37.0
+	github.com/pterm/pterm v0.12.49
+	github.com/puzpuzpuz/xsync/v2 v2.0.2
+	github.com/rs/zerolog v1.28.0
+	github.com/spf13/cobra v1.6.1
+	github.com/spf13/viper v1.13.0
+	github.com/stretchr/testify v1.8.0
+	github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f
 	github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e
-	github.com/zsais/go-gin-prometheus v0.1.0
-	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4
-	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
-	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
-	google.golang.org/genproto v0.0.0-20220422154200-b37d22cd5731
-	google.golang.org/grpc v1.46.0
-	google.golang.org/protobuf v1.28.0
+	go4.org/netipx v0.0.0-20220925034521-797b0c90d8ab
+	golang.org/x/crypto v0.1.0
+	golang.org/x/net v0.1.0
+	golang.org/x/oauth2 v0.1.0
+	golang.org/x/sync v0.1.0
+	google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c
+	google.golang.org/grpc v1.50.1
+	google.golang.org/protobuf v1.28.1
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/yaml.v2 v2.4.0
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
-	gorm.io/driver/postgres v1.3.5
-	gorm.io/gorm v1.23.4
-	inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6
-	tailscale.com v1.24.0
+	gopkg.in/yaml.v3 v3.0.1
+	gorm.io/driver/postgres v1.4.5
+	gorm.io/gorm v1.24.1-0.20221019064659-5dd2bb482755
+	tailscale.com v1.32.2
 )
 
 require (
-	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
-	github.com/Microsoft/go-winio v0.5.1 // indirect
+	atomicgo.dev/cursor v0.1.1 // indirect
+	atomicgo.dev/keyboard v0.2.8 // indirect
+	filippo.io/edwards25519 v1.0.0 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	github.com/Microsoft/go-winio v0.6.0 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect
-	github.com/atomicgo/cursor v0.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.2 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/containerd/continuity v0.0.0-20190827140505-75bee3e2ccb6 // indirect
+	github.com/containerd/console v1.0.3 // indirect
+	github.com/containerd/continuity v0.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/cli v20.10.11+incompatible // indirect
-	github.com/docker/docker v20.10.7+incompatible // indirect
+	github.com/docker/cli v20.10.21+incompatible // indirect
+	github.com/docker/docker v20.10.21+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
-	github.com/docker/go-units v0.4.0 // indirect
-	github.com/fsnotify/fsnotify v1.5.1 // indirect
-	github.com/gin-contrib/sse v0.1.0 // indirect
-	github.com/glebarez/go-sqlite v1.16.0 // indirect
-	github.com/go-playground/locales v0.13.0 // indirect
-	github.com/go-playground/universal-translator v0.17.0 // indirect
-	github.com/go-playground/validator/v10 v10.4.1 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/fsnotify/fsnotify v1.6.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
+	github.com/glebarez/go-sqlite v1.19.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/go-cmp v0.5.7 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-github v17.0.0+incompatible // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
-	github.com/gookit/color v1.5.0 // indirect
-	github.com/hashicorp/go-version v1.4.0 // indirect
+	github.com/gookit/color v1.5.2 // indirect
+	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/hdevalence/ed25519consensus v0.1.0 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
-	github.com/jackc/pgconn v1.12.0 // indirect
+	github.com/jackc/pgconn v1.13.0 // indirect
 	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgproto3/v2 v2.3.0 // indirect
+	github.com/jackc/pgproto3/v2 v2.3.1 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
-	github.com/jackc/pgtype v1.11.0 // indirect
-	github.com/jackc/pgx/v4 v4.16.0 // indirect
+	github.com/jackc/pgtype v1.12.0 // indirect
+	github.com/jackc/pgx/v4 v4.17.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
-	github.com/jinzhu/now v1.1.4 // indirect
+	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/josharian/native v1.0.0 // indirect
-	github.com/jsimonetti/rtnetlink v1.1.2-0.20220408201609-d380b505068b // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/jsimonetti/rtnetlink v1.2.3 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/leodido/go-urn v1.2.0 // indirect
+	github.com/lithammer/fuzzysearch v1.1.5 // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
-	github.com/mattn/go-colorable v0.1.12 // indirect
-	github.com/mattn/go-isatty v0.0.14 // indirect
-	github.com/mattn/go-runewidth v0.0.13 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
-	github.com/mdlayher/netlink v1.6.0 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.16 // indirect
+	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/mdlayher/netlink v1.6.2 // indirect
 	github.com/mdlayher/socket v0.2.3 // indirect
-	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
+	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
-	github.com/mitchellh/mapstructure v1.4.3 // indirect
-	github.com/moby/term v0.0.0-20201216013528-df9cb8a40635 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
-	github.com/opencontainers/go-digest v1.0.0-rc1 // indirect
-	github.com/opencontainers/image-spec v1.0.2 // indirect
-	github.com/opencontainers/runc v1.0.2 // indirect
-	github.com/pelletier/go-toml v1.9.4 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.0-beta.8 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/moby/term v0.0.0-20220808134915-39b0c02b01ae // indirect
+	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
+	github.com/opencontainers/runc v1.1.4 // indirect
+	github.com/pelletier/go-toml v1.9.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.32.1 // indirect
-	github.com/prometheus/procfs v0.7.3 // indirect
-	github.com/puzpuzpuz/xsync v1.2.1 // indirect
-	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
-	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/prometheus/client_model v0.3.0 // indirect
+	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20220927061507-ef77025ab5aa // indirect
+	github.com/rivo/uniseg v0.4.2 // indirect
 	github.com/rogpeppe/go-internal v1.8.1-0.20211023094830-115ce09fd6b4 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
-	github.com/spf13/afero v1.8.2 // indirect
-	github.com/spf13/cast v1.4.1 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/spf13/afero v1.9.2 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/subosito/gotenv v1.2.0 // indirect
-	github.com/ugorji/go/codec v1.1.7 // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/subosito/gotenv v1.4.1 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
-	go4.org/intern v0.0.0-20211027215823-ae77deb06f29 // indirect
-	go4.org/mem v0.0.0-20210711025021-927187094b94 // indirect
-	go4.org/unsafe/assume-no-moving-gc v0.0.0-20211027215541-db492cf91b37 // indirect
-	golang.org/x/net v0.0.0-20220412020605-290c469a71a5 // indirect
-	golang.org/x/sys v0.0.0-20220412211240-33da011f77ad // indirect
-	golang.org/x/term v0.0.0-20220411215600-e5f449aeb171 // indirect
-	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 // indirect
-	golang.zx2c4.com/wireguard/windows v0.4.10 // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
+	golang.org/x/mod v0.6.0 // indirect
+	golang.org/x/sys v0.1.0 // indirect
+	golang.org/x/term v0.1.0 // indirect
+	golang.org/x/text v0.4.0 // indirect
+	golang.org/x/time v0.1.0 // indirect
+	golang.org/x/tools v0.2.0 // indirect
+	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	gopkg.in/ini.v1 v1.66.4 // indirect
-	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
-	modernc.org/libc v1.14.12 // indirect
-	modernc.org/mathutil v1.4.1 // indirect
-	modernc.org/memory v1.0.7 // indirect
-	modernc.org/sqlite v1.16.0 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
+	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
+	modernc.org/libc v1.21.4 // indirect
+	modernc.org/mathutil v1.5.0 // indirect
+	modernc.org/memory v1.4.0 // indirect
+	modernc.org/sqlite v1.19.3 // indirect
+	nhooyr.io/websocket v1.8.7 // indirect
 )

grpcv1.go

@@ -1,8 +1,9 @@
-//nolint
+// nolint
 package headscale
 
 import (
 	"context"
+	"fmt"
 	"strings"
 	"time"
 
@@ -11,6 +12,7 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
 )
 
 type headscaleV1APIServer struct { // v1.HeadscaleServiceServer
@@ -105,11 +107,21 @@ func (api headscaleV1APIServer) CreatePreAuthKey(
 		expiration = request.GetExpiration().AsTime()
 	}
 
+	for _, tag := range request.AclTags {
+		err := validateTag(tag)
+		if err != nil {
+			return &v1.CreatePreAuthKeyResponse{
+				PreAuthKey: nil,
+			}, status.Error(codes.InvalidArgument, err.Error())
+		}
+	}
+
 	preAuthKey, err := api.h.CreatePreAuthKey(
 		request.GetNamespace(),
 		request.GetReusable(),
 		request.GetEphemeral(),
 		&expiration,
+		request.AclTags,
 	)
 	if err != nil {
 		return nil, err
@@ -158,7 +170,7 @@ func (api headscaleV1APIServer) RegisterMachine(
 ) (*v1.RegisterMachineResponse, error) {
 	log.Trace().
 		Str("namespace", request.GetNamespace()).
-		Str("machine_key", request.GetKey()).
+		Str("node_key", request.GetKey()).
 		Msg("Registering machine")
 
 	machine, err := api.h.RegisterMachineFromAuthCallback(
@@ -195,13 +207,11 @@ func (api headscaleV1APIServer) SetTags(
 	}
 
 	for _, tag := range request.GetTags() {
-		if strings.Index(tag, "tag:") != 0 {
+		err := validateTag(tag)
+		if err != nil {
 			return &v1.SetTagsResponse{
-					Machine: nil,
-				}, status.Error(
-					codes.InvalidArgument,
-					"Invalid tag detected. Each tag must start with the string 'tag:'",
-				)
+				Machine: nil,
+			}, status.Error(codes.InvalidArgument, err.Error())
 		}
 	}
 
@@ -220,6 +230,19 @@ func (api headscaleV1APIServer) SetTags(
 	return &v1.SetTagsResponse{Machine: machine.toProto()}, nil
 }
 
+func validateTag(tag string) error {
+	if strings.Index(tag, "tag:") != 0 {
+		return fmt.Errorf("tag must start with the string 'tag:'")
+	}
+	if strings.ToLower(tag) != tag {
+		return fmt.Errorf("tag should be lowercase")
+	}
+	if len(strings.Fields(tag)) > 1 {
+		return fmt.Errorf("tag should not contains space")
+	}
+	return nil
+}
+
 func (api headscaleV1APIServer) DeleteMachine(
 	ctx context.Context,
 	request *v1.DeleteMachineRequest,
@@ -457,7 +480,7 @@ func (api headscaleV1APIServer) DebugCreateMachine(
 		Hostname:    "DebugTestMachine",
 	}
 
-	givenName, err := api.h.GenerateGivenName(request.GetName())
+	givenName, err := api.h.GenerateGivenName(request.GetKey(), request.GetName())
 	if err != nil {
 		return nil, err
 	}
@@ -474,9 +497,14 @@ func (api headscaleV1APIServer) DebugCreateMachine(
 
 		HostInfo: HostInfo(hostinfo),
 	}
+	nodeKey := key.NodePublic{}
+	err = nodeKey.UnmarshalText([]byte(request.GetKey()))
+	if err != nil {
+		log.Panic().Msg("can not add machine for debug. invalid node key")
+	}
 
 	api.h.registrationCache.Set(
-		request.GetKey(),
+		NodePublicKeyStripPrefix(nodeKey),
 		newMachine,
 		registerCacheExpiration,
 	)

grpcv1_test.go

@@ -0,0 +1,42 @@
+package headscale
+
+import "testing"
+
+func Test_validateTag(t *testing.T) {
+	type args struct {
+		tag string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr bool
+	}{
+		{
+			name:    "valid tag",
+			args:    args{tag: "tag:test"},
+			wantErr: false,
+		},
+		{
+			name:    "tag without tag prefix",
+			args:    args{tag: "test"},
+			wantErr: true,
+		},
+		{
+			name:    "uppercase tag",
+			args:    args{tag: "tag:tEST"},
+			wantErr: true,
+		},
+		{
+			name:    "tag that contains space",
+			args:    args{tag: "tag:this is a spaced tag"},
+			wantErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if err := validateTag(tt.args.tag); (err != nil) != tt.wantErr {
+				t.Errorf("validateTag() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}

handler_legacy.go

@@ -0,0 +1,15 @@
+//go:build ts2019
+
+package headscale
+
+import (
+	"net/http"
+
+	"github.com/gorilla/mux"
+)
+
+func (h *Headscale) addLegacyHandlers(router *mux.Router) {
+	router.HandleFunc("/machine/{mkey}/map", h.PollNetMapHandler).
+		Methods(http.MethodPost)
+	router.HandleFunc("/machine/{mkey}", h.RegistrationHandler).Methods(http.MethodPost)
+}

handler_placeholder.go

@@ -0,0 +1,8 @@
+//go:build !ts2019
+
+package headscale
+
+import "github.com/gorilla/mux"
+
+func (h *Headscale) addLegacyHandlers(router *mux.Router) {
+}

integration/auth_web_flow_test.go

@@ -0,0 +1,204 @@
+package integration
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/juanfont/headscale/integration/hsic"
+)
+
+var errParseAuthPage = errors.New("failed to parse auth page")
+
+type AuthWebFlowScenario struct {
+	*Scenario
+}
+
+func TestAuthWebFlowAuthenticationPingAll(t *testing.T) {
+	IntegrationSkip(t)
+
+	baseScenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	scenario := AuthWebFlowScenario{
+		Scenario: baseScenario,
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions),
+		"namespace2": len(TailscaleVersions),
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("webauthping"))
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	allIps, err := scenario.ListTailscaleClientsIPs()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	success := 0
+
+	for _, client := range allClients {
+		for _, ip := range allIps {
+			err := client.Ping(ip.String())
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}
+
+	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func (s *AuthWebFlowScenario) CreateHeadscaleEnv(
+	namespaces map[string]int,
+	opts ...hsic.Option,
+) error {
+	headscale, err := s.Headscale(opts...)
+	if err != nil {
+		return err
+	}
+
+	err = headscale.WaitForReady()
+	if err != nil {
+		return err
+	}
+
+	for namespaceName, clientCount := range namespaces {
+		log.Printf("creating namespace %s with %d clients", namespaceName, clientCount)
+		err = s.CreateNamespace(namespaceName)
+		if err != nil {
+			return err
+		}
+
+		err = s.CreateTailscaleNodesInNamespace(namespaceName, "all", clientCount)
+		if err != nil {
+			return err
+		}
+
+		err = s.runTailscaleUp(namespaceName, headscale.GetEndpoint())
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *AuthWebFlowScenario) runTailscaleUp(
+	namespaceStr, loginServer string,
+) error {
+	log.Printf("running tailscale up for namespace %s", namespaceStr)
+	if namespace, ok := s.namespaces[namespaceStr]; ok {
+		for _, client := range namespace.Clients {
+			namespace.joinWaitGroup.Add(1)
+
+			go func(c TailscaleClient) {
+				defer namespace.joinWaitGroup.Done()
+
+				// TODO(juanfont): error handle this
+				loginURL, err := c.UpWithLoginURL(loginServer)
+				if err != nil {
+					log.Printf("failed to run tailscale up: %s", err)
+				}
+
+				err = s.runHeadscaleRegister(namespaceStr, loginURL)
+				if err != nil {
+					log.Printf("failed to register client: %s", err)
+				}
+
+				err = c.WaitForReady()
+				if err != nil {
+					log.Printf("error waiting for client %s to be ready: %s", c.Hostname(), err)
+				}
+			}(client)
+		}
+		namespace.joinWaitGroup.Wait()
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to up tailscale node: %w", errNoNamespaceAvailable)
+}
+
+func (s *AuthWebFlowScenario) runHeadscaleRegister(namespaceStr string, loginURL *url.URL) error {
+	headscale, err := s.Headscale()
+	if err != nil {
+		return err
+	}
+
+	log.Printf("loginURL: %s", loginURL)
+	loginURL.Host = fmt.Sprintf("%s:8080", headscale.GetIP())
+	loginURL.Scheme = "http"
+
+	httpClient := &http.Client{}
+	ctx := context.Background()
+	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, loginURL.String(), nil)
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return err
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return err
+	}
+
+	defer resp.Body.Close()
+
+	// see api.go HTML template
+	codeSep := strings.Split(string(body), "</code>")
+	if len(codeSep) != 2 {
+		return errParseAuthPage
+	}
+
+	keySep := strings.Split(codeSep[0], "key ")
+	if len(keySep) != 2 {
+		return errParseAuthPage
+	}
+	key := keySep[1]
+	log.Printf("registering node %s", key)
+
+	if headscale, err := s.Headscale(); err == nil {
+		_, err = headscale.Execute(
+			[]string{"headscale", "-n", namespaceStr, "nodes", "register", "--key", key},
+		)
+		if err != nil {
+			log.Printf("failed to register node: %s", err)
+
+			return err
+		}
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to find headscale: %w", errNoHeadscaleAvailable)
+}

integration/cli_test.go

@@ -0,0 +1,390 @@
+package integration
+
+import (
+	"encoding/json"
+	"sort"
+	"testing"
+	"time"
+
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/stretchr/testify/assert"
+)
+
+func executeAndUnmarshal[T any](headscale ControlServer, command []string, result T) error {
+	str, err := headscale.Execute(command)
+	if err != nil {
+		return err
+	}
+
+	err = json.Unmarshal([]byte(str), result)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func TestNamespaceCommand(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	assert.NoError(t, err)
+
+	spec := map[string]int{
+		"namespace1": 0,
+		"namespace2": 0,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("clins"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
+	assert.NoError(t, err)
+
+	var listNamespaces []v1.Namespace
+	err = executeAndUnmarshal(headscale,
+		[]string{
+			"headscale",
+			"namespaces",
+			"list",
+			"--output",
+			"json",
+		},
+		&listNamespaces,
+	)
+	assert.NoError(t, err)
+
+	result := []string{listNamespaces[0].Name, listNamespaces[1].Name}
+	sort.Strings(result)
+
+	assert.Equal(
+		t,
+		[]string{"namespace1", "namespace2"},
+		result,
+	)
+
+	_, err = headscale.Execute(
+		[]string{
+			"headscale",
+			"namespaces",
+			"rename",
+			"--output",
+			"json",
+			"namespace2",
+			"newname",
+		},
+	)
+	assert.NoError(t, err)
+
+	var listAfterRenameNamespaces []v1.Namespace
+	err = executeAndUnmarshal(headscale,
+		[]string{
+			"headscale",
+			"namespaces",
+			"list",
+			"--output",
+			"json",
+		},
+		&listAfterRenameNamespaces,
+	)
+	assert.NoError(t, err)
+
+	result = []string{listAfterRenameNamespaces[0].Name, listAfterRenameNamespaces[1].Name}
+	sort.Strings(result)
+
+	assert.Equal(
+		t,
+		[]string{"namespace1", "newname"},
+		result,
+	)
+
+	err = scenario.Shutdown()
+	assert.NoError(t, err)
+}
+
+func TestPreAuthKeyCommand(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	namespace := "preauthkeyspace"
+	count := 3
+
+	scenario, err := NewScenario()
+	assert.NoError(t, err)
+
+	spec := map[string]int{
+		namespace: 0,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("clipak"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
+	assert.NoError(t, err)
+
+	keys := make([]*v1.PreAuthKey, count)
+	assert.NoError(t, err)
+
+	for index := 0; index < count; index++ {
+		var preAuthKey v1.PreAuthKey
+		err := executeAndUnmarshal(
+			headscale,
+			[]string{
+				"headscale",
+				"preauthkeys",
+				"--namespace",
+				namespace,
+				"create",
+				"--reusable",
+				"--expiration",
+				"24h",
+				"--output",
+				"json",
+				"--tags",
+				"tag:test1,tag:test2",
+			},
+			&preAuthKey,
+		)
+		assert.NoError(t, err)
+
+		keys[index] = &preAuthKey
+	}
+
+	assert.Len(t, keys, 3)
+
+	var listedPreAuthKeys []v1.PreAuthKey
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"list",
+			"--output",
+			"json",
+		},
+		&listedPreAuthKeys,
+	)
+	assert.NoError(t, err)
+
+	// There is one key created by "scenario.CreateHeadscaleEnv"
+	assert.Len(t, listedPreAuthKeys, 4)
+
+	assert.Equal(
+		t,
+		[]string{keys[0].Id, keys[1].Id, keys[2].Id},
+		[]string{listedPreAuthKeys[1].Id, listedPreAuthKeys[2].Id, listedPreAuthKeys[3].Id},
+	)
+
+	assert.NotEmpty(t, listedPreAuthKeys[1].Key)
+	assert.NotEmpty(t, listedPreAuthKeys[2].Key)
+	assert.NotEmpty(t, listedPreAuthKeys[3].Key)
+
+	assert.True(t, listedPreAuthKeys[1].Expiration.AsTime().After(time.Now()))
+	assert.True(t, listedPreAuthKeys[2].Expiration.AsTime().After(time.Now()))
+	assert.True(t, listedPreAuthKeys[3].Expiration.AsTime().After(time.Now()))
+
+	assert.True(
+		t,
+		listedPreAuthKeys[1].Expiration.AsTime().Before(time.Now().Add(time.Hour*26)),
+	)
+	assert.True(
+		t,
+		listedPreAuthKeys[2].Expiration.AsTime().Before(time.Now().Add(time.Hour*26)),
+	)
+	assert.True(
+		t,
+		listedPreAuthKeys[3].Expiration.AsTime().Before(time.Now().Add(time.Hour*26)),
+	)
+
+	for index := range listedPreAuthKeys {
+		if index == 0 {
+			continue
+		}
+
+		assert.Equal(t, listedPreAuthKeys[index].AclTags, []string{"tag:test1", "tag:test2"})
+	}
+
+	// Test key expiry
+	_, err = headscale.Execute(
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"expire",
+			listedPreAuthKeys[1].Key,
+		},
+	)
+	assert.NoError(t, err)
+
+	var listedPreAuthKeysAfterExpire []v1.PreAuthKey
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"list",
+			"--output",
+			"json",
+		},
+		&listedPreAuthKeysAfterExpire,
+	)
+	assert.NoError(t, err)
+
+	assert.True(t, listedPreAuthKeysAfterExpire[1].Expiration.AsTime().Before(time.Now()))
+	assert.True(t, listedPreAuthKeysAfterExpire[2].Expiration.AsTime().After(time.Now()))
+	assert.True(t, listedPreAuthKeysAfterExpire[3].Expiration.AsTime().After(time.Now()))
+
+	err = scenario.Shutdown()
+	assert.NoError(t, err)
+}
+
+func TestPreAuthKeyCommandWithoutExpiry(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	namespace := "pre-auth-key-without-exp-namespace"
+
+	scenario, err := NewScenario()
+	assert.NoError(t, err)
+
+	spec := map[string]int{
+		namespace: 0,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("clipaknaexp"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
+	assert.NoError(t, err)
+
+	var preAuthKey v1.PreAuthKey
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"create",
+			"--reusable",
+			"--output",
+			"json",
+		},
+		&preAuthKey,
+	)
+	assert.NoError(t, err)
+
+	var listedPreAuthKeys []v1.PreAuthKey
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"list",
+			"--output",
+			"json",
+		},
+		&listedPreAuthKeys,
+	)
+	assert.NoError(t, err)
+
+	// There is one key created by "scenario.CreateHeadscaleEnv"
+	assert.Len(t, listedPreAuthKeys, 2)
+
+	assert.True(t, listedPreAuthKeys[1].Expiration.AsTime().After(time.Now()))
+	assert.True(
+		t,
+		listedPreAuthKeys[1].Expiration.AsTime().Before(time.Now().Add(time.Minute*70)),
+	)
+
+	err = scenario.Shutdown()
+	assert.NoError(t, err)
+}
+
+func TestPreAuthKeyCommandReusableEphemeral(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	namespace := "pre-auth-key-reus-ephm-namespace"
+
+	scenario, err := NewScenario()
+	assert.NoError(t, err)
+
+	spec := map[string]int{
+		namespace: 0,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("clipakresueeph"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
+	assert.NoError(t, err)
+
+	var preAuthReusableKey v1.PreAuthKey
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"create",
+			"--reusable=true",
+			"--output",
+			"json",
+		},
+		&preAuthReusableKey,
+	)
+	assert.NoError(t, err)
+
+	var preAuthEphemeralKey v1.PreAuthKey
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"create",
+			"--ephemeral=true",
+			"--output",
+			"json",
+		},
+		&preAuthEphemeralKey,
+	)
+	assert.NoError(t, err)
+
+	assert.True(t, preAuthEphemeralKey.GetEphemeral())
+	assert.False(t, preAuthEphemeralKey.GetReusable())
+
+	var listedPreAuthKeys []v1.PreAuthKey
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"list",
+			"--output",
+			"json",
+		},
+		&listedPreAuthKeys,
+	)
+	assert.NoError(t, err)
+
+	// There is one key created by "scenario.CreateHeadscaleEnv"
+	assert.Len(t, listedPreAuthKeys, 3)
+
+	err = scenario.Shutdown()
+	assert.NoError(t, err)
+}

integration/control.go

@@ -0,0 +1,19 @@
+package integration
+
+import (
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+)
+
+type ControlServer interface {
+	Shutdown() error
+	Execute(command []string) (string, error)
+	GetHealthEndpoint() string
+	GetEndpoint() string
+	WaitForReady() error
+	CreateNamespace(namespace string) error
+	CreateAuthKey(namespace string) (*v1.PreAuthKey, error)
+	ListMachinesInNamespace(namespace string) ([]*v1.Machine, error)
+	GetCert() []byte
+	GetHostname() string
+	GetIP() string
+}

integration/dockertestutil/config.go

@@ -0,0 +1,40 @@
+package dockertestutil
+
+import (
+	"os"
+
+	"github.com/ory/dockertest/v3/docker"
+)
+
+func IsRunningInContainer() bool {
+	if _, err := os.Stat("/.dockerenv"); err != nil {
+		return false
+	}
+
+	return true
+}
+
+func DockerRestartPolicy(config *docker.HostConfig) {
+	// set AutoRemove to true so that stopped container goes away by itself on error *immediately*.
+	// when set to false, containers remain until the end of the integration test.
+	config.AutoRemove = false
+	config.RestartPolicy = docker.RestartPolicy{
+		Name: "no",
+	}
+}
+
+func DockerAllowLocalIPv6(config *docker.HostConfig) {
+	if config.Sysctls == nil {
+		config.Sysctls = make(map[string]string, 1)
+	}
+	config.Sysctls["net.ipv6.conf.all.disable_ipv6"] = "0"
+}
+
+func DockerAllowNetworkAdministration(config *docker.HostConfig) {
+	config.CapAdd = append(config.CapAdd, "NET_ADMIN")
+	config.Mounts = append(config.Mounts, docker.HostMount{
+		Type:   "bind",
+		Source: "/dev/net/tun",
+		Target: "/dev/net/tun",
+	})
+}

integration/dockertestutil/execute.go

@@ -0,0 +1,94 @@
+package dockertestutil
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/ory/dockertest/v3"
+)
+
+const dockerExecuteTimeout = time.Second * 10
+
+var (
+	ErrDockertestCommandFailed  = errors.New("dockertest command failed")
+	ErrDockertestCommandTimeout = errors.New("dockertest command timed out")
+)
+
+type ExecuteCommandConfig struct {
+	timeout time.Duration
+}
+
+type ExecuteCommandOption func(*ExecuteCommandConfig) error
+
+func ExecuteCommandTimeout(timeout time.Duration) ExecuteCommandOption {
+	return ExecuteCommandOption(func(conf *ExecuteCommandConfig) error {
+		conf.timeout = timeout
+
+		return nil
+	})
+}
+
+func ExecuteCommand(
+	resource *dockertest.Resource,
+	cmd []string,
+	env []string,
+	options ...ExecuteCommandOption,
+) (string, string, error) {
+	var stdout bytes.Buffer
+	var stderr bytes.Buffer
+
+	execConfig := ExecuteCommandConfig{
+		timeout: dockerExecuteTimeout,
+	}
+
+	for _, opt := range options {
+		if err := opt(&execConfig); err != nil {
+			return "", "", fmt.Errorf("execute-command/options: %w", err)
+		}
+	}
+
+	type result struct {
+		exitCode int
+		err      error
+	}
+
+	resultChan := make(chan result, 1)
+
+	// Run your long running function in it's own goroutine and pass back it's
+	// response into our channel.
+	go func() {
+		exitCode, err := resource.Exec(
+			cmd,
+			dockertest.ExecOptions{
+				Env:    append(env, "HEADSCALE_LOG_LEVEL=disabled"),
+				StdOut: &stdout,
+				StdErr: &stderr,
+			},
+		)
+		resultChan <- result{exitCode, err}
+	}()
+
+	// Listen on our channel AND a timeout channel - which ever happens first.
+	select {
+	case res := <-resultChan:
+		if res.err != nil {
+			return stdout.String(), stderr.String(), res.err
+		}
+
+		if res.exitCode != 0 {
+			// Uncomment for debugging
+			// log.Println("Command: ", cmd)
+			// log.Println("stdout: ", stdout.String())
+			// log.Println("stderr: ", stderr.String())
+
+			return stdout.String(), stderr.String(), ErrDockertestCommandFailed
+		}
+
+		return stdout.String(), stderr.String(), nil
+	case <-time.After(execConfig.timeout):
+
+		return stdout.String(), stderr.String(), ErrDockertestCommandTimeout
+	}
+}

integration/dockertestutil/network.go

@@ -0,0 +1,62 @@
+package dockertestutil
+
+import (
+	"errors"
+
+	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
+)
+
+var ErrContainerNotFound = errors.New("container not found")
+
+func GetFirstOrCreateNetwork(pool *dockertest.Pool, name string) (*dockertest.Network, error) {
+	networks, err := pool.NetworksByName(name)
+	if err != nil || len(networks) == 0 {
+		if _, err := pool.CreateNetwork(name); err == nil {
+			// Create does not give us an updated version of the resource, so we need to
+			// get it again.
+			networks, err := pool.NetworksByName(name)
+			if err != nil {
+				return nil, err
+			}
+
+			return &networks[0], nil
+		}
+	}
+
+	return &networks[0], nil
+}
+
+func AddContainerToNetwork(
+	pool *dockertest.Pool,
+	network *dockertest.Network,
+	testContainer string,
+) error {
+	containers, err := pool.Client.ListContainers(docker.ListContainersOptions{
+		All: true,
+		Filters: map[string][]string{
+			"name": {testContainer},
+		},
+	})
+	if err != nil {
+		return err
+	}
+
+	err = pool.Client.ConnectNetwork(network.Network.ID, docker.NetworkConnectionOptions{
+		Container: containers[0].ID,
+	})
+	if err != nil {
+		return err
+	}
+
+	// TODO(kradalby): This doesnt work reliably, but calling the exact same functions
+	// seem to work fine...
+	// if container, ok := pool.ContainerByName("/" + testContainer); ok {
+	// 	err := container.ConnectToNetwork(network)
+	// 	if err != nil {
+	// 		return err
+	// 	}
+	// }
+
+	return nil
+}

integration/general_test.go

@@ -0,0 +1,341 @@
+package integration
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/rs/zerolog/log"
+)
+
+func TestPingAllByIP(t *testing.T) {
+	IntegrationSkip(t)
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions),
+		"namespace2": len(TailscaleVersions),
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("pingallbyip"))
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	allIps, err := scenario.ListTailscaleClientsIPs()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	success := 0
+
+	for _, client := range allClients {
+		for _, ip := range allIps {
+			err := client.Ping(ip.String())
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}
+
+	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestPingAllByHostname(t *testing.T) {
+	IntegrationSkip(t)
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		// Omit 1.16.2 (-1) because it does not have the FQDN field
+		"namespace3": len(TailscaleVersions) - 1,
+		"namespace4": len(TailscaleVersions) - 1,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("pingallbyname"))
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	allHostnames, err := scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	success := 0
+
+	for _, client := range allClients {
+		for _, hostname := range allHostnames {
+			err := client.Ping(hostname)
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", hostname, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}
+
+	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allClients))
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestTaildrop(t *testing.T) {
+	IntegrationSkip(t)
+
+	retry := func(times int, sleepInverval time.Duration, doWork func() error) error {
+		var err error
+		for attempts := 0; attempts < times; attempts++ {
+			err = doWork()
+			if err == nil {
+				return nil
+			}
+			time.Sleep(sleepInverval)
+		}
+
+		return err
+	}
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		// Omit 1.16.2 (-1) because it does not have the FQDN field
+		"taildrop": len(TailscaleVersions) - 1,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("taildrop"))
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	// This will essentially fetch and cache all the FQDNs
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	for _, client := range allClients {
+		command := []string{"touch", fmt.Sprintf("/tmp/file_from_%s", client.Hostname())}
+
+		if _, _, err := client.Execute(command); err != nil {
+			t.Errorf("failed to create taildrop file on %s, err: %s", client.Hostname(), err)
+		}
+
+		for _, peer := range allClients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			// It is safe to ignore this error as we handled it when caching it
+			peerFQDN, _ := peer.FQDN()
+
+			t.Run(fmt.Sprintf("%s-%s", client.Hostname(), peer.Hostname()), func(t *testing.T) {
+				command := []string{
+					"tailscale", "file", "cp",
+					fmt.Sprintf("/tmp/file_from_%s", client.Hostname()),
+					fmt.Sprintf("%s:", peerFQDN),
+				}
+
+				err := retry(10, 1*time.Second, func() error {
+					t.Logf(
+						"Sending file from %s to %s\n",
+						client.Hostname(),
+						peer.Hostname(),
+					)
+					_, _, err := client.Execute(command)
+
+					return err
+				})
+				if err != nil {
+					t.Errorf(
+						"failed to send taildrop file on %s, err: %s",
+						client.Hostname(),
+						err,
+					)
+				}
+			})
+		}
+	}
+
+	for _, client := range allClients {
+		command := []string{
+			"tailscale", "file",
+			"get",
+			"/tmp/",
+		}
+		if _, _, err := client.Execute(command); err != nil {
+			t.Errorf("failed to get taildrop file on %s, err: %s", client.Hostname(), err)
+		}
+
+		for _, peer := range allClients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			t.Run(fmt.Sprintf("%s-%s", client.Hostname(), peer.Hostname()), func(t *testing.T) {
+				command := []string{
+					"ls",
+					fmt.Sprintf("/tmp/file_from_%s", peer.Hostname()),
+				}
+				log.Printf(
+					"Checking file in %s from %s\n",
+					client.Hostname(),
+					peer.Hostname(),
+				)
+
+				result, _, err := client.Execute(command)
+				if err != nil {
+					t.Errorf("failed to execute command to ls taildrop: %s", err)
+				}
+
+				log.Printf("Result for %s: %s\n", peer.Hostname(), result)
+				if fmt.Sprintf("/tmp/file_from_%s\n", peer.Hostname()) != result {
+					t.Errorf(
+						"taildrop result is not correct %s, wanted %s",
+						result,
+						fmt.Sprintf("/tmp/file_from_%s\n", peer.Hostname()),
+					)
+				}
+			})
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestResolveMagicDNS(t *testing.T) {
+	IntegrationSkip(t)
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		// Omit 1.16.2 (-1) because it does not have the FQDN field
+		"magicdns1": len(TailscaleVersions) - 1,
+		"magicdns2": len(TailscaleVersions) - 1,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("magicdns"))
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	// Poor mans cache
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsIPs()
+	if err != nil {
+		t.Errorf("failed to get IPs: %s", err)
+	}
+
+	for _, client := range allClients {
+		for _, peer := range allClients {
+			// It is safe to ignore this error as we handled it when caching it
+			peerFQDN, _ := peer.FQDN()
+
+			command := []string{
+				"tailscale",
+				"ip", peerFQDN,
+			}
+			result, _, err := client.Execute(command)
+			if err != nil {
+				t.Errorf(
+					"failed to execute resolve/ip command %s from %s: %s",
+					peerFQDN,
+					client.Hostname(),
+					err,
+				)
+			}
+
+			ips, err := peer.IPs()
+			if err != nil {
+				t.Errorf(
+					"failed to get ips for %s: %s",
+					peer.Hostname(),
+					err,
+				)
+			}
+
+			for _, ip := range ips {
+				if !strings.Contains(result, ip.String()) {
+					t.Errorf("ip %s is not found in \n%s\n", ip.String(), result)
+				}
+			}
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}

integration/hsic/config.go

@@ -0,0 +1,97 @@
+package hsic
+
+// const (
+// 	defaultEphemeralNodeInactivityTimeout = time.Second * 30
+// 	defaultNodeUpdateCheckInterval        = time.Second * 10
+// )
+
+// TODO(kradalby): This approach doesnt work because we cannot
+// serialise our config object to YAML or JSON.
+// func DefaultConfig() headscale.Config {
+// 	derpMap, _ := url.Parse("https://controlplane.tailscale.com/derpmap/default")
+//
+// 	config := headscale.Config{
+// 		Log: headscale.LogConfig{
+// 			Level: zerolog.TraceLevel,
+// 		},
+// 		ACL:                            headscale.GetACLConfig(),
+// 		DBtype:                         "sqlite3",
+// 		EphemeralNodeInactivityTimeout: defaultEphemeralNodeInactivityTimeout,
+// 		NodeUpdateCheckInterval:        defaultNodeUpdateCheckInterval,
+// 		IPPrefixes: []netip.Prefix{
+// 			netip.MustParsePrefix("fd7a:115c:a1e0::/48"),
+// 			netip.MustParsePrefix("100.64.0.0/10"),
+// 		},
+// 		DNSConfig: &tailcfg.DNSConfig{
+// 			Proxied: true,
+// 			Nameservers: []netip.Addr{
+// 				netip.MustParseAddr("127.0.0.11"),
+// 				netip.MustParseAddr("1.1.1.1"),
+// 			},
+// 			Resolvers: []*dnstype.Resolver{
+// 				{
+// 					Addr: "127.0.0.11",
+// 				},
+// 				{
+// 					Addr: "1.1.1.1",
+// 				},
+// 			},
+// 		},
+// 		BaseDomain: "headscale.net",
+//
+// 		DBpath: "/tmp/integration_test_db.sqlite3",
+//
+// 		PrivateKeyPath:      "/tmp/integration_private.key",
+// 		NoisePrivateKeyPath: "/tmp/noise_integration_private.key",
+// 		Addr:                "0.0.0.0:8080",
+// 		MetricsAddr:         "127.0.0.1:9090",
+// 		ServerURL:           "http://headscale:8080",
+//
+// 		DERP: headscale.DERPConfig{
+// 			URLs: []url.URL{
+// 				*derpMap,
+// 			},
+// 			AutoUpdate:      false,
+// 			UpdateFrequency: 1 * time.Minute,
+// 		},
+// 	}
+//
+// 	return config
+// }
+
+// TODO: Reuse the actual configuration object above.
+func DefaultConfigYAML() string {
+	yaml := `
+log:
+  level: trace
+acl_policy_path: ""
+db_type: sqlite3
+db_path: /tmp/integration_test_db.sqlite3
+ephemeral_node_inactivity_timeout: 30m
+node_update_check_interval: 10s
+ip_prefixes:
+  - fd7a:115c:a1e0::/48
+  - 100.64.0.0/10
+dns_config:
+  base_domain: headscale.net
+  magic_dns: true
+  domains: []
+  nameservers:
+    - 127.0.0.11
+    - 1.1.1.1
+private_key_path: /tmp/private.key
+noise:
+  private_key_path: /tmp/noise_private.key
+listen_addr: 0.0.0.0:8080
+metrics_listen_addr: 127.0.0.1:9090
+server_url: http://headscale:8080
+
+derp:
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+  auto_update_enabled: false
+  update_frequency: 1m
+`
+
+	return yaml
+}

integration/hsic/hsic.go

@@ -0,0 +1,454 @@
+package hsic
+
+import (
+	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/json"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"log"
+	"math/big"
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/juanfont/headscale"
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/juanfont/headscale/integration/integrationutil"
+	"github.com/ory/dockertest/v3"
+)
+
+const (
+	hsicHashLength       = 6
+	dockerContextPath    = "../."
+	aclPolicyPath        = "/etc/headscale/acl.hujson"
+	tlsCertPath          = "/etc/headscale/tls.cert"
+	tlsKeyPath           = "/etc/headscale/tls.key"
+	headscaleDefaultPort = 8080
+)
+
+var errHeadscaleStatusCodeNotOk = errors.New("headscale status code not ok")
+
+type HeadscaleInContainer struct {
+	hostname string
+
+	pool      *dockertest.Pool
+	container *dockertest.Resource
+	network   *dockertest.Network
+
+	// optional config
+	port      int
+	aclPolicy *headscale.ACLPolicy
+	env       []string
+	tlsCert   []byte
+	tlsKey    []byte
+}
+
+type Option = func(c *HeadscaleInContainer)
+
+func WithACLPolicy(acl *headscale.ACLPolicy) Option {
+	return func(hsic *HeadscaleInContainer) {
+		// TODO(kradalby): Move somewhere appropriate
+		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_ACL_POLICY_PATH=%s", aclPolicyPath))
+
+		hsic.aclPolicy = acl
+	}
+}
+
+func WithTLS() Option {
+	return func(hsic *HeadscaleInContainer) {
+		cert, key, err := createCertificate()
+		if err != nil {
+			log.Fatalf("failed to create certificates for headscale test: %s", err)
+		}
+
+		// TODO(kradalby): Move somewhere appropriate
+		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_CERT_PATH=%s", tlsCertPath))
+		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_KEY_PATH=%s", tlsKeyPath))
+		hsic.env = append(hsic.env, "HEADSCALE_TLS_CLIENT_AUTH_MODE=disabled")
+
+		hsic.tlsCert = cert
+		hsic.tlsKey = key
+	}
+}
+
+func WithConfigEnv(configEnv map[string]string) Option {
+	return func(hsic *HeadscaleInContainer) {
+		env := []string{}
+
+		for key, value := range configEnv {
+			env = append(env, fmt.Sprintf("%s=%s", key, value))
+		}
+
+		hsic.env = env
+	}
+}
+
+func WithPort(port int) Option {
+	return func(hsic *HeadscaleInContainer) {
+		hsic.port = port
+	}
+}
+
+func WithTestName(testName string) Option {
+	return func(hsic *HeadscaleInContainer) {
+		hash, _ := headscale.GenerateRandomStringDNSSafe(hsicHashLength)
+
+		hostname := fmt.Sprintf("hs-%s-%s", testName, hash)
+		hsic.hostname = hostname
+	}
+}
+
+func New(
+	pool *dockertest.Pool,
+	network *dockertest.Network,
+	opts ...Option,
+) (*HeadscaleInContainer, error) {
+	hash, err := headscale.GenerateRandomStringDNSSafe(hsicHashLength)
+	if err != nil {
+		return nil, err
+	}
+
+	hostname := fmt.Sprintf("hs-%s", hash)
+
+	hsic := &HeadscaleInContainer{
+		hostname: hostname,
+		port:     headscaleDefaultPort,
+
+		pool:    pool,
+		network: network,
+	}
+
+	for _, opt := range opts {
+		opt(hsic)
+	}
+
+	log.Println("NAME: ", hsic.hostname)
+
+	portProto := fmt.Sprintf("%d/tcp", hsic.port)
+
+	headscaleBuildOptions := &dockertest.BuildOptions{
+		Dockerfile: "Dockerfile.debug",
+		ContextDir: dockerContextPath,
+	}
+
+	runOptions := &dockertest.RunOptions{
+		Name:         hsic.hostname,
+		ExposedPorts: []string{portProto},
+		Networks:     []*dockertest.Network{network},
+		// Cmd:          []string{"headscale", "serve"},
+		// TODO(kradalby): Get rid of this hack, we currently need to give us some
+		// to inject the headscale configuration further down.
+		Entrypoint: []string{"/bin/bash", "-c", "/bin/sleep 3 ; headscale serve"},
+		Env:        hsic.env,
+	}
+
+	// dockertest isnt very good at handling containers that has already
+	// been created, this is an attempt to make sure this container isnt
+	// present.
+	err = pool.RemoveContainerByName(hsic.hostname)
+	if err != nil {
+		return nil, err
+	}
+
+	container, err := pool.BuildAndRunWithBuildOptions(
+		headscaleBuildOptions,
+		runOptions,
+		dockertestutil.DockerRestartPolicy,
+		dockertestutil.DockerAllowLocalIPv6,
+		dockertestutil.DockerAllowNetworkAdministration,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("could not start headscale container: %w", err)
+	}
+	log.Printf("Created %s container\n", hsic.hostname)
+
+	hsic.container = container
+
+	err = hsic.WriteFile("/etc/headscale/config.yaml", []byte(DefaultConfigYAML()))
+	if err != nil {
+		return nil, fmt.Errorf("failed to write headscale config to container: %w", err)
+	}
+
+	if hsic.aclPolicy != nil {
+		data, err := json.Marshal(hsic.aclPolicy)
+		if err != nil {
+			return nil, fmt.Errorf("failed to marshal ACL Policy to JSON: %w", err)
+		}
+
+		err = hsic.WriteFile(aclPolicyPath, data)
+		if err != nil {
+			return nil, fmt.Errorf("failed to write ACL policy to container: %w", err)
+		}
+	}
+
+	if hsic.hasTLS() {
+		err = hsic.WriteFile(tlsCertPath, hsic.tlsCert)
+		if err != nil {
+			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
+		}
+
+		err = hsic.WriteFile(tlsKeyPath, hsic.tlsKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to write TLS key to container: %w", err)
+		}
+	}
+
+	return hsic, nil
+}
+
+func (t *HeadscaleInContainer) hasTLS() bool {
+	return len(t.tlsCert) != 0 && len(t.tlsKey) != 0
+}
+
+func (t *HeadscaleInContainer) Shutdown() error {
+	return t.pool.Purge(t.container)
+}
+
+func (t *HeadscaleInContainer) Execute(
+	command []string,
+) (string, error) {
+	stdout, stderr, err := dockertestutil.ExecuteCommand(
+		t.container,
+		command,
+		[]string{},
+	)
+	if err != nil {
+		log.Printf("command stderr: %s\n", stderr)
+
+		if stdout != "" {
+			log.Printf("command stdout: %s\n", stdout)
+		}
+
+		return "", err
+	}
+
+	return stdout, nil
+}
+
+func (t *HeadscaleInContainer) GetIP() string {
+	return t.container.GetIPInNetwork(t.network)
+}
+
+func (t *HeadscaleInContainer) GetPort() string {
+	return fmt.Sprintf("%d", t.port)
+}
+
+func (t *HeadscaleInContainer) GetHealthEndpoint() string {
+	return fmt.Sprintf("%s/health", t.GetEndpoint())
+}
+
+func (t *HeadscaleInContainer) GetEndpoint() string {
+	hostEndpoint := fmt.Sprintf("%s:%d",
+		t.GetIP(),
+		t.port)
+
+	if t.hasTLS() {
+		return fmt.Sprintf("https://%s", hostEndpoint)
+	}
+
+	return fmt.Sprintf("http://%s", hostEndpoint)
+}
+
+func (t *HeadscaleInContainer) GetCert() []byte {
+	return t.tlsCert
+}
+
+func (t *HeadscaleInContainer) GetHostname() string {
+	return t.hostname
+}
+
+func (t *HeadscaleInContainer) WaitForReady() error {
+	url := t.GetHealthEndpoint()
+
+	log.Printf("waiting for headscale to be ready at %s", url)
+
+	client := &http.Client{}
+
+	if t.hasTLS() {
+		insecureTransport := http.DefaultTransport.(*http.Transport).Clone()      //nolint
+		insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint
+		client = &http.Client{Transport: insecureTransport}
+	}
+
+	return t.pool.Retry(func() error {
+		resp, err := client.Get(url) //nolint
+		if err != nil {
+			log.Printf("ready err: %s", err)
+
+			return fmt.Errorf("headscale is not ready: %w", err)
+		}
+
+		if resp.StatusCode != http.StatusOK {
+			return errHeadscaleStatusCodeNotOk
+		}
+
+		return nil
+	})
+}
+
+func (t *HeadscaleInContainer) CreateNamespace(
+	namespace string,
+) error {
+	command := []string{"headscale", "namespaces", "create", namespace}
+
+	_, _, err := dockertestutil.ExecuteCommand(
+		t.container,
+		command,
+		[]string{},
+	)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (t *HeadscaleInContainer) CreateAuthKey(
+	namespace string,
+) (*v1.PreAuthKey, error) {
+	command := []string{
+		"headscale",
+		"--namespace",
+		namespace,
+		"preauthkeys",
+		"create",
+		"--reusable",
+		"--expiration",
+		"24h",
+		"--output",
+		"json",
+	}
+
+	result, _, err := dockertestutil.ExecuteCommand(
+		t.container,
+		command,
+		[]string{},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute create auth key command: %w", err)
+	}
+
+	var preAuthKey v1.PreAuthKey
+	err = json.Unmarshal([]byte(result), &preAuthKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal auth key: %w", err)
+	}
+
+	return &preAuthKey, nil
+}
+
+func (t *HeadscaleInContainer) ListMachinesInNamespace(
+	namespace string,
+) ([]*v1.Machine, error) {
+	command := []string{"headscale", "--namespace", namespace, "nodes", "list", "--output", "json"}
+
+	result, _, err := dockertestutil.ExecuteCommand(
+		t.container,
+		command,
+		[]string{},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute list node command: %w", err)
+	}
+
+	var nodes []*v1.Machine
+	err = json.Unmarshal([]byte(result), &nodes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal nodes: %w", err)
+	}
+
+	return nodes, nil
+}
+
+func (t *HeadscaleInContainer) WriteFile(path string, data []byte) error {
+	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
+}
+
+//nolint
+func createCertificate() ([]byte, []byte, error) {
+	// From:
+	// https://shaneutt.com/blog/golang-ca-and-signed-cert-go/
+
+	ca := &x509.Certificate{
+		SerialNumber: big.NewInt(2019),
+		Subject: pkix.Name{
+			Organization: []string{"Headscale testing INC"},
+			Country:      []string{"NL"},
+			Locality:     []string{"Leiden"},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(30 * time.Minute),
+		IsCA:      true,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageClientAuth,
+			x509.ExtKeyUsageServerAuth,
+		},
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+	}
+
+	caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	cert := &x509.Certificate{
+		SerialNumber: big.NewInt(1658),
+		Subject: pkix.Name{
+			Organization: []string{"Headscale testing INC"},
+			Country:      []string{"NL"},
+			Locality:     []string{"Leiden"},
+		},
+		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().Add(30 * time.Minute),
+		SubjectKeyId: []byte{1, 2, 3, 4, 6},
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+	}
+
+	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certBytes, err := x509.CreateCertificate(
+		rand.Reader,
+		cert,
+		ca,
+		&certPrivKey.PublicKey,
+		caPrivKey,
+	)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certPEM := new(bytes.Buffer)
+
+	err = pem.Encode(certPEM, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certBytes,
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certPrivKeyPEM := new(bytes.Buffer)
+
+	err = pem.Encode(certPrivKeyPEM, &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return certPEM.Bytes(), certPrivKeyPEM.Bytes(), nil
+}

integration/integrationutil/util.go

@@ -0,0 +1,77 @@
+package integrationutil
+
+import (
+	"archive/tar"
+	"bytes"
+	"fmt"
+	"io"
+	"log"
+	"path/filepath"
+
+	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
+)
+
+func WriteFileToContainer(
+	pool *dockertest.Pool,
+	container *dockertest.Resource,
+	path string,
+	data []byte,
+) error {
+	dirPath, fileName := filepath.Split(path)
+
+	file := bytes.NewReader(data)
+
+	buf := bytes.NewBuffer([]byte{})
+
+	tarWriter := tar.NewWriter(buf)
+
+	header := &tar.Header{
+		Name: fileName,
+		Size: file.Size(),
+		// Mode:    int64(stat.Mode()),
+		// ModTime: stat.ModTime(),
+	}
+
+	err := tarWriter.WriteHeader(header)
+	if err != nil {
+		return fmt.Errorf("failed write file header to tar: %w", err)
+	}
+
+	_, err = io.Copy(tarWriter, file)
+	if err != nil {
+		return fmt.Errorf("failed to copy file to tar: %w", err)
+	}
+
+	err = tarWriter.Close()
+	if err != nil {
+		return fmt.Errorf("failed to close tar: %w", err)
+	}
+
+	log.Printf("tar: %s", buf.String())
+
+	// Ensure the directory is present inside the container
+	_, _, err = dockertestutil.ExecuteCommand(
+		container,
+		[]string{"mkdir", "-p", dirPath},
+		[]string{},
+	)
+	if err != nil {
+		return fmt.Errorf("failed to ensure directory: %w", err)
+	}
+
+	err = pool.Client.UploadToContainer(
+		container.Container.ID,
+		docker.UploadToContainerOptions{
+			NoOverwriteDirNonDir: false,
+			Path:                 dirPath,
+			InputStream:          bytes.NewReader(buf.Bytes()),
+		},
+	)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

integration/scenario.go

@@ -0,0 +1,461 @@
+package integration
+
+import (
+	"errors"
+	"fmt"
+	"log"
+	"net/netip"
+	"os"
+	"sync"
+	"time"
+
+	"github.com/juanfont/headscale"
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/ory/dockertest/v3"
+	"github.com/puzpuzpuz/xsync/v2"
+)
+
+const (
+	scenarioHashLength = 6
+	maxWait            = 60 * time.Second
+)
+
+var (
+	errNoHeadscaleAvailable = errors.New("no headscale available")
+	errNoNamespaceAvailable = errors.New("no namespace available")
+
+	// Tailscale started adding TS2021 support in CapabilityVersion>=28 (v1.24.0), but
+	// proper support in Headscale was only added for CapabilityVersion>=39 clients (v1.30.0).
+	tailscaleVersions2021 = []string{
+		"head",
+		"unstable",
+		"1.32.1",
+		"1.30.2",
+	}
+
+	tailscaleVersions2019 = []string{
+		"1.28.0",
+		"1.26.2",
+		"1.24.2",
+		"1.22.2",
+		"1.20.4",
+		"1.18.2",
+		"1.16.2",
+	}
+
+	// tailscaleVersionsUnavailable = []string{
+	// 	// These versions seem to fail when fetching from apt.
+	// 	"1.14.6",
+	// 	"1.12.4",
+	// 	"1.10.2",
+	// 	"1.8.7",
+	// }.
+
+	TailscaleVersions = append(
+		tailscaleVersions2021,
+		tailscaleVersions2019...,
+	)
+)
+
+type Namespace struct {
+	Clients map[string]TailscaleClient
+
+	createWaitGroup sync.WaitGroup
+	joinWaitGroup   sync.WaitGroup
+	syncWaitGroup   sync.WaitGroup
+}
+
+// TODO(kradalby): make control server configurable, test correctness with Tailscale SaaS.
+type Scenario struct {
+	// TODO(kradalby): support multiple headcales for later, currently only
+	// use one.
+	controlServers *xsync.MapOf[string, ControlServer]
+
+	namespaces map[string]*Namespace
+
+	pool    *dockertest.Pool
+	network *dockertest.Network
+
+	headscaleLock sync.Mutex
+}
+
+func NewScenario() (*Scenario, error) {
+	hash, err := headscale.GenerateRandomStringDNSSafe(scenarioHashLength)
+	if err != nil {
+		return nil, err
+	}
+
+	pool, err := dockertest.NewPool("")
+	if err != nil {
+		return nil, fmt.Errorf("could not connect to docker: %w", err)
+	}
+
+	pool.MaxWait = maxWait
+
+	networkName := fmt.Sprintf("hs-%s", hash)
+	if overrideNetworkName := os.Getenv("HEADSCALE_TEST_NETWORK_NAME"); overrideNetworkName != "" {
+		networkName = overrideNetworkName
+	}
+
+	network, err := dockertestutil.GetFirstOrCreateNetwork(pool, networkName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create or get network: %w", err)
+	}
+
+	// We run the test suite in a docker container that calls a couple of endpoints for
+	// readiness checks, this ensures that we can run the tests with individual networks
+	// and have the client reach the different containers
+	err = dockertestutil.AddContainerToNetwork(pool, network, "headscale-test-suite")
+	if err != nil {
+		return nil, fmt.Errorf("failed to add test suite container to network: %w", err)
+	}
+
+	return &Scenario{
+		controlServers: xsync.NewMapOf[ControlServer](),
+		namespaces:     make(map[string]*Namespace),
+
+		pool:    pool,
+		network: network,
+	}, nil
+}
+
+func (s *Scenario) Shutdown() error {
+	s.controlServers.Range(func(_ string, control ControlServer) bool {
+		err := control.Shutdown()
+		if err != nil {
+			log.Printf(
+				"Failed to shut down control: %s",
+				fmt.Errorf("failed to tear down control: %w", err),
+			)
+		}
+
+		return true
+	})
+
+	for namespaceName, namespace := range s.namespaces {
+		for _, client := range namespace.Clients {
+			log.Printf("removing client %s in namespace %s", client.Hostname(), namespaceName)
+			err := client.Shutdown()
+			if err != nil {
+				return fmt.Errorf("failed to tear down client: %w", err)
+			}
+		}
+	}
+
+	if err := s.pool.RemoveNetwork(s.network); err != nil {
+		return fmt.Errorf("failed to remove network: %w", err)
+	}
+
+	// TODO(kradalby): This seem redundant to the previous call
+	// if err := s.network.Close(); err != nil {
+	// 	return fmt.Errorf("failed to tear down network: %w", err)
+	// }
+
+	return nil
+}
+
+func (s *Scenario) Namespaces() []string {
+	namespaces := make([]string, 0)
+	for namespace := range s.namespaces {
+		namespaces = append(namespaces, namespace)
+	}
+
+	return namespaces
+}
+
+/// Headscale related stuff
+// Note: These functions assume that there is a _single_ headscale instance for now
+
+// TODO(kradalby): make port and headscale configurable, multiple instances support?
+func (s *Scenario) Headscale(opts ...hsic.Option) (ControlServer, error) {
+	s.headscaleLock.Lock()
+	defer s.headscaleLock.Unlock()
+
+	if headscale, ok := s.controlServers.Load("headscale"); ok {
+		return headscale, nil
+	}
+
+	headscale, err := hsic.New(s.pool, s.network, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create headscale container: %w", err)
+	}
+
+	err = headscale.WaitForReady()
+	if err != nil {
+		return nil, fmt.Errorf("failed reach headscale container: %w", err)
+	}
+
+	s.controlServers.Store("headscale", headscale)
+
+	return headscale, nil
+}
+
+func (s *Scenario) CreatePreAuthKey(namespace string) (*v1.PreAuthKey, error) {
+	if headscale, err := s.Headscale(); err == nil {
+		key, err := headscale.CreateAuthKey(namespace)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create namespace: %w", err)
+		}
+
+		return key, nil
+	}
+
+	return nil, fmt.Errorf("failed to create namespace: %w", errNoHeadscaleAvailable)
+}
+
+func (s *Scenario) CreateNamespace(namespace string) error {
+	if headscale, err := s.Headscale(); err == nil {
+		err := headscale.CreateNamespace(namespace)
+		if err != nil {
+			return fmt.Errorf("failed to create namespace: %w", err)
+		}
+
+		s.namespaces[namespace] = &Namespace{
+			Clients: make(map[string]TailscaleClient),
+		}
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to create namespace: %w", errNoHeadscaleAvailable)
+}
+
+/// Client related stuff
+
+func (s *Scenario) CreateTailscaleNodesInNamespace(
+	namespaceStr string,
+	requestedVersion string,
+	count int,
+) error {
+	if namespace, ok := s.namespaces[namespaceStr]; ok {
+		for i := 0; i < count; i++ {
+			version := requestedVersion
+			if requestedVersion == "all" {
+				version = TailscaleVersions[i%len(TailscaleVersions)]
+			}
+
+			headscale, err := s.Headscale()
+			if err != nil {
+				return fmt.Errorf("failed to create tailscale node: %w", err)
+			}
+
+			cert := headscale.GetCert()
+			hostname := headscale.GetHostname()
+
+			namespace.createWaitGroup.Add(1)
+
+			go func() {
+				defer namespace.createWaitGroup.Done()
+
+				// TODO(kradalby): error handle this
+				tsClient, err := tsic.New(
+					s.pool,
+					version,
+					s.network,
+					tsic.WithHeadscaleTLS(cert),
+					tsic.WithHeadscaleName(hostname),
+				)
+				if err != nil {
+					// return fmt.Errorf("failed to add tailscale node: %w", err)
+					log.Printf("failed to create tailscale node: %s", err)
+				}
+
+				err = tsClient.WaitForReady()
+				if err != nil {
+					// return fmt.Errorf("failed to add tailscale node: %w", err)
+					log.Printf("failed to wait for tailscaled: %s", err)
+				}
+
+				namespace.Clients[tsClient.Hostname()] = tsClient
+			}()
+		}
+		namespace.createWaitGroup.Wait()
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to add tailscale node: %w", errNoNamespaceAvailable)
+}
+
+func (s *Scenario) RunTailscaleUp(
+	namespaceStr, loginServer, authKey string,
+) error {
+	if namespace, ok := s.namespaces[namespaceStr]; ok {
+		for _, client := range namespace.Clients {
+			namespace.joinWaitGroup.Add(1)
+
+			go func(c TailscaleClient) {
+				defer namespace.joinWaitGroup.Done()
+
+				// TODO(kradalby): error handle this
+				_ = c.Up(loginServer, authKey)
+			}(client)
+
+			err := client.WaitForReady()
+			if err != nil {
+				log.Printf("error waiting for client %s to be ready: %s", client.Hostname(), err)
+			}
+		}
+
+		namespace.joinWaitGroup.Wait()
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to up tailscale node: %w", errNoNamespaceAvailable)
+}
+
+func (s *Scenario) CountTailscale() int {
+	count := 0
+
+	for _, namespace := range s.namespaces {
+		count += len(namespace.Clients)
+	}
+
+	return count
+}
+
+func (s *Scenario) WaitForTailscaleSync() error {
+	tsCount := s.CountTailscale()
+
+	for _, namespace := range s.namespaces {
+		for _, client := range namespace.Clients {
+			namespace.syncWaitGroup.Add(1)
+
+			go func(c TailscaleClient) {
+				defer namespace.syncWaitGroup.Done()
+
+				// TODO(kradalby): error handle this
+				_ = c.WaitForPeers(tsCount)
+			}(client)
+		}
+		namespace.syncWaitGroup.Wait()
+	}
+
+	return nil
+}
+
+// CreateHeadscaleEnv is a conventient method returning a set up Headcale
+// test environment with nodes of all versions, joined to the server with X
+// namespaces.
+func (s *Scenario) CreateHeadscaleEnv(namespaces map[string]int, opts ...hsic.Option) error {
+	headscale, err := s.Headscale(opts...)
+	if err != nil {
+		return err
+	}
+
+	for namespaceName, clientCount := range namespaces {
+		err = s.CreateNamespace(namespaceName)
+		if err != nil {
+			return err
+		}
+
+		err = s.CreateTailscaleNodesInNamespace(namespaceName, "all", clientCount)
+		if err != nil {
+			return err
+		}
+
+		key, err := s.CreatePreAuthKey(namespaceName)
+		if err != nil {
+			return err
+		}
+
+		err = s.RunTailscaleUp(namespaceName, headscale.GetEndpoint(), key.GetKey())
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *Scenario) GetIPs(namespace string) ([]netip.Addr, error) {
+	var ips []netip.Addr
+	if ns, ok := s.namespaces[namespace]; ok {
+		for _, client := range ns.Clients {
+			clientIps, err := client.IPs()
+			if err != nil {
+				return ips, fmt.Errorf("failed to get ips: %w", err)
+			}
+			ips = append(ips, clientIps...)
+		}
+
+		return ips, nil
+	}
+
+	return ips, fmt.Errorf("failed to get ips: %w", errNoNamespaceAvailable)
+}
+
+func (s *Scenario) GetClients(namespace string) ([]TailscaleClient, error) {
+	var clients []TailscaleClient
+	if ns, ok := s.namespaces[namespace]; ok {
+		for _, client := range ns.Clients {
+			clients = append(clients, client)
+		}
+
+		return clients, nil
+	}
+
+	return clients, fmt.Errorf("failed to get clients: %w", errNoNamespaceAvailable)
+}
+
+func (s *Scenario) ListTailscaleClients(namespaces ...string) ([]TailscaleClient, error) {
+	var allClients []TailscaleClient
+
+	if len(namespaces) == 0 {
+		namespaces = s.Namespaces()
+	}
+
+	for _, namespace := range namespaces {
+		clients, err := s.GetClients(namespace)
+		if err != nil {
+			return nil, err
+		}
+
+		allClients = append(allClients, clients...)
+	}
+
+	return allClients, nil
+}
+
+func (s *Scenario) ListTailscaleClientsIPs(namespaces ...string) ([]netip.Addr, error) {
+	var allIps []netip.Addr
+
+	if len(namespaces) == 0 {
+		namespaces = s.Namespaces()
+	}
+
+	for _, namespace := range namespaces {
+		ips, err := s.GetIPs(namespace)
+		if err != nil {
+			return nil, err
+		}
+
+		allIps = append(allIps, ips...)
+	}
+
+	return allIps, nil
+}
+
+func (s *Scenario) ListTailscaleClientsFQDNs(namespaces ...string) ([]string, error) {
+	allFQDNs := make([]string, 0)
+
+	clients, err := s.ListTailscaleClients(namespaces...)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, client := range clients {
+		fqdn, err := client.FQDN()
+		if err != nil {
+			return nil, err
+		}
+
+		allFQDNs = append(allFQDNs, fqdn)
+	}
+
+	return allFQDNs, nil
+}

integration/scenario_test.go

@@ -0,0 +1,189 @@
+package integration
+
+import (
+	"testing"
+
+	"github.com/juanfont/headscale/integration/dockertestutil"
+)
+
+// This file is intendet to "test the test framework", by proxy it will also test
+// some Headcsale/Tailscale stuff, but mostly in very simple ways.
+
+func IntegrationSkip(t *testing.T) {
+	t.Helper()
+
+	if !dockertestutil.IsRunningInContainer() {
+		t.Skip("not running in docker, skipping")
+	}
+
+	if testing.Short() {
+		t.Skip("skipping integration tests due to short flag")
+	}
+}
+
+func TestHeadscale(t *testing.T) {
+	IntegrationSkip(t)
+
+	var err error
+
+	namespace := "test-space"
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	t.Run("start-headscale", func(t *testing.T) {
+		headscale, err := scenario.Headscale()
+		if err != nil {
+			t.Errorf("failed to create start headcale: %s", err)
+		}
+
+		err = headscale.WaitForReady()
+		if err != nil {
+			t.Errorf("headscale failed to become ready: %s", err)
+		}
+	})
+
+	t.Run("create-namespace", func(t *testing.T) {
+		err := scenario.CreateNamespace(namespace)
+		if err != nil {
+			t.Errorf("failed to create namespace: %s", err)
+		}
+
+		if _, ok := scenario.namespaces[namespace]; !ok {
+			t.Errorf("namespace is not in scenario")
+		}
+	})
+
+	t.Run("create-auth-key", func(t *testing.T) {
+		_, err := scenario.CreatePreAuthKey(namespace)
+		if err != nil {
+			t.Errorf("failed to create preauthkey: %s", err)
+		}
+	})
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestCreateTailscale(t *testing.T) {
+	IntegrationSkip(t)
+
+	namespace := "only-create-containers"
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	scenario.namespaces[namespace] = &Namespace{
+		Clients: make(map[string]TailscaleClient),
+	}
+
+	t.Run("create-tailscale", func(t *testing.T) {
+		err := scenario.CreateTailscaleNodesInNamespace(namespace, "all", 3)
+		if err != nil {
+			t.Errorf("failed to add tailscale nodes: %s", err)
+		}
+
+		if clients := len(scenario.namespaces[namespace].Clients); clients != 3 {
+			t.Errorf("wrong number of tailscale clients: %d != %d", clients, 3)
+		}
+
+		// TODO(kradalby): Test "all" version logic
+	})
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestTailscaleNodesJoiningHeadcale(t *testing.T) {
+	IntegrationSkip(t)
+
+	var err error
+
+	namespace := "join-node-test"
+
+	count := 1
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	t.Run("start-headscale", func(t *testing.T) {
+		headscale, err := scenario.Headscale()
+		if err != nil {
+			t.Errorf("failed to create start headcale: %s", err)
+		}
+
+		err = headscale.WaitForReady()
+		if err != nil {
+			t.Errorf("headscale failed to become ready: %s", err)
+		}
+	})
+
+	t.Run("create-namespace", func(t *testing.T) {
+		err := scenario.CreateNamespace(namespace)
+		if err != nil {
+			t.Errorf("failed to create namespace: %s", err)
+		}
+
+		if _, ok := scenario.namespaces[namespace]; !ok {
+			t.Errorf("namespace is not in scenario")
+		}
+	})
+
+	t.Run("create-tailscale", func(t *testing.T) {
+		err := scenario.CreateTailscaleNodesInNamespace(namespace, "1.30.2", count)
+		if err != nil {
+			t.Errorf("failed to add tailscale nodes: %s", err)
+		}
+
+		if clients := len(scenario.namespaces[namespace].Clients); clients != count {
+			t.Errorf("wrong number of tailscale clients: %d != %d", clients, count)
+		}
+	})
+
+	t.Run("join-headscale", func(t *testing.T) {
+		key, err := scenario.CreatePreAuthKey(namespace)
+		if err != nil {
+			t.Errorf("failed to create preauthkey: %s", err)
+		}
+
+		headscale, err := scenario.Headscale()
+		if err != nil {
+			t.Errorf("failed to create start headcale: %s", err)
+		}
+
+		err = scenario.RunTailscaleUp(
+			namespace,
+			headscale.GetEndpoint(),
+			key.GetKey(),
+		)
+		if err != nil {
+			t.Errorf("failed to login: %s", err)
+		}
+	})
+
+	t.Run("get-ips", func(t *testing.T) {
+		ips, err := scenario.GetIPs(namespace)
+		if err != nil {
+			t.Errorf("failed to get tailscale ips: %s", err)
+		}
+
+		if len(ips) != count*2 {
+			t.Errorf("got the wrong amount of tailscale ips, %d != %d", len(ips), count*2)
+		}
+	})
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}

integration/tailscale.go

@@ -0,0 +1,23 @@
+package integration
+
+import (
+	"net/netip"
+	"net/url"
+
+	"tailscale.com/ipn/ipnstate"
+)
+
+type TailscaleClient interface {
+	Hostname() string
+	Shutdown() error
+	Version() string
+	Execute(command []string) (string, string, error)
+	Up(loginServer, authKey string) error
+	UpWithLoginURL(loginServer string) (*url.URL, error)
+	IPs() ([]netip.Addr, error)
+	FQDN() (string, error)
+	Status() (*ipnstate.Status, error)
+	WaitForReady() error
+	WaitForPeers(expected int) error
+	Ping(hostnameOrIP string) error
+}

integration/tsic/tsic.go

@@ -0,0 +1,430 @@
+package tsic
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log"
+	"net/netip"
+	"net/url"
+	"strings"
+
+	"github.com/cenkalti/backoff/v4"
+	"github.com/juanfont/headscale"
+	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/juanfont/headscale/integration/integrationutil"
+	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
+	"tailscale.com/ipn/ipnstate"
+)
+
+const (
+	tsicHashLength    = 6
+	dockerContextPath = "../."
+	headscaleCertPath = "/usr/local/share/ca-certificates/headscale.crt"
+)
+
+var (
+	errTailscalePingFailed             = errors.New("ping failed")
+	errTailscaleNotLoggedIn            = errors.New("tailscale not logged in")
+	errTailscaleWrongPeerCount         = errors.New("wrong peer count")
+	errTailscaleCannotUpWithoutAuthkey = errors.New("cannot up without authkey")
+	errTailscaleNotConnected           = errors.New("tailscale not connected")
+)
+
+type TailscaleInContainer struct {
+	version  string
+	hostname string
+
+	pool      *dockertest.Pool
+	container *dockertest.Resource
+	network   *dockertest.Network
+
+	// "cache"
+	ips  []netip.Addr
+	fqdn string
+
+	// optional config
+	headscaleCert     []byte
+	headscaleHostname string
+}
+
+type Option = func(c *TailscaleInContainer)
+
+func WithHeadscaleTLS(cert []byte) Option {
+	return func(tsic *TailscaleInContainer) {
+		tsic.headscaleCert = cert
+	}
+}
+
+func WithOrCreateNetwork(network *dockertest.Network) Option {
+	return func(tsic *TailscaleInContainer) {
+		if network != nil {
+			tsic.network = network
+
+			return
+		}
+
+		network, err := dockertestutil.GetFirstOrCreateNetwork(
+			tsic.pool,
+			fmt.Sprintf("%s-network", tsic.hostname),
+		)
+		if err != nil {
+			log.Fatalf("failed to create network: %s", err)
+		}
+
+		tsic.network = network
+	}
+}
+
+func WithHeadscaleName(hsName string) Option {
+	return func(tsic *TailscaleInContainer) {
+		tsic.headscaleHostname = hsName
+	}
+}
+
+func New(
+	pool *dockertest.Pool,
+	version string,
+	network *dockertest.Network,
+	opts ...Option,
+) (*TailscaleInContainer, error) {
+	hash, err := headscale.GenerateRandomStringDNSSafe(tsicHashLength)
+	if err != nil {
+		return nil, err
+	}
+
+	hostname := fmt.Sprintf("ts-%s-%s", strings.ReplaceAll(version, ".", "-"), hash)
+
+	tsic := &TailscaleInContainer{
+		version:  version,
+		hostname: hostname,
+
+		pool:    pool,
+		network: network,
+	}
+
+	for _, opt := range opts {
+		opt(tsic)
+	}
+
+	tailscaleOptions := &dockertest.RunOptions{
+		Name:     hostname,
+		Networks: []*dockertest.Network{network},
+		// Cmd: []string{
+		// 	"tailscaled", "--tun=tsdev",
+		// },
+		Entrypoint: []string{
+			"/bin/bash",
+			"-c",
+			"/bin/sleep 3 ; update-ca-certificates ; tailscaled --tun=tsdev",
+		},
+	}
+
+	if tsic.headscaleHostname != "" {
+		tailscaleOptions.ExtraHosts = []string{
+			"host.docker.internal:host-gateway",
+			fmt.Sprintf("%s:host-gateway", tsic.headscaleHostname),
+		}
+	}
+
+	// dockertest isnt very good at handling containers that has already
+	// been created, this is an attempt to make sure this container isnt
+	// present.
+	err = pool.RemoveContainerByName(hostname)
+	if err != nil {
+		return nil, err
+	}
+
+	container, err := pool.BuildAndRunWithBuildOptions(
+		createTailscaleBuildOptions(version),
+		tailscaleOptions,
+		dockertestutil.DockerRestartPolicy,
+		dockertestutil.DockerAllowLocalIPv6,
+		dockertestutil.DockerAllowNetworkAdministration,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("could not start tailscale container: %w", err)
+	}
+	log.Printf("Created %s container\n", hostname)
+
+	tsic.container = container
+
+	if tsic.hasTLS() {
+		err = tsic.WriteFile(headscaleCertPath, tsic.headscaleCert)
+		if err != nil {
+			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
+		}
+	}
+
+	return tsic, nil
+}
+
+func (t *TailscaleInContainer) hasTLS() bool {
+	return len(t.headscaleCert) != 0
+}
+
+func (t *TailscaleInContainer) Shutdown() error {
+	return t.pool.Purge(t.container)
+}
+
+func (t *TailscaleInContainer) Hostname() string {
+	return t.hostname
+}
+
+func (t *TailscaleInContainer) Version() string {
+	return t.version
+}
+
+func (t *TailscaleInContainer) Execute(
+	command []string,
+) (string, string, error) {
+	stdout, stderr, err := dockertestutil.ExecuteCommand(
+		t.container,
+		command,
+		[]string{},
+	)
+	if err != nil {
+		log.Printf("command stderr: %s\n", stderr)
+
+		if stdout != "" {
+			log.Printf("command stdout: %s\n", stdout)
+		}
+
+		if strings.Contains(stderr, "NeedsLogin") {
+			return stdout, stderr, errTailscaleNotLoggedIn
+		}
+
+		return stdout, stderr, err
+	}
+
+	return stdout, stderr, nil
+}
+
+func (t *TailscaleInContainer) Up(
+	loginServer, authKey string,
+) error {
+	command := []string{
+		"tailscale",
+		"up",
+		"-login-server",
+		loginServer,
+		"--authkey",
+		authKey,
+		"--hostname",
+		t.hostname,
+	}
+
+	if _, _, err := t.Execute(command); err != nil {
+		return fmt.Errorf("failed to join tailscale client: %w", err)
+	}
+
+	return nil
+}
+
+func (t *TailscaleInContainer) UpWithLoginURL(
+	loginServer string,
+) (*url.URL, error) {
+	command := []string{
+		"tailscale",
+		"up",
+		"-login-server",
+		loginServer,
+		"--hostname",
+		t.hostname,
+	}
+
+	_, stderr, err := t.Execute(command)
+	if errors.Is(err, errTailscaleNotLoggedIn) {
+		return nil, errTailscaleCannotUpWithoutAuthkey
+	}
+
+	urlStr := strings.ReplaceAll(stderr, "\nTo authenticate, visit:\n\n\t", "")
+	urlStr = strings.TrimSpace(urlStr)
+
+	// parse URL
+	loginURL, err := url.Parse(urlStr)
+	if err != nil {
+		log.Printf("Could not parse login URL: %s", err)
+		log.Printf("Original join command result: %s", stderr)
+
+		return nil, err
+	}
+
+	return loginURL, nil
+}
+
+func (t *TailscaleInContainer) IPs() ([]netip.Addr, error) {
+	if t.ips != nil && len(t.ips) != 0 {
+		return t.ips, nil
+	}
+
+	ips := make([]netip.Addr, 0)
+
+	command := []string{
+		"tailscale",
+		"ip",
+	}
+
+	result, _, err := t.Execute(command)
+	if err != nil {
+		return []netip.Addr{}, fmt.Errorf("failed to join tailscale client: %w", err)
+	}
+
+	for _, address := range strings.Split(result, "\n") {
+		address = strings.TrimSuffix(address, "\n")
+		if len(address) < 1 {
+			continue
+		}
+		ip, err := netip.ParseAddr(address)
+		if err != nil {
+			return nil, err
+		}
+		ips = append(ips, ip)
+	}
+
+	return ips, nil
+}
+
+func (t *TailscaleInContainer) Status() (*ipnstate.Status, error) {
+	command := []string{
+		"tailscale",
+		"status",
+		"--json",
+	}
+
+	result, _, err := t.Execute(command)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute tailscale status command: %w", err)
+	}
+
+	var status ipnstate.Status
+	err = json.Unmarshal([]byte(result), &status)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal tailscale status: %w", err)
+	}
+
+	return &status, err
+}
+
+func (t *TailscaleInContainer) FQDN() (string, error) {
+	if t.fqdn != "" {
+		return t.fqdn, nil
+	}
+
+	status, err := t.Status()
+	if err != nil {
+		return "", fmt.Errorf("failed to get FQDN: %w", err)
+	}
+
+	return status.Self.DNSName, nil
+}
+
+func (t *TailscaleInContainer) WaitForReady() error {
+	return t.pool.Retry(func() error {
+		status, err := t.Status()
+		if err != nil {
+			return fmt.Errorf("failed to fetch tailscale status: %w", err)
+		}
+
+		if status.CurrentTailnet != nil {
+			return nil
+		}
+
+		return errTailscaleNotConnected
+	})
+}
+
+func (t *TailscaleInContainer) WaitForPeers(expected int) error {
+	return t.pool.Retry(func() error {
+		status, err := t.Status()
+		if err != nil {
+			return fmt.Errorf("failed to fetch tailscale status: %w", err)
+		}
+
+		if peers := status.Peers(); len(peers) != expected {
+			return errTailscaleWrongPeerCount
+		}
+
+		return nil
+	})
+}
+
+// TODO(kradalby): Make multiping, go routine magic.
+func (t *TailscaleInContainer) Ping(hostnameOrIP string) error {
+	return t.pool.Retry(func() error {
+		command := []string{
+			"tailscale", "ping",
+			"--timeout=1s",
+			"--c=10",
+			"--until-direct=true",
+			hostnameOrIP,
+		}
+
+		result, _, err := t.Execute(command)
+		if err != nil {
+			log.Printf(
+				"failed to run ping command from %s to %s, err: %s",
+				t.Hostname(),
+				hostnameOrIP,
+				err,
+			)
+
+			return err
+		}
+
+		if !strings.Contains(result, "pong") && !strings.Contains(result, "is local") {
+			return backoff.Permanent(errTailscalePingFailed)
+		}
+
+		return nil
+	})
+}
+
+func (t *TailscaleInContainer) WriteFile(path string, data []byte) error {
+	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
+}
+
+func createTailscaleBuildOptions(version string) *dockertest.BuildOptions {
+	var tailscaleBuildOptions *dockertest.BuildOptions
+	switch version {
+	case "head":
+		tailscaleBuildOptions = &dockertest.BuildOptions{
+			Dockerfile: "Dockerfile.tailscale-HEAD",
+			ContextDir: dockerContextPath,
+			BuildArgs:  []docker.BuildArg{},
+		}
+	case "unstable":
+		tailscaleBuildOptions = &dockertest.BuildOptions{
+			Dockerfile: "Dockerfile.tailscale",
+			ContextDir: dockerContextPath,
+			BuildArgs: []docker.BuildArg{
+				{
+					Name:  "TAILSCALE_VERSION",
+					Value: "*", // Installs the latest version https://askubuntu.com/a/824926
+				},
+				{
+					Name:  "TAILSCALE_CHANNEL",
+					Value: "unstable",
+				},
+			},
+		}
+	default:
+		tailscaleBuildOptions = &dockertest.BuildOptions{
+			Dockerfile: "Dockerfile.tailscale",
+			ContextDir: dockerContextPath,
+			BuildArgs: []docker.BuildArg{
+				{
+					Name:  "TAILSCALE_VERSION",
+					Value: version,
+				},
+				{
+					Name:  "TAILSCALE_CHANNEL",
+					Value: "stable",
+				},
+			},
+		}
+	}
+
+	return tailscaleBuildOptions
+}

integration_cli_test.go

@@ -1,6 +1,4 @@
-//go:build integration
-// +build integration
-
+// nolint
 package headscale
 
 import (
@@ -14,6 +12,7 @@ import (
 
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
 )
@@ -28,7 +27,11 @@ type IntegrationCLITestSuite struct {
 	env       []string
 }
 
-func TestCLIIntegrationTestSuite(t *testing.T) {
+func TestIntegrationCLITestSuite(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration tests due to short flag")
+	}
+
 	s := new(IntegrationCLITestSuite)
 
 	suite.Run(t, s)
@@ -40,14 +43,14 @@ func (s *IntegrationCLITestSuite) SetupTest() {
 	if ppool, err := dockertest.NewPool(""); err == nil {
 		s.pool = *ppool
 	} else {
-		log.Fatalf("Could not connect to docker: %s", err)
+		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
 	}
 
-	if pnetwork, err := s.pool.CreateNetwork("headscale-test"); err == nil {
-		s.network = *pnetwork
-	} else {
-		log.Fatalf("Could not create network: %s", err)
+	network, err := GetFirstOrCreateNetwork(&s.pool, headscaleNetwork)
+	if err != nil {
+		s.FailNow(fmt.Sprintf("Failed to create or get network: %s", err), "")
 	}
+	s.network = network
 
 	headscaleBuildOptions := &dockertest.BuildOptions{
 		Dockerfile: "Dockerfile",
@@ -56,7 +59,7 @@ func (s *IntegrationCLITestSuite) SetupTest() {
 
 	currentPath, err := os.Getwd()
 	if err != nil {
-		log.Fatalf("Could not determine current path: %s", err)
+		s.FailNow(fmt.Sprintf("Could not determine current path: %s", err), "")
 	}
 
 	headscaleOptions := &dockertest.RunOptions{
@@ -64,25 +67,43 @@ func (s *IntegrationCLITestSuite) SetupTest() {
 		Mounts: []string{
 			fmt.Sprintf("%s/integration_test/etc:/etc/headscale", currentPath),
 		},
-		Networks: []*dockertest.Network{&s.network},
-		Cmd:      []string{"headscale", "serve"},
+		Cmd:          []string{"headscale", "serve"},
+		Networks:     []*dockertest.Network{&s.network},
+		ExposedPorts: []string{"8080/tcp"},
+		PortBindings: map[docker.Port][]docker.PortBinding{
+			"8080/tcp": {{HostPort: "8080"}},
+		},
 	}
 
-	fmt.Println("Creating headscale container")
+	err = s.pool.RemoveContainerByName(headscaleHostname)
+	if err != nil {
+		s.FailNow(
+			fmt.Sprintf(
+				"Could not remove existing container before building test: %s",
+				err,
+			),
+			"",
+		)
+	}
+
+	fmt.Println("Creating headscale container for CLI tests")
 	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
 		s.headscale = *pheadscale
 	} else {
-		log.Fatalf("Could not start headscale container: %s", err)
+		s.FailNow(fmt.Sprintf("Could not start headscale container: %s", err), "")
 	}
-	fmt.Println("Created headscale container")
+	fmt.Println("Created headscale container for CLI tests")
 
-	fmt.Println("Waiting for headscale to be ready")
-	hostEndpoint := fmt.Sprintf("localhost:%s", s.headscale.GetPort("8080/tcp"))
+	fmt.Println("Waiting for headscale to be ready for CLI tests")
+	hostEndpoint := fmt.Sprintf("%s:%s",
+		s.headscale.GetIPInNetwork(&s.network),
+		s.headscale.GetPort("8080/tcp"))
 
 	if err := s.pool.Retry(func() error {
 		url := fmt.Sprintf("http://%s/health", hostEndpoint)
 		resp, err := http.Get(url)
 		if err != nil {
+			fmt.Printf("headscale for CLI test is not ready: %s\n", err)
 			return err
 		}
 		if resp.StatusCode != http.StatusOK {
@@ -97,7 +118,7 @@ func (s *IntegrationCLITestSuite) SetupTest() {
 		// https://github.com/stretchr/testify/issues/849
 		return // fmt.Errorf("Could not connect to headscale: %s", err)
 	}
-	fmt.Println("headscale container is ready")
+	fmt.Println("headscale container is ready for CLI tests")
 }
 
 func (s *IntegrationCLITestSuite) TearDownTest() {
@@ -118,7 +139,7 @@ func (s *IntegrationCLITestSuite) HandleStats(
 }
 
 func (s *IntegrationCLITestSuite) createNamespace(name string) (*v1.Namespace, error) {
-	result, err := ExecuteCommand(
+	result, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -161,7 +182,7 @@ func (s *IntegrationCLITestSuite) TestNamespaceCommand() {
 	assert.Equal(s.T(), names[2], namespaces[2].Name)
 
 	// Test list namespaces
-	listResult, err := ExecuteCommand(
+	listResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -183,7 +204,7 @@ func (s *IntegrationCLITestSuite) TestNamespaceCommand() {
 	assert.Equal(s.T(), names[2], listedNamespaces[2].Name)
 
 	// Test rename namespace
-	renameResult, err := ExecuteCommand(
+	renameResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -205,7 +226,7 @@ func (s *IntegrationCLITestSuite) TestNamespaceCommand() {
 	assert.Equal(s.T(), renamedNamespace.Name, "newname")
 
 	// Test list after rename namespaces
-	listAfterRenameResult, err := ExecuteCommand(
+	listAfterRenameResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -236,7 +257,7 @@ func (s *IntegrationCLITestSuite) TestPreAuthKeyCommand() {
 	assert.Nil(s.T(), err)
 
 	for i := 0; i < count; i++ {
-		preAuthResult, err := ExecuteCommand(
+		preAuthResult, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -249,6 +270,8 @@ func (s *IntegrationCLITestSuite) TestPreAuthKeyCommand() {
 				"24h",
 				"--output",
 				"json",
+				"--tags",
+				"tag:test1,tag:test2",
 			},
 			[]string{},
 		)
@@ -264,7 +287,7 @@ func (s *IntegrationCLITestSuite) TestPreAuthKeyCommand() {
 	assert.Len(s.T(), keys, 5)
 
 	// Test list of keys
-	listResult, err := ExecuteCommand(
+	listResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -322,9 +345,14 @@ func (s *IntegrationCLITestSuite) TestPreAuthKeyCommand() {
 		listedPreAuthKeys[4].Expiration.AsTime().Before(time.Now().Add(time.Hour*26)),
 	)
 
+	// Test that tags are present
+	for i := 0; i < count; i++ {
+		assert.Equal(s.T(), listedPreAuthKeys[i].AclTags, []string{"tag:test1", "tag:test2"})
+	}
+
 	// Expire three keys
 	for i := 0; i < 3; i++ {
-		_, err := ExecuteCommand(
+		_, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -340,7 +368,7 @@ func (s *IntegrationCLITestSuite) TestPreAuthKeyCommand() {
 	}
 
 	// Test list pre auth keys after expire
-	listAfterExpireResult, err := ExecuteCommand(
+	listAfterExpireResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -385,7 +413,7 @@ func (s *IntegrationCLITestSuite) TestPreAuthKeyCommandWithoutExpiry() {
 	namespace, err := s.createNamespace("pre-auth-key-without-exp-namespace")
 	assert.Nil(s.T(), err)
 
-	preAuthResult, err := ExecuteCommand(
+	preAuthResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -406,7 +434,7 @@ func (s *IntegrationCLITestSuite) TestPreAuthKeyCommandWithoutExpiry() {
 	assert.Nil(s.T(), err)
 
 	// Test list of keys
-	listResult, err := ExecuteCommand(
+	listResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -438,7 +466,7 @@ func (s *IntegrationCLITestSuite) TestPreAuthKeyCommandReusableEphemeral() {
 	namespace, err := s.createNamespace("pre-auth-key-reus-ephm-namespace")
 	assert.Nil(s.T(), err)
 
-	preAuthReusableResult, err := ExecuteCommand(
+	preAuthReusableResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -461,7 +489,7 @@ func (s *IntegrationCLITestSuite) TestPreAuthKeyCommandReusableEphemeral() {
 	assert.True(s.T(), preAuthReusableKey.GetReusable())
 	assert.False(s.T(), preAuthReusableKey.GetEphemeral())
 
-	preAuthEphemeralResult, err := ExecuteCommand(
+	preAuthEphemeralResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -503,7 +531,7 @@ func (s *IntegrationCLITestSuite) TestPreAuthKeyCommandReusableEphemeral() {
 	// assert.NotNil(s.T(), err)
 
 	// Test list of keys
-	listResult, err := ExecuteCommand(
+	listResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -530,14 +558,14 @@ func (s *IntegrationCLITestSuite) TestNodeTagCommand() {
 	assert.Nil(s.T(), err)
 
 	machineKeys := []string{
-		"9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-		"6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
+		"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		"nodekey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
 	}
 	machines := make([]*v1.Machine, len(machineKeys))
 	assert.Nil(s.T(), err)
 
 	for index, machineKey := range machineKeys {
-		_, err := ExecuteCommand(
+		_, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -556,7 +584,7 @@ func (s *IntegrationCLITestSuite) TestNodeTagCommand() {
 		)
 		assert.Nil(s.T(), err)
 
-		machineResult, err := ExecuteCommand(
+		machineResult, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -581,7 +609,7 @@ func (s *IntegrationCLITestSuite) TestNodeTagCommand() {
 	}
 	assert.Len(s.T(), machines, len(machineKeys))
 
-	addTagResult, err := ExecuteCommand(
+	addTagResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -601,7 +629,7 @@ func (s *IntegrationCLITestSuite) TestNodeTagCommand() {
 	assert.Equal(s.T(), []string{"tag:test"}, machine.ForcedTags)
 
 	// try to set a wrong tag and retrieve the error
-	wrongTagResult, err := ExecuteCommand(
+	wrongTagResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -620,10 +648,10 @@ func (s *IntegrationCLITestSuite) TestNodeTagCommand() {
 	var errorOutput errOutput
 	err = json.Unmarshal([]byte(wrongTagResult), &errorOutput)
 	assert.Nil(s.T(), err)
-	assert.Contains(s.T(), errorOutput.Error, "Invalid tag detected")
+	assert.Contains(s.T(), errorOutput.Error, "tag must start with the string 'tag:'")
 
 	// Test list all nodes after added seconds
-	listAllResult, err := ExecuteCommand(
+	listAllResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -663,17 +691,17 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 
 	// Randomly generated machine keys
 	machineKeys := []string{
-		"9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-		"6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
-		"f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-		"8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
-		"cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		"nodekey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
+		"nodekey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		"nodekey:8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
+		"nodekey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
 	}
 	machines := make([]*v1.Machine, len(machineKeys))
 	assert.Nil(s.T(), err)
 
 	for index, machineKey := range machineKeys {
-		_, err := ExecuteCommand(
+		_, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -692,7 +720,7 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 		)
 		assert.Nil(s.T(), err)
 
-		machineResult, err := ExecuteCommand(
+		machineResult, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -719,7 +747,7 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 	assert.Len(s.T(), machines, len(machineKeys))
 
 	// Test list all nodes after added seconds
-	listAllResult, err := ExecuteCommand(
+	listAllResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -751,14 +779,14 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 	assert.Equal(s.T(), "machine-5", listAll[4].Name)
 
 	otherNamespaceMachineKeys := []string{
-		"b5b444774186d4217adcec407563a1223929465ee2c68a4da13af0d0185b4f8e",
-		"dc721977ac7415aafa87f7d4574cbe07c6b171834a6d37375782bdc1fb6b3584",
+		"nodekey:b5b444774186d4217adcec407563a1223929465ee2c68a4da13af0d0185b4f8e",
+		"nodekey:dc721977ac7415aafa87f7d4574cbe07c6b171834a6d37375782bdc1fb6b3584",
 	}
 	otherNamespaceMachines := make([]*v1.Machine, len(otherNamespaceMachineKeys))
 	assert.Nil(s.T(), err)
 
 	for index, machineKey := range otherNamespaceMachineKeys {
-		_, err := ExecuteCommand(
+		_, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -777,7 +805,7 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 		)
 		assert.Nil(s.T(), err)
 
-		machineResult, err := ExecuteCommand(
+		machineResult, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -804,7 +832,7 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 	assert.Len(s.T(), otherNamespaceMachines, len(otherNamespaceMachineKeys))
 
 	// Test list all nodes after added otherNamespace
-	listAllWithotherNamespaceResult, err := ExecuteCommand(
+	listAllWithotherNamespaceResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -834,7 +862,7 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 	assert.Equal(s.T(), "otherNamespace-machine-2", listAllWithotherNamespace[6].Name)
 
 	// Test list all nodes after added otherNamespace
-	listOnlyotherNamespaceMachineNamespaceResult, err := ExecuteCommand(
+	listOnlyotherNamespaceMachineNamespaceResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -873,7 +901,7 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 	)
 
 	// Delete a machines
-	_, err = ExecuteCommand(
+	_, _, err = ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -891,7 +919,7 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 	assert.Nil(s.T(), err)
 
 	// Test: list main namespace after machine is deleted
-	listOnlyMachineNamespaceAfterDeleteResult, err := ExecuteCommand(
+	listOnlyMachineNamespaceAfterDeleteResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -922,17 +950,17 @@ func (s *IntegrationCLITestSuite) TestNodeExpireCommand() {
 
 	// Randomly generated machine keys
 	machineKeys := []string{
-		"9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-		"6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
-		"f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-		"8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
-		"cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		"nodekey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
+		"nodekey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		"nodekey:8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
+		"nodekey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
 	}
 	machines := make([]*v1.Machine, len(machineKeys))
 	assert.Nil(s.T(), err)
 
 	for index, machineKey := range machineKeys {
-		_, err := ExecuteCommand(
+		_, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -951,7 +979,7 @@ func (s *IntegrationCLITestSuite) TestNodeExpireCommand() {
 		)
 		assert.Nil(s.T(), err)
 
-		machineResult, err := ExecuteCommand(
+		machineResult, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -977,7 +1005,7 @@ func (s *IntegrationCLITestSuite) TestNodeExpireCommand() {
 
 	assert.Len(s.T(), machines, len(machineKeys))
 
-	listAllResult, err := ExecuteCommand(
+	listAllResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1003,7 +1031,7 @@ func (s *IntegrationCLITestSuite) TestNodeExpireCommand() {
 	assert.True(s.T(), listAll[4].Expiry.AsTime().IsZero())
 
 	for i := 0; i < 3; i++ {
-		_, err := ExecuteCommand(
+		_, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -1017,7 +1045,7 @@ func (s *IntegrationCLITestSuite) TestNodeExpireCommand() {
 		assert.Nil(s.T(), err)
 	}
 
-	listAllAfterExpiryResult, err := ExecuteCommand(
+	listAllAfterExpiryResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1049,17 +1077,17 @@ func (s *IntegrationCLITestSuite) TestNodeRenameCommand() {
 
 	// Randomly generated machine keys
 	machineKeys := []string{
-		"cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
-		"8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
-		"f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-		"6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
-		"9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		"nodekey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		"nodekey:8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
+		"nodekey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		"nodekey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
+		"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
 	}
 	machines := make([]*v1.Machine, len(machineKeys))
 	assert.Nil(s.T(), err)
 
 	for index, machineKey := range machineKeys {
-		_, err := ExecuteCommand(
+		_, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -1078,7 +1106,7 @@ func (s *IntegrationCLITestSuite) TestNodeRenameCommand() {
 		)
 		assert.Nil(s.T(), err)
 
-		machineResult, err := ExecuteCommand(
+		machineResult, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -1104,7 +1132,7 @@ func (s *IntegrationCLITestSuite) TestNodeRenameCommand() {
 
 	assert.Len(s.T(), machines, len(machineKeys))
 
-	listAllResult, err := ExecuteCommand(
+	listAllResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1130,7 +1158,7 @@ func (s *IntegrationCLITestSuite) TestNodeRenameCommand() {
 	assert.Contains(s.T(), listAll[4].GetGivenName(), "machine-5")
 
 	for i := 0; i < 3; i++ {
-		_, err := ExecuteCommand(
+		_, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -1145,7 +1173,7 @@ func (s *IntegrationCLITestSuite) TestNodeRenameCommand() {
 		assert.Nil(s.T(), err)
 	}
 
-	listAllAfterRenameResult, err := ExecuteCommand(
+	listAllAfterRenameResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1171,7 +1199,7 @@ func (s *IntegrationCLITestSuite) TestNodeRenameCommand() {
 	assert.Contains(s.T(), listAllAfterRename[4].GetGivenName(), "machine-5")
 
 	// Test failure for too long names
-	result, err := ExecuteCommand(
+	result, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1186,7 +1214,7 @@ func (s *IntegrationCLITestSuite) TestNodeRenameCommand() {
 	assert.Nil(s.T(), err)
 	assert.Contains(s.T(), result, "not be over 63 chars")
 
-	listAllAfterRenameAttemptResult, err := ExecuteCommand(
+	listAllAfterRenameAttemptResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1220,9 +1248,9 @@ func (s *IntegrationCLITestSuite) TestRouteCommand() {
 	assert.Nil(s.T(), err)
 
 	// Randomly generated machine keys
-	machineKey := "9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe"
+	machineKey := "nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe"
 
-	_, err = ExecuteCommand(
+	_, _, err = ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1245,7 +1273,7 @@ func (s *IntegrationCLITestSuite) TestRouteCommand() {
 	)
 	assert.Nil(s.T(), err)
 
-	machineResult, err := ExecuteCommand(
+	machineResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1269,7 +1297,7 @@ func (s *IntegrationCLITestSuite) TestRouteCommand() {
 	assert.Equal(s.T(), uint64(1), machine.Id)
 	assert.Equal(s.T(), "route-machine", machine.Name)
 
-	listAllResult, err := ExecuteCommand(
+	listAllResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1294,7 +1322,7 @@ func (s *IntegrationCLITestSuite) TestRouteCommand() {
 
 	assert.Empty(s.T(), listAll.EnabledRoutes)
 
-	enableTwoRoutesResult, err := ExecuteCommand(
+	enableTwoRoutesResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1326,7 +1354,7 @@ func (s *IntegrationCLITestSuite) TestRouteCommand() {
 	assert.Contains(s.T(), enableTwoRoutes.EnabledRoutes, "192.168.1.0/24")
 
 	// Enable only one route, effectively disabling one of the routes
-	enableOneRouteResult, err := ExecuteCommand(
+	enableOneRouteResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1355,7 +1383,7 @@ func (s *IntegrationCLITestSuite) TestRouteCommand() {
 	assert.Contains(s.T(), enableOneRoute.EnabledRoutes, "10.0.0.0/8")
 
 	// Enable only one route, effectively disabling one of the routes
-	failEnableNonAdvertisedRoute, err := ExecuteCommand(
+	failEnableNonAdvertisedRoute, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1379,7 +1407,7 @@ func (s *IntegrationCLITestSuite) TestRouteCommand() {
 	)
 
 	// Enable all routes on host
-	enableAllRouteResult, err := ExecuteCommand(
+	enableAllRouteResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1414,7 +1442,7 @@ func (s *IntegrationCLITestSuite) TestApiKeyCommand() {
 	keys := make([]string, count)
 
 	for i := 0; i < count; i++ {
-		apiResult, err := ExecuteCommand(
+		apiResult, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -1440,7 +1468,7 @@ func (s *IntegrationCLITestSuite) TestApiKeyCommand() {
 	assert.Len(s.T(), keys, 5)
 
 	// Test list of keys
-	listResult, err := ExecuteCommand(
+	listResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1502,7 +1530,7 @@ func (s *IntegrationCLITestSuite) TestApiKeyCommand() {
 
 	// Expire three keys
 	for i := 0; i < 3; i++ {
-		_, err := ExecuteCommand(
+		_, _, err := ExecuteCommand(
 			&s.headscale,
 			[]string{
 				"headscale",
@@ -1519,7 +1547,7 @@ func (s *IntegrationCLITestSuite) TestApiKeyCommand() {
 	}
 
 	// Test list pre auth keys after expire
-	listAfterExpireResult, err := ExecuteCommand(
+	listAfterExpireResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1560,9 +1588,9 @@ func (s *IntegrationCLITestSuite) TestNodeMoveCommand() {
 	assert.Nil(s.T(), err)
 
 	// Randomly generated machine key
-	machineKey := "688411b767663479632d44140f08a9fde87383adc7cdeb518f62ce28a17ef0aa"
+	machineKey := "nodekey:688411b767663479632d44140f08a9fde87383adc7cdeb518f62ce28a17ef0aa"
 
-	_, err = ExecuteCommand(
+	_, _, err = ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1581,7 +1609,7 @@ func (s *IntegrationCLITestSuite) TestNodeMoveCommand() {
 	)
 	assert.Nil(s.T(), err)
 
-	machineResult, err := ExecuteCommand(
+	machineResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1608,7 +1636,7 @@ func (s *IntegrationCLITestSuite) TestNodeMoveCommand() {
 
 	machineId := fmt.Sprintf("%d", machine.Id)
 
-	moveToNewNSResult, err := ExecuteCommand(
+	moveToNewNSResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1630,7 +1658,7 @@ func (s *IntegrationCLITestSuite) TestNodeMoveCommand() {
 
 	assert.Equal(s.T(), machine.Namespace, newNamespace)
 
-	listAllNodesResult, err := ExecuteCommand(
+	listAllNodesResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1653,7 +1681,7 @@ func (s *IntegrationCLITestSuite) TestNodeMoveCommand() {
 	assert.Equal(s.T(), allNodes[0].Namespace, machine.Namespace)
 	assert.Equal(s.T(), allNodes[0].Namespace, newNamespace)
 
-	moveToNonExistingNSResult, err := ExecuteCommand(
+	moveToNonExistingNSResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1677,7 +1705,7 @@ func (s *IntegrationCLITestSuite) TestNodeMoveCommand() {
 	)
 	assert.Equal(s.T(), machine.Namespace, newNamespace)
 
-	moveToOldNSResult, err := ExecuteCommand(
+	moveToOldNSResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1699,7 +1727,7 @@ func (s *IntegrationCLITestSuite) TestNodeMoveCommand() {
 
 	assert.Equal(s.T(), machine.Namespace, oldNamespace)
 
-	moveToSameNSResult, err := ExecuteCommand(
+	moveToSameNSResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -1721,3 +1749,81 @@ func (s *IntegrationCLITestSuite) TestNodeMoveCommand() {
 
 	assert.Equal(s.T(), machine.Namespace, oldNamespace)
 }
+
+func (s *IntegrationCLITestSuite) TestLoadConfigFromCommand() {
+	// TODO: make sure defaultConfig is not same as altConfig
+	defaultConfig, err := os.ReadFile("integration_test/etc/config.dump.gold.yaml")
+	assert.Nil(s.T(), err)
+	altConfig, err := os.ReadFile("integration_test/etc/alt-config.dump.gold.yaml")
+	assert.Nil(s.T(), err)
+	altEnvConfig, err := os.ReadFile("integration_test/etc/alt-env-config.dump.gold.yaml")
+	assert.Nil(s.T(), err)
+
+	_, _, err = ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"dumpConfig",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	defaultDumpConfig, err := os.ReadFile("integration_test/etc/config.dump.yaml")
+	assert.Nil(s.T(), err)
+
+	assert.YAMLEq(s.T(), string(defaultConfig), string(defaultDumpConfig))
+
+	_, _, err = ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"-c",
+			"/etc/headscale/alt-config.yaml",
+			"dumpConfig",
+		},
+		[]string{},
+	)
+	assert.Nil(s.T(), err)
+
+	altDumpConfig, err := os.ReadFile("integration_test/etc/config.dump.yaml")
+	assert.Nil(s.T(), err)
+
+	assert.YAMLEq(s.T(), string(altConfig), string(altDumpConfig))
+
+	_, _, err = ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"dumpConfig",
+		},
+		[]string{
+			"HEADSCALE_CONFIG=/etc/headscale/alt-env-config.yaml",
+		},
+	)
+	assert.Nil(s.T(), err)
+
+	altEnvDumpConfig, err := os.ReadFile("integration_test/etc/config.dump.yaml")
+	assert.Nil(s.T(), err)
+
+	assert.YAMLEq(s.T(), string(altEnvConfig), string(altEnvDumpConfig))
+
+	_, _, err = ExecuteCommand(
+		&s.headscale,
+		[]string{
+			"headscale",
+			"-c",
+			"/etc/headscale/alt-config.yaml",
+			"dumpConfig",
+		},
+		[]string{
+			"HEADSCALE_CONFIG=/etc/headscale/alt-env-config.yaml",
+		},
+	)
+	assert.Nil(s.T(), err)
+
+	altDumpConfig, err = os.ReadFile("integration_test/etc/config.dump.yaml")
+	assert.Nil(s.T(), err)
+
+	assert.YAMLEq(s.T(), string(altConfig), string(altDumpConfig))
+}

integration_common_test.go

@@ -1,31 +1,42 @@
-//go:build integration
-// +build integration
-
+//nolint
 package headscale
 
 import (
 	"bytes"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"net/netip"
+	"os"
+	"strconv"
 	"strings"
 	"time"
 
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/ory/dockertest/v3"
 	"github.com/ory/dockertest/v3/docker"
-	"inet.af/netaddr"
 )
 
-const DOCKER_EXECUTE_TIMEOUT = 10 * time.Second
+const (
+	headscaleNetwork       = "headscale-test"
+	headscaleHostname      = "headscale"
+	DOCKER_EXECUTE_TIMEOUT = 10 * time.Second
+)
 
 var (
-	IpPrefix4 = netaddr.MustParseIPPrefix("100.64.0.0/10")
-	IpPrefix6 = netaddr.MustParseIPPrefix("fd7a:115c:a1e0::/48")
+	errEnvVarEmpty = errors.New("getenv: environment variable empty")
+
+	IpPrefix4 = netip.MustParsePrefix("100.64.0.0/10")
+	IpPrefix6 = netip.MustParsePrefix("fd7a:115c:a1e0::/48")
 
 	tailscaleVersions = []string{
 		"head",
 		"unstable",
-		"1.24.0",
+		"1.32.0",
+		"1.30.2",
+		"1.28.0",
+		"1.26.2",
+		"1.24.2",
 		"1.22.2",
 		"1.20.4",
 		"1.18.2",
@@ -58,7 +69,7 @@ func ExecuteCommand(
 	cmd []string,
 	env []string,
 	options ...ExecuteCommandOption,
-) (string, error) {
+) (string, string, error) {
 	var stdout bytes.Buffer
 	var stderr bytes.Buffer
 
@@ -68,7 +79,7 @@ func ExecuteCommand(
 
 	for _, opt := range options {
 		if err := opt(&execConfig); err != nil {
-			return "", fmt.Errorf("execute-command/options: %w", err)
+			return "", "", fmt.Errorf("execute-command/options: %w", err)
 		}
 	}
 
@@ -97,7 +108,7 @@ func ExecuteCommand(
 	select {
 	case res := <-resultChan:
 		if res.err != nil {
-			return "", res.err
+			return stdout.String(), stderr.String(), res.err
 		}
 
 		if res.exitCode != 0 {
@@ -105,13 +116,19 @@ func ExecuteCommand(
 			fmt.Println("stdout: ", stdout.String())
 			fmt.Println("stderr: ", stderr.String())
 
-			return "", fmt.Errorf("command failed with: %s", stderr.String())
+			return stdout.String(), stderr.String(), fmt.Errorf(
+				"command failed with: %s",
+				stderr.String(),
+			)
 		}
 
-		return stdout.String(), nil
+		return stdout.String(), stderr.String(), nil
 	case <-time.After(execConfig.timeout):
 
-		return "", fmt.Errorf("command timed out after %s", execConfig.timeout)
+		return stdout.String(), stderr.String(), fmt.Errorf(
+			"command timed out after %s",
+			execConfig.timeout,
+		)
 	}
 }
 
@@ -185,12 +202,12 @@ func getDockerBuildOptions(version string) *dockertest.BuildOptions {
 
 func getIPs(
 	tailscales map[string]dockertest.Resource,
-) (map[string][]netaddr.IP, error) {
-	ips := make(map[string][]netaddr.IP)
+) (map[string][]netip.Addr, error) {
+	ips := make(map[string][]netip.Addr)
 	for hostname, tailscale := range tailscales {
 		command := []string{"tailscale", "ip"}
 
-		result, err := ExecuteCommand(
+		result, _, err := ExecuteCommand(
 			&tailscale,
 			command,
 			[]string{},
@@ -204,7 +221,7 @@ func getIPs(
 			if len(address) < 1 {
 				continue
 			}
-			ip, err := netaddr.ParseIP(address)
+			ip, err := netip.ParseAddr(address)
 			if err != nil {
 				return nil, err
 			}
@@ -218,8 +235,7 @@ func getIPs(
 func getDNSNames(
 	headscale *dockertest.Resource,
 ) ([]string, error) {
-
-	listAllResult, err := ExecuteCommand(
+	listAllResult, _, err := ExecuteCommand(
 		headscale,
 		[]string{
 			"headscale",
@@ -252,8 +268,7 @@ func getDNSNames(
 func getMagicFQDN(
 	headscale *dockertest.Resource,
 ) ([]string, error) {
-
-	listAllResult, err := ExecuteCommand(
+	listAllResult, _, err := ExecuteCommand(
 		headscale,
 		[]string{
 			"headscale",
@@ -277,8 +292,52 @@ func getMagicFQDN(
 	hostnames := make([]string, len(listAll))
 
 	for index := range listAll {
-		hostnames[index] = fmt.Sprintf("%s.%s.headscale.net", listAll[index].GetGivenName(), listAll[index].GetNamespace().GetName())
+		hostnames[index] = fmt.Sprintf(
+			"%s.%s.headscale.net",
+			listAll[index].GetGivenName(),
+			listAll[index].GetNamespace().GetName(),
+		)
 	}
 
 	return hostnames, nil
 }
+
+func GetEnvStr(key string) (string, error) {
+	v := os.Getenv(key)
+	if v == "" {
+		return v, errEnvVarEmpty
+	}
+
+	return v, nil
+}
+
+func GetEnvBool(key string) (bool, error) {
+	s, err := GetEnvStr(key)
+	if err != nil {
+		return false, err
+	}
+	v, err := strconv.ParseBool(s)
+	if err != nil {
+		return false, err
+	}
+
+	return v, nil
+}
+
+func GetFirstOrCreateNetwork(pool *dockertest.Pool, name string) (dockertest.Network, error) {
+	networks, err := pool.NetworksByName(name)
+	if err != nil || len(networks) == 0 {
+		if _, err := pool.CreateNetwork(name); err == nil {
+			// Create does not give us an updated version of the resource, so we need to
+			// get it again.
+			networks, err := pool.NetworksByName(name)
+			if err != nil {
+				return dockertest.Network{}, err
+			}
+
+			return networks[0], nil
+		}
+	}
+
+	return networks[0], nil
+}

integration_embedded_derp_test.go

@@ -1,5 +1,4 @@
-//go:build integration
-
+//nolint
 package headscale
 
 import (
@@ -8,7 +7,6 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
-	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@@ -18,63 +16,76 @@ import (
 	"testing"
 	"time"
 
+	"github.com/ccding/go-stun/stun"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/ory/dockertest/v3"
 	"github.com/ory/dockertest/v3/docker"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
-
-	"github.com/ccding/go-stun/stun"
 )
 
 const (
-	headscaleHostname = "headscale-derp"
-	namespaceName     = "derpnamespace"
-	totalContainers   = 3
+	headscaleDerpHostname = "headscale-derp"
+	namespaceName         = "derpnamespace"
+	totalContainers       = 3
 )
 
 type IntegrationDERPTestSuite struct {
 	suite.Suite
 	stats *suite.SuiteInformation
 
-	pool      dockertest.Pool
-	networks  map[int]dockertest.Network // so we keep the containers isolated
-	headscale dockertest.Resource
+	pool              dockertest.Pool
+	network           dockertest.Network
+	containerNetworks map[int]dockertest.Network // so we keep the containers isolated
+	headscale         dockertest.Resource
+	saveLogs          bool
 
 	tailscales    map[string]dockertest.Resource
 	joinWaitGroup sync.WaitGroup
 }
 
-func TestDERPIntegrationTestSuite(t *testing.T) {
+func TestIntegrationDERPTestSuite(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration tests due to short flag")
+	}
+
+	saveLogs, err := GetEnvBool("HEADSCALE_INTEGRATION_SAVE_LOG")
+	if err != nil {
+		saveLogs = false
+	}
+
 	s := new(IntegrationDERPTestSuite)
 
 	s.tailscales = make(map[string]dockertest.Resource)
-	s.networks = make(map[int]dockertest.Network)
+	s.containerNetworks = make(map[int]dockertest.Network)
+	s.saveLogs = saveLogs
 
 	suite.Run(t, s)
 
 	// HandleStats, which allows us to check if we passed and save logs
 	// is called after TearDown, so we cannot tear down containers before
 	// we have potentially saved the logs.
-	for _, tailscale := range s.tailscales {
-		if err := s.pool.Purge(&tailscale); err != nil {
+	if s.saveLogs {
+		for _, tailscale := range s.tailscales {
+			if err := s.pool.Purge(&tailscale); err != nil {
+				log.Printf("Could not purge resource: %s\n", err)
+			}
+		}
+
+		if !s.stats.Passed() {
+			err := s.saveLog(&s.headscale, "test_output")
+			if err != nil {
+				log.Printf("Could not save log: %s\n", err)
+			}
+		}
+		if err := s.pool.Purge(&s.headscale); err != nil {
 			log.Printf("Could not purge resource: %s\n", err)
 		}
-	}
 
-	if !s.stats.Passed() {
-		err := s.saveLog(&s.headscale, "test_output")
-		if err != nil {
-			log.Printf("Could not save log: %s\n", err)
-		}
-	}
-	if err := s.pool.Purge(&s.headscale); err != nil {
-		log.Printf("Could not purge resource: %s\n", err)
-	}
-
-	for _, network := range s.networks {
-		if err := network.Close(); err != nil {
-			log.Printf("Could not close network: %s\n", err)
+		for _, network := range s.containerNetworks {
+			if err := network.Close(); err != nil {
+				log.Printf("Could not close network: %s\n", err)
+			}
 		}
 	}
 }
@@ -83,14 +94,20 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 	if ppool, err := dockertest.NewPool(""); err == nil {
 		s.pool = *ppool
 	} else {
-		log.Fatalf("Could not connect to docker: %s", err)
+		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
 	}
 
+	network, err := GetFirstOrCreateNetwork(&s.pool, headscaleNetwork)
+	if err != nil {
+		s.FailNow(fmt.Sprintf("Failed to create or get network: %s", err), "")
+	}
+	s.network = network
+
 	for i := 0; i < totalContainers; i++ {
 		if pnetwork, err := s.pool.CreateNetwork(fmt.Sprintf("headscale-derp-%d", i)); err == nil {
-			s.networks[i] = *pnetwork
+			s.containerNetworks[i] = *pnetwork
 		} else {
-			log.Fatalf("Could not create network: %s", err)
+			s.FailNow(fmt.Sprintf("Could not create network: %s", err), "")
 		}
 	}
 
@@ -101,11 +118,11 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 
 	currentPath, err := os.Getwd()
 	if err != nil {
-		log.Fatalf("Could not determine current path: %s", err)
+		s.FailNow(fmt.Sprintf("Could not determine current path: %s", err), "")
 	}
 
 	headscaleOptions := &dockertest.RunOptions{
-		Name: headscaleHostname,
+		Name: headscaleDerpHostname,
 		Mounts: []string{
 			fmt.Sprintf(
 				"%s/integration_test/etc_embedded_derp:/etc/headscale",
@@ -113,6 +130,7 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 			),
 		},
 		Cmd:          []string{"headscale", "serve"},
+		Networks:     []*dockertest.Network{&s.network},
 		ExposedPorts: []string{"8443/tcp", "3478/udp"},
 		PortBindings: map[docker.Port][]docker.PortBinding{
 			"8443/tcp": {{HostPort: "8443"}},
@@ -120,28 +138,41 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 		},
 	}
 
-	log.Println("Creating headscale container")
+	err = s.pool.RemoveContainerByName(headscaleDerpHostname)
+	if err != nil {
+		s.FailNow(
+			fmt.Sprintf(
+				"Could not remove existing container before building test: %s",
+				err,
+			),
+			"",
+		)
+	}
+
+	log.Println("Creating headscale container for DERP integration tests")
 	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
 		s.headscale = *pheadscale
 	} else {
-		log.Fatalf("Could not start headscale container: %s", err)
+		s.FailNow(fmt.Sprintf("Could not start headscale container: %s", err), "")
 	}
-	log.Println("Created headscale container to test DERP")
+	log.Println("Created headscale container for embedded DERP tests")
 
-	log.Println("Creating tailscale containers")
+	log.Println("Creating tailscale containers for embedded DERP tests")
 
 	for i := 0; i < totalContainers; i++ {
 		version := tailscaleVersions[i%len(tailscaleVersions)]
 		hostname, container := s.tailscaleContainer(
 			fmt.Sprint(i),
 			version,
-			s.networks[i],
+			s.containerNetworks[i],
 		)
 		s.tailscales[hostname] = *container
 	}
 
-	log.Println("Waiting for headscale to be ready")
-	hostEndpoint := fmt.Sprintf("localhost:%s", s.headscale.GetPort("8443/tcp"))
+	log.Println("Waiting for headscale to be ready for embedded DERP tests")
+	hostEndpoint := fmt.Sprintf("%s:%s",
+		s.headscale.GetIPInNetwork(&s.network),
+		s.headscale.GetPort("8443/tcp"))
 
 	if err := s.pool.Retry(func() error {
 		url := fmt.Sprintf("https://%s/health", hostEndpoint)
@@ -150,6 +181,7 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 		client := &http.Client{Transport: insecureTransport}
 		resp, err := client.Get(url)
 		if err != nil {
+			fmt.Printf("headscale for embedded DERP tests is not ready: %s\n", err)
 			return err
 		}
 
@@ -165,10 +197,10 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 		// https://github.com/stretchr/testify/issues/849
 		return // fmt.Errorf("Could not connect to headscale: %s", err)
 	}
-	log.Println("headscale container is ready")
+	log.Println("headscale container is ready for embedded DERP tests")
 
 	log.Printf("Creating headscale namespace: %s\n", namespaceName)
-	result, err := ExecuteCommand(
+	result, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{"headscale", "namespaces", "create", namespaceName},
 		[]string{},
@@ -177,7 +209,7 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 	assert.Nil(s.T(), err)
 
 	log.Printf("Creating pre auth key for %s\n", namespaceName)
-	preAuthResult, err := ExecuteCommand(
+	preAuthResult, _, err := ExecuteCommand(
 		&s.headscale,
 		[]string{
 			"headscale",
@@ -240,7 +272,7 @@ func (s *IntegrationDERPTestSuite) Join(
 
 	log.Println("Join command:", command)
 	log.Printf("Running join command for %s\n", hostname)
-	_, err := ExecuteCommand(
+	_, _, err := ExecuteCommand(
 		&tailscale,
 		command,
 		[]string{},
@@ -290,6 +322,23 @@ func (s *IntegrationDERPTestSuite) tailscaleContainer(
 }
 
 func (s *IntegrationDERPTestSuite) TearDownSuite() {
+	if !s.saveLogs {
+		for _, tailscale := range s.tailscales {
+			if err := s.pool.Purge(&tailscale); err != nil {
+				log.Printf("Could not purge resource: %s\n", err)
+			}
+		}
+
+		if err := s.pool.Purge(&s.headscale); err != nil {
+			log.Printf("Could not purge resource: %s\n", err)
+		}
+
+		for _, network := range s.containerNetworks {
+			if err := network.Close(); err != nil {
+				log.Printf("Could not close network: %s\n", err)
+			}
+		}
+	}
 }
 
 func (s *IntegrationDERPTestSuite) HandleStats(
@@ -331,7 +380,7 @@ func (s *IntegrationDERPTestSuite) saveLog(
 
 	log.Printf("Saving logs for %s to %s\n", resource.Container.Name, basePath)
 
-	err = ioutil.WriteFile(
+	err = os.WriteFile(
 		path.Join(basePath, resource.Container.Name+".stdout.log"),
 		[]byte(stdout.String()),
 		0o644,
@@ -340,7 +389,7 @@ func (s *IntegrationDERPTestSuite) saveLog(
 		return err
 	}
 
-	err = ioutil.WriteFile(
+	err = os.WriteFile(
 		path.Join(basePath, resource.Container.Name+".stderr.log"),
 		[]byte(stdout.String()),
 		0o644,
@@ -378,7 +427,7 @@ func (s *IntegrationDERPTestSuite) TestPingAllPeersByHostname() {
 					peername,
 				)
 				log.Println(command)
-				result, err := ExecuteCommand(
+				result, _, err := ExecuteCommand(
 					&tailscale,
 					command,
 					[]string{},
@@ -392,7 +441,9 @@ func (s *IntegrationDERPTestSuite) TestPingAllPeersByHostname() {
 }
 
 func (s *IntegrationDERPTestSuite) TestDERPSTUN() {
-	headscaleSTUNAddr := fmt.Sprintf("localhost:%s", s.headscale.GetPort("3478/udp"))
+	headscaleSTUNAddr := fmt.Sprintf("%s:%s",
+		s.headscale.GetIPInNetwork(&s.network),
+		s.headscale.GetPort("3478/udp"))
 	client := stun.NewClient()
 	client.SetVerbose(true)
 	client.SetVVerbose(true)

integration_oidc_test.go

@@ -0,0 +1,558 @@
+// nolint
+package headscale
+
+import (
+	"bytes"
+	"context"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"net/url"
+	"os"
+	"path"
+	"strings"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/suite"
+)
+
+const (
+	oidcHeadscaleHostname = "headscale-oidc"
+	oidcMockHostname      = "headscale-mock-oidc"
+	oidcNamespaceName     = "oidcnamespace"
+	totalOidcContainers   = 3
+)
+
+type IntegrationOIDCTestSuite struct {
+	suite.Suite
+	stats *suite.SuiteInformation
+
+	pool      dockertest.Pool
+	network   dockertest.Network
+	headscale dockertest.Resource
+	mockOidc  dockertest.Resource
+	saveLogs  bool
+
+	tailscales    map[string]dockertest.Resource
+	joinWaitGroup sync.WaitGroup
+}
+
+func TestIntegrationOIDCTestSuite(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration tests due to short flag")
+	}
+
+	saveLogs, err := GetEnvBool("HEADSCALE_INTEGRATION_SAVE_LOG")
+	if err != nil {
+		saveLogs = false
+	}
+
+	s := new(IntegrationOIDCTestSuite)
+
+	s.tailscales = make(map[string]dockertest.Resource)
+	s.saveLogs = saveLogs
+
+	suite.Run(t, s)
+
+	// HandleStats, which allows us to check if we passed and save logs
+	// is called after TearDown, so we cannot tear down containers before
+	// we have potentially saved the logs.
+	if s.saveLogs {
+		for _, tailscale := range s.tailscales {
+			if err := s.pool.Purge(&tailscale); err != nil {
+				log.Printf("Could not purge resource: %s\n", err)
+			}
+		}
+
+		if !s.stats.Passed() {
+			err := s.saveLog(&s.headscale, "test_output")
+			if err != nil {
+				log.Printf("Could not save log: %s\n", err)
+			}
+		}
+
+		if err := s.pool.Purge(&s.mockOidc); err != nil {
+			log.Printf("Could not purge resource: %s\n", err)
+		}
+
+		if err := s.pool.Purge(&s.headscale); err != nil {
+			t.Logf("Could not purge resource: %s\n", err)
+		}
+
+		if err := s.network.Close(); err != nil {
+			log.Printf("Could not close network: %s\n", err)
+		}
+	}
+}
+
+func (s *IntegrationOIDCTestSuite) SetupSuite() {
+	if ppool, err := dockertest.NewPool(""); err == nil {
+		s.pool = *ppool
+	} else {
+		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
+	}
+
+	network, err := GetFirstOrCreateNetwork(&s.pool, headscaleNetwork)
+	if err != nil {
+		s.FailNow(fmt.Sprintf("Failed to create or get network: %s", err), "")
+	}
+	s.network = network
+
+	log.Printf("Network config: %v", s.network.Network.IPAM.Config[0])
+
+	s.Suite.T().Log("Setting up mock OIDC")
+	mockOidcOptions := &dockertest.RunOptions{
+		Name:         oidcMockHostname,
+		Cmd:          []string{"headscale", "mockoidc"},
+		ExposedPorts: []string{"10000/tcp"},
+		PortBindings: map[docker.Port][]docker.PortBinding{
+			"10000/tcp": {{HostPort: "10000"}},
+		},
+		Networks: []*dockertest.Network{&s.network},
+		Env: []string{
+			fmt.Sprintf("MOCKOIDC_ADDR=%s", oidcMockHostname),
+			"MOCKOIDC_PORT=10000",
+			"MOCKOIDC_CLIENT_ID=superclient",
+			"MOCKOIDC_CLIENT_SECRET=supersecret",
+		},
+	}
+
+	headscaleBuildOptions := &dockertest.BuildOptions{
+		Dockerfile: "Dockerfile.debug",
+		ContextDir: ".",
+	}
+
+	err = s.pool.RemoveContainerByName(oidcMockHostname)
+	if err != nil {
+		s.FailNow(
+			fmt.Sprintf(
+				"Could not remove existing container before building test: %s",
+				err,
+			),
+			"",
+		)
+	}
+
+	if pmockoidc, err := s.pool.BuildAndRunWithBuildOptions(
+		headscaleBuildOptions,
+		mockOidcOptions,
+		DockerRestartPolicy); err == nil {
+		s.mockOidc = *pmockoidc
+	} else {
+		s.FailNow(fmt.Sprintf("Could not start mockOIDC container: %s", err), "")
+	}
+
+	s.Suite.T().Logf("Waiting for headscale mock oidc to be ready for tests")
+	hostEndpoint := fmt.Sprintf(
+		"%s:%s",
+		s.mockOidc.GetIPInNetwork(&s.network),
+		s.mockOidc.GetPort("10000/tcp"),
+	)
+
+	if err := s.pool.Retry(func() error {
+		url := fmt.Sprintf("http://%s/oidc/.well-known/openid-configuration", hostEndpoint)
+		resp, err := http.Get(url)
+		if err != nil {
+			log.Printf("headscale mock OIDC tests is not ready: %s\n", err)
+			return err
+		}
+
+		if resp.StatusCode != http.StatusOK {
+			return fmt.Errorf("status code not OK")
+		}
+
+		return nil
+	}); err != nil {
+		// TODO(kradalby): If we cannot access headscale, or any other fatal error during
+		// test setup, we need to abort and tear down. However, testify does not seem to
+		// support that at the moment:
+		// https://github.com/stretchr/testify/issues/849
+		return // fmt.Errorf("Could not connect to headscale: %s", err)
+	}
+	s.Suite.T().Log("headscale-mock-oidc container is ready for embedded OIDC tests")
+
+	oidcCfg := fmt.Sprintf(`
+oidc:
+  issuer: http://%s:10000/oidc
+  client_id: superclient
+  client_secret: supersecret
+  strip_email_domain: true`, s.mockOidc.GetIPInNetwork(&s.network))
+
+	currentPath, err := os.Getwd()
+	if err != nil {
+		s.FailNow(fmt.Sprintf("Could not determine current path: %s", err), "")
+	}
+
+	baseConfig, err := os.ReadFile(
+		path.Join(currentPath, "integration_test/etc_oidc/base_config.yaml"))
+	if err != nil {
+		s.FailNow(fmt.Sprintf("Could not read base config: %s", err), "")
+	}
+	config := string(baseConfig) + oidcCfg
+
+	log.Println(config)
+
+	configPath := path.Join(currentPath, "integration_test/etc_oidc/config.yaml")
+	err = os.WriteFile(configPath, []byte(config), 0o644)
+	if err != nil {
+		s.FailNow(fmt.Sprintf("Could not write config: %s", err), "")
+	}
+
+	headscaleOptions := &dockertest.RunOptions{
+		Name:     oidcHeadscaleHostname,
+		Networks: []*dockertest.Network{&s.network},
+		Mounts: []string{
+			path.Join(currentPath,
+				"integration_test/etc_oidc:/etc/headscale",
+			),
+		},
+		Cmd:          []string{"headscale", "serve"},
+		ExposedPorts: []string{"8443/tcp", "3478/udp"},
+		PortBindings: map[docker.Port][]docker.PortBinding{
+			"8443/tcp": {{HostPort: "8443"}},
+			"3478/udp": {{HostPort: "3478"}},
+		},
+	}
+
+	err = s.pool.RemoveContainerByName(oidcHeadscaleHostname)
+	if err != nil {
+		s.FailNow(
+			fmt.Sprintf(
+				"Could not remove existing container before building test: %s",
+				err,
+			),
+			"",
+		)
+	}
+
+	s.Suite.T().Logf("Creating headscale container for OIDC integration tests")
+	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
+		s.headscale = *pheadscale
+	} else {
+		s.FailNow(fmt.Sprintf("Could not start headscale container: %s", err), "")
+	}
+	s.Suite.T().Logf("Created headscale container for embedded OIDC tests")
+
+	s.Suite.T().Logf("Creating tailscale containers for embedded OIDC tests")
+
+	for i := 0; i < totalOidcContainers; i++ {
+		version := tailscaleVersions[i%len(tailscaleVersions)]
+		hostname, container := s.tailscaleContainer(
+			fmt.Sprint(i),
+			version,
+		)
+		s.tailscales[hostname] = *container
+	}
+
+	s.Suite.T().Logf("Waiting for headscale to be ready for embedded OIDC tests")
+	hostMockEndpoint := fmt.Sprintf(
+		"%s:%s",
+		s.headscale.GetIPInNetwork(&s.network),
+		s.headscale.GetPort("8443/tcp"),
+	)
+
+	if err := s.pool.Retry(func() error {
+		url := fmt.Sprintf("https://%s/health", hostMockEndpoint)
+		insecureTransport := http.DefaultTransport.(*http.Transport).Clone()
+		insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+		client := &http.Client{Transport: insecureTransport}
+		resp, err := client.Get(url)
+		if err != nil {
+			log.Printf("headscale for embedded OIDC tests is not ready: %s\n", err)
+			return err
+		}
+
+		if resp.StatusCode != http.StatusOK {
+			return fmt.Errorf("status code not OK")
+		}
+
+		return nil
+	}); err != nil {
+		// TODO(kradalby): If we cannot access headscale, or any other fatal error during
+		// test setup, we need to abort and tear down. However, testify does not seem to
+		// support that at the moment:
+		// https://github.com/stretchr/testify/issues/849
+		return // fmt.Errorf("Could not connect to headscale: %s", err)
+	}
+	s.Suite.T().Log("headscale container is ready for embedded OIDC tests")
+
+	s.Suite.T().Logf("Creating headscale namespace: %s\n", oidcNamespaceName)
+	result, _, err := ExecuteCommand(
+		&s.headscale,
+		[]string{"headscale", "namespaces", "create", oidcNamespaceName},
+		[]string{},
+	)
+	log.Println("headscale create namespace result: ", result)
+	assert.Nil(s.T(), err)
+
+	headscaleEndpoint := fmt.Sprintf(
+		"https://headscale:%s",
+		s.headscale.GetPort("8443/tcp"),
+	)
+
+	log.Printf(
+		"Joining tailscale containers to headscale at %s\n",
+		headscaleEndpoint,
+	)
+	for hostname, tailscale := range s.tailscales {
+		s.joinWaitGroup.Add(1)
+		go s.AuthenticateOIDC(headscaleEndpoint, hostname, tailscale)
+
+		// TODO(juan): Workaround for https://github.com/juanfont/headscale/issues/814
+		time.Sleep(1 * time.Second)
+	}
+
+	s.joinWaitGroup.Wait()
+
+	// The nodes need a bit of time to get their updated maps from headscale
+	// TODO: See if we can have a more deterministic wait here.
+	time.Sleep(60 * time.Second)
+}
+
+func (s *IntegrationOIDCTestSuite) AuthenticateOIDC(
+	endpoint, hostname string,
+	tailscale dockertest.Resource,
+) {
+	defer s.joinWaitGroup.Done()
+
+	loginURL, err := s.joinOIDC(endpoint, hostname, tailscale)
+	if err != nil {
+		s.FailNow(fmt.Sprintf("Could not join OIDC node: %s", err), "")
+	}
+
+	insecureTransport := &http.Transport{
+		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+	}
+	client := &http.Client{Transport: insecureTransport}
+	resp, err := client.Get(loginURL.String())
+	assert.Nil(s.T(), err)
+
+	log.Printf("auth body, err: %#v, %s", resp, err)
+
+	body, err := io.ReadAll(resp.Body)
+	assert.Nil(s.T(), err)
+
+	if err != nil {
+		s.FailNow(fmt.Sprintf("Could not read login page: %s", err), "")
+	}
+
+	log.Printf("Login page for %s: %s", hostname, string(body))
+}
+
+func (s *IntegrationOIDCTestSuite) joinOIDC(
+	endpoint, hostname string,
+	tailscale dockertest.Resource,
+) (*url.URL, error) {
+	command := []string{
+		"tailscale",
+		"up",
+		"-login-server",
+		endpoint,
+		"--hostname",
+		hostname,
+	}
+
+	log.Println("Join command:", command)
+	log.Printf("Running join command for %s\n", hostname)
+	_, stderr, _ := ExecuteCommand(
+		&tailscale,
+		command,
+		[]string{},
+	)
+
+	// This piece of code just gets the login URL out of the stderr of the tailscale client.
+	// See https://github.com/tailscale/tailscale/blob/main/cmd/tailscale/cli/up.go#L584.
+	urlStr := strings.ReplaceAll(stderr, "\nTo authenticate, visit:\n\n\t", "")
+	urlStr = strings.TrimSpace(urlStr)
+
+	// parse URL
+	loginUrl, err := url.Parse(urlStr)
+	if err != nil {
+		log.Printf("Could not parse login URL: %s", err)
+		log.Printf("Original join command result: %s", stderr)
+		return nil, err
+	}
+
+	return loginUrl, nil
+}
+
+func (s *IntegrationOIDCTestSuite) tailscaleContainer(
+	identifier, version string,
+) (string, *dockertest.Resource) {
+	tailscaleBuildOptions := getDockerBuildOptions(version)
+
+	hostname := fmt.Sprintf(
+		"tailscale-%s-%s",
+		strings.Replace(version, ".", "-", -1),
+		identifier,
+	)
+	tailscaleOptions := &dockertest.RunOptions{
+		Name:     hostname,
+		Networks: []*dockertest.Network{&s.network},
+		Cmd: []string{
+			"tailscaled", "--tun=tsdev",
+		},
+
+		// expose the host IP address, so we can access it from inside the container
+		ExtraHosts: []string{
+			"host.docker.internal:host-gateway",
+			"headscale:host-gateway",
+		},
+	}
+
+	pts, err := s.pool.BuildAndRunWithBuildOptions(
+		tailscaleBuildOptions,
+		tailscaleOptions,
+		DockerRestartPolicy,
+		DockerAllowLocalIPv6,
+		DockerAllowNetworkAdministration,
+	)
+	if err != nil {
+		s.FailNow(
+			fmt.Sprintf(
+				"Could not start tailscale container version %s: %s",
+				version,
+				err,
+			),
+		)
+	}
+	log.Printf("Created %s container\n", hostname)
+
+	return hostname, pts
+}
+
+func (s *IntegrationOIDCTestSuite) TearDownSuite() {
+	if !s.saveLogs {
+		for _, tailscale := range s.tailscales {
+			if err := s.pool.Purge(&tailscale); err != nil {
+				log.Printf("Could not purge resource: %s\n", err)
+			}
+		}
+
+		if err := s.pool.Purge(&s.headscale); err != nil {
+			log.Printf("Could not purge resource: %s\n", err)
+		}
+
+		if err := s.pool.Purge(&s.mockOidc); err != nil {
+			log.Printf("Could not purge resource: %s\n", err)
+		}
+
+		if err := s.network.Close(); err != nil {
+			log.Printf("Could not close network: %s\n", err)
+		}
+	}
+}
+
+func (s *IntegrationOIDCTestSuite) HandleStats(
+	suiteName string,
+	stats *suite.SuiteInformation,
+) {
+	s.stats = stats
+}
+
+func (s *IntegrationOIDCTestSuite) saveLog(
+	resource *dockertest.Resource,
+	basePath string,
+) error {
+	err := os.MkdirAll(basePath, os.ModePerm)
+	if err != nil {
+		return err
+	}
+
+	var stdout bytes.Buffer
+	var stderr bytes.Buffer
+
+	err = s.pool.Client.Logs(
+		docker.LogsOptions{
+			Context:      context.TODO(),
+			Container:    resource.Container.ID,
+			OutputStream: &stdout,
+			ErrorStream:  &stderr,
+			Tail:         "all",
+			RawTerminal:  false,
+			Stdout:       true,
+			Stderr:       true,
+			Follow:       false,
+			Timestamps:   false,
+		},
+	)
+	if err != nil {
+		return err
+	}
+
+	log.Printf("Saving logs for %s to %s\n", resource.Container.Name, basePath)
+
+	err = os.WriteFile(
+		path.Join(basePath, resource.Container.Name+".stdout.log"),
+		[]byte(stdout.String()),
+		0o644,
+	)
+	if err != nil {
+		return err
+	}
+
+	err = os.WriteFile(
+		path.Join(basePath, resource.Container.Name+".stderr.log"),
+		[]byte(stdout.String()),
+		0o644,
+	)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (s *IntegrationOIDCTestSuite) TestPingAllPeersByAddress() {
+	for hostname, tailscale := range s.tailscales {
+		ips, err := getIPs(s.tailscales)
+		assert.Nil(s.T(), err)
+		for peername, peerIPs := range ips {
+			for i, ip := range peerIPs {
+				// We currently cant ping ourselves, so skip that.
+				if peername == hostname {
+					continue
+				}
+				s.T().
+					Run(fmt.Sprintf("%s-%s-%d", hostname, peername, i), func(t *testing.T) {
+						// We are only interested in "direct ping" which means what we
+						// might need a couple of more attempts before reaching the node.
+						command := []string{
+							"tailscale", "ping",
+							"--timeout=1s",
+							"--c=10",
+							"--until-direct=true",
+							ip.String(),
+						}
+
+						log.Printf(
+							"Pinging from %s to %s (%s)\n",
+							hostname,
+							peername,
+							ip,
+						)
+						stdout, stderr, err := ExecuteCommand(
+							&tailscale,
+							command,
+							[]string{},
+						)
+						assert.Nil(t, err)
+						log.Printf(
+							"result for %s: stdout: %s, stderr: %s\n",
+							hostname,
+							stdout,
+							stderr,
+						)
+						assert.Contains(t, stdout, "pong")
+					})
+			}
+		}
+	}
+}

integration_test.go

@@ -1,723 +0,0 @@
-//go:build integration
-// +build integration
-
-package headscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io/ioutil"
-	"log"
-	"net/http"
-	"os"
-	"path"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/ory/dockertest/v3"
-	"github.com/ory/dockertest/v3/docker"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/suite"
-	"inet.af/netaddr"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/ipn/ipnstate"
-)
-
-type IntegrationTestSuite struct {
-	suite.Suite
-	stats *suite.SuiteInformation
-
-	pool      dockertest.Pool
-	network   dockertest.Network
-	headscale dockertest.Resource
-
-	namespaces map[string]TestNamespace
-
-	joinWaitGroup sync.WaitGroup
-}
-
-func TestIntegrationTestSuite(t *testing.T) {
-	s := new(IntegrationTestSuite)
-
-	s.namespaces = map[string]TestNamespace{
-		"thisspace": {
-			count:      10,
-			tailscales: make(map[string]dockertest.Resource),
-		},
-		"otherspace": {
-			count:      2,
-			tailscales: make(map[string]dockertest.Resource),
-		},
-	}
-
-	suite.Run(t, s)
-
-	// HandleStats, which allows us to check if we passed and save logs
-	// is called after TearDown, so we cannot tear down containers before
-	// we have potentially saved the logs.
-	for _, scales := range s.namespaces {
-		for _, tailscale := range scales.tailscales {
-			if err := s.pool.Purge(&tailscale); err != nil {
-				log.Printf("Could not purge resource: %s\n", err)
-			}
-		}
-	}
-
-	if !s.stats.Passed() {
-		err := s.saveLog(&s.headscale, "test_output")
-		if err != nil {
-			log.Printf("Could not save log: %s\n", err)
-		}
-	}
-	if err := s.pool.Purge(&s.headscale); err != nil {
-		log.Printf("Could not purge resource: %s\n", err)
-	}
-
-	if err := s.network.Close(); err != nil {
-		log.Printf("Could not close network: %s\n", err)
-	}
-}
-
-func (s *IntegrationTestSuite) saveLog(
-	resource *dockertest.Resource,
-	basePath string,
-) error {
-	err := os.MkdirAll(basePath, os.ModePerm)
-	if err != nil {
-		return err
-	}
-
-	var stdout bytes.Buffer
-	var stderr bytes.Buffer
-
-	err = s.pool.Client.Logs(
-		docker.LogsOptions{
-			Context:      context.TODO(),
-			Container:    resource.Container.ID,
-			OutputStream: &stdout,
-			ErrorStream:  &stderr,
-			Tail:         "all",
-			RawTerminal:  false,
-			Stdout:       true,
-			Stderr:       true,
-			Follow:       false,
-			Timestamps:   false,
-		},
-	)
-	if err != nil {
-		return err
-	}
-
-	log.Printf("Saving logs for %s to %s\n", resource.Container.Name, basePath)
-
-	err = ioutil.WriteFile(
-		path.Join(basePath, resource.Container.Name+".stdout.log"),
-		[]byte(stdout.String()),
-		0o644,
-	)
-	if err != nil {
-		return err
-	}
-
-	err = ioutil.WriteFile(
-		path.Join(basePath, resource.Container.Name+".stderr.log"),
-		[]byte(stdout.String()),
-		0o644,
-	)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (s *IntegrationTestSuite) Join(
-	endpoint, key, hostname string,
-	tailscale dockertest.Resource,
-) {
-	defer s.joinWaitGroup.Done()
-
-	command := []string{
-		"tailscale",
-		"up",
-		"-login-server",
-		endpoint,
-		"--authkey",
-		key,
-		"--hostname",
-		hostname,
-	}
-
-	log.Println("Join command:", command)
-	log.Printf("Running join command for %s\n", hostname)
-	_, err := ExecuteCommand(
-		&tailscale,
-		command,
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-	log.Printf("%s joined\n", hostname)
-}
-
-func (s *IntegrationTestSuite) tailscaleContainer(
-	namespace, identifier, version string,
-) (string, *dockertest.Resource) {
-	tailscaleBuildOptions := getDockerBuildOptions(version)
-
-	hostname := fmt.Sprintf(
-		"%s-tailscale-%s-%s",
-		namespace,
-		strings.Replace(version, ".", "-", -1),
-		identifier,
-	)
-	tailscaleOptions := &dockertest.RunOptions{
-		Name:     hostname,
-		Networks: []*dockertest.Network{&s.network},
-		Cmd: []string{
-			"tailscaled", "--tun=tsdev",
-		},
-	}
-
-	pts, err := s.pool.BuildAndRunWithBuildOptions(
-		tailscaleBuildOptions,
-		tailscaleOptions,
-		DockerRestartPolicy,
-		DockerAllowLocalIPv6,
-		DockerAllowNetworkAdministration,
-	)
-	if err != nil {
-		log.Fatalf("Could not start tailscale container version %s: %s", version, err)
-	}
-	log.Printf("Created %s container\n", hostname)
-
-	return hostname, pts
-}
-
-func (s *IntegrationTestSuite) SetupSuite() {
-	var err error
-	app = Headscale{
-		dbType:   "sqlite3",
-		dbString: "integration_test_db.sqlite3",
-	}
-
-	if ppool, err := dockertest.NewPool(""); err == nil {
-		s.pool = *ppool
-	} else {
-		log.Fatalf("Could not connect to docker: %s", err)
-	}
-
-	if pnetwork, err := s.pool.CreateNetwork("headscale-test"); err == nil {
-		s.network = *pnetwork
-	} else {
-		log.Fatalf("Could not create network: %s", err)
-	}
-
-	headscaleBuildOptions := &dockertest.BuildOptions{
-		Dockerfile: "Dockerfile",
-		ContextDir: ".",
-	}
-
-	currentPath, err := os.Getwd()
-	if err != nil {
-		log.Fatalf("Could not determine current path: %s", err)
-	}
-
-	headscaleOptions := &dockertest.RunOptions{
-		Name: "headscale",
-		Mounts: []string{
-			fmt.Sprintf("%s/integration_test/etc:/etc/headscale", currentPath),
-		},
-		Networks: []*dockertest.Network{&s.network},
-		Cmd:      []string{"headscale", "serve"},
-	}
-
-	log.Println("Creating headscale container")
-	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
-		s.headscale = *pheadscale
-	} else {
-		log.Fatalf("Could not start headscale container: %s", err)
-	}
-	log.Println("Created headscale container")
-
-	log.Println("Creating tailscale containers")
-	for namespace, scales := range s.namespaces {
-		for i := 0; i < scales.count; i++ {
-			version := tailscaleVersions[i%len(tailscaleVersions)]
-
-			hostname, container := s.tailscaleContainer(
-				namespace,
-				fmt.Sprint(i),
-				version,
-			)
-			scales.tailscales[hostname] = *container
-		}
-	}
-
-	log.Println("Waiting for headscale to be ready")
-	hostEndpoint := fmt.Sprintf("localhost:%s", s.headscale.GetPort("8080/tcp"))
-
-	if err := s.pool.Retry(func() error {
-		url := fmt.Sprintf("http://%s/health", hostEndpoint)
-
-		resp, err := http.Get(url)
-		if err != nil {
-			return err
-		}
-
-		if resp.StatusCode != http.StatusOK {
-			return fmt.Errorf("status code not OK")
-		}
-
-		return nil
-	}); err != nil {
-		// TODO(kradalby): If we cannot access headscale, or any other fatal error during
-		// test setup, we need to abort and tear down. However, testify does not seem to
-		// support that at the moment:
-		// https://github.com/stretchr/testify/issues/849
-		return // fmt.Errorf("Could not connect to headscale: %s", err)
-	}
-	log.Println("headscale container is ready")
-
-	for namespace, scales := range s.namespaces {
-		log.Printf("Creating headscale namespace: %s\n", namespace)
-		result, err := ExecuteCommand(
-			&s.headscale,
-			[]string{"headscale", "namespaces", "create", namespace},
-			[]string{},
-		)
-		log.Println("headscale create namespace result: ", result)
-		assert.Nil(s.T(), err)
-
-		log.Printf("Creating pre auth key for %s\n", namespace)
-		preAuthResult, err := ExecuteCommand(
-			&s.headscale,
-			[]string{
-				"headscale",
-				"--namespace",
-				namespace,
-				"preauthkeys",
-				"create",
-				"--reusable",
-				"--expiration",
-				"24h",
-				"--output",
-				"json",
-			},
-			[]string{"LOG_LEVEL=error"},
-		)
-		assert.Nil(s.T(), err)
-
-		var preAuthKey v1.PreAuthKey
-		err = json.Unmarshal([]byte(preAuthResult), &preAuthKey)
-		assert.Nil(s.T(), err)
-		assert.True(s.T(), preAuthKey.Reusable)
-
-		headscaleEndpoint := "http://headscale:8080"
-
-		log.Printf(
-			"Joining tailscale containers to headscale at %s\n",
-			headscaleEndpoint,
-		)
-		for hostname, tailscale := range scales.tailscales {
-			s.joinWaitGroup.Add(1)
-			go s.Join(headscaleEndpoint, preAuthKey.Key, hostname, tailscale)
-		}
-
-		s.joinWaitGroup.Wait()
-	}
-
-	// The nodes need a bit of time to get their updated maps from headscale
-	// TODO: See if we can have a more deterministic wait here.
-	time.Sleep(60 * time.Second)
-}
-
-func (s *IntegrationTestSuite) TearDownSuite() {
-}
-
-func (s *IntegrationTestSuite) HandleStats(
-	suiteName string,
-	stats *suite.SuiteInformation,
-) {
-	s.stats = stats
-}
-
-func (s *IntegrationTestSuite) TestListNodes() {
-	for namespace, scales := range s.namespaces {
-		log.Println("Listing nodes")
-		result, err := ExecuteCommand(
-			&s.headscale,
-			[]string{"headscale", "--namespace", namespace, "nodes", "list"},
-			[]string{},
-		)
-		assert.Nil(s.T(), err)
-
-		log.Printf("List nodes: \n%s\n", result)
-
-		// Chck that the correct count of host is present in node list
-		lines := strings.Split(result, "\n")
-		assert.Equal(s.T(), len(scales.tailscales), len(lines)-2)
-
-		for hostname := range scales.tailscales {
-			assert.Contains(s.T(), result, hostname)
-		}
-	}
-}
-
-func (s *IntegrationTestSuite) TestGetIpAddresses() {
-	for _, scales := range s.namespaces {
-		ips, err := getIPs(scales.tailscales)
-		assert.Nil(s.T(), err)
-
-		for hostname := range scales.tailscales {
-			ips := ips[hostname]
-			for _, ip := range ips {
-				s.T().Run(hostname, func(t *testing.T) {
-					assert.NotNil(t, ip)
-
-					log.Printf("IP for %s: %s\n", hostname, ip)
-
-					// c.Assert(ip.Valid(), check.IsTrue)
-					assert.True(t, ip.Is4() || ip.Is6())
-					switch {
-					case ip.Is4():
-						assert.True(t, IpPrefix4.Contains(ip))
-					case ip.Is6():
-						assert.True(t, IpPrefix6.Contains(ip))
-					}
-				})
-			}
-		}
-	}
-}
-
-// TODO(kradalby): fix this test
-// We need some way to import ipnstate.Status from multiple go packages.
-// Currently it will only work with 1.18.x since that is the last
-// version we have in go.mod
-// func (s *IntegrationTestSuite) TestStatus() {
-//	for _, scales := range s.namespaces {
-//		ips, err := getIPs(scales.tailscales)
-//		assert.Nil(s.T(), err)
-//
-//		for hostname, tailscale := range scales.tailscales {
-//			s.T().Run(hostname, func(t *testing.T) {
-//				command := []string{"tailscale", "status", "--json"}
-//
-//				log.Printf("Getting status for %s\n", hostname)
-//				result, err := ExecuteCommand(
-//					&tailscale,
-//					command,
-//					[]string{},
-//				)
-//				assert.Nil(t, err)
-//
-//				var status ipnstate.Status
-//				err = json.Unmarshal([]byte(result), &status)
-//				assert.Nil(s.T(), err)
-//
-//				// TODO(kradalby): Replace this check with peer length of SAME namespace
-//				// Check if we have as many nodes in status
-//				// as we have IPs/tailscales
-//				// lines := strings.Split(result, "\n")
-//				// assert.Equal(t, len(ips), len(lines)-1)
-//				// assert.Equal(t, len(scales.tailscales), len(lines)-1)
-//
-//				peerIps := getIPsfromIPNstate(status)
-//
-//				// Check that all hosts is present in all hosts status
-//				for ipHostname, ip := range ips {
-//					if hostname != ipHostname {
-//						assert.Contains(t, peerIps, ip)
-//					}
-//				}
-//			})
-//		}
-//	}
-// }
-
-func getIPsfromIPNstate(status ipnstate.Status) []netaddr.IP {
-	ips := make([]netaddr.IP, 0)
-
-	for _, peer := range status.Peer {
-		ips = append(ips, peer.TailscaleIPs...)
-	}
-
-	return ips
-}
-
-// TODO: Adopt test for cross communication between namespaces
-func (s *IntegrationTestSuite) TestPingAllPeersByAddress() {
-	for _, scales := range s.namespaces {
-		ips, err := getIPs(scales.tailscales)
-		assert.Nil(s.T(), err)
-
-		for hostname, tailscale := range scales.tailscales {
-			for peername, peerIPs := range ips {
-				for i, ip := range peerIPs {
-					// We currently cant ping ourselves, so skip that.
-					if peername == hostname {
-						continue
-					}
-					s.T().
-						Run(fmt.Sprintf("%s-%s-%d", hostname, peername, i), func(t *testing.T) {
-							// We are only interested in "direct ping" which means what we
-							// might need a couple of more attempts before reaching the node.
-							command := []string{
-								"tailscale", "ping",
-								"--timeout=1s",
-								"--c=10",
-								"--until-direct=true",
-								ip.String(),
-							}
-
-							log.Printf(
-								"Pinging from %s to %s (%s)\n",
-								hostname,
-								peername,
-								ip,
-							)
-							result, err := ExecuteCommand(
-								&tailscale,
-								command,
-								[]string{},
-							)
-							assert.Nil(t, err)
-							log.Printf("Result for %s: %s\n", hostname, result)
-							assert.Contains(t, result, "pong")
-						})
-				}
-			}
-		}
-	}
-}
-
-func (s *IntegrationTestSuite) TestTailDrop() {
-	for _, scales := range s.namespaces {
-		ips, err := getIPs(scales.tailscales)
-		assert.Nil(s.T(), err)
-
-		retry := func(times int, sleepInverval time.Duration, doWork func() error) (err error) {
-			for attempts := 0; attempts < times; attempts++ {
-				err = doWork()
-				if err == nil {
-					return
-				}
-				time.Sleep(sleepInverval)
-			}
-
-			return
-		}
-
-		for hostname, tailscale := range scales.tailscales {
-			command := []string{"touch", fmt.Sprintf("/tmp/file_from_%s", hostname)}
-			_, err := ExecuteCommand(
-				&tailscale,
-				command,
-				[]string{},
-			)
-			assert.Nil(s.T(), err)
-			for peername := range ips {
-				if peername == hostname {
-					continue
-				}
-				s.T().Run(fmt.Sprintf("%s-%s", hostname, peername), func(t *testing.T) {
-					command := []string{
-						"tailscale", "file", "cp",
-						fmt.Sprintf("/tmp/file_from_%s", hostname),
-						fmt.Sprintf("%s:", ips[peername][1]),
-					}
-					retry(10, 1*time.Second, func() error {
-						log.Printf(
-							"Sending file from %s to %s\n",
-							hostname,
-							peername,
-						)
-						_, err := ExecuteCommand(
-							&tailscale,
-							command,
-							[]string{},
-							ExecuteCommandTimeout(60*time.Second),
-						)
-						return err
-					})
-					assert.Nil(t, err)
-				})
-			}
-		}
-
-		for hostname, tailscale := range scales.tailscales {
-			command := []string{
-				"tailscale", "file",
-				"get",
-				"/tmp/",
-			}
-			_, err := ExecuteCommand(
-				&tailscale,
-				command,
-				[]string{},
-			)
-			assert.Nil(s.T(), err)
-			for peername, ip := range ips {
-				if peername == hostname {
-					continue
-				}
-				s.T().Run(fmt.Sprintf("%s-%s", hostname, peername), func(t *testing.T) {
-					command := []string{
-						"ls",
-						fmt.Sprintf("/tmp/file_from_%s", peername),
-					}
-					log.Printf(
-						"Checking file in %s (%s) from %s (%s)\n",
-						hostname,
-						ips[hostname][1],
-						peername,
-						ip,
-					)
-					result, err := ExecuteCommand(
-						&tailscale,
-						command,
-						[]string{},
-					)
-					assert.Nil(t, err)
-					log.Printf("Result for %s: %s\n", peername, result)
-					assert.Equal(
-						t,
-						fmt.Sprintf("/tmp/file_from_%s\n", peername),
-						result,
-					)
-				})
-			}
-		}
-	}
-}
-
-func (s *IntegrationTestSuite) TestPingAllPeersByHostname() {
-	hostnames, err := getMagicFQDN(&s.headscale)
-	assert.Nil(s.T(), err)
-
-	log.Printf("Resolved hostnames: %#v", hostnames)
-	for _, scales := range s.namespaces {
-		for hostname, tailscale := range scales.tailscales {
-			for _, peername := range hostnames {
-				if strings.Contains(peername, hostname) {
-					continue
-				}
-
-				s.T().Run(fmt.Sprintf("%s-%s", hostname, peername), func(t *testing.T) {
-					command := []string{
-						"tailscale", "ping",
-						"--timeout=10s",
-						"--c=20",
-						"--until-direct=true",
-						peername,
-					}
-
-					log.Printf(
-						"Pinging using hostname from %s to %s\n",
-						hostname,
-						peername,
-					)
-					result, err := ExecuteCommand(
-						&tailscale,
-						command,
-						[]string{},
-					)
-					assert.Nil(t, err)
-					log.Printf("Result for %s: %s\n", hostname, result)
-					assert.Contains(t, result, "pong")
-				})
-			}
-		}
-	}
-}
-
-func (s *IntegrationTestSuite) TestMagicDNS() {
-	hostnames, err := getMagicFQDN(&s.headscale)
-	assert.Nil(s.T(), err)
-
-	log.Printf("Resolved hostnames: %#v", hostnames)
-
-	for _, scales := range s.namespaces {
-		ips, err := getIPs(scales.tailscales)
-		assert.Nil(s.T(), err)
-
-		for hostname, tailscale := range scales.tailscales {
-			for _, peername := range hostnames {
-				if strings.Contains(peername, hostname) {
-					continue
-				}
-
-				s.T().Run(fmt.Sprintf("%s-%s", hostname, peername), func(t *testing.T) {
-					command := []string{
-						"tailscale", "ip", peername,
-					}
-
-					log.Printf(
-						"Resolving name %s from %s\n",
-						peername,
-						hostname,
-					)
-					result, err := ExecuteCommand(
-						&tailscale,
-						command,
-						[]string{},
-					)
-					assert.Nil(t, err)
-					log.Printf("Result for %s: %s\n", hostname, result)
-
-					peerBaseName := peername[:len(peername)-MachineGivenNameHashLength-1]
-					expectedAddresses := ips[peerBaseName]
-					for _, ip := range expectedAddresses {
-						assert.Contains(t, result, ip.String())
-					}
-				})
-			}
-		}
-	}
-}
-
-func getAPIURLs(
-	tailscales map[string]dockertest.Resource,
-) (map[netaddr.IP]string, error) {
-	fts := make(map[netaddr.IP]string)
-	for _, tailscale := range tailscales {
-		command := []string{
-			"curl",
-			"--unix-socket",
-			"/run/tailscale/tailscaled.sock",
-			"http://localhost/localapi/v0/file-targets",
-		}
-		result, err := ExecuteCommand(
-			&tailscale,
-			command,
-			[]string{},
-		)
-		if err != nil {
-			return nil, err
-		}
-
-		var pft []apitype.FileTarget
-		if err := json.Unmarshal([]byte(result), &pft); err != nil {
-			return nil, fmt.Errorf("invalid JSON: %w", err)
-		}
-		for _, ft := range pft {
-			n := ft.Node
-			for _, a := range n.Addresses { // just add all the addresses
-				if _, ok := fts[a.IP()]; !ok {
-					if ft.PeerAPIURL == "" {
-						return nil, errors.New("api url is empty")
-					}
-					fts[a.IP()] = ft.PeerAPIURL
-				}
-			}
-		}
-	}
-
-	return fts, nil
-}

integration_test/etc/alt-config.dump.gold.yaml

@@ -0,0 +1,54 @@
+acl_policy_path: ""
+cli:
+  insecure: false
+  timeout: 5s
+db_path: /tmp/integration_test_db.sqlite3
+db_type: sqlite3
+derp:
+  auto_update_enabled: false
+  server:
+    enabled: false
+    stun:
+      enabled: true
+  update_frequency: 1m
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+dns_config:
+  override_local_dns: true
+  base_domain: headscale.net
+  domains: []
+  magic_dns: true
+  nameservers:
+    - 127.0.0.11
+    - 1.1.1.1
+ephemeral_node_inactivity_timeout: 30m
+node_update_check_interval: 10s
+grpc_allow_insecure: false
+grpc_listen_addr: :50443
+ip_prefixes:
+  - fd7a:115c:a1e0::/48
+  - 100.64.0.0/10
+listen_addr: 0.0.0.0:18080
+log:
+  level: disabled
+  format: text
+logtail:
+  enabled: false
+metrics_listen_addr: 127.0.0.1:19090
+oidc:
+  only_start_if_oidc_is_available: true
+  scope:
+    - openid
+    - profile
+    - email
+  strip_email_domain: true
+private_key_path: private.key
+noise:
+  private_key_path: noise_private.key
+server_url: http://headscale:18080
+tls_client_auth_mode: relaxed
+tls_letsencrypt_cache_dir: /var/www/.cache
+tls_letsencrypt_challenge_type: HTTP-01
+unix_socket: /var/run/headscale.sock
+unix_socket_permission: "0o770"
+randomize_client_port: false

integration_test/etc/alt-config.yaml

@@ -0,0 +1,30 @@
+log:
+  level: trace
+acl_policy_path: ""
+db_type: sqlite3
+ephemeral_node_inactivity_timeout: 30m
+node_update_check_interval: 10s
+ip_prefixes:
+  - fd7a:115c:a1e0::/48
+  - 100.64.0.0/10
+dns_config:
+  override_local_dns: true
+  base_domain: headscale.net
+  magic_dns: true
+  domains: []
+  nameservers:
+    - 127.0.0.11
+    - 1.1.1.1
+db_path: /tmp/integration_test_db.sqlite3
+private_key_path: private.key
+noise:
+  private_key_path: noise_private.key
+listen_addr: 0.0.0.0:18080
+metrics_listen_addr: 127.0.0.1:19090
+server_url: http://headscale:18080
+
+derp:
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+  auto_update_enabled: false
+  update_frequency: 1m

integration_test/etc/alt-env-config.dump.gold.yaml

@@ -0,0 +1,53 @@
+acl_policy_path: ""
+cli:
+  insecure: false
+  timeout: 5s
+db_path: /tmp/integration_test_db.sqlite3
+db_type: sqlite3
+derp:
+  auto_update_enabled: false
+  server:
+    enabled: false
+    stun:
+      enabled: true
+  update_frequency: 1m
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+dns_config:
+  override_local_dns: true
+  base_domain: headscale.net
+  domains: []
+  magic_dns: true
+  nameservers:
+    - 1.1.1.1
+ephemeral_node_inactivity_timeout: 30m
+node_update_check_interval: 30s
+grpc_allow_insecure: false
+grpc_listen_addr: :50443
+ip_prefixes:
+  - fd7a:115c:a1e0::/48
+  - 100.64.0.0/10
+listen_addr: 0.0.0.0:18080
+log:
+  level: disabled
+  format: text
+logtail:
+  enabled: false
+metrics_listen_addr: 127.0.0.1:19090
+oidc:
+  only_start_if_oidc_is_available: true
+  scope:
+    - openid
+    - profile
+    - email
+  strip_email_domain: true
+private_key_path: private.key
+noise:
+  private_key_path: noise_private.key
+server_url: http://headscale:18080
+tls_client_auth_mode: relaxed
+tls_letsencrypt_cache_dir: /var/www/.cache
+tls_letsencrypt_challenge_type: HTTP-01
+unix_socket: /var/run/headscale.sock
+unix_socket_permission: "0o770"
+randomize_client_port: false

integration_test/etc/alt-env-config.yaml

@@ -0,0 +1,29 @@
+log:
+  level: trace
+acl_policy_path: ""
+db_type: sqlite3
+ephemeral_node_inactivity_timeout: 30m
+node_update_check_interval: 30s
+ip_prefixes:
+  - fd7a:115c:a1e0::/48
+  - 100.64.0.0/10
+dns_config:
+  override_local_dns: true
+  base_domain: headscale.net
+  magic_dns: true
+  domains: []
+  nameservers:
+    - 1.1.1.1
+db_path: /tmp/integration_test_db.sqlite3
+private_key_path: private.key
+noise:
+  private_key_path: noise_private.key
+listen_addr: 0.0.0.0:18080
+metrics_listen_addr: 127.0.0.1:19090
+server_url: http://headscale:18080
+
+derp:
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+  auto_update_enabled: false
+  update_frequency: 1m

integration_test/etc/config.dump.gold.yaml

@@ -0,0 +1,54 @@
+acl_policy_path: ""
+cli:
+  insecure: false
+  timeout: 5s
+db_path: /tmp/integration_test_db.sqlite3
+db_type: sqlite3
+derp:
+  auto_update_enabled: false
+  server:
+    enabled: false
+    stun:
+      enabled: true
+  update_frequency: 1m
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+dns_config:
+  override_local_dns: true
+  base_domain: headscale.net
+  domains: []
+  magic_dns: true
+  nameservers:
+    - 127.0.0.11
+    - 1.1.1.1
+ephemeral_node_inactivity_timeout: 30m
+node_update_check_interval: 10s
+grpc_allow_insecure: false
+grpc_listen_addr: :50443
+ip_prefixes:
+  - fd7a:115c:a1e0::/48
+  - 100.64.0.0/10
+listen_addr: 0.0.0.0:8080
+log:
+  format: text
+  level: disabled
+logtail:
+  enabled: false
+metrics_listen_addr: 127.0.0.1:9090
+oidc:
+  only_start_if_oidc_is_available: true
+  scope:
+    - openid
+    - profile
+    - email
+  strip_email_domain: true
+private_key_path: private.key
+noise:
+  private_key_path: noise_private.key
+server_url: http://headscale:8080
+tls_client_auth_mode: relaxed
+tls_letsencrypt_cache_dir: /var/www/.cache
+tls_letsencrypt_challenge_type: HTTP-01
+unix_socket: /var/run/headscale.sock
+unix_socket_permission: "0o770"
+randomize_client_port: false

integration_test/etc/config.yaml

@@ -1,18 +1,24 @@
-log_level: trace
+log:
+  level: trace
 acl_policy_path: ""
 db_type: sqlite3
 ephemeral_node_inactivity_timeout: 30m
+node_update_check_interval: 10s
 ip_prefixes:
   - fd7a:115c:a1e0::/48
   - 100.64.0.0/10
 dns_config:
+  override_local_dns: true
   base_domain: headscale.net
   magic_dns: true
   domains: []
   nameservers:
+    - 127.0.0.11
     - 1.1.1.1
 db_path: /tmp/integration_test_db.sqlite3
 private_key_path: private.key
+noise:
+  private_key_path: noise_private.key
 listen_addr: 0.0.0.0:8080
 metrics_listen_addr: 127.0.0.1:9090
 server_url: http://headscale:8080