Updated test config to work with TS2021

.github/workflows/lint.yml

@@ -70,7 +70,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - uses: bufbuild/buf-setup-action@v1.7.0
+      - uses: bufbuild/buf-setup-action@v0.7.0
       - uses: bufbuild/buf-lint-action@v1
         with:
           input: "proto"

.github/workflows/release.yml

@@ -89,8 +89,6 @@ jobs:
           platforms: linux/amd64,linux/arm64
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache-new
-          build-args: |
-            VERSION=${{ steps.meta.outputs.version }}
       - name: Prepare cache for next build
         run: |
           rm -rf /tmp/.buildx-cache
@@ -155,8 +153,6 @@ jobs:
           platforms: linux/amd64,linux/arm64
           cache-from: type=local,src=/tmp/.buildx-cache-debug
           cache-to: type=local,dest=/tmp/.buildx-cache-debug-new
-          build-args: |
-            VERSION=${{ steps.meta-debug.outputs.version }}
       - name: Prepare cache for next build
         run: |
           rm -rf /tmp/.buildx-cache-debug
@@ -221,8 +217,6 @@ jobs:
           platforms: linux/amd64,linux/arm64
           cache-from: type=local,src=/tmp/.buildx-cache-alpine
           cache-to: type=local,dest=/tmp/.buildx-cache-alpine-new
-          build-args: |
-            VERSION=${{ steps.meta-alpine.outputs.version }}
       - name: Prepare cache for next build
         run: |
           rm -rf /tmp/.buildx-cache-alpine

.github/workflows/test-integration.yml

@@ -11,11 +11,6 @@ jobs:
         with:
           fetch-depth: 2
 
-      - name: Set Swap Space
-        uses: pierotofy/set-swap-space@master
-        with:
-          swap-size-gb: 10
-
       - name: Get changed files
         id: changed-files
         uses: tj-actions/changed-files@v14.1
@@ -30,29 +25,6 @@ jobs:
       - uses: cachix/install-nix-action@v16
         if: steps.changed-files.outputs.any_changed == 'true'
 
-      - name: Run CLI integration tests
+      - name: Run Integration tests
         if: steps.changed-files.outputs.any_changed == 'true'
-        uses: nick-fields/retry@v2
+        run: nix develop --command -- make test_integration
-        with:
-          timeout_minutes: 240
-          max_attempts: 5
-          retry_on: error
-          command: nix develop --command -- make test_integration_cli
-
-      - name: Run Embedded DERP server integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: nick-fields/retry@v2
-        with:
-          timeout_minutes: 240
-          max_attempts: 5
-          retry_on: error
-          command: nix develop --command -- make test_integration_derp
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: nick-fields/retry@v2
-        with:
-          timeout_minutes: 240
-          max_attempts: 5
-          retry_on: error
-          command: nix develop --command -- make test_integration_general

.gitignore

@@ -31,5 +31,3 @@ test_output/
 # Nix build output
 result
 .direnv/
-
-integration_test/etc/config.dump.yaml

CHANGELOG.md

@@ -1,14 +1,6 @@
 # CHANGELOG
 
-## 0.17.0 (2022-xx-xx)
+## 0.16.0 (2022-xx-xx)
-
-- Updated dependencies (including the library that lacked armhf support) [#722](https://github.com/juanfont/headscale/pull/722)
-- Fix missing group expansion in function `excludeCorretlyTaggedNodes` [#563](https://github.com/juanfont/headscale/issues/563)
-- Improve registration protocol implementation and switch to NodeKey as main identifier [#725](https://github.com/juanfont/headscale/pull/725)
-
-## 0.16.0 (2022-07-25)
-
-**Note:** Take a backup of your database before upgrading.
 
 ### BREAKING
 
@@ -37,13 +29,6 @@
 - Use new ACL syntax [#618](https://github.com/juanfont/headscale/pull/618)
 - Add -c option to specify config file from command line [#285](https://github.com/juanfont/headscale/issues/285) [#612](https://github.com/juanfont/headscale/pull/601)
 - Add configuration option to allow Tailscale clients to use a random WireGuard port. [kb/1181/firewalls](https://tailscale.com/kb/1181/firewalls) [#624](https://github.com/juanfont/headscale/pull/624)
-- Improve obtuse UX regarding missing configuration (`ephemeral_node_inactivity_timeout` not set) [#639](https://github.com/juanfont/headscale/pull/639)
-- Fix nodes being shown as 'offline' in `tailscale status` [#648](https://github.com/juanfont/headscale/pull/648)
-- Improve shutdown behaviour [#651](https://github.com/juanfont/headscale/pull/651)
-- Drop Gin as web framework in Headscale [648](https://github.com/juanfont/headscale/pull/648) [677](https://github.com/juanfont/headscale/pull/677)
-- Make tailnet node updates check interval configurable [#675](https://github.com/juanfont/headscale/pull/675)
-- Fix regression with HTTP API [#684](https://github.com/juanfont/headscale/pull/684)
-- nodes ls now print both Hostname and Name(Issue [#647](https://github.com/juanfont/headscale/issues/647) PR [#687](https://github.com/juanfont/headscale/pull/687))
 
 ## 0.15.0 (2022-03-20)
 

Dockerfile

@@ -1,6 +1,5 @@
 # Builder image
 FROM docker.io/golang:1.18.0-bullseye AS build
-ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale
 
@@ -9,7 +8,7 @@ RUN go mod download
 
 COPY . .
 
-RUN CGO_ENABLED=0 GOOS=linux go install -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
+RUN CGO_ENABLED=0 GOOS=linux go install -a ./cmd/headscale
 RUN strip /go/bin/headscale
 RUN test -e /go/bin/headscale
 

Dockerfile.alpine

@@ -1,6 +1,5 @@
 # Builder image
 FROM docker.io/golang:1.18.0-alpine AS build
-ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale
 
@@ -10,7 +9,7 @@ RUN go mod download
 
 COPY . .
 
-RUN CGO_ENABLED=0 GOOS=linux go install -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
+RUN CGO_ENABLED=0 GOOS=linux go install -a ./cmd/headscale
 RUN strip /go/bin/headscale
 RUN test -e /go/bin/headscale
 

Dockerfile.debug

@@ -1,6 +1,5 @@
 # Builder image
 FROM docker.io/golang:1.18.0-bullseye AS build
-ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale
 
@@ -9,7 +8,7 @@ RUN go mod download
 
 COPY . .
 
-RUN CGO_ENABLED=0 GOOS=linux go install -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
+RUN CGO_ENABLED=0 GOOS=linux go install -a ./cmd/headscale
 RUN test -e /go/bin/headscale
 
 # Debug image

Makefile

@@ -1,5 +1,5 @@
 # Calculate version
-version ?= $(shell git describe --always --tags --dirty)
+version = $(git describe --always --tags --dirty)
 
 rwildcard=$(foreach d,$(wildcard $1*),$(call rwildcard,$d/,$2) $(filter $(subst *,%,$2),$d))
 
@@ -24,16 +24,14 @@ dev: lint test build
 test:
 	@go test -coverprofile=coverage.out ./...
 
-test_integration: test_integration_cli test_integration_derp test_integration_general
+test_integration:
+	go test -failfast -tags integration -timeout 30m -count=1 ./...
 
 test_integration_cli:
-	go test -failfast -tags integration_cli,integration -timeout 30m -count=1 ./...
+	go test -tags integration -v integration_cli_test.go integration_common_test.go
 
 test_integration_derp:
-	go test -failfast -tags integration_derp,integration -timeout 30m -count=1 ./...
+	go test -tags integration -v integration_embedded_derp_test.go integration_common_test.go
-
-test_integration_general:
-	go test -failfast -tags integration_general,integration -timeout 30m -count=1 ./...
 
 coverprofile_func:
 	go tool cover -func=coverage.out

README.md

@@ -67,15 +67,15 @@ one of the maintainers.
 
 ## Client OS support
 
-| OS      | Supports headscale                                        |
+| OS      | Supports headscale                                                                                                |
-| ------- | --------------------------------------------------------- |
+| ------- | ----------------------------------------------------------------------------------------------------------------- |
-| Linux   | Yes                                                       |
+| Linux   | Yes                                                                                                               |
-| OpenBSD | Yes                                                       |
+| OpenBSD | Yes                                                                                                               |
-| FreeBSD | Yes                                                       |
+| FreeBSD | Yes                                                                                                               |
-| macOS   | Yes (see `/apple` on your headscale for more information) |
+| macOS   | Yes (see `/apple` on your headscale for more information)                                                         |
-| Windows | Yes [docs](./docs/windows-client.md)                      |
+| Windows | Yes [docs](./docs/windows-client.md)                                                                              |
-| Android | Yes [docs](./docs/android-client.md)                      |
+| Android | [You need to compile the client yourself](https://github.com/juanfont/headscale/issues/58#issuecomment-885255270) |
-| iOS     | Not yet                                                   |
+| iOS     | Not yet                                                                                                           |
 
 ## Running headscale
 
@@ -188,13 +188,6 @@ make build
             <sub style="font-size:14px"><b>Ward Vandewege</b></sub>
         </a>
     </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/huskyii>
-            <img src=https://avatars.githubusercontent.com/u/5499746?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jiang Zhu/>
-            <br />
-            <sub style="font-size:14px"><b>Jiang Zhu</b></sub>
-        </a>
-    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/reynico>
             <img src=https://avatars.githubusercontent.com/u/715768?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Nico/>
@@ -202,8 +195,6 @@ make build
             <sub style="font-size:14px"><b>Nico</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/e-zk>
             <img src=https://avatars.githubusercontent.com/u/58356365?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=e-zk/>
@@ -211,6 +202,8 @@ make build
             <sub style="font-size:14px"><b>e-zk</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/arch4ngel>
             <img src=https://avatars.githubusercontent.com/u/11574161?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Justin Angel/>
@@ -225,6 +218,13 @@ make build
             <sub style="font-size:14px"><b>Alessandro (Ale) Segala</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/huskyii>
+            <img src=https://avatars.githubusercontent.com/u/5499746?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jiang Zhu/>
+            <br />
+            <sub style="font-size:14px"><b>Jiang Zhu</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/unreality>
             <img src=https://avatars.githubusercontent.com/u/352522?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=unreality/>
@@ -269,13 +269,6 @@ make build
             <sub style="font-size:14px"><b>Aaron Bieber</b></sub>
         </a>
     </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/iSchluff>
-            <img src=https://avatars.githubusercontent.com/u/1429641?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Anton Schubert/>
-            <br />
-            <sub style="font-size:14px"><b>Anton Schubert</b></sub>
-        </a>
-    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/fdelucchijr>
             <img src=https://avatars.githubusercontent.com/u/69133647?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Fernando De Lucchi/>
@@ -283,15 +276,6 @@ make build
             <sub style="font-size:14px"><b>Fernando De Lucchi</b></sub>
         </a>
     </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/GrigoriyMikhalkin>
-            <img src=https://avatars.githubusercontent.com/u/3637857?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=GrigoriyMikhalkin/>
-            <br />
-            <sub style="font-size:14px"><b>GrigoriyMikhalkin</b></sub>
-        </a>
-    </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/hdhoang>
             <img src=https://avatars.githubusercontent.com/u/12537?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Hoàng Đức Hiếu/>
@@ -306,6 +290,8 @@ make build
             <sub style="font-size:14px"><b>bravechamp</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/deonthomasgy>
             <img src=https://avatars.githubusercontent.com/u/150036?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Deon Thomas/>
@@ -313,13 +299,6 @@ make build
             <sub style="font-size:14px"><b>Deon Thomas</b></sub>
         </a>
     </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/ChibangLW>
-            <img src=https://avatars.githubusercontent.com/u/22293464?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ChibangLW/>
-            <br />
-            <sub style="font-size:14px"><b>ChibangLW</b></sub>
-        </a>
-    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/mevansam>
             <img src=https://avatars.githubusercontent.com/u/403630?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mevan Samaratunga/>
@@ -334,8 +313,6 @@ make build
             <sub style="font-size:14px"><b>Michael G.</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/ptman>
             <img src=https://avatars.githubusercontent.com/u/24669?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Paul Tötterman/>
@@ -343,13 +320,6 @@ make build
             <sub style="font-size:14px"><b>Paul Tötterman</b></sub>
         </a>
     </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/samson4649>
-            <img src=https://avatars.githubusercontent.com/u/12725953?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Samuel Lock/>
-            <br />
-            <sub style="font-size:14px"><b>Samuel Lock</b></sub>
-        </a>
-    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/majst01>
             <img src=https://avatars.githubusercontent.com/u/410110?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan Majer/>
@@ -357,6 +327,15 @@ make build
             <sub style="font-size:14px"><b>Stefan Majer</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/iSchluff>
+            <img src=https://avatars.githubusercontent.com/u/1429641?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Anton Schubert/>
+            <br />
+            <sub style="font-size:14px"><b>Anton Schubert</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/artemklevtsov>
             <img src=https://avatars.githubusercontent.com/u/603798?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Artem Klevtsov/>
@@ -378,8 +357,6 @@ make build
             <sub style="font-size:14px"><b>Pavlos Vinieratos</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/SilverBut>
             <img src=https://avatars.githubusercontent.com/u/6560655?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Silver Bullet/>
@@ -401,6 +378,8 @@ make build
             <sub style="font-size:14px"><b>thomas</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/aberoham>
             <img src=https://avatars.githubusercontent.com/u/586805?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Abraham Ingersoll/>
@@ -422,8 +401,6 @@ make build
             <sub style="font-size:14px"><b>Aofei Sheng</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/awoimbee>
             <img src=https://avatars.githubusercontent.com/u/22431493?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Arthur Woimbée/>
@@ -445,6 +422,8 @@ make build
             <sub style="font-size:14px"><b> Carson Yang</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/kundel>
             <img src=https://avatars.githubusercontent.com/u/10158899?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=kundel/>
@@ -466,8 +445,6 @@ make build
             <sub style="font-size:14px"><b>Felix Yan</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/JJGadgets>
             <img src=https://avatars.githubusercontent.com/u/5709019?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=JJGadgets/>
@@ -489,6 +466,8 @@ make build
             <sub style="font-size:14px"><b>Jim Tittsler</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/piec>
             <img src=https://avatars.githubusercontent.com/u/781471?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pierre Carru/>
@@ -510,8 +489,6 @@ make build
             <sub style="font-size:14px"><b>WhiteSource Renovate</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/ryanfowler>
             <img src=https://avatars.githubusercontent.com/u/2668821?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Ryan Fowler/>
@@ -533,6 +510,8 @@ make build
             <sub style="font-size:14px"><b>Tanner</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/Teteros>
             <img src=https://avatars.githubusercontent.com/u/5067989?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Teteros/>
@@ -554,8 +533,6 @@ make build
             <sub style="font-size:14px"><b>Tianon Gravi</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/woudsma>
             <img src=https://avatars.githubusercontent.com/u/6162978?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tjerk Woudsma/>
@@ -577,11 +554,13 @@ make build
             <sub style="font-size:14px"><b>Zakhar Bessarab</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/Bpazy>
-            <img src=https://avatars.githubusercontent.com/u/9838749?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Ziyuan Han/>
+            <img src=https://avatars.githubusercontent.com/u/9838749?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ZiYuan/>
             <br />
-            <sub style="font-size:14px"><b>Ziyuan Han</b></sub>
+            <sub style="font-size:14px"><b>ZiYuan</b></sub>
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -598,8 +577,6 @@ make build
             <sub style="font-size:14px"><b>henning mueller</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/ignoramous>
             <img src=https://avatars.githubusercontent.com/u/852289?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ignoramous/>
@@ -621,6 +598,8 @@ make build
             <sub style="font-size:14px"><b>pernila</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/Wakeful-Cloud>
             <img src=https://avatars.githubusercontent.com/u/38930607?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Wakeful-Cloud/>

acls.go

@@ -37,7 +37,7 @@ const (
 	expectedTokenItems = 2
 )
 
-// For some reason golang.org/x/net/internal/iana is an internal package.
+// For some reason golang.org/x/net/internal/iana is an internal package
 const (
 	protocolICMP     = 1   // Internet Control Message
 	protocolIGMP     = 2   // Internet Group Management
@@ -162,12 +162,7 @@ func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
 
 		destPorts := []tailcfg.NetPortRange{}
 		for innerIndex, dest := range acl.Destinations {
-			dests, err := h.generateACLPolicyDest(
+			dests, err := h.generateACLPolicyDest(machines, *h.aclPolicy, dest, needsWildcard)
-				machines,
-				*h.aclPolicy,
-				dest,
-				needsWildcard,
-			)
 			if err != nil {
 				log.Error().
 					Msgf("Error parsing ACL %d, Destination %d", index, innerIndex)
@@ -260,12 +255,7 @@ func (h *Headscale) generateACLPolicyDest(
 func parseProtocol(protocol string) ([]int, bool, error) {
 	switch protocol {
 	case "":
-		return []int{
+		return []int{protocolICMP, protocolIPv6ICMP, protocolTCP, protocolUDP}, false, nil
-			protocolICMP,
-			protocolIPv6ICMP,
-			protocolTCP,
-			protocolUDP,
-		}, false, nil
 	case "igmp":
 		return []int{protocolIGMP}, true, nil
 	case "ipv4", "ip-in-ip":
@@ -294,9 +284,7 @@ func parseProtocol(protocol string) ([]int, bool, error) {
 		if err != nil {
 			return nil, false, err
 		}
-		needsWildcard := protocolNumber != protocolTCP &&
+		needsWildcard := protocolNumber != protocolTCP && protocolNumber != protocolUDP && protocolNumber != protocolSCTP
-			protocolNumber != protocolUDP &&
-			protocolNumber != protocolSCTP
 
 		return []int{protocolNumber}, needsWildcard, nil
 	}
@@ -379,7 +367,7 @@ func expandAlias(
 
 	// if alias is a namespace
 	nodes := filterMachinesByNamespace(machines, alias)
-	nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias, stripEmailDomain)
+	nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias)
 
 	for _, n := range nodes {
 		ips = append(ips, n.IPAddresses.ToStringSlice()...)
@@ -417,13 +405,10 @@ func excludeCorrectlyTaggedNodes(
 	aclPolicy ACLPolicy,
 	nodes []Machine,
 	namespace string,
-	stripEmailDomain bool,
 ) []Machine {
 	out := []Machine{}
 	tags := []string{}
-	for tag := range aclPolicy.TagOwners {
+	for tag, ns := range aclPolicy.TagOwners {
-		owners, _ := expandTagOwners(aclPolicy, namespace, stripEmailDomain)
-		ns := append(owners, namespace)
 		if contains(ns, namespace) {
 			tags = append(tags, tag)
 		}

acls_test.go

@@ -62,11 +62,7 @@ func (s *Suite) TestBasicRule(c *check.C) {
 func (s *Suite) TestInvalidAction(c *check.C) {
 	app.aclPolicy = &ACLPolicy{
 		ACLs: []ACL{
-			{
+			{Action: "invalidAction", Sources: []string{"*"}, Destinations: []string{"*:*"}},
-				Action:       "invalidAction",
-				Sources:      []string{"*"},
-				Destinations: []string{"*:*"},
-			},
 		},
 	}
 	err := app.UpdateACLRules()
@@ -81,11 +77,7 @@ func (s *Suite) TestInvalidGroupInGroup(c *check.C) {
 			"group:error": []string{"foo", "group:test"},
 		},
 		ACLs: []ACL{
-			{
+			{Action: "accept", Sources: []string{"group:error"}, Destinations: []string{"*:*"}},
-				Action:       "accept",
-				Sources:      []string{"group:error"},
-				Destinations: []string{"*:*"},
-			},
 		},
 	}
 	err := app.UpdateACLRules()
@@ -96,11 +88,7 @@ func (s *Suite) TestInvalidTagOwners(c *check.C) {
 	// this ACL is wrong because no tagOwners own the requested tag for the server
 	app.aclPolicy = &ACLPolicy{
 		ACLs: []ACL{
-			{
+			{Action: "accept", Sources: []string{"tag:foo"}, Destinations: []string{"*:*"}},
-				Action:       "accept",
-				Sources:      []string{"tag:foo"},
-				Destinations: []string{"*:*"},
-			},
 		},
 	}
 	err := app.UpdateACLRules()
@@ -143,11 +131,7 @@ func (s *Suite) TestValidExpandTagOwnersInSources(c *check.C) {
 		Groups:    Groups{"group:test": []string{"user1", "user2"}},
 		TagOwners: TagOwners{"tag:test": []string{"user3", "group:test"}},
 		ACLs: []ACL{
-			{
+			{Action: "accept", Sources: []string{"tag:test"}, Destinations: []string{"*:*"}},
-				Action:       "accept",
-				Sources:      []string{"tag:test"},
-				Destinations: []string{"*:*"},
-			},
 		},
 	}
 	err = app.UpdateACLRules()
@@ -193,11 +177,7 @@ func (s *Suite) TestValidExpandTagOwnersInDestinations(c *check.C) {
 		Groups:    Groups{"group:test": []string{"user1", "user2"}},
 		TagOwners: TagOwners{"tag:test": []string{"user3", "group:test"}},
 		ACLs: []ACL{
-			{
+			{Action: "accept", Sources: []string{"*"}, Destinations: []string{"tag:test:*"}},
-				Action:       "accept",
-				Sources:      []string{"*"},
-				Destinations: []string{"tag:test:*"},
-			},
 		},
 	}
 	err = app.UpdateACLRules()
@@ -242,11 +222,7 @@ func (s *Suite) TestInvalidTagValidNamespace(c *check.C) {
 	app.aclPolicy = &ACLPolicy{
 		TagOwners: TagOwners{"tag:test": []string{"user1"}},
 		ACLs: []ACL{
-			{
+			{Action: "accept", Sources: []string{"user1"}, Destinations: []string{"*:*"}},
-				Action:       "accept",
-				Sources:      []string{"user1"},
-				Destinations: []string{"*:*"},
-			},
 		},
 	}
 	err = app.UpdateACLRules()
@@ -1225,10 +1201,9 @@ func Test_expandAlias(t *testing.T) {
 
 func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 	type args struct {
-		aclPolicy        ACLPolicy
+		aclPolicy ACLPolicy
-		nodes            []Machine
+		nodes     []Machine
-		namespace        string
+		namespace string
-		stripEmailDomain bool
 	}
 	tests := []struct {
 		name    string
@@ -1272,59 +1247,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 						Namespace: Namespace{Name: "joe"},
 					},
 				},
-				namespace:        "joe",
+				namespace: "joe",
-				stripEmailDomain: true,
-			},
-			want: []Machine{
-				{
-					IPAddresses: MachineAddresses{netaddr.MustParseIP("100.64.0.4")},
-					Namespace:   Namespace{Name: "joe"},
-				},
-			},
-		},
-		{
-			name: "exclude nodes with valid tags, and owner is in a group",
-			args: args{
-				aclPolicy: ACLPolicy{
-					Groups: Groups{
-						"group:accountant": []string{"joe", "bar"},
-					},
-					TagOwners: TagOwners{
-						"tag:accountant-webserver": []string{"group:accountant"},
-					},
-				},
-				nodes: []Machine{
-					{
-						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.1"),
-						},
-						Namespace: Namespace{Name: "joe"},
-						HostInfo: HostInfo{
-							OS:          "centos",
-							Hostname:    "foo",
-							RequestTags: []string{"tag:accountant-webserver"},
-						},
-					},
-					{
-						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.2"),
-						},
-						Namespace: Namespace{Name: "joe"},
-						HostInfo: HostInfo{
-							OS:          "centos",
-							Hostname:    "foo",
-							RequestTags: []string{"tag:accountant-webserver"},
-						},
-					},
-					{
-						IPAddresses: MachineAddresses{
-							netaddr.MustParseIP("100.64.0.4"),
-						},
-						Namespace: Namespace{Name: "joe"},
-					},
-				},
-				namespace:        "joe",
-				stripEmailDomain: true,
 			},
 			want: []Machine{
 				{
@@ -1365,8 +1288,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 						Namespace: Namespace{Name: "joe"},
 					},
 				},
-				namespace:        "joe",
+				namespace: "joe",
-				stripEmailDomain: true,
 			},
 			want: []Machine{
 				{
@@ -1411,8 +1333,7 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 						Namespace: Namespace{Name: "joe"},
 					},
 				},
-				namespace:        "joe",
+				namespace: "joe",
-				stripEmailDomain: true,
 			},
 			want: []Machine{
 				{
@@ -1452,7 +1373,6 @@ func Test_excludeCorrectlyTaggedNodes(t *testing.T) {
 				test.args.aclPolicy,
 				test.args.nodes,
 				test.args.namespace,
-				test.args.stripEmailDomain,
 			)
 			if !reflect.DeepEqual(got, test.want) {
 				t.Errorf("excludeCorrectlyTaggedNodes() = %v, want %v", got, test.want)

acls_types.go

@@ -21,9 +21,9 @@ type ACLPolicy struct {
 // ACL is a basic rule for the ACL Policy.
 type ACL struct {
 	Action       string   `json:"action" yaml:"action"`
-	Protocol     string   `json:"proto"  yaml:"proto"`
+	Protocol     string   `json:"proto" yaml:"proto"`
-	Sources      []string `json:"src"    yaml:"src"`
+	Sources      []string `json:"src"  yaml:"src"`
-	Destinations []string `json:"dst"    yaml:"dst"`
+	Destinations []string `json:"dst"  yaml:"dst"`
 }
 
 // Groups references a series of alias in the ACL rules.
@@ -37,8 +37,8 @@ type TagOwners map[string][]string
 
 // ACLTest is not implemented, but should be use to check if a certain rule is allowed.
 type ACLTest struct {
-	Source string   `json:"src"            yaml:"src"`
+	Source string   `json:"src"           yaml:"src"`
-	Accept []string `json:"accept"         yaml:"accept"`
+	Accept []string `json:"accept"          yaml:"accept"`
 	Deny   []string `json:"deny,omitempty" yaml:"deny,omitempty"`
 }
 

api.go

@@ -9,10 +9,11 @@ import (
 	"html/template"
 	"io"
 	"net/http"
+	"strconv"
 	"strings"
 	"time"
 
-	"github.com/gorilla/mux"
+	"github.com/gin-gonic/gin"
 	"github.com/klauspost/compress/zstd"
 	"github.com/rs/zerolog/log"
 	"gorm.io/gorm"
@@ -21,8 +22,6 @@ import (
 )
 
 const (
-	// TODO(juan): remove this once https://github.com/juanfont/headscale/issues/727 is fixed.
-	registrationHoldoff                      = time.Second * 5
 	reservedResponseHeaderSize               = 4
 	RegisterMethodAuthKey                    = "authkey"
 	RegisterMethodOIDC                       = "oidc"
@@ -30,61 +29,45 @@ const (
 	ErrRegisterMethodCLIDoesNotSupportExpire = Error(
 		"machines registered with CLI does not support expire",
 	)
+
+	// The CapabilityVersion is used by Tailscale clients to indicate
+	// their codebase version. Tailscale clients can communicate over TS2021
+	// from CapabilityVersion 28.
+	// See https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go
+	NoiseCapabilityVersion = 28
 )
 
-func (h *Headscale) HealthHandler(
-	writer http.ResponseWriter,
-	req *http.Request,
-) {
-	respond := func(err error) {
-		writer.Header().Set("Content-Type", "application/health+json; charset=utf-8")
-
-		res := struct {
-			Status string `json:"status"`
-		}{
-			Status: "pass",
-		}
-
-		if err != nil {
-			writer.WriteHeader(http.StatusInternalServerError)
-			log.Error().Caller().Err(err).Msg("health check failed")
-			res.Status = "fail"
-		}
-
-		buf, err := json.Marshal(res)
-		if err != nil {
-			log.Error().Caller().Err(err).Msg("marshal failed")
-		}
-		_, err = writer.Write(buf)
-		if err != nil {
-			log.Error().Caller().Err(err).Msg("write failed")
-		}
-	}
-
-	if err := h.pingDB(); err != nil {
-		respond(err)
-
-		return
-	}
-
-	respond(nil)
-}
-
 // KeyHandler provides the Headscale pub key
 // Listens in /key.
-func (h *Headscale) KeyHandler(
+func (h *Headscale) KeyHandler(ctx *gin.Context) {
-	writer http.ResponseWriter,
+	// New Tailscale clients send a 'v' parameter to indicate the CurrentCapabilityVersion
-	req *http.Request,
+	clientCapabilityStr := ctx.Query("v")
-) {
+	if clientCapabilityStr != "" {
-	writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		clientCapabilityVersion, err := strconv.Atoi(clientCapabilityStr)
-	writer.WriteHeader(http.StatusOK)
+		if err != nil {
-	_, err := writer.Write([]byte(MachinePublicKeyStripPrefix(h.privateKey.Public())))
+			ctx.String(http.StatusBadRequest, "Invalid version")
-	if err != nil {
+
-		log.Error().
+			return
-			Caller().
+		}
-			Err(err).
+
-			Msg("Failed to write response")
+		if clientCapabilityVersion >= NoiseCapabilityVersion {
+			// Tailscale has a different key for the TS2021 protocol
+			resp := tailcfg.OverTLSPublicKeyResponse{
+				LegacyPublicKey: h.privateKey.Public(),
+				PublicKey:       h.noisePrivateKey.Public(),
+			}
+			ctx.JSON(http.StatusOK, resp)
+
+			return
+		}
 	}
+
+	// Old clients don't send a 'v' parameter, so we send the legacy public key
+	ctx.Data(
+		http.StatusOK,
+		"text/plain; charset=utf-8",
+		[]byte(MachinePublicKeyStripPrefix(h.privateKey.Public())),
+	)
 }
 
 type registerWebAPITemplateConfig struct {
@@ -109,80 +92,38 @@ var registerWebAPITemplate = template.Must(
 `))
 
 // RegisterWebAPI shows a simple message in the browser to point to the CLI
-// Listens in /register/:nkey.
+// Listens in /register.
-//
+func (h *Headscale) RegisterWebAPI(ctx *gin.Context) {
-// This is not part of the Tailscale control API, as we could send whatever URL
+	machineKeyStr := ctx.Query("key")
-// in the RegisterResponse.AuthURL field.
+	if machineKeyStr == "" {
-func (h *Headscale) RegisterWebAPI(
+		ctx.String(http.StatusBadRequest, "Wrong params")
-	writer http.ResponseWriter,
-	req *http.Request,
-) {
-	vars := mux.Vars(req)
-	nodeKeyStr, ok := vars["nkey"]
-	if !ok || nodeKeyStr == "" {
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		writer.WriteHeader(http.StatusBadRequest)
-		_, err := writer.Write([]byte("Wrong params"))
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
 		return
 	}
 
 	var content bytes.Buffer
 	if err := registerWebAPITemplate.Execute(&content, registerWebAPITemplateConfig{
-		Key: nodeKeyStr,
+		Key: machineKeyStr,
 	}); err != nil {
 		log.Error().
 			Str("func", "RegisterWebAPI").
 			Err(err).
 			Msg("Could not render register web API template")
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		ctx.Data(
-		writer.WriteHeader(http.StatusInternalServerError)
+			http.StatusInternalServerError,
-		_, err = writer.Write([]byte("Could not render register web API template"))
+			"text/html; charset=utf-8",
-		if err != nil {
+			[]byte("Could not render register web API template"),
-			log.Error().
+		)
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
-
-		return
 	}
 
-	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
+	ctx.Data(http.StatusOK, "text/html; charset=utf-8", content.Bytes())
-	writer.WriteHeader(http.StatusOK)
-	_, err := writer.Write(content.Bytes())
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
 }
 
 // RegistrationHandler handles the actual registration process of a machine
-// Endpoint /machine/:mkey.
+// Endpoint /machine/:id.
-func (h *Headscale) RegistrationHandler(
+func (h *Headscale) RegistrationHandler(ctx *gin.Context) {
-	writer http.ResponseWriter,
+	body, _ := io.ReadAll(ctx.Request.Body)
-	req *http.Request,
+	machineKeyStr := ctx.Param("id")
-) {
-	vars := mux.Vars(req)
-	machineKeyStr, ok := vars["mkey"]
-	if !ok || machineKeyStr == "" {
-		log.Error().
-			Str("handler", "RegistrationHandler").
-			Msg("No machine ID in request")
-		http.Error(writer, "No machine ID in request", http.StatusBadRequest)
-
-		return
-	}
-
-	body, _ := io.ReadAll(req.Body)
 
 	var machineKey key.MachinePublic
 	err := machineKey.UnmarshalText([]byte(MachinePublicKeyEnsurePrefix(machineKeyStr)))
@@ -192,19 +133,19 @@ func (h *Headscale) RegistrationHandler(
 			Err(err).
 			Msg("Cannot parse machine key")
 		machineRegistrations.WithLabelValues("unknown", "web", "error", "unknown").Inc()
-		http.Error(writer, "Cannot parse machine key", http.StatusBadRequest)
+		ctx.String(http.StatusInternalServerError, "Sad!")
 
 		return
 	}
-	registerRequest := tailcfg.RegisterRequest{}
+	req := tailcfg.RegisterRequest{}
-	err = decode(body, &registerRequest, &machineKey, h.privateKey)
+	err = decode(body, &req, &machineKey, h.privateKey)
 	if err != nil {
 		log.Error().
 			Caller().
 			Err(err).
 			Msg("Cannot decode message")
 		machineRegistrations.WithLabelValues("unknown", "web", "error", "unknown").Inc()
-		http.Error(writer, "Cannot decode message", http.StatusBadRequest)
+		ctx.String(http.StatusInternalServerError, "Very sad!")
 
 		return
 	}
@@ -212,59 +153,23 @@ func (h *Headscale) RegistrationHandler(
 	now := time.Now().UTC()
 	machine, err := h.GetMachineByMachineKey(machineKey)
 	if errors.Is(err, gorm.ErrRecordNotFound) {
+		log.Info().Str("machine", req.Hostinfo.Hostname).Msg("New machine")
+
 		machineKeyStr := MachinePublicKeyStripPrefix(machineKey)
 
 		// If the machine has AuthKey set, handle registration via PreAuthKeys
-		if registerRequest.Auth.AuthKey != "" {
+		if req.Auth.AuthKey != "" {
-			h.handleAuthKey(writer, req, machineKey, registerRequest)
+			h.handleAuthKey(ctx, machineKey, req)
 
 			return
 		}
 
-		// Check if the node is waiting for interactive login.
+		givenName, err := h.GenerateGivenName(req.Hostinfo.Hostname)
-		//
-		// TODO(juan): We could use this field to improve our protocol implementation,
-		// and hold the request until the client closes it, or the interactive
-		// login is completed (i.e., the user registers the machine).
-		// This is not implemented yet, as it is no strictly required. The only side-effect
-		// is that the client will hammer headscale with requests until it gets a
-		// successful RegisterResponse.
-		if registerRequest.Followup != "" {
-			if _, ok := h.registrationCache.Get(NodePublicKeyStripPrefix(registerRequest.NodeKey)); ok {
-				log.Debug().
-					Caller().
-					Str("machine", registerRequest.Hostinfo.Hostname).
-					Str("node_key", registerRequest.NodeKey.ShortString()).
-					Str("node_key_old", registerRequest.OldNodeKey.ShortString()).
-					Str("follow_up", registerRequest.Followup).
-					Msg("Machine is waiting for interactive login")
-
-				ticker := time.NewTicker(registrationHoldoff)
-				select {
-				case <-req.Context().Done():
-					return
-				case <-ticker.C:
-					h.handleMachineRegistrationNew(writer, req, machineKey, registerRequest)
-
-					return
-				}
-			}
-		}
-
-		log.Info().
-			Caller().
-			Str("machine", registerRequest.Hostinfo.Hostname).
-			Str("node_key", registerRequest.NodeKey.ShortString()).
-			Str("node_key_old", registerRequest.OldNodeKey.ShortString()).
-			Str("follow_up", registerRequest.Followup).
-			Msg("New machine not yet in the database")
-
-		givenName, err := h.GenerateGivenName(registerRequest.Hostinfo.Hostname)
 		if err != nil {
 			log.Error().
 				Caller().
 				Str("func", "RegistrationHandler").
-				Str("hostinfo.name", registerRequest.Hostinfo.Hostname).
+				Str("hostinfo.name", req.Hostinfo.Hostname).
 				Err(err)
 
 			return
@@ -276,29 +181,29 @@ func (h *Headscale) RegistrationHandler(
 		// happens
 		newMachine := Machine{
 			MachineKey: machineKeyStr,
-			Hostname:   registerRequest.Hostinfo.Hostname,
+			Hostname:   req.Hostinfo.Hostname,
 			GivenName:  givenName,
-			NodeKey:    NodePublicKeyStripPrefix(registerRequest.NodeKey),
+			NodeKey:    NodePublicKeyStripPrefix(req.NodeKey),
 			LastSeen:   &now,
 			Expiry:     &time.Time{},
 		}
 
-		if !registerRequest.Expiry.IsZero() {
+		if !req.Expiry.IsZero() {
 			log.Trace().
 				Caller().
-				Str("machine", registerRequest.Hostinfo.Hostname).
+				Str("machine", req.Hostinfo.Hostname).
-				Time("expiry", registerRequest.Expiry).
+				Time("expiry", req.Expiry).
 				Msg("Non-zero expiry time requested")
-			newMachine.Expiry = &registerRequest.Expiry
+			newMachine.Expiry = &req.Expiry
 		}
 
 		h.registrationCache.Set(
-			newMachine.NodeKey,
+			machineKeyStr,
 			newMachine,
 			registerCacheExpiration,
 		)
 
-		h.handleMachineRegistrationNew(writer, req, machineKey, registerRequest)
+		h.handleMachineRegistrationNew(ctx, machineKey, req)
 
 		return
 	}
@@ -310,12 +215,11 @@ func (h *Headscale) RegistrationHandler(
 		// - Trying to log out (sending a expiry in the past)
 		// - A valid, registered machine, looking for the node map
 		// - Expired machine wanting to reauthenticate
-		if machine.NodeKey == NodePublicKeyStripPrefix(registerRequest.NodeKey) {
+		if machine.NodeKey == NodePublicKeyStripPrefix(req.NodeKey) {
 			// The client sends an Expiry in the past if the client is requesting to expire the key (aka logout)
 			//   https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L648
-			if !registerRequest.Expiry.IsZero() &&
+			if !req.Expiry.IsZero() && req.Expiry.UTC().Before(now) {
-				registerRequest.Expiry.UTC().Before(now) {
+				h.handleMachineLogOut(ctx, machineKey, *machine)
-				h.handleMachineLogOut(writer, req, machineKey, *machine)
 
 				return
 			}
@@ -323,28 +227,22 @@ func (h *Headscale) RegistrationHandler(
 			// If machine is not expired, and is register, we have a already accepted this machine,
 			// let it proceed with a valid registration
 			if !machine.isExpired() {
-				h.handleMachineValidRegistration(writer, req, machineKey, *machine)
+				h.handleMachineValidRegistration(ctx, machineKey, *machine)
 
 				return
 			}
 		}
 
 		// The NodeKey we have matches OldNodeKey, which means this is a refresh after a key expiration
-		if machine.NodeKey == NodePublicKeyStripPrefix(registerRequest.OldNodeKey) &&
+		if machine.NodeKey == NodePublicKeyStripPrefix(req.OldNodeKey) &&
 			!machine.isExpired() {
-			h.handleMachineRefreshKey(
+			h.handleMachineRefreshKey(ctx, machineKey, req, *machine)
-				writer,
-				req,
-				machineKey,
-				registerRequest,
-				*machine,
-			)
 
 			return
 		}
 
 		// The machine has expired
-		h.handleMachineExpired(writer, req, machineKey, registerRequest, *machine)
+		h.handleMachineExpired(ctx, machineKey, req, *machine)
 
 		return
 	}
@@ -352,12 +250,12 @@ func (h *Headscale) RegistrationHandler(
 
 func (h *Headscale) getMapResponse(
 	machineKey key.MachinePublic,
-	mapRequest tailcfg.MapRequest,
+	req tailcfg.MapRequest,
 	machine *Machine,
 ) ([]byte, error) {
 	log.Trace().
 		Str("func", "getMapResponse").
-		Str("machine", mapRequest.Hostinfo.Hostname).
+		Str("machine", req.Hostinfo.Hostname).
 		Msg("Creating Map response")
 	node, err := machine.toNode(h.cfg.BaseDomain, h.cfg.DNSConfig, true)
 	if err != nil {
@@ -418,12 +316,12 @@ func (h *Headscale) getMapResponse(
 
 	log.Trace().
 		Str("func", "getMapResponse").
-		Str("machine", mapRequest.Hostinfo.Hostname).
+		Str("machine", req.Hostinfo.Hostname).
 		// Interface("payload", resp).
 		Msgf("Generated map response: %s", tailMapResponseToString(resp))
 
 	var respBody []byte
-	if mapRequest.Compress == "zstd" {
+	if req.Compress == "zstd" {
 		src, err := json.Marshal(resp)
 		if err != nil {
 			log.Error().
@@ -489,8 +387,7 @@ func (h *Headscale) getMapKeepAliveResponse(
 }
 
 func (h *Headscale) handleMachineLogOut(
-	writer http.ResponseWriter,
+	ctx *gin.Context,
-	req *http.Request,
 	machineKey key.MachinePublic,
 	machine Machine,
 ) {
@@ -500,17 +397,7 @@ func (h *Headscale) handleMachineLogOut(
 		Str("machine", machine.Hostname).
 		Msg("Client requested logout")
 
-	err := h.ExpireMachine(&machine)
+	h.ExpireMachine(&machine)
-	if err != nil {
-		log.Error().
-			Caller().
-			Str("func", "handleMachineLogOut").
-			Err(err).
-			Msg("Failed to expire machine")
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
-
-		return
-	}
 
 	resp.AuthURL = ""
 	resp.MachineAuthorized = false
@@ -521,25 +408,15 @@ func (h *Headscale) handleMachineLogOut(
 			Caller().
 			Err(err).
 			Msg("Cannot encode message")
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
+		ctx.String(http.StatusInternalServerError, "")
 
 		return
 	}
-
+	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
-	writer.WriteHeader(http.StatusOK)
-	_, err = writer.Write(respBody)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
 }
 
 func (h *Headscale) handleMachineValidRegistration(
-	writer http.ResponseWriter,
+	ctx *gin.Context,
-	req *http.Request,
 	machineKey key.MachinePublic,
 	machine Machine,
 ) {
@@ -563,27 +440,17 @@ func (h *Headscale) handleMachineValidRegistration(
 			Msg("Cannot encode message")
 		machineRegistrations.WithLabelValues("update", "web", "error", machine.Namespace.Name).
 			Inc()
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
+		ctx.String(http.StatusInternalServerError, "")
 
 		return
 	}
 	machineRegistrations.WithLabelValues("update", "web", "success", machine.Namespace.Name).
 		Inc()
-
+	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
-	writer.WriteHeader(http.StatusOK)
-	_, err = writer.Write(respBody)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
 }
 
 func (h *Headscale) handleMachineExpired(
-	writer http.ResponseWriter,
+	ctx *gin.Context,
-	req *http.Request,
 	machineKey key.MachinePublic,
 	registerRequest tailcfg.RegisterRequest,
 	machine Machine,
@@ -596,7 +463,7 @@ func (h *Headscale) handleMachineExpired(
 		Msg("Machine registration has expired. Sending a authurl to register")
 
 	if registerRequest.Auth.AuthKey != "" {
-		h.handleAuthKey(writer, req, machineKey, registerRequest)
+		h.handleAuthKey(ctx, machineKey, registerRequest)
 
 		return
 	}
@@ -617,27 +484,17 @@ func (h *Headscale) handleMachineExpired(
 			Msg("Cannot encode message")
 		machineRegistrations.WithLabelValues("reauth", "web", "error", machine.Namespace.Name).
 			Inc()
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
+		ctx.String(http.StatusInternalServerError, "")
 
 		return
 	}
 	machineRegistrations.WithLabelValues("reauth", "web", "success", machine.Namespace.Name).
 		Inc()
-
+	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
-	writer.WriteHeader(http.StatusOK)
-	_, err = writer.Write(respBody)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
 }
 
 func (h *Headscale) handleMachineRefreshKey(
-	writer http.ResponseWriter,
+	ctx *gin.Context,
-	req *http.Request,
 	machineKey key.MachinePublic,
 	registerRequest tailcfg.RegisterRequest,
 	machine Machine,
@@ -654,7 +511,7 @@ func (h *Headscale) handleMachineRefreshKey(
 			Caller().
 			Err(err).
 			Msg("Failed to update machine key in the database")
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
+		ctx.String(http.StatusInternalServerError, "Internal server error")
 
 		return
 	}
@@ -667,25 +524,15 @@ func (h *Headscale) handleMachineRefreshKey(
 			Caller().
 			Err(err).
 			Msg("Cannot encode message")
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
+		ctx.String(http.StatusInternalServerError, "Internal server error")
 
 		return
 	}
-
+	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
-	writer.WriteHeader(http.StatusOK)
-	_, err = writer.Write(respBody)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
 }
 
 func (h *Headscale) handleMachineRegistrationNew(
-	writer http.ResponseWriter,
+	ctx *gin.Context,
-	req *http.Request,
 	machineKey key.MachinePublic,
 	registerRequest tailcfg.RegisterRequest,
 ) {
@@ -694,15 +541,15 @@ func (h *Headscale) handleMachineRegistrationNew(
 	// The machine registration is new, redirect the client to the registration URL
 	log.Debug().
 		Str("machine", registerRequest.Hostinfo.Hostname).
-		Msg("The node seems to be new, sending auth url")
+		Msg("The node is sending us a new NodeKey, sending auth url")
 	if h.cfg.OIDC.Issuer != "" {
 		resp.AuthURL = fmt.Sprintf(
 			"%s/oidc/register/%s",
 			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			machineKey.String(),
+			NodePublicKeyStripPrefix(registerRequest.NodeKey),
 		)
 	} else {
-		resp.AuthURL = fmt.Sprintf("%s/register/%s",
+		resp.AuthURL = fmt.Sprintf("%s/register?key=%s",
 			strings.TrimSuffix(h.cfg.ServerURL, "/"), NodePublicKeyStripPrefix(registerRequest.NodeKey))
 	}
 
@@ -712,26 +559,16 @@ func (h *Headscale) handleMachineRegistrationNew(
 			Caller().
 			Err(err).
 			Msg("Cannot encode message")
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
+		ctx.String(http.StatusInternalServerError, "")
 
 		return
 	}
-
+	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
-	writer.WriteHeader(http.StatusOK)
-	_, err = writer.Write(respBody)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
 }
 
 // TODO: check if any locks are needed around IP allocation.
 func (h *Headscale) handleAuthKey(
-	writer http.ResponseWriter,
+	ctx *gin.Context,
-	req *http.Request,
 	machineKey key.MachinePublic,
 	registerRequest tailcfg.RegisterRequest,
 ) {
@@ -760,23 +597,14 @@ func (h *Headscale) handleAuthKey(
 				Str("machine", registerRequest.Hostinfo.Hostname).
 				Err(err).
 				Msg("Cannot encode message")
-			http.Error(writer, "Internal server error", http.StatusInternalServerError)
+			ctx.String(http.StatusInternalServerError, "")
 			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
 				Inc()
 
 			return
 		}
 
-		writer.Header().Set("Content-Type", "application/json; charset=utf-8")
+		ctx.Data(http.StatusUnauthorized, "application/json; charset=utf-8", respBody)
-		writer.WriteHeader(http.StatusUnauthorized)
-		_, err = writer.Write(respBody)
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
-
 		log.Error().
 			Caller().
 			Str("func", "handleAuthKey").
@@ -813,16 +641,7 @@ func (h *Headscale) handleAuthKey(
 
 		machine.NodeKey = nodeKey
 		machine.AuthKeyID = uint(pak.ID)
-		err := h.RefreshMachine(machine, registerRequest.Expiry)
+		h.RefreshMachine(machine, registerRequest.Expiry)
-		if err != nil {
-			log.Error().
-				Caller().
-				Str("machine", machine.Hostname).
-				Err(err).
-				Msg("Failed to refresh machine")
-
-			return
-		}
 	} else {
 		now := time.Now().UTC()
 
@@ -859,24 +678,16 @@ func (h *Headscale) handleAuthKey(
 				Msg("could not register machine")
 			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
 				Inc()
-			http.Error(writer, "Internal server error", http.StatusInternalServerError)
+			ctx.String(
+				http.StatusInternalServerError,
+				"could not register machine",
+			)
 
 			return
 		}
 	}
 
-	err = h.UsePreAuthKey(pak)
+	h.UsePreAuthKey(pak)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to use pre-auth key")
-		machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
-			Inc()
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
-
-		return
-	}
 
 	resp.MachineAuthorized = true
 	resp.User = *pak.Namespace.toUser()
@@ -890,22 +701,13 @@ func (h *Headscale) handleAuthKey(
 			Msg("Cannot encode message")
 		machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
 			Inc()
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
+		ctx.String(http.StatusInternalServerError, "Extremely sad!")
 
 		return
 	}
 	machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "success", pak.Namespace.Name).
 		Inc()
-	writer.Header().Set("Content-Type", "application/json; charset=utf-8")
+	ctx.Data(http.StatusOK, "application/json; charset=utf-8", respBody)
-	writer.WriteHeader(http.StatusOK)
-	_, err = writer.Write(respBody)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
-
 	log.Info().
 		Str("func", "handleAuthKey").
 		Str("machine", registerRequest.Hostinfo.Hostname).

api_key.go

@@ -14,7 +14,7 @@ const (
 	apiPrefixLength = 7
 	apiKeyLength    = 32
 
-	ErrAPIKeyFailedToParse = Error("Failed to parse ApiKey")
+	errAPIKeyFailedToParse = Error("Failed to parse ApiKey")
 )
 
 // APIKey describes the datamodel for API keys used to remotely authenticate with
@@ -116,7 +116,7 @@ func (h *Headscale) ExpireAPIKey(key *APIKey) error {
 func (h *Headscale) ValidateAPIKey(keyStr string) (bool, error) {
 	prefix, hash, found := strings.Cut(keyStr, ".")
 	if !found {
-		return false, ErrAPIKeyFailedToParse
+		return false, errAPIKeyFailedToParse
 	}
 
 	key, err := h.GetAPIKey(prefix)

app.go

@@ -17,16 +17,16 @@ import (
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/gorilla/mux"
+	"github.com/gin-gonic/gin"
 	grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/patrickmn/go-cache"
 	zerolog "github.com/philip-bui/grpc-zerolog"
-	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/puzpuzpuz/xsync"
 	zl "github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
+	ginprometheus "github.com/zsais/go-gin-prometheus"
 	"golang.org/x/crypto/acme"
 	"golang.org/x/crypto/acme/autocert"
 	"golang.org/x/oauth2"
@@ -54,13 +54,12 @@ const (
 )
 
 const (
-	AuthPrefix          = "Bearer "
+	AuthPrefix         = "Bearer "
-	Postgres            = "postgres"
+	Postgres           = "postgres"
-	Sqlite              = "sqlite3"
+	Sqlite             = "sqlite3"
-	updateInterval      = 5000
+	updateInterval     = 5000
-	HTTPReadTimeout     = 30 * time.Second
+	HTTPReadTimeout    = 30 * time.Second
-	HTTPShutdownTimeout = 3 * time.Second
+	privateKeyFileMode = 0o600
-	privateKeyFileMode  = 0o600
 
 	registerCacheExpiration = time.Minute * 15
 	registerCacheCleanup    = time.Minute * 20
@@ -72,12 +71,15 @@ const (
 
 // Headscale represents the base app of the service.
 type Headscale struct {
-	cfg        *Config
+	cfg             *Config
-	db         *gorm.DB
+	db              *gorm.DB
-	dbString   string
+	dbString        string
-	dbType     string
+	dbType          string
-	dbDebug    bool
+	dbDebug         bool
-	privateKey *key.MachinePrivate
+	privateKey      *key.MachinePrivate
+	noisePrivateKey *key.MachinePrivate
+
+	noiseMux *http.ServeMux
 
 	DERPMap    *tailcfg.DERPMap
 	DERPServer *DERPServer
@@ -93,9 +95,6 @@ type Headscale struct {
 	registrationCache *cache.Cache
 
 	ipAllocationMutex sync.Mutex
-
-	shutdownChan       chan struct{}
-	pollNetMapStreamWG sync.WaitGroup
 }
 
 // Look up the TLS constant relative to user-supplied TLS client
@@ -120,11 +119,20 @@ func LookupTLSClientAuthMode(mode string) (tls.ClientAuthType, bool) {
 }
 
 func NewHeadscale(cfg *Config) (*Headscale, error) {
-	privKey, err := readOrCreatePrivateKey(cfg.PrivateKeyPath)
+	privateKey, err := readOrCreatePrivateKey(cfg.PrivateKeyPath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read or create private key: %w", err)
 	}
 
+	noisePrivateKey, err := readOrCreatePrivateKey(cfg.NoisePrivateKeyPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read or create noise private key: %w", err)
+	}
+
+	if privateKey.Equal(*noisePrivateKey) {
+		return nil, fmt.Errorf("private key and noise private key are the same")
+	}
+
 	var dbString string
 	switch cfg.DBtype {
 	case Postgres:
@@ -148,13 +156,13 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 	)
 
 	app := Headscale{
-		cfg:                cfg,
+		cfg:               cfg,
-		dbType:             cfg.DBtype,
+		dbType:            cfg.DBtype,
-		dbString:           dbString,
+		dbString:          dbString,
-		privateKey:         privKey,
+		privateKey:        privateKey,
-		aclRules:           tailcfg.FilterAllowAll, // default allowall
+		noisePrivateKey:   noisePrivateKey,
-		registrationCache:  registrationCache,
+		aclRules:          tailcfg.FilterAllowAll, // default allowall
-		pollNetMapStreamWG: sync.WaitGroup{},
+		registrationCache: registrationCache,
 	}
 
 	err = app.initDB()
@@ -331,74 +339,48 @@ func (h *Headscale) grpcAuthenticationInterceptor(ctx context.Context,
 	return handler(ctx, req)
 }
 
-func (h *Headscale) httpAuthenticationMiddleware(next http.Handler) http.Handler {
+func (h *Headscale) httpAuthenticationMiddleware(ctx *gin.Context) {
-	return http.HandlerFunc(func(
+	log.Trace().
-		writer http.ResponseWriter,
+		Caller().
-		req *http.Request,
+		Str("client_address", ctx.ClientIP()).
-	) {
+		Msg("HTTP authentication invoked")
-		log.Trace().
+
+	authHeader := ctx.GetHeader("authorization")
+
+	if !strings.HasPrefix(authHeader, AuthPrefix) {
+		log.Error().
 			Caller().
-			Str("client_address", req.RemoteAddr).
+			Str("client_address", ctx.ClientIP()).
-			Msg("HTTP authentication invoked")
+			Msg(`missing "Bearer " prefix in "Authorization" header`)
+		ctx.AbortWithStatus(http.StatusUnauthorized)
 
-		authHeader := req.Header.Get("authorization")
+		return
+	}
 
-		if !strings.HasPrefix(authHeader, AuthPrefix) {
+	valid, err := h.ValidateAPIKey(strings.TrimPrefix(authHeader, AuthPrefix))
-			log.Error().
+	if err != nil {
-				Caller().
+		log.Error().
-				Str("client_address", req.RemoteAddr).
+			Caller().
-				Msg(`missing "Bearer " prefix in "Authorization" header`)
+			Err(err).
-			writer.WriteHeader(http.StatusUnauthorized)
+			Str("client_address", ctx.ClientIP()).
-			_, err := writer.Write([]byte("Unauthorized"))
+			Msg("failed to validate token")
-			if err != nil {
-				log.Error().
-					Caller().
-					Err(err).
-					Msg("Failed to write response")
-			}
 
-			return
+		ctx.AbortWithStatus(http.StatusInternalServerError)
-		}
 
-		valid, err := h.ValidateAPIKey(strings.TrimPrefix(authHeader, AuthPrefix))
+		return
-		if err != nil {
+	}
-			log.Error().
-				Caller().
-				Err(err).
-				Str("client_address", req.RemoteAddr).
-				Msg("failed to validate token")
 
-			writer.WriteHeader(http.StatusInternalServerError)
+	if !valid {
-			_, err := writer.Write([]byte("Unauthorized"))
+		log.Info().
-			if err != nil {
+			Str("client_address", ctx.ClientIP()).
-				log.Error().
+			Msg("invalid token")
-					Caller().
-					Err(err).
-					Msg("Failed to write response")
-			}
 
-			return
+		ctx.AbortWithStatus(http.StatusUnauthorized)
-		}
 
-		if !valid {
+		return
-			log.Info().
+	}
-				Str("client_address", req.RemoteAddr).
-				Msg("invalid token")
 
-			writer.WriteHeader(http.StatusUnauthorized)
+	ctx.Next()
-			_, err := writer.Write([]byte("Unauthorized"))
-			if err != nil {
-				log.Error().
-					Caller().
-					Err(err).
-					Msg("Failed to write response")
-			}
-
-			return
-		}
-
-		next.ServeHTTP(writer, req)
-	})
 }
 
 // ensureUnixSocketIsAbsent will check if the given path for headscales unix socket is clear
@@ -412,38 +394,62 @@ func (h *Headscale) ensureUnixSocketIsAbsent() error {
 	return os.Remove(h.cfg.UnixSocket)
 }
 
-func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *mux.Router {
+func (h *Headscale) createPrometheusRouter() *gin.Engine {
-	router := mux.NewRouter()
+	promRouter := gin.Default()
 
-	router.HandleFunc("/health", h.HealthHandler).Methods(http.MethodGet)
+	prometheus := ginprometheus.NewPrometheus("gin")
-	router.HandleFunc("/key", h.KeyHandler).Methods(http.MethodGet)
+	prometheus.Use(promRouter)
-	router.HandleFunc("/register/{nkey}", h.RegisterWebAPI).Methods(http.MethodGet)
+
-	router.HandleFunc("/machine/{mkey}/map", h.PollNetMapHandler).Methods(http.MethodPost)
+	return promRouter
-	router.HandleFunc("/machine/{mkey}", h.RegistrationHandler).Methods(http.MethodPost)
+}
-	router.HandleFunc("/oidc/register/{nkey}", h.RegisterOIDC).Methods(http.MethodGet)
+
-	router.HandleFunc("/oidc/callback", h.OIDCCallback).Methods(http.MethodGet)
+func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *gin.Engine {
-	router.HandleFunc("/apple", h.AppleConfigMessage).Methods(http.MethodGet)
+	router := gin.Default()
-	router.HandleFunc("/apple/{platform}", h.ApplePlatformConfig).Methods(http.MethodGet)
+
-	router.HandleFunc("/windows", h.WindowsConfigMessage).Methods(http.MethodGet)
+	router.POST(ts2021UpgradePath, h.NoiseUpgradeHandler)
-	router.HandleFunc("/windows/tailscale.reg", h.WindowsRegConfig).Methods(http.MethodGet)
+	router.GET(
-	router.HandleFunc("/swagger", SwaggerUI).Methods(http.MethodGet)
+		"/health",
-	router.HandleFunc("/swagger/v1/openapiv2.json", SwaggerAPIv1).Methods(http.MethodGet)
+		func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"healthy": "ok"}) },
+	)
+	router.GET("/key", h.KeyHandler)
+	router.GET("/register", h.RegisterWebAPI)
+	router.POST("/machine/:id/map", h.PollNetMapHandler)
+	router.POST("/machine/:id", h.RegistrationHandler)
+	router.GET("/oidc/register/:nkey", h.RegisterOIDC)
+	router.GET("/oidc/callback", h.OIDCCallback)
+	router.GET("/apple", h.AppleConfigMessage)
+	router.GET("/apple/:platform", h.ApplePlatformConfig)
+	router.GET("/windows", h.WindowsConfigMessage)
+	router.GET("/windows/tailscale.reg", h.WindowsRegConfig)
+	router.GET("/swagger", SwaggerUI)
+	router.GET("/swagger/v1/openapiv2.json", SwaggerAPIv1)
 
 	if h.cfg.DERP.ServerEnabled {
-		router.HandleFunc("/derp", h.DERPHandler)
+		router.Any("/derp", h.DERPHandler)
-		router.HandleFunc("/derp/probe", h.DERPProbeHandler)
+		router.Any("/derp/probe", h.DERPProbeHandler)
-		router.HandleFunc("/bootstrap-dns", h.DERPBootstrapDNSHandler)
+		router.Any("/bootstrap-dns", h.DERPBootstrapDNSHandler)
 	}
 
-	apiRouter := router.PathPrefix("/api").Subrouter()
+	api := router.Group("/api")
-	apiRouter.Use(h.httpAuthenticationMiddleware)
+	api.Use(h.httpAuthenticationMiddleware)
-	apiRouter.PathPrefix("/v1/").HandlerFunc(grpcMux.ServeHTTP)
+	{
+		api.Any("/v1/*any", gin.WrapF(grpcMux.ServeHTTP))
+	}
 
-	router.PathPrefix("/").HandlerFunc(stdoutHandler)
+	router.NoRoute(stdoutHandler)
 
 	return router
 }
 
+func (h *Headscale) createNoiseMux() *http.ServeMux {
+	mux := http.NewServeMux()
+
+	mux.HandleFunc("/machine/register", h.NoiseRegistrationHandler)
+	mux.HandleFunc("/machine/map", h.NoisePollNetMapHandler)
+
+	return mux
+}
+
 // Serve launches a GIN server with the Headscale API.
 func (h *Headscale) Serve() error {
 	var err error
@@ -555,8 +561,6 @@ func (h *Headscale) Serve() error {
 	// https://github.com/soheilhy/cmux/issues/68
 	// https://github.com/soheilhy/cmux/issues/91
 
-	var grpcServer *grpc.Server
-	var grpcListener net.Listener
 	if tlsConfig != nil || h.cfg.GRPCAllowInsecure {
 		log.Info().Msgf("Enabling remote gRPC at %s", h.cfg.GRPCAddr)
 
@@ -577,12 +581,12 @@ func (h *Headscale) Serve() error {
 			log.Warn().Msg("gRPC is running without security")
 		}
 
-		grpcServer = grpc.NewServer(grpcOptions...)
+		grpcServer := grpc.NewServer(grpcOptions...)
 
 		v1.RegisterHeadscaleServiceServer(grpcServer, newHeadscaleV1APIServer(h))
 		reflection.Register(grpcServer)
 
-		grpcListener, err = net.Listen("tcp", h.cfg.GRPCAddr)
+		grpcListener, err := net.Listen("tcp", h.cfg.GRPCAddr)
 		if err != nil {
 			return fmt.Errorf("failed to bind to TCP address: %w", err)
 		}
@@ -598,8 +602,14 @@ func (h *Headscale) Serve() error {
 	// HTTP setup
 	//
 
+	// This is the regular router that we expose
+	// over our main Addr. It also serves the legacy Tailcale API
 	router := h.createRouter(grpcGatewayMux)
 
+	// This router is served only over the Noise connection,
+	// and exposes only the new API
+	h.noiseMux = h.createNoiseMux()
+
 	httpServer := &http.Server{
 		Addr:        h.cfg.Addr,
 		Handler:     router,
@@ -627,12 +637,11 @@ func (h *Headscale) Serve() error {
 	log.Info().
 		Msgf("listening and serving HTTP on: %s", h.cfg.Addr)
 
-	promMux := http.NewServeMux()
+	promRouter := h.createPrometheusRouter()
-	promMux.Handle("/metrics", promhttp.Handler())
 
 	promHTTPServer := &http.Server{
 		Addr:         h.cfg.MetricsAddr,
-		Handler:      promMux,
+		Handler:      promRouter,
 		ReadTimeout:  HTTPReadTimeout,
 		WriteTimeout: 0,
 	}
@@ -650,7 +659,6 @@ func (h *Headscale) Serve() error {
 		Msgf("listening and serving metrics on: %s", h.cfg.MetricsAddr)
 
 	// Handle common process-killing signals so we can gracefully shut down:
-	h.shutdownChan = make(chan struct{})
 	sigc := make(chan os.Signal, 1)
 	signal.Notify(sigc,
 		syscall.SIGHUP,
@@ -658,7 +666,7 @@ func (h *Headscale) Serve() error {
 		syscall.SIGTERM,
 		syscall.SIGQUIT,
 		syscall.SIGHUP)
-	sigFunc := func(c chan os.Signal) {
+	go func(c chan os.Signal) {
 		// Wait for a SIGINT or SIGKILL:
 		for {
 			sig := <-c
@@ -668,7 +676,7 @@ func (h *Headscale) Serve() error {
 					Str("signal", sig.String()).
 					Msg("Received SIGHUP, reloading ACL and Config")
 
-				// TODO(kradalby): Reload config on SIGHUP
+					// TODO(kradalby): Reload config on SIGHUP
 
 				if h.cfg.ACL.PolicyPath != "" {
 					aclPath := AbsolutePathFromConfigPath(h.cfg.ACL.PolicyPath)
@@ -688,27 +696,11 @@ func (h *Headscale) Serve() error {
 					Str("signal", sig.String()).
 					Msg("Received signal to stop, shutting down gracefully")
 
-				close(h.shutdownChan)
-				h.pollNetMapStreamWG.Wait()
-
 				// Gracefully shut down servers
-				ctx, cancel := context.WithTimeout(
+				promHTTPServer.Shutdown(ctx)
-					context.Background(),
+				httpServer.Shutdown(ctx)
-					HTTPShutdownTimeout,
-				)
-				if err := promHTTPServer.Shutdown(ctx); err != nil {
-					log.Error().Err(err).Msg("Failed to shutdown prometheus http")
-				}
-				if err := httpServer.Shutdown(ctx); err != nil {
-					log.Error().Err(err).Msg("Failed to shutdown http")
-				}
 				grpcSocket.GracefulStop()
 
-				if grpcServer != nil {
-					grpcServer.GracefulStop()
-					grpcListener.Close()
-				}
-
 				// Close network listeners
 				promHTTPListener.Close()
 				httpListener.Close()
@@ -717,30 +709,11 @@ func (h *Headscale) Serve() error {
 				// Stop listening (and unlink the socket if unix type):
 				socketListener.Close()
 
-				// Close db connections
-				db, err := h.db.DB()
-				if err != nil {
-					log.Error().Err(err).Msg("Failed to get db handle")
-				}
-				err = db.Close()
-				if err != nil {
-					log.Error().Err(err).Msg("Failed to close db")
-				}
-
-				log.Info().
-					Msg("Headscale stopped")
-
 				// And we're done:
-				cancel()
 				os.Exit(0)
 			}
 		}
-	}
+	}(sigc)
-	errorGroup.Go(func() error {
-		sigFunc(sigc)
-
-		return nil
-	})
 
 	return errorGroup.Wait()
 }
@@ -764,16 +737,20 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 		}
 
 		switch h.cfg.TLS.LetsEncrypt.ChallengeType {
-		case tlsALPN01ChallengeType:
+		case "TLS-ALPN-01":
 			// Configuration via autocert with TLS-ALPN-01 (https://tools.ietf.org/html/rfc8737)
 			// The RFC requires that the validation is done on port 443; in other words, headscale
 			// must be reachable on port 443.
 			return certManager.TLSConfig(), nil
 
-		case http01ChallengeType:
+		case "HTTP-01":
 			// Configuration via autocert with HTTP-01. This requires listening on
 			// port 80 for the certificate validation in addition to the headscale
 			// service, which can be configured to run on any other port.
+			httpRouter := gin.Default()
+			httpRouter.POST(ts2021UpgradePath, h.NoiseUpgradeHandler)
+			httpRouter.NoRoute(gin.WrapF(h.redirect))
+
 			go func() {
 				log.Fatal().
 					Caller().
@@ -822,10 +799,7 @@ func (h *Headscale) setLastStateChangeToNow(namespaces ...string) {
 	if len(namespaces) == 0 {
 		namespaces, err = h.ListNamespacesStr()
 		if err != nil {
-			log.Error().
+			log.Error().Caller().Err(err).Msg("failed to fetch all namespaces, failing to update last changed state.")
-				Caller().
-				Err(err).
-				Msg("failed to fetch all namespaces, failing to update last changed state.")
 		}
 	}
 
@@ -870,16 +844,13 @@ func (h *Headscale) getLastStateChange(namespaces ...string) time.Time {
 	}
 }
 
-func stdoutHandler(
+func stdoutHandler(ctx *gin.Context) {
-	writer http.ResponseWriter,
+	body, _ := io.ReadAll(ctx.Request.Body)
-	req *http.Request,
-) {
-	body, _ := io.ReadAll(req.Body)
 
 	log.Trace().
-		Interface("header", req.Header).
+		Interface("header", ctx.Request.Header).
-		Interface("proto", req.Proto).
+		Interface("proto", ctx.Request.Proto).
-		Interface("url", req.URL).
+		Interface("url", ctx.Request.URL).
 		Bytes("body", body).
 		Msg("Request did not match")
 }

app_test.go

@@ -1,6 +1,7 @@
 package headscale
 
 import (
+	"io/ioutil"
 	"os"
 	"testing"
 
@@ -34,7 +35,7 @@ func (s *Suite) ResetDB(c *check.C) {
 		os.RemoveAll(tmpDir)
 	}
 	var err error
-	tmpDir, err = os.MkdirTemp("", "autoygg-client-test")
+	tmpDir, err = ioutil.TempDir("", "autoygg-client-test")
 	if err != nil {
 		c.Fatal(err)
 	}

cmd/headscale/cli/api_key.go

@@ -134,9 +134,7 @@ If you loose a key, create a new one and revoke (expire) the old one.`,
 
 		expiration := time.Now().UTC().Add(time.Duration(duration))
 
-		log.Trace().
+		log.Trace().Dur("expiration", time.Duration(duration)).Msg("expiration has been set")
-			Dur("expiration", time.Duration(duration)).
-			Msg("expiration has been set")
 
 		request.Expiration = timestamppb.New(expiration)
 

cmd/headscale/cli/nodes.go

@@ -108,7 +108,7 @@ var registerNodeCmd = &cobra.Command{
 		if err != nil {
 			ErrorOutput(
 				err,
-				fmt.Sprintf("Error getting node key from flag: %s", err),
+				fmt.Sprintf("Error getting machine key from flag: %s", err),
 				output,
 			)
 
@@ -465,7 +465,6 @@ func nodesToPtables(
 ) (pterm.TableData, error) {
 	tableHeader := []string{
 		"ID",
-		"Hostname",
 		"Name",
 		"NodeKey",
 		"Namespace",
@@ -567,7 +566,6 @@ func nodesToPtables(
 		nodeData := []string{
 			strconv.FormatUint(machine.Id, headscale.Base10),
 			machine.Name,
-			machine.GetGivenName(),
 			nodeKey.ShortString(),
 			namespace,
 			strings.Join([]string{IPV4Address, IPV6Address}, ", "),

cmd/headscale/cli/preauthkeys.go

@@ -164,9 +164,7 @@ var createPreAuthKeyCmd = &cobra.Command{
 
 		expiration := time.Now().UTC().Add(time.Duration(duration))
 
-		log.Trace().
+		log.Trace().Dur("expiration", time.Duration(duration)).Msg("expiration has been set")
-			Dur("expiration", time.Duration(duration)).
-			Msg("expiration has been set")
 
 		request.Expiration = timestamppb.New(expiration)
 

cmd/headscale/cli/utils.go

@@ -7,10 +7,12 @@ import (
 	"fmt"
 	"os"
 	"reflect"
+	"time"
 
 	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/rs/zerolog/log"
+	"github.com/spf13/viper"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
@@ -24,10 +26,22 @@ const (
 func getHeadscaleApp() (*headscale.Headscale, error) {
 	cfg, err := headscale.GetHeadscaleConfig()
 	if err != nil {
-		return nil, fmt.Errorf(
+		return nil, fmt.Errorf("failed to load configuration while creating headscale instance: %w", err)
-			"failed to load configuration while creating headscale instance: %w",
+	}
-			err,
+
+	// Minimum inactivity time out is keepalive timeout (60s) plus a few seconds
+	// to avoid races
+	minInactivityTimeout, _ := time.ParseDuration("65s")
+	if viper.GetDuration("ephemeral_node_inactivity_timeout") <= minInactivityTimeout {
+		// TODO: Find a better way to return this text
+		//nolint
+		err := fmt.Errorf(
+			"ephemeral_node_inactivity_timeout (%s) is set too low, must be more than %s",
+			viper.GetString("ephemeral_node_inactivity_timeout"),
+			minInactivityTimeout,
 		)
+
+		return nil, err
 	}
 
 	app, err := headscale.NewHeadscale(cfg)
@@ -58,7 +72,6 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 			Err(err).
 			Caller().
 			Msgf("Failed to load configuration")
-		os.Exit(-1) // we get here if logging is suppressed (i.e., json output)
 	}
 
 	log.Debug().
@@ -120,7 +133,6 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 	conn, err := grpc.DialContext(ctx, address, grpcOptions...)
 	if err != nil {
 		log.Fatal().Caller().Err(err).Msgf("Could not connect: %v", err)
-		os.Exit(-1) // we get here if logging is suppressed (i.e., json output)
 	}
 
 	client := v1.NewHeadscaleServiceClient(conn)

cmd/headscale/headscale_test.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"io/fs"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strings"
@@ -27,7 +28,7 @@ func (s *Suite) TearDownSuite(c *check.C) {
 }
 
 func (*Suite) TestConfigFileLoading(c *check.C) {
-	tmpDir, err := os.MkdirTemp("", "headscale")
+	tmpDir, err := ioutil.TempDir("", "headscale")
 	if err != nil {
 		c.Fatal(err)
 	}
@@ -72,7 +73,7 @@ func (*Suite) TestConfigFileLoading(c *check.C) {
 }
 
 func (*Suite) TestConfigLoading(c *check.C) {
-	tmpDir, err := os.MkdirTemp("", "headscale")
+	tmpDir, err := ioutil.TempDir("", "headscale")
 	if err != nil {
 		c.Fatal(err)
 	}
@@ -116,7 +117,7 @@ func (*Suite) TestConfigLoading(c *check.C) {
 }
 
 func (*Suite) TestDNSConfigLoading(c *check.C) {
-	tmpDir, err := os.MkdirTemp("", "headscale")
+	tmpDir, err := ioutil.TempDir("", "headscale")
 	if err != nil {
 		c.Fatal(err)
 	}
@@ -151,14 +152,14 @@ func (*Suite) TestDNSConfigLoading(c *check.C) {
 func writeConfig(c *check.C, tmpDir string, configYaml []byte) {
 	// Populate a custom config file
 	configFile := filepath.Join(tmpDir, "config.yaml")
-	err := os.WriteFile(configFile, configYaml, 0o600)
+	err := ioutil.WriteFile(configFile, configYaml, 0o600)
 	if err != nil {
 		c.Fatalf("Couldn't write file %s", configFile)
 	}
 }
 
 func (*Suite) TestTLSConfigValidation(c *check.C) {
-	tmpDir, err := os.MkdirTemp("", "headscale")
+	tmpDir, err := ioutil.TempDir("", "headscale")
 	if err != nil {
 		c.Fatal(err)
 	}

config-example.yaml

@@ -41,6 +41,13 @@ grpc_allow_insecure: false
 # autogenerated if it's missing
 private_key_path: /var/lib/headscale/private.key
 
+# The Noise private key is used to encrypt the
+# traffic between headscale and Tailscale clients when
+# using the new Noise-based TS2021 protocol.
+# The noise private key file which will be
+# autogenerated if it's missing
+noise_private_key_path: /var/lib/headscale/noise_private.key
+
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
 # and the associated prefix length, delimited by a slash.
@@ -103,12 +110,6 @@ disable_check_updates: false
 # Time before an inactive ephemeral node is deleted?
 ephemeral_node_inactivity_timeout: 30m
 
-# Period to check for node updates in the tailnet. A value too low will severily affect
-# CPU consumption of Headscale. A value too high (over 60s) will cause problems
-# to the nodes, as they won't get updates or keep alive messages in time.
-# In case of doubts, do not touch the default 10s.
-node_update_check_interval: 10s
-
 # SQLite config
 db_type: sqlite3
 db_path: /var/lib/headscale/db.sqlite

config.go

@@ -18,11 +18,6 @@ import (
 	"tailscale.com/types/dnstype"
 )
 
-const (
-	tlsALPN01ChallengeType = "TLS-ALPN-01"
-	http01ChallengeType    = "HTTP-01"
-)
-
 // Config contains the initial Headscale configuration.
 type Config struct {
 	ServerURL                      string
@@ -31,9 +26,9 @@ type Config struct {
 	GRPCAddr                       string
 	GRPCAllowInsecure              bool
 	EphemeralNodeInactivityTimeout time.Duration
-	NodeUpdateCheckInterval        time.Duration
 	IPPrefixes                     []netaddr.IPPrefix
 	PrivateKeyPath                 string
+	NoisePrivateKeyPath            string
 	BaseDomain                     string
 	LogLevel                       zerolog.Level
 	DisableUpdateCheck             bool
@@ -141,7 +136,7 @@ func LoadConfig(path string, isFile bool) error {
 	viper.AutomaticEnv()
 
 	viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
-	viper.SetDefault("tls_letsencrypt_challenge_type", http01ChallengeType)
+	viper.SetDefault("tls_letsencrypt_challenge_type", "HTTP-01")
 	viper.SetDefault("tls_client_auth_mode", "relaxed")
 
 	viper.SetDefault("log_level", "info")
@@ -166,13 +161,7 @@ func LoadConfig(path string, isFile bool) error {
 	viper.SetDefault("logtail.enabled", false)
 	viper.SetDefault("randomize_client_port", false)
 
-	viper.SetDefault("ephemeral_node_inactivity_timeout", "120s")
-
-	viper.SetDefault("node_update_check_interval", "10s")
-
 	if err := viper.ReadInConfig(); err != nil {
-		log.Warn().Err(err).Msg("Failed to read configuration from disk")
-
 		return fmt.Errorf("fatal error reading config file: %w", err)
 	}
 
@@ -184,15 +173,15 @@ func LoadConfig(path string, isFile bool) error {
 	}
 
 	if (viper.GetString("tls_letsencrypt_hostname") != "") &&
-		(viper.GetString("tls_letsencrypt_challenge_type") == tlsALPN01ChallengeType) &&
+		(viper.GetString("tls_letsencrypt_challenge_type") == "TLS-ALPN-01") &&
 		(!strings.HasSuffix(viper.GetString("listen_addr"), ":443")) {
 		// this is only a warning because there could be something sitting in front of headscale that redirects the traffic (e.g. an iptables rule)
 		log.Warn().
 			Msg("Warning: when using tls_letsencrypt_hostname with TLS-ALPN-01 as challenge type, headscale must be reachable on port 443, i.e. listen_addr should probably end in :443")
 	}
 
-	if (viper.GetString("tls_letsencrypt_challenge_type") != http01ChallengeType) &&
+	if (viper.GetString("tls_letsencrypt_challenge_type") != "HTTP-01") &&
-		(viper.GetString("tls_letsencrypt_challenge_type") != tlsALPN01ChallengeType) {
+		(viper.GetString("tls_letsencrypt_challenge_type") != "TLS-ALPN-01") {
 		errorText += "Fatal config error: the only supported values for tls_letsencrypt_challenge_type are HTTP-01 and TLS-ALPN-01\n"
 	}
 
@@ -214,26 +203,6 @@ func LoadConfig(path string, isFile bool) error {
 			EnforcedClientAuth)
 	}
 
-	// Minimum inactivity time out is keepalive timeout (60s) plus a few seconds
-	// to avoid races
-	minInactivityTimeout, _ := time.ParseDuration("65s")
-	if viper.GetDuration("ephemeral_node_inactivity_timeout") <= minInactivityTimeout {
-		errorText += fmt.Sprintf(
-			"Fatal config error: ephemeral_node_inactivity_timeout (%s) is set too low, must be more than %s",
-			viper.GetString("ephemeral_node_inactivity_timeout"),
-			minInactivityTimeout,
-		)
-	}
-
-	maxNodeUpdateCheckInterval, _ := time.ParseDuration("60s")
-	if viper.GetDuration("node_update_check_interval") > maxNodeUpdateCheckInterval {
-		errorText += fmt.Sprintf(
-			"Fatal config error: node_update_check_interval (%s) is set too high, must be less than %s",
-			viper.GetString("node_update_check_interval"),
-			maxNodeUpdateCheckInterval,
-		)
-	}
-
 	if errorText != "" {
 		//nolint
 		return errors.New(strings.TrimSuffix(errorText, "\n"))
@@ -487,6 +456,9 @@ func GetHeadscaleConfig() (*Config, error) {
 		PrivateKeyPath: AbsolutePathFromConfigPath(
 			viper.GetString("private_key_path"),
 		),
+		NoisePrivateKeyPath: AbsolutePathFromConfigPath(
+			viper.GetString("noise_private_key_path"),
+		),
 		BaseDomain: baseDomain,
 
 		DERP: derpConfig,
@@ -495,10 +467,6 @@ func GetHeadscaleConfig() (*Config, error) {
 			"ephemeral_node_inactivity_timeout",
 		),
 
-		NodeUpdateCheckInterval: viper.GetDuration(
-			"node_update_check_interval",
-		),
-
 		DBtype: viper.GetString("db_type"),
 		DBpath: AbsolutePathFromConfigPath(viper.GetString("db_path")),
 		DBhost: viper.GetString("db_host"),

db.go

@@ -1,7 +1,6 @@
 package headscale
 
 import (
-	"context"
 	"database/sql/driver"
 	"encoding/json"
 	"errors"
@@ -90,7 +89,7 @@ func (h *Headscale) initDB() error {
 			log.Error().Err(err).Msg("Error accessing db")
 		}
 
-		for item, machine := range machines {
+		for _, machine := range machines {
 			if machine.GivenName == "" {
 				normalizedHostname, err := NormalizeToFQDNRules(
 					machine.Hostname,
@@ -104,7 +103,7 @@ func (h *Headscale) initDB() error {
 						Msg("Failed to normalize machine hostname in DB migration")
 				}
 
-				err = h.RenameMachine(&machines[item], normalizedHostname)
+				err = h.RenameMachine(&machine, normalizedHostname)
 				if err != nil {
 					log.Error().
 						Caller().
@@ -112,6 +111,7 @@ func (h *Headscale) initDB() error {
 						Err(err).
 						Msg("Failed to save normalized machine name in DB migration")
 				}
+
 			}
 		}
 	}
@@ -221,17 +221,6 @@ func (h *Headscale) setValue(key string, value string) error {
 	return nil
 }
 
-func (h *Headscale) pingDB() error {
-	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
-	defer cancel()
-	db, err := h.db.DB()
-	if err != nil {
-		return err
-	}
-
-	return db.PingContext(ctx)
-}
-
 // This is a "wrapper" type around tailscales
 // Hostinfo to allow us to add database "serialization"
 // methods. This allows us to use a typed values throughout
@@ -248,7 +237,7 @@ func (hi *HostInfo) Scan(destination interface{}) error {
 		return json.Unmarshal([]byte(value), hi)
 
 	default:
-		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
+		return fmt.Errorf("%w: unexpected data type %T", errMachineAddressesInvalid, destination)
 	}
 }
 
@@ -270,7 +259,7 @@ func (i *IPPrefixes) Scan(destination interface{}) error {
 		return json.Unmarshal([]byte(value), i)
 
 	default:
-		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
+		return fmt.Errorf("%w: unexpected data type %T", errMachineAddressesInvalid, destination)
 	}
 }
 
@@ -292,7 +281,7 @@ func (i *StringList) Scan(destination interface{}) error {
 		return json.Unmarshal([]byte(value), i)
 
 	default:
-		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
+		return fmt.Errorf("%w: unexpected data type %T", errMachineAddressesInvalid, destination)
 	}
 }
 

derp.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"io"
+	"io/ioutil"
 	"net/http"
 	"net/url"
 	"os"
@@ -49,7 +50,7 @@ func loadDERPMapFromURL(addr url.URL) (*tailcfg.DERPMap, error) {
 	}
 
 	defer resp.Body.Close()
-	body, err := io.ReadAll(resp.Body)
+	body, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
 		return nil, err
 	}
@@ -151,7 +152,16 @@ func (h *Headscale) scheduledDERPMapUpdateWorker(cancelChan <-chan struct{}) {
 				h.DERPMap.Regions[h.DERPServer.region.RegionID] = &h.DERPServer.region
 			}
 
-			h.setLastStateChangeToNow()
+			namespaces, err := h.ListNamespaces()
+			if err != nil {
+				log.Error().
+					Err(err).
+					Msg("Failed to fetch namespaces")
+			}
+
+			for _, namespace := range namespaces {
+				h.setLastStateChangeToNow(namespace.Name)
+			}
 		}
 	}
 }

derp_server.go

@@ -2,7 +2,6 @@ package headscale
 
 import (
 	"context"
-	"encoding/json"
 	"fmt"
 	"net"
 	"net/http"
@@ -11,6 +10,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/gin-gonic/gin"
 	"github.com/rs/zerolog/log"
 	"tailscale.com/derp"
 	"tailscale.com/net/stun"
@@ -30,7 +30,6 @@ type DERPServer struct {
 }
 
 func (h *Headscale) NewDERPServer() (*DERPServer, error) {
-	log.Trace().Caller().Msg("Creating new embedded DERP server")
 	server := derp.NewServer(key.NodePrivate(*h.privateKey), log.Info().Msgf)
 	region, err := h.generateRegionLocalDERP()
 	if err != nil {
@@ -88,48 +87,30 @@ func (h *Headscale) generateRegionLocalDERP() (tailcfg.DERPRegion, error) {
 	}
 	localDERPregion.Nodes[0].STUNPort = portSTUN
 
-	log.Info().Caller().Msgf("DERP region: %+v", localDERPregion)
-
 	return localDERPregion, nil
 }
 
-func (h *Headscale) DERPHandler(
+func (h *Headscale) DERPHandler(ctx *gin.Context) {
-	writer http.ResponseWriter,
+	log.Trace().Caller().Msgf("/derp request from %v", ctx.ClientIP())
-	req *http.Request,
+	up := strings.ToLower(ctx.Request.Header.Get("Upgrade"))
-) {
-	log.Trace().Caller().Msgf("/derp request from %v", req.RemoteAddr)
-	up := strings.ToLower(req.Header.Get("Upgrade"))
 	if up != "websocket" && up != "derp" {
 		if up != "" {
 			log.Warn().Caller().Msgf("Weird websockets connection upgrade: %q", up)
 		}
-		writer.Header().Set("Content-Type", "text/plain")
+		ctx.String(http.StatusUpgradeRequired, "DERP requires connection upgrade")
-		writer.WriteHeader(http.StatusUpgradeRequired)
-		_, err := writer.Write([]byte("DERP requires connection upgrade"))
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
 		return
 	}
 
-	fastStart := req.Header.Get(fastStartHeader) == "1"
+	fastStart := ctx.Request.Header.Get(fastStartHeader) == "1"
 
-	hijacker, ok := writer.(http.Hijacker)
+	hijacker, ok := ctx.Writer.(http.Hijacker)
 	if !ok {
 		log.Error().Caller().Msg("DERP requires Hijacker interface from Gin")
-		writer.Header().Set("Content-Type", "text/plain")
+		ctx.String(
-		writer.WriteHeader(http.StatusInternalServerError)
+			http.StatusInternalServerError,
-		_, err := writer.Write([]byte("HTTP does not support general TCP support"))
+			"HTTP does not support general TCP support",
-		if err != nil {
+		)
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
 		return
 	}
@@ -137,19 +118,13 @@ func (h *Headscale) DERPHandler(
 	netConn, conn, err := hijacker.Hijack()
 	if err != nil {
 		log.Error().Caller().Err(err).Msgf("Hijack failed")
-		writer.Header().Set("Content-Type", "text/plain")
+		ctx.String(
-		writer.WriteHeader(http.StatusInternalServerError)
+			http.StatusInternalServerError,
-		_, err = writer.Write([]byte("HTTP does not support general TCP support"))
+			"HTTP does not support general TCP support",
-		if err != nil {
+		)
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
 		return
 	}
-	log.Trace().Caller().Msgf("Hijacked connection from %v", req.RemoteAddr)
 
 	if !fastStart {
 		pubKey := h.privateKey.Public()
@@ -168,23 +143,12 @@ func (h *Headscale) DERPHandler(
 
 // DERPProbeHandler is the endpoint that js/wasm clients hit to measure
 // DERP latency, since they can't do UDP STUN queries.
-func (h *Headscale) DERPProbeHandler(
+func (h *Headscale) DERPProbeHandler(ctx *gin.Context) {
-	writer http.ResponseWriter,
+	switch ctx.Request.Method {
-	req *http.Request,
-) {
-	switch req.Method {
 	case "HEAD", "GET":
-		writer.Header().Set("Access-Control-Allow-Origin", "*")
+		ctx.Writer.Header().Set("Access-Control-Allow-Origin", "*")
-		writer.WriteHeader(http.StatusOK)
 	default:
-		writer.WriteHeader(http.StatusMethodNotAllowed)
+		ctx.String(http.StatusMethodNotAllowed, "bogus probe method")
-		_, err := writer.Write([]byte("bogus probe method"))
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 	}
 }
 
@@ -195,18 +159,15 @@ func (h *Headscale) DERPProbeHandler(
 // The initial implementation is here https://github.com/tailscale/tailscale/pull/1406
 // They have a cache, but not clear if that is really necessary at Headscale, uh, scale.
 // An example implementation is found here https://derp.tailscale.com/bootstrap-dns
-func (h *Headscale) DERPBootstrapDNSHandler(
+func (h *Headscale) DERPBootstrapDNSHandler(ctx *gin.Context) {
-	writer http.ResponseWriter,
-	req *http.Request,
-) {
 	dnsEntries := make(map[string][]net.IP)
 
 	resolvCtx, cancel := context.WithTimeout(context.Background(), time.Minute)
 	defer cancel()
-	var resolver net.Resolver
+	var r net.Resolver
 	for _, region := range h.DERPMap.Regions {
 		for _, node := range region.Nodes { // we don't care if we override some nodes
-			addrs, err := resolver.LookupIP(resolvCtx, "ip", node.HostName)
+			addrs, err := r.LookupIP(resolvCtx, "ip", node.HostName)
 			if err != nil {
 				log.Trace().
 					Caller().
@@ -218,15 +179,7 @@ func (h *Headscale) DERPBootstrapDNSHandler(
 			dnsEntries[node.HostName] = addrs
 		}
 	}
-	writer.Header().Set("Content-Type", "application/json")
+	ctx.JSON(http.StatusOK, dnsEntries)
-	writer.WriteHeader(http.StatusOK)
-	err := json.NewEncoder(writer).Encode(dnsEntries)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
 }
 
 // ServeSTUN starts a STUN server on the configured addr.

docs/acls.md

@@ -36,7 +36,7 @@ ACLs could be written either on [huJSON](https://github.com/tailscale/hujson)
 or YAML. Check the [test ACLs](../tests/acls) for further information.
 
 When registering the servers we will need to add the flag
-`--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user (namespace) that is
+`--advertised-tags=tag:<tag1>,tag:<tag2>`, and the user (namespace) that is
 registering the server should be allowed to do it. Since anyone can add tags to
 a server they can register, the check of the tags is done on headscale server
 and only valid tags are applied. A tag is valid if the namespace that is

docs/android-client.md

@@ -1,19 +0,0 @@
-# Connecting an Android client
-
-## Goal
-
-This documentation has the goal of showing how a user can use the official Android [Tailscale](https://tailscale.com) client with `headscale`.
-
-## Installation
-
-Install the official Tailscale Android client from the [Google Play Store](https://play.google.com/store/apps/details?id=com.tailscale.ipn) or [F-Droid](https://f-droid.org/packages/com.tailscale.ipn/).
-
-Ensure that the installed version is at least 1.30.0, as that is the first release to support custom URLs.
-
-## Configuring the headscale URL
-
-After opening the app, the kebab menu icon (three dots) on the top bar on the right must be repeatedly opened and closed until the _Change server_ option appears in the menu. This is where you can enter your headscale URL.
-
-A screen recording of this process can be seen in the `tailscale-android` PR which implemented this functionality: <https://github.com/tailscale/tailscale-android/pull/55>
-
-After saving and restarting the app, selecting the regular _Sign in_ option (non-SSO) should open up the headscale authentication page.

flake.nix

@@ -24,7 +24,7 @@
 
               # When updating go.mod or go.sum, a new sha will need to be calculated,
               # update this if you have a mismatch after doing a change to thos files.
-              vendorSha256 = "sha256-RzmnAh81BN4tbzAGzJbb6CMuws8kuPJDw7aPkRRnSS8=";
+              vendorSha256 = "sha256-j/hI6vP92UmcexFfzCe5fkGE8QUdQdNajSxMGib175Q=";
 
               ldflags = [ "-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}" ];
             };

go.mod

@@ -3,65 +3,68 @@ module github.com/juanfont/headscale
 go 1.18
 
 require (
-	github.com/AlecAivazis/survey/v2 v2.3.5
+	github.com/AlecAivazis/survey/v2 v2.3.4
 	github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029
-	github.com/coreos/go-oidc/v3 v3.2.0
+	github.com/coreos/go-oidc/v3 v3.1.0
 	github.com/deckarep/golang-set/v2 v2.1.0
 	github.com/efekarakus/termcolor v1.0.1
-	github.com/glebarez/sqlite v1.4.6
+	github.com/gin-gonic/gin v1.7.7
+	github.com/glebarez/sqlite v1.4.3
 	github.com/gofrs/uuid v4.2.0+incompatible
-	github.com/gorilla/mux v1.8.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.2
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.10.0
-	github.com/klauspost/compress v1.15.9
+	github.com/klauspost/compress v1.15.4
-	github.com/ory/dockertest/v3 v3.9.1
+	github.com/ory/dockertest/v3 v3.8.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philip-bui/grpc-zerolog v1.0.1
-	github.com/prometheus/client_golang v1.13.0
+	github.com/prometheus/client_golang v1.12.1
-	github.com/prometheus/common v0.37.0
+	github.com/prometheus/common v0.32.1
-	github.com/pterm/pterm v0.12.45
+	github.com/pterm/pterm v0.12.41
-	github.com/puzpuzpuz/xsync v1.4.2
+	github.com/puzpuzpuz/xsync v1.2.1
-	github.com/rs/zerolog v1.27.0
+	github.com/rs/zerolog v1.26.1
-	github.com/spf13/cobra v1.5.0
+	github.com/spf13/cobra v1.4.0
-	github.com/spf13/viper v1.12.0
+	github.com/spf13/viper v1.11.0
-	github.com/stretchr/testify v1.8.0
+	github.com/stretchr/testify v1.7.1
-	github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f
+	github.com/tailscale/hujson v0.0.0-20220506202205-92b4b88a9e17
 	github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e
-	golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa
+	github.com/zsais/go-gin-prometheus v0.1.0
-	golang.org/x/oauth2 v0.0.0-20220808172628-8227340efae7
+	golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f
-	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4
+	golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5
-	google.golang.org/genproto v0.0.0-20220808204814-fd01256a5276
+	golang.org/x/sync v0.0.0-20220513210516-0976fa681c29
-	google.golang.org/grpc v1.48.0
+	google.golang.org/genproto v0.0.0-20220422154200-b37d22cd5731
-	google.golang.org/protobuf v1.28.1
+	google.golang.org/grpc v1.46.0
+	google.golang.org/protobuf v1.28.0
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/yaml.v2 v2.4.0
-	gopkg.in/yaml.v3 v3.0.1
+	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
-	gorm.io/driver/postgres v1.3.8
+	gorm.io/driver/postgres v1.3.5
-	gorm.io/gorm v1.23.8
+	gorm.io/gorm v1.23.4
-	inet.af/netaddr v0.0.0-20220617031823-097006376321
+	inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6
-	tailscale.com v1.28.0
+	tailscale.com v1.26.0
 )
 
 require (
-	atomicgo.dev/cursor v0.1.1 // indirect
-	atomicgo.dev/keyboard v0.2.8 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect
+	github.com/atomicgo/cursor v0.0.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
+	github.com/cenkalti/backoff/v4 v4.1.2 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/containerd/console v1.0.3 // indirect
+	github.com/containerd/continuity v0.0.0-20190827140505-75bee3e2ccb6 // indirect
-	github.com/containerd/continuity v0.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/cli v20.10.16+incompatible // indirect
 	github.com/docker/docker v20.10.16+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.4.0 // indirect
-	github.com/fsnotify/fsnotify v1.5.4 // indirect
+	github.com/fsnotify/fsnotify v1.5.1 // indirect
-	github.com/glebarez/go-sqlite v1.17.3 // indirect
+	github.com/gin-contrib/sse v0.1.0 // indirect
+	github.com/glebarez/go-sqlite v1.16.0 // indirect
+	github.com/go-playground/locales v0.13.0 // indirect
+	github.com/go-playground/universal-translator v0.17.0 // indirect
+	github.com/go-playground/validator/v10 v10.4.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-cmp v0.5.8 // indirect
@@ -75,21 +78,22 @@ require (
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
-	github.com/jackc/pgconn v1.12.1 // indirect
+	github.com/jackc/pgconn v1.12.0 // indirect
 	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgproto3/v2 v2.3.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
 	github.com/jackc/pgtype v1.11.0 // indirect
-	github.com/jackc/pgx/v4 v4.16.1 // indirect
+	github.com/jackc/pgx/v4 v4.16.0 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.4 // indirect
 	github.com/josharian/native v1.0.0 // indirect
 	github.com/jsimonetti/rtnetlink v1.1.2-0.20220408201609-d380b505068b // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
-	github.com/lithammer/fuzzysearch v1.1.5 // indirect
+	github.com/leodido/go-urn v1.2.0 // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
@@ -99,35 +103,38 @@ require (
 	github.com/mdlayher/socket v0.2.3 // indirect
 	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
-	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mitchellh/mapstructure v1.4.3 // indirect
 	github.com/moby/term v0.0.0-20201216013528-df9cb8a40635 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
-	github.com/opencontainers/runc v1.1.2 // indirect
+	github.com/opencontainers/runc v1.0.2 // indirect
-	github.com/pelletier/go-toml v1.9.5 // indirect
+	github.com/pelletier/go-toml v1.9.4 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.0-beta.8 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/procfs v0.8.0 // indirect
+	github.com/prometheus/procfs v0.7.3 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
 	github.com/rivo/uniseg v0.2.0 // indirect
 	github.com/rogpeppe/go-internal v1.8.1-0.20211023094830-115ce09fd6b4 // indirect
 	github.com/sirupsen/logrus v1.8.1 // indirect
 	github.com/spf13/afero v1.8.2 // indirect
-	github.com/spf13/cast v1.5.0 // indirect
+	github.com/spf13/cast v1.4.1 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/subosito/gotenv v1.3.0 // indirect
+	github.com/subosito/gotenv v1.2.0 // indirect
+	github.com/ugorji/go/codec v1.1.7 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
 	go4.org/intern v0.0.0-20211027215823-ae77deb06f29 // indirect
 	go4.org/mem v0.0.0-20210711025021-927187094b94 // indirect
-	go4.org/unsafe/assume-no-moving-gc v0.0.0-20220617031537-928513b29760 // indirect
+	go4.org/unsafe/assume-no-moving-gc v0.0.0-20211027215541-db492cf91b37 // indirect
-	golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
+	golang.org/x/net v0.0.0-20220516155154-20f960328961 // indirect
-	golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d // indirect
+	golang.org/x/sys v0.0.0-20220513210249-45d2b4557a2a // indirect
 	golang.org/x/term v0.0.0-20220411215600-e5f449aeb171 // indirect
 	golang.org/x/text v0.3.7 // indirect
 	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 // indirect
@@ -135,8 +142,8 @@ require (
 	google.golang.org/appengine v1.6.7 // indirect
 	gopkg.in/ini.v1 v1.66.4 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
-	modernc.org/libc v1.16.8 // indirect
+	modernc.org/libc v1.14.12 // indirect
 	modernc.org/mathutil v1.4.1 // indirect
-	modernc.org/memory v1.1.1 // indirect
+	modernc.org/memory v1.0.7 // indirect
-	modernc.org/sqlite v1.17.3 // indirect
+	modernc.org/sqlite v1.16.0 // indirect
 )

go.sum

@@ -1,8 +1,4 @@
 4d63.com/gochecknoglobals v0.1.0/go.mod h1:wfdC5ZjKSPr7CybKEcgJhUOgeAQW1+7WcyK8OvUilfo=
-atomicgo.dev/cursor v0.1.1 h1:0t9sxQomCTRh5ug+hAMCs59x/UmC9QL6Ci5uosINKD4=
-atomicgo.dev/cursor v0.1.1/go.mod h1:Lr4ZJB3U7DfPPOkbH7/6TOtJ4vFGHlgj1nc+n900IpU=
-atomicgo.dev/keyboard v0.2.8 h1:Di09BitwZgdTV1hPyX/b9Cqxi8HVuJQwWivnZUEqlj4=
-atomicgo.dev/keyboard v0.2.8/go.mod h1:BC4w9g00XkxH/f1HXhW2sXmJFOCWbKn9xrOunSFtExQ=
 bitbucket.org/creachadair/shell v0.0.6/go.mod h1:8Qqi/cYk7vPnsOePHroKXDJYmb5x7ENhtiFtfZq8K+M=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
@@ -56,8 +52,8 @@ cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9
 cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3fOKtUw0Xmo=
 contrib.go.opencensus.io/exporter/stackdriver v0.13.4/go.mod h1:aXENhDJ1Y4lIg4EUaVTwzvYETVNZk10Pu26tevFKLUc=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
-github.com/AlecAivazis/survey/v2 v2.3.5 h1:A8cYupsAZkjaUmhtTYv3sSqc7LO5mp1XDfqe5E/9wRQ=
+github.com/AlecAivazis/survey/v2 v2.3.4 h1:pchTU9rsLUSvWEl2Aq9Pv3k0IE2fkqtGxazskAMd9Ng=
-github.com/AlecAivazis/survey/v2 v2.3.5/go.mod h1:4AuI9b7RjAR+G7v9+C4YSlX/YL3K3cWNXgWXOhllqvI=
+github.com/AlecAivazis/survey/v2 v2.3.4/go.mod h1:hrV6Y/kQCLhIZXGcriDCUBtB3wnN7156gMXJ3+b23xM=
 github.com/Antonboom/errname v0.1.5/go.mod h1:DugbBstvPFQbv/5uLcRRzfrNqKE9tVdVCqWCLp6Cifo=
 github.com/Antonboom/nilnil v0.1.0/go.mod h1:PhHLvRPSghY5Y7mX4TW+BHZQYo1A8flE5H20D3IPZBo=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
@@ -72,8 +68,8 @@ github.com/MarvinJWendt/testza v0.2.8/go.mod h1:nwIcjmr0Zz+Rcwfh3/4UhBp7ePKVhuBE
 github.com/MarvinJWendt/testza v0.2.10/go.mod h1:pd+VWsoGUiFtq+hRKSU1Bktnn+DMCSrDrXDpX2bG66k=
 github.com/MarvinJWendt/testza v0.2.12/go.mod h1:JOIegYyV7rX+7VZ9r77L/eH6CfJHHzXjB69adAhzZkI=
 github.com/MarvinJWendt/testza v0.3.0/go.mod h1:eFcL4I0idjtIx8P9C6KkAuLgATNKpX4/2oUqKc6bF2c=
-github.com/MarvinJWendt/testza v0.4.2 h1:Vbw9GkSB5erJI2BPnBL9SVGV9myE+XmUSFahBGUhW2Q=
+github.com/MarvinJWendt/testza v0.3.5 h1:g9krITRRlIsF1eO9sUKXtiTw670gZIIk6T08Keeo1nM=
-github.com/MarvinJWendt/testza v0.4.2/go.mod h1:mSdhXiKH8sg/gQehJ63bINcCKp7RtYewEjXsvsVUPbE=
+github.com/MarvinJWendt/testza v0.3.5/go.mod h1:ExbTpWmA1z2E9HSskvrNcwApoX4F9bID692s10nuHRY=
 github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver v1.4.2/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
@@ -82,6 +78,7 @@ github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030I
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
 github.com/Masterminds/sprig v2.15.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
 github.com/Masterminds/sprig v2.22.0+incompatible/go.mod h1:y6hNFY5UBTIWBxnzTeuNhlNS5hqE0NB0E6fgfo2Br3o=
+github.com/Microsoft/go-winio v0.5.1/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84=
 github.com/Microsoft/go-winio v0.5.2 h1:a9IhgEQBCUEk6QCdml9CiJGhAws+YwffDHEMp1VMrpA=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
@@ -113,6 +110,7 @@ github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj
 github.com/armon/go-radix v1.0.0/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8=
 github.com/ashanbrown/forbidigo v1.2.0/go.mod h1:vVW7PEdqEFqapJe95xHkTfB1+XvZXBFg8t0sG2FIxmI=
 github.com/ashanbrown/makezero v0.0.0-20210520155254-b6261585ddde/go.mod h1:oG9Dnez7/ESBqc4EdrdNlryeo7d0KcW1ftXHm7nU/UU=
+github.com/atomicgo/cursor v0.0.1 h1:xdogsqa6YYlLfM+GyClC/Lchf7aiMerFiZQn7soTOoU=
 github.com/atomicgo/cursor v0.0.1/go.mod h1:cBON2QmmrysudxNBFthvMtN32r3jxVRIvzkUiF/RuIk=
 github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
 github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
@@ -122,6 +120,7 @@ github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+Ce
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs=
+github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
 github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
 github.com/bkielbasa/cyclop v1.2.0/go.mod h1:qOI0yy6A7dYC4Zgsa72Ppm9kONl0RoIlPbzot9mhmeI=
 github.com/blizzy78/varnamelen v0.3.0/go.mod h1:hbwRdBvoBqxk34XyQ6HA0UH3G0/1TKuv5AC4eaBT0Ec=
@@ -130,8 +129,8 @@ github.com/breml/bidichk v0.1.1/go.mod h1:zbfeitpevDUGI7V91Uzzuwrn4Vls8MoBMrwtt7
 github.com/butuzov/ireturn v0.1.1/go.mod h1:Wh6Zl3IMtTpaIKbmwzqi6olnM9ptYQxxVacMsOEFPoc=
 github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029 h1:POmUHfxXdeyM8Aomg4tKDcwATCFuW+cYLkj6pwsw9pc=
 github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029/go.mod h1:Rpr5n9cGHYdM3S3IK8ROSUUUYjQOu+MSUCZDcJbYWi8=
-github.com/cenkalti/backoff/v4 v4.1.3 h1:cFAlzYUlVYDysBEH2T5hyJZMh3+5+WCBvSnK6Q8UtC4=
+github.com/cenkalti/backoff/v4 v4.1.2 h1:6Yo7N8UP2K6LWZnW94DLVSSrbobcWdVzAYOisuDPIFo=
-github.com/cenkalti/backoff/v4 v4.1.3/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
+github.com/cenkalti/backoff/v4 v4.1.2/go.mod h1:scbssz8iZGpm3xbr14ovlUdkxfGXNInqkPWOWmG2CLw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -139,11 +138,11 @@ github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cb
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/charithe/durationcheck v0.0.9/go.mod h1:SSbRIBVfMjCi/kEB6K65XEA83D6prSM8ap1UCpNKtgg=
 github.com/chavacava/garif v0.0.0-20210405164556-e8a0a408d6af/go.mod h1:Qjyv4H3//PWVzTeCezG2b9IRn6myJxJSr4TD/xo6ojU=
-github.com/checkpoint-restore/go-criu/v5 v5.3.0/go.mod h1:E/eQpaFtUKGOOSEBZgmKAcn+zUUwWxqcaKZlF54wK8E=
+github.com/checkpoint-restore/go-criu/v5 v5.0.0/go.mod h1:cfwC0EG7HMUenopBsUf9d89JlCLQIfgVcNsNN0t6T2M=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
-github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
+github.com/cilium/ebpf v0.6.2/go.mod h1:4tRaxcgiL706VnOzHOdBlY8IEAIdxINsQBcU4xJJXRs=
 github.com/cilium/ebpf v0.8.1 h1:bLSSEbBLqGPXxls55pGr5qWZaTqcmfDJHhou7t254ao=
 github.com/cilium/ebpf v0.8.1/go.mod h1:f5zLIM0FSNuAkSyLAN7X+Hy6yznlF1mNiWUMfxMtrgk=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
@@ -152,20 +151,20 @@ github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnht
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
 github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
+github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/apd v1.1.0 h1:3LFP3629v+1aKXU5Q37mxmRxX/pIu1nijXydLShEq5I=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
-github.com/containerd/console v1.0.3 h1:lIr7SlA5PxZyMV30bDW0MGbiOPXwc63yRuCP0ARubLw=
+github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ=
-github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
+github.com/containerd/continuity v0.0.0-20190827140505-75bee3e2ccb6 h1:NmTXa/uVnDyp0TY5MKi197+3HWcnYWfnHGyaFthlnGw=
-github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvAXZJ/eg=
+github.com/containerd/continuity v0.0.0-20190827140505-75bee3e2ccb6/go.mod h1:GL3xCUCBDV3CZiTSEKksMWbLE66hEyuu9qyDOOqM47Y=
-github.com/containerd/continuity v0.3.0/go.mod h1:wJEAIwKOm/pBZuBd0JmeTvnLquTB1Ag8espWhkykbPM=
 github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
 github.com/coreos/go-etcd v2.0.0+incompatible/go.mod h1:Jez6KQU2B/sWsbdaef3ED8NzMklzPG4d5KIOhIy30Tk=
-github.com/coreos/go-oidc/v3 v3.2.0 h1:2eR2MGR7thBXSQ2YbODlF0fcmgtliLCfr9iX6RW11fc=
+github.com/coreos/go-oidc/v3 v3.1.0 h1:6avEvcdvTa1qYsOZ6I5PRkSYHzpTNWgKYmaJfaYbrRw=
-github.com/coreos/go-oidc/v3 v3.2.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo=
+github.com/coreos/go-oidc/v3 v3.1.0/go.mod h1:rEJ/idjfUyfkBit1eI1fvyr+64/g9dcKpAm8MJMesvo=
 github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-semver v0.3.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
 github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
@@ -173,19 +172,18 @@ github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7
 github.com/coreos/go-systemd v0.0.0-20190620071333-e64a0ec8b42a/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man v1.0.10/go.mod h1:SmD6nW6nTyfqj6ABTjUi3V3JVMnlJmwcJI5acqYI6dE=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.11/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI=
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
 github.com/daixiang0/gci v0.2.9/go.mod h1:+4dZ7TISfSmqfAGv59ePaHfNzgGtIkHAhhdKggP1JAc=
 github.com/davecgh/go-spew v0.0.0-20161028175848-04cdfd42973b/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -195,8 +193,10 @@ github.com/deckarep/golang-set/v2 v2.1.0 h1:g47V4Or+DUdzbs8FxCCmgb6VYd+ptPAngjM6
 github.com/deckarep/golang-set/v2 v2.1.0/go.mod h1:VAky9rY/yGXJOLEDv3OMci+7wtDpOF4IN+y82NBOac4=
 github.com/denis-tingajkin/go-header v0.4.2/go.mod h1:eLRHAVXzE5atsKAnNRDB90WHCFFnBUn4RN0nRcs1LJA=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/docker/cli v20.10.11+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/cli v20.10.16+incompatible h1:aLQ8XowgKpR3/IysPj8qZQJBVQ+Qws61icFuZl6iKYs=
 github.com/docker/cli v20.10.16+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/docker v20.10.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker v20.10.16+incompatible h1:2Db6ZR/+FUR3hqPMwnogOPHFn405crbpxvWzKovETOQ=
 github.com/docker/docker v20.10.16+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
@@ -215,6 +215,7 @@ github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5y
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210217033140-668b12f5399d/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
+github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
 github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/protoc-gen-validate v0.0.14/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
@@ -226,20 +227,23 @@ github.com/fatih/color v1.10.0/go.mod h1:ELkj/draVOlAH/xkhN6mQ50Qd0MPOk5AAr3maGE
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
 github.com/fatih/structtag v1.2.0/go.mod h1:mBJUNpUnHmRKrKlQQlmCrh5PuhftFbNv8Ys4/aAZl94=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
+github.com/frankban/quicktest v1.14.0 h1:+cqqvzZV87b4adx/5ayVOaYZ2CrvM4ejQvUdBzPPUss=
 github.com/frankban/quicktest v1.14.0/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og=
-github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/fsnotify/fsnotify v1.5.1 h1:mZcQUHVQUQWoPXXtuf9yuEXKudkV2sx1E06UadKWpgI=
 github.com/fsnotify/fsnotify v1.5.1/go.mod h1:T3375wBYaZdLLcVNkcVbzGHY7f1l/uK5T5Ai1i3InKU=
-github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
-github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
 github.com/fullstorydev/grpcurl v1.6.0/go.mod h1:ZQ+ayqbKMJNhzLmbpCiurTVlaK2M/3nqZCxaQ2Ze/sM=
 github.com/fzipp/gocyclo v0.3.1/go.mod h1:DJHO6AUmbdqj2ET4Z9iArSuwWgYDRryYt2wASxc7x3E=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
-github.com/glebarez/go-sqlite v1.17.3 h1:Rji9ROVSTTfjuWD6j5B+8DtkNvPILoUC3xRhkQzGxvk=
+github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
-github.com/glebarez/go-sqlite v1.17.3/go.mod h1:Hg+PQuhUy98XCxWEJEaWob8x7lhJzhNYF1nZbUiRGIY=
+github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
-github.com/glebarez/sqlite v1.4.6 h1:D5uxD2f6UJ82cHnVtO2TZ9pqsLyto3fpDKHIk2OsR8A=
+github.com/gin-gonic/gin v1.7.7 h1:3DoBmSbJbZAWqXJC3SLjAPfutPJJRN1U5pALB7EeTTs=
-github.com/glebarez/sqlite v1.4.6/go.mod h1:WYEtEFjhADPaPJqL/PGlbQQGINBA3eUAfDNbKFJf/zA=
+github.com/gin-gonic/gin v1.7.7/go.mod h1:axIBovoeJpVj8S3BwE0uPMTeReE4+AfFtqpqaZ1qq1U=
+github.com/glebarez/go-sqlite v1.16.0 h1:h28rHued+hGof3fNLksBcLwz/a71fiGZ/eIJHK0SsLI=
+github.com/glebarez/go-sqlite v1.16.0/go.mod h1:i8/JtqoqzBAFkrUTxbQFkQ05odCOds3j7NlDaXjqiPY=
+github.com/glebarez/sqlite v1.4.3 h1:ZABNo+2YIau8F8sZ7Qh/1h/ZnlSUMHFGD4zJKPval7A=
+github.com/glebarez/sqlite v1.4.3/go.mod h1:FcJlwP9scnxlQ5zxyl0+bn/qFjYcqG4eRvKYhs39QAQ=
 github.com/go-critic/go-critic v0.6.1/go.mod h1:SdNCfU0yF3UBjtaZGw6586/WocupMOJuiqgom5DsQxM=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
@@ -247,17 +251,22 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
-github.com/go-kit/log v0.2.0/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
-github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-ole/go-ole v1.2.5/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
+github.com/go-playground/assert/v2 v2.0.1 h1:MsBgLAaY856+nPRTKrp3/OZK38U/wa0CcBYNjji3q3A=
+github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.13.0 h1:HyWk6mgj5qFqCT5fjGBuRArbVDfE4hi8+e8ceBS/t7Q=
+github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
+github.com/go-playground/universal-translator v0.17.0 h1:icxd5fm+REJzpZx7ZfpaD876Lmtgy7VtROAbHHXk8no=
+github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
+github.com/go-playground/validator/v10 v10.4.1 h1:pH2c5ADXtd66mxoE0Zm9SUhxE20r7aM3F26W0hOn+GE=
+github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn9GlaMV7XkbRSipzJ0Ii4=
 github.com/go-redis/redis v6.15.8+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8wamY7mA7PouImQ2Jvg6kA=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
-github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
 github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4=
@@ -274,7 +283,6 @@ github.com/go-toolsmith/typep v1.0.2/go.mod h1:JSQCQMUPdRlMZFswiq3TGpNp1GMktqkR2
 github.com/go-xmlfmt/xmlfmt v0.0.0-20191208150333-d5b6f63a941b/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
 github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/godbus/dbus/v5 v5.0.6/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
 github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=
 github.com/gofrs/uuid v4.2.0+incompatible h1:yyYWMnhkhrKwwr8gAOcOCYxOOscHgDS9yZgBrnJfGa0=
@@ -395,7 +403,6 @@ github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORR
 github.com/gordonklaus/ineffassign v0.0.0-20200309095847-7953dde2c7bf/go.mod h1:cuNKsD1zp2v6XfE/orVX2QE1LC+i254ceGcVeDT3pTU=
 github.com/gordonklaus/ineffassign v0.0.0-20210225214923-2e10b2664254/go.mod h1:M9mZEtGIsR1oDaZagNPNG9iq9n2HrhZ17dsXk73V3Lw=
 github.com/gorhill/cronexpr v0.0.0-20180427100037-88b0669f7d75/go.mod h1:g2644b03hfBX9Ov0ZBDgXXens4rxSxmqFBbhvKv2yVA=
-github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
 github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
@@ -420,8 +427,8 @@ github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgf
 github.com/grpc-ecosystem/grpc-gateway v1.9.5/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
 github.com/grpc-ecosystem/grpc-gateway v1.12.1/go.mod h1:8XEsbTttt/W+VvjtQhLACqCisSPWTxCZ7sBRjU6iH9c=
 github.com/grpc-ecosystem/grpc-gateway v1.16.0/go.mod h1:BDjrQk3hbvj6Nolgz8mAMFbcEtjT1g+wF4CSlocrBnw=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.2 h1:BqHID5W5qnMkug0Z8UmL8tN0gAy4jQ+B4WFt8cCgluU=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.10.0 h1:ESEyqQqXXFIcImj/BE8oKEX37Zsuceb2cZI+EL/zNCY=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.2/go.mod h1:ZbS3MZTZq/apAfAEHGoB5HbsQQstoqP92SjAqtQ9zeg=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.10.0/go.mod h1:XnLCLFp3tjoZJszVKjfpyAK6J8sYIcQXWQxmqLWF21I=
 github.com/hashicorp/consul/api v1.1.0/go.mod h1:VmuI/Lkw1nC05EYQWNKwWGbkg+FbDBtguAZLlVdkD9Q=
 github.com/hashicorp/consul/api v1.10.1/go.mod h1:XjsvQN+RJGWI2TWy1/kqaE16HrR2J/FWgkYjdZQsX9M=
 github.com/hashicorp/consul/sdk v0.1.1/go.mod h1:VKf9jXwCTEY1QZP2MOLRhb5i/I/ssyNV1vwHyQBF0x8=
@@ -479,8 +486,8 @@ github.com/jackc/pgconn v0.0.0-20190831204454-2fabfa3c18b7/go.mod h1:ZJKsE/KZfsU
 github.com/jackc/pgconn v1.8.0/go.mod h1:1C2Pb36bGIP9QHGBYCjnyhqu7Rv3sGshaQUvmfGIB/o=
 github.com/jackc/pgconn v1.9.0/go.mod h1:YctiPyvzfU11JFxoXokUOOKQXQmDMoJL9vJzHH8/2JY=
 github.com/jackc/pgconn v1.9.1-0.20210724152538-d89c8390a530/go.mod h1:4z2w8XhRbP1hYxkpTuBjTS3ne3J48K83+u0zoyvg2pI=
-github.com/jackc/pgconn v1.12.1 h1:rsDFzIpRk7xT4B8FufgpCCeyjdNpKyghZeSefViE5W8=
+github.com/jackc/pgconn v1.12.0 h1:/RvQ24k3TnNdfBSW0ou9EOi5jx2cX7zfE8n2nLKuiP0=
-github.com/jackc/pgconn v1.12.1/go.mod h1:ZkhRC59Llhrq3oSfrikvwQ5NaxYExr6twkdkMLaKono=
+github.com/jackc/pgconn v1.12.0/go.mod h1:ZkhRC59Llhrq3oSfrikvwQ5NaxYExr6twkdkMLaKono=
 github.com/jackc/pgio v1.0.0 h1:g12B9UwVnzGhueNavwioyEEpAmqMe1E/BN9ES+8ovkE=
 github.com/jackc/pgio v1.0.0/go.mod h1:oP+2QK2wFfUWgr+gxjoBH9KGBb31Eio69xUb0w5bYf8=
 github.com/jackc/pgmock v0.0.0-20190831213851-13a1b77aafa2/go.mod h1:fGZlG77KXmcq05nJLRkk0+p82V8B8Dw8KN2/V9c/OAE=
@@ -510,8 +517,8 @@ github.com/jackc/pgx/v4 v4.0.0-20190420224344-cc3461e65d96/go.mod h1:mdxmSJJuR08
 github.com/jackc/pgx/v4 v4.0.0-20190421002000-1b8f0016e912/go.mod h1:no/Y67Jkk/9WuGR0JG/JseM9irFbnEPbuWV2EELPNuM=
 github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQnOEnf1dqHGpw7JmHqHc1NxDoalibchSk9/RWuDc=
 github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs=
-github.com/jackc/pgx/v4 v4.16.1 h1:JzTglcal01DrghUqt+PmzWsZx/Yh7SC/CTQmSBMTd0Y=
+github.com/jackc/pgx/v4 v4.16.0 h1:4k1tROTJctHotannFYzu77dY3bgtMRymQP7tXQjqpPk=
-github.com/jackc/pgx/v4 v4.16.1/go.mod h1:SIhx0D5hoADaiXZVyv+3gSm3LCIIINTVO0PficsvWGQ=
+github.com/jackc/pgx/v4 v4.16.0/go.mod h1:N0A9sFdWzkw/Jy1lwoiB64F2+ugFZi987zRxcPez/wI=
 github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
@@ -538,8 +545,10 @@ github.com/jsimonetti/rtnetlink v1.1.2-0.20220408201609-d380b505068b h1:Yws7RV6k
 github.com/jsimonetti/rtnetlink v1.1.2-0.20220408201609-d380b505068b/go.mod h1:TzDCVOZKUa79z6iXbbXqhtAflVgUKaFkZ21M5tK5tzY=
 github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.7/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.11/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
@@ -558,8 +567,8 @@ github.com/kisielk/errcheck v1.6.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.13.4/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg=
 github.com/klauspost/compress v1.13.5/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk=
-github.com/klauspost/compress v1.15.9 h1:wKRjX6JRtDdrE9qwa4b/Cip7ACOshUI4smpCQanqjSY=
+github.com/klauspost/compress v1.15.4 h1:1kn4/7MepF/CHmYub99/nNX8az0IJjfSOU/jbnTVfqQ=
-github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
+github.com/klauspost/compress v1.15.4/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.0.10/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
 github.com/klauspost/cpuid/v2 v2.0.12 h1:p9dKCg8i4gmOxtv35DvrYoWqYzQrvEVdjQ762Y0OqZE=
@@ -585,7 +594,10 @@ github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+
 github.com/kyoh86/exportloopref v0.1.8/go.mod h1:1tUcJeiioIs7VWe5gcOObrux3lb66+sBqGZrRkMwPgg=
 github.com/ldez/gomoddirectives v0.2.2/go.mod h1:cpgBogWITnCfRq2qGoDkKMEVSaarhdBr6g8G04uz6d0=
 github.com/ldez/tagliatelle v0.2.0/go.mod h1:8s6WJQwEYHbKZDsp/LjArytKOG8qaMrKQQ3mFukHs88=
+github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y=
+github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
 github.com/letsencrypt/pkcs11key/v4 v4.0.0/go.mod h1:EFUvBDay26dErnNb70Nd0/VW3tJiIbETBPTl9ATXQag=
+github.com/lib/pq v0.0.0-20180327071824-d34b9ff171c2/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.1.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
@@ -594,8 +606,6 @@ github.com/lib/pq v1.9.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.3 h1:v9QZf2Sn6AmjXtQeFpdoq/eaNtYP6IN+7lcrygsIAtg=
 github.com/lib/pq v1.10.3/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lithammer/fuzzysearch v1.1.5 h1:Ag7aKU08wp0R9QCfF4GoGST9HbmAIeLP7xwMrOBEp1c=
-github.com/lithammer/fuzzysearch v1.1.5/go.mod h1:1R1LRNk7yKid1BaQkmuLQaHruxcC4HmAH30Dh61Ih1Q=
 github.com/logrusorgru/aurora v0.0.0-20181002194514-a7b3b318ed4e/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
 github.com/lxn/walk v0.0.0-20210112085537-c389da54e794/go.mod h1:E23UucZGqpuUANJooIbHWCufXvOcT6E7Stq81gU+CSQ=
@@ -667,17 +677,19 @@ github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:F
 github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/mapstructure v1.4.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
-github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.4.3 h1:OVowDSCllw/YjdLkam3/sm7wEtOy59d8ndGgCcyj8cs=
-github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.1/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/moby/sys/mountinfo v0.5.0/go.mod h1:3bMD3Rg+zkqx8MRYPi7Pyb0Ie97QEBmdxbhnCLlSvSU=
+github.com/moby/sys/mountinfo v0.4.1/go.mod h1:rEr8tzG/lsIZHBtN/JjGG+LMYx9eXgW2JI+6q0qou+A=
 github.com/moby/term v0.0.0-20201216013528-df9cb8a40635 h1:rzf0wL0CHVc8CEsgyygG0Mn9CNCCPZqOPaz8RiiHYQk=
 github.com/moby/term v0.0.0-20201216013528-df9cb8a40635/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
 github.com/moricho/tparallel v0.2.1/go.mod h1:fXEIZxG2vdfl0ZF8b42f5a78EhjjD5mX8qUplsoSU4k=
@@ -707,17 +719,19 @@ github.com/onsi/ginkgo v1.16.4/go.mod h1:dX+/inL/fNMqNlz0e9LfyB9TswhZpCVdJM/Z6Vv
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY=
+github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
 github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 h1:+czc/J8SlhPKLOtVLMQc+xDCFBT73ZStMsRhSsUhsSg=
 github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198/go.mod h1:j4h1pJW6ZcJTgMZWP3+7RlG3zTaP02aDZ/Qw0sppK7Q=
-github.com/opencontainers/runc v1.1.2 h1:2VSZwLx5k/BfsBxMMipG/LYUnmqOD/BPkIVgQUcTlLw=
+github.com/opencontainers/runc v1.0.2 h1:opHZMaswlyxz1OuGpBE53Dwe4/xF7EZTY0A2L/FpCOg=
-github.com/opencontainers/runc v1.1.2/go.mod h1:Tj1hFw6eFWp/o33uxGf5yF2BX5yz2Z6iptFpuvbbKqc=
+github.com/opencontainers/runc v1.0.2/go.mod h1:aTaHFFwQXuA71CiyxOdFFIorAoemI04suvGRQFzWTD0=
 github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/selinux v1.10.0/go.mod h1:2i0OySw99QjzBBQByd1Gr9gSjvuho1lHsJxIJ3gGbJI=
+github.com/opencontainers/selinux v1.8.2/go.mod h1:MUIHuUEvKB1wtJjQdOyYRgOnLD2xAPP8dBsCoU0KuF8=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
-github.com/ory/dockertest/v3 v3.9.1 h1:v4dkG+dlu76goxMiTT2j8zV7s4oPPEppKT8K8p2f1kY=
+github.com/ory/dockertest/v3 v3.8.1 h1:vU/8d1We4qIad2YM0kOwRVtnyue7ExvacPiw1yDm17g=
-github.com/ory/dockertest/v3 v3.9.1/go.mod h1:42Ir9hmvaAPm0Mgibk6mBPi7SFvTXxEcnztDYOJ//uM=
+github.com/ory/dockertest/v3 v3.8.1/go.mod h1:wSRQ3wmkz+uSARYMk7kVJFDBGm8x5gSxIhI7NDc+BAQ=
 github.com/otiai10/copy v1.2.0/go.mod h1:rrF5dJ5F0t/EWSYODDu4j9/vEeYHMkc8jt0zJChqQWw=
 github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE=
 github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs=
@@ -729,11 +743,10 @@ github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTK
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
+github.com/pelletier/go-toml v1.9.4 h1:tjENF6MfZAg8e4ZmZTeWaWiT2vXtsoO6+iuOjFhECwM=
 github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
-github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
+github.com/pelletier/go-toml/v2 v2.0.0-beta.8 h1:dy81yyLYJDwMTifq24Oi/IslOslRrDSb3jwDggjz3Z0=
-github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
+github.com/pelletier/go-toml/v2 v2.0.0-beta.8/go.mod h1:r9LEWfGN8R5k0VXJ+0BkIe7MYkRdwZOjgMj2KwnJFUo=
-github.com/pelletier/go-toml/v2 v2.0.1 h1:8e3L2cCQzLFi2CR4g7vGFuFxX7Jl1kKX8gW+iV0GUKU=
-github.com/pelletier/go-toml/v2 v2.0.1/go.mod h1:r9LEWfGN8R5k0VXJ+0BkIe7MYkRdwZOjgMj2KwnJFUo=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/phayes/checkstyle v0.0.0-20170904204023-bfd46e6a821d/go.mod h1:3OzsM7FXDQlpCiw2j81fOmAwQLnZnLGXVKUzeKQXIAw=
 github.com/philip-bui/grpc-zerolog v1.0.1 h1:EMacvLRUd2O1K0eWod27ZP5CY1iTNkhBDLSN+Q4JEvA=
@@ -755,9 +768,8 @@ github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXP
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
+github.com/prometheus/client_golang v1.12.1 h1:ZiaPsmm9uiBeaSMRznKsCDNtPCS0T3JVDGF+06gjBzk=
 github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
-github.com/prometheus/client_golang v1.13.0 h1:b71QUfeo5M8gq2+evJdTPfZhYMAU0uKPkyPJ7TPsloU=
-github.com/prometheus/client_golang v1.13.0/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -766,16 +778,14 @@ github.com/prometheus/client_model v0.2.0/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6T
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
+github.com/prometheus/common v0.32.1 h1:hWIdL3N2HoUx3B8j3YN9mWor0qhY/NlEKZEaXxuIRh4=
 github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
-github.com/prometheus/common v0.37.0 h1:ccBbHCgIiT9uSoFY0vX8H3zsNR5eLt17/RQLUvn8pXE=
-github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
 github.com/prometheus/procfs v0.6.0/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
+github.com/prometheus/procfs v0.7.3 h1:4jVXhlkAyzOScmCkXBTOLRLTz8EeU+eyjrwB/EPq0VU=
 github.com/prometheus/procfs v0.7.3/go.mod h1:cz+aTbrPOrUb4q7XlbU9ygM+/jj0fzG6c1xBZuNvfVA=
-github.com/prometheus/procfs v0.8.0 h1:ODq8ZFEaYeCaZOJlZZdJA2AbQR98dSHSM1KW/You5mo=
-github.com/prometheus/procfs v0.8.0/go.mod h1:z7EfXMXOkbkqb9IINtpCn86r/to3BnA0uaxHdg830/4=
 github.com/pseudomuto/protoc-gen-doc v1.3.2/go.mod h1:y5+P6n3iGrbKG+9O04V5ld71in3v/bX88wUwgt+U8EA=
 github.com/pseudomuto/protokit v0.2.0/go.mod h1:2PdH30hxVHsup8KpBTOXTBeMVhJZVio3Q8ViKSAXT0Q=
 github.com/pterm/pterm v0.12.27/go.mod h1:PhQ89w4i95rhgE+xedAoqous6K9X+r6aSOI2eFF7DZI=
@@ -785,10 +795,10 @@ github.com/pterm/pterm v0.12.31/go.mod h1:32ZAWZVXD7ZfG0s8qqHXePte42kdz8ECtRyEej
 github.com/pterm/pterm v0.12.33/go.mod h1:x+h2uL+n7CP/rel9+bImHD5lF3nM9vJj80k9ybiiTTE=
 github.com/pterm/pterm v0.12.36/go.mod h1:NjiL09hFhT/vWjQHSj1athJpx6H8cjpHXNAK5bUw8T8=
 github.com/pterm/pterm v0.12.40/go.mod h1:ffwPLwlbXxP+rxT0GsgDTzS3y3rmpAO1NMjUkGTYf8s=
-github.com/pterm/pterm v0.12.45 h1:5HATKLTDjl9D74b0x7yiHzFI7OADlSXK3yHrJNhRwZE=
+github.com/pterm/pterm v0.12.41 h1:e2BRfFo1H9nL8GY0S3ImbZqfZ/YimOk9XtkhoobKJVs=
-github.com/pterm/pterm v0.12.45/go.mod h1:hJgLlBafm45w/Hr0dKXxY//POD7CgowhePaG1sdPNBg=
+github.com/pterm/pterm v0.12.41/go.mod h1:LW/G4J2A42XlTaPTAGRPvbBfF4UXvHWhC6SN7ueU4jU=
-github.com/puzpuzpuz/xsync v1.4.2 h1:3SmMNFuNaSHy1xsGGR8edy3Rzv0Ix3dOirPWtAnXvKk=
+github.com/puzpuzpuz/xsync v1.2.1 h1:faRb6HT9XN3IAhnE7IP0TnPpokPK42qFKXkhQVkWNwM=
-github.com/puzpuzpuz/xsync v1.4.2/go.mod h1:K98BYhX3k1dQ2M63t1YNVDanbwUPmBCAhNmVrrxfiGg=
+github.com/puzpuzpuz/xsync v1.2.1/go.mod h1:K98BYhX3k1dQ2M63t1YNVDanbwUPmBCAhNmVrrxfiGg=
 github.com/quasilyte/go-consistent v0.0.0-20190521200055-c6f3937de18c/go.mod h1:5STLWrekHfjyYwxBRVRXNOSewLJ3PWfDJd1VyTS21fI=
 github.com/quasilyte/go-ruleguard v0.3.1-0.20210203134552-1b5a410e1cc8/go.mod h1:KsAh3x0e7Fkpgs+Q9pNLS5XpFSvYCEVl5gP9Pp1xp30=
 github.com/quasilyte/go-ruleguard v0.3.13/go.mod h1:Ul8wwdqR6kBVOCt2dipDBkE+T6vAV/iixkrKuRTN1oQ=
@@ -813,8 +823,8 @@ github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/xid v1.3.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
 github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
-github.com/rs/zerolog v1.27.0 h1:1T7qCieN22GVc8S4Q2yuexzBb1EqjbgjSH9RohbMjKs=
+github.com/rs/zerolog v1.26.1 h1:/ihwxqH+4z8UxyI70wM1z9yCvkWcfz/a3mj48k/Zngc=
-github.com/rs/zerolog v1.27.0/go.mod h1:7frBqO0oezxmnO7GF86FY++uy8I0Tk/If5ni1G9Qc0U=
+github.com/rs/zerolog v1.26.1/go.mod h1:/wSSJWX7lVrsOwlbyTRSOJvqRlc+WjWlfes+CiJ+tmc=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
 github.com/russross/blackfriday v1.6.0/go.mod h1:ti0ldHuxg49ri4ksnFxlkCfN+hvslNlmVHqNRXXJNAY=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -826,7 +836,7 @@ github.com/sagikazarmark/crypt v0.1.0/go.mod h1:B/mN0msZuINBtQ1zZLEQcegFJJf9vnYI
 github.com/sanposhiho/wastedassign/v2 v2.0.6/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg65j358z/aeFdxmN0P9QXhEzd20vsDc=
-github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
+github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
 github.com/securego/gosec/v2 v2.9.1/go.mod h1:oDcDLcatOJxkCGaCaq8lua1jTnYf6Sou4wdiJ1n4iHc=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
 github.com/sergi/go-diff v1.2.0 h1:XU+rvMAioB0UC3q1MFrIQy4Vo5/4VsRDQQXHsEya6xQ=
@@ -859,14 +869,13 @@ github.com/spf13/afero v1.8.2 h1:xehSyVa0YnHWsJ49JFljMpg1HX19V6NDZ1fkm1Xznbo=
 github.com/spf13/afero v1.8.2/go.mod h1:CtAatgMJh6bJEIs48Ay/FOnkljP3WeGUG0MC1RfAqwo=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cast v1.4.1 h1:s0hze+J0196ZfEMTs80N7UlFt0BDuQ7Q+JDnHiMWKdA=
 github.com/spf13/cast v1.4.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
-github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
 github.com/spf13/cobra v1.2.1/go.mod h1:ExllRjgxM/piMAM+3tAZvg8fsklGAf3tPfi+i8t68Nk=
-github.com/spf13/cobra v1.5.0 h1:X+jTBEBqF0bHN+9cSMgmfuvv2VHJ9ezmFNf9Y/XstYU=
+github.com/spf13/cobra v1.4.0 h1:y+wJpx64xcgO1V+RcnwW0LEHxTKRi2ZDPSBjWnrg88Q=
-github.com/spf13/cobra v1.5.0/go.mod h1:dWXEIy2H428czQCjInthrTRUg7yKbok+2Qi/yBIJoUM=
+github.com/spf13/cobra v1.4.0/go.mod h1:Wo4iy3BUC+X2Fybo0PDqwJIv3dNRiZLHQymsfxlB84g=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
 github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
@@ -877,14 +886,13 @@ github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
 github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns=
 github.com/spf13/viper v1.9.0/go.mod h1:+i6ajR7OX2XaiBkrcZJFK21htRk7eDeLg7+O6bhUPP4=
-github.com/spf13/viper v1.12.0 h1:CZ7eSOd3kZoaYDLbXnmzgQI5RlciuXBMA+18HwHRfZQ=
+github.com/spf13/viper v1.11.0 h1:7OX/1FS6n7jHD1zGrZTM7WtY13ZELRyosK4k93oPr44=
-github.com/spf13/viper v1.12.0/go.mod h1:b6COn30jlNxbm/V2IqWiNWkJ+vZNiMNksliPCiuKtSI=
+github.com/spf13/viper v1.11.0/go.mod h1:djo0X/bA5+tYVoCn+C7cAYJGcVn/qYLFTG8gdUsX7Zk=
 github.com/ssgreg/nlreturn/v2 v2.2.1/go.mod h1:E/iiPB78hV7Szg2YfRgyIrk1AD6JVMTRkkxBiELzh2I=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
-github.com/stretchr/objx v0.4.0 h1:M2gUjqZET1qApGOWNSnZ49BAIMX4F/1plDv3+l31EJ4=
+github.com/stretchr/objx v0.3.0 h1:NGXK3lHquSN08v5vWalVI/L8XU9hdzE/G6xsrze47As=
-github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/testify v0.0.0-20170130113145-4d4bfba8f1d1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.1.4/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
@@ -893,16 +901,14 @@ github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81P
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1 h1:5TQK59W5E3v0r2duFAb7P95B6hEeOyEnHRa8MjYSMTY=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.8.0 h1:pSgiaMZlXftHpm5L7V1+rVB+AZJydKsMxsQBIJw4PKk=
+github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
-github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
-github.com/subosito/gotenv v1.3.0 h1:mjC+YW8QpAdXibNi+vNWgzmgBH4+5l5dCXv8cNysBLI=
-github.com/subosito/gotenv v1.3.0/go.mod h1:YzJjq/33h7nrwdY+iHMhEOEEbW0ovIz0tB6t6PwAXzs=
 github.com/sylvia7788/contextcheck v1.0.4/go.mod h1:vuPKJMQ7MQ91ZTqfdyreNKwZjyUg6KO+IebVyQDedZQ=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
-github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f h1:n4r/sJ92cBSBHK8n9lR1XLFr0OiTVeGfN5TR+9LaN7E=
+github.com/tailscale/hujson v0.0.0-20220506202205-92b4b88a9e17 h1:QaQrUggZ7U2lE3HhoPx6bDK7fO385FR7pHRYSPEv70Q=
-github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
+github.com/tailscale/hujson v0.0.0-20220506202205-92b4b88a9e17/go.mod h1:DFSS3NAGHthKo1gTlmEcSBiZrRJXi28rLNd/1udP1c8=
 github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e h1:IWllFTiDjjLIf2oeKxpIUmtiDV5sn71VgeQgg6vcE7k=
 github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e/go.mod h1:d7u6HkTYKSv5m6MCKkOQlHwaShTMl3HjqSGW3XtVhXM=
 github.com/tdakkota/asciicheck v0.0.0-20200416200610-e657995f937b/go.mod h1:yHp0ai0Z9gUljN3o0xMhYJnH/IcvkdTBOX2fmJ93JEM=
@@ -918,7 +924,10 @@ github.com/tmc/grpc-websocket-proxy v0.0.0-20200427203606-3cfed13b9966/go.mod h1
 github.com/tomarrell/wrapcheck/v2 v2.4.0/go.mod h1:68bQ/eJg55BROaRTbMjC7vuhL2OgfoG8bLp9ZyoBfyY=
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4=
 github.com/tommy-muehle/go-mnd/v2 v2.4.0/go.mod h1:WsUAkMJMYww6l/ufffCD3m+P7LEvr8TnZn9lwVDlgzw=
+github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
+github.com/ugorji/go/codec v1.1.7 h1:2SvQaVZ1ouYrrKKwoSk2pzd4A9evlKJb9oTL+OaLUSs=
+github.com/ugorji/go/codec v1.1.7/go.mod h1:Ax+UKWsSmolVDwsd+7N3ZtXu+yMGCf907BLYF3GoBXY=
 github.com/ultraware/funlen v0.0.3/go.mod h1:Dp4UiAus7Wdb9KUZsYWZEWiRzGuM2kXM1lPbfaF6xhA=
 github.com/ultraware/whitespace v0.0.4/go.mod h1:aVMh/gQve5Maj9hQ/hg+F75lr/X5A89uZnzAmWSineA=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
@@ -952,6 +961,8 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.0/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
+github.com/zsais/go-gin-prometheus v0.1.0 h1:bkLv1XCdzqVgQ36ScgRi09MA2UC1t3tAB6nsfErsGO4=
+github.com/zsais/go-gin-prometheus v0.1.0/go.mod h1:Slirjzuz8uM8Cw0jmPNqbneoqcUtY2GGjn2bEd4NRLY=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
 go.etcd.io/bbolt v1.3.4/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ=
 go.etcd.io/etcd v0.0.0-20200513171258-e048e166ab9c/go.mod h1:xCI7ZzBfRuGgBXyXO6yfWfDmlWd35khcWpUa4L0xI/k=
@@ -986,9 +997,8 @@ go4.org/intern v0.0.0-20211027215823-ae77deb06f29 h1:UXLjNohABv4S58tHmeuIZDO6e3m
 go4.org/intern v0.0.0-20211027215823-ae77deb06f29/go.mod h1:cS2ma+47FKrLPdXFpr7CuxiTW3eyJbWew4qx0qtQWDA=
 go4.org/mem v0.0.0-20210711025021-927187094b94 h1:OAAkygi2Js191AJP1Ds42MhJRgeofeKGjuoUqNp1QC4=
 go4.org/mem v0.0.0-20210711025021-927187094b94/go.mod h1:reUoABIJ9ikfM5sgtSF3Wushcza7+WeD01VB9Lirh3g=
+go4.org/unsafe/assume-no-moving-gc v0.0.0-20211027215541-db492cf91b37 h1:Tx9kY6yUkLge/pFG7IEMwDZy6CS2ajFc9TvQdPCW0uA=
 go4.org/unsafe/assume-no-moving-gc v0.0.0-20211027215541-db492cf91b37/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E=
-go4.org/unsafe/assume-no-moving-gc v0.0.0-20220617031537-928513b29760 h1:FyBZqvoA/jbNzuAWLQE2kG820zMAkcilx6BMjGbL/E4=
-go4.org/unsafe/assume-no-moving-gc v0.0.0-20220617031537-928513b29760/go.mod h1:FftLjUGFEDu5k8lt0ddY+HcrH/qU/0qk+H8j9/nTl3E=
 golang.org/x/crypto v0.0.0-20180501155221-613d6eafa307/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20181029021203-45a5f77698d3/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -1011,8 +1021,9 @@ golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa h1:zuSxTR4o9y82ebqCUJYNGJbGPo6sKVl54f/TVDObg1c=
+golang.org/x/crypto v0.0.0-20211215165025-cf75a172585e/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
-golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f h1:OeJjE6G4dgCY4PIXvIRQbE8+RX+uXZyGhUy/ksMGJoc=
+golang.org/x/crypto v0.0.0-20220427172511-eb4f295cb31f/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1105,9 +1116,8 @@ golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qx
 golang.org/x/net v0.0.0-20210903162142-ad29c8ab022f/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20210928044308-7d9f5e0b762b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
+golang.org/x/net v0.0.0-20220516155154-20f960328961 h1:+W/iTMPG0EL7aW+/atntZwZrvSRIj3m3yX414dSULUU=
-golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e h1:TsQ7F31D3bUCLeqPT0u+yjp1guoArKaNKmCr22PYgTQ=
+golang.org/x/net v0.0.0-20220516155154-20f960328961/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1124,9 +1134,8 @@ golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
-golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
+golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 h1:OSnWWcOd/CtWQC2cYSBgbTSJv3ciqd8r54ySIW2y3RE=
-golang.org/x/oauth2 v0.0.0-20220808172628-8227340efae7 h1:dtndE8FcEta75/4kHF3AbpuWzV6f1LjnLrM4pe2SZrw=
+golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220808172628-8227340efae7/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1139,8 +1148,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 h1:uVc8UZUe6tr40fFVnUP5Oj+veunVezqYl9z7DYw9xzw=
+golang.org/x/sync v0.0.0-20220513210516-0976fa681c29 h1:w8s32wxx3sY+OjLlv9qltkLU5yvJzxjjgiHWLjdIcw4=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220513210516-0976fa681c29/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1197,9 +1206,11 @@ golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200831180312-196b9ba8737a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200905004654-be1d3432aa8f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201018230417-eeed37f84f13/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201126233918-771906719818/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210112080510-489259a85091/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -1214,6 +1225,7 @@ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210403161142-5e06dd20ab57/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210514084401-e8d321eab015/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -1225,23 +1237,20 @@ golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210816074244-15123e1e1f71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210823070655-63515b42dcdf/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210902050250-f475640dd07b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210915083310-ed5796bab164/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210917161153-d61c044b1678/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220319134239-a9b59b0215f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220405052023-b1e9470b6e64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220513210249-45d2b4557a2a h1:N2T1jUrTQE9Re6TFF5PhvEHXHCguynGhKjWVsIUt5cY=
-golang.org/x/sys v0.0.0-20220422013727-9388b58f7150/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220513210249-45d2b4557a2a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d h1:Zu/JngovGLVi6t2J3nmAf3AoTDwuzw85YZ3b9o4yU7s=
-golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -1481,8 +1490,8 @@ google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKr
 google.golang.org/genproto v0.0.0-20210813162853-db860fec028c/go.mod h1:cFeNkxwySK631ADgubI+/XFU/xp8FD5KIVV4rj8UC5w=
 google.golang.org/genproto v0.0.0-20210821163610-241b8fcbd6c8/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
 google.golang.org/genproto v0.0.0-20210828152312-66f60bf46e71/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY=
-google.golang.org/genproto v0.0.0-20220808204814-fd01256a5276 h1:7PEE9xCtufpGJzrqweakEEnTh7YFELmnKm/ee+5jmfQ=
+google.golang.org/genproto v0.0.0-20220422154200-b37d22cd5731 h1:nquqdM9+ps0JZcIiI70+tqoaIFS5Ql4ZuK8UXnz3HfE=
-google.golang.org/genproto v0.0.0-20220808204814-fd01256a5276/go.mod h1:dbqgFATTzChvnt+ujMdZwITVAJHFtfyN1qUhDqEiIlk=
+google.golang.org/genproto v0.0.0-20220422154200-b37d22cd5731/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
@@ -1512,8 +1521,9 @@ google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQ
 google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
 google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
-google.golang.org/grpc v1.48.0 h1:rQOsyJ/8+ufEDJd/Gdsz7HG220Mh9HAhFHRGnIjda0w=
+google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11+0rQ=
-google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
+google.golang.org/grpc v1.46.0 h1:oCjezcn6g6A75TGoKYBPgKmVBLexhYLM6MebdrPApP8=
+google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@@ -1528,8 +1538,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
+google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1564,16 +1574,15 @@ gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gorm.io/driver/postgres v1.3.5 h1:oVLmefGqBTlgeEVG6LKnH6krOlo4TZ3Q/jIK21KUMlw=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gorm.io/driver/postgres v1.3.5/go.mod h1:EGCWefLFQSVFrHGy4J8EtiHCWX5Q8t0yz2Jt9aKkGzU=
-gorm.io/driver/postgres v1.3.8 h1:8bEphSAB69t3odsCR4NDzt581iZEWQuRM27Cg6KgfPY=
+gorm.io/gorm v1.23.4 h1:1BKWM67O6CflSLcwGQR7ccfmC4ebOxQrTfOQGRE9wjg=
-gorm.io/driver/postgres v1.3.8/go.mod h1:qB98Aj6AhRO/oyu/jmZsi/YM9g6UzVCjMxO/6frFvcA=
+gorm.io/gorm v1.23.4/go.mod h1:l2lP/RyAtc1ynaTjFksBde/O8v9oOGIApu2/xRitmZk=
-gorm.io/gorm v1.23.6/go.mod h1:l2lP/RyAtc1ynaTjFksBde/O8v9oOGIApu2/xRitmZk=
-gorm.io/gorm v1.23.8 h1:h8sGJ+biDgBA1AD1Ha9gFCx7h8npU7AsLdlkX0n2TpE=
-gorm.io/gorm v1.23.8/go.mod h1:l2lP/RyAtc1ynaTjFksBde/O8v9oOGIApu2/xRitmZk=
 gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk=
-gotest.tools/v3 v3.2.0 h1:I0DwBVMGAx26dttAj1BtJLAkVGncrkkUXfJLC4Flt/I=
+gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=
+gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -1582,34 +1591,140 @@ honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.2.1/go.mod h1:lPVVZ2BS5TfnjLyizF7o7hv7j9/L+8cZY2hLyjP9cGY=
-inet.af/netaddr v0.0.0-20220617031823-097006376321 h1:B4dC8ySKTQXasnjDTMsoCMf1sQG4WsMej0WXaHxunmU=
+inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6 h1:acCzuUSQ79tGsM/O50VRFySfMm19IoMKL+sZztZkCxw=
-inet.af/netaddr v0.0.0-20220617031823-097006376321/go.mod h1:OIezDfdzOgFhuw4HuWapWq2e9l0H9tK4F1j+ETRtF3k=
+inet.af/netaddr v0.0.0-20211027220019-c74959edd3b6/go.mod h1:y3MGhcFMlh0KZPMuXXow8mpjxxAk3yoDNsp4cQz54i8=
 lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
-modernc.org/cc/v3 v3.36.0/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
+modernc.org/cc/v3 v3.33.6/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
-modernc.org/ccgo/v3 v3.0.0-20220428102840-41399a37e894/go.mod h1:eI31LL8EwEBKPpNpA4bU1/i+sKOwOrQy8D87zWUcRZc=
+modernc.org/cc/v3 v3.33.9/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
-modernc.org/ccgo/v3 v3.0.0-20220430103911-bc99d88307be/go.mod h1:bwdAnOoaIt8Ax9YdWGjxWsdkPcZyRPHqrOvJxaKAKGw=
+modernc.org/cc/v3 v3.33.11/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
-modernc.org/ccgo/v3 v3.16.4/go.mod h1:tGtX0gE9Jn7hdZFeU88slbTh1UtCYKusWOoCJuvkWsQ=
+modernc.org/cc/v3 v3.34.0/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
-modernc.org/ccgo/v3 v3.16.6/go.mod h1:tGtX0gE9Jn7hdZFeU88slbTh1UtCYKusWOoCJuvkWsQ=
+modernc.org/cc/v3 v3.35.0/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
+modernc.org/cc/v3 v3.35.4/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
+modernc.org/cc/v3 v3.35.5/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
+modernc.org/cc/v3 v3.35.7/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
+modernc.org/cc/v3 v3.35.8/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
+modernc.org/cc/v3 v3.35.10/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
+modernc.org/cc/v3 v3.35.15/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
+modernc.org/cc/v3 v3.35.16/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
+modernc.org/cc/v3 v3.35.17/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
+modernc.org/cc/v3 v3.35.18/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
+modernc.org/cc/v3 v3.35.20/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
+modernc.org/cc/v3 v3.35.22/go.mod h1:iPJg1pkwXqAV16SNgFBVYmggfMg6xhs+2oiO0vclK3g=
+modernc.org/cc/v3 v3.35.24/go.mod h1:NFUHyPn4ekoC/JHeZFfZurN6ixxawE1BnVonP/oahEI=
+modernc.org/ccgo/v3 v3.9.5/go.mod h1:umuo2EP2oDSBnD3ckjaVUXMrmeAw8C8OSICVa0iFf60=
+modernc.org/ccgo/v3 v3.10.0/go.mod h1:c0yBmkRFi7uW4J7fwx/JiijwOjeAeR2NoSaRVFPmjMw=
+modernc.org/ccgo/v3 v3.11.0/go.mod h1:dGNposbDp9TOZ/1KBxghxtUp/bzErD0/0QW4hhSaBMI=
+modernc.org/ccgo/v3 v3.11.1/go.mod h1:lWHxfsn13L3f7hgGsGlU28D9eUOf6y3ZYHKoPaKU0ag=
+modernc.org/ccgo/v3 v3.11.3/go.mod h1:0oHunRBMBiXOKdaglfMlRPBALQqsfrCKXgw9okQ3GEw=
+modernc.org/ccgo/v3 v3.12.4/go.mod h1:Bk+m6m2tsooJchP/Yk5ji56cClmN6R1cqc9o/YtbgBQ=
+modernc.org/ccgo/v3 v3.12.6/go.mod h1:0Ji3ruvpFPpz+yu+1m0wk68pdr/LENABhTrDkMDWH6c=
+modernc.org/ccgo/v3 v3.12.8/go.mod h1:Hq9keM4ZfjCDuDXxaHptpv9N24JhgBZmUG5q60iLgUo=
+modernc.org/ccgo/v3 v3.12.11/go.mod h1:0jVcmyDwDKDGWbcrzQ+xwJjbhZruHtouiBEvDfoIsdg=
+modernc.org/ccgo/v3 v3.12.14/go.mod h1:GhTu1k0YCpJSuWwtRAEHAol5W7g1/RRfS4/9hc9vF5I=
+modernc.org/ccgo/v3 v3.12.18/go.mod h1:jvg/xVdWWmZACSgOiAhpWpwHWylbJaSzayCqNOJKIhs=
+modernc.org/ccgo/v3 v3.12.20/go.mod h1:aKEdssiu7gVgSy/jjMastnv/q6wWGRbszbheXgWRHc8=
+modernc.org/ccgo/v3 v3.12.21/go.mod h1:ydgg2tEprnyMn159ZO/N4pLBqpL7NOkJ88GT5zNU2dE=
+modernc.org/ccgo/v3 v3.12.22/go.mod h1:nyDVFMmMWhMsgQw+5JH6B6o4MnZ+UQNw1pp52XYFPRk=
+modernc.org/ccgo/v3 v3.12.25/go.mod h1:UaLyWI26TwyIT4+ZFNjkyTbsPsY3plAEB6E7L/vZV3w=
+modernc.org/ccgo/v3 v3.12.29/go.mod h1:FXVjG7YLf9FetsS2OOYcwNhcdOLGt8S9bQ48+OP75cE=
+modernc.org/ccgo/v3 v3.12.36/go.mod h1:uP3/Fiezp/Ga8onfvMLpREq+KUjUmYMxXPO8tETHtA8=
+modernc.org/ccgo/v3 v3.12.38/go.mod h1:93O0G7baRST1vNj4wnZ49b1kLxt0xCW5Hsa2qRaZPqc=
+modernc.org/ccgo/v3 v3.12.43/go.mod h1:k+DqGXd3o7W+inNujK15S5ZYuPoWYLpF5PYougCmthU=
+modernc.org/ccgo/v3 v3.12.46/go.mod h1:UZe6EvMSqOxaJ4sznY7b23/k13R8XNlyWsO5bAmSgOE=
+modernc.org/ccgo/v3 v3.12.47/go.mod h1:m8d6p0zNps187fhBwzY/ii6gxfjob1VxWb919Nk1HUk=
+modernc.org/ccgo/v3 v3.12.50/go.mod h1:bu9YIwtg+HXQxBhsRDE+cJjQRuINuT9PUK4orOco/JI=
+modernc.org/ccgo/v3 v3.12.51/go.mod h1:gaIIlx4YpmGO2bLye04/yeblmvWEmE4BBBls4aJXFiE=
+modernc.org/ccgo/v3 v3.12.53/go.mod h1:8xWGGTFkdFEWBEsUmi+DBjwu/WLy3SSOrqEmKUjMeEg=
+modernc.org/ccgo/v3 v3.12.54/go.mod h1:yANKFTm9llTFVX1FqNKHE0aMcQb1fuPJx6p8AcUx+74=
+modernc.org/ccgo/v3 v3.12.55/go.mod h1:rsXiIyJi9psOwiBkplOaHye5L4MOOaCjHg1Fxkj7IeU=
+modernc.org/ccgo/v3 v3.12.56/go.mod h1:ljeFks3faDseCkr60JMpeDb2GSO3TKAmrzm7q9YOcMU=
+modernc.org/ccgo/v3 v3.12.57/go.mod h1:hNSF4DNVgBl8wYHpMvPqQWDQx8luqxDnNGCMM4NFNMc=
+modernc.org/ccgo/v3 v3.12.60/go.mod h1:k/Nn0zdO1xHVWjPYVshDeWKqbRWIfif5dtsIOCUVMqM=
+modernc.org/ccgo/v3 v3.12.66/go.mod h1:jUuxlCFZTUZLMV08s7B1ekHX5+LIAurKTTaugUr/EhQ=
+modernc.org/ccgo/v3 v3.12.67/go.mod h1:Bll3KwKvGROizP2Xj17GEGOTrlvB1XcVaBrC90ORO84=
+modernc.org/ccgo/v3 v3.12.73/go.mod h1:hngkB+nUUqzOf3iqsM48Gf1FZhY599qzVg1iX+BT3cQ=
+modernc.org/ccgo/v3 v3.12.81/go.mod h1:p2A1duHoBBg1mFtYvnhAnQyI6vL0uw5PGYLSIgF6rYY=
+modernc.org/ccgo/v3 v3.12.84/go.mod h1:ApbflUfa5BKadjHynCficldU1ghjen84tuM5jRynB7w=
+modernc.org/ccgo/v3 v3.12.86/go.mod h1:dN7S26DLTgVSni1PVA3KxxHTcykyDurf3OgUzNqTSrU=
+modernc.org/ccgo/v3 v3.12.90/go.mod h1:obhSc3CdivCRpYZmrvO88TXlW0NvoSVvdh/ccRjJYko=
+modernc.org/ccgo/v3 v3.12.92/go.mod h1:5yDdN7ti9KWPi5bRVWPl8UNhpEAtCjuEE7ayQnzzqHA=
+modernc.org/ccgo/v3 v3.13.1/go.mod h1:aBYVOUfIlcSnrsRVU8VRS35y2DIfpgkmVkYZ0tpIXi4=
+modernc.org/ccgo/v3 v3.15.9/go.mod h1:md59wBwDT2LznX/OTCPoVS6KIsdRgY8xqQwBV+hkTH0=
+modernc.org/ccgo/v3 v3.15.10/go.mod h1:wQKxoFn0ynxMuCLfFD09c8XPUCc8obfchoVR9Cn0fI8=
+modernc.org/ccgo/v3 v3.15.12/go.mod h1:VFePOWoCd8uDGRJpq/zfJ29D0EVzMSyID8LCMWYbX6I=
+modernc.org/ccgo/v3 v3.15.14/go.mod h1:144Sz2iBCKogb9OKwsu7hQEub3EVgOlyI8wMUPGKUXQ=
+modernc.org/ccgo/v3 v3.15.15/go.mod h1:z5qltXjU4PJl0pE5nhYQCvA9DhPHiWsl5GWl89+NSYE=
+modernc.org/ccgo/v3 v3.15.16/go.mod h1:XbKRMeMWMdq712Tr5ECgATYMrzJ+g9zAZEj2ktzBe24=
+modernc.org/ccgo/v3 v3.15.17/go.mod h1:bofnFkpRFf5gLY+mBZIyTW6FEcp26xi2lgOFk2Rlvs0=
+modernc.org/ccgo/v3 v3.15.18/go.mod h1:/2lv3WjHyanEr2sAPdGKRC38n6f0werut9BRXUjjX+A=
+modernc.org/ccorpus v1.11.1/go.mod h1:2gEUTrWqdpH2pXsmTM1ZkjeSrUWDpjMu2T6m29L/ErQ=
 modernc.org/ccorpus v1.11.6/go.mod h1:2gEUTrWqdpH2pXsmTM1ZkjeSrUWDpjMu2T6m29L/ErQ=
 modernc.org/httpfs v1.0.6/go.mod h1:7dosgurJGp0sPaRanU53W4xZYKh14wfzX420oZADeHM=
-modernc.org/libc v0.0.0-20220428101251-2d5f3daf273b/go.mod h1:p7Mg4+koNjc8jkqwcoFBJx7tXkpj00G77X7A72jXPXA=
+modernc.org/libc v1.9.8/go.mod h1:U1eq8YWr/Kc1RWCMFUWEdkTg8OTcfLw2kY8EDwl039w=
-modernc.org/libc v1.16.0/go.mod h1:N4LD6DBE9cf+Dzf9buBlzVJndKr/iJHG97vGLHYnb5A=
+modernc.org/libc v1.9.11/go.mod h1:NyF3tsA5ArIjJ83XB0JlqhjTabTCHm9aX4XMPHyQn0Q=
-modernc.org/libc v1.16.1/go.mod h1:JjJE0eu4yeK7tab2n4S1w8tlWd9MxXLRzheaRnAKymU=
+modernc.org/libc v1.11.0/go.mod h1:2lOfPmj7cz+g1MrPNmX65QCzVxgNq2C5o0jdLY2gAYg=
-modernc.org/libc v1.16.7/go.mod h1:hYIV5VZczAmGZAnG15Vdngn5HSF5cSkbvfz2B7GRuVU=
+modernc.org/libc v1.11.2/go.mod h1:ioIyrl3ETkugDO3SGZ+6EOKvlP3zSOycUETe4XM4n8M=
-modernc.org/libc v1.16.8 h1:Ux98PaOMvolgoFX/YwusFOHBnanXdGRmWgI8ciI2z4o=
+modernc.org/libc v1.11.5/go.mod h1:k3HDCP95A6U111Q5TmG3nAyUcp3kR5YFZTeDS9v8vSU=
-modernc.org/libc v1.16.8/go.mod h1:hYIV5VZczAmGZAnG15Vdngn5HSF5cSkbvfz2B7GRuVU=
+modernc.org/libc v1.11.6/go.mod h1:ddqmzR6p5i4jIGK1d/EiSw97LBcE3dK24QEwCFvgNgE=
+modernc.org/libc v1.11.11/go.mod h1:lXEp9QOOk4qAYOtL3BmMve99S5Owz7Qyowzvg6LiZso=
+modernc.org/libc v1.11.13/go.mod h1:ZYawJWlXIzXy2Pzghaf7YfM8OKacP3eZQI81PDLFdY8=
+modernc.org/libc v1.11.16/go.mod h1:+DJquzYi+DMRUtWI1YNxrlQO6TcA5+dRRiq8HWBWRC8=
+modernc.org/libc v1.11.19/go.mod h1:e0dgEame6mkydy19KKaVPBeEnyJB4LGNb0bBH1EtQ3I=
+modernc.org/libc v1.11.24/go.mod h1:FOSzE0UwookyT1TtCJrRkvsOrX2k38HoInhw+cSCUGk=
+modernc.org/libc v1.11.26/go.mod h1:SFjnYi9OSd2W7f4ct622o/PAYqk7KHv6GS8NZULIjKY=
+modernc.org/libc v1.11.27/go.mod h1:zmWm6kcFXt/jpzeCgfvUNswM0qke8qVwxqZrnddlDiE=
+modernc.org/libc v1.11.28/go.mod h1:Ii4V0fTFcbq3qrv3CNn+OGHAvzqMBvC7dBNyC4vHZlg=
+modernc.org/libc v1.11.31/go.mod h1:FpBncUkEAtopRNJj8aRo29qUiyx5AvAlAxzlx9GNaVM=
+modernc.org/libc v1.11.34/go.mod h1:+Tzc4hnb1iaX/SKAutJmfzES6awxfU1BPvrrJO0pYLg=
+modernc.org/libc v1.11.37/go.mod h1:dCQebOwoO1046yTrfUE5nX1f3YpGZQKNcITUYWlrAWo=
+modernc.org/libc v1.11.39/go.mod h1:mV8lJMo2S5A31uD0k1cMu7vrJbSA3J3waQJxpV4iqx8=
+modernc.org/libc v1.11.42/go.mod h1:yzrLDU+sSjLE+D4bIhS7q1L5UwXDOw99PLSX0BlZvSQ=
+modernc.org/libc v1.11.44/go.mod h1:KFq33jsma7F5WXiYelU8quMJasCCTnHK0mkri4yPHgA=
+modernc.org/libc v1.11.45/go.mod h1:Y192orvfVQQYFzCNsn+Xt0Hxt4DiO4USpLNXBlXg/tM=
+modernc.org/libc v1.11.47/go.mod h1:tPkE4PzCTW27E6AIKIR5IwHAQKCAtudEIeAV1/SiyBg=
+modernc.org/libc v1.11.49/go.mod h1:9JrJuK5WTtoTWIFQ7QjX2Mb/bagYdZdscI3xrvHbXjE=
+modernc.org/libc v1.11.51/go.mod h1:R9I8u9TS+meaWLdbfQhq2kFknTW0O3aw3kEMqDDxMaM=
+modernc.org/libc v1.11.53/go.mod h1:5ip5vWYPAoMulkQ5XlSJTy12Sz5U6blOQiYasilVPsU=
+modernc.org/libc v1.11.54/go.mod h1:S/FVnskbzVUrjfBqlGFIPA5m7UwB3n9fojHhCNfSsnw=
+modernc.org/libc v1.11.55/go.mod h1:j2A5YBRm6HjNkoSs/fzZrSxCuwWqcMYTDPLNx0URn3M=
+modernc.org/libc v1.11.56/go.mod h1:pakHkg5JdMLt2OgRadpPOTnyRXm/uzu+Yyg/LSLdi18=
+modernc.org/libc v1.11.58/go.mod h1:ns94Rxv0OWyoQrDqMFfWwka2BcaF6/61CqJRK9LP7S8=
+modernc.org/libc v1.11.71/go.mod h1:DUOmMYe+IvKi9n6Mycyx3DbjfzSKrdr/0Vgt3j7P5gw=
+modernc.org/libc v1.11.75/go.mod h1:dGRVugT6edz361wmD9gk6ax1AbDSe0x5vji0dGJiPT0=
+modernc.org/libc v1.11.82/go.mod h1:NF+Ek1BOl2jeC7lw3a7Jj5PWyHPwWD4aq3wVKxqV1fI=
+modernc.org/libc v1.11.86/go.mod h1:ePuYgoQLmvxdNT06RpGnaDKJmDNEkV7ZPKI2jnsvZoE=
+modernc.org/libc v1.11.87/go.mod h1:Qvd5iXTeLhI5PS0XSyqMY99282y+3euapQFxM7jYnpY=
+modernc.org/libc v1.11.88/go.mod h1:h3oIVe8dxmTcchcFuCcJ4nAWaoiwzKCdv82MM0oiIdQ=
+modernc.org/libc v1.11.98/go.mod h1:ynK5sbjsU77AP+nn61+k+wxUGRx9rOFcIqWYYMaDZ4c=
+modernc.org/libc v1.11.101/go.mod h1:wLLYgEiY2D17NbBOEp+mIJJJBGSiy7fLL4ZrGGZ+8jI=
+modernc.org/libc v1.12.0/go.mod h1:2MH3DaF/gCU8i/UBiVE1VFRos4o523M7zipmwH8SIgQ=
+modernc.org/libc v1.14.1/go.mod h1:npFeGWjmZTjFeWALQLrvklVmAxv4m80jnG3+xI8FdJk=
+modernc.org/libc v1.14.2/go.mod h1:MX1GBLnRLNdvmK9azU9LCxZ5lMyhrbEMK8rG3X/Fe34=
+modernc.org/libc v1.14.3/go.mod h1:GPIvQVOVPizzlqyRX3l756/3ppsAgg1QgPxjr5Q4agQ=
+modernc.org/libc v1.14.6/go.mod h1:2PJHINagVxO4QW/5OQdRrvMYo+bm5ClpUFfyXCYl9ak=
+modernc.org/libc v1.14.7/go.mod h1:f8xfWXW8LW41qb4X5+huVQo5dcfPlq7Cbny2TDheMv0=
+modernc.org/libc v1.14.8/go.mod h1:9+JCLb1MWSY23smyOpIPbd5ED+rSS/ieiDWUpdyO3mo=
+modernc.org/libc v1.14.10/go.mod h1:y1MtIWhwpJFpLYm6grAThtuXJKEsY6xkdZmXbRngIdo=
+modernc.org/libc v1.14.11/go.mod h1:l5/Mz/GrZwOqzwRHA3abgSCnSeJzzTl+Ify0bAwKbAw=
+modernc.org/libc v1.14.12 h1:pUBZTYoISfbb4pCf4PECENpbvwDBxeKc+/dS9LyOWFM=
+modernc.org/libc v1.14.12/go.mod h1:fJdoe23MHu2ruPQkFPPqCpToDi5cckzsbmkI6Ez0LqQ=
+modernc.org/mathutil v1.1.1/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
 modernc.org/mathutil v1.2.2/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
+modernc.org/mathutil v1.4.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
 modernc.org/mathutil v1.4.1 h1:ij3fYGe8zBF4Vu+g0oT7mB06r8sqGWKuJu1yXeR4by8=
 modernc.org/mathutil v1.4.1/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
-modernc.org/memory v1.1.1 h1:bDOL0DIDLQv7bWhP3gMvIrnoFw+Eo6F7a2QK9HPDiFU=
+modernc.org/memory v1.0.4/go.mod h1:nV2OApxradM3/OVbs2/0OsP6nPfakXpi50C7dcoHXlc=
-modernc.org/memory v1.1.1/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw=
+modernc.org/memory v1.0.5/go.mod h1:B7OYswTRnfGg+4tDH1t1OeUNnsy2viGTdME4tzd+IjM=
+modernc.org/memory v1.0.6/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw=
+modernc.org/memory v1.0.7 h1:UE3cxTRFa5tfUibAV7Jqq8P7zRY0OlJg+yWVIIaluEE=
+modernc.org/memory v1.0.7/go.mod h1:/0wo5ibyrQiaoUoH7f9D8dnglAmILJ5/cxZlRECf+Nw=
 modernc.org/opt v0.1.1/go.mod h1:WdSiB5evDcignE70guQKxYUl14mgWtbClRi5wmkkTX0=
-modernc.org/sqlite v1.17.3 h1:iE+coC5g17LtByDYDWKpR6m2Z9022YrSh3bumwOnIrI=
+modernc.org/sqlite v1.16.0 h1:DdvOGaWN0y+X7t2L7RUD63gcwbVjYZjcBZnA68g44EI=
-modernc.org/sqlite v1.17.3/go.mod h1:10hPVYar9C0kfXuTWGz8s0XtB8uAGymUy51ZzStYe3k=
+modernc.org/sqlite v1.16.0/go.mod h1:Jwe13ItpESZ+78K5WS6+AjXsUg+JvirsjN3iIDO4C8k=
 modernc.org/strutil v1.1.1/go.mod h1:DE+MQQ/hjKBZS2zNInV5hhcipt5rLPWkmpbGeW5mmdw=
-modernc.org/tcl v1.13.1/go.mod h1:XOLfOwzhkljL4itZkK6T72ckMgvj0BDsnKNdZVUOecw=
+modernc.org/tcl v1.11.2/go.mod h1:BRzgpajcGdS2qTxniOx9c/dcxjlbA7p12eJNmiriQYo=
 modernc.org/token v1.0.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
-modernc.org/z v1.5.1/go.mod h1:eWFB510QWW5Th9YGZT81s+LwvaAs3Q2yr4sP0rmLkv8=
+modernc.org/z v1.3.2/go.mod h1:PEU2oK2OEA1CfzDTd+8E908qEXhC9s0MfyKp5LZsd+k=
 mvdan.cc/gofumpt v0.1.1/go.mod h1:yXG1r1WqZVKWbVRtBWKWX9+CxGYfA51nSomhM0woR48=
 mvdan.cc/interfacer v0.0.0-20180901003855-c20040233aed/go.mod h1:Xkxe497xwlCKkIaQYRfC7CSLworTXY9RMqwhhCm+8Nc=
 mvdan.cc/lint v0.0.0-20170908181259-adc824a0674b/go.mod h1:2odslEg/xrtNQqCYg2/jCoyKnw3vv5biOc3JnIcYfL4=
@@ -1618,5 +1733,5 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
-tailscale.com v1.28.0 h1:eW5bJMqw6eu7YUjBcgJY94uIcm5Zv+xpyTxxa7ztZOM=
+tailscale.com v1.26.0 h1:P52fXdVSBjeMvlCSZew8roeFTzO+dv0MQwTrVnLEKdw=
-tailscale.com v1.28.0/go.mod h1:T9uKhlkxVPdSu1Qvp882evcS/hQ1+TAyZ7sJ/VACGRI=
+tailscale.com v1.26.0/go.mod h1:fEHdIssBhv1Ax889L8TNPDlECCcDpqYm/M+wwVbFFvw=

grpcv1.go

@@ -3,7 +3,6 @@ package headscale
 
 import (
 	"context"
-	"fmt"
 	"strings"
 	"time"
 
@@ -159,7 +158,7 @@ func (api headscaleV1APIServer) RegisterMachine(
 ) (*v1.RegisterMachineResponse, error) {
 	log.Trace().
 		Str("namespace", request.GetNamespace()).
-		Str("node_key", request.GetKey()).
+		Str("machine_key", request.GetKey()).
 		Msg("Registering machine")
 
 	machine, err := api.h.RegisterMachineFromAuthCallback(
@@ -196,11 +195,13 @@ func (api headscaleV1APIServer) SetTags(
 	}
 
 	for _, tag := range request.GetTags() {
-		err := validateTag(tag)
+		if strings.Index(tag, "tag:") != 0 {
-		if err != nil {
 			return &v1.SetTagsResponse{
-				Machine: nil,
+					Machine: nil,
-			}, status.Error(codes.InvalidArgument, err.Error())
+				}, status.Error(
+					codes.InvalidArgument,
+					"Invalid tag detected. Each tag must start with the string 'tag:'",
+				)
 		}
 	}
 
@@ -219,19 +220,6 @@ func (api headscaleV1APIServer) SetTags(
 	return &v1.SetTagsResponse{Machine: machine.toProto()}, nil
 }
 
-func validateTag(tag string) error {
-	if strings.Index(tag, "tag:") != 0 {
-		return fmt.Errorf("tag must start with the string 'tag:'")
-	}
-	if strings.ToLower(tag) != tag {
-		return fmt.Errorf("tag should be lowercase")
-	}
-	if len(strings.Fields(tag)) > 1 {
-		return fmt.Errorf("tag should not contains space")
-	}
-	return nil
-}
-
 func (api headscaleV1APIServer) DeleteMachine(
 	ctx context.Context,
 	request *v1.DeleteMachineRequest,

grpcv1_test.go

@@ -1,42 +0,0 @@
-package headscale
-
-import "testing"
-
-func Test_validateTag(t *testing.T) {
-	type args struct {
-		tag string
-	}
-	tests := []struct {
-		name    string
-		args    args
-		wantErr bool
-	}{
-		{
-			name:    "valid tag",
-			args:    args{tag: "tag:test"},
-			wantErr: false,
-		},
-		{
-			name:    "tag without tag prefix",
-			args:    args{tag: "test"},
-			wantErr: true,
-		},
-		{
-			name:    "uppercase tag",
-			args:    args{tag: "tag:tEST"},
-			wantErr: true,
-		},
-		{
-			name:    "tag that contains space",
-			args:    args{tag: "tag:this is a spaced tag"},
-			wantErr: true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			if err := validateTag(tt.args.tag); (err != nil) != tt.wantErr {
-				t.Errorf("validateTag() error = %v, wantErr %v", err, tt.wantErr)
-			}
-		})
-	}
-}

integration_cli_test.go

@@ -1,4 +1,5 @@
-//go:build integration_cli
+//go:build integration
+// +build integration
 
 package headscale
 
@@ -39,13 +40,13 @@ func (s *IntegrationCLITestSuite) SetupTest() {
 	if ppool, err := dockertest.NewPool(""); err == nil {
 		s.pool = *ppool
 	} else {
-		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
+		log.Fatalf("Could not connect to docker: %s", err)
 	}
 
 	if pnetwork, err := s.pool.CreateNetwork("headscale-test"); err == nil {
 		s.network = *pnetwork
 	} else {
-		s.FailNow(fmt.Sprintf("Could not create network: %s", err), "")
+		log.Fatalf("Could not create network: %s", err)
 	}
 
 	headscaleBuildOptions := &dockertest.BuildOptions{
@@ -55,7 +56,7 @@ func (s *IntegrationCLITestSuite) SetupTest() {
 
 	currentPath, err := os.Getwd()
 	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not determine current path: %s", err), "")
+		log.Fatalf("Could not determine current path: %s", err)
 	}
 
 	headscaleOptions := &dockertest.RunOptions{
@@ -67,33 +68,21 @@ func (s *IntegrationCLITestSuite) SetupTest() {
 		Cmd:      []string{"headscale", "serve"},
 	}
 
-	err = s.pool.RemoveContainerByName(headscaleHostname)
+	fmt.Println("Creating headscale container")
-	if err != nil {
-		s.FailNow(
-			fmt.Sprintf(
-				"Could not remove existing container before building test: %s",
-				err,
-			),
-			"",
-		)
-	}
-
-	fmt.Println("Creating headscale container for CLI tests")
 	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
 		s.headscale = *pheadscale
 	} else {
-		s.FailNow(fmt.Sprintf("Could not start headscale container: %s", err), "")
+		log.Fatalf("Could not start headscale container: %s", err)
 	}
-	fmt.Println("Created headscale container for CLI tests")
+	fmt.Println("Created headscale container")
 
-	fmt.Println("Waiting for headscale to be ready for CLI tests")
+	fmt.Println("Waiting for headscale to be ready")
 	hostEndpoint := fmt.Sprintf("localhost:%s", s.headscale.GetPort("8080/tcp"))
 
 	if err := s.pool.Retry(func() error {
 		url := fmt.Sprintf("http://%s/health", hostEndpoint)
 		resp, err := http.Get(url)
 		if err != nil {
-			fmt.Printf("headscale for CLI test is not ready: %s\n", err)
 			return err
 		}
 		if resp.StatusCode != http.StatusOK {
@@ -108,7 +97,7 @@ func (s *IntegrationCLITestSuite) SetupTest() {
 		// https://github.com/stretchr/testify/issues/849
 		return // fmt.Errorf("Could not connect to headscale: %s", err)
 	}
-	fmt.Println("headscale container is ready for CLI tests")
+	fmt.Println("headscale container is ready")
 }
 
 func (s *IntegrationCLITestSuite) TearDownTest() {
@@ -631,7 +620,7 @@ func (s *IntegrationCLITestSuite) TestNodeTagCommand() {
 	var errorOutput errOutput
 	err = json.Unmarshal([]byte(wrongTagResult), &errorOutput)
 	assert.Nil(s.T(), err)
-	assert.Contains(s.T(), errorOutput.Error, "tag must start with the string 'tag:'")
+	assert.Contains(s.T(), errorOutput.Error, "Invalid tag detected")
 
 	// Test list all nodes after added seconds
 	listAllResult, err := ExecuteCommand(

integration_common_test.go

@@ -1,14 +1,12 @@
 //go:build integration
+// +build integration
 
 package headscale
 
 import (
 	"bytes"
 	"encoding/json"
-	"errors"
 	"fmt"
-	"os"
-	"strconv"
 	"strings"
 	"time"
 
@@ -18,22 +16,16 @@ import (
 	"inet.af/netaddr"
 )
 
-const (
+const DOCKER_EXECUTE_TIMEOUT = 10 * time.Second
-	headscaleHostname      = "headscale-derp"
-	DOCKER_EXECUTE_TIMEOUT = 10 * time.Second
-)
 
 var (
-	errEnvVarEmpty = errors.New("getenv: environment variable empty")
-
 	IpPrefix4 = netaddr.MustParseIPPrefix("100.64.0.0/10")
 	IpPrefix6 = netaddr.MustParseIPPrefix("fd7a:115c:a1e0::/48")
 
 	tailscaleVersions = []string{
-		// "head",
+		"head",
-		// "unstable",
+		"unstable",
-		"1.28.0",
+		"1.26.0",
-		"1.26.2",
 		"1.24.2",
 		"1.22.2",
 		"1.20.4",
@@ -227,6 +219,7 @@ func getIPs(
 func getDNSNames(
 	headscale *dockertest.Resource,
 ) ([]string, error) {
+
 	listAllResult, err := ExecuteCommand(
 		headscale,
 		[]string{
@@ -260,6 +253,7 @@ func getDNSNames(
 func getMagicFQDN(
 	headscale *dockertest.Resource,
 ) ([]string, error) {
+
 	listAllResult, err := ExecuteCommand(
 		headscale,
 		[]string{
@@ -284,34 +278,8 @@ func getMagicFQDN(
 	hostnames := make([]string, len(listAll))
 
 	for index := range listAll {
-		hostnames[index] = fmt.Sprintf(
+		hostnames[index] = fmt.Sprintf("%s.%s.headscale.net", listAll[index].GetGivenName(), listAll[index].GetNamespace().GetName())
-			"%s.%s.headscale.net",
-			listAll[index].GetGivenName(),
-			listAll[index].GetNamespace().GetName(),
-		)
 	}
 
 	return hostnames, nil
 }
-
-func GetEnvStr(key string) (string, error) {
-	v := os.Getenv(key)
-	if v == "" {
-		return v, errEnvVarEmpty
-	}
-
-	return v, nil
-}
-
-func GetEnvBool(key string) (bool, error) {
-	s, err := GetEnvStr(key)
-	if err != nil {
-		return false, err
-	}
-	v, err := strconv.ParseBool(s)
-	if err != nil {
-		return false, err
-	}
-
-	return v, nil
-}

integration_embedded_derp_test.go

@@ -1,4 +1,4 @@
-//go:build integration_derp
+//go:build integration
 
 package headscale
 
@@ -8,6 +8,7 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@@ -27,8 +28,9 @@ import (
 )
 
 const (
-	namespaceName   = "derpnamespace"
+	headscaleHostname = "headscale-derp"
-	totalContainers = 3
+	namespaceName     = "derpnamespace"
+	totalContainers   = 3
 )
 
 type IntegrationDERPTestSuite struct {
@@ -38,50 +40,41 @@ type IntegrationDERPTestSuite struct {
 	pool      dockertest.Pool
 	networks  map[int]dockertest.Network // so we keep the containers isolated
 	headscale dockertest.Resource
-	saveLogs  bool
 
 	tailscales    map[string]dockertest.Resource
 	joinWaitGroup sync.WaitGroup
 }
 
 func TestDERPIntegrationTestSuite(t *testing.T) {
-	saveLogs, err := GetEnvBool("HEADSCALE_INTEGRATION_SAVE_LOG")
-	if err != nil {
-		saveLogs = false
-	}
-
 	s := new(IntegrationDERPTestSuite)
 
 	s.tailscales = make(map[string]dockertest.Resource)
 	s.networks = make(map[int]dockertest.Network)
-	s.saveLogs = saveLogs
 
 	suite.Run(t, s)
 
 	// HandleStats, which allows us to check if we passed and save logs
 	// is called after TearDown, so we cannot tear down containers before
 	// we have potentially saved the logs.
-	if s.saveLogs {
+	for _, tailscale := range s.tailscales {
-		for _, tailscale := range s.tailscales {
+		if err := s.pool.Purge(&tailscale); err != nil {
-			if err := s.pool.Purge(&tailscale); err != nil {
-				log.Printf("Could not purge resource: %s\n", err)
-			}
-		}
-
-		if !s.stats.Passed() {
-			err := s.saveLog(&s.headscale, "test_output")
-			if err != nil {
-				log.Printf("Could not save log: %s\n", err)
-			}
-		}
-		if err := s.pool.Purge(&s.headscale); err != nil {
 			log.Printf("Could not purge resource: %s\n", err)
 		}
+	}
 
-		for _, network := range s.networks {
+	if !s.stats.Passed() {
-			if err := network.Close(); err != nil {
+		err := s.saveLog(&s.headscale, "test_output")
-				log.Printf("Could not close network: %s\n", err)
+		if err != nil {
-			}
+			log.Printf("Could not save log: %s\n", err)
+		}
+	}
+	if err := s.pool.Purge(&s.headscale); err != nil {
+		log.Printf("Could not purge resource: %s\n", err)
+	}
+
+	for _, network := range s.networks {
+		if err := network.Close(); err != nil {
+			log.Printf("Could not close network: %s\n", err)
 		}
 	}
 }
@@ -90,14 +83,14 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 	if ppool, err := dockertest.NewPool(""); err == nil {
 		s.pool = *ppool
 	} else {
-		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
+		log.Fatalf("Could not connect to docker: %s", err)
 	}
 
 	for i := 0; i < totalContainers; i++ {
 		if pnetwork, err := s.pool.CreateNetwork(fmt.Sprintf("headscale-derp-%d", i)); err == nil {
 			s.networks[i] = *pnetwork
 		} else {
-			s.FailNow(fmt.Sprintf("Could not create network: %s", err), "")
+			log.Fatalf("Could not create network: %s", err)
 		}
 	}
 
@@ -108,7 +101,7 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 
 	currentPath, err := os.Getwd()
 	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not determine current path: %s", err), "")
+		log.Fatalf("Could not determine current path: %s", err)
 	}
 
 	headscaleOptions := &dockertest.RunOptions{
@@ -127,26 +120,15 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 		},
 	}
 
-	err = s.pool.RemoveContainerByName(headscaleHostname)
+	log.Println("Creating headscale container")
-	if err != nil {
-		s.FailNow(
-			fmt.Sprintf(
-				"Could not remove existing container before building test: %s",
-				err,
-			),
-			"",
-		)
-	}
-
-	log.Println("Creating headscale container for DERP integration tests")
 	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
 		s.headscale = *pheadscale
 	} else {
-		s.FailNow(fmt.Sprintf("Could not start headscale container: %s", err), "")
+		log.Fatalf("Could not start headscale container: %s", err)
 	}
-	log.Println("Created headscale container for embedded DERP tests")
+	log.Println("Created headscale container to test DERP")
 
-	log.Println("Creating tailscale containers for embedded DERP tests")
+	log.Println("Creating tailscale containers")
 
 	for i := 0; i < totalContainers; i++ {
 		version := tailscaleVersions[i%len(tailscaleVersions)]
@@ -158,7 +140,7 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 		s.tailscales[hostname] = *container
 	}
 
-	log.Println("Waiting for headscale to be ready for embedded DERP tests")
+	log.Println("Waiting for headscale to be ready")
 	hostEndpoint := fmt.Sprintf("localhost:%s", s.headscale.GetPort("8443/tcp"))
 
 	if err := s.pool.Retry(func() error {
@@ -168,7 +150,6 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 		client := &http.Client{Transport: insecureTransport}
 		resp, err := client.Get(url)
 		if err != nil {
-			fmt.Printf("headscale for embedded DERP tests is not ready: %s\n", err)
 			return err
 		}
 
@@ -184,7 +165,7 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 		// https://github.com/stretchr/testify/issues/849
 		return // fmt.Errorf("Could not connect to headscale: %s", err)
 	}
-	log.Println("headscale container is ready for embedded DERP tests")
+	log.Println("headscale container is ready")
 
 	log.Printf("Creating headscale namespace: %s\n", namespaceName)
 	result, err := ExecuteCommand(
@@ -309,23 +290,6 @@ func (s *IntegrationDERPTestSuite) tailscaleContainer(
 }
 
 func (s *IntegrationDERPTestSuite) TearDownSuite() {
-	if !s.saveLogs {
-		for _, tailscale := range s.tailscales {
-			if err := s.pool.Purge(&tailscale); err != nil {
-				log.Printf("Could not purge resource: %s\n", err)
-			}
-		}
-
-		if err := s.pool.Purge(&s.headscale); err != nil {
-			log.Printf("Could not purge resource: %s\n", err)
-		}
-
-		for _, network := range s.networks {
-			if err := network.Close(); err != nil {
-				log.Printf("Could not close network: %s\n", err)
-			}
-		}
-	}
 }
 
 func (s *IntegrationDERPTestSuite) HandleStats(
@@ -367,7 +331,7 @@ func (s *IntegrationDERPTestSuite) saveLog(
 
 	log.Printf("Saving logs for %s to %s\n", resource.Container.Name, basePath)
 
-	err = os.WriteFile(
+	err = ioutil.WriteFile(
 		path.Join(basePath, resource.Container.Name+".stdout.log"),
 		[]byte(stdout.String()),
 		0o644,
@@ -376,7 +340,7 @@ func (s *IntegrationDERPTestSuite) saveLog(
 		return err
 	}
 
-	err = os.WriteFile(
+	err = ioutil.WriteFile(
 		path.Join(basePath, resource.Container.Name+".stderr.log"),
 		[]byte(stdout.String()),
 		0o644,

integration_test.go

@@ -1,4 +1,5 @@
-//go:build integration_general
+//go:build integration
+// +build integration
 
 package headscale
 
@@ -8,6 +9,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@@ -34,7 +36,6 @@ type IntegrationTestSuite struct {
 	pool      dockertest.Pool
 	network   dockertest.Network
 	headscale dockertest.Resource
-	saveLogs  bool
 
 	namespaces map[string]TestNamespace
 
@@ -42,11 +43,6 @@ type IntegrationTestSuite struct {
 }
 
 func TestIntegrationTestSuite(t *testing.T) {
-	saveLogs, err := GetEnvBool("HEADSCALE_INTEGRATION_SAVE_LOG")
-	if err != nil {
-		saveLogs = false
-	}
-
 	s := new(IntegrationTestSuite)
 
 	s.namespaces = map[string]TestNamespace{
@@ -59,35 +55,32 @@ func TestIntegrationTestSuite(t *testing.T) {
 			tailscales: make(map[string]dockertest.Resource),
 		},
 	}
-	s.saveLogs = saveLogs
 
 	suite.Run(t, s)
 
 	// HandleStats, which allows us to check if we passed and save logs
 	// is called after TearDown, so we cannot tear down containers before
 	// we have potentially saved the logs.
-	if s.saveLogs {
+	for _, scales := range s.namespaces {
-		for _, scales := range s.namespaces {
+		for _, tailscale := range scales.tailscales {
-			for _, tailscale := range scales.tailscales {
+			if err := s.pool.Purge(&tailscale); err != nil {
-				if err := s.pool.Purge(&tailscale); err != nil {
+				log.Printf("Could not purge resource: %s\n", err)
-					log.Printf("Could not purge resource: %s\n", err)
-				}
 			}
 		}
+	}
 
-		if !s.stats.Passed() {
+	if !s.stats.Passed() {
-			err := s.saveLog(&s.headscale, "test_output")
+		err := s.saveLog(&s.headscale, "test_output")
-			if err != nil {
+		if err != nil {
-				log.Printf("Could not save log: %s\n", err)
+			log.Printf("Could not save log: %s\n", err)
-			}
-		}
-		if err := s.pool.Purge(&s.headscale); err != nil {
-			log.Printf("Could not purge resource: %s\n", err)
 		}
+	}
+	if err := s.pool.Purge(&s.headscale); err != nil {
+		log.Printf("Could not purge resource: %s\n", err)
+	}
 
-		if err := s.network.Close(); err != nil {
+	if err := s.network.Close(); err != nil {
-			log.Printf("Could not close network: %s\n", err)
+		log.Printf("Could not close network: %s\n", err)
-		}
 	}
 }
 
@@ -123,7 +116,7 @@ func (s *IntegrationTestSuite) saveLog(
 
 	log.Printf("Saving logs for %s to %s\n", resource.Container.Name, basePath)
 
-	err = os.WriteFile(
+	err = ioutil.WriteFile(
 		path.Join(basePath, resource.Container.Name+".stdout.log"),
 		[]byte(stdout.String()),
 		0o644,
@@ -132,7 +125,7 @@ func (s *IntegrationTestSuite) saveLog(
 		return err
 	}
 
-	err = os.WriteFile(
+	err = ioutil.WriteFile(
 		path.Join(basePath, resource.Container.Name+".stderr.log"),
 		[]byte(stdout.String()),
 		0o644,
@@ -216,13 +209,13 @@ func (s *IntegrationTestSuite) SetupSuite() {
 	if ppool, err := dockertest.NewPool(""); err == nil {
 		s.pool = *ppool
 	} else {
-		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
+		log.Fatalf("Could not connect to docker: %s", err)
 	}
 
 	if pnetwork, err := s.pool.CreateNetwork("headscale-test"); err == nil {
 		s.network = *pnetwork
 	} else {
-		s.FailNow(fmt.Sprintf("Could not create network: %s", err), "")
+		log.Fatalf("Could not create network: %s", err)
 	}
 
 	headscaleBuildOptions := &dockertest.BuildOptions{
@@ -232,7 +225,7 @@ func (s *IntegrationTestSuite) SetupSuite() {
 
 	currentPath, err := os.Getwd()
 	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not determine current path: %s", err), "")
+		log.Fatalf("Could not determine current path: %s", err)
 	}
 
 	headscaleOptions := &dockertest.RunOptions{
@@ -244,26 +237,15 @@ func (s *IntegrationTestSuite) SetupSuite() {
 		Cmd:      []string{"headscale", "serve"},
 	}
 
-	err = s.pool.RemoveContainerByName(headscaleHostname)
+	log.Println("Creating headscale container")
-	if err != nil {
-		s.FailNow(
-			fmt.Sprintf(
-				"Could not remove existing container before building test: %s",
-				err,
-			),
-			"",
-		)
-	}
-
-	log.Println("Creating headscale container for core integration tests")
 	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
 		s.headscale = *pheadscale
 	} else {
-		s.FailNow(fmt.Sprintf("Could not start headscale container for core integration tests: %s", err), "")
+		log.Fatalf("Could not start headscale container: %s", err)
 	}
-	log.Println("Created headscale container for core integration tests")
+	log.Println("Created headscale container")
 
-	log.Println("Creating tailscale containers for core integration tests")
+	log.Println("Creating tailscale containers")
 	for namespace, scales := range s.namespaces {
 		for i := 0; i < scales.count; i++ {
 			version := tailscaleVersions[i%len(tailscaleVersions)]
@@ -277,7 +259,7 @@ func (s *IntegrationTestSuite) SetupSuite() {
 		}
 	}
 
-	log.Println("Waiting for headscale to be ready for core integration tests")
+	log.Println("Waiting for headscale to be ready")
 	hostEndpoint := fmt.Sprintf("localhost:%s", s.headscale.GetPort("8080/tcp"))
 
 	if err := s.pool.Retry(func() error {
@@ -285,7 +267,6 @@ func (s *IntegrationTestSuite) SetupSuite() {
 
 		resp, err := http.Get(url)
 		if err != nil {
-			fmt.Printf("headscale for core integration test is not ready: %s\n", err)
 			return err
 		}
 
@@ -301,7 +282,7 @@ func (s *IntegrationTestSuite) SetupSuite() {
 		// https://github.com/stretchr/testify/issues/849
 		return // fmt.Errorf("Could not connect to headscale: %s", err)
 	}
-	log.Println("headscale container is ready for core integration tests")
+	log.Println("headscale container is ready")
 
 	for namespace, scales := range s.namespaces {
 		log.Printf("Creating headscale namespace: %s\n", namespace)
@@ -357,23 +338,6 @@ func (s *IntegrationTestSuite) SetupSuite() {
 }
 
 func (s *IntegrationTestSuite) TearDownSuite() {
-	if !s.saveLogs {
-		for _, scales := range s.namespaces {
-			for _, tailscale := range scales.tailscales {
-				if err := s.pool.Purge(&tailscale); err != nil {
-					log.Printf("Could not purge resource: %s\n", err)
-				}
-			}
-		}
-
-		if err := s.pool.Purge(&s.headscale); err != nil {
-			log.Printf("Could not purge resource: %s\n", err)
-		}
-
-		if err := s.network.Close(); err != nil {
-			log.Printf("Could not close network: %s\n", err)
-		}
-	}
 }
 
 func (s *IntegrationTestSuite) HandleStats(

integration_test/etc/alt-config.dump.gold.yaml

@@ -20,7 +20,6 @@ dns_config:
   nameservers:
     - 1.1.1.1
 ephemeral_node_inactivity_timeout: 30m
-node_update_check_interval: 10s
 grpc_allow_insecure: false
 grpc_listen_addr: :50443
 ip_prefixes:
@@ -38,6 +37,7 @@ oidc:
     - email
   strip_email_domain: true
 private_key_path: private.key
+noise_private_key_path: noise_private.key
 server_url: http://headscale:18080
 tls_client_auth_mode: relaxed
 tls_letsencrypt_cache_dir: /var/www/.cache

integration_test/etc/alt-config.yaml

@@ -2,7 +2,6 @@ log_level: trace
 acl_policy_path: ""
 db_type: sqlite3
 ephemeral_node_inactivity_timeout: 30m
-node_update_check_interval: 10s
 ip_prefixes:
   - fd7a:115c:a1e0::/48
   - 100.64.0.0/10
@@ -14,6 +13,7 @@ dns_config:
     - 1.1.1.1
 db_path: /tmp/integration_test_db.sqlite3
 private_key_path: private.key
+noise_private_key_path: noise_private.key
 listen_addr: 0.0.0.0:18080
 metrics_listen_addr: 127.0.0.1:19090
 server_url: http://headscale:18080

integration_test/etc/config.dump.gold.yaml

@@ -20,7 +20,6 @@ dns_config:
   nameservers:
     - 1.1.1.1
 ephemeral_node_inactivity_timeout: 30m
-node_update_check_interval: 10s
 grpc_allow_insecure: false
 grpc_listen_addr: :50443
 ip_prefixes:
@@ -38,6 +37,7 @@ oidc:
     - email
   strip_email_domain: true
 private_key_path: private.key
+noise_private_key_path: noise_private.key
 server_url: http://headscale:8080
 tls_client_auth_mode: relaxed
 tls_letsencrypt_cache_dir: /var/www/.cache

integration_test/etc/config.yaml

@@ -2,7 +2,6 @@ log_level: trace
 acl_policy_path: ""
 db_type: sqlite3
 ephemeral_node_inactivity_timeout: 30m
-node_update_check_interval: 10s
 ip_prefixes:
   - fd7a:115c:a1e0::/48
   - 100.64.0.0/10

integration_test/etc_embedded_derp/config.yaml

@@ -2,7 +2,6 @@ log_level: trace
 acl_policy_path: ""
 db_type: sqlite3
 ephemeral_node_inactivity_timeout: 30m
-node_update_check_interval: 10s
 ip_prefixes:
   - fd7a:115c:a1e0::/48
   - 100.64.0.0/10
@@ -14,8 +13,9 @@ dns_config:
     - 1.1.1.1
 db_path: /tmp/integration_test_db.sqlite3
 private_key_path: private.key
-listen_addr: 0.0.0.0:8443
+noise_private_key_path: noise_private.key
-server_url: https://headscale:8443
+listen_addr: 0.0.0.0:443
+server_url: https://headscale:443
 tls_cert_path: "/etc/headscale/tls/server.crt"
 tls_key_path: "/etc/headscale/tls/server.key"
 tls_client_auth_mode: disabled

machine.go

@@ -18,16 +18,15 @@ import (
 )
 
 const (
-	ErrMachineNotFound                  = Error("machine not found")
+	errMachineNotFound                  = Error("machine not found")
-	ErrMachineRouteIsNotAvailable       = Error("route is not available on machine")
+	errMachineRouteIsNotAvailable       = Error("route is not available on machine")
-	ErrMachineAddressesInvalid          = Error("failed to parse machine addresses")
+	errMachineAddressesInvalid          = Error("failed to parse machine addresses")
-	ErrMachineNotFoundRegistrationCache = Error(
+	errMachineNotFoundRegistrationCache = Error(
 		"machine not found in registration cache",
 	)
-	ErrCouldNotConvertMachineInterface = Error("failed to convert machine interface")
+	errCouldNotConvertMachineInterface = Error("failed to convert machine interface")
-	ErrHostnameTooLong                 = Error("Hostname too long")
+	errHostnameTooLong                 = Error("Hostname too long")
 	MachineGivenNameHashLength         = 8
-	MachineGivenNameTrimSize           = 2
 )
 
 const (
@@ -112,7 +111,7 @@ func (ma *MachineAddresses) Scan(destination interface{}) error {
 		return nil
 
 	default:
-		return fmt.Errorf("%w: unexpected data type %T", ErrMachineAddressesInvalid, destination)
+		return fmt.Errorf("%w: unexpected data type %T", errMachineAddressesInvalid, destination)
 	}
 }
 
@@ -337,7 +336,7 @@ func (h *Headscale) GetMachine(namespace string, name string) (*Machine, error)
 		}
 	}
 
-	return nil, ErrMachineNotFound
+	return nil, errMachineNotFound
 }
 
 // GetMachineByID finds a Machine by ID and returns the Machine struct.
@@ -362,13 +361,13 @@ func (h *Headscale) GetMachineByMachineKey(
 	return &m, nil
 }
 
-// GetMachineByNodeKey finds a Machine by its current NodeKey.
+// GetMachineByNodeKeys finds a Machine by its current NodeKey or the old one, and returns the Machine struct.
-func (h *Headscale) GetMachineByNodeKey(
+func (h *Headscale) GetMachineByNodeKeys(
-	nodeKey key.NodePublic,
+	nodeKey key.NodePublic, oldNodeKey key.NodePublic,
 ) (*Machine, error) {
 	machine := Machine{}
-	if result := h.db.Preload("Namespace").First(&machine, "node_key = ?",
+	if result := h.db.Preload("Namespace").First(&machine, "node_key = ? OR node_key = ?",
-		NodePublicKeyStripPrefix(nodeKey)); result.Error != nil {
+		NodePublicKeyStripPrefix(nodeKey), NodePublicKeyStripPrefix(oldNodeKey)); result.Error != nil {
 		return nil, result.Error
 	}
 
@@ -387,13 +386,7 @@ func (h *Headscale) UpdateMachineFromDatabase(machine *Machine) error {
 
 // SetTags takes a Machine struct pointer and update the forced tags.
 func (h *Headscale) SetTags(machine *Machine, tags []string) error {
-	newTags := []string{}
+	machine.ForcedTags = tags
-	for _, tag := range tags {
-		if !contains(newTags, tag) {
-			newTags = append(newTags, tag)
-		}
-	}
-	machine.ForcedTags = newTags
 	if err := h.UpdateACLRules(); err != nil && !errors.Is(err, errEmptyPolicy) {
 		return err
 	}
@@ -587,11 +580,14 @@ func (machine Machine) toNode(
 	}
 
 	var machineKey key.MachinePublic
-	err = machineKey.UnmarshalText(
+	if machine.MachineKey != "" {
-		[]byte(MachinePublicKeyEnsurePrefix(machine.MachineKey)),
+		// MachineKey is only used in the legacy protocol
-	)
+		err = machineKey.UnmarshalText(
-	if err != nil {
+			[]byte(MachinePublicKeyEnsurePrefix(machine.MachineKey)),
-		return nil, fmt.Errorf("failed to parse machine public key: %w", err)
+		)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse machine public key: %w", err)
+		}
 	}
 
 	var discoKey key.DiscoPublic
@@ -648,7 +644,7 @@ func (machine Machine) toNode(
 			return nil, fmt.Errorf(
 				"hostname %q is too long it cannot except 255 ASCII chars: %w",
 				hostname,
-				ErrHostnameTooLong,
+				errHostnameTooLong,
 			)
 		}
 	} else {
@@ -657,10 +653,6 @@ func (machine Machine) toNode(
 
 	hostInfo := machine.GetHostInfo()
 
-	// A node is Online if it is connected to the control server,
-	// and we now we update LastSeen every keepAliveInterval duration at least.
-	online := machine.LastSeen.After(time.Now().Add(-keepAliveInterval))
-
 	node := tailcfg.Node{
 		ID: tailcfg.NodeID(machine.ID), // this is the actual ID
 		StableID: tailcfg.StableNodeID(
@@ -677,7 +669,6 @@ func (machine Machine) toNode(
 		Endpoints:  machine.Endpoints,
 		DERP:       derp,
 
-		Online:   &online,
 		Hostinfo: hostInfo.View(),
 		Created:  machine.CreatedAt,
 		LastSeen: machine.LastSeen,
@@ -798,11 +789,11 @@ func (h *Headscale) RegisterMachineFromAuthCallback(
 
 			return machine, err
 		} else {
-			return nil, ErrCouldNotConvertMachineInterface
+			return nil, errCouldNotConvertMachineInterface
 		}
 	}
 
-	return nil, ErrMachineNotFoundRegistrationCache
+	return nil, errMachineNotFoundRegistrationCache
 }
 
 // RegisterMachine is executed from the CLI to register a new Machine using its MachineKey.
@@ -810,7 +801,7 @@ func (h *Headscale) RegisterMachine(machine Machine,
 ) (*Machine, error) {
 	log.Trace().
 		Caller().
-		Str("machine_key", machine.MachineKey).
+		Str("node_key", machine.NodeKey).
 		Msg("Registering machine")
 
 	log.Trace().
@@ -890,7 +881,7 @@ func (h *Headscale) EnableRoutes(machine *Machine, routeStrs ...string) error {
 			return fmt.Errorf(
 				"route (%s) is not available on node %s: %w",
 				machine.Hostname,
-				newRoute, ErrMachineRouteIsNotAvailable,
+				newRoute, errMachineRouteIsNotAvailable,
 			)
 		}
 	}
@@ -918,7 +909,7 @@ func (machine *Machine) RoutesToProto() *v1.Routes {
 func (h *Headscale) GenerateGivenName(suppliedName string) (string, error) {
 	// If a hostname is or will be longer than 63 chars after adding the hash,
 	// it needs to be trimmed.
-	trimmedHostnameLength := labelHostnameLength - MachineGivenNameHashLength - MachineGivenNameTrimSize
+	trimmedHostnameLength := labelHostnameLength - MachineGivenNameHashLength - 2
 
 	normalizedHostname, err := NormalizeToFQDNRules(
 		suppliedName,

machine_test.go

@@ -11,6 +11,7 @@ import (
 	"gopkg.in/check.v1"
 	"inet.af/netaddr"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
 )
 
 func (s *Suite) TestGetMachine(c *check.C) {
@@ -65,6 +66,35 @@ func (s *Suite) TestGetMachineByID(c *check.C) {
 	c.Assert(err, check.IsNil)
 }
 
+func (s *Suite) TestGetMachineByNodeKeys(c *check.C) {
+	namespace, err := app.CreateNamespace("test")
+	c.Assert(err, check.IsNil)
+
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = app.GetMachineByID(0)
+	c.Assert(err, check.NotNil)
+
+	nodeKey := key.NewNode()
+	oldNodeKey := key.NewNode()
+
+	machine := Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        NodePublicKeyStripPrefix(nodeKey.Public()),
+		DiscoKey:       "faa",
+		Hostname:       "testmachine",
+		NamespaceID:    namespace.ID,
+		RegisterMethod: RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	app.db.Save(&machine)
+
+	_, err = app.GetMachineByNodeKeys(nodeKey.Public(), oldNodeKey.Public())
+	c.Assert(err, check.IsNil)
+}
+
 func (s *Suite) TestDeleteMachine(c *check.C) {
 	namespace, err := app.CreateNamespace("test")
 	c.Assert(err, check.IsNil)
@@ -188,16 +218,8 @@ func (s *Suite) TestGetACLFilteredPeers(c *check.C) {
 		Hosts:     map[string]netaddr.IPPrefix{},
 		TagOwners: map[string][]string{},
 		ACLs: []ACL{
-			{
+			{Action: "accept", Sources: []string{"admin"}, Destinations: []string{"*:*"}},
-				Action:       "accept",
+			{Action: "accept", Sources: []string{"test"}, Destinations: []string{"test:*"}},
-				Sources:      []string{"admin"},
-				Destinations: []string{"*:*"},
-			},
-			{
-				Action:       "accept",
-				Sources:      []string{"test"},
-				Destinations: []string{"test:*"},
-			},
 		},
 		Tests: []ACLTest{},
 	}
@@ -257,12 +279,10 @@ func (s *Suite) TestExpireMachine(c *check.C) {
 
 	machineFromDB, err := app.GetMachine("test", "testmachine")
 	c.Assert(err, check.IsNil)
-	c.Assert(machineFromDB, check.NotNil)
 
 	c.Assert(machineFromDB.isExpired(), check.Equals, false)
 
-	err = app.ExpireMachine(machineFromDB)
+	app.ExpireMachine(machineFromDB)
-	c.Assert(err, check.IsNil)
 
 	c.Assert(machineFromDB.isExpired(), check.Equals, true)
 }
@@ -288,49 +308,6 @@ func (s *Suite) TestSerdeAddressStrignSlice(c *check.C) {
 	}
 }
 
-func (s *Suite) TestSetTags(c *check.C) {
-	namespace, err := app.CreateNamespace("test")
-	c.Assert(err, check.IsNil)
-
-	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil)
-	c.Assert(err, check.IsNil)
-
-	_, err = app.GetMachine("test", "testmachine")
-	c.Assert(err, check.NotNil)
-
-	machine := &Machine{
-		ID:             0,
-		MachineKey:     "foo",
-		NodeKey:        "bar",
-		DiscoKey:       "faa",
-		Hostname:       "testmachine",
-		NamespaceID:    namespace.ID,
-		RegisterMethod: RegisterMethodAuthKey,
-		AuthKeyID:      uint(pak.ID),
-	}
-	app.db.Save(machine)
-
-	// assign simple tags
-	sTags := []string{"tag:test", "tag:foo"}
-	err = app.SetTags(machine, sTags)
-	c.Assert(err, check.IsNil)
-	machine, err = app.GetMachine("test", "testmachine")
-	c.Assert(err, check.IsNil)
-	c.Assert(machine.ForcedTags, check.DeepEquals, StringList(sTags))
-
-	// assign duplicat tags, expect no errors but no doubles in DB
-	eTags := []string{"tag:bar", "tag:test", "tag:unknown", "tag:test"}
-	err = app.SetTags(machine, eTags)
-	c.Assert(err, check.IsNil)
-	machine, err = app.GetMachine("test", "testmachine")
-	c.Assert(err, check.IsNil)
-	c.Assert(
-		machine.ForcedTags,
-		check.DeepEquals,
-		StringList([]string{"tag:bar", "tag:test", "tag:unknown"}),
-	)
-}
-
 func Test_getTags(t *testing.T) {
 	type args struct {
 		aclPolicy        *ACLPolicy
@@ -971,7 +948,6 @@ func TestHeadscale_GenerateGivenName(t *testing.T) {
 					err,
 					tt.wantErr,
 				)
-
 				return
 			}
 

namespaces.go

@@ -16,10 +16,10 @@ import (
 )
 
 const (
-	ErrNamespaceExists          = Error("Namespace already exists")
+	errNamespaceExists          = Error("Namespace already exists")
-	ErrNamespaceNotFound        = Error("Namespace not found")
+	errNamespaceNotFound        = Error("Namespace not found")
-	ErrNamespaceNotEmptyOfNodes = Error("Namespace not empty: node(s) found")
+	errNamespaceNotEmptyOfNodes = Error("Namespace not empty: node(s) found")
-	ErrInvalidNamespaceName     = Error("Invalid namespace name")
+	errInvalidNamespaceName     = Error("Invalid namespace name")
 )
 
 const (
@@ -47,7 +47,7 @@ func (h *Headscale) CreateNamespace(name string) (*Namespace, error) {
 	}
 	namespace := Namespace{}
 	if err := h.db.Where("name = ?", name).First(&namespace).Error; err == nil {
-		return nil, ErrNamespaceExists
+		return nil, errNamespaceExists
 	}
 	namespace.Name = name
 	if err := h.db.Create(&namespace).Error; err != nil {
@@ -67,7 +67,7 @@ func (h *Headscale) CreateNamespace(name string) (*Namespace, error) {
 func (h *Headscale) DestroyNamespace(name string) error {
 	namespace, err := h.GetNamespace(name)
 	if err != nil {
-		return ErrNamespaceNotFound
+		return errNamespaceNotFound
 	}
 
 	machines, err := h.ListMachinesInNamespace(name)
@@ -75,7 +75,7 @@ func (h *Headscale) DestroyNamespace(name string) error {
 		return err
 	}
 	if len(machines) > 0 {
-		return ErrNamespaceNotEmptyOfNodes
+		return errNamespaceNotEmptyOfNodes
 	}
 
 	keys, err := h.ListPreAuthKeys(name)
@@ -110,9 +110,9 @@ func (h *Headscale) RenameNamespace(oldName, newName string) error {
 	}
 	_, err = h.GetNamespace(newName)
 	if err == nil {
-		return ErrNamespaceExists
+		return errNamespaceExists
 	}
-	if !errors.Is(err, ErrNamespaceNotFound) {
+	if !errors.Is(err, errNamespaceNotFound) {
 		return err
 	}
 
@@ -132,7 +132,7 @@ func (h *Headscale) GetNamespace(name string) (*Namespace, error) {
 		result.Error,
 		gorm.ErrRecordNotFound,
 	) {
-		return nil, ErrNamespaceNotFound
+		return nil, errNamespaceNotFound
 	}
 
 	return &namespace, nil
@@ -272,7 +272,7 @@ func NormalizeToFQDNRules(name string, stripEmailDomain bool) (string, error) {
 			return "", fmt.Errorf(
 				"label %v is more than 63 chars: %w",
 				elt,
-				ErrInvalidNamespaceName,
+				errInvalidNamespaceName,
 			)
 		}
 	}
@@ -285,21 +285,21 @@ func CheckForFQDNRules(name string) error {
 		return fmt.Errorf(
 			"DNS segment must not be over 63 chars. %v doesn't comply with this rule: %w",
 			name,
-			ErrInvalidNamespaceName,
+			errInvalidNamespaceName,
 		)
 	}
 	if strings.ToLower(name) != name {
 		return fmt.Errorf(
 			"DNS segment should be lowercase. %v doesn't comply with this rule: %w",
 			name,
-			ErrInvalidNamespaceName,
+			errInvalidNamespaceName,
 		)
 	}
 	if invalidCharsInNamespaceRegex.MatchString(name) {
 		return fmt.Errorf(
 			"DNS segment should only be composed of lowercase ASCII letters numbers, hyphen and dots. %v doesn't comply with theses rules: %w",
 			name,
-			ErrInvalidNamespaceName,
+			errInvalidNamespaceName,
 		)
 	}
 

namespaces_test.go

@@ -26,7 +26,7 @@ func (s *Suite) TestCreateAndDestroyNamespace(c *check.C) {
 
 func (s *Suite) TestDestroyNamespaceErrors(c *check.C) {
 	err := app.DestroyNamespace("test")
-	c.Assert(err, check.Equals, ErrNamespaceNotFound)
+	c.Assert(err, check.Equals, errNamespaceNotFound)
 
 	namespace, err := app.CreateNamespace("test")
 	c.Assert(err, check.IsNil)
@@ -60,7 +60,7 @@ func (s *Suite) TestDestroyNamespaceErrors(c *check.C) {
 	app.db.Save(&machine)
 
 	err = app.DestroyNamespace("test")
-	c.Assert(err, check.Equals, ErrNamespaceNotEmptyOfNodes)
+	c.Assert(err, check.Equals, errNamespaceNotEmptyOfNodes)
 }
 
 func (s *Suite) TestRenameNamespace(c *check.C) {
@@ -76,20 +76,20 @@ func (s *Suite) TestRenameNamespace(c *check.C) {
 	c.Assert(err, check.IsNil)
 
 	_, err = app.GetNamespace("test")
-	c.Assert(err, check.Equals, ErrNamespaceNotFound)
+	c.Assert(err, check.Equals, errNamespaceNotFound)
 
 	_, err = app.GetNamespace("test-renamed")
 	c.Assert(err, check.IsNil)
 
 	err = app.RenameNamespace("test-does-not-exit", "test")
-	c.Assert(err, check.Equals, ErrNamespaceNotFound)
+	c.Assert(err, check.Equals, errNamespaceNotFound)
 
 	namespaceTest2, err := app.CreateNamespace("test2")
 	c.Assert(err, check.IsNil)
 	c.Assert(namespaceTest2.Name, check.Equals, "test2")
 
 	err = app.RenameNamespace("test2", "test-renamed")
-	c.Assert(err, check.Equals, ErrNamespaceExists)
+	c.Assert(err, check.Equals, errNamespaceExists)
 }
 
 func (s *Suite) TestGetMapResponseUserProfiles(c *check.C) {
@@ -402,7 +402,7 @@ func (s *Suite) TestSetMachineNamespace(c *check.C) {
 	c.Assert(machine.Namespace.Name, check.Equals, newNamespace.Name)
 
 	err = app.SetMachineNamespace(&machine, "non-existing-namespace")
-	c.Assert(err, check.Equals, ErrNamespaceNotFound)
+	c.Assert(err, check.Equals, errNamespaceNotFound)
 
 	err = app.SetMachineNamespace(&machine, newNamespace.Name)
 	c.Assert(err, check.IsNil)

noise.go

@@ -0,0 +1,125 @@
+package headscale
+
+import (
+	"encoding/base64"
+	"net/http"
+
+	"github.com/gin-gonic/gin"
+	"github.com/rs/zerolog/log"
+	"golang.org/x/net/http2"
+	"golang.org/x/net/http2/h2c"
+	"tailscale.com/control/controlbase"
+	"tailscale.com/net/netutil"
+)
+
+const (
+	errWrongConnectionUpgrade = Error("wrong connection upgrade")
+	errCannotHijack           = Error("cannot hijack connection")
+	errNoiseHandshakeFailed   = Error("noise handshake failed")
+)
+
+const (
+	// ts2021UpgradePath is the path that the server listens on for the WebSockets upgrade.
+	ts2021UpgradePath = "/ts2021"
+
+	// upgradeHeader is the value of the Upgrade HTTP header used to
+	// indicate the Tailscale control protocol.
+	upgradeHeaderValue = "tailscale-control-protocol"
+
+	// handshakeHeaderName is the HTTP request header that can
+	// optionally contain base64-encoded initial handshake
+	// payload, to save an RTT.
+	handshakeHeaderName = "X-Tailscale-Handshake"
+)
+
+// NoiseUpgradeHandler is to upgrade the connection and hijack the net.Conn
+// in order to use the Noise-based TS2021 protocol. Listens in /ts2021.
+func (h *Headscale) NoiseUpgradeHandler(ctx *gin.Context) {
+	log.Trace().Caller().Msgf("Noise upgrade handler for client %s", ctx.ClientIP())
+
+	// Under normal circumpstances, we should be able to use the controlhttp.AcceptHTTP()
+	// function to do this - kindly left there by the Tailscale authors for us to use.
+	// (https://github.com/tailscale/tailscale/blob/main/control/controlhttp/server.go)
+	//
+	// However, Gin seems to be doing something funny/different with its writer (see AcceptHTTP code).
+	// This causes problems when the upgrade headers are sent in AcceptHTTP.
+	// So have getNoiseConnection() that is essentially an AcceptHTTP but using the native Gin methods.
+	noiseConn, err := h.getNoiseConnection(ctx)
+	if err != nil {
+		log.Error().Err(err).Msg("noise upgrade failed")
+		ctx.AbortWithError(http.StatusInternalServerError, err)
+
+		return
+	}
+
+	server := http.Server{}
+	server.Handler = h2c.NewHandler(h.noiseMux, &http2.Server{})
+	server.Serve(netutil.NewOneConnListener(noiseConn, nil))
+}
+
+// getNoiseConnection is basically AcceptHTTP from tailscale, but more _alla_ Gin
+// TODO(juan): Figure out why we need to do this at all.
+func (h *Headscale) getNoiseConnection(ctx *gin.Context) (*controlbase.Conn, error) {
+	next := ctx.GetHeader("Upgrade")
+	if next == "" {
+		ctx.String(http.StatusBadRequest, "missing next protocol")
+
+		return nil, errWrongConnectionUpgrade
+	}
+	if next != upgradeHeaderValue {
+		ctx.String(http.StatusBadRequest, "unknown next protocol")
+
+		return nil, errWrongConnectionUpgrade
+	}
+
+	initB64 := ctx.GetHeader(handshakeHeaderName)
+	if initB64 == "" {
+		ctx.String(http.StatusBadRequest, "missing Tailscale handshake header")
+
+		return nil, errWrongConnectionUpgrade
+	}
+	init, err := base64.StdEncoding.DecodeString(initB64)
+	if err != nil {
+		ctx.String(http.StatusBadRequest, "invalid tailscale handshake header")
+
+		return nil, errWrongConnectionUpgrade
+	}
+
+	hijacker, ok := ctx.Writer.(http.Hijacker)
+	if !ok {
+		log.Error().Caller().Err(err).Msgf("Hijack failed")
+		ctx.String(http.StatusInternalServerError, "HTTP does not support general TCP support")
+
+		return nil, errCannotHijack
+	}
+
+	// This is what changes from the original AcceptHTTP() function.
+	ctx.Header("Upgrade", upgradeHeaderValue)
+	ctx.Header("Connection", "upgrade")
+	ctx.Status(http.StatusSwitchingProtocols)
+	ctx.Writer.WriteHeaderNow()
+	// end
+
+	netConn, conn, err := hijacker.Hijack()
+	if err != nil {
+		log.Error().Caller().Err(err).Msgf("Hijack failed")
+		ctx.String(http.StatusInternalServerError, "HTTP does not support general TCP support")
+
+		return nil, errCannotHijack
+	}
+	if err := conn.Flush(); err != nil {
+		netConn.Close()
+
+		return nil, errCannotHijack
+	}
+	netConn = netutil.NewDrainBufConn(netConn, conn.Reader)
+
+	nc, err := controlbase.Server(ctx.Request.Context(), netConn, *h.noisePrivateKey, init)
+	if err != nil {
+		netConn.Close()
+
+		return nil, errNoiseHandshakeFailed
+	}
+
+	return nc, nil
+}

noise_api.go

@@ -0,0 +1,389 @@
+package headscale
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/rs/zerolog/log"
+	"gorm.io/gorm"
+	"tailscale.com/tailcfg"
+)
+
+func (h *Headscale) NoiseRegistrationHandler(
+	w http.ResponseWriter,
+	r *http.Request,
+) {
+	log.Trace().Caller().Msgf("Noise registration handler for client %s", r.RemoteAddr)
+	if r.Method != http.MethodPost {
+		http.Error(w, "Wrong method", http.StatusMethodNotAllowed)
+		return
+	}
+	body, _ := io.ReadAll(r.Body)
+	req := tailcfg.RegisterRequest{}
+	if err := json.Unmarshal(body, &req); err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Cannot parse RegisterRequest")
+		machineRegistrations.WithLabelValues("unknown", "web", "error", "unknown").Inc()
+		http.Error(w, "Internal error", http.StatusInternalServerError)
+
+		return
+	}
+
+	log.Info().Caller().
+		Str("nodekey", req.NodeKey.ShortString()).
+		Str("oldnodekey", req.OldNodeKey.ShortString()).Msg("Nodekys!")
+
+	now := time.Now().UTC()
+	machine, err := h.GetMachineByNodeKeys(req.NodeKey, req.OldNodeKey)
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		log.Info().Str("machine", req.Hostinfo.Hostname).Msg("New machine via Noise")
+
+		// If the machine has AuthKey set, handle registration via PreAuthKeys
+		if req.Auth.AuthKey != "" {
+			h.handleNoiseAuthKey(w, r, req)
+
+			return
+		}
+
+		givenName, err := h.GenerateGivenName(req.Hostinfo.Hostname)
+		if err != nil {
+			log.Error().
+				Caller().
+				Str("func", "RegistrationHandler").
+				Str("hostinfo.name", req.Hostinfo.Hostname).
+				Err(err)
+
+			return
+		}
+
+		// The machine did not have a key to authenticate, which means
+		// that we rely on a method that calls back some how (OpenID or CLI)
+		// We create the machine and then keep it around until a callback
+		// happens
+		newMachine := Machine{
+			MachineKey: "",
+			Hostname:   req.Hostinfo.Hostname,
+			GivenName:  givenName,
+			NodeKey:    NodePublicKeyStripPrefix(req.NodeKey),
+			LastSeen:   &now,
+			Expiry:     &time.Time{},
+		}
+
+		if !req.Expiry.IsZero() {
+			log.Trace().
+				Caller().
+				Str("machine", req.Hostinfo.Hostname).
+				Time("expiry", req.Expiry).
+				Msg("Non-zero expiry time requested")
+			newMachine.Expiry = &req.Expiry
+		}
+
+		h.registrationCache.Set(
+			NodePublicKeyStripPrefix(req.NodeKey),
+			newMachine,
+			registerCacheExpiration,
+		)
+
+		h.handleNoiseMachineRegistrationNew(w, r, req)
+
+		return
+	}
+
+	// The machine is already registered, so we need to pass through reauth or key update.
+	if machine != nil {
+		// If the NodeKey stored in headscale is the same as the key presented in a registration
+		// request, then we have a node that is either:
+		// - Trying to log out (sending a expiry in the past)
+		// - A valid, registered machine, looking for the node map
+		// - Expired machine wanting to reauthenticate
+		if machine.NodeKey == NodePublicKeyStripPrefix(req.NodeKey) {
+			// The client sends an Expiry in the past if the client is requesting to expire the key (aka logout)
+			//   https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L648
+			if !req.Expiry.IsZero() && req.Expiry.UTC().Before(now) {
+				h.handleNoiseNodeLogOut(w, r, *machine)
+
+				return
+			}
+
+			// If machine is not expired, and is register, we have a already accepted this machine,
+			// let it proceed with a valid registration
+			if !machine.isExpired() {
+				h.handleNoiseNodeValidRegistration(w, r, *machine)
+
+				return
+			}
+		}
+
+		// The NodeKey we have matches OldNodeKey, which means this is a refresh after a key expiration
+		if machine.NodeKey == NodePublicKeyStripPrefix(req.OldNodeKey) &&
+			!machine.isExpired() {
+			h.handleNoiseNodeRefreshKey(w, r, req, *machine)
+
+			return
+		}
+
+		// The node has expired
+		h.handleNoiseNodeExpired(w, r, req, *machine)
+
+		return
+	}
+}
+
+func (h *Headscale) handleNoiseAuthKey(
+	w http.ResponseWriter,
+	r *http.Request,
+	registerRequest tailcfg.RegisterRequest,
+) {
+	log.Debug().
+		Caller().
+		Str("machine", registerRequest.Hostinfo.Hostname).
+		Msgf("Processing auth key for %s over Noise", registerRequest.Hostinfo.Hostname)
+	resp := tailcfg.RegisterResponse{}
+
+	pak, err := h.checkKeyValidity(registerRequest.Auth.AuthKey)
+	if err != nil {
+		log.Error().
+			Caller().
+			Str("machine", registerRequest.Hostinfo.Hostname).
+			Err(err).
+			Msg("Failed authentication via AuthKey")
+		resp.MachineAuthorized = false
+
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusUnauthorized)
+		json.NewEncoder(w).Encode(resp)
+
+		log.Error().
+			Caller().
+			Str("machine", registerRequest.Hostinfo.Hostname).
+			Msg("Failed authentication via AuthKey over Noise")
+
+		if pak != nil {
+			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
+				Inc()
+		} else {
+			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", "unknown").Inc()
+		}
+
+		return
+	}
+
+	log.Debug().
+		Caller().
+		Str("machine", registerRequest.Hostinfo.Hostname).
+		Msg("Authentication key was valid, proceeding to acquire IP addresses")
+
+	nodeKey := NodePublicKeyStripPrefix(registerRequest.NodeKey)
+
+	// retrieve machine information if it exist
+	// The error is not important, because if it does not
+	// exist, then this is a new machine and we will move
+	// on to registration.
+	machine, _ := h.GetMachineByNodeKeys(registerRequest.NodeKey, registerRequest.OldNodeKey)
+	if machine != nil {
+		log.Trace().
+			Caller().
+			Str("machine", machine.Hostname).
+			Msg("machine already registered, refreshing with new auth key")
+
+		machine.NodeKey = nodeKey
+		machine.AuthKeyID = uint(pak.ID)
+		h.RefreshMachine(machine, registerRequest.Expiry)
+	} else {
+		now := time.Now().UTC()
+
+		givenName, err := h.GenerateGivenName(registerRequest.Hostinfo.Hostname)
+		if err != nil {
+			log.Error().
+				Caller().
+				Str("func", "RegistrationHandler").
+				Str("hostinfo.name", registerRequest.Hostinfo.Hostname).
+				Err(err)
+
+			return
+		}
+
+		machineToRegister := Machine{
+			Hostname:       registerRequest.Hostinfo.Hostname,
+			GivenName:      givenName,
+			NamespaceID:    pak.Namespace.ID,
+			MachineKey:     "",
+			RegisterMethod: RegisterMethodAuthKey,
+			Expiry:         &registerRequest.Expiry,
+			NodeKey:        nodeKey,
+			LastSeen:       &now,
+			AuthKeyID:      uint(pak.ID),
+		}
+
+		machine, err = h.RegisterMachine(
+			machineToRegister,
+		)
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("could not register machine")
+			machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "error", pak.Namespace.Name).
+				Inc()
+			http.Error(w, "Internal error", http.StatusInternalServerError)
+
+			return
+		}
+	}
+
+	h.UsePreAuthKey(pak)
+
+	resp.MachineAuthorized = true
+	resp.User = *pak.Namespace.toUser()
+
+	machineRegistrations.WithLabelValues("new", RegisterMethodAuthKey, "success", pak.Namespace.Name).
+		Inc()
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(resp)
+
+	log.Info().
+		Caller().
+		Str("machine", registerRequest.Hostinfo.Hostname).
+		Str("ips", strings.Join(machine.IPAddresses.ToStringSlice(), ", ")).
+		Msg("Successfully authenticated via AuthKey on Noise")
+}
+
+func (h *Headscale) handleNoiseNodeValidRegistration(
+	w http.ResponseWriter,
+	r *http.Request,
+	machine Machine,
+) {
+	resp := tailcfg.RegisterResponse{}
+
+	// The machine registration is valid, respond with redirect to /map
+	log.Debug().
+		Str("machine", machine.Hostname).
+		Msg("Client is registered and we have the current NodeKey. All clear to /map")
+
+	resp.AuthURL = ""
+	resp.MachineAuthorized = true
+	resp.User = *machine.Namespace.toUser()
+	resp.Login = *machine.Namespace.toLogin()
+
+	machineRegistrations.WithLabelValues("update", "web", "success", machine.Namespace.Name).
+		Inc()
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(resp)
+}
+
+func (h *Headscale) handleNoiseMachineRegistrationNew(
+	w http.ResponseWriter,
+	r *http.Request,
+	registerRequest tailcfg.RegisterRequest,
+) {
+	resp := tailcfg.RegisterResponse{}
+
+	// The machine registration is new, redirect the client to the registration URL
+	log.Debug().
+		Str("machine", registerRequest.Hostinfo.Hostname).
+		Msg("The node is sending us a new NodeKey, sending auth url")
+	if h.cfg.OIDC.Issuer != "" {
+		resp.AuthURL = fmt.Sprintf(
+			"%s/oidc/register/%s",
+			strings.TrimSuffix(h.cfg.ServerURL, "/"),
+			NodePublicKeyStripPrefix(registerRequest.NodeKey),
+		)
+	} else {
+		resp.AuthURL = fmt.Sprintf("%s/register?key=%s",
+			strings.TrimSuffix(h.cfg.ServerURL, "/"), NodePublicKeyStripPrefix(registerRequest.NodeKey))
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(resp)
+}
+
+func (h *Headscale) handleNoiseNodeLogOut(
+	w http.ResponseWriter,
+	r *http.Request,
+	machine Machine,
+) {
+	resp := tailcfg.RegisterResponse{}
+
+	log.Info().
+		Str("machine", machine.Hostname).
+		Msg("Client requested logout")
+
+	h.ExpireMachine(&machine)
+
+	resp.AuthURL = ""
+	resp.MachineAuthorized = false
+	resp.User = *machine.Namespace.toUser()
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(resp)
+}
+
+func (h *Headscale) handleNoiseNodeRefreshKey(
+	w http.ResponseWriter,
+	r *http.Request,
+	registerRequest tailcfg.RegisterRequest,
+	machine Machine,
+) {
+	resp := tailcfg.RegisterResponse{}
+
+	log.Debug().
+		Str("machine", machine.Hostname).
+		Msg("We have the OldNodeKey in the database. This is a key refresh")
+	machine.NodeKey = NodePublicKeyStripPrefix(registerRequest.NodeKey)
+	h.db.Save(&machine)
+
+	resp.AuthURL = ""
+	resp.User = *machine.Namespace.toUser()
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(resp)
+}
+
+func (h *Headscale) handleNoiseNodeExpired(
+	w http.ResponseWriter,
+	r *http.Request,
+	registerRequest tailcfg.RegisterRequest,
+	machine Machine,
+) {
+	resp := tailcfg.RegisterResponse{}
+
+	// The client has registered before, but has expired
+	log.Debug().
+		Caller().
+		Str("machine", machine.Hostname).
+		Msg("Machine registration has expired. Sending a authurl to register")
+
+	if registerRequest.Auth.AuthKey != "" {
+		h.handleNoiseAuthKey(w, r, registerRequest)
+
+		return
+	}
+
+	if h.cfg.OIDC.Issuer != "" {
+		resp.AuthURL = fmt.Sprintf("%s/oidc/register/%s",
+			strings.TrimSuffix(h.cfg.ServerURL, "/"), machine.NodeKey)
+	} else {
+		resp.AuthURL = fmt.Sprintf("%s/register?key=%s",
+			strings.TrimSuffix(h.cfg.ServerURL, "/"), machine.NodeKey)
+	}
+
+	machineRegistrations.WithLabelValues("reauth", "web", "success", machine.Namespace.Name).
+		Inc()
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	json.NewEncoder(w).Encode(resp)
+}

noise_poll.go

@@ -0,0 +1,737 @@
+package headscale
+
+import (
+	"context"
+	"encoding/binary"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	"github.com/klauspost/compress/zstd"
+	"github.com/rs/zerolog/log"
+	"gorm.io/gorm"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
+)
+
+// NoisePollNetMapHandler takes care of /machine/:id/map using the Noise protocol
+//
+// This is the busiest endpoint, as it keeps the HTTP long poll that updates
+// the clients when something in the network changes.
+//
+// The clients POST stuff like HostInfo and their Endpoints here, but
+// only after their first request (marked with the ReadOnly field).
+//
+// At this moment the updates are sent in a quite horrendous way, but they kinda work.
+func (h *Headscale) NoisePollNetMapHandler(
+	w http.ResponseWriter,
+	r *http.Request,
+) {
+	log.Trace().
+		Str("handler", "NoisePollNetMap").
+		Msg("PollNetMapHandler called")
+	body, _ := io.ReadAll(r.Body)
+
+	req := tailcfg.MapRequest{}
+	if err := json.Unmarshal(body, &req); err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Cannot parse MapRequest")
+		http.Error(w, "Internal error", http.StatusInternalServerError)
+
+		return
+	}
+
+	machine, err := h.GetMachineByNodeKeys(req.NodeKey, key.NodePublic{})
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			log.Warn().
+				Str("handler", "NoisePollNetMap").
+				Msgf("Ignoring request, cannot find machine with key %s", req.NodeKey.String())
+			http.Error(w, "Internal error", http.StatusNotFound)
+
+			return
+		}
+		log.Error().
+			Str("handler", "NoisePollNetMap").
+			Msgf("Failed to fetch machine from the database with node key: %s", req.NodeKey.String())
+		http.Error(w, "Internal error", http.StatusInternalServerError)
+
+		return
+	}
+	log.Trace().
+		Str("handler", "NoisePollNetMap").
+		Str("machine", machine.Hostname).
+		Msg("Found machine in database")
+
+	machine.Hostname = req.Hostinfo.Hostname
+	machine.HostInfo = HostInfo(*req.Hostinfo)
+	machine.DiscoKey = DiscoPublicKeyStripPrefix(req.DiscoKey)
+	now := time.Now().UTC()
+
+	// update ACLRules with peer informations (to update server tags if necessary)
+	if h.aclPolicy != nil {
+		err = h.UpdateACLRules()
+		if err != nil {
+			log.Error().
+				Caller().
+				Str("func", "handleAuthKey").
+				Str("machine", machine.Hostname).
+				Err(err)
+		}
+	}
+
+	// From Tailscale client:
+	//
+	// ReadOnly is whether the client just wants to fetch the MapResponse,
+	// without updating their Endpoints. The Endpoints field will be ignored and
+	// LastSeen will not be updated and peers will not be notified of changes.
+	//
+	// The intended use is for clients to discover the DERP map at start-up
+	// before their first real endpoint update.
+	if !req.ReadOnly {
+		machine.Endpoints = req.Endpoints
+		machine.LastSeen = &now
+	}
+
+	if err := h.db.Updates(machine).Error; err != nil {
+		if err != nil {
+			log.Error().
+				Str("handler", "NoisePollNetMap").
+				Str("machine", machine.Hostname).
+				Err(err).
+				Msg("Failed to persist/update machine in the database")
+			http.Error(w, "Internal error", http.StatusInternalServerError)
+
+			return
+		}
+	}
+
+	resp, err := h.getNoiseMapResponse(req, machine)
+	if err != nil {
+		log.Error().
+			Str("handler", "NoisePollNetMap").
+			Str("machine", machine.Hostname).
+			Err(err).
+			Msg("Failed to get Map response")
+		http.Error(w, "Internal error", http.StatusInternalServerError)
+
+		return
+	}
+
+	// We update our peers if the client is not sending ReadOnly in the MapRequest
+	// so we don't distribute its initial request (it comes with
+	// empty endpoints to peers)
+
+	// Details on the protocol can be found in https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L696
+	log.Debug().
+		Str("handler", "NoisePollNetMap").
+		Str("machine", machine.Hostname).
+		Bool("readOnly", req.ReadOnly).
+		Bool("omitPeers", req.OmitPeers).
+		Bool("stream", req.Stream).
+		Msg("Noise client map request processed")
+
+	if req.ReadOnly {
+		log.Info().
+			Str("handler", "NoisePollNetMap").
+			Str("machine", machine.Hostname).
+			Msg("Client is starting up. Probably interested in a DERP map")
+		// w.Header().Set("Content-Type", "application/json")
+		// w.WriteHeader(http.StatusOK)
+		_, err = w.Write(resp)
+		if err != nil {
+			log.Warn().Msgf("Could not send JSON response: %s", err)
+		}
+		if f, ok := w.(http.Flusher); ok {
+			f.Flush()
+		}
+
+		log.Info().Msgf("Noise client map response sent for %s (len %d)", machine.Hostname, len(resp))
+		return
+	}
+
+	// There has been an update to _any_ of the nodes that the other nodes would
+	// need to know about
+	h.setLastStateChangeToNow(machine.Namespace.Name)
+
+	// The request is not ReadOnly, so we need to set up channels for updating
+	// peers via longpoll
+
+	// Only create update channel if it has not been created
+	log.Trace().
+		Str("handler", "NoisePollNetMap").
+		Str("machine", machine.Hostname).
+		Msg("Loading or creating update channel")
+
+	const chanSize = 8
+	updateChan := make(chan struct{}, chanSize)
+
+	pollDataChan := make(chan []byte, chanSize)
+	defer closeChanWithLog(pollDataChan, machine.Hostname, "pollDataChan")
+
+	keepAliveChan := make(chan []byte)
+
+	if req.OmitPeers && !req.Stream {
+		log.Info().
+			Str("handler", "NoisePollNetMap").
+			Str("machine", machine.Hostname).
+			Msg("Client sent endpoint update and is ok with a response without peer list")
+
+		w.Write(resp)
+		if f, ok := w.(http.Flusher); ok {
+			f.Flush()
+		}
+
+		// It sounds like we should update the nodes when we have received a endpoint update
+		// even tho the comments in the tailscale code dont explicitly say so.
+		updateRequestsFromNode.WithLabelValues(machine.Namespace.Name, machine.Hostname, "endpoint-update").
+			Inc()
+		updateChan <- struct{}{}
+
+		return
+	} else if req.OmitPeers && req.Stream {
+		log.Warn().
+			Str("handler", "NoisePollNetMap").
+			Str("machine", machine.Hostname).
+			Msg("Ignoring request, don't know how to handle it")
+		http.Error(w, "Internal error", http.StatusBadRequest)
+
+		return
+	}
+
+	log.Info().
+		Str("handler", "NoisePollNetMap").
+		Str("machine", machine.Hostname).
+		Msg("Client is ready to access the tailnet")
+	log.Info().
+		Str("handler", "NoisePollNetMap").
+		Str("machine", machine.Hostname).
+		Msg("Sending initial map")
+	pollDataChan <- resp
+
+	log.Info().
+		Str("handler", "NoisePollNetMap").
+		Str("machine", machine.Hostname).
+		Msg("Notifying peers")
+	updateRequestsFromNode.WithLabelValues(machine.Namespace.Name, machine.Hostname, "full-update").
+		Inc()
+	updateChan <- struct{}{}
+
+	h.NoisePollNetMapStream(
+		w,
+		r,
+		machine,
+		req,
+		pollDataChan,
+		keepAliveChan,
+		updateChan,
+	)
+
+	log.Trace().
+		Str("handler", "NoisePollNetMap").
+		Str("machine", machine.Hostname).
+		Msg("Finished stream, closing PollNetMap session")
+}
+
+// PollNetMapStream takes care of /machine/:id/map
+// stream logic, ensuring we communicate updates and data
+// to the connected clients.
+func (h *Headscale) NoisePollNetMapStream(
+	w http.ResponseWriter,
+	r *http.Request,
+	machine *Machine,
+	mapRequest tailcfg.MapRequest,
+	pollDataChan chan []byte,
+	keepAliveChan chan []byte,
+	updateChan chan struct{},
+) {
+	ctx := context.WithValue(context.Background(), machineNameContextKey, machine.Hostname)
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	go h.noiseScheduledPollWorker(
+		ctx,
+		updateChan,
+		keepAliveChan,
+		mapRequest,
+		machine,
+	)
+
+	for {
+		log.Trace().
+			Str("handler", "NoisePollNetMapStream").
+			Str("machine", machine.Hostname).
+			Msg("Waiting for data to stream...")
+
+		log.Trace().
+			Str("handler", "NoisePollNetMapStream").
+			Str("machine", machine.Hostname).
+			Msgf("pollData is %#v, keepAliveChan is %#v, updateChan is %#v", pollDataChan, keepAliveChan, updateChan)
+
+		select {
+		case data := <-pollDataChan:
+			log.Trace().
+				Str("handler", "NoisePollNetMapStream").
+				Str("machine", machine.Hostname).
+				Str("channel", "pollData").
+				Int("bytes", len(data)).
+				Msg("Sending data received via pollData channel")
+			_, err := w.Write(data)
+			if err != nil {
+				log.Error().
+					Str("handler", "NoisePollNetMapStream").
+					Str("machine", machine.Hostname).
+					Str("channel", "pollData").
+					Err(err).
+					Msg("Cannot write data")
+
+				break
+			}
+			if f, ok := w.(http.Flusher); ok {
+				f.Flush()
+			}
+			log.Trace().
+				Str("handler", "NoisePollNetMapStream").
+				Str("machine", machine.Hostname).
+				Str("channel", "pollData").
+				Int("bytes", len(data)).
+				Msg("Data from pollData channel written successfully")
+				// TODO(kradalby): Abstract away all the database calls, this can cause race conditions
+				// when an outdated machine object is kept alive, e.g. db is update from
+				// command line, but then overwritten.
+			err = h.UpdateMachineFromDatabase(machine)
+			if err != nil {
+				log.Error().
+					Str("handler", "NoisePollNetMapStream").
+					Str("machine", machine.Hostname).
+					Str("channel", "pollData").
+					Err(err).
+					Msg("Cannot update machine from database")
+
+				// client has been removed from database
+				// since the stream opened, terminate connection.
+				break
+			}
+			now := time.Now().UTC()
+			machine.LastSeen = &now
+
+			lastStateUpdate.WithLabelValues(machine.Namespace.Name, machine.Hostname).
+				Set(float64(now.Unix()))
+			machine.LastSuccessfulUpdate = &now
+
+			err = h.TouchMachine(machine)
+			if err != nil {
+				log.Error().
+					Str("handler", "NoisePollNetMapStream").
+					Str("machine", machine.Hostname).
+					Str("channel", "pollData").
+					Err(err).
+					Msg("Cannot update machine LastSuccessfulUpdate")
+			} else {
+				log.Trace().
+					Str("handler", "NoisePollNetMapStream").
+					Str("machine", machine.Hostname).
+					Str("channel", "pollData").
+					Int("bytes", len(data)).
+					Msg("Machine entry in database updated successfully after sending pollData")
+			}
+
+			break
+
+		case data := <-keepAliveChan:
+			log.Trace().
+				Str("handler", "NoisePollNetMapStream").
+				Str("machine", machine.Hostname).
+				Str("channel", "keepAlive").
+				Int("bytes", len(data)).
+				Msg("Sending keep alive message")
+
+			_, err := w.Write(data)
+			if f, ok := w.(http.Flusher); ok {
+				f.Flush()
+			}
+
+			if err != nil {
+				log.Error().
+					Str("handler", "NoisePollNetMapStream").
+					Str("machine", machine.Hostname).
+					Str("channel", "keepAlive").
+					Err(err).
+					Msg("Cannot write keep alive message")
+
+				break
+			}
+			log.Trace().
+				Str("handler", "NoisePollNetMapStream").
+				Str("machine", machine.Hostname).
+				Str("channel", "keepAlive").
+				Int("bytes", len(data)).
+				Msg("Keep alive sent successfully")
+				// TODO(kradalby): Abstract away all the database calls, this can cause race conditions
+				// when an outdated machine object is kept alive, e.g. db is update from
+				// command line, but then overwritten.
+			err = h.UpdateMachineFromDatabase(machine)
+			if err != nil {
+				log.Error().
+					Str("handler", "NoisePollNetMapStream").
+					Str("machine", machine.Hostname).
+					Str("channel", "keepAlive").
+					Err(err).
+					Msg("Cannot update machine from database")
+
+				// client has been removed from database
+				// since the stream opened, terminate connection.
+				break
+			}
+			now := time.Now().UTC()
+			machine.LastSeen = &now
+			err = h.TouchMachine(machine)
+			if err != nil {
+				log.Error().
+					Str("handler", "NoisePollNetMapStream").
+					Str("machine", machine.Hostname).
+					Str("channel", "keepAlive").
+					Err(err).
+					Msg("Cannot update machine LastSeen")
+			} else {
+				log.Trace().
+					Str("handler", "NoisePollNetMapStream").
+					Str("machine", machine.Hostname).
+					Str("channel", "keepAlive").
+					Int("bytes", len(data)).
+					Msg("Machine updated successfully after sending keep alive")
+			}
+
+			break
+
+		case <-updateChan:
+			log.Trace().
+				Str("handler", "NoisePollNetMapStream").
+				Str("machine", machine.Hostname).
+				Str("channel", "update").
+				Msg("Received a request for update")
+			updateRequestsReceivedOnChannel.WithLabelValues(machine.Namespace.Name, machine.Hostname).
+				Inc()
+			if h.isOutdated(machine) {
+				var lastUpdate time.Time
+				if machine.LastSuccessfulUpdate != nil {
+					lastUpdate = *machine.LastSuccessfulUpdate
+				}
+				log.Debug().
+					Str("handler", "NoisePollNetMapStream").
+					Str("machine", machine.Hostname).
+					Time("last_successful_update", lastUpdate).
+					Time("last_state_change", h.getLastStateChange(machine.Namespace.Name)).
+					Msgf("There has been updates since the last successful update to %s", machine.Hostname)
+				data, err := h.getNoiseMapResponse(mapRequest, machine)
+				if err != nil {
+					log.Error().
+						Str("handler", "NoisePollNetMapStream").
+						Str("machine", machine.Hostname).
+						Str("channel", "update").
+						Err(err).
+						Msg("Could not get the map update")
+				}
+				_, err = w.Write(data)
+				if err != nil {
+					log.Error().
+						Str("handler", "NoisePollNetMapStream").
+						Str("machine", machine.Hostname).
+						Str("channel", "update").
+						Err(err).
+						Msg("Could not write the map response")
+					updateRequestsSentToNode.WithLabelValues(machine.Namespace.Name, machine.Hostname, "failed").
+						Inc()
+
+					break
+				}
+
+				if f, ok := w.(http.Flusher); ok {
+					f.Flush()
+				}
+
+				log.Trace().
+					Str("handler", "NoisePollNetMapStream").
+					Str("machine", machine.Hostname).
+					Str("channel", "update").
+					Msg("Updated Map has been sent")
+				updateRequestsSentToNode.WithLabelValues(machine.Namespace.Name, machine.Hostname, "success").
+					Inc()
+
+				// Keep track of the last successful update,
+				// we sometimes end in a state were the update
+				// is not picked up by a client and we use this
+				// to determine if we should "force" an update.
+				// TODO(kradalby): Abstract away all the database calls, this can cause race conditions
+				// when an outdated machine object is kept alive, e.g. db is update from
+				// command line, but then overwritten.
+				err = h.UpdateMachineFromDatabase(machine)
+				if err != nil {
+					log.Error().
+						Str("handler", "NoisePollNetMapStream").
+						Str("machine", machine.Hostname).
+						Str("channel", "update").
+						Err(err).
+						Msg("Cannot update machine from database")
+
+					// client has been removed from database
+					// since the stream opened, terminate connection.
+					break
+				}
+				now := time.Now().UTC()
+
+				lastStateUpdate.WithLabelValues(machine.Namespace.Name, machine.Hostname).
+					Set(float64(now.Unix()))
+				machine.LastSuccessfulUpdate = &now
+
+				err = h.TouchMachine(machine)
+				if err != nil {
+					log.Error().
+						Str("handler", "NoisePollNetMapStream").
+						Str("machine", machine.Hostname).
+						Str("channel", "update").
+						Err(err).
+						Msg("Cannot update machine LastSuccessfulUpdate")
+				}
+			} else {
+				var lastUpdate time.Time
+				if machine.LastSuccessfulUpdate != nil {
+					lastUpdate = *machine.LastSuccessfulUpdate
+				}
+				log.Trace().
+					Str("handler", "NoisePollNetMapStream").
+					Str("machine", machine.Hostname).
+					Time("last_successful_update", lastUpdate).
+					Time("last_state_change", h.getLastStateChange(machine.Namespace.Name)).
+					Msgf("%s is up to date", machine.Hostname)
+			}
+
+			break
+
+		case <-ctx.Done():
+			log.Info().
+				Str("handler", "NoisePollNetMapStream").
+				Str("machine", machine.Hostname).
+				Msg("The client has closed the connection")
+				// TODO: Abstract away all the database calls, this can cause race conditions
+				// when an outdated machine object is kept alive, e.g. db is update from
+				// command line, but then overwritten.
+			err := h.UpdateMachineFromDatabase(machine)
+			if err != nil {
+				log.Error().
+					Str("handler", "NoisePollNetMapStream").
+					Str("machine", machine.Hostname).
+					Str("channel", "Done").
+					Err(err).
+					Msg("Cannot update machine from database")
+
+				// client has been removed from database
+				// since the stream opened, terminate connection.
+				break
+			}
+			now := time.Now().UTC()
+			machine.LastSeen = &now
+			err = h.TouchMachine(machine)
+			if err != nil {
+				log.Error().
+					Str("handler", "NoisePollNetMapStream").
+					Str("machine", machine.Hostname).
+					Str("channel", "Done").
+					Err(err).
+					Msg("Cannot update machine LastSeen")
+			}
+
+			break
+		}
+	}
+}
+
+func (h *Headscale) noiseScheduledPollWorker(
+	ctx context.Context,
+	updateChan chan struct{},
+	keepAliveChan chan []byte,
+	mapRequest tailcfg.MapRequest,
+	machine *Machine,
+) {
+	keepAliveTicker := time.NewTicker(keepAliveInterval)
+	updateCheckerTicker := time.NewTicker(updateCheckInterval)
+
+	defer closeChanWithLog(
+		updateChan,
+		fmt.Sprint(ctx.Value(machineNameContextKey)),
+		"updateChan",
+	)
+	defer closeChanWithLog(
+		keepAliveChan,
+		fmt.Sprint(ctx.Value(machineNameContextKey)),
+		"updateChan",
+	)
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+
+		case <-keepAliveTicker.C:
+			data, err := h.getNoiseMapKeepAliveResponse(mapRequest)
+			if err != nil {
+				log.Error().
+					Str("func", "keepAlive").
+					Err(err).
+					Msg("Error generating the keep alive msg")
+
+				return
+			}
+
+			log.Debug().
+				Str("func", "keepAlive").
+				Str("machine", machine.Hostname).
+				Msg("Sending keepalive")
+			keepAliveChan <- data
+
+		case <-updateCheckerTicker.C:
+			log.Debug().
+				Str("func", "scheduledPollWorker").
+				Str("machine", machine.Hostname).
+				Msg("Sending update request")
+			updateRequestsFromNode.WithLabelValues(machine.Namespace.Name, machine.Hostname, "scheduled-update").
+				Inc()
+			updateChan <- struct{}{}
+		}
+	}
+}
+
+func (h *Headscale) getNoiseMapKeepAliveResponse(req tailcfg.MapRequest) ([]byte, error) {
+	resp := tailcfg.MapResponse{
+		KeepAlive: true,
+	}
+
+	// The TS2021 protocol does not rely anymore on the machine key to
+	// encrypt in a NaCl box the map response. We just send it back
+	// unencrypted via the encrypted Noise channel.
+	// declare the incoming size on the first 4 bytes
+	respBody, err := json.Marshal(resp)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Cannot marshal map response")
+	}
+
+	var srcCompressed []byte
+	if req.Compress == "zstd" {
+		encoder, _ := zstd.NewWriter(nil)
+		srcCompressed = encoder.EncodeAll(respBody, nil)
+	} else {
+		srcCompressed = respBody
+	}
+
+	data := make([]byte, reservedResponseHeaderSize)
+	binary.LittleEndian.PutUint32(data, uint32(len(srcCompressed)))
+	data = append(data, srcCompressed...)
+
+	return data, nil
+}
+
+func (h *Headscale) getNoiseMapResponse(
+	req tailcfg.MapRequest,
+	machine *Machine,
+) ([]byte, error) {
+	log.Trace().
+		Str("func", "getNoiseMapResponse").
+		Str("machine", req.Hostinfo.Hostname).
+		Msg("Creating Map response")
+	node, err := machine.toNode(h.cfg.BaseDomain, h.cfg.DNSConfig, true)
+	if err != nil {
+		log.Error().
+			Caller().
+			Str("func", "getNoiseMapResponse").
+			Err(err).
+			Msg("Cannot convert to node")
+
+		return nil, err
+	}
+
+	peers, err := h.getValidPeers(machine)
+	if err != nil {
+		log.Error().
+			Caller().
+			Str("func", "getNoiseMapResponse").
+			Err(err).
+			Msg("Cannot fetch peers")
+
+		return nil, err
+	}
+
+	profiles := getMapResponseUserProfiles(*machine, peers)
+
+	nodePeers, err := peers.toNodes(h.cfg.BaseDomain, h.cfg.DNSConfig, true)
+	if err != nil {
+		log.Error().
+			Caller().
+			Str("func", "getNoiseMapResponse").
+			Err(err).
+			Msg("Failed to convert peers to Tailscale nodes")
+
+		return nil, err
+	}
+
+	dnsConfig := getMapResponseDNSConfig(
+		h.cfg.DNSConfig,
+		h.cfg.BaseDomain,
+		*machine,
+		peers,
+	)
+
+	resp := tailcfg.MapResponse{
+		KeepAlive:    false,
+		Node:         node,
+		Peers:        nodePeers,
+		DNSConfig:    dnsConfig,
+		Domain:       h.cfg.BaseDomain,
+		PacketFilter: h.aclRules,
+		DERPMap:      h.DERPMap,
+		UserProfiles: profiles,
+		Debug: &tailcfg.Debug{
+			DisableLogTail:      !h.cfg.LogTail.Enabled,
+			RandomizeClientPort: h.cfg.RandomizeClientPort,
+		},
+	}
+
+	log.Trace().
+		Str("func", "getNoiseMapResponse").
+		Str("machine", req.Hostinfo.Hostname).
+		Msgf("Generated map response: %s", tailMapResponseToString(resp))
+
+	// The TS2021 protocol does not rely anymore on the machine key to
+	// encrypt in a NaCl box the map response. We just send it back
+	// unencrypted via the encrypted Noise channel.
+	// declare the incoming size on the first 4 bytes
+	respBody, err := json.Marshal(resp)
+	if err != nil {
+		log.Error().
+			Caller().
+			Err(err).
+			Msg("Cannot marshal map response")
+	}
+
+	var srcCompressed []byte
+	if req.Compress == "zstd" {
+		encoder, _ := zstd.NewWriter(nil)
+		srcCompressed = encoder.EncodeAll(respBody, nil)
+	} else {
+		srcCompressed = respBody
+	}
+
+	data := make([]byte, reservedResponseHeaderSize)
+	binary.LittleEndian.PutUint32(data, uint32(len(srcCompressed)))
+	data = append(data, srcCompressed...)
+
+	return data, nil
+}

oidc.go

@@ -13,7 +13,7 @@ import (
 	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/gorilla/mux"
+	"github.com/gin-gonic/gin"
 	"github.com/rs/zerolog/log"
 	"golang.org/x/oauth2"
 	"tailscale.com/types/key"
@@ -21,13 +21,6 @@ import (
 
 const (
 	randomByteSize = 16
-
-	errEmptyOIDCCallbackParams = Error("empty OIDC callback params")
-	errNoOIDCIDToken           = Error("could not extract ID Token for OIDC callback")
-	errOIDCAllowedDomains      = Error("authenticated principal does not match any allowed domain")
-	errOIDCAllowedUsers        = Error("authenticated principal does not match any allowed user")
-	errOIDCInvalidMachineState = Error("requested machine state key expired before authorisation completed")
-	errOIDCNodeKeyMissing      = Error("could not get node key from cache")
 )
 
 type IDTokenClaims struct {
@@ -68,19 +61,12 @@ func (h *Headscale) initOIDC() error {
 }
 
 // RegisterOIDC redirects to the OIDC provider for authentication
-// Puts NodeKey in cache so the callback can retrieve it using the oidc state param
+// Puts machine key in cache so the callback can retrieve it using the oidc state param
 // Listens in /oidc/register/:nKey.
-func (h *Headscale) RegisterOIDC(
+func (h *Headscale) RegisterOIDC(ctx *gin.Context) {
-	writer http.ResponseWriter,
+	nodeKeyStr := ctx.Param("nkey")
-	req *http.Request,
+	if nodeKeyStr == "" {
-) {
+		ctx.String(http.StatusBadRequest, "Wrong params")
-	vars := mux.Vars(req)
-	nodeKeyStr, ok := vars["nkey"]
-	if !ok || nodeKeyStr == "" {
-		log.Error().
-			Caller().
-			Msg("Missing node key in URL")
-		http.Error(writer, "Missing node key in URL", http.StatusBadRequest)
 
 		return
 	}
@@ -95,14 +81,14 @@ func (h *Headscale) RegisterOIDC(
 		log.Error().
 			Caller().
 			Msg("could not read 16 bytes from rand")
-		http.Error(writer, "Internal server error", http.StatusInternalServerError)
+		ctx.String(http.StatusInternalServerError, "could not read 16 bytes from rand")
 
 		return
 	}
 
 	stateStr := hex.EncodeToString(randomBlob)[:32]
 
-	// place the node key into the state cache, so it can be retrieved later
+	// place the machine key into the state cache, so it can be retrieved later
 	h.registrationCache.Set(stateStr, nodeKeyStr, registerCacheExpiration)
 
 	// Add any extra parameter provided in the configuration to the Authorize Endpoint request
@@ -115,7 +101,7 @@ func (h *Headscale) RegisterOIDC(
 	authURL := h.oauth2Config.AuthCodeURL(stateStr, extras...)
 	log.Debug().Msgf("Redirecting to %s for authentication", authURL)
 
-	http.Redirect(writer, req, authURL, http.StatusFound)
+	ctx.Redirect(http.StatusFound, authURL)
 }
 
 type oidcCallbackTemplateConfig struct {
@@ -135,131 +121,29 @@ var oidcCallbackTemplate = template.Must(
 )
 
 // OIDCCallback handles the callback from the OIDC endpoint
-// Retrieves the nkey from the state cache and adds the machine to the users email namespace
+// Retrieves the mkey from the state cache and adds the machine to the users email namespace
 // TODO: A confirmation page for new machines should be added to avoid phishing vulnerabilities
 // TODO: Add groups information from OIDC tokens into machine HostInfo
 // Listens in /oidc/callback.
-func (h *Headscale) OIDCCallback(
+func (h *Headscale) OIDCCallback(ctx *gin.Context) {
-	writer http.ResponseWriter,
+	code := ctx.Query("code")
-	req *http.Request,
+	state := ctx.Query("state")
-) {
-	code, state, err := validateOIDCCallbackParams(writer, req)
-	if err != nil {
-		return
-	}
-
-	rawIDToken, err := h.getIDTokenForOIDCCallback(writer, code, state)
-	if err != nil {
-		return
-	}
-
-	idToken, err := h.verifyIDTokenForOIDCCallback(writer, rawIDToken)
-	if err != nil {
-		return
-	}
-
-	// TODO: we can use userinfo at some point to grab additional information about the user (groups membership, etc)
-	// userInfo, err := oidcProvider.UserInfo(context.Background(), oauth2.StaticTokenSource(oauth2Token))
-	// if err != nil {
-	// 	c.String(http.StatusBadRequest, fmt.Sprintf("Failed to retrieve userinfo"))
-	// 	return
-	// }
-
-	claims, err := extractIDTokenClaims(writer, idToken)
-	if err != nil {
-		return
-	}
-
-	if err := validateOIDCAllowedDomains(writer, h.cfg.OIDC.AllowedDomains, claims); err != nil {
-		return
-	}
-
-	if err := validateOIDCAllowedUsers(writer, h.cfg.OIDC.AllowedUsers, claims); err != nil {
-		return
-	}
-
-	nodeKey, machineExists, err := h.validateMachineForOIDCCallback(writer, state, claims)
-	if err != nil || machineExists {
-		return
-	}
-
-	namespaceName, err := getNamespaceName(writer, claims, h.cfg.OIDC.StripEmaildomain)
-	if err != nil {
-		return
-	}
-
-	// register the machine if it's new
-	log.Debug().Msg("Registering new machine after successful callback")
-
-	namespace, err := h.findOrCreateNewNamespaceForOIDCCallback(writer, namespaceName)
-	if err != nil {
-		return
-	}
-
-	if err := h.registerMachineForOIDCCallback(writer, namespace, nodeKey); err != nil {
-		return
-	}
-
-	content, err := renderOIDCCallbackTemplate(writer, claims)
-	if err != nil {
-		return
-	}
-
-	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
-	writer.WriteHeader(http.StatusOK)
-	if _, err := writer.Write(content.Bytes()); err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
-}
-
-func validateOIDCCallbackParams(
-	writer http.ResponseWriter,
-	req *http.Request,
-) (string, string, error) {
-	code := req.URL.Query().Get("code")
-	state := req.URL.Query().Get("state")
 
 	if code == "" || state == "" {
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		ctx.String(http.StatusBadRequest, "Wrong params")
-		writer.WriteHeader(http.StatusBadRequest)
-		_, err := writer.Write([]byte("Wrong params"))
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
-		return "", "", errEmptyOIDCCallbackParams
+		return
 	}
 
-	return code, state, nil
-}
-
-func (h *Headscale) getIDTokenForOIDCCallback(
-	writer http.ResponseWriter,
-	code, state string,
-) (string, error) {
 	oauth2Token, err := h.oauth2Config.Exchange(context.Background(), code)
 	if err != nil {
 		log.Error().
 			Err(err).
 			Caller().
 			Msg("Could not exchange code for token")
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		ctx.String(http.StatusBadRequest, "Could not exchange code for token")
-		writer.WriteHeader(http.StatusBadRequest)
-		_, werr := writer.Write([]byte("Could not exchange code for token"))
-		if werr != nil {
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
-		}
 
-		return "", err
+		return
 	}
 
 	log.Trace().
@@ -270,197 +154,109 @@ func (h *Headscale) getIDTokenForOIDCCallback(
 
 	rawIDToken, rawIDTokenOK := oauth2Token.Extra("id_token").(string)
 	if !rawIDTokenOK {
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		ctx.String(http.StatusBadRequest, "Could not extract ID Token")
-		writer.WriteHeader(http.StatusBadRequest)
-		_, err := writer.Write([]byte("Could not extract ID Token"))
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
-		return "", errNoOIDCIDToken
+		return
 	}
 
-	return rawIDToken, nil
-}
-
-func (h *Headscale) verifyIDTokenForOIDCCallback(
-	writer http.ResponseWriter,
-	rawIDToken string,
-) (*oidc.IDToken, error) {
 	verifier := h.oidcProvider.Verifier(&oidc.Config{ClientID: h.cfg.OIDC.ClientID})
+
 	idToken, err := verifier.Verify(context.Background(), rawIDToken)
 	if err != nil {
 		log.Error().
 			Err(err).
 			Caller().
 			Msg("failed to verify id token")
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		ctx.String(http.StatusBadRequest, "Failed to verify id token")
-		writer.WriteHeader(http.StatusBadRequest)
-		_, werr := writer.Write([]byte("Failed to verify id token"))
-		if werr != nil {
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
-		}
 
-		return nil, err
+		return
 	}
 
-	return idToken, nil
+	// TODO: we can use userinfo at some point to grab additional information about the user (groups membership, etc)
-}
+	// userInfo, err := oidcProvider.UserInfo(context.Background(), oauth2.StaticTokenSource(oauth2Token))
+	// if err != nil {
+	// 	c.String(http.StatusBadRequest, fmt.Sprintf("Failed to retrieve userinfo"))
+	// 	return
+	// }
 
-func extractIDTokenClaims(
+	// Extract custom claims
-	writer http.ResponseWriter,
-	idToken *oidc.IDToken,
-) (*IDTokenClaims, error) {
 	var claims IDTokenClaims
-	if err := idToken.Claims(claims); err != nil {
+	if err = idToken.Claims(&claims); err != nil {
 		log.Error().
 			Err(err).
 			Caller().
 			Msg("Failed to decode id token claims")
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		ctx.String(
-		writer.WriteHeader(http.StatusBadRequest)
+			http.StatusBadRequest,
-		_, werr := writer.Write([]byte("Failed to decode id token claims"))
+			"Failed to decode id token claims",
-		if werr != nil {
+		)
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
-		}
 
-		return nil, err
+		return
 	}
 
-	return &claims, nil
+	// If AllowedDomains is provided, check that the authenticated principal ends with @<alloweddomain>.
-}
+	if len(h.cfg.OIDC.AllowedDomains) > 0 {
-
-// validateOIDCAllowedDomains checks that if AllowedDomains is provided,
-// that the authenticated principal ends with @<alloweddomain>.
-func validateOIDCAllowedDomains(
-	writer http.ResponseWriter,
-	allowedDomains []string,
-	claims *IDTokenClaims,
-) error {
-	if len(allowedDomains) > 0 {
 		if at := strings.LastIndex(claims.Email, "@"); at < 0 ||
-			!IsStringInSlice(allowedDomains, claims.Email[at+1:]) {
+			!IsStringInSlice(h.cfg.OIDC.AllowedDomains, claims.Email[at+1:]) {
 			log.Error().Msg("authenticated principal does not match any allowed domain")
-			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			ctx.String(
-			writer.WriteHeader(http.StatusBadRequest)
+				http.StatusBadRequest,
-			_, err := writer.Write([]byte("unauthorized principal (domain mismatch)"))
+				"unauthorized principal (domain mismatch)",
-			if err != nil {
+			)
-				log.Error().
-					Caller().
-					Err(err).
-					Msg("Failed to write response")
-			}
 
-			return errOIDCAllowedDomains
+			return
 		}
 	}
 
-	return nil
+	// If AllowedUsers is provided, check that the authenticated princial is part of that list.
-}
+	if len(h.cfg.OIDC.AllowedUsers) > 0 &&
-
+		!IsStringInSlice(h.cfg.OIDC.AllowedUsers, claims.Email) {
-// validateOIDCAllowedUsers checks that if AllowedUsers is provided,
-// that the authenticated principal is part of that list.
-func validateOIDCAllowedUsers(
-	writer http.ResponseWriter,
-	allowedUsers []string,
-	claims *IDTokenClaims,
-) error {
-	if len(allowedUsers) > 0 &&
-		!IsStringInSlice(allowedUsers, claims.Email) {
 		log.Error().Msg("authenticated principal does not match any allowed user")
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		ctx.String(http.StatusBadRequest, "unauthorized principal (user mismatch)")
-		writer.WriteHeader(http.StatusBadRequest)
-		_, err := writer.Write([]byte("unauthorized principal (user mismatch)"))
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
-		return errOIDCAllowedUsers
+		return
 	}
 
-	return nil
+	// retrieve nodekey from state cache
-}
+	nodeKeyIf, nodeKeyFound := h.registrationCache.Get(state)
 
-// validateMachine retrieves machine information if it exist
+	if !nodeKeyFound {
-// The error is not important, because if it does not
-// exist, then this is a new machine and we will move
-// on to registration.
-func (h *Headscale) validateMachineForOIDCCallback(
-	writer http.ResponseWriter,
-	state string,
-	claims *IDTokenClaims,
-) (*key.NodePublic, bool, error) {
-	// retrieve machinekey from state cache
-	machineKeyIf, machineKeyFound := h.registrationCache.Get(state)
-	if !machineKeyFound {
 		log.Error().
 			Msg("requested machine state key expired before authorisation completed")
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		ctx.String(http.StatusBadRequest, "state has expired")
-		writer.WriteHeader(http.StatusBadRequest)
-		_, err := writer.Write([]byte("state has expired"))
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
-		return nil, false, errOIDCInvalidMachineState
+		return
 	}
 
+	nodeKeyFromCache, nodeKeyOK := nodeKeyIf.(string)
+
 	var nodeKey key.NodePublic
-	nodeKeyFromCache, nodeKeyOK := machineKeyIf.(string)
+	err = nodeKey.UnmarshalText(
-	err := nodeKey.UnmarshalText(
+		[]byte(MachinePublicKeyEnsurePrefix(nodeKeyFromCache)),
-		[]byte(NodePublicKeyEnsurePrefix(nodeKeyFromCache)),
 	)
 	if err != nil {
 		log.Error().
 			Msg("could not parse node public key")
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		ctx.String(http.StatusBadRequest, "could not parse public key")
-		writer.WriteHeader(http.StatusBadRequest)
-		_, werr := writer.Write([]byte("could not parse public key"))
-		if werr != nil {
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
-		}
 
-		return nil, false, err
+		return
 	}
 
 	if !nodeKeyOK {
 		log.Error().Msg("could not get node key from cache")
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		ctx.String(
-		writer.WriteHeader(http.StatusInternalServerError)
+			http.StatusInternalServerError,
-		_, err := writer.Write([]byte("could not get node key from cache"))
+			"could not get machine key from cache",
-		if err != nil {
+		)
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
-		return nil, false, errOIDCNodeKeyMissing
+		return
 	}
 
 	// retrieve machine information if it exist
 	// The error is not important, because if it does not
 	// exist, then this is a new machine and we will move
 	// on to registration.
-	machine, _ := h.GetMachineByNodeKey(nodeKey)
+	machine, _ := h.GetMachineByNodeKeys(nodeKey, key.NodePublic{})
 
 	if machine != nil {
 		log.Trace().
@@ -468,20 +264,7 @@ func (h *Headscale) validateMachineForOIDCCallback(
 			Str("machine", machine.Hostname).
 			Msg("machine already registered, reauthenticating")
 
-		err := h.RefreshMachine(machine, time.Time{})
+		h.RefreshMachine(machine, time.Time{})
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to refresh machine")
-			http.Error(
-				writer,
-				"Failed to refresh machine",
-				http.StatusInternalServerError,
-			)
-
-			return nil, true, err
-		}
 
 		var content bytes.Buffer
 		if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
@@ -493,69 +276,37 @@ func (h *Headscale) validateMachineForOIDCCallback(
 				Str("type", "reauthenticate").
 				Err(err).
 				Msg("Could not render OIDC callback template")
-
+			ctx.Data(
-			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+				http.StatusInternalServerError,
-			writer.WriteHeader(http.StatusInternalServerError)
+				"text/html; charset=utf-8",
-			_, werr := writer.Write([]byte("Could not render OIDC callback template"))
+				[]byte("Could not render OIDC callback template"),
-			if werr != nil {
+			)
-				log.Error().
-					Caller().
-					Err(werr).
-					Msg("Failed to write response")
-			}
-
-			return nil, true, err
 		}
 
-		writer.Header().Set("Content-Type", "text/html; charset=utf-8")
+		ctx.Data(http.StatusOK, "text/html; charset=utf-8", content.Bytes())
-		writer.WriteHeader(http.StatusOK)
-		_, err = writer.Write(content.Bytes())
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
-		return nil, true, nil
+		return
 	}
 
-	return &nodeKey, false, nil
-}
-
-func getNamespaceName(
-	writer http.ResponseWriter,
-	claims *IDTokenClaims,
-	stripEmaildomain bool,
-) (string, error) {
 	namespaceName, err := NormalizeToFQDNRules(
 		claims.Email,
-		stripEmaildomain,
+		h.cfg.OIDC.StripEmaildomain,
 	)
 	if err != nil {
 		log.Error().Err(err).Caller().Msgf("couldn't normalize email")
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		ctx.String(
-		writer.WriteHeader(http.StatusInternalServerError)
+			http.StatusInternalServerError,
-		_, werr := writer.Write([]byte("couldn't normalize email"))
+			"couldn't normalize email",
-		if werr != nil {
+		)
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
-		}
 
-		return "", err
+		return
 	}
 
-	return namespaceName, nil
+	// register the machine if it's new
-}
+	log.Debug().Msg("Registering new machine after successful callback")
 
-func (h *Headscale) findOrCreateNewNamespaceForOIDCCallback(
-	writer http.ResponseWriter,
-	namespaceName string,
-) (*Namespace, error) {
 	namespace, err := h.GetNamespace(namespaceName)
-	if errors.Is(err, ErrNamespaceNotFound) {
+	if errors.Is(err, errNamespaceNotFound) {
 		namespace, err = h.CreateNamespace(namespaceName)
 
 		if err != nil {
@@ -563,17 +314,12 @@ func (h *Headscale) findOrCreateNewNamespaceForOIDCCallback(
 				Err(err).
 				Caller().
 				Msgf("could not create new namespace '%s'", namespaceName)
-			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			ctx.String(
-			writer.WriteHeader(http.StatusInternalServerError)
+				http.StatusInternalServerError,
-			_, werr := writer.Write([]byte("could not create namespace"))
+				"could not create new namespace",
-			if werr != nil {
+			)
-				log.Error().
-					Caller().
-					Err(werr).
-					Msg("Failed to write response")
-			}
 
-			return nil, err
+			return
 		}
 	} else if err != nil {
 		log.Error().
@@ -581,58 +327,34 @@ func (h *Headscale) findOrCreateNewNamespaceForOIDCCallback(
 			Err(err).
 			Str("namespace", namespaceName).
 			Msg("could not find or create namespace")
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		ctx.String(
-		writer.WriteHeader(http.StatusInternalServerError)
+			http.StatusInternalServerError,
-		_, werr := writer.Write([]byte("could not find or create namespace"))
+			"could not find or create namespace",
-		if werr != nil {
+		)
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
-		}
 
-		return nil, err
+		return
 	}
 
-	return namespace, nil
+	nodeKeyStr := NodePublicKeyStripPrefix(nodeKey)
-}
 
-func (h *Headscale) registerMachineForOIDCCallback(
+	_, err = h.RegisterMachineFromAuthCallback(
-	writer http.ResponseWriter,
-	namespace *Namespace,
-	nodeKey *key.NodePublic,
-) error {
-	nodeKeyStr := NodePublicKeyStripPrefix(*nodeKey)
-
-	if _, err := h.RegisterMachineFromAuthCallback(
 		nodeKeyStr,
 		namespace.Name,
 		RegisterMethodOIDC,
-	); err != nil {
+	)
+	if err != nil {
 		log.Error().
 			Caller().
 			Err(err).
 			Msg("could not register machine")
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		ctx.String(
-		writer.WriteHeader(http.StatusInternalServerError)
+			http.StatusInternalServerError,
-		_, werr := writer.Write([]byte("could not register machine"))
+			"could not register machine",
-		if werr != nil {
+		)
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
-		}
 
-		return err
+		return
 	}
 
-	return nil
-}
-
-func renderOIDCCallbackTemplate(
-	writer http.ResponseWriter,
-	claims *IDTokenClaims,
-) (*bytes.Buffer, error) {
 	var content bytes.Buffer
 	if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
 		User: claims.Email,
@@ -643,19 +365,12 @@ func renderOIDCCallbackTemplate(
 			Str("type", "authenticate").
 			Err(err).
 			Msg("Could not render OIDC callback template")
-
+		ctx.Data(
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			http.StatusInternalServerError,
-		writer.WriteHeader(http.StatusInternalServerError)
+			"text/html; charset=utf-8",
-		_, werr := writer.Write([]byte("Could not render OIDC callback template"))
+			[]byte("Could not render OIDC callback template"),
-		if werr != nil {
+		)
-			log.Error().
-				Caller().
-				Err(werr).
-				Msg("Failed to write response")
-		}
-
-		return nil, err
 	}
 
-	return &content, nil
+	ctx.Data(http.StatusOK, "text/html; charset=utf-8", content.Bytes())
 }

platform_config.go

@@ -6,16 +6,13 @@ import (
 	"net/http"
 	textTemplate "text/template"
 
+	"github.com/gin-gonic/gin"
 	"github.com/gofrs/uuid"
-	"github.com/gorilla/mux"
 	"github.com/rs/zerolog/log"
 )
 
 // WindowsConfigMessage shows a simple message in the browser for how to configure the Windows Tailscale client.
-func (h *Headscale) WindowsConfigMessage(
+func (h *Headscale) WindowsConfigMessage(ctx *gin.Context) {
-	writer http.ResponseWriter,
-	req *http.Request,
-) {
 	winTemplate := template.Must(template.New("windows").Parse(`
 <html>
 	<body>
@@ -66,36 +63,20 @@ REG ADD "HKLM\Software\Tailscale IPN" /v LoginURL /t REG_SZ /d "{{.URL}}"</code>
 			Str("handler", "WindowsRegConfig").
 			Err(err).
 			Msg("Could not render Windows index template")
-
+		ctx.Data(
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			http.StatusInternalServerError,
-		writer.WriteHeader(http.StatusInternalServerError)
+			"text/html; charset=utf-8",
-		_, err := writer.Write([]byte("Could not render Windows index template"))
+			[]byte("Could not render Windows index template"),
-		if err != nil {
+		)
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
 		return
 	}
 
-	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
+	ctx.Data(http.StatusOK, "text/html; charset=utf-8", payload.Bytes())
-	writer.WriteHeader(http.StatusOK)
-	_, err := writer.Write(payload.Bytes())
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
 }
 
 // WindowsRegConfig generates and serves a .reg file configured with the Headscale server address.
-func (h *Headscale) WindowsRegConfig(
+func (h *Headscale) WindowsRegConfig(ctx *gin.Context) {
-	writer http.ResponseWriter,
-	req *http.Request,
-) {
 	config := WindowsRegistryConfig{
 		URL: h.cfg.ServerURL,
 	}
@@ -106,36 +87,24 @@ func (h *Headscale) WindowsRegConfig(
 			Str("handler", "WindowsRegConfig").
 			Err(err).
 			Msg("Could not render Apple macOS template")
-
+		ctx.Data(
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			http.StatusInternalServerError,
-		writer.WriteHeader(http.StatusInternalServerError)
+			"text/html; charset=utf-8",
-		_, err := writer.Write([]byte("Could not render Windows registry template"))
+			[]byte("Could not render Windows registry template"),
-		if err != nil {
+		)
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
 		return
 	}
 
-	writer.Header().Set("Content-Type", "text/x-ms-regedit; charset=utf-8")
+	ctx.Data(
-	writer.WriteHeader(http.StatusOK)
+		http.StatusOK,
-	_, err := writer.Write(content.Bytes())
+		"text/x-ms-regedit; charset=utf-8",
-	if err != nil {
+		content.Bytes(),
-		log.Error().
+	)
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
 }
 
 // AppleConfigMessage shows a simple message in the browser to point the user to the iOS/MacOS profile and instructions for how to install it.
-func (h *Headscale) AppleConfigMessage(
+func (h *Headscale) AppleConfigMessage(ctx *gin.Context) {
-	writer http.ResponseWriter,
-	req *http.Request,
-) {
 	appleTemplate := template.Must(template.New("apple").Parse(`
 <html>
 	<body>
@@ -196,45 +165,20 @@ func (h *Headscale) AppleConfigMessage(
 			Str("handler", "AppleMobileConfig").
 			Err(err).
 			Msg("Could not render Apple index template")
-
+		ctx.Data(
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			http.StatusInternalServerError,
-		writer.WriteHeader(http.StatusInternalServerError)
+			"text/html; charset=utf-8",
-		_, err := writer.Write([]byte("Could not render Apple index template"))
+			[]byte("Could not render Apple index template"),
-		if err != nil {
+		)
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
 		return
 	}
 
-	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
+	ctx.Data(http.StatusOK, "text/html; charset=utf-8", payload.Bytes())
-	writer.WriteHeader(http.StatusOK)
-	_, err := writer.Write(payload.Bytes())
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
 }
 
-func (h *Headscale) ApplePlatformConfig(
+func (h *Headscale) ApplePlatformConfig(ctx *gin.Context) {
-	writer http.ResponseWriter,
+	platform := ctx.Param("platform")
-	req *http.Request,
-) {
-	vars := mux.Vars(req)
-	platform, ok := vars["platform"]
-	if !ok {
-		log.Error().
-			Str("handler", "ApplePlatformConfig").
-			Msg("No platform specified")
-		http.Error(writer, "No platform specified", http.StatusBadRequest)
-
-		return
-	}
 
 	id, err := uuid.NewV4()
 	if err != nil {
@@ -242,16 +186,11 @@ func (h *Headscale) ApplePlatformConfig(
 			Str("handler", "ApplePlatformConfig").
 			Err(err).
 			Msg("Failed not create UUID")
-
+		ctx.Data(
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			http.StatusInternalServerError,
-		writer.WriteHeader(http.StatusInternalServerError)
+			"text/html; charset=utf-8",
-		_, err := writer.Write([]byte("Failed to create UUID"))
+			[]byte("Failed to create UUID"),
-		if err != nil {
+		)
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
 		return
 	}
@@ -262,16 +201,11 @@ func (h *Headscale) ApplePlatformConfig(
 			Str("handler", "ApplePlatformConfig").
 			Err(err).
 			Msg("Failed not create UUID")
-
+		ctx.Data(
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			http.StatusInternalServerError,
-		writer.WriteHeader(http.StatusInternalServerError)
+			"text/html; charset=utf-8",
-		_, err := writer.Write([]byte("Failed to create content UUID"))
+			[]byte("Failed to create UUID"),
-		if err != nil {
+		)
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
 		return
 	}
@@ -290,16 +224,11 @@ func (h *Headscale) ApplePlatformConfig(
 				Str("handler", "ApplePlatformConfig").
 				Err(err).
 				Msg("Could not render Apple macOS template")
-
+			ctx.Data(
-			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+				http.StatusInternalServerError,
-			writer.WriteHeader(http.StatusInternalServerError)
+				"text/html; charset=utf-8",
-			_, err := writer.Write([]byte("Could not render Apple macOS template"))
+				[]byte("Could not render Apple macOS template"),
-			if err != nil {
+			)
-				log.Error().
-					Caller().
-					Err(err).
-					Msg("Failed to write response")
-			}
 
 			return
 		}
@@ -309,31 +238,20 @@ func (h *Headscale) ApplePlatformConfig(
 				Str("handler", "ApplePlatformConfig").
 				Err(err).
 				Msg("Could not render Apple iOS template")
-
+			ctx.Data(
-			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+				http.StatusInternalServerError,
-			writer.WriteHeader(http.StatusInternalServerError)
+				"text/html; charset=utf-8",
-			_, err := writer.Write([]byte("Could not render Apple iOS template"))
+				[]byte("Could not render Apple iOS template"),
-			if err != nil {
+			)
-				log.Error().
-					Caller().
-					Err(err).
-					Msg("Failed to write response")
-			}
 
 			return
 		}
 	default:
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		ctx.Data(
-		writer.WriteHeader(http.StatusBadRequest)
+			http.StatusOK,
-		_, err := writer.Write(
+			"text/html; charset=utf-8",
 			[]byte("Invalid platform, only ios and macos is supported"),
 		)
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
 		return
 	}
@@ -350,30 +268,20 @@ func (h *Headscale) ApplePlatformConfig(
 			Str("handler", "ApplePlatformConfig").
 			Err(err).
 			Msg("Could not render Apple platform template")
-
+		ctx.Data(
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			http.StatusInternalServerError,
-		writer.WriteHeader(http.StatusInternalServerError)
+			"text/html; charset=utf-8",
-		_, err := writer.Write([]byte("Could not render Apple platform template"))
+			[]byte("Could not render Apple platform template"),
-		if err != nil {
+		)
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
 		return
 	}
 
-	writer.Header().
+	ctx.Data(
-		Set("Content-Type", "application/x-apple-aspen-config; charset=utf-8")
+		http.StatusOK,
-	writer.WriteHeader(http.StatusOK)
+		"application/x-apple-aspen-config; charset=utf-8",
-	_, err = writer.Write(content.Bytes())
+		content.Bytes(),
-	if err != nil {
+	)
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
 }
 
 type WindowsRegistryConfig struct {

poll.go

@@ -8,7 +8,7 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/gorilla/mux"
+	"github.com/gin-gonic/gin"
 	"github.com/rs/zerolog/log"
 	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
@@ -16,7 +16,8 @@ import (
 )
 
 const (
-	keepAliveInterval = 60 * time.Second
+	keepAliveInterval   = 60 * time.Second
+	updateCheckInterval = 10 * time.Second
 )
 
 type contextKey string
@@ -32,25 +33,13 @@ const machineNameContextKey = contextKey("machineName")
 // only after their first request (marked with the ReadOnly field).
 //
 // At this moment the updates are sent in a quite horrendous way, but they kinda work.
-func (h *Headscale) PollNetMapHandler(
+func (h *Headscale) PollNetMapHandler(ctx *gin.Context) {
-	writer http.ResponseWriter,
-	req *http.Request,
-) {
-	vars := mux.Vars(req)
-	machineKeyStr, ok := vars["mkey"]
-	if !ok || machineKeyStr == "" {
-		log.Error().
-			Str("handler", "PollNetMap").
-			Msg("No machine key in request")
-		http.Error(writer, "No machine key in request", http.StatusBadRequest)
-
-		return
-	}
 	log.Trace().
 		Str("handler", "PollNetMap").
-		Str("id", machineKeyStr).
+		Str("id", ctx.Param("id")).
 		Msg("PollNetMapHandler called")
-	body, _ := io.ReadAll(req.Body)
+	body, _ := io.ReadAll(ctx.Request.Body)
+	machineKeyStr := ctx.Param("id")
 
 	var machineKey key.MachinePublic
 	err := machineKey.UnmarshalText([]byte(MachinePublicKeyEnsurePrefix(machineKeyStr)))
@@ -59,19 +48,18 @@ func (h *Headscale) PollNetMapHandler(
 			Str("handler", "PollNetMap").
 			Err(err).
 			Msg("Cannot parse client key")
-
+		ctx.String(http.StatusBadRequest, "")
-		http.Error(writer, "Cannot parse client key", http.StatusBadRequest)
 
 		return
 	}
-	mapRequest := tailcfg.MapRequest{}
+	req := tailcfg.MapRequest{}
-	err = decode(body, &mapRequest, &machineKey, h.privateKey)
+	err = decode(body, &req, &machineKey, h.privateKey)
 	if err != nil {
 		log.Error().
 			Str("handler", "PollNetMap").
 			Err(err).
 			Msg("Cannot decode message")
-		http.Error(writer, "Cannot decode message", http.StatusBadRequest)
+		ctx.String(http.StatusBadRequest, "")
 
 		return
 	}
@@ -82,27 +70,26 @@ func (h *Headscale) PollNetMapHandler(
 			log.Warn().
 				Str("handler", "PollNetMap").
 				Msgf("Ignoring request, cannot find machine with key %s", machineKey.String())
-
+			ctx.String(http.StatusUnauthorized, "")
-			http.Error(writer, "", http.StatusUnauthorized)
 
 			return
 		}
 		log.Error().
 			Str("handler", "PollNetMap").
 			Msgf("Failed to fetch machine from the database with Machine key: %s", machineKey.String())
-		http.Error(writer, "", http.StatusInternalServerError)
+		ctx.String(http.StatusInternalServerError, "")
 
 		return
 	}
 	log.Trace().
 		Str("handler", "PollNetMap").
-		Str("id", machineKeyStr).
+		Str("id", ctx.Param("id")).
 		Str("machine", machine.Hostname).
 		Msg("Found machine in database")
 
-	machine.Hostname = mapRequest.Hostinfo.Hostname
+	machine.Hostname = req.Hostinfo.Hostname
-	machine.HostInfo = HostInfo(*mapRequest.Hostinfo)
+	machine.HostInfo = HostInfo(*req.Hostinfo)
-	machine.DiscoKey = DiscoPublicKeyStripPrefix(mapRequest.DiscoKey)
+	machine.DiscoKey = DiscoPublicKeyStripPrefix(req.DiscoKey)
 	now := time.Now().UTC()
 
 	// update ACLRules with peer informations (to update server tags if necessary)
@@ -124,8 +111,8 @@ func (h *Headscale) PollNetMapHandler(
 	//
 	// The intended use is for clients to discover the DERP map at start-up
 	// before their first real endpoint update.
-	if !mapRequest.ReadOnly {
+	if !req.ReadOnly {
-		machine.Endpoints = mapRequest.Endpoints
+		machine.Endpoints = req.Endpoints
 		machine.LastSeen = &now
 	}
 
@@ -133,25 +120,25 @@ func (h *Headscale) PollNetMapHandler(
 		if err != nil {
 			log.Error().
 				Str("handler", "PollNetMap").
-				Str("id", machineKeyStr).
+				Str("id", ctx.Param("id")).
 				Str("machine", machine.Hostname).
 				Err(err).
 				Msg("Failed to persist/update machine in the database")
-			http.Error(writer, "", http.StatusInternalServerError)
+			ctx.String(http.StatusInternalServerError, ":(")
 
 			return
 		}
 	}
 
-	data, err := h.getMapResponse(machineKey, mapRequest, machine)
+	data, err := h.getMapResponse(machineKey, req, machine)
 	if err != nil {
 		log.Error().
 			Str("handler", "PollNetMap").
-			Str("id", machineKeyStr).
+			Str("id", ctx.Param("id")).
 			Str("machine", machine.Hostname).
 			Err(err).
 			Msg("Failed to get Map response")
-		http.Error(writer, "", http.StatusInternalServerError)
+		ctx.String(http.StatusInternalServerError, ":(")
 
 		return
 	}
@@ -163,28 +150,19 @@ func (h *Headscale) PollNetMapHandler(
 	// Details on the protocol can be found in https://github.com/tailscale/tailscale/blob/main/tailcfg/tailcfg.go#L696
 	log.Debug().
 		Str("handler", "PollNetMap").
-		Str("id", machineKeyStr).
+		Str("id", ctx.Param("id")).
 		Str("machine", machine.Hostname).
-		Bool("readOnly", mapRequest.ReadOnly).
+		Bool("readOnly", req.ReadOnly).
-		Bool("omitPeers", mapRequest.OmitPeers).
+		Bool("omitPeers", req.OmitPeers).
-		Bool("stream", mapRequest.Stream).
+		Bool("stream", req.Stream).
 		Msg("Client map request processed")
 
-	if mapRequest.ReadOnly {
+	if req.ReadOnly {
 		log.Info().
 			Str("handler", "PollNetMap").
 			Str("machine", machine.Hostname).
 			Msg("Client is starting up. Probably interested in a DERP map")
-
+		ctx.Data(http.StatusOK, "application/json; charset=utf-8", data)
-		writer.Header().Set("Content-Type", "application/json; charset=utf-8")
-		writer.WriteHeader(http.StatusOK)
-		_, err := writer.Write(data)
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
 		return
 	}
@@ -199,7 +177,7 @@ func (h *Headscale) PollNetMapHandler(
 	// Only create update channel if it has not been created
 	log.Trace().
 		Str("handler", "PollNetMap").
-		Str("id", machineKeyStr).
+		Str("id", ctx.Param("id")).
 		Str("machine", machine.Hostname).
 		Msg("Loading or creating update channel")
 
@@ -211,20 +189,13 @@ func (h *Headscale) PollNetMapHandler(
 
 	keepAliveChan := make(chan []byte)
 
-	if mapRequest.OmitPeers && !mapRequest.Stream {
+	if req.OmitPeers && !req.Stream {
 		log.Info().
 			Str("handler", "PollNetMap").
 			Str("machine", machine.Hostname).
 			Msg("Client sent endpoint update and is ok with a response without peer list")
-		writer.Header().Set("Content-Type", "application/json; charset=utf-8")
+		ctx.Data(http.StatusOK, "application/json; charset=utf-8", data)
-		writer.WriteHeader(http.StatusOK)
+
-		_, err := writer.Write(data)
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 		// It sounds like we should update the nodes when we have received a endpoint update
 		// even tho the comments in the tailscale code dont explicitly say so.
 		updateRequestsFromNode.WithLabelValues(machine.Namespace.Name, machine.Hostname, "endpoint-update").
@@ -232,12 +203,12 @@ func (h *Headscale) PollNetMapHandler(
 		updateChan <- struct{}{}
 
 		return
-	} else if mapRequest.OmitPeers && mapRequest.Stream {
+	} else if req.OmitPeers && req.Stream {
 		log.Warn().
 			Str("handler", "PollNetMap").
 			Str("machine", machine.Hostname).
 			Msg("Ignoring request, don't know how to handle it")
-		http.Error(writer, "", http.StatusBadRequest)
+		ctx.String(http.StatusBadRequest, "")
 
 		return
 	}
@@ -261,10 +232,9 @@ func (h *Headscale) PollNetMapHandler(
 	updateChan <- struct{}{}
 
 	h.PollNetMapStream(
-		writer,
+		ctx,
-		req,
 		machine,
-		mapRequest,
+		req,
 		machineKey,
 		pollDataChan,
 		keepAliveChan,
@@ -272,7 +242,7 @@ func (h *Headscale) PollNetMapHandler(
 	)
 	log.Trace().
 		Str("handler", "PollNetMap").
-		Str("id", machineKeyStr).
+		Str("id", ctx.Param("id")).
 		Str("machine", machine.Hostname).
 		Msg("Finished stream, closing PollNetMap session")
 }
@@ -281,8 +251,7 @@ func (h *Headscale) PollNetMapHandler(
 // stream logic, ensuring we communicate updates and data
 // to the connected clients.
 func (h *Headscale) PollNetMapStream(
-	writer http.ResponseWriter,
+	ctx *gin.Context,
-	req *http.Request,
 	machine *Machine,
 	mapRequest tailcfg.MapRequest,
 	machineKey key.MachinePublic,
@@ -290,34 +259,51 @@ func (h *Headscale) PollNetMapStream(
 	keepAliveChan chan []byte,
 	updateChan chan struct{},
 ) {
-	h.pollNetMapStreamWG.Add(1)
+	{
-	defer h.pollNetMapStreamWG.Done()
+		machine, err := h.GetMachineByMachineKey(machineKey)
+		if err != nil {
+			if errors.Is(err, gorm.ErrRecordNotFound) {
+				log.Warn().
+					Str("handler", "PollNetMap").
+					Msgf("Ignoring request, cannot find machine with key %s", machineKey.String())
+				ctx.String(http.StatusUnauthorized, "")
 
-	ctx := context.WithValue(req.Context(), machineNameContextKey, machine.Hostname)
+				return
+			}
+			log.Error().
+				Str("handler", "PollNetMap").
+				Msgf("Failed to fetch machine from the database with Machine key: %s", machineKey.String())
+			ctx.String(http.StatusInternalServerError, "")
 
-	ctx, cancel := context.WithCancel(ctx)
+			return
-	defer cancel()
+		}
 
-	go h.scheduledPollWorker(
+		ctx := context.WithValue(ctx.Request.Context(), machineNameContextKey, machine.Hostname)
-		ctx,
-		updateChan,
-		keepAliveChan,
-		machineKey,
-		mapRequest,
-		machine,
-	)
 
-	log.Trace().
+		ctx, cancel := context.WithCancel(ctx)
-		Str("handler", "PollNetMapStream").
+		defer cancel()
-		Str("machine", machine.Hostname).
-		Msg("Waiting for data to stream...")
 
-	log.Trace().
+		go h.scheduledPollWorker(
-		Str("handler", "PollNetMapStream").
+			ctx,
-		Str("machine", machine.Hostname).
+			updateChan,
-		Msgf("pollData is %#v, keepAliveChan is %#v, updateChan is %#v", pollDataChan, keepAliveChan, updateChan)
+			keepAliveChan,
+			machineKey,
+			mapRequest,
+			machine,
+		)
+	}
+
+	ctx.Stream(func(writer io.Writer) bool {
+		log.Trace().
+			Str("handler", "PollNetMapStream").
+			Str("machine", machine.Hostname).
+			Msg("Waiting for data to stream...")
+
+		log.Trace().
+			Str("handler", "PollNetMapStream").
+			Str("machine", machine.Hostname).
+			Msgf("pollData is %#v, keepAliveChan is %#v, updateChan is %#v", pollDataChan, keepAliveChan, updateChan)
 
-	for {
 		select {
 		case data := <-pollDataChan:
 			log.Trace().
@@ -335,21 +321,8 @@ func (h *Headscale) PollNetMapStream(
 					Err(err).
 					Msg("Cannot write data")
 
-				return
+				return false
 			}
-
-			flusher, ok := writer.(http.Flusher)
-			if !ok {
-				log.Error().
-					Caller().
-					Str("handler", "PollNetMapStream").
-					Str("machine", machine.Hostname).
-					Str("channel", "pollData").
-					Msg("Cannot cast writer to http.Flusher")
-			} else {
-				flusher.Flush()
-			}
-
 			log.Trace().
 				Str("handler", "PollNetMapStream").
 				Str("machine", machine.Hostname).
@@ -370,7 +343,7 @@ func (h *Headscale) PollNetMapStream(
 
 				// client has been removed from database
 				// since the stream opened, terminate connection.
-				return
+				return false
 			}
 			now := time.Now().UTC()
 			machine.LastSeen = &now
@@ -387,16 +360,16 @@ func (h *Headscale) PollNetMapStream(
 					Str("channel", "pollData").
 					Err(err).
 					Msg("Cannot update machine LastSuccessfulUpdate")
-
+			} else {
-				return
+				log.Trace().
+					Str("handler", "PollNetMapStream").
+					Str("machine", machine.Hostname).
+					Str("channel", "pollData").
+					Int("bytes", len(data)).
+					Msg("Machine entry in database updated successfully after sending pollData")
 			}
 
-			log.Trace().
+			return true
-				Str("handler", "PollNetMapStream").
-				Str("machine", machine.Hostname).
-				Str("channel", "pollData").
-				Int("bytes", len(data)).
-				Msg("Machine entry in database updated successfully after sending data")
 
 		case data := <-keepAliveChan:
 			log.Trace().
@@ -414,20 +387,8 @@ func (h *Headscale) PollNetMapStream(
 					Err(err).
 					Msg("Cannot write keep alive message")
 
-				return
+				return false
 			}
-			flusher, ok := writer.(http.Flusher)
-			if !ok {
-				log.Error().
-					Caller().
-					Str("handler", "PollNetMapStream").
-					Str("machine", machine.Hostname).
-					Str("channel", "keepAlive").
-					Msg("Cannot cast writer to http.Flusher")
-			} else {
-				flusher.Flush()
-			}
-
 			log.Trace().
 				Str("handler", "PollNetMapStream").
 				Str("machine", machine.Hostname).
@@ -448,7 +409,7 @@ func (h *Headscale) PollNetMapStream(
 
 				// client has been removed from database
 				// since the stream opened, terminate connection.
-				return
+				return false
 			}
 			now := time.Now().UTC()
 			machine.LastSeen = &now
@@ -460,16 +421,16 @@ func (h *Headscale) PollNetMapStream(
 					Str("channel", "keepAlive").
 					Err(err).
 					Msg("Cannot update machine LastSeen")
-
+			} else {
-				return
+				log.Trace().
+					Str("handler", "PollNetMapStream").
+					Str("machine", machine.Hostname).
+					Str("channel", "keepAlive").
+					Int("bytes", len(data)).
+					Msg("Machine updated successfully after sending keep alive")
 			}
 
-			log.Trace().
+			return true
-				Str("handler", "PollNetMapStream").
-				Str("machine", machine.Hostname).
-				Str("channel", "keepAlive").
-				Int("bytes", len(data)).
-				Msg("Machine updated successfully after sending keep alive")
 
 		case <-updateChan:
 			log.Trace().
@@ -479,7 +440,6 @@ func (h *Headscale) PollNetMapStream(
 				Msg("Received a request for update")
 			updateRequestsReceivedOnChannel.WithLabelValues(machine.Namespace.Name, machine.Hostname).
 				Inc()
-
 			if h.isOutdated(machine) {
 				var lastUpdate time.Time
 				if machine.LastSuccessfulUpdate != nil {
@@ -499,8 +459,6 @@ func (h *Headscale) PollNetMapStream(
 						Str("channel", "update").
 						Err(err).
 						Msg("Could not get the map update")
-
-					return
 				}
 				_, err = writer.Write(data)
 				if err != nil {
@@ -513,21 +471,8 @@ func (h *Headscale) PollNetMapStream(
 					updateRequestsSentToNode.WithLabelValues(machine.Namespace.Name, machine.Hostname, "failed").
 						Inc()
 
-					return
+					return false
 				}
-
-				flusher, ok := writer.(http.Flusher)
-				if !ok {
-					log.Error().
-						Caller().
-						Str("handler", "PollNetMapStream").
-						Str("machine", machine.Hostname).
-						Str("channel", "update").
-						Msg("Cannot cast writer to http.Flusher")
-				} else {
-					flusher.Flush()
-				}
-
 				log.Trace().
 					Str("handler", "PollNetMapStream").
 					Str("machine", machine.Hostname).
@@ -554,7 +499,7 @@ func (h *Headscale) PollNetMapStream(
 
 					// client has been removed from database
 					// since the stream opened, terminate connection.
-					return
+					return false
 				}
 				now := time.Now().UTC()
 
@@ -570,8 +515,6 @@ func (h *Headscale) PollNetMapStream(
 						Str("channel", "update").
 						Err(err).
 						Msg("Cannot update machine LastSuccessfulUpdate")
-
-					return
 				}
 			} else {
 				var lastUpdate time.Time
@@ -586,7 +529,9 @@ func (h *Headscale) PollNetMapStream(
 					Msgf("%s is up to date", machine.Hostname)
 			}
 
-		case <-ctx.Done():
+			return true
+
+		case <-ctx.Request.Context().Done():
 			log.Info().
 				Str("handler", "PollNetMapStream").
 				Str("machine", machine.Hostname).
@@ -605,7 +550,7 @@ func (h *Headscale) PollNetMapStream(
 
 				// client has been removed from database
 				// since the stream opened, terminate connection.
-				return
+				return false
 			}
 			now := time.Now().UTC()
 			machine.LastSeen = &now
@@ -619,18 +564,9 @@ func (h *Headscale) PollNetMapStream(
 					Msg("Cannot update machine LastSeen")
 			}
 
-			// The connection has been closed, so we can stop polling.
+			return false
-			return
-
-		case <-h.shutdownChan:
-			log.Info().
-				Str("handler", "PollNetMapStream").
-				Str("machine", machine.Hostname).
-				Msg("The long-poll handler is shutting down")
-
-			return
 		}
-	}
+	})
 }
 
 func (h *Headscale) scheduledPollWorker(
@@ -642,7 +578,7 @@ func (h *Headscale) scheduledPollWorker(
 	machine *Machine,
 ) {
 	keepAliveTicker := time.NewTicker(keepAliveInterval)
-	updateCheckerTicker := time.NewTicker(h.cfg.NodeUpdateCheckInterval)
+	updateCheckerTicker := time.NewTicker(updateCheckInterval)
 
 	defer closeChanWithLog(
 		updateChan,

preauth_keys.go

@@ -14,10 +14,10 @@ import (
 )
 
 const (
-	ErrPreAuthKeyNotFound          = Error("AuthKey not found")
+	errPreAuthKeyNotFound          = Error("AuthKey not found")
-	ErrPreAuthKeyExpired           = Error("AuthKey expired")
+	errPreAuthKeyExpired           = Error("AuthKey expired")
-	ErrSingleUseAuthKeyHasBeenUsed = Error("AuthKey has already been used")
+	errSingleUseAuthKeyHasBeenUsed = Error("AuthKey has already been used")
-	ErrNamespaceMismatch           = Error("namespace mismatch")
+	errNamespaceMismatch           = Error("namespace mismatch")
 )
 
 // PreAuthKey describes a pre-authorization key usable in a particular namespace.
@@ -92,7 +92,7 @@ func (h *Headscale) GetPreAuthKey(namespace string, key string) (*PreAuthKey, er
 	}
 
 	if pak.Namespace.Name != namespace {
-		return nil, ErrNamespaceMismatch
+		return nil, errNamespaceMismatch
 	}
 
 	return pak, nil
@@ -135,11 +135,11 @@ func (h *Headscale) checkKeyValidity(k string) (*PreAuthKey, error) {
 		result.Error,
 		gorm.ErrRecordNotFound,
 	) {
-		return nil, ErrPreAuthKeyNotFound
+		return nil, errPreAuthKeyNotFound
 	}
 
 	if pak.Expiration != nil && pak.Expiration.Before(time.Now()) {
-		return nil, ErrPreAuthKeyExpired
+		return nil, errPreAuthKeyExpired
 	}
 
 	if pak.Reusable || pak.Ephemeral { // we don't need to check if has been used before
@@ -152,7 +152,7 @@ func (h *Headscale) checkKeyValidity(k string) (*PreAuthKey, error) {
 	}
 
 	if len(machines) != 0 || pak.Used {
-		return nil, ErrSingleUseAuthKeyHasBeenUsed
+		return nil, errSingleUseAuthKeyHasBeenUsed
 	}
 
 	return &pak, nil

preauth_keys_test.go

@@ -44,13 +44,13 @@ func (*Suite) TestExpiredPreAuthKey(c *check.C) {
 	c.Assert(err, check.IsNil)
 
 	key, err := app.checkKeyValidity(pak.Key)
-	c.Assert(err, check.Equals, ErrPreAuthKeyExpired)
+	c.Assert(err, check.Equals, errPreAuthKeyExpired)
 	c.Assert(key, check.IsNil)
 }
 
 func (*Suite) TestPreAuthKeyDoesNotExist(c *check.C) {
 	key, err := app.checkKeyValidity("potatoKey")
-	c.Assert(err, check.Equals, ErrPreAuthKeyNotFound)
+	c.Assert(err, check.Equals, errPreAuthKeyNotFound)
 	c.Assert(key, check.IsNil)
 }
 
@@ -86,7 +86,7 @@ func (*Suite) TestAlreadyUsedKey(c *check.C) {
 	app.db.Save(&machine)
 
 	key, err := app.checkKeyValidity(pak.Key)
-	c.Assert(err, check.Equals, ErrSingleUseAuthKeyHasBeenUsed)
+	c.Assert(err, check.Equals, errSingleUseAuthKeyHasBeenUsed)
 	c.Assert(key, check.IsNil)
 }
 
@@ -174,7 +174,7 @@ func (*Suite) TestExpirePreauthKey(c *check.C) {
 	c.Assert(pak.Expiration, check.NotNil)
 
 	key, err := app.checkKeyValidity(pak.Key)
-	c.Assert(err, check.Equals, ErrPreAuthKeyExpired)
+	c.Assert(err, check.Equals, errPreAuthKeyExpired)
 	c.Assert(key, check.IsNil)
 }
 
@@ -188,5 +188,5 @@ func (*Suite) TestNotReusableMarkedAsUsed(c *check.C) {
 	app.db.Save(&pak)
 
 	_, err = app.checkKeyValidity(pak.Key)
-	c.Assert(err, check.Equals, ErrSingleUseAuthKeyHasBeenUsed)
+	c.Assert(err, check.Equals, errSingleUseAuthKeyHasBeenUsed)
 }

routes.go

@@ -7,7 +7,7 @@ import (
 )
 
 const (
-	ErrRouteIsNotAvailable = Error("route is not available")
+	errRouteIsNotAvailable = Error("route is not available")
 )
 
 // Deprecated: use machine function instead
@@ -106,7 +106,7 @@ func (h *Headscale) EnableNodeRoute(
 	}
 
 	if !available {
-		return ErrRouteIsNotAvailable
+		return errRouteIsNotAvailable
 	}
 
 	machine.EnabledRoutes = enabledRoutes

routes_test.go

@@ -28,7 +28,7 @@ func (s *Suite) TestGetRoutes(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Hostname:       "test_get_route_machine",
+		Hostname:           "test_get_route_machine",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
@@ -79,7 +79,7 @@ func (s *Suite) TestGetEnableRoutes(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Hostname:       "test_enable_route_machine",
+		Hostname:           "test_enable_route_machine",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),

swagger.go

@@ -6,16 +6,14 @@ import (
 	"html/template"
 	"net/http"
 
+	"github.com/gin-gonic/gin"
 	"github.com/rs/zerolog/log"
 )
 
 //go:embed gen/openapiv2/headscale/v1/headscale.swagger.json
 var apiV1JSON []byte
 
-func SwaggerUI(
+func SwaggerUI(ctx *gin.Context) {
-	writer http.ResponseWriter,
-	req *http.Request,
-) {
 	swaggerTemplate := template.Must(template.New("swagger").Parse(`
 <html>
 	<head>
@@ -54,41 +52,18 @@ func SwaggerUI(
 			Caller().
 			Err(err).
 			Msg("Could not render Swagger")
-
+		ctx.Data(
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+			http.StatusInternalServerError,
-		writer.WriteHeader(http.StatusInternalServerError)
+			"text/html; charset=utf-8",
-		_, err := writer.Write([]byte("Could not render Swagger"))
+			[]byte("Could not render Swagger"),
-		if err != nil {
+		)
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
 
 		return
 	}
 
-	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
+	ctx.Data(http.StatusOK, "text/html; charset=utf-8", payload.Bytes())
-	writer.WriteHeader(http.StatusOK)
-	_, err := writer.Write(payload.Bytes())
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
 }
 
-func SwaggerAPIv1(
+func SwaggerAPIv1(ctx *gin.Context) {
-	writer http.ResponseWriter,
+	ctx.Data(http.StatusOK, "application/json; charset=utf-8", apiV1JSON)
-	req *http.Request,
-) {
-	writer.Header().Set("Content-Type", "application/json; charset=utf-88")
-	writer.WriteHeader(http.StatusOK)
-	if _, err := writer.Write(apiV1JSON); err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
 }

utils.go

@@ -27,8 +27,8 @@ import (
 )
 
 const (
-	ErrCannotDecryptResponse = Error("cannot decrypt response")
+	errCannotDecryptReponse = Error("cannot decrypt response")
-	ErrCouldNotAllocateIP    = Error("could not find any suitable IP")
+	errCouldNotAllocateIP   = Error("could not find any suitable IP")
 
 	// These constants are copied from the upstream tailscale.com/types/key
 	// library, because they are not exported.
@@ -120,7 +120,7 @@ func decode(
 
 	decrypted, ok := privKey.OpenFrom(*pubKey, msg)
 	if !ok {
-		return ErrCannotDecryptResponse
+		return errCannotDecryptReponse
 	}
 
 	if err := json.Unmarshal(decrypted, output); err != nil {
@@ -181,7 +181,7 @@ func (h *Headscale) getAvailableIP(ipPrefix netaddr.IPPrefix) (*netaddr.IP, erro
 
 	for {
 		if !ipPrefix.Contains(ip) {
-			return nil, ErrCouldNotAllocateIP
+			return nil, errCouldNotAllocateIP
 		}
 
 		switch {
@@ -324,18 +324,12 @@ func GenerateRandomStringURLSafe(n int) (string, error) {
 // It will return an error if the system's secure random
 // number generator fails to function correctly, in which
 // case the caller should not continue.
-func GenerateRandomStringDNSSafe(size int) (string, error) {
+func GenerateRandomStringDNSSafe(n int) (string, error) {
-	var str string
+	str, err := GenerateRandomStringURLSafe(n)
-	var err error
-	for len(str) < size {
-		str, err = GenerateRandomStringURLSafe(size)
-		if err != nil {
-			return "", err
-		}
-		str = strings.ToLower(strings.ReplaceAll(strings.ReplaceAll(str, "_", ""), "-", ""))
-	}
 
-	return str[:size], nil
+	str = strings.ToLower(strings.ReplaceAll(strings.ReplaceAll(str, "_", ""), "-", ""))
+
+	return str[:n], err
 }
 
 func IsStringInSlice(slice []string, str string) bool {

utils_test.go

@@ -34,7 +34,7 @@ func (s *Suite) TestGetUsedIps(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Hostname:       "testmachine",
+		Hostname:           "testmachine",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
@@ -82,7 +82,7 @@ func (s *Suite) TestGetMultiIp(c *check.C) {
 			MachineKey:     "foo",
 			NodeKey:        "bar",
 			DiscoKey:       "faa",
-			Hostname:       "testmachine",
+			Hostname:           "testmachine",
 			NamespaceID:    namespace.ID,
 			RegisterMethod: RegisterMethodAuthKey,
 			AuthKeyID:      uint(pak.ID),
@@ -172,7 +172,7 @@ func (s *Suite) TestGetAvailableIpMachineWithoutIP(c *check.C) {
 		MachineKey:     "foo",
 		NodeKey:        "bar",
 		DiscoKey:       "faa",
-		Hostname:       "testmachine",
+		Hostname:           "testmachine",
 		NamespaceID:    namespace.ID,
 		RegisterMethod: RegisterMethodAuthKey,
 		AuthKeyID:      uint(pak.ID),
@@ -185,15 +185,3 @@ func (s *Suite) TestGetAvailableIpMachineWithoutIP(c *check.C) {
 	c.Assert(len(ips2), check.Equals, 1)
 	c.Assert(ips2[0].String(), check.Equals, expected.String())
 }
-
-func (s *Suite) TestGenerateRandomStringDNSSafe(c *check.C) {
-	for i := 0; i < 100000; i++ {
-		str, err := GenerateRandomStringDNSSafe(8)
-		if err != nil {
-			c.Error(err)
-		}
-		if len(str) != 8 {
-			c.Error("invalid length", len(str), str)
-		}
-	}
-}