Do not explicitly set the protocols when ommited in ACL

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

.github/workflows/build.yml

@@ -13,13 +13,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 2
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v14.1
+        uses: tj-actions/changed-files@v34
         with:
           files: |
             *.nix

.github/workflows/contributors.yml

@@ -9,7 +9,7 @@ jobs:
   add-contributors:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Delete upstream contributor branch
         # Allow continue on failure to account for when the
         # upstream branch is deleted or does not exist.

.github/workflows/gh-actions-updater.yaml

@@ -0,0 +1,23 @@
+name: GitHub Actions Version Updater
+
+# Controls when the action will run.
+on:
+  schedule:
+    # Automatically run on every Sunday
+    - cron: "0 0 * * 0"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          # [Required] Access token with `workflow` scope.
+          token: ${{ secrets.WORKFLOW_SECRET }}
+
+      - name: Run GitHub Actions Version Updater
+        uses: saadmk11/github-actions-version-updater@v0.7.1
+        with:
+          # [Required] Access token with `workflow` scope.
+          token: ${{ secrets.WORKFLOW_SECRET }}

.github/workflows/lint.yml

@@ -1,5 +1,5 @@
 ---
-name: CI
+name: Lint
 
 on: [push, pull_request]
 
@@ -7,13 +7,13 @@ jobs:
   golangci-lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 2
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v14.1
+        uses: tj-actions/changed-files@v34
         with:
           files: |
             *.nix

.github/workflows/release.yml

@@ -1,5 +1,5 @@
 ---
-name: release
+name: Release
 
 on:
   push:
@@ -9,27 +9,17 @@ on:
 
 jobs:
   goreleaser:
-    runs-on: ubuntu-18.04 # due to CGO we need to user an older version
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
-      - name: Set up Go
-        uses: actions/setup-go@v2
-        with:
-          go-version: 1.19.0
 
-      - name: Install dependencies
-        run: |
-          sudo apt update
-          sudo apt install -y gcc-aarch64-linux-gnu
-      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2
-        with:
-          distribution: goreleaser
-          version: latest
-          args: release --rm-dist
+      - uses: cachix/install-nix-action@v16
+
+      - name: Run goreleaser
+        run: nix develop --command -- goreleaser release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
@@ -37,7 +27,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Set up Docker Buildx
@@ -65,8 +55,8 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}
-            type=raw,value=latest
             type=sha
+            type=raw,value=develop
       - name: Login to DockerHub
         uses: docker/login-action@v1
         with:
@@ -100,7 +90,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0
       - name: Set up Docker Buildx
@@ -125,13 +115,13 @@ jobs:
             ${{ secrets.DOCKERHUB_USERNAME }}/headscale
             ghcr.io/${{ github.repository_owner }}/headscale
           flavor: |
-            latest=false
+            suffix=-debug,onlatest=true
           tags: |
-            type=semver,pattern={{version}}-debug
-            type=semver,pattern={{major}}.{{minor}}-debug
-            type=semver,pattern={{major}}-debug
-            type=raw,value=latest-debug
-            type=sha,suffix=-debug
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+            type=raw,value=develop
       - name: Login to DockerHub
         uses: docker/login-action@v1
         with:
@@ -161,69 +151,3 @@ jobs:
         run: |
           rm -rf /tmp/.buildx-cache-debug
           mv /tmp/.buildx-cache-debug-new /tmp/.buildx-cache-debug
-
-  docker-alpine-release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Set up QEMU for multiple platforms
-        uses: docker/setup-qemu-action@master
-        with:
-          platforms: arm64,amd64
-      - name: Cache Docker layers
-        uses: actions/cache@v2
-        with:
-          path: /tmp/.buildx-cache-alpine
-          key: ${{ runner.os }}-buildx-alpine-${{ github.sha }}
-          restore-keys: |
-            ${{ runner.os }}-buildx-alpine-
-      - name: Docker meta
-        id: meta-alpine
-        uses: docker/metadata-action@v3
-        with:
-          # list of Docker images to use as base name for tags
-          images: |
-            ${{ secrets.DOCKERHUB_USERNAME }}/headscale
-            ghcr.io/${{ github.repository_owner }}/headscale
-          flavor: |
-            latest=false
-          tags: |
-            type=semver,pattern={{version}}-alpine
-            type=semver,pattern={{major}}.{{minor}}-alpine
-            type=semver,pattern={{major}}-alpine
-            type=raw,value=latest-alpine
-            type=sha,suffix=-alpine
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GHCR
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          context: .
-          file: Dockerfile.alpine
-          tags: ${{ steps.meta-alpine.outputs.tags }}
-          labels: ${{ steps.meta-alpine.outputs.labels }}
-          platforms: linux/amd64,linux/arm64
-          cache-from: type=local,src=/tmp/.buildx-cache-alpine
-          cache-to: type=local,dest=/tmp/.buildx-cache-alpine-new
-          build-args: |
-            VERSION=${{ steps.meta-alpine.outputs.version }}
-      - name: Prepare cache for next build
-        run: |
-          rm -rf /tmp/.buildx-cache-alpine
-          mv /tmp/.buildx-cache-alpine-new /tmp/.buildx-cache-alpine

.github/workflows/renovatebot.yml

@@ -1,27 +0,0 @@
----
-name: Renovate
-on:
-  schedule:
-    - cron: "* * 5,20 * *" # Every 5th and 20th of the month
-  workflow_dispatch:
-jobs:
-  renovate:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Get token
-        id: get_token
-        uses: machine-learning-apps/actions-app-token@master
-        with:
-          APP_PEM: ${{ secrets.RENOVATEBOT_SECRET }}
-          APP_ID: ${{ secrets.RENOVATEBOT_APP_ID }}
-
-      - name: Checkout
-        uses: actions/checkout@v2.0.0
-
-      - name: Self-hosted Renovate
-        uses: renovatebot/github-action@v31.81.3
-        with:
-          configurationFile: .github/renovate.json
-          token: "x-access-token:${{ steps.get_token.outputs.app_token }}"
-        # env:
-        #  LOG_LEVEL: "debug"

.github/workflows/test-integration-cli.yml

@@ -0,0 +1,35 @@
+name: Integration Test CLI
+
+on: [pull_request]
+
+jobs:
+  integration-test-cli:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Set Swap Space
+        uses: pierotofy/set-swap-space@master
+        with:
+          swap-size-gb: 10
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run CLI integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: nix develop --command -- make test_integration_cli

.github/workflows/test-integration-derp.yml

@@ -0,0 +1,35 @@
+name: Integration Test DERP
+
+on: [pull_request]
+
+jobs:
+  integration-test-derp:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Set Swap Space
+        uses: pierotofy/set-swap-space@master
+        with:
+          swap-size-gb: 10
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run Embedded DERP server integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: nix develop --command -- make test_integration_derp

.github/workflows/test-integration-v2-kradalby.yml

@@ -0,0 +1,27 @@
+name: Integration Test v2 - kradalby
+
+on: [pull_request]
+
+jobs:
+  integration-test-v2-kradalby:
+    runs-on: [self-hosted, linux, x64, nixos, docker]
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: nix develop --command -- make test_integration_v2_general

.github/workflows/test-integration.yml

@@ -1,67 +0,0 @@
-name: CI
-
-on: [pull_request]
-
-jobs:
-  integration-test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 2
-
-      - name: Set Swap Space
-        uses: pierotofy/set-swap-space@master
-        with:
-          swap-size-gb: 10
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v14.1
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run CLI integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: nick-fields/retry@v2
-        with:
-          timeout_minutes: 240
-          max_attempts: 5
-          retry_on: error
-          command: nix develop --command -- make test_integration_cli
-
-      - name: Run Embedded DERP server integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: nick-fields/retry@v2
-        with:
-          timeout_minutes: 240
-          max_attempts: 5
-          retry_on: error
-          command: nix develop --command -- make test_integration_derp
-
-      - name: Run OIDC integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: nick-fields/retry@v2
-        with:
-          timeout_minutes: 240
-          max_attempts: 5
-          retry_on: error
-          command: nix develop --command -- make test_integration_oidc
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        uses: nick-fields/retry@v2
-        with:
-          timeout_minutes: 240
-          max_attempts: 5
-          retry_on: error
-          command: nix develop --command -- make test_integration_general

.github/workflows/test.yml

@@ -1,4 +1,4 @@
-name: CI
+name: Tests
 
 on: [push, pull_request]
 
@@ -7,13 +7,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
         with:
           fetch-depth: 2
 
       - name: Get changed files
         id: changed-files
-        uses: tj-actions/changed-files@v14.1
+        uses: tj-actions/changed-files@v34
         with:
           files: |
             *.nix

.golangci.yaml

@@ -1,6 +1,8 @@
 ---
 run:
   timeout: 10m
+  build-tags:
+    - ts2019
 
 issues:
   skip-dirs:
@@ -26,6 +28,7 @@ linters:
     - ireturn
     - execinquery
     - exhaustruct
+    - nolintlint
 
     # We should strive to enable these:
     - wrapcheck
@@ -33,6 +36,9 @@ linters:
     - makezero
     - maintidx
 
+    # Limits the methods of an interface to 10. We have more in integration tests
+    - interfacebloat
+
     # We might want to enable this, but it might be a lot of work
     - cyclop
     - nestif

.goreleaser.yml

@@ -20,6 +20,8 @@ builds:
       - -mod=readonly
     ldflags:
       - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019
 
   - id: darwin-arm64
     main: ./cmd/headscale/headscale.go
@@ -34,6 +36,8 @@ builds:
       - -mod=readonly
     ldflags:
       - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019
 
   - id: linux-amd64
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -46,6 +50,8 @@ builds:
     main: ./cmd/headscale/headscale.go
     ldflags:
       - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019
 
   - id: linux-arm64
     mod_timestamp: "{{ .CommitTimestamp }}"
@@ -58,6 +64,8 @@ builds:
     main: ./cmd/headscale/headscale.go
     ldflags:
       - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019
 
 archives:
   - id: golang-cross

CHANGELOG.md

@@ -1,23 +1,52 @@
 # CHANGELOG
 
-## 0.17.0 (2022-XX-XX)
-
-### BREAKING
-
-- Log level option `log_level` was moved to a distinct `log` config section and renamed to `level` [#768](https://github.com/juanfont/headscale/pull/768)
+## 0.17.1 (2022-x-x)
 
 ### Changes
 
+- Correct typo on macOS standalone profile link [#1028](https://github.com/juanfont/headscale/pull/1028)
+
+## 0.17.0 (2022-11-26)
+
+### BREAKING
+
+- `noise.private_key_path` has been added and is required for the new noise protocol.
+- Log level option `log_level` was moved to a distinct `log` config section and renamed to `level` [#768](https://github.com/juanfont/headscale/pull/768)
+- Removed Alpine Linux container image [#962](https://github.com/juanfont/headscale/pull/962)
+
+### Important Changes
+
 - Added support for Tailscale TS2021 protocol [#738](https://github.com/juanfont/headscale/pull/738)
+- Add experimental support for [SSH ACL](https://tailscale.com/kb/1018/acls/#tailscale-ssh) (see docs for limitations) [#847](https://github.com/juanfont/headscale/pull/847)
+  - Please note that this support should be considered _partially_ implemented
+  - SSH ACLs status:
+    - Support `accept` and `check` (SSH can be enabled and used for connecting and authentication)
+    - Rejecting connections **are not supported**, meaning that if you enable SSH, then assume that _all_ `ssh` connections **will be allowed**.
+    - If you decied to try this feature, please carefully managed permissions by blocking port `22` with regular ACLs or do _not_ set `--ssh` on your clients.
+    - We are currently improving our testing of the SSH ACLs, help us get an overview by testing and giving feedback.
+  - This feature should be considered dangerous and it is disabled by default. Enable by setting `HEADSCALE_EXPERIMENTAL_FEATURE_SSH=1`.
+
+### Changes
+
 - Add ability to specify config location via env var `HEADSCALE_CONFIG` [#674](https://github.com/juanfont/headscale/issues/674)
 - Target Go 1.19 for Headscale [#778](https://github.com/juanfont/headscale/pull/778)
 - Target Tailscale v1.30.0 to build Headscale [#780](https://github.com/juanfont/headscale/pull/780)
 - Give a warning when running Headscale with reverse proxy improperly configured for WebSockets [#788](https://github.com/juanfont/headscale/pull/788)
 - Fix subnet routers with Primary Routes [#811](https://github.com/juanfont/headscale/pull/811)
 - Added support for JSON logs [#653](https://github.com/juanfont/headscale/issues/653)
+- Sanitise the node key passed to registration url [#823](https://github.com/juanfont/headscale/pull/823)
 - Add support for generating pre-auth keys with tags [#767](https://github.com/juanfont/headscale/pull/767)
 - Add support for evaluating `autoApprovers` ACL entries when a machine is registered [#763](https://github.com/juanfont/headscale/pull/763)
 - Add config flag to allow Headscale to start if OIDC provider is down [#829](https://github.com/juanfont/headscale/pull/829)
+- Fix prefix length comparison bug in AutoApprovers route evaluation [#862](https://github.com/juanfont/headscale/pull/862)
+- Random node DNS suffix only applied if names collide in namespace. [#766](https://github.com/juanfont/headscale/issues/766)
+- Remove `ip_prefix` configuration option and warning [#899](https://github.com/juanfont/headscale/pull/899)
+- Add `dns_config.override_local_dns` option [#905](https://github.com/juanfont/headscale/pull/905)
+- Fix some DNS config issues [#660](https://github.com/juanfont/headscale/issues/660)
+- Make it possible to disable TS2019 with build flag [#928](https://github.com/juanfont/headscale/pull/928)
+- Fix OIDC registration issues [#960](https://github.com/juanfont/headscale/pull/960) and [#971](https://github.com/juanfont/headscale/pull/971)
+- Add support for specifying NextDNS DNS-over-HTTPS resolver [#940](https://github.com/juanfont/headscale/pull/940)
+- Make more sslmode available for postgresql connection [#927](https://github.com/juanfont/headscale/pull/927)
 
 ## 0.16.4 (2022-08-21)
 

Dockerfile

@@ -1,5 +1,5 @@
 # Builder image
-FROM docker.io/golang:1.19.0-bullseye AS build
+FROM docker.io/golang:1.19-bullseye AS build
 ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale
@@ -9,7 +9,7 @@ RUN go mod download
 
 COPY . .
 
-RUN CGO_ENABLED=0 GOOS=linux go install -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
+RUN CGO_ENABLED=0 GOOS=linux go install -tags ts2019 -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
 RUN strip /go/bin/headscale
 RUN test -e /go/bin/headscale
 

Dockerfile.alpine

@@ -1,24 +0,0 @@
-# Builder image
-FROM docker.io/golang:1.19.0-alpine AS build
-ARG VERSION=dev
-ENV GOPATH /go
-WORKDIR /go/src/headscale
-
-COPY go.mod go.sum /go/src/headscale/
-RUN apk add gcc musl-dev
-RUN go mod download
-
-COPY . .
-
-RUN CGO_ENABLED=0 GOOS=linux go install -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
-RUN strip /go/bin/headscale
-RUN test -e /go/bin/headscale
-
-# Production image
-FROM docker.io/alpine:latest
-
-COPY --from=build /go/bin/headscale /bin/headscale
-ENV TZ UTC
-
-EXPOSE 8080/tcp
-CMD ["headscale"]

Dockerfile.debug

@@ -1,5 +1,5 @@
 # Builder image
-FROM docker.io/golang:1.19.0-bullseye AS build
+FROM docker.io/golang:1.19-bullseye AS build
 ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale
@@ -9,11 +9,11 @@ RUN go mod download
 
 COPY . .
 
-RUN CGO_ENABLED=0 GOOS=linux go install -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
+RUN CGO_ENABLED=0 GOOS=linux go install -tags ts2019 -ldflags="-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$VERSION" -a ./cmd/headscale
 RUN test -e /go/bin/headscale
 
 # Debug image
-FROM gcr.io/distroless/base-debian11:debug
+FROM docker.io/golang:1.19.0-bullseye
 
 COPY --from=build /go/bin/headscale /bin/headscale
 ENV TZ UTC

Dockerfile.tailscale

@@ -4,14 +4,16 @@ ARG TAILSCALE_VERSION=*
 ARG TAILSCALE_CHANNEL=stable
 
 RUN apt-get update \
-    && apt-get install -y gnupg curl \
+    && apt-get install -y gnupg curl ssh \
     && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.gpg | apt-key add - \
     && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.list | tee /etc/apt/sources.list.d/tailscale.list \
     && apt-get update \
     && apt-get install -y ca-certificates tailscale=${TAILSCALE_VERSION} dnsutils \
     && rm -rf /var/lib/apt/lists/*
 
+RUN adduser --shell=/bin/bash ssh-it-user
+
 ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
-RUN chmod 644 /usr/local/share/ca-certificates/server.crt 
+RUN chmod 644 /usr/local/share/ca-certificates/server.crt
 
 RUN update-ca-certificates

Dockerfile.tailscale-HEAD

@@ -1,9 +1,10 @@
 FROM golang:latest
 
 RUN apt-get update \
-    && apt-get install -y ca-certificates dnsutils git iptables \
+    && apt-get install -y ca-certificates dnsutils git iptables ssh \
     && rm -rf /var/lib/apt/lists/*
 
+RUN useradd --shell=/bin/bash --create-home ssh-it-user
 
 RUN git clone https://github.com/tailscale/tailscale.git
 
@@ -18,6 +19,6 @@ RUN cp tailscale /usr/local/bin/
 RUN cp tailscaled /usr/local/bin/
 
 ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
-RUN chmod 644 /usr/local/share/ca-certificates/server.crt 
+RUN chmod 644 /usr/local/share/ca-certificates/server.crt
 
 RUN update-ca-certificates

Makefile

@@ -10,6 +10,8 @@ ifeq ($(filter $(GOOS), openbsd netbsd soloaris plan9), )
 else
 endif
 
+TAGS = -tags ts2019
+
 # GO_SOURCES = $(wildcard *.go)
 # PROTO_SOURCES = $(wildcard **/*.proto)
 GO_SOURCES = $(call rwildcard,,*.go)
@@ -17,26 +19,44 @@ PROTO_SOURCES = $(call rwildcard,,*.proto)
 
 
 build:
-	GOOS=$(GOOS) CGO_ENABLED=0 go build -trimpath $(pieflags) -mod=readonly -ldflags "-s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=$(version)" cmd/headscale/headscale.go
+	nix build
 
 dev: lint test build
 
 test:
-	@go test -coverprofile=coverage.out ./...
+	@go test $(TAGS) -short -coverprofile=coverage.out ./...
 
-test_integration: test_integration_cli test_integration_derp test_integration_oidc test_integration_general
+test_integration: test_integration_cli test_integration_derp test_integration_oidc test_integration_v2_general
 
 test_integration_cli:
-	go test -failfast -tags integration_cli,integration -timeout 30m -count=1 ./...
+	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
+	docker network create headscale-test || true
+	docker run -t --rm \
+		--network headscale-test \
+		-v ~/.cache/hs-integration-go:/go \
+		-v $$PWD:$$PWD -w $$PWD \
+		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
+		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationCLI ./...
 
 test_integration_derp:
-	go test -failfast -tags integration_derp,integration -timeout 30m -count=1 ./...
+	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
+	docker network create headscale-test || true
+	docker run -t --rm \
+		--network headscale-test \
+		-v ~/.cache/hs-integration-go:/go \
+		-v $$PWD:$$PWD -w $$PWD \
+		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
+		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationDERP ./...
 
-test_integration_general:
-	go test -failfast -tags integration_general,integration -timeout 30m -count=1 ./...
-
-test_integration_oidc:
-	go test -failfast -tags integration_oidc,integration -timeout 30m -count=1 ./...
+test_integration_v2_general:
+	docker run \
+		-t --rm \
+		-v ~/.cache/hs-integration-go:/go \
+		--name headscale-test-suite \
+		-v $$PWD:$$PWD -w $$PWD/integration \
+		-v /var/run/docker.sock:/var/run/docker.sock \
+		golang:1 \
+		go test $(TAGS) -failfast ./... -timeout 120m -parallel 8
 
 coverprofile_func:
 	go tool cover -func=coverage.out

README.md

@@ -195,6 +195,15 @@ make build
             <sub style="font-size:14px"><b>Jiang Zhu</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/tsujamin>
+            <img src=https://avatars.githubusercontent.com/u/2435619?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Benjamin Roberts/>
+            <br />
+            <sub style="font-size:14px"><b>Benjamin Roberts</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/reynico>
             <img src=https://avatars.githubusercontent.com/u/715768?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Nico/>
@@ -202,8 +211,6 @@ make build
             <sub style="font-size:14px"><b>Nico</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/e-zk>
             <img src=https://avatars.githubusercontent.com/u/58356365?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=e-zk/>
@@ -239,6 +246,8 @@ make build
             <sub style="font-size:14px"><b>ohdearaugustin</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/mpldr>
             <img src=https://avatars.githubusercontent.com/u/33086936?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Moritz Poldrack/>
@@ -246,8 +255,6 @@ make build
             <sub style="font-size:14px"><b>Moritz Poldrack</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/GrigoriyMikhalkin>
             <img src=https://avatars.githubusercontent.com/u/3637857?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=GrigoriyMikhalkin/>
@@ -255,6 +262,20 @@ make build
             <sub style="font-size:14px"><b>GrigoriyMikhalkin</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/mike-lloyd03>
+            <img src=https://avatars.githubusercontent.com/u/49411532?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mike Lloyd/>
+            <br />
+            <sub style="font-size:14px"><b>Mike Lloyd</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/iSchluff>
+            <img src=https://avatars.githubusercontent.com/u/1429641?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Anton Schubert/>
+            <br />
+            <sub style="font-size:14px"><b>Anton Schubert</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/Niek>
             <img src=https://avatars.githubusercontent.com/u/213140?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Niek van der Maas/>
@@ -269,6 +290,8 @@ make build
             <sub style="font-size:14px"><b>Eugen Biegler</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/617a7a>
             <img src=https://avatars.githubusercontent.com/u/67651251?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Azz/>
@@ -276,13 +299,6 @@ make build
             <sub style="font-size:14px"><b>Azz</b></sub>
         </a>
     </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/iSchluff>
-            <img src=https://avatars.githubusercontent.com/u/1429641?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Anton Schubert/>
-            <br />
-            <sub style="font-size:14px"><b>Anton Schubert</b></sub>
-        </a>
-    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/qbit>
             <img src=https://avatars.githubusercontent.com/u/68368?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Aaron Bieber/>
@@ -290,8 +306,13 @@ make build
             <sub style="font-size:14px"><b>Aaron Bieber</b></sub>
         </a>
     </td>
-</tr>
-<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/kazauwa>
+            <img src=https://avatars.githubusercontent.com/u/12330159?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Igor Perepilitsyn/>
+            <br />
+            <sub style="font-size:14px"><b>Igor Perepilitsyn</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/Aluxima>
             <img src=https://avatars.githubusercontent.com/u/16262531?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Laurent Marchaud/>
@@ -307,10 +328,19 @@ make build
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/hdhoang>
-            <img src=https://avatars.githubusercontent.com/u/12537?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Hoàng Đức Hiếu/>
+        <a href=https://github.com/OrvilleQ>
+            <img src=https://avatars.githubusercontent.com/u/21377465?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Orville Q. Song/>
             <br />
-            <sub style="font-size:14px"><b>Hoàng Đức Hiếu</b></sub>
+            <sub style="font-size:14px"><b>Orville Q. Song</b></sub>
+        </a>
+    </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/hdhoang>
+            <img src=https://avatars.githubusercontent.com/u/12537?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=hdhoang/>
+            <br />
+            <sub style="font-size:14px"><b>hdhoang</b></sub>
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -327,6 +357,13 @@ make build
             <sub style="font-size:14px"><b>Deon Thomas</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/madjam002>
+            <img src=https://avatars.githubusercontent.com/u/679137?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jamie Greeff/>
+            <br />
+            <sub style="font-size:14px"><b>Jamie Greeff</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/ChibangLW>
             <img src=https://avatars.githubusercontent.com/u/22293464?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ChibangLW/>
@@ -334,8 +371,6 @@ make build
             <sub style="font-size:14px"><b>ChibangLW</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/mevansam>
             <img src=https://avatars.githubusercontent.com/u/403630?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mevan Samaratunga/>
@@ -343,6 +378,8 @@ make build
             <sub style="font-size:14px"><b>Mevan Samaratunga</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/dragetd>
             <img src=https://avatars.githubusercontent.com/u/3639577?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Michael G./>
@@ -371,6 +408,13 @@ make build
             <sub style="font-size:14px"><b>Stefan Majer</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/kevin1sMe>
+            <img src=https://avatars.githubusercontent.com/u/6886076?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=kevinlin/>
+            <br />
+            <sub style="font-size:14px"><b>kevinlin</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/artemklevtsov>
             <img src=https://avatars.githubusercontent.com/u/603798?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Artem Klevtsov/>
@@ -387,6 +431,13 @@ make build
             <sub style="font-size:14px"><b>Casey Marshall</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/CNLHC>
+            <img src=https://avatars.githubusercontent.com/u/21005146?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=LiuHanCheng/>
+            <br />
+            <sub style="font-size:14px"><b>LiuHanCheng</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/pvinis>
             <img src=https://avatars.githubusercontent.com/u/100233?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pavlos Vinieratos/>
@@ -402,12 +453,21 @@ make build
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/vtrf>
+        <a href=https://github.com/snh>
+            <img src=https://avatars.githubusercontent.com/u/2051768?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Steven Honson/>
+            <br />
+            <sub style="font-size:14px"><b>Steven Honson</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/ratsclub>
             <img src=https://avatars.githubusercontent.com/u/25647735?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Victor Freire/>
             <br />
             <sub style="font-size:14px"><b>Victor Freire</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/lachy2849>
             <img src=https://avatars.githubusercontent.com/u/98844035?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=lachy2849/>
@@ -422,8 +482,6 @@ make build
             <sub style="font-size:14px"><b>thomas</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/aberoham>
             <img src=https://avatars.githubusercontent.com/u/586805?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Abraham Ingersoll/>
@@ -431,6 +489,13 @@ make build
             <sub style="font-size:14px"><b>Abraham Ingersoll</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/puzpuzpuz>
+            <img src=https://avatars.githubusercontent.com/u/37772591?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Andrei Pechkurov/>
+            <br />
+            <sub style="font-size:14px"><b>Andrei Pechkurov</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/apognu>
             <img src=https://avatars.githubusercontent.com/u/3017182?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Antoine POPINEAU/>
@@ -445,6 +510,15 @@ make build
             <sub style="font-size:14px"><b>Aofei Sheng</b></sub>
         </a>
     </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/arnarg>
+            <img src=https://avatars.githubusercontent.com/u/1291396?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Arnar/>
+            <br />
+            <sub style="font-size:14px"><b>Arnar</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/awoimbee>
             <img src=https://avatars.githubusercontent.com/u/22431493?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Arthur Woimbée/>
@@ -466,8 +540,6 @@ make build
             <sub style="font-size:14px"><b> Carson Yang</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/kundel>
             <img src=https://avatars.githubusercontent.com/u/10158899?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=kundel/>
@@ -482,6 +554,8 @@ make build
             <sub style="font-size:14px"><b>Felix Kronlage-Dammers</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/felixonmars>
             <img src=https://avatars.githubusercontent.com/u/1006477?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Felix Yan/>
@@ -496,13 +570,6 @@ make build
             <sub style="font-size:14px"><b>JJGadgets</b></sub>
         </a>
     </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/madjam002>
-            <img src=https://avatars.githubusercontent.com/u/679137?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jamie Greeff/>
-            <br />
-            <sub style="font-size:14px"><b>Jamie Greeff</b></sub>
-        </a>
-    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/jimt>
             <img src=https://avatars.githubusercontent.com/u/180326?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jim Tittsler/>
@@ -510,8 +577,13 @@ make build
             <sub style="font-size:14px"><b>Jim Tittsler</b></sub>
         </a>
     </td>
-</tr>
-<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/ShadowJonathan>
+            <img src=https://avatars.githubusercontent.com/u/22740616?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jonathan de Jong/>
+            <br />
+            <sub style="font-size:14px"><b>Jonathan de Jong</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/piec>
             <img src=https://avatars.githubusercontent.com/u/781471?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pierre Carru/>
@@ -526,6 +598,8 @@ make build
             <sub style="font-size:14px"><b>Rasmus Moorats</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/rcursaru>
             <img src=https://avatars.githubusercontent.com/u/16259641?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=rcursaru/>
@@ -535,9 +609,9 @@ make build
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/renovate-bot>
-            <img src=https://avatars.githubusercontent.com/u/25180681?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=WhiteSource Renovate/>
+            <img src=https://avatars.githubusercontent.com/u/25180681?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mend Renovate/>
             <br />
-            <sub style="font-size:14px"><b>WhiteSource Renovate</b></sub>
+            <sub style="font-size:14px"><b>Mend Renovate</b></sub>
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -554,8 +628,13 @@ make build
             <sub style="font-size:14px"><b>Shaanan Cohney</b></sub>
         </a>
     </td>
-</tr>
-<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/stefanvanburen>
+            <img src=https://avatars.githubusercontent.com/u/622527?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan VanBuren/>
+            <br />
+            <sub style="font-size:14px"><b>Stefan VanBuren</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/sophware>
             <img src=https://avatars.githubusercontent.com/u/41669?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=sophware/>
@@ -563,6 +642,8 @@ make build
             <sub style="font-size:14px"><b>sophware</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/m-tanner-dev0>
             <img src=https://avatars.githubusercontent.com/u/97977342?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tanner/>
@@ -591,6 +672,13 @@ make build
             <sub style="font-size:14px"><b>Tianon Gravi</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/thetillhoff>
+            <img src=https://avatars.githubusercontent.com/u/25052289?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Till Hoffmann/>
+            <br />
+            <sub style="font-size:14px"><b>Till Hoffmann</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/woudsma>
             <img src=https://avatars.githubusercontent.com/u/6162978?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tjerk Woudsma/>
@@ -621,6 +709,13 @@ make build
             <sub style="font-size:14px"><b>Zakhar Bessarab</b></sub>
         </a>
     </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/zhzy0077>
+            <img src=https://avatars.githubusercontent.com/u/8717471?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Zhiyuan Zheng/>
+            <br />
+            <sub style="font-size:14px"><b>Zhiyuan Zheng</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/Bpazy>
             <img src=https://avatars.githubusercontent.com/u/9838749?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Ziyuan Han/>
@@ -635,6 +730,8 @@ make build
             <sub style="font-size:14px"><b>derelm</b></sub>
         </a>
     </td>
+</tr>
+<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/nning>
             <img src=https://avatars.githubusercontent.com/u/557430?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=henning mueller/>
@@ -642,8 +739,6 @@ make build
             <sub style="font-size:14px"><b>henning mueller</b></sub>
         </a>
     </td>
-</tr>
-<tr>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/ignoramous>
             <img src=https://avatars.githubusercontent.com/u/852289?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ignoramous/>
@@ -652,10 +747,24 @@ make build
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/lion24>
-            <img src=https://avatars.githubusercontent.com/u/1382102?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=lion24/>
+        <a href=https://github.com/magichuihui>
+            <img src=https://avatars.githubusercontent.com/u/10866198?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=suhelen/>
             <br />
-            <sub style="font-size:14px"><b>lion24</b></sub>
+            <sub style="font-size:14px"><b>suhelen</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/lion24>
+            <img src=https://avatars.githubusercontent.com/u/1382102?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=sharkonet/>
+            <br />
+            <sub style="font-size:14px"><b>sharkonet</b></sub>
+        </a>
+    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/manju-rn>
+            <img src=https://avatars.githubusercontent.com/u/26291847?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=manju-rn/>
+            <br />
+            <sub style="font-size:14px"><b>manju-rn</b></sub>
         </a>
     </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -665,6 +774,15 @@ make build
             <sub style="font-size:14px"><b>pernila</b></sub>
         </a>
     </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/phpmalik>
+            <img src=https://avatars.githubusercontent.com/u/26834645?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=phpmalik/>
+            <br />
+            <sub style="font-size:14px"><b>phpmalik</b></sub>
+        </a>
+    </td>
     <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
         <a href=https://github.com/Wakeful-Cloud>
             <img src=https://avatars.githubusercontent.com/u/38930607?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Wakeful-Cloud/>

acls.go

@@ -10,10 +10,12 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/rs/zerolog/log"
 	"github.com/tailscale/hujson"
 	"gopkg.in/yaml.v3"
+	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 )
 
@@ -54,6 +56,8 @@ const (
 	ProtocolFC       = 133 // Fibre Channel
 )
 
+var featureEnableSSH = envknob.RegisterBool("HEADSCALE_EXPERIMENTAL_FEATURE_SSH")
+
 // LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules.
 func (h *Headscale) LoadACLPolicy(path string) error {
 	log.Debug().
@@ -113,36 +117,50 @@ func (h *Headscale) LoadACLPolicy(path string) error {
 }
 
 func (h *Headscale) UpdateACLRules() error {
-	rules, err := h.generateACLRules()
+	machines, err := h.ListMachines()
+	if err != nil {
+		return err
+	}
+
+	if h.aclPolicy == nil {
+		return errEmptyPolicy
+	}
+
+	rules, err := generateACLRules(machines, *h.aclPolicy, h.cfg.OIDC.StripEmaildomain)
 	if err != nil {
 		return err
 	}
 	log.Trace().Interface("ACL", rules).Msg("ACL rules generated")
 	h.aclRules = rules
 
+	if featureEnableSSH() {
+		sshRules, err := h.generateSSHRules()
+		if err != nil {
+			return err
+		}
+		log.Trace().Interface("SSH", sshRules).Msg("SSH rules generated")
+		if h.sshPolicy == nil {
+			h.sshPolicy = &tailcfg.SSHPolicy{}
+		}
+		h.sshPolicy.Rules = sshRules
+	} else if h.aclPolicy != nil && len(h.aclPolicy.SSHs) > 0 {
+		log.Info().Msg("SSH ACLs has been defined, but HEADSCALE_EXPERIMENTAL_FEATURE_SSH is not enabled, this is a unstable feature, check docs before activating")
+	}
+
 	return nil
 }
 
-func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
+func generateACLRules(machines []Machine, aclPolicy ACLPolicy, stripEmaildomain bool) ([]tailcfg.FilterRule, error) {
 	rules := []tailcfg.FilterRule{}
 
-	if h.aclPolicy == nil {
-		return nil, errEmptyPolicy
-	}
-
-	machines, err := h.ListMachines()
-	if err != nil {
-		return nil, err
-	}
-
-	for index, acl := range h.aclPolicy.ACLs {
+	for index, acl := range aclPolicy.ACLs {
 		if acl.Action != "accept" {
 			return nil, errInvalidAction
 		}
 
 		srcIPs := []string{}
 		for innerIndex, src := range acl.Sources {
-			srcs, err := h.generateACLPolicySrcIP(machines, *h.aclPolicy, src)
+			srcs, err := generateACLPolicySrcIP(machines, aclPolicy, src, stripEmaildomain)
 			if err != nil {
 				log.Error().
 					Msgf("Error parsing ACL %d, Source %d", index, innerIndex)
@@ -162,11 +180,12 @@ func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
 
 		destPorts := []tailcfg.NetPortRange{}
 		for innerIndex, dest := range acl.Destinations {
-			dests, err := h.generateACLPolicyDest(
+			dests, err := generateACLPolicyDest(
 				machines,
-				*h.aclPolicy,
+				aclPolicy,
 				dest,
 				needsWildcard,
+				stripEmaildomain,
 			)
 			if err != nil {
 				log.Error().
@@ -187,19 +206,126 @@ func (h *Headscale) generateACLRules() ([]tailcfg.FilterRule, error) {
 	return rules, nil
 }
 
-func (h *Headscale) generateACLPolicySrcIP(
+func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
+	rules := []*tailcfg.SSHRule{}
+
+	if h.aclPolicy == nil {
+		return nil, errEmptyPolicy
+	}
+
+	machines, err := h.ListMachines()
+	if err != nil {
+		return nil, err
+	}
+
+	acceptAction := tailcfg.SSHAction{
+		Message:                  "",
+		Reject:                   false,
+		Accept:                   true,
+		SessionDuration:          0,
+		AllowAgentForwarding:     false,
+		HoldAndDelegate:          "",
+		AllowLocalPortForwarding: true,
+	}
+
+	rejectAction := tailcfg.SSHAction{
+		Message:                  "",
+		Reject:                   true,
+		Accept:                   false,
+		SessionDuration:          0,
+		AllowAgentForwarding:     false,
+		HoldAndDelegate:          "",
+		AllowLocalPortForwarding: false,
+	}
+
+	for index, sshACL := range h.aclPolicy.SSHs {
+		action := rejectAction
+		switch sshACL.Action {
+		case "accept":
+			action = acceptAction
+		case "check":
+			checkAction, err := sshCheckAction(sshACL.CheckPeriod)
+			if err != nil {
+				log.Error().
+					Msgf("Error parsing SSH %d, check action with unparsable duration '%s'", index, sshACL.CheckPeriod)
+			} else {
+				action = *checkAction
+			}
+		default:
+			log.Error().
+				Msgf("Error parsing SSH %d, unknown action '%s'", index, sshACL.Action)
+
+			return nil, err
+		}
+
+		principals := make([]*tailcfg.SSHPrincipal, 0, len(sshACL.Sources))
+		for innerIndex, rawSrc := range sshACL.Sources {
+			expandedSrcs, err := expandAlias(
+				machines,
+				*h.aclPolicy,
+				rawSrc,
+				h.cfg.OIDC.StripEmaildomain,
+			)
+			if err != nil {
+				log.Error().
+					Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
+
+				return nil, err
+			}
+			for _, expandedSrc := range expandedSrcs {
+				principals = append(principals, &tailcfg.SSHPrincipal{
+					NodeIP: expandedSrc,
+				})
+			}
+		}
+
+		userMap := make(map[string]string, len(sshACL.Users))
+		for _, user := range sshACL.Users {
+			userMap[user] = "="
+		}
+		rules = append(rules, &tailcfg.SSHRule{
+			RuleExpires: nil,
+			Principals:  principals,
+			SSHUsers:    userMap,
+			Action:      &action,
+		})
+	}
+
+	return rules, nil
+}
+
+func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
+	sessionLength, err := time.ParseDuration(duration)
+	if err != nil {
+		return nil, err
+	}
+
+	return &tailcfg.SSHAction{
+		Message:                  "",
+		Reject:                   false,
+		Accept:                   true,
+		SessionDuration:          sessionLength,
+		AllowAgentForwarding:     false,
+		HoldAndDelegate:          "",
+		AllowLocalPortForwarding: true,
+	}, nil
+}
+
+func generateACLPolicySrcIP(
 	machines []Machine,
 	aclPolicy ACLPolicy,
 	src string,
+	stripEmaildomain bool,
 ) ([]string, error) {
-	return expandAlias(machines, aclPolicy, src, h.cfg.OIDC.StripEmaildomain)
+	return expandAlias(machines, aclPolicy, src, stripEmaildomain)
 }
 
-func (h *Headscale) generateACLPolicyDest(
+func generateACLPolicyDest(
 	machines []Machine,
 	aclPolicy ACLPolicy,
 	dest string,
 	needsWildcard bool,
+	stripEmaildomain bool,
 ) ([]tailcfg.NetPortRange, error) {
 	tokens := strings.Split(dest, ":")
 	if len(tokens) < expectedTokenItems || len(tokens) > 3 {
@@ -223,7 +349,7 @@ func (h *Headscale) generateACLPolicyDest(
 		machines,
 		aclPolicy,
 		alias,
-		h.cfg.OIDC.StripEmaildomain,
+		stripEmaildomain,
 	)
 	if err != nil {
 		return nil, err
@@ -260,12 +386,7 @@ func (h *Headscale) generateACLPolicyDest(
 func parseProtocol(protocol string) ([]int, bool, error) {
 	switch protocol {
 	case "":
-		return []int{
-			protocolICMP,
-			protocolIPv6ICMP,
-			protocolTCP,
-			protocolUDP,
-		}, false, nil
+		return nil, false, nil
 	case "igmp":
 		return []int{protocolIGMP}, true, nil
 	case "ipv4", "ip-in-ip":

acls_test.go

@@ -7,6 +7,7 @@ import (
 	"testing"
 
 	"gopkg.in/check.v1"
+	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 )
 
@@ -53,7 +54,7 @@ func (s *Suite) TestBasicRule(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_1.hujson")
 	c.Assert(err, check.IsNil)
 
-	rules, err := app.generateACLRules()
+	rules, err := generateACLRules([]Machine{}, *app.aclPolicy, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 }
@@ -73,6 +74,81 @@ func (s *Suite) TestInvalidAction(c *check.C) {
 	c.Assert(errors.Is(err, errInvalidAction), check.Equals, true)
 }
 
+func (s *Suite) TestSshRules(c *check.C) {
+	envknob.Setenv("HEADSCALE_EXPERIMENTAL_FEATURE_SSH", "1")
+
+	namespace, err := app.CreateNamespace("user1")
+	c.Assert(err, check.IsNil)
+
+	pak, err := app.CreatePreAuthKey(namespace.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = app.GetMachine("user1", "testmachine")
+	c.Assert(err, check.NotNil)
+	hostInfo := tailcfg.Hostinfo{
+		OS:          "centos",
+		Hostname:    "testmachine",
+		RequestTags: []string{"tag:test"},
+	}
+
+	machine := Machine{
+		ID:             0,
+		MachineKey:     "foo",
+		NodeKey:        "bar",
+		DiscoKey:       "faa",
+		Hostname:       "testmachine",
+		IPAddresses:    MachineAddresses{netip.MustParseAddr("100.64.0.1")},
+		NamespaceID:    namespace.ID,
+		RegisterMethod: RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+		HostInfo:       HostInfo(hostInfo),
+	}
+	app.db.Save(&machine)
+
+	app.aclPolicy = &ACLPolicy{
+		Groups: Groups{
+			"group:test": []string{"user1"},
+		},
+		Hosts: Hosts{
+			"client": netip.PrefixFrom(netip.MustParseAddr("100.64.99.42"), 32),
+		},
+		ACLs: []ACL{
+			{
+				Action:       "accept",
+				Sources:      []string{"*"},
+				Destinations: []string{"*:*"},
+			},
+		},
+		SSHs: []SSH{
+			{
+				Action:       "accept",
+				Sources:      []string{"group:test"},
+				Destinations: []string{"client"},
+				Users:        []string{"autogroup:nonroot"},
+			},
+			{
+				Action:       "accept",
+				Sources:      []string{"*"},
+				Destinations: []string{"client"},
+				Users:        []string{"autogroup:nonroot"},
+			},
+		},
+	}
+
+	err = app.UpdateACLRules()
+
+	c.Assert(err, check.IsNil)
+	c.Assert(app.sshPolicy, check.NotNil)
+	c.Assert(app.sshPolicy.Rules, check.HasLen, 2)
+	c.Assert(app.sshPolicy.Rules[0].SSHUsers, check.HasLen, 1)
+	c.Assert(app.sshPolicy.Rules[0].Principals, check.HasLen, 1)
+	c.Assert(app.sshPolicy.Rules[0].Principals[0].NodeIP, check.Matches, "100.64.0.1")
+
+	c.Assert(app.sshPolicy.Rules[1].SSHUsers, check.HasLen, 1)
+	c.Assert(app.sshPolicy.Rules[1].Principals, check.HasLen, 1)
+	c.Assert(app.sshPolicy.Rules[1].Principals[0].NodeIP, check.Matches, "*")
+}
+
 func (s *Suite) TestInvalidGroupInGroup(c *check.C) {
 	// this ACL is wrong because the group in Sources sections doesn't exist
 	app.aclPolicy = &ACLPolicy{
@@ -335,7 +411,7 @@ func (s *Suite) TestPortRange(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_range.hujson")
 	c.Assert(err, check.IsNil)
 
-	rules, err := app.generateACLRules()
+	rules, err := generateACLRules([]Machine{}, *app.aclPolicy, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 
@@ -349,7 +425,7 @@ func (s *Suite) TestProtocolParsing(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_protocols.hujson")
 	c.Assert(err, check.IsNil)
 
-	rules, err := app.generateACLRules()
+	rules, err := generateACLRules([]Machine{}, *app.aclPolicy, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 
@@ -363,7 +439,7 @@ func (s *Suite) TestPortWildcard(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_wildcards.hujson")
 	c.Assert(err, check.IsNil)
 
-	rules, err := app.generateACLRules()
+	rules, err := generateACLRules([]Machine{}, *app.aclPolicy, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 
@@ -379,7 +455,7 @@ func (s *Suite) TestPortWildcardYAML(c *check.C) {
 	err := app.LoadACLPolicy("./tests/acls/acl_policy_basic_wildcards.yaml")
 	c.Assert(err, check.IsNil)
 
-	rules, err := app.generateACLRules()
+	rules, err := generateACLRules([]Machine{}, *app.aclPolicy, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 
@@ -419,7 +495,10 @@ func (s *Suite) TestPortNamespace(c *check.C) {
 	)
 	c.Assert(err, check.IsNil)
 
-	rules, err := app.generateACLRules()
+	machines, err := app.ListMachines()
+	c.Assert(err, check.IsNil)
+
+	rules, err := generateACLRules(machines, *app.aclPolicy, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 
@@ -459,7 +538,10 @@ func (s *Suite) TestPortGroup(c *check.C) {
 	err = app.LoadACLPolicy("./tests/acls/acl_policy_basic_groups.hujson")
 	c.Assert(err, check.IsNil)
 
-	rules, err := app.generateACLRules()
+	machines, err := app.ListMachines()
+	c.Assert(err, check.IsNil)
+
+	rules, err := generateACLRules(machines, *app.aclPolicy, false)
 	c.Assert(err, check.IsNil)
 	c.Assert(rules, check.NotNil)
 

acls_types.go

@@ -17,6 +17,7 @@ type ACLPolicy struct {
 	ACLs          []ACL         `json:"acls"          yaml:"acls"`
 	Tests         []ACLTest     `json:"tests"         yaml:"tests"`
 	AutoApprovers AutoApprovers `json:"autoApprovers" yaml:"autoApprovers"`
+	SSHs          []SSH         `json:"ssh"           yaml:"ssh"`
 }
 
 // ACL is a basic rule for the ACL Policy.
@@ -50,6 +51,15 @@ type AutoApprovers struct {
 	ExitNode []string            `json:"exitNode" yaml:"exitNode"`
 }
 
+// SSH controls who can ssh into which machines.
+type SSH struct {
+	Action       string   `json:"action"                yaml:"action"`
+	Sources      []string `json:"src"                   yaml:"src"`
+	Destinations []string `json:"dst"                   yaml:"dst"`
+	Users        []string `json:"users"                 yaml:"users"`
+	CheckPeriod  string   `json:"checkPeriod,omitempty" yaml:"checkPeriod,omitempty"`
+}
+
 // UnmarshalJSON allows to parse the Hosts directly into netip objects.
 func (hosts *Hosts) UnmarshalJSON(data []byte) error {
 	newHosts := Hosts{}
@@ -125,7 +135,7 @@ func (autoApprovers *AutoApprovers) GetRouteApprovers(
 			return nil, err
 		}
 
-		if autoApprovedPrefix.Bits() >= prefix.Bits() &&
+		if prefix.Bits() >= autoApprovedPrefix.Bits() &&
 			autoApprovedPrefix.Contains(prefix.Masked().Addr()) {
 			approverAliases = append(approverAliases, autoApproverAliases...)
 		}

api.go

@@ -9,6 +9,7 @@ import (
 
 	"github.com/gorilla/mux"
 	"github.com/rs/zerolog/log"
+	"tailscale.com/types/key"
 )
 
 const (
@@ -93,7 +94,34 @@ func (h *Headscale) RegisterWebAPI(
 ) {
 	vars := mux.Vars(req)
 	nodeKeyStr, ok := vars["nkey"]
-	if !ok || nodeKeyStr == "" {
+
+	if !NodePublicKeyRegex.Match([]byte(nodeKeyStr)) {
+		log.Warn().Str("node_key", nodeKeyStr).Msg("Invalid node key passed to registration url")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusUnauthorized)
+		_, err := writer.Write([]byte("Unauthorized"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
+
+	// We need to make sure we dont open for XSS style injections, if the parameter that
+	// is passed as a key is not parsable/validated as a NodePublic key, then fail to render
+	// the template and log an error.
+	var nodeKey key.NodePublic
+	err := nodeKey.UnmarshalText(
+		[]byte(NodePublicKeyEnsurePrefix(nodeKeyStr)),
+	)
+
+	if !ok || nodeKeyStr == "" || err != nil {
+		log.Warn().Err(err).Msg("Failed to parse incoming nodekey")
+
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		writer.WriteHeader(http.StatusBadRequest)
 		_, err := writer.Write([]byte("Wrong params"))
@@ -130,7 +158,7 @@ func (h *Headscale) RegisterWebAPI(
 
 	writer.Header().Set("Content-Type", "text/html; charset=utf-8")
 	writer.WriteHeader(http.StatusOK)
-	_, err := writer.Write(content.Bytes())
+	_, err = writer.Write(content.Bytes())
 	if err != nil {
 		log.Error().
 			Caller().

api_common.go

@@ -35,7 +35,7 @@ func (h *Headscale) generateMapResponse(
 		return nil, err
 	}
 
-	profiles := getMapResponseUserProfiles(*machine, peers)
+	profiles := h.getMapResponseUserProfiles(*machine, peers)
 
 	nodePeers, err := peers.toNodes(h.cfg.BaseDomain, h.cfg.DNSConfig)
 	if err != nil {
@@ -62,6 +62,7 @@ func (h *Headscale) generateMapResponse(
 		DNSConfig:    dnsConfig,
 		Domain:       h.cfg.BaseDomain,
 		PacketFilter: h.aclRules,
+		SSHPolicy:    h.sshPolicy,
 		DERPMap:      h.DERPMap,
 		UserProfiles: profiles,
 		Debug: &tailcfg.Debug{

app.go

@@ -11,6 +11,7 @@ import (
 	"os"
 	"os/signal"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"
 	"syscall"
@@ -24,7 +25,7 @@ import (
 	"github.com/patrickmn/go-cache"
 	zerolog "github.com/philip-bui/grpc-zerolog"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
-	"github.com/puzpuzpuz/xsync"
+	"github.com/puzpuzpuz/xsync/v2"
 	zl "github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"golang.org/x/crypto/acme"
@@ -51,12 +52,6 @@ const (
 	errUnsupportedLetsEncryptChallengeType = Error(
 		"unknown value for Lets Encrypt challenge type",
 	)
-
-	ErrFailedPrivateKey      = Error("failed to read or create private key")
-	ErrFailedNoisePrivateKey = Error(
-		"failed to read or create Noise protocol private key",
-	)
-	ErrSamePrivateKeys = Error("private key and noise private key are the same")
 )
 
 const (
@@ -93,8 +88,9 @@ type Headscale struct {
 
 	aclPolicy *ACLPolicy
 	aclRules  []tailcfg.FilterRule
+	sshPolicy *tailcfg.SSHPolicy
 
-	lastStateChange *xsync.MapOf[time.Time]
+	lastStateChange *xsync.MapOf[string, time.Time]
 
 	oidcProvider *oidc.Provider
 	oauth2Config *oauth2.Config
@@ -107,41 +103,20 @@ type Headscale struct {
 	pollNetMapStreamWG sync.WaitGroup
 }
 
-// Look up the TLS constant relative to user-supplied TLS client
-// authentication mode. If an unknown mode is supplied, the default
-// value, tls.RequireAnyClientCert, is returned. The returned boolean
-// indicates if the supplied mode was valid.
-func LookupTLSClientAuthMode(mode string) (tls.ClientAuthType, bool) {
-	switch mode {
-	case DisabledClientAuth:
-		// Client cert is _not_ required.
-		return tls.NoClientCert, true
-	case RelaxedClientAuth:
-		// Client cert required, but _not verified_.
-		return tls.RequireAnyClientCert, true
-	case EnforcedClientAuth:
-		// Client cert is _required and verified_.
-		return tls.RequireAndVerifyClientCert, true
-	default:
-		// Return the default when an unknown value is supplied.
-		return tls.RequireAnyClientCert, false
-	}
-}
-
 func NewHeadscale(cfg *Config) (*Headscale, error) {
 	privateKey, err := readOrCreatePrivateKey(cfg.PrivateKeyPath)
 	if err != nil {
-		return nil, ErrFailedPrivateKey
+		return nil, fmt.Errorf("failed to read or create private key: %w", err)
 	}
 
 	// TS2021 requires to have a different key from the legacy protocol.
 	noisePrivateKey, err := readOrCreatePrivateKey(cfg.NoisePrivateKeyPath)
 	if err != nil {
-		return nil, ErrFailedNoisePrivateKey
+		return nil, fmt.Errorf("failed to read or create Noise protocol private key: %w", err)
 	}
 
 	if privateKey.Equal(*noisePrivateKey) {
-		return nil, ErrSamePrivateKeys
+		return nil, fmt.Errorf("private key and noise private key are the same: %w", err)
 	}
 
 	var dbString string
@@ -154,8 +129,12 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 			cfg.DBuser,
 		)
 
-		if !cfg.DBssl {
-			dbString += " sslmode=disable"
+		if sslEnabled, err := strconv.ParseBool(cfg.DBssl); err == nil {
+			if !sslEnabled {
+				dbString += " sslmode=disable"
+			}
+		} else {
+			dbString += fmt.Sprintf(" sslmode=%s", cfg.DBssl)
 		}
 
 		if cfg.DBport != 0 {
@@ -194,10 +173,12 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 
 	if cfg.OIDC.Issuer != "" {
 		err = app.initOIDC()
-		if err != nil && cfg.OIDC.OnlyStartIfOIDCIsAvailable {
-			return nil, err
-		} else {
-			log.Warn().Err(err).Msg("failed to set up OIDC provider, falling back to CLI based authentication")
+		if err != nil {
+			if cfg.OIDC.OnlyStartIfOIDCIsAvailable {
+				return nil, err
+			} else {
+				log.Warn().Err(err).Msg("failed to set up OIDC provider, falling back to CLI based authentication")
+			}
 		}
 	}
 
@@ -452,9 +433,8 @@ func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *mux.Router {
 	router.HandleFunc("/health", h.HealthHandler).Methods(http.MethodGet)
 	router.HandleFunc("/key", h.KeyHandler).Methods(http.MethodGet)
 	router.HandleFunc("/register/{nkey}", h.RegisterWebAPI).Methods(http.MethodGet)
-	router.HandleFunc("/machine/{mkey}/map", h.PollNetMapHandler).
-		Methods(http.MethodPost)
-	router.HandleFunc("/machine/{mkey}", h.RegistrationHandler).Methods(http.MethodPost)
+	h.addLegacyHandlers(router)
+
 	router.HandleFunc("/oidc/register/{nkey}", h.RegisterOIDC).Methods(http.MethodGet)
 	router.HandleFunc("/oidc/callback", h.OIDCCallback).Methods(http.MethodGet)
 	router.HandleFunc("/apple", h.AppleConfigMessage).Methods(http.MethodGet)
@@ -860,12 +840,7 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 			log.Warn().Msg("Listening with TLS but ServerURL does not start with https://")
 		}
 
-		log.Info().Msg(fmt.Sprintf(
-			"Client authentication (mTLS) is \"%s\". See the docs to learn about configuring this setting.",
-			h.cfg.TLS.ClientAuthMode))
-
 		tlsConfig := &tls.Config{
-			ClientAuth:   h.cfg.TLS.ClientAuthMode,
 			NextProtos:   []string{"http/1.1"},
 			Certificates: make([]tls.Certificate, 1),
 			MinVersion:   tls.VersionTLS12,
@@ -882,7 +857,7 @@ func (h *Headscale) setLastStateChangeToNow() {
 
 	now := time.Now().UTC()
 
-	namespaces, err := h.ListNamespacesStr()
+	namespaces, err := h.ListNamespaces()
 	if err != nil {
 		log.Error().
 			Caller().
@@ -891,22 +866,22 @@ func (h *Headscale) setLastStateChangeToNow() {
 	}
 
 	for _, namespace := range namespaces {
-		lastStateUpdate.WithLabelValues(namespace, "headscale").Set(float64(now.Unix()))
+		lastStateUpdate.WithLabelValues(namespace.Name, "headscale").Set(float64(now.Unix()))
 		if h.lastStateChange == nil {
 			h.lastStateChange = xsync.NewMapOf[time.Time]()
 		}
-		h.lastStateChange.Store(namespace, now)
+		h.lastStateChange.Store(namespace.Name, now)
 	}
 }
 
-func (h *Headscale) getLastStateChange(namespaces ...string) time.Time {
+func (h *Headscale) getLastStateChange(namespaces ...Namespace) time.Time {
 	times := []time.Time{}
 
 	// getLastStateChange takes a list of namespaces as a "filter", if no namespaces
 	// are past, then use the entier list of namespaces and look for the last update
 	if len(namespaces) > 0 {
 		for _, namespace := range namespaces {
-			if lastChange, ok := h.lastStateChange.Load(namespace); ok {
+			if lastChange, ok := h.lastStateChange.Load(namespace.Name); ok {
 				times = append(times, lastChange)
 			}
 		}

app_test.go

@@ -59,20 +59,3 @@ func (s *Suite) ResetDB(c *check.C) {
 	}
 	app.db = db
 }
-
-// Enusre an error is returned when an invalid auth mode
-// is supplied.
-func (s *Suite) TestInvalidClientAuthMode(c *check.C) {
-	_, isValid := LookupTLSClientAuthMode("invalid")
-	c.Assert(isValid, check.Equals, false)
-}
-
-// Ensure that all client auth modes return a nil error.
-func (s *Suite) TestAuthModes(c *check.C) {
-	modes := []string{"disabled", "relaxed", "enforced"}
-
-	for _, v := range modes {
-		_, isValid := LookupTLSClientAuthMode(v)
-		c.Assert(isValid, check.Equals, true)
-	}
-}

cmd/headscale/cli/debug.go

@@ -3,6 +3,7 @@ package cli
 import (
 	"fmt"
 
+	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
@@ -10,8 +11,7 @@ import (
 )
 
 const (
-	keyLength             = 64
-	errPreAuthKeyTooShort = Error("key too short, must be 64 hexadecimal characters")
+	errPreAuthKeyMalformed = Error("key is malformed. expected 64 hex characters with `nodekey` prefix")
 )
 
 // Error is used to compare errors as per https://dave.cheney.net/2016/04/07/constant-errors
@@ -87,8 +87,8 @@ var createNodeCmd = &cobra.Command{
 
 			return
 		}
-		if len(machineKey) != keyLength {
-			err = errPreAuthKeyTooShort
+		if !headscale.NodePublicKeyRegex.Match([]byte(machineKey)) {
+			err = errPreAuthKeyMalformed
 			ErrorOutput(
 				err,
 				fmt.Sprintf("Error: %s", err),

cmd/headscale/cli/mockoidc.go

@@ -46,6 +46,10 @@ func mockOIDC() error {
 	if clientSecret == "" {
 		return errMockOidcClientSecretNotDefined
 	}
+	addrStr := os.Getenv("MOCKOIDC_ADDR")
+	if addrStr == "" {
+		return errMockOidcPortNotDefined
+	}
 	portStr := os.Getenv("MOCKOIDC_PORT")
 	if portStr == "" {
 		return errMockOidcPortNotDefined
@@ -61,7 +65,7 @@ func mockOIDC() error {
 		return err
 	}
 
-	listener, err := net.Listen("tcp", fmt.Sprintf("mockoidc:%d", port))
+	listener, err := net.Listen("tcp", fmt.Sprintf("%s:%d", addrStr, port))
 	if err != nil {
 		return err
 	}

cmd/headscale/cli/nodes.go

@@ -134,7 +134,9 @@ var registerNodeCmd = &cobra.Command{
 			return
 		}
 
-		SuccessOutput(response.Machine, "Machine register", output)
+		SuccessOutput(
+			response.Machine,
+			fmt.Sprintf("Machine %s registered", response.Machine.GivenName), output)
 	},
 }
 

cmd/headscale/cli/root.go

@@ -15,7 +15,7 @@ import (
 var cfgFile string = ""
 
 func init() {
-	if len(os.Args) > 1 && os.Args[1] == "version" || os.Args[1] == "mockoidc" {
+	if len(os.Args) > 1 && (os.Args[1] == "version" || os.Args[1] == "mockoidc" || os.Args[1] == "completion") {
 		return
 	}
 

cmd/headscale/cli/utils.go

@@ -19,6 +19,7 @@ import (
 
 const (
 	HeadscaleDateTimeFormat = "2006-01-02 15:04:05"
+	SocketWritePermissions  = 0o666
 )
 
 func getHeadscaleApp() (*headscale.Headscale, error) {
@@ -81,6 +82,19 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 
 		address = cfg.UnixSocket
 
+		// Try to give the user better feedback if we cannot write to the headscale
+		// socket.
+		socket, err := os.OpenFile(cfg.UnixSocket, os.O_WRONLY, SocketWritePermissions) //nolint
+		if err != nil {
+			if os.IsPermission(err) {
+				log.Fatal().
+					Err(err).
+					Str("socket", cfg.UnixSocket).
+					Msgf("Unable to read/write to headscale socket, do you have the correct permissions?")
+			}
+		}
+		socket.Close()
+
 		grpcOptions = append(
 			grpcOptions,
 			grpc.WithTransportCredentials(insecure.NewCredentials()),

cmd/headscale/headscale_test.go

@@ -55,10 +55,10 @@ func (*Suite) TestConfigFileLoading(c *check.C) {
 
 	// Test that config file was interpreted correctly
 	c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
-	c.Assert(viper.GetString("listen_addr"), check.Equals, "0.0.0.0:8080")
+	c.Assert(viper.GetString("listen_addr"), check.Equals, "127.0.0.1:8080")
 	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
 	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
-	c.Assert(viper.GetString("db_path"), check.Equals, "/var/lib/headscale/db.sqlite")
+	c.Assert(viper.GetString("db_path"), check.Equals, "./db.sqlite")
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
@@ -98,10 +98,10 @@ func (*Suite) TestConfigLoading(c *check.C) {
 
 	// Test that config file was interpreted correctly
 	c.Assert(viper.GetString("server_url"), check.Equals, "http://127.0.0.1:8080")
-	c.Assert(viper.GetString("listen_addr"), check.Equals, "0.0.0.0:8080")
+	c.Assert(viper.GetString("listen_addr"), check.Equals, "127.0.0.1:8080")
 	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
 	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
-	c.Assert(viper.GetString("db_path"), check.Equals, "/var/lib/headscale/db.sqlite")
+	c.Assert(viper.GetString("db_path"), check.Equals, "./db.sqlite")
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")

config-example.yaml

@@ -14,7 +14,9 @@ server_url: http://127.0.0.1:8080
 
 # Address to listen to / bind to on the server
 #
-listen_addr: 0.0.0.0:8080
+# For production:
+# listen_addr: 0.0.0.0:8080
+listen_addr: 127.0.0.1:8080
 
 # Address to listen to /metrics, you may want
 # to keep this endpoint private to your internal
@@ -27,7 +29,10 @@ metrics_listen_addr: 127.0.0.1:9090
 # remotely with the CLI
 # Note: Remote access _only_ works if you have
 # valid certificates.
-grpc_listen_addr: 0.0.0.0:50443
+#
+# For production:
+# grpc_listen_addr: 0.0.0.0:50443
+grpc_listen_addr: 127.0.0.1:50443
 
 # Allow the gRPC admin interface to run in INSECURE
 # mode. This is not recommended as the traffic will
@@ -35,20 +40,25 @@ grpc_listen_addr: 0.0.0.0:50443
 # are doing.
 grpc_allow_insecure: false
 
-# Private key used encrypt the traffic between headscale
+# Private key used to encrypt the traffic between headscale
 # and Tailscale clients.
-# The private key file which will be
-# autogenerated if it's missing
-private_key_path: /var/lib/headscale/private.key
+# The private key file will be autogenerated if it's missing.
+#
+# For production:
+# /var/lib/headscale/private.key
+private_key_path: ./private.key
 
 # The Noise section includes specific configuration for the
-# TS2021 Noise procotol
+# TS2021 Noise protocol
 noise:
   # The Noise private key is used to encrypt the
   # traffic between headscale and Tailscale clients when
   # using the new Noise-based protocol. It must be different
   # from the legacy private key.
-  private_key_path: /var/lib/headscale/noise_private.key
+  #
+  # For production:
+  # private_key_path: /var/lib/headscale/noise_private.key
+  private_key_path: ./noise_private.key
 
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
@@ -78,7 +88,7 @@ derp:
     region_code: "headscale"
     region_name: "Headscale Embedded DERP"
 
-    # Listens in UDP at the configured address for STUN connections to help on NAT traversal.
+    # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
     # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
     #
     # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
@@ -112,15 +122,18 @@ disable_check_updates: false
 # Time before an inactive ephemeral node is deleted?
 ephemeral_node_inactivity_timeout: 30m
 
-# Period to check for node updates in the tailnet. A value too low will severily affect
+# Period to check for node updates within the tailnet. A value too low will severely affect
 # CPU consumption of Headscale. A value too high (over 60s) will cause problems
-# to the nodes, as they won't get updates or keep alive messages in time.
+# for the nodes, as they won't get updates or keep alive messages frequently enough.
 # In case of doubts, do not touch the default 10s.
 node_update_check_interval: 10s
 
 # SQLite config
 db_type: sqlite3
-db_path: /var/lib/headscale/db.sqlite
+
+# For production:
+# db_path: /var/lib/headscale/db.sqlite
+db_path: ./db.sqlite
 
 # # Postgres config
 # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
@@ -130,6 +143,9 @@ db_path: /var/lib/headscale/db.sqlite
 # db_name: headscale
 # db_user: foo
 # db_pass: bar
+
+# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need
+# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1.
 # db_ssl: false
 
 ### TLS configuration
@@ -148,23 +164,18 @@ acme_email: ""
 # Domain name to request a TLS certificate for:
 tls_letsencrypt_hostname: ""
 
-# Client (Tailscale/Browser) authentication mode (mTLS)
-# Acceptable values:
-# - disabled: client authentication disabled
-# - relaxed: client certificate is required but not verified
-# - enforced: client certificate is required and verified
-tls_client_auth_mode: relaxed
-
 # Path to store certificates and metadata needed by
 # letsencrypt
-tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+# For production:
+# tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+tls_letsencrypt_cache_dir: ./cache
 
 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
 # See [docs/tls.md](docs/tls.md) for more information
 tls_letsencrypt_challenge_type: HTTP-01
 # When HTTP-01 challenge is chosen, letsencrypt must set up a
-# verification endpoint, and it will be listning on:
+# verification endpoint, and it will be listening on:
 # :http = port 80
 tls_letsencrypt_listen: ":http"
 
@@ -192,10 +203,25 @@ acl_policy_path: ""
 # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
 #
 dns_config:
+  # Whether to prefer using Headscale provided DNS or use local.
+  override_local_dns: true
+
   # List of DNS servers to expose to clients.
   nameservers:
     - 1.1.1.1
 
+  # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+  # "abc123" is example NextDNS ID, replace with yours.
+  #
+  # With metadata sharing:
+  # nameservers:
+  #   - https://dns.nextdns.io/abc123
+  #
+  # Without metadata sharing:
+  # nameservers:
+  #   - 2a07:a8c0::ab:c123
+  #   - 2a07:a8c1::ab:c123
+
   # Split DNS (see https://tailscale.com/kb/1054/dns/),
   # list of search domains and the DNS to query for each one.
   #
@@ -220,9 +246,9 @@ dns_config:
   base_domain: example.com
 
 # Unix socket used for the CLI to connect without authentication
-# Note: for local development, you probably want to change this to:
-# unix_socket: ./headscale.sock
-unix_socket: /var/run/headscale.sock
+# Note: for production you will want to set this to something like:
+# unix_socket: /var/run/headscale.sock
+unix_socket: ./headscale.sock
 unix_socket_permission: "0770"
 #
 # headscale supports experimental OpenID connect support,

config.go

@@ -1,7 +1,6 @@
 package headscale
 
 import (
-	"crypto/tls"
 	"errors"
 	"fmt"
 	"io/fs"
@@ -52,7 +51,7 @@ type Config struct {
 	DBname string
 	DBuser string
 	DBpass string
-	DBssl  bool
+	DBssl  string
 
 	TLS TLSConfig
 
@@ -75,9 +74,8 @@ type Config struct {
 }
 
 type TLSConfig struct {
-	CertPath       string
-	KeyPath        string
-	ClientAuthMode tls.ClientAuthType
+	CertPath string
+	KeyPath  string
 
 	LetsEncrypt LetsEncryptConfig
 }
@@ -154,12 +152,12 @@ func LoadConfig(path string, isFile bool) error {
 
 	viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
 	viper.SetDefault("tls_letsencrypt_challenge_type", http01ChallengeType)
-	viper.SetDefault("tls_client_auth_mode", "relaxed")
 
 	viper.SetDefault("log.level", "info")
 	viper.SetDefault("log.format", TextLogFormat)
 
 	viper.SetDefault("dns_config", nil)
+	viper.SetDefault("dns_config.override_local_dns", true)
 
 	viper.SetDefault("derp.server.enabled", false)
 	viper.SetDefault("derp.server.stun.enabled", true)
@@ -184,6 +182,10 @@ func LoadConfig(path string, isFile bool) error {
 
 	viper.SetDefault("node_update_check_interval", "10s")
 
+	if IsCLIConfigured() {
+		return nil
+	}
+
 	if err := viper.ReadInConfig(); err != nil {
 		log.Warn().Err(err).Msg("Failed to read configuration from disk")
 
@@ -219,19 +221,6 @@ func LoadConfig(path string, isFile bool) error {
 		errorText += "Fatal config error: server_url must start with https:// or http://\n"
 	}
 
-	_, authModeValid := LookupTLSClientAuthMode(
-		viper.GetString("tls_client_auth_mode"),
-	)
-
-	if !authModeValid {
-		errorText += fmt.Sprintf(
-			"Invalid tls_client_auth_mode supplied: %s. Accepted values: %s, %s, %s.",
-			viper.GetString("tls_client_auth_mode"),
-			DisabledClientAuth,
-			RelaxedClientAuth,
-			EnforcedClientAuth)
-	}
-
 	// Minimum inactivity time out is keepalive timeout (60s) plus a few seconds
 	// to avoid races
 	minInactivityTimeout, _ := time.ParseDuration("65s")
@@ -261,10 +250,6 @@ func LoadConfig(path string, isFile bool) error {
 }
 
 func GetTLSConfig() TLSConfig {
-	tlsClientAuthMode, _ := LookupTLSClientAuthMode(
-		viper.GetString("tls_client_auth_mode"),
-	)
-
 	return TLSConfig{
 		LetsEncrypt: LetsEncryptConfig{
 			Hostname: viper.GetString("tls_letsencrypt_hostname"),
@@ -280,7 +265,6 @@ func GetTLSConfig() TLSConfig {
 		KeyPath: AbsolutePathFromConfigPath(
 			viper.GetString("tls_key_path"),
 		),
-		ClientAuthMode: tlsClientAuthMode,
 	}
 }
 
@@ -377,13 +361,26 @@ func GetDNSConfig() (*tailcfg.DNSConfig, string) {
 	if viper.IsSet("dns_config") {
 		dnsConfig := &tailcfg.DNSConfig{}
 
+		overrideLocalDNS := viper.GetBool("dns_config.override_local_dns")
+
 		if viper.IsSet("dns_config.nameservers") {
 			nameserversStr := viper.GetStringSlice("dns_config.nameservers")
 
-			nameservers := make([]netip.Addr, len(nameserversStr))
-			resolvers := make([]*dnstype.Resolver, len(nameserversStr))
+			nameservers := []netip.Addr{}
+			resolvers := []*dnstype.Resolver{}
 
-			for index, nameserverStr := range nameserversStr {
+			for _, nameserverStr := range nameserversStr {
+				// Search for explicit DNS-over-HTTPS resolvers
+				if strings.HasPrefix(nameserverStr, "https://") {
+					resolvers = append(resolvers, &dnstype.Resolver{
+						Addr: nameserverStr,
+					})
+
+					// This nameserver can not be parsed as an IP address
+					continue
+				}
+
+				// Parse nameserver as a regular IP
 				nameserver, err := netip.ParseAddr(nameserverStr)
 				if err != nil {
 					log.Error().
@@ -392,14 +389,19 @@ func GetDNSConfig() (*tailcfg.DNSConfig, string) {
 						Msgf("Could not parse nameserver IP: %s", nameserverStr)
 				}
 
-				nameservers[index] = nameserver
-				resolvers[index] = &dnstype.Resolver{
+				nameservers = append(nameservers, nameserver)
+				resolvers = append(resolvers, &dnstype.Resolver{
 					Addr: nameserver.String(),
-				}
+				})
 			}
 
 			dnsConfig.Nameservers = nameservers
-			dnsConfig.Resolvers = resolvers
+
+			if overrideLocalDNS {
+				dnsConfig.Resolvers = resolvers
+			} else {
+				dnsConfig.FallbackResolvers = resolvers
+			}
 		}
 
 		if viper.IsSet("dns_config.restricted_nameservers") {
@@ -434,17 +436,17 @@ func GetDNSConfig() (*tailcfg.DNSConfig, string) {
 		}
 
 		if viper.IsSet("dns_config.domains") {
-			dnsConfig.Domains = viper.GetStringSlice("dns_config.domains")
+			domains := viper.GetStringSlice("dns_config.domains")
+			if len(dnsConfig.Nameservers) > 0 {
+				dnsConfig.Domains = domains
+			} else if domains != nil {
+				log.Warn().
+					Msg("Warning: dns_config.domains is set, but no nameservers are configured. Ignoring domains.")
+			}
 		}
 
 		if viper.IsSet("dns_config.magic_dns") {
-			magicDNS := viper.GetBool("dns_config.magic_dns")
-			if len(dnsConfig.Nameservers) > 0 {
-				dnsConfig.Proxied = magicDNS
-			} else if magicDNS {
-				log.Warn().
-					Msg("Warning: dns_config.magic_dns is set, but no nameservers are configured. Ignoring magic_dns.")
-			}
+			dnsConfig.Proxied = viper.GetBool("dns_config.magic_dns")
 		}
 
 		var baseDomain string
@@ -461,6 +463,17 @@ func GetDNSConfig() (*tailcfg.DNSConfig, string) {
 }
 
 func GetHeadscaleConfig() (*Config, error) {
+	if IsCLIConfigured() {
+		return &Config{
+			CLI: CLIConfig{
+				Address:  viper.GetString("cli.address"),
+				APIKey:   viper.GetString("cli.api_key"),
+				Timeout:  viper.GetDuration("cli.timeout"),
+				Insecure: viper.GetBool("cli.insecure"),
+			},
+		}, nil
+	}
+
 	dnsConfig, baseDomain := GetDNSConfig()
 	derpConfig := GetDERPConfig()
 	logConfig := GetLogTailConfig()
@@ -469,22 +482,6 @@ func GetHeadscaleConfig() (*Config, error) {
 	configuredPrefixes := viper.GetStringSlice("ip_prefixes")
 	parsedPrefixes := make([]netip.Prefix, 0, len(configuredPrefixes)+1)
 
-	legacyPrefixField := viper.GetString("ip_prefix")
-	if len(legacyPrefixField) > 0 {
-		log.
-			Warn().
-			Msgf(
-				"%s, %s",
-				"use of 'ip_prefix' for configuration is deprecated",
-				"please see 'ip_prefixes' in the shipped example.",
-			)
-		legacyPrefix, err := netip.ParsePrefix(legacyPrefixField)
-		if err != nil {
-			panic(fmt.Errorf("failed to parse ip_prefix: %w", err))
-		}
-		parsedPrefixes = append(parsedPrefixes, legacyPrefix)
-	}
-
 	for i, prefixInConfig := range configuredPrefixes {
 		prefix, err := netip.ParsePrefix(prefixInConfig)
 		if err != nil {
@@ -548,7 +545,7 @@ func GetHeadscaleConfig() (*Config, error) {
 		DBname: viper.GetString("db_name"),
 		DBuser: viper.GetString("db_user"),
 		DBpass: viper.GetString("db_pass"),
-		DBssl:  viper.GetBool("db_ssl"),
+		DBssl:  viper.GetString("db_ssl"),
 
 		TLS: GetTLSConfig(),
 
@@ -577,6 +574,8 @@ func GetHeadscaleConfig() (*Config, error) {
 		LogTail:             logConfig,
 		RandomizeClientPort: randomizeClientPort,
 
+		ACL: GetACLConfig(),
+
 		CLI: CLIConfig{
 			Address:  viper.GetString("cli.address"),
 			APIKey:   viper.GetString("cli.api_key"),
@@ -584,8 +583,10 @@ func GetHeadscaleConfig() (*Config, error) {
 			Insecure: viper.GetBool("cli.insecure"),
 		},
 
-		ACL: GetACLConfig(),
-
 		Log: GetLogConfig(),
 	}, nil
 }
+
+func IsCLIConfigured() bool {
+	return viper.GetString("cli.address") != "" && viper.GetString("cli.api_key") != ""
+}

dns.go

@@ -3,11 +3,13 @@ package headscale
 import (
 	"fmt"
 	"net/netip"
+	"net/url"
 	"strings"
 
 	mapset "github.com/deckarep/golang-set/v2"
 	"go4.org/netipx"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/dnstype"
 	"tailscale.com/util/dnsname"
 )
 
@@ -20,6 +22,10 @@ const (
 	ipv6AddressLength = 128
 )
 
+const (
+	nextDNSDoHPrefix = "https://dns.nextdns.io"
+)
+
 // generateMagicDNSRootDomains generates a list of DNS entries to be included in `Routes` in `MapResponse`.
 // This list of reverse DNS entries instructs the OS on what subnets and domains the Tailscale embedded DNS
 // server (listening in 100.100.100.100 udp/53) should be used for.
@@ -152,16 +158,39 @@ func generateIPv6DNSRootDomain(ipPrefix netip.Prefix) []dnsname.FQDN {
 	return fqdns
 }
 
+// If any nextdns DoH resolvers are present in the list of resolvers it will
+// take metadata from the machine metadata and instruct tailscale to add it
+// to the requests. This makes it possible to identify from which device the
+// requests come in the NextDNS dashboard.
+//
+// This will produce a resolver like:
+// `https://dns.nextdns.io/<nextdns-id>?device_name=node-name&device_model=linux&device_ip=100.64.0.1`
+func addNextDNSMetadata(resolvers []*dnstype.Resolver, machine Machine) {
+	for _, resolver := range resolvers {
+		if strings.HasPrefix(resolver.Addr, nextDNSDoHPrefix) {
+			attrs := url.Values{
+				"device_name":  []string{machine.Hostname},
+				"device_model": []string{machine.HostInfo.OS},
+			}
+
+			if len(machine.IPAddresses) > 0 {
+				attrs.Add("device_ip", machine.IPAddresses[0].String())
+			}
+
+			resolver.Addr = fmt.Sprintf("%s?%s", resolver.Addr, attrs.Encode())
+		}
+	}
+}
+
 func getMapResponseDNSConfig(
 	dnsConfigOrig *tailcfg.DNSConfig,
 	baseDomain string,
 	machine Machine,
 	peers Machines,
 ) *tailcfg.DNSConfig {
-	var dnsConfig *tailcfg.DNSConfig
+	var dnsConfig *tailcfg.DNSConfig = dnsConfigOrig.Clone()
 	if dnsConfigOrig != nil && dnsConfigOrig.Proxied { // if MagicDNS is enabled
 		// Only inject the Search Domain of the current namespace - shared nodes should use their full FQDN
-		dnsConfig = dnsConfigOrig.Clone()
 		dnsConfig.Domains = append(
 			dnsConfig.Domains,
 			fmt.Sprintf(
@@ -184,5 +213,7 @@ func getMapResponseDNSConfig(
 		dnsConfig = dnsConfigOrig
 	}
 
+	addNextDNSMetadata(dnsConfig.Resolvers, machine)
+
 	return dnsConfig
 }

docs/proposals/002-better-routing.md

@@ -0,0 +1,48 @@
+# Better route management
+
+As of today, route management in Headscale is very basic and does not allow for much flexibility, including implementing subnet HA, 4via6 or more advanced features. We also have a number of bugs (e.g., routes exposed by ephemeral nodes)
+
+This proposal aims to improve the route management.
+
+## Current situation
+
+Routes advertised by the nodes are read from the Hostinfo struct. If approved from the the CLI or via autoApprovers, the route is added to the EnabledRoutes field in `Machine`.
+
+This means that the advertised routes are not persisted in the database, as Hostinfo is always replaced. In the same way, EnabledRoutes can get out of sync with the actual routes in the node.
+
+In case of colliding routes (i.e., subnets that are exposed from multiple nodes), we are currently just sending all of them in `PrimaryRoutes`... and hope for the best. (`PrimaryRoutes` is the field in `Node` used for subnet failover).
+
+## Proposal
+
+The core part is to create a new `Route` struct (and DB table), with the following fields:
+
+```go
+type Route struct {
+	ID          uint64 `gorm:"primary_key"`
+
+    Machine     *Machine
+    Prefix      IPPrefix
+
+    Advertised  bool
+    Enabled     bool
+    IsPrimary   bool
+
+
+    CreatedAt   *time.Time
+    UpdatedAt   *time.Time
+    DeletedAt   *time.Time
+}
+```
+
+- The `Advertised` field is set to true if the route is being advertised by the node. It is set to false if the route is removed. This way we can indicate if a later enabled route has stopped being advertised. A similar behaviour happens in the Tailscale.com control panel.
+
+- The `Enabled` field is set to true if the route is enabled - via CLI or autoApprovers.
+
+- `IsPrimary` indicates if Headscale has selected this route as the primary route for that particular subnet. This allows us to implement subnet failover. This would be fully automatic if there is more than subnet routers advertising the same network - which is the behaviour of Tailscale.com.
+
+## Stuff to bear in mind
+
+- We need to make sure to migrate the current `EnabledRoutes` of `Machine` into the new table.
+- When a node stops sharing a subnet, I reckon we should mark it both as not `Advertised` and not `Enabled`. Users should re-enable it if the node advertises it again.
+- If only one subnet router is advertising a subnet, we should mark it as primary.
+- Regarding subnet failover, the current behaviour of Tailscale.com is to perform the failover after 15 seconds from the node disconnecting from their control panel. I reckon we cannot do the same currently. Our maximum granularity is the keep alive period.

docs/reverse-proxy.md

@@ -59,3 +59,42 @@ server {
     }
 }
 ```
+
+## istio/envoy
+
+If you using [Istio](https://istio.io/) ingressgateway or [Envoy](https://www.envoyproxy.io/) as reverse proxy, there are some tips for you. If not set, you may see some debug log in proxy as below:
+
+```log
+Sending local reply with details upgrade_failed
+```
+
+### Envoy
+
+You need add a new upgrade_type named `tailscale-control-protocol`. [see detail](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto#extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-upgradeconfig)
+
+### Istio
+
+Same as envoy, we can use `EnvoyFilter` to add upgrade_type.
+
+```yaml
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: headscale-behind-istio-ingress
+  namespace: istio-system
+spec:
+  configPatches:
+    - applyTo: NETWORK_FILTER
+      match:
+        listener:
+          filterChain:
+            filter:
+              name: envoy.filters.network.http_connection_manager
+      patch:
+        operation: MERGE
+        value:
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+            upgrade_configs:
+              - upgrade_type: tailscale-control-protocol
+```

docs/running-headscale-container.md

@@ -48,15 +48,17 @@ Modify the config file to your preferences before launching Docker container.
 Here are some settings that you likely want:
 
 ```yaml
-server_url: http://your-host-name:8080 # Change to your hostname or host IP
+# Change to your hostname or host IP
+server_url: http://your-host-name:8080
 # Listen to 0.0.0.0 so it's accessible outside the container
 metrics_listen_addr: 0.0.0.0:9090
 # The default /var/lib/headscale path is not writable in the container
 private_key_path: /etc/headscale/private.key
 # The default /var/lib/headscale path is not writable in the container
 noise:
-  private_key_path: /var/lib/headscale/noise_private.key
+  private_key_path: /etc/headscale/noise_private.key
 # The default /var/lib/headscale path is not writable  in the container
+db_type: sqlite3
 db_path: /etc/headscale/db.sqlite
 ```
 

docs/tls.md

@@ -29,17 +29,3 @@ headscale can also be configured to expose its web service via TLS. To configure
 tls_cert_path: ""
 tls_key_path: ""
 ```
-
-### Configuring Mutual TLS Authentication (mTLS)
-
-mTLS is a method by which an HTTPS server authenticates clients, e.g. Tailscale, using TLS certificates. This can be configured by applying one of the following values to the `tls_client_auth_mode` setting in the configuration file.
-
-| Value               | Behavior                                                   |
-| ------------------- | ---------------------------------------------------------- |
-| `disabled`          | Disable mTLS.                                              |
-| `relaxed` (default) | A client certificate is required, but it is not verified.  |
-| `enforced`          | Requires clients to supply a certificate that is verified. |
-
-```yaml
-tls_client_auth_mode: ""
-```

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "flake-utils": {
       "locked": {
-        "lastModified": 1659877975,
-        "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
         "type": "github"
       },
       "original": {
@@ -17,11 +17,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1664106353,
-        "narHash": "sha256-HMJP80+DSxFySpWyuxz5+iNozS3+dVt0b4n6YMIU5/8=",
+        "lastModified": 1670064435,
+        "narHash": "sha256-+ELoY30UN+Pl3Yn7RWRPabykwebsVK/kYE9JsIsUMxQ=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "79d3ca08920364759c63fd3eb562e99c0c17044a",
+        "rev": "61a8a98e6d557e6dd7ed0cdb54c3a3e3bbc5e25c",
         "type": "github"
       },
       "original": {

flake.nix

@@ -26,25 +26,30 @@
           version = headscaleVersion;
           src = pkgs.lib.cleanSource self;
 
+          tags = ["ts2019"];
+
+          # Only run unit tests when testing a build
+          checkFlags = ["-short"];
+
           # When updating go.mod or go.sum, a new sha will need to be calculated,
           # update this if you have a mismatch after doing a change to thos files.
-          vendorSha256 = "sha256-DosFCSiQ5FURbIrt4NcPGkExc84t2MGMqe9XLxNHdIM=";
+          vendorSha256 = "sha256-Y1IK9Tx2sv0v27ZYtSxDP9keHQ7skctDOa+37pNGEC8=";
 
           ldflags = ["-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}"];
         };
 
         golines = pkgs.buildGoModule rec {
           pname = "golines";
-          version = "0.9.0";
+          version = "0.11.0";
 
           src = pkgs.fetchFromGitHub {
             owner = "segmentio";
             repo = "golines";
             rev = "v${version}";
-            sha256 = "sha256-BUXEg+4r9L/gqe4DhTlhN55P3jWt7ZyWFQycO6QePrw=";
+            sha256 = "sha256-2K9KAg8iSubiTbujyFGN3yggrL+EDyeUCs9OOta/19A=";
           };
 
-          vendorSha256 = "sha256-sEzWUeVk5GB0H41wrp12P8sBWRjg0FHUX6ABDEEBqK8=";
+          vendorSha256 = "sha256-rxYuzn4ezAxaeDhxd8qdOzt+CKYIh03A9zKNdzILq18=";
 
           nativeBuildInputs = [pkgs.installShellFiles];
         };
@@ -104,6 +109,7 @@
           golangci-lint
           golines
           nodePackages.prettier
+          goreleaser
 
           # Protobuf dependencies
           protobuf
@@ -128,7 +134,13 @@
       };
     in rec {
       # `nix develop`
-      devShell = pkgs.mkShell {buildInputs = devDeps;};
+      devShell = pkgs.mkShell {
+        buildInputs = devDeps;
+
+        shellHook = ''
+          export GOFLAGS=-tags="ts2019"
+        '';
+      };
 
       # `nix build`
       packages = with pkgs; {

go.mod

@@ -3,146 +3,148 @@ module github.com/juanfont/headscale
 go 1.19
 
 require (
-	github.com/AlecAivazis/survey/v2 v2.3.5
+	github.com/AlecAivazis/survey/v2 v2.3.6
 	github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029
-	github.com/coreos/go-oidc/v3 v3.3.0
+	github.com/cenkalti/backoff/v4 v4.2.0
+	github.com/coreos/go-oidc/v3 v3.4.0
 	github.com/deckarep/golang-set/v2 v2.1.0
 	github.com/efekarakus/termcolor v1.0.1
-	github.com/glebarez/sqlite v1.4.6
-	github.com/gofrs/uuid v4.2.0+incompatible
+	github.com/glebarez/sqlite v1.5.0
+	github.com/gofrs/uuid v4.3.1+incompatible
 	github.com/gorilla/mux v1.8.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.11.3
-	github.com/klauspost/compress v1.15.9
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.14.0
+	github.com/klauspost/compress v1.15.12
 	github.com/oauth2-proxy/mockoidc v0.0.0-20220308204021-b9169deeb282
 	github.com/ory/dockertest/v3 v3.9.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philip-bui/grpc-zerolog v1.0.1
-	github.com/prometheus/client_golang v1.13.0
+	github.com/prometheus/client_golang v1.14.0
 	github.com/prometheus/common v0.37.0
-	github.com/pterm/pterm v0.12.45
-	github.com/puzpuzpuz/xsync v1.4.3
+	github.com/pterm/pterm v0.12.50
+	github.com/puzpuzpuz/xsync/v2 v2.4.0
 	github.com/rs/zerolog v1.28.0
-	github.com/spf13/cobra v1.5.0
-	github.com/spf13/viper v1.12.0
-	github.com/stretchr/testify v1.8.0
+	github.com/spf13/cobra v1.6.1
+	github.com/spf13/viper v1.14.0
+	github.com/stretchr/testify v1.8.1
 	github.com/tailscale/hujson v0.0.0-20220630195928-54599719472f
 	github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e
-	go4.org/netipx v0.0.0-20220812043211-3cc044ffd68d
-	golang.org/x/crypto v0.0.0-20220829220503-c86fa9a7ed90
-	golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b
-	golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094
-	golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde
-	google.golang.org/genproto v0.0.0-20220902135211-223410557253
-	google.golang.org/grpc v1.49.0
+	go4.org/netipx v0.0.0-20220925034521-797b0c90d8ab
+	golang.org/x/crypto v0.3.0
+	golang.org/x/net v0.2.0
+	golang.org/x/oauth2 v0.2.0
+	golang.org/x/sync v0.1.0
+	google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd
+	google.golang.org/grpc v1.51.0
 	google.golang.org/protobuf v1.28.1
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
-	gorm.io/driver/postgres v1.3.9
-	gorm.io/gorm v1.23.8
-	tailscale.com v1.30.0
+	gorm.io/driver/postgres v1.4.5
+	gorm.io/gorm v1.24.2
+	tailscale.com v1.32.3
 )
 
 require (
 	atomicgo.dev/cursor v0.1.1 // indirect
 	atomicgo.dev/keyboard v0.2.8 // indirect
-	filippo.io/edwards25519 v1.0.0-rc.1 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
-	github.com/Microsoft/go-winio v0.5.2 // indirect
+	filippo.io/edwards25519 v1.0.0 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
+	github.com/Microsoft/go-winio v0.6.0 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
 	github.com/akutz/memconn v0.1.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/containerd/console v1.0.3 // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/cli v20.10.16+incompatible // indirect
-	github.com/docker/docker v20.10.16+incompatible // indirect
+	github.com/docker/cli v20.10.21+incompatible // indirect
+	github.com/docker/docker v20.10.21+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
-	github.com/docker/go-units v0.4.0 // indirect
-	github.com/fsnotify/fsnotify v1.5.4 // indirect
+	github.com/docker/go-units v0.5.0 // indirect
+	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
-	github.com/glebarez/go-sqlite v1.17.3 // indirect
+	github.com/glebarez/go-sqlite v1.19.5 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-github v17.0.0+incompatible // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
-	github.com/gookit/color v1.5.0 // indirect
-	github.com/hashicorp/go-version v1.4.0 // indirect
+	github.com/gookit/color v1.5.2 // indirect
+	github.com/hashicorp/go-version v1.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hdevalence/ed25519consensus v0.0.0-20220222234857-c00d1f31bab3 // indirect
-	github.com/imdario/mergo v0.3.12 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/hdevalence/ed25519consensus v0.1.0 // indirect
+	github.com/imdario/mergo v0.3.13 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
-	github.com/jackc/pgconn v1.12.1 // indirect
+	github.com/jackc/pgconn v1.13.0 // indirect
 	github.com/jackc/pgio v1.0.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgproto3/v2 v2.3.0 // indirect
+	github.com/jackc/pgproto3/v2 v2.3.1 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
-	github.com/jackc/pgtype v1.11.0 // indirect
-	github.com/jackc/pgx/v4 v4.16.1 // indirect
+	github.com/jackc/pgtype v1.13.0 // indirect
+	github.com/jackc/pgx/v4 v4.17.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
-	github.com/jinzhu/now v1.1.4 // indirect
+	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/josharian/native v1.0.0 // indirect
-	github.com/jsimonetti/rtnetlink v1.1.2-0.20220408201609-d380b505068b // indirect
+	github.com/jsimonetti/rtnetlink v1.3.0 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/lithammer/fuzzysearch v1.1.5 // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
-	github.com/mattn/go-colorable v0.1.12 // indirect
-	github.com/mattn/go-isatty v0.0.14 // indirect
-	github.com/mattn/go-runewidth v0.0.13 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
-	github.com/mdlayher/netlink v1.6.0 // indirect
-	github.com/mdlayher/socket v0.2.3 // indirect
-	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.16 // indirect
+	github.com/mattn/go-runewidth v0.0.14 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/mdlayher/netlink v1.7.0 // indirect
+	github.com/mdlayher/socket v0.4.0 // indirect
+	github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/moby/term v0.0.0-20201216013528-df9cb8a40635 // indirect
+	github.com/moby/term v0.0.0-20221128092401-c43b287e0e0f // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
-	github.com/opencontainers/image-spec v1.0.3-0.20220114050600-8b9d41f48198 // indirect
-	github.com/opencontainers/runc v1.1.2 // indirect
+	github.com/opencontainers/image-spec v1.1.0-rc2 // indirect
+	github.com/opencontainers/runc v1.1.4 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/prometheus/client_model v0.3.0 // indirect
 	github.com/prometheus/procfs v0.8.0 // indirect
-	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
-	github.com/rivo/uniseg v0.2.0 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20220927061507-ef77025ab5aa // indirect
+	github.com/rivo/uniseg v0.4.3 // indirect
 	github.com/rogpeppe/go-internal v1.8.1-0.20211023094830-115ce09fd6b4 // indirect
-	github.com/sirupsen/logrus v1.8.1 // indirect
-	github.com/spf13/afero v1.8.2 // indirect
+	github.com/sirupsen/logrus v1.9.0 // indirect
+	github.com/spf13/afero v1.9.3 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/subosito/gotenv v1.3.0 // indirect
+	github.com/subosito/gotenv v1.4.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
+	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	github.com/xo/terminfo v0.0.0-20210125001918-ca9a967f8778 // indirect
-	go4.org/mem v0.0.0-20210711025021-927187094b94 // indirect
-	golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10 // indirect
-	golang.org/x/term v0.0.0-20220411215600-e5f449aeb171 // indirect
-	golang.org/x/text v0.3.7 // indirect
-	golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11 // indirect
-	golang.zx2c4.com/wireguard/windows v0.4.10 // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
+	golang.org/x/mod v0.7.0 // indirect
+	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/term v0.2.0 // indirect
+	golang.org/x/text v0.5.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.3.0 // indirect
+	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	gopkg.in/ini.v1 v1.66.4 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
-	modernc.org/libc v1.16.8 // indirect
-	modernc.org/mathutil v1.4.1 // indirect
-	modernc.org/memory v1.1.1 // indirect
-	modernc.org/sqlite v1.17.3 // indirect
+	modernc.org/libc v1.21.5 // indirect
+	modernc.org/mathutil v1.5.0 // indirect
+	modernc.org/memory v1.5.0 // indirect
+	modernc.org/sqlite v1.20.0 // indirect
 	nhooyr.io/websocket v1.8.7 // indirect
 )

grpcv1.go

@@ -1,4 +1,4 @@
-//nolint
+// nolint
 package headscale
 
 import (
@@ -12,6 +12,7 @@ import (
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"tailscale.com/tailcfg"
+	"tailscale.com/types/key"
 )
 
 type headscaleV1APIServer struct { // v1.HeadscaleServiceServer
@@ -479,7 +480,7 @@ func (api headscaleV1APIServer) DebugCreateMachine(
 		Hostname:    "DebugTestMachine",
 	}
 
-	givenName, err := api.h.GenerateGivenName(request.GetName())
+	givenName, err := api.h.GenerateGivenName(request.GetKey(), request.GetName())
 	if err != nil {
 		return nil, err
 	}
@@ -496,9 +497,14 @@ func (api headscaleV1APIServer) DebugCreateMachine(
 
 		HostInfo: HostInfo(hostinfo),
 	}
+	nodeKey := key.NodePublic{}
+	err = nodeKey.UnmarshalText([]byte(request.GetKey()))
+	if err != nil {
+		log.Panic().Msg("can not add machine for debug. invalid node key")
+	}
 
 	api.h.registrationCache.Set(
-		request.GetKey(),
+		NodePublicKeyStripPrefix(nodeKey),
 		newMachine,
 		registerCacheExpiration,
 	)

handler_legacy.go

@@ -0,0 +1,15 @@
+//go:build ts2019
+
+package headscale
+
+import (
+	"net/http"
+
+	"github.com/gorilla/mux"
+)
+
+func (h *Headscale) addLegacyHandlers(router *mux.Router) {
+	router.HandleFunc("/machine/{mkey}/map", h.PollNetMapHandler).
+		Methods(http.MethodPost)
+	router.HandleFunc("/machine/{mkey}", h.RegistrationHandler).Methods(http.MethodPost)
+}

handler_placeholder.go

@@ -0,0 +1,8 @@
+//go:build !ts2019
+
+package headscale
+
+import "github.com/gorilla/mux"
+
+func (h *Headscale) addLegacyHandlers(router *mux.Router) {
+}

integration/auth_oidc_test.go

@@ -0,0 +1,302 @@
+package integration
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net"
+	"net/http"
+	"strconv"
+	"testing"
+
+	"github.com/juanfont/headscale"
+	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
+)
+
+const (
+	dockerContextPath      = "../."
+	hsicOIDCMockHashLength = 6
+	oidcServerPort         = 10000
+)
+
+var errStatusCodeNotOK = errors.New("status code not OK")
+
+type AuthOIDCScenario struct {
+	*Scenario
+
+	mockOIDC *dockertest.Resource
+}
+
+func TestOIDCAuthenticationPingAll(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	baseScenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	scenario := AuthOIDCScenario{
+		Scenario: baseScenario,
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions),
+	}
+
+	oidcConfig, err := scenario.runMockOIDC()
+	if err != nil {
+		t.Errorf("failed to run mock OIDC server: %s", err)
+	}
+
+	oidcMap := map[string]string{
+		"HEADSCALE_OIDC_ISSUER":             oidcConfig.Issuer,
+		"HEADSCALE_OIDC_CLIENT_ID":          oidcConfig.ClientID,
+		"HEADSCALE_OIDC_CLIENT_SECRET":      oidcConfig.ClientSecret,
+		"HEADSCALE_OIDC_STRIP_EMAIL_DOMAIN": fmt.Sprintf("%t", oidcConfig.StripEmaildomain),
+	}
+
+	err = scenario.CreateHeadscaleEnv(
+		spec,
+		hsic.WithTestName("oidcauthping"),
+		hsic.WithConfigEnv(oidcMap),
+		hsic.WithHostnameAsServerURL(),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	allIps, err := scenario.ListTailscaleClientsIPs()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	success := 0
+
+	for _, client := range allClients {
+		for _, ip := range allIps {
+			err := client.Ping(ip.String())
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}
+
+	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func (s *AuthOIDCScenario) CreateHeadscaleEnv(
+	namespaces map[string]int,
+	opts ...hsic.Option,
+) error {
+	headscale, err := s.Headscale(opts...)
+	if err != nil {
+		return err
+	}
+
+	err = headscale.WaitForReady()
+	if err != nil {
+		return err
+	}
+
+	for namespaceName, clientCount := range namespaces {
+		log.Printf("creating namespace %s with %d clients", namespaceName, clientCount)
+		err = s.CreateNamespace(namespaceName)
+		if err != nil {
+			return err
+		}
+
+		err = s.CreateTailscaleNodesInNamespace(namespaceName, "all", clientCount)
+		if err != nil {
+			return err
+		}
+
+		err = s.runTailscaleUp(namespaceName, headscale.GetEndpoint())
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *AuthOIDCScenario) runMockOIDC() (*headscale.OIDCConfig, error) {
+	hash, _ := headscale.GenerateRandomStringDNSSafe(hsicOIDCMockHashLength)
+
+	hostname := fmt.Sprintf("hs-oidcmock-%s", hash)
+
+	mockOidcOptions := &dockertest.RunOptions{
+		Name:         hostname,
+		Cmd:          []string{"headscale", "mockoidc"},
+		ExposedPorts: []string{"10000/tcp"},
+		PortBindings: map[docker.Port][]docker.PortBinding{
+			"10000/tcp": {{HostPort: "10000"}},
+		},
+		Networks: []*dockertest.Network{s.Scenario.network},
+		Env: []string{
+			fmt.Sprintf("MOCKOIDC_ADDR=%s", hostname),
+			"MOCKOIDC_PORT=10000",
+			"MOCKOIDC_CLIENT_ID=superclient",
+			"MOCKOIDC_CLIENT_SECRET=supersecret",
+		},
+	}
+
+	headscaleBuildOptions := &dockertest.BuildOptions{
+		Dockerfile: "Dockerfile.debug",
+		ContextDir: dockerContextPath,
+	}
+
+	err := s.pool.RemoveContainerByName(hostname)
+	if err != nil {
+		return nil, err
+	}
+
+	if pmockoidc, err := s.pool.BuildAndRunWithBuildOptions(
+		headscaleBuildOptions,
+		mockOidcOptions,
+		dockertestutil.DockerRestartPolicy); err == nil {
+		s.mockOIDC = pmockoidc
+	} else {
+		return nil, err
+	}
+
+	log.Println("Waiting for headscale mock oidc to be ready for tests")
+	hostEndpoint := fmt.Sprintf(
+		"%s:%s",
+		s.mockOIDC.GetIPInNetwork(s.network),
+		s.mockOIDC.GetPort(fmt.Sprintf("%d/tcp", oidcServerPort)),
+	)
+
+	if err := s.pool.Retry(func() error {
+		oidcConfigURL := fmt.Sprintf("http://%s/oidc/.well-known/openid-configuration", hostEndpoint)
+		httpClient := &http.Client{}
+		ctx := context.Background()
+		req, _ := http.NewRequestWithContext(ctx, http.MethodGet, oidcConfigURL, nil)
+		resp, err := httpClient.Do(req)
+		if err != nil {
+			log.Printf("headscale mock OIDC tests is not ready: %s\n", err)
+
+			return err
+		}
+		defer resp.Body.Close()
+
+		if resp.StatusCode != http.StatusOK {
+			return errStatusCodeNotOK
+		}
+
+		return nil
+	}); err != nil {
+		return nil, err
+	}
+
+	log.Printf("headscale mock oidc is ready for tests at %s", hostEndpoint)
+
+	return &headscale.OIDCConfig{
+		Issuer: fmt.Sprintf("http://%s/oidc",
+			net.JoinHostPort(s.mockOIDC.GetIPInNetwork(s.network), strconv.Itoa(oidcServerPort))),
+		ClientID:         "superclient",
+		ClientSecret:     "supersecret",
+		StripEmaildomain: true,
+	}, nil
+}
+
+func (s *AuthOIDCScenario) runTailscaleUp(
+	namespaceStr, loginServer string,
+) error {
+	headscale, err := s.Headscale()
+	if err != nil {
+		return err
+	}
+
+	log.Printf("running tailscale up for namespace %s", namespaceStr)
+	if namespace, ok := s.namespaces[namespaceStr]; ok {
+		for _, client := range namespace.Clients {
+			namespace.joinWaitGroup.Add(1)
+
+			go func(c TailscaleClient) {
+				defer namespace.joinWaitGroup.Done()
+
+				// TODO(juanfont): error handle this
+				loginURL, err := c.UpWithLoginURL(loginServer)
+				if err != nil {
+					log.Printf("failed to run tailscale up: %s", err)
+				}
+
+				loginURL.Host = fmt.Sprintf("%s:8080", headscale.GetIP())
+				loginURL.Scheme = "http"
+
+				insecureTransport := &http.Transport{
+					TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // nolint
+				}
+
+				log.Printf("%s login url: %s\n", c.Hostname(), loginURL.String())
+
+				httpClient := &http.Client{Transport: insecureTransport}
+				ctx := context.Background()
+				req, _ := http.NewRequestWithContext(ctx, http.MethodGet, loginURL.String(), nil)
+				resp, err := httpClient.Do(req)
+				if err != nil {
+					log.Printf("%s failed to get login url %s: %s", c.Hostname(), loginURL, err)
+
+					return
+				}
+
+				defer resp.Body.Close()
+
+				_, err = io.ReadAll(resp.Body)
+				if err != nil {
+					log.Printf("%s failed to read response body: %s", c.Hostname(), err)
+
+					return
+				}
+
+				log.Printf("Finished request for %s to join tailnet", c.Hostname())
+			}(client)
+
+			err = client.WaitForReady()
+			if err != nil {
+				log.Printf("error waiting for client %s to be ready: %s", client.Hostname(), err)
+			}
+
+			log.Printf("client %s is ready", client.Hostname())
+		}
+
+		namespace.joinWaitGroup.Wait()
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to up tailscale node: %w", errNoNamespaceAvailable)
+}
+
+func (s *AuthOIDCScenario) Shutdown() error {
+	err := s.pool.Purge(s.mockOIDC)
+	if err != nil {
+		return err
+	}
+
+	return s.Scenario.Shutdown()
+}

integration/auth_web_flow_test.go

@@ -0,0 +1,205 @@
+package integration
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/juanfont/headscale/integration/hsic"
+)
+
+var errParseAuthPage = errors.New("failed to parse auth page")
+
+type AuthWebFlowScenario struct {
+	*Scenario
+}
+
+func TestAuthWebFlowAuthenticationPingAll(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	baseScenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	scenario := AuthWebFlowScenario{
+		Scenario: baseScenario,
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions),
+		"namespace2": len(TailscaleVersions),
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, hsic.WithTestName("webauthping"))
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	allIps, err := scenario.ListTailscaleClientsIPs()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	success := 0
+
+	for _, client := range allClients {
+		for _, ip := range allIps {
+			err := client.Ping(ip.String())
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}
+
+	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func (s *AuthWebFlowScenario) CreateHeadscaleEnv(
+	namespaces map[string]int,
+	opts ...hsic.Option,
+) error {
+	headscale, err := s.Headscale(opts...)
+	if err != nil {
+		return err
+	}
+
+	err = headscale.WaitForReady()
+	if err != nil {
+		return err
+	}
+
+	for namespaceName, clientCount := range namespaces {
+		log.Printf("creating namespace %s with %d clients", namespaceName, clientCount)
+		err = s.CreateNamespace(namespaceName)
+		if err != nil {
+			return err
+		}
+
+		err = s.CreateTailscaleNodesInNamespace(namespaceName, "all", clientCount)
+		if err != nil {
+			return err
+		}
+
+		err = s.runTailscaleUp(namespaceName, headscale.GetEndpoint())
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *AuthWebFlowScenario) runTailscaleUp(
+	namespaceStr, loginServer string,
+) error {
+	log.Printf("running tailscale up for namespace %s", namespaceStr)
+	if namespace, ok := s.namespaces[namespaceStr]; ok {
+		for _, client := range namespace.Clients {
+			namespace.joinWaitGroup.Add(1)
+
+			go func(c TailscaleClient) {
+				defer namespace.joinWaitGroup.Done()
+
+				// TODO(juanfont): error handle this
+				loginURL, err := c.UpWithLoginURL(loginServer)
+				if err != nil {
+					log.Printf("failed to run tailscale up: %s", err)
+				}
+
+				err = s.runHeadscaleRegister(namespaceStr, loginURL)
+				if err != nil {
+					log.Printf("failed to register client: %s", err)
+				}
+			}(client)
+
+			err := client.WaitForReady()
+			if err != nil {
+				log.Printf("error waiting for client %s to be ready: %s", client.Hostname(), err)
+			}
+		}
+		namespace.joinWaitGroup.Wait()
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to up tailscale node: %w", errNoNamespaceAvailable)
+}
+
+func (s *AuthWebFlowScenario) runHeadscaleRegister(namespaceStr string, loginURL *url.URL) error {
+	headscale, err := s.Headscale()
+	if err != nil {
+		return err
+	}
+
+	log.Printf("loginURL: %s", loginURL)
+	loginURL.Host = fmt.Sprintf("%s:8080", headscale.GetIP())
+	loginURL.Scheme = "http"
+
+	httpClient := &http.Client{}
+	ctx := context.Background()
+	req, _ := http.NewRequestWithContext(ctx, http.MethodGet, loginURL.String(), nil)
+	resp, err := httpClient.Do(req)
+	if err != nil {
+		return err
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return err
+	}
+
+	defer resp.Body.Close()
+
+	// see api.go HTML template
+	codeSep := strings.Split(string(body), "</code>")
+	if len(codeSep) != 2 {
+		return errParseAuthPage
+	}
+
+	keySep := strings.Split(codeSep[0], "key ")
+	if len(keySep) != 2 {
+		return errParseAuthPage
+	}
+	key := keySep[1]
+	log.Printf("registering node %s", key)
+
+	if headscale, err := s.Headscale(); err == nil {
+		_, err = headscale.Execute(
+			[]string{"headscale", "-n", namespaceStr, "nodes", "register", "--key", key},
+		)
+		if err != nil {
+			log.Printf("failed to register node: %s", err)
+
+			return err
+		}
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to find headscale: %w", errNoHeadscaleAvailable)
+}

integration/cli_test.go

@@ -0,0 +1,391 @@
+package integration
+
+import (
+	"encoding/json"
+	"sort"
+	"testing"
+	"time"
+
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/stretchr/testify/assert"
+)
+
+func executeAndUnmarshal[T any](headscale ControlServer, command []string, result T) error {
+	str, err := headscale.Execute(command)
+	if err != nil {
+		return err
+	}
+
+	err = json.Unmarshal([]byte(str), result)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func TestNamespaceCommand(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	assert.NoError(t, err)
+
+	spec := map[string]int{
+		"namespace1": 0,
+		"namespace2": 0,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clins"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
+	assert.NoError(t, err)
+
+	var listNamespaces []v1.Namespace
+	err = executeAndUnmarshal(headscale,
+		[]string{
+			"headscale",
+			"namespaces",
+			"list",
+			"--output",
+			"json",
+		},
+		&listNamespaces,
+	)
+	assert.NoError(t, err)
+
+	result := []string{listNamespaces[0].Name, listNamespaces[1].Name}
+	sort.Strings(result)
+
+	assert.Equal(
+		t,
+		[]string{"namespace1", "namespace2"},
+		result,
+	)
+
+	_, err = headscale.Execute(
+		[]string{
+			"headscale",
+			"namespaces",
+			"rename",
+			"--output",
+			"json",
+			"namespace2",
+			"newname",
+		},
+	)
+	assert.NoError(t, err)
+
+	var listAfterRenameNamespaces []v1.Namespace
+	err = executeAndUnmarshal(headscale,
+		[]string{
+			"headscale",
+			"namespaces",
+			"list",
+			"--output",
+			"json",
+		},
+		&listAfterRenameNamespaces,
+	)
+	assert.NoError(t, err)
+
+	result = []string{listAfterRenameNamespaces[0].Name, listAfterRenameNamespaces[1].Name}
+	sort.Strings(result)
+
+	assert.Equal(
+		t,
+		[]string{"namespace1", "newname"},
+		result,
+	)
+
+	err = scenario.Shutdown()
+	assert.NoError(t, err)
+}
+
+func TestPreAuthKeyCommand(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	namespace := "preauthkeyspace"
+	count := 3
+
+	scenario, err := NewScenario()
+	assert.NoError(t, err)
+
+	spec := map[string]int{
+		namespace: 0,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clipak"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
+	assert.NoError(t, err)
+
+	keys := make([]*v1.PreAuthKey, count)
+	assert.NoError(t, err)
+
+	for index := 0; index < count; index++ {
+		var preAuthKey v1.PreAuthKey
+		err := executeAndUnmarshal(
+			headscale,
+			[]string{
+				"headscale",
+				"preauthkeys",
+				"--namespace",
+				namespace,
+				"create",
+				"--reusable",
+				"--expiration",
+				"24h",
+				"--output",
+				"json",
+				"--tags",
+				"tag:test1,tag:test2",
+			},
+			&preAuthKey,
+		)
+		assert.NoError(t, err)
+
+		keys[index] = &preAuthKey
+	}
+
+	assert.Len(t, keys, 3)
+
+	var listedPreAuthKeys []v1.PreAuthKey
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"list",
+			"--output",
+			"json",
+		},
+		&listedPreAuthKeys,
+	)
+	assert.NoError(t, err)
+
+	// There is one key created by "scenario.CreateHeadscaleEnv"
+	assert.Len(t, listedPreAuthKeys, 4)
+
+	assert.Equal(
+		t,
+		[]string{keys[0].Id, keys[1].Id, keys[2].Id},
+		[]string{listedPreAuthKeys[1].Id, listedPreAuthKeys[2].Id, listedPreAuthKeys[3].Id},
+	)
+
+	assert.NotEmpty(t, listedPreAuthKeys[1].Key)
+	assert.NotEmpty(t, listedPreAuthKeys[2].Key)
+	assert.NotEmpty(t, listedPreAuthKeys[3].Key)
+
+	assert.True(t, listedPreAuthKeys[1].Expiration.AsTime().After(time.Now()))
+	assert.True(t, listedPreAuthKeys[2].Expiration.AsTime().After(time.Now()))
+	assert.True(t, listedPreAuthKeys[3].Expiration.AsTime().After(time.Now()))
+
+	assert.True(
+		t,
+		listedPreAuthKeys[1].Expiration.AsTime().Before(time.Now().Add(time.Hour*26)),
+	)
+	assert.True(
+		t,
+		listedPreAuthKeys[2].Expiration.AsTime().Before(time.Now().Add(time.Hour*26)),
+	)
+	assert.True(
+		t,
+		listedPreAuthKeys[3].Expiration.AsTime().Before(time.Now().Add(time.Hour*26)),
+	)
+
+	for index := range listedPreAuthKeys {
+		if index == 0 {
+			continue
+		}
+
+		assert.Equal(t, listedPreAuthKeys[index].AclTags, []string{"tag:test1", "tag:test2"})
+	}
+
+	// Test key expiry
+	_, err = headscale.Execute(
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"expire",
+			listedPreAuthKeys[1].Key,
+		},
+	)
+	assert.NoError(t, err)
+
+	var listedPreAuthKeysAfterExpire []v1.PreAuthKey
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"list",
+			"--output",
+			"json",
+		},
+		&listedPreAuthKeysAfterExpire,
+	)
+	assert.NoError(t, err)
+
+	assert.True(t, listedPreAuthKeysAfterExpire[1].Expiration.AsTime().Before(time.Now()))
+	assert.True(t, listedPreAuthKeysAfterExpire[2].Expiration.AsTime().After(time.Now()))
+	assert.True(t, listedPreAuthKeysAfterExpire[3].Expiration.AsTime().After(time.Now()))
+
+	err = scenario.Shutdown()
+	assert.NoError(t, err)
+}
+
+func TestPreAuthKeyCommandWithoutExpiry(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	namespace := "pre-auth-key-without-exp-namespace"
+
+	scenario, err := NewScenario()
+	assert.NoError(t, err)
+
+	spec := map[string]int{
+		namespace: 0,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clipaknaexp"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
+	assert.NoError(t, err)
+
+	var preAuthKey v1.PreAuthKey
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"create",
+			"--reusable",
+			"--output",
+			"json",
+		},
+		&preAuthKey,
+	)
+	assert.NoError(t, err)
+
+	var listedPreAuthKeys []v1.PreAuthKey
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"list",
+			"--output",
+			"json",
+		},
+		&listedPreAuthKeys,
+	)
+	assert.NoError(t, err)
+
+	// There is one key created by "scenario.CreateHeadscaleEnv"
+	assert.Len(t, listedPreAuthKeys, 2)
+
+	assert.True(t, listedPreAuthKeys[1].Expiration.AsTime().After(time.Now()))
+	assert.True(
+		t,
+		listedPreAuthKeys[1].Expiration.AsTime().Before(time.Now().Add(time.Minute*70)),
+	)
+
+	err = scenario.Shutdown()
+	assert.NoError(t, err)
+}
+
+func TestPreAuthKeyCommandReusableEphemeral(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	namespace := "pre-auth-key-reus-ephm-namespace"
+
+	scenario, err := NewScenario()
+	assert.NoError(t, err)
+
+	spec := map[string]int{
+		namespace: 0,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("clipakresueeph"))
+	assert.NoError(t, err)
+
+	headscale, err := scenario.Headscale()
+	assert.NoError(t, err)
+
+	var preAuthReusableKey v1.PreAuthKey
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"create",
+			"--reusable=true",
+			"--output",
+			"json",
+		},
+		&preAuthReusableKey,
+	)
+	assert.NoError(t, err)
+
+	var preAuthEphemeralKey v1.PreAuthKey
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"create",
+			"--ephemeral=true",
+			"--output",
+			"json",
+		},
+		&preAuthEphemeralKey,
+	)
+	assert.NoError(t, err)
+
+	assert.True(t, preAuthEphemeralKey.GetEphemeral())
+	assert.False(t, preAuthEphemeralKey.GetReusable())
+
+	var listedPreAuthKeys []v1.PreAuthKey
+	err = executeAndUnmarshal(
+		headscale,
+		[]string{
+			"headscale",
+			"preauthkeys",
+			"--namespace",
+			namespace,
+			"list",
+			"--output",
+			"json",
+		},
+		&listedPreAuthKeys,
+	)
+	assert.NoError(t, err)
+
+	// There is one key created by "scenario.CreateHeadscaleEnv"
+	assert.Len(t, listedPreAuthKeys, 3)
+
+	err = scenario.Shutdown()
+	assert.NoError(t, err)
+}

integration/control.go

@@ -0,0 +1,19 @@
+package integration
+
+import (
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+)
+
+type ControlServer interface {
+	Shutdown() error
+	Execute(command []string) (string, error)
+	GetHealthEndpoint() string
+	GetEndpoint() string
+	WaitForReady() error
+	CreateNamespace(namespace string) error
+	CreateAuthKey(namespace string) (*v1.PreAuthKey, error)
+	ListMachinesInNamespace(namespace string) ([]*v1.Machine, error)
+	GetCert() []byte
+	GetHostname() string
+	GetIP() string
+}

integration/dockertestutil/config.go

@@ -0,0 +1,40 @@
+package dockertestutil
+
+import (
+	"os"
+
+	"github.com/ory/dockertest/v3/docker"
+)
+
+func IsRunningInContainer() bool {
+	if _, err := os.Stat("/.dockerenv"); err != nil {
+		return false
+	}
+
+	return true
+}
+
+func DockerRestartPolicy(config *docker.HostConfig) {
+	// set AutoRemove to true so that stopped container goes away by itself on error *immediately*.
+	// when set to false, containers remain until the end of the integration test.
+	config.AutoRemove = false
+	config.RestartPolicy = docker.RestartPolicy{
+		Name: "no",
+	}
+}
+
+func DockerAllowLocalIPv6(config *docker.HostConfig) {
+	if config.Sysctls == nil {
+		config.Sysctls = make(map[string]string, 1)
+	}
+	config.Sysctls["net.ipv6.conf.all.disable_ipv6"] = "0"
+}
+
+func DockerAllowNetworkAdministration(config *docker.HostConfig) {
+	config.CapAdd = append(config.CapAdd, "NET_ADMIN")
+	config.Mounts = append(config.Mounts, docker.HostMount{
+		Type:   "bind",
+		Source: "/dev/net/tun",
+		Target: "/dev/net/tun",
+	})
+}

integration/dockertestutil/execute.go

@@ -0,0 +1,94 @@
+package dockertestutil
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/ory/dockertest/v3"
+)
+
+const dockerExecuteTimeout = time.Second * 10
+
+var (
+	ErrDockertestCommandFailed  = errors.New("dockertest command failed")
+	ErrDockertestCommandTimeout = errors.New("dockertest command timed out")
+)
+
+type ExecuteCommandConfig struct {
+	timeout time.Duration
+}
+
+type ExecuteCommandOption func(*ExecuteCommandConfig) error
+
+func ExecuteCommandTimeout(timeout time.Duration) ExecuteCommandOption {
+	return ExecuteCommandOption(func(conf *ExecuteCommandConfig) error {
+		conf.timeout = timeout
+
+		return nil
+	})
+}
+
+func ExecuteCommand(
+	resource *dockertest.Resource,
+	cmd []string,
+	env []string,
+	options ...ExecuteCommandOption,
+) (string, string, error) {
+	var stdout bytes.Buffer
+	var stderr bytes.Buffer
+
+	execConfig := ExecuteCommandConfig{
+		timeout: dockerExecuteTimeout,
+	}
+
+	for _, opt := range options {
+		if err := opt(&execConfig); err != nil {
+			return "", "", fmt.Errorf("execute-command/options: %w", err)
+		}
+	}
+
+	type result struct {
+		exitCode int
+		err      error
+	}
+
+	resultChan := make(chan result, 1)
+
+	// Run your long running function in it's own goroutine and pass back it's
+	// response into our channel.
+	go func() {
+		exitCode, err := resource.Exec(
+			cmd,
+			dockertest.ExecOptions{
+				Env:    append(env, "HEADSCALE_LOG_LEVEL=disabled"),
+				StdOut: &stdout,
+				StdErr: &stderr,
+			},
+		)
+		resultChan <- result{exitCode, err}
+	}()
+
+	// Listen on our channel AND a timeout channel - which ever happens first.
+	select {
+	case res := <-resultChan:
+		if res.err != nil {
+			return stdout.String(), stderr.String(), res.err
+		}
+
+		if res.exitCode != 0 {
+			// Uncomment for debugging
+			// log.Println("Command: ", cmd)
+			// log.Println("stdout: ", stdout.String())
+			// log.Println("stderr: ", stderr.String())
+
+			return stdout.String(), stderr.String(), ErrDockertestCommandFailed
+		}
+
+		return stdout.String(), stderr.String(), nil
+	case <-time.After(execConfig.timeout):
+
+		return stdout.String(), stderr.String(), ErrDockertestCommandTimeout
+	}
+}

integration/dockertestutil/network.go

@@ -0,0 +1,62 @@
+package dockertestutil
+
+import (
+	"errors"
+
+	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
+)
+
+var ErrContainerNotFound = errors.New("container not found")
+
+func GetFirstOrCreateNetwork(pool *dockertest.Pool, name string) (*dockertest.Network, error) {
+	networks, err := pool.NetworksByName(name)
+	if err != nil || len(networks) == 0 {
+		if _, err := pool.CreateNetwork(name); err == nil {
+			// Create does not give us an updated version of the resource, so we need to
+			// get it again.
+			networks, err := pool.NetworksByName(name)
+			if err != nil {
+				return nil, err
+			}
+
+			return &networks[0], nil
+		}
+	}
+
+	return &networks[0], nil
+}
+
+func AddContainerToNetwork(
+	pool *dockertest.Pool,
+	network *dockertest.Network,
+	testContainer string,
+) error {
+	containers, err := pool.Client.ListContainers(docker.ListContainersOptions{
+		All: true,
+		Filters: map[string][]string{
+			"name": {testContainer},
+		},
+	})
+	if err != nil {
+		return err
+	}
+
+	err = pool.Client.ConnectNetwork(network.Network.ID, docker.NetworkConnectionOptions{
+		Container: containers[0].ID,
+	})
+	if err != nil {
+		return err
+	}
+
+	// TODO(kradalby): This doesnt work reliably, but calling the exact same functions
+	// seem to work fine...
+	// if container, ok := pool.ContainerByName("/" + testContainer); ok {
+	// 	err := container.ConnectToNetwork(network)
+	// 	if err != nil {
+	// 		return err
+	// 	}
+	// }
+
+	return nil
+}

integration/general_test.go

@@ -0,0 +1,350 @@
+package integration
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/rs/zerolog/log"
+)
+
+func TestPingAllByIP(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions),
+		"namespace2": len(TailscaleVersions),
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("pingallbyip"))
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	allIps, err := scenario.ListTailscaleClientsIPs()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	success := 0
+
+	for _, client := range allClients {
+		for _, ip := range allIps {
+			err := client.Ping(ip.String())
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", ip, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}
+
+	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestPingAllByHostname(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		// Omit 1.16.2 (-1) because it does not have the FQDN field
+		"namespace3": len(TailscaleVersions) - 1,
+		"namespace4": len(TailscaleVersions) - 1,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("pingallbyname"))
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	allHostnames, err := scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	success := 0
+
+	for _, client := range allClients {
+		for _, hostname := range allHostnames {
+			err := client.Ping(hostname)
+			if err != nil {
+				t.Errorf("failed to ping %s from %s: %s", hostname, client.Hostname(), err)
+			} else {
+				success++
+			}
+		}
+	}
+
+	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allClients))
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+// If subtests are parallel, then they will start before setup is run.
+// This might mean we approach setup slightly wrong, but for now, ignore
+// the linter
+// nolint:tparallel
+func TestTaildrop(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	retry := func(times int, sleepInverval time.Duration, doWork func() error) error {
+		var err error
+		for attempts := 0; attempts < times; attempts++ {
+			err = doWork()
+			if err == nil {
+				return nil
+			}
+			time.Sleep(sleepInverval)
+		}
+
+		return err
+	}
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		// Omit 1.16.2 (-1) because it does not have the FQDN field
+		"taildrop": len(TailscaleVersions) - 1,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("taildrop"))
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	// This will essentially fetch and cache all the FQDNs
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	for _, client := range allClients {
+		command := []string{"touch", fmt.Sprintf("/tmp/file_from_%s", client.Hostname())}
+
+		if _, _, err := client.Execute(command); err != nil {
+			t.Errorf("failed to create taildrop file on %s, err: %s", client.Hostname(), err)
+		}
+
+		for _, peer := range allClients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			// It is safe to ignore this error as we handled it when caching it
+			peerFQDN, _ := peer.FQDN()
+
+			t.Run(fmt.Sprintf("%s-%s", client.Hostname(), peer.Hostname()), func(t *testing.T) {
+				command := []string{
+					"tailscale", "file", "cp",
+					fmt.Sprintf("/tmp/file_from_%s", client.Hostname()),
+					fmt.Sprintf("%s:", peerFQDN),
+				}
+
+				err := retry(10, 1*time.Second, func() error {
+					t.Logf(
+						"Sending file from %s to %s\n",
+						client.Hostname(),
+						peer.Hostname(),
+					)
+					_, _, err := client.Execute(command)
+
+					return err
+				})
+				if err != nil {
+					t.Errorf(
+						"failed to send taildrop file on %s, err: %s",
+						client.Hostname(),
+						err,
+					)
+				}
+			})
+		}
+	}
+
+	for _, client := range allClients {
+		command := []string{
+			"tailscale", "file",
+			"get",
+			"/tmp/",
+		}
+		if _, _, err := client.Execute(command); err != nil {
+			t.Errorf("failed to get taildrop file on %s, err: %s", client.Hostname(), err)
+		}
+
+		for _, peer := range allClients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			t.Run(fmt.Sprintf("%s-%s", client.Hostname(), peer.Hostname()), func(t *testing.T) {
+				command := []string{
+					"ls",
+					fmt.Sprintf("/tmp/file_from_%s", peer.Hostname()),
+				}
+				log.Printf(
+					"Checking file in %s from %s\n",
+					client.Hostname(),
+					peer.Hostname(),
+				)
+
+				result, _, err := client.Execute(command)
+				if err != nil {
+					t.Errorf("failed to execute command to ls taildrop: %s", err)
+				}
+
+				log.Printf("Result for %s: %s\n", peer.Hostname(), result)
+				if fmt.Sprintf("/tmp/file_from_%s\n", peer.Hostname()) != result {
+					t.Errorf(
+						"taildrop result is not correct %s, wanted %s",
+						result,
+						fmt.Sprintf("/tmp/file_from_%s\n", peer.Hostname()),
+					)
+				}
+			})
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestResolveMagicDNS(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		// Omit 1.16.2 (-1) because it does not have the FQDN field
+		"magicdns1": len(TailscaleVersions) - 1,
+		"magicdns2": len(TailscaleVersions) - 1,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("magicdns"))
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	// Poor mans cache
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsIPs()
+	if err != nil {
+		t.Errorf("failed to get IPs: %s", err)
+	}
+
+	for _, client := range allClients {
+		for _, peer := range allClients {
+			// It is safe to ignore this error as we handled it when caching it
+			peerFQDN, _ := peer.FQDN()
+
+			command := []string{
+				"tailscale",
+				"ip", peerFQDN,
+			}
+			result, _, err := client.Execute(command)
+			if err != nil {
+				t.Errorf(
+					"failed to execute resolve/ip command %s from %s: %s",
+					peerFQDN,
+					client.Hostname(),
+					err,
+				)
+			}
+
+			ips, err := peer.IPs()
+			if err != nil {
+				t.Errorf(
+					"failed to get ips for %s: %s",
+					peer.Hostname(),
+					err,
+				)
+			}
+
+			for _, ip := range ips {
+				if !strings.Contains(result, ip.String()) {
+					t.Errorf("ip %s is not found in \n%s\n", ip.String(), result)
+				}
+			}
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}

integration/hsic/config.go

@@ -0,0 +1,97 @@
+package hsic
+
+// const (
+// 	defaultEphemeralNodeInactivityTimeout = time.Second * 30
+// 	defaultNodeUpdateCheckInterval        = time.Second * 10
+// )
+
+// TODO(kradalby): This approach doesnt work because we cannot
+// serialise our config object to YAML or JSON.
+// func DefaultConfig() headscale.Config {
+// 	derpMap, _ := url.Parse("https://controlplane.tailscale.com/derpmap/default")
+//
+// 	config := headscale.Config{
+// 		Log: headscale.LogConfig{
+// 			Level: zerolog.TraceLevel,
+// 		},
+// 		ACL:                            headscale.GetACLConfig(),
+// 		DBtype:                         "sqlite3",
+// 		EphemeralNodeInactivityTimeout: defaultEphemeralNodeInactivityTimeout,
+// 		NodeUpdateCheckInterval:        defaultNodeUpdateCheckInterval,
+// 		IPPrefixes: []netip.Prefix{
+// 			netip.MustParsePrefix("fd7a:115c:a1e0::/48"),
+// 			netip.MustParsePrefix("100.64.0.0/10"),
+// 		},
+// 		DNSConfig: &tailcfg.DNSConfig{
+// 			Proxied: true,
+// 			Nameservers: []netip.Addr{
+// 				netip.MustParseAddr("127.0.0.11"),
+// 				netip.MustParseAddr("1.1.1.1"),
+// 			},
+// 			Resolvers: []*dnstype.Resolver{
+// 				{
+// 					Addr: "127.0.0.11",
+// 				},
+// 				{
+// 					Addr: "1.1.1.1",
+// 				},
+// 			},
+// 		},
+// 		BaseDomain: "headscale.net",
+//
+// 		DBpath: "/tmp/integration_test_db.sqlite3",
+//
+// 		PrivateKeyPath:      "/tmp/integration_private.key",
+// 		NoisePrivateKeyPath: "/tmp/noise_integration_private.key",
+// 		Addr:                "0.0.0.0:8080",
+// 		MetricsAddr:         "127.0.0.1:9090",
+// 		ServerURL:           "http://headscale:8080",
+//
+// 		DERP: headscale.DERPConfig{
+// 			URLs: []url.URL{
+// 				*derpMap,
+// 			},
+// 			AutoUpdate:      false,
+// 			UpdateFrequency: 1 * time.Minute,
+// 		},
+// 	}
+//
+// 	return config
+// }
+
+// TODO: Reuse the actual configuration object above.
+func DefaultConfigYAML() string {
+	yaml := `
+log:
+  level: trace
+acl_policy_path: ""
+db_type: sqlite3
+db_path: /tmp/integration_test_db.sqlite3
+ephemeral_node_inactivity_timeout: 30m
+node_update_check_interval: 10s
+ip_prefixes:
+  - fd7a:115c:a1e0::/48
+  - 100.64.0.0/10
+dns_config:
+  base_domain: headscale.net
+  magic_dns: true
+  domains: []
+  nameservers:
+    - 127.0.0.11
+    - 1.1.1.1
+private_key_path: /tmp/private.key
+noise:
+  private_key_path: /tmp/noise_private.key
+listen_addr: 0.0.0.0:8080
+metrics_listen_addr: 127.0.0.1:9090
+server_url: http://headscale:8080
+
+derp:
+  urls:
+    - https://controlplane.tailscale.com/derpmap/default
+  auto_update_enabled: false
+  update_frequency: 1m
+`
+
+	return yaml
+}

integration/hsic/hsic.go

@@ -0,0 +1,458 @@
+package hsic
+
+import (
+	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/json"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"log"
+	"math/big"
+	"net"
+	"net/http"
+	"time"
+
+	"github.com/juanfont/headscale"
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/juanfont/headscale/integration/integrationutil"
+	"github.com/ory/dockertest/v3"
+)
+
+const (
+	hsicHashLength       = 6
+	dockerContextPath    = "../."
+	aclPolicyPath        = "/etc/headscale/acl.hujson"
+	tlsCertPath          = "/etc/headscale/tls.cert"
+	tlsKeyPath           = "/etc/headscale/tls.key"
+	headscaleDefaultPort = 8080
+)
+
+var errHeadscaleStatusCodeNotOk = errors.New("headscale status code not ok")
+
+type HeadscaleInContainer struct {
+	hostname string
+
+	pool      *dockertest.Pool
+	container *dockertest.Resource
+	network   *dockertest.Network
+
+	// optional config
+	port      int
+	aclPolicy *headscale.ACLPolicy
+	env       []string
+	tlsCert   []byte
+	tlsKey    []byte
+}
+
+type Option = func(c *HeadscaleInContainer)
+
+func WithACLPolicy(acl *headscale.ACLPolicy) Option {
+	return func(hsic *HeadscaleInContainer) {
+		// TODO(kradalby): Move somewhere appropriate
+		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_ACL_POLICY_PATH=%s", aclPolicyPath))
+
+		hsic.aclPolicy = acl
+	}
+}
+
+func WithTLS() Option {
+	return func(hsic *HeadscaleInContainer) {
+		cert, key, err := createCertificate()
+		if err != nil {
+			log.Fatalf("failed to create certificates for headscale test: %s", err)
+		}
+
+		// TODO(kradalby): Move somewhere appropriate
+		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_CERT_PATH=%s", tlsCertPath))
+		hsic.env = append(hsic.env, fmt.Sprintf("HEADSCALE_TLS_KEY_PATH=%s", tlsKeyPath))
+
+		hsic.tlsCert = cert
+		hsic.tlsKey = key
+	}
+}
+
+func WithConfigEnv(configEnv map[string]string) Option {
+	return func(hsic *HeadscaleInContainer) {
+		for key, value := range configEnv {
+			hsic.env = append(hsic.env, fmt.Sprintf("%s=%s", key, value))
+		}
+	}
+}
+
+func WithPort(port int) Option {
+	return func(hsic *HeadscaleInContainer) {
+		hsic.port = port
+	}
+}
+
+func WithTestName(testName string) Option {
+	return func(hsic *HeadscaleInContainer) {
+		hash, _ := headscale.GenerateRandomStringDNSSafe(hsicHashLength)
+
+		hostname := fmt.Sprintf("hs-%s-%s", testName, hash)
+		hsic.hostname = hostname
+	}
+}
+
+func WithHostnameAsServerURL() Option {
+	return func(hsic *HeadscaleInContainer) {
+		hsic.env = append(
+			hsic.env,
+			fmt.Sprintf("HEADSCALE_SERVER_URL=http://%s:%d",
+				hsic.GetHostname(),
+				hsic.port,
+			))
+	}
+}
+
+func New(
+	pool *dockertest.Pool,
+	network *dockertest.Network,
+	opts ...Option,
+) (*HeadscaleInContainer, error) {
+	hash, err := headscale.GenerateRandomStringDNSSafe(hsicHashLength)
+	if err != nil {
+		return nil, err
+	}
+
+	hostname := fmt.Sprintf("hs-%s", hash)
+
+	hsic := &HeadscaleInContainer{
+		hostname: hostname,
+		port:     headscaleDefaultPort,
+
+		pool:    pool,
+		network: network,
+	}
+
+	for _, opt := range opts {
+		opt(hsic)
+	}
+
+	log.Println("NAME: ", hsic.hostname)
+
+	portProto := fmt.Sprintf("%d/tcp", hsic.port)
+
+	headscaleBuildOptions := &dockertest.BuildOptions{
+		Dockerfile: "Dockerfile.debug",
+		ContextDir: dockerContextPath,
+	}
+
+	runOptions := &dockertest.RunOptions{
+		Name:         hsic.hostname,
+		ExposedPorts: []string{portProto},
+		Networks:     []*dockertest.Network{network},
+		// Cmd:          []string{"headscale", "serve"},
+		// TODO(kradalby): Get rid of this hack, we currently need to give us some
+		// to inject the headscale configuration further down.
+		Entrypoint: []string{"/bin/bash", "-c", "/bin/sleep 3 ; headscale serve"},
+		Env:        hsic.env,
+	}
+
+	// dockertest isnt very good at handling containers that has already
+	// been created, this is an attempt to make sure this container isnt
+	// present.
+	err = pool.RemoveContainerByName(hsic.hostname)
+	if err != nil {
+		return nil, err
+	}
+
+	container, err := pool.BuildAndRunWithBuildOptions(
+		headscaleBuildOptions,
+		runOptions,
+		dockertestutil.DockerRestartPolicy,
+		dockertestutil.DockerAllowLocalIPv6,
+		dockertestutil.DockerAllowNetworkAdministration,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("could not start headscale container: %w", err)
+	}
+	log.Printf("Created %s container\n", hsic.hostname)
+
+	hsic.container = container
+
+	err = hsic.WriteFile("/etc/headscale/config.yaml", []byte(DefaultConfigYAML()))
+	if err != nil {
+		return nil, fmt.Errorf("failed to write headscale config to container: %w", err)
+	}
+
+	if hsic.aclPolicy != nil {
+		data, err := json.Marshal(hsic.aclPolicy)
+		if err != nil {
+			return nil, fmt.Errorf("failed to marshal ACL Policy to JSON: %w", err)
+		}
+
+		err = hsic.WriteFile(aclPolicyPath, data)
+		if err != nil {
+			return nil, fmt.Errorf("failed to write ACL policy to container: %w", err)
+		}
+	}
+
+	if hsic.hasTLS() {
+		err = hsic.WriteFile(tlsCertPath, hsic.tlsCert)
+		if err != nil {
+			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
+		}
+
+		err = hsic.WriteFile(tlsKeyPath, hsic.tlsKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to write TLS key to container: %w", err)
+		}
+	}
+
+	return hsic, nil
+}
+
+func (t *HeadscaleInContainer) hasTLS() bool {
+	return len(t.tlsCert) != 0 && len(t.tlsKey) != 0
+}
+
+func (t *HeadscaleInContainer) Shutdown() error {
+	return t.pool.Purge(t.container)
+}
+
+func (t *HeadscaleInContainer) Execute(
+	command []string,
+) (string, error) {
+	stdout, stderr, err := dockertestutil.ExecuteCommand(
+		t.container,
+		command,
+		[]string{},
+	)
+	if err != nil {
+		log.Printf("command stderr: %s\n", stderr)
+
+		if stdout != "" {
+			log.Printf("command stdout: %s\n", stdout)
+		}
+
+		return "", err
+	}
+
+	return stdout, nil
+}
+
+func (t *HeadscaleInContainer) GetIP() string {
+	return t.container.GetIPInNetwork(t.network)
+}
+
+func (t *HeadscaleInContainer) GetPort() string {
+	return fmt.Sprintf("%d", t.port)
+}
+
+func (t *HeadscaleInContainer) GetHealthEndpoint() string {
+	return fmt.Sprintf("%s/health", t.GetEndpoint())
+}
+
+func (t *HeadscaleInContainer) GetEndpoint() string {
+	hostEndpoint := fmt.Sprintf("%s:%d",
+		t.GetIP(),
+		t.port)
+
+	if t.hasTLS() {
+		return fmt.Sprintf("https://%s", hostEndpoint)
+	}
+
+	return fmt.Sprintf("http://%s", hostEndpoint)
+}
+
+func (t *HeadscaleInContainer) GetCert() []byte {
+	return t.tlsCert
+}
+
+func (t *HeadscaleInContainer) GetHostname() string {
+	return t.hostname
+}
+
+func (t *HeadscaleInContainer) WaitForReady() error {
+	url := t.GetHealthEndpoint()
+
+	log.Printf("waiting for headscale to be ready at %s", url)
+
+	client := &http.Client{}
+
+	if t.hasTLS() {
+		insecureTransport := http.DefaultTransport.(*http.Transport).Clone()      //nolint
+		insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint
+		client = &http.Client{Transport: insecureTransport}
+	}
+
+	return t.pool.Retry(func() error {
+		resp, err := client.Get(url) //nolint
+		if err != nil {
+			return fmt.Errorf("headscale is not ready: %w", err)
+		}
+
+		if resp.StatusCode != http.StatusOK {
+			return errHeadscaleStatusCodeNotOk
+		}
+
+		return nil
+	})
+}
+
+func (t *HeadscaleInContainer) CreateNamespace(
+	namespace string,
+) error {
+	command := []string{"headscale", "namespaces", "create", namespace}
+
+	_, _, err := dockertestutil.ExecuteCommand(
+		t.container,
+		command,
+		[]string{},
+	)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (t *HeadscaleInContainer) CreateAuthKey(
+	namespace string,
+) (*v1.PreAuthKey, error) {
+	command := []string{
+		"headscale",
+		"--namespace",
+		namespace,
+		"preauthkeys",
+		"create",
+		"--reusable",
+		"--expiration",
+		"24h",
+		"--output",
+		"json",
+	}
+
+	result, _, err := dockertestutil.ExecuteCommand(
+		t.container,
+		command,
+		[]string{},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute create auth key command: %w", err)
+	}
+
+	var preAuthKey v1.PreAuthKey
+	err = json.Unmarshal([]byte(result), &preAuthKey)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal auth key: %w", err)
+	}
+
+	return &preAuthKey, nil
+}
+
+func (t *HeadscaleInContainer) ListMachinesInNamespace(
+	namespace string,
+) ([]*v1.Machine, error) {
+	command := []string{"headscale", "--namespace", namespace, "nodes", "list", "--output", "json"}
+
+	result, _, err := dockertestutil.ExecuteCommand(
+		t.container,
+		command,
+		[]string{},
+	)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute list node command: %w", err)
+	}
+
+	var nodes []*v1.Machine
+	err = json.Unmarshal([]byte(result), &nodes)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal nodes: %w", err)
+	}
+
+	return nodes, nil
+}
+
+func (t *HeadscaleInContainer) WriteFile(path string, data []byte) error {
+	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
+}
+
+// nolint
+func createCertificate() ([]byte, []byte, error) {
+	// From:
+	// https://shaneutt.com/blog/golang-ca-and-signed-cert-go/
+
+	ca := &x509.Certificate{
+		SerialNumber: big.NewInt(2019),
+		Subject: pkix.Name{
+			Organization: []string{"Headscale testing INC"},
+			Country:      []string{"NL"},
+			Locality:     []string{"Leiden"},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(30 * time.Minute),
+		IsCA:      true,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageClientAuth,
+			x509.ExtKeyUsageServerAuth,
+		},
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+	}
+
+	caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	cert := &x509.Certificate{
+		SerialNumber: big.NewInt(1658),
+		Subject: pkix.Name{
+			Organization: []string{"Headscale testing INC"},
+			Country:      []string{"NL"},
+			Locality:     []string{"Leiden"},
+		},
+		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1), net.IPv6loopback},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().Add(30 * time.Minute),
+		SubjectKeyId: []byte{1, 2, 3, 4, 6},
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+	}
+
+	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certBytes, err := x509.CreateCertificate(
+		rand.Reader,
+		cert,
+		ca,
+		&certPrivKey.PublicKey,
+		caPrivKey,
+	)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certPEM := new(bytes.Buffer)
+
+	err = pem.Encode(certPEM, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certBytes,
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certPrivKeyPEM := new(bytes.Buffer)
+
+	err = pem.Encode(certPrivKeyPEM, &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return certPEM.Bytes(), certPrivKeyPEM.Bytes(), nil
+}

integration/integrationutil/util.go

@@ -0,0 +1,74 @@
+package integrationutil
+
+import (
+	"archive/tar"
+	"bytes"
+	"fmt"
+	"io"
+	"path/filepath"
+
+	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
+)
+
+func WriteFileToContainer(
+	pool *dockertest.Pool,
+	container *dockertest.Resource,
+	path string,
+	data []byte,
+) error {
+	dirPath, fileName := filepath.Split(path)
+
+	file := bytes.NewReader(data)
+
+	buf := bytes.NewBuffer([]byte{})
+
+	tarWriter := tar.NewWriter(buf)
+
+	header := &tar.Header{
+		Name: fileName,
+		Size: file.Size(),
+		// Mode:    int64(stat.Mode()),
+		// ModTime: stat.ModTime(),
+	}
+
+	err := tarWriter.WriteHeader(header)
+	if err != nil {
+		return fmt.Errorf("failed write file header to tar: %w", err)
+	}
+
+	_, err = io.Copy(tarWriter, file)
+	if err != nil {
+		return fmt.Errorf("failed to copy file to tar: %w", err)
+	}
+
+	err = tarWriter.Close()
+	if err != nil {
+		return fmt.Errorf("failed to close tar: %w", err)
+	}
+
+	// Ensure the directory is present inside the container
+	_, _, err = dockertestutil.ExecuteCommand(
+		container,
+		[]string{"mkdir", "-p", dirPath},
+		[]string{},
+	)
+	if err != nil {
+		return fmt.Errorf("failed to ensure directory: %w", err)
+	}
+
+	err = pool.Client.UploadToContainer(
+		container.Container.ID,
+		docker.UploadToContainerOptions{
+			NoOverwriteDirNonDir: false,
+			Path:                 dirPath,
+			InputStream:          bytes.NewReader(buf.Bytes()),
+		},
+	)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

integration/scenario.go

@@ -0,0 +1,470 @@
+package integration
+
+import (
+	"errors"
+	"fmt"
+	"log"
+	"net/netip"
+	"os"
+	"sync"
+	"time"
+
+	"github.com/juanfont/headscale"
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/ory/dockertest/v3"
+	"github.com/puzpuzpuz/xsync/v2"
+)
+
+const (
+	scenarioHashLength = 6
+	maxWait            = 60 * time.Second
+)
+
+var (
+	errNoHeadscaleAvailable = errors.New("no headscale available")
+	errNoNamespaceAvailable = errors.New("no namespace available")
+
+	// Tailscale started adding TS2021 support in CapabilityVersion>=28 (v1.24.0), but
+	// proper support in Headscale was only added for CapabilityVersion>=39 clients (v1.30.0).
+	tailscaleVersions2021 = []string{
+		"head",
+		"unstable",
+		"1.32.1",
+		"1.30.2",
+	}
+
+	tailscaleVersions2019 = []string{
+		"1.28.0",
+		"1.26.2",
+		"1.24.2",
+		"1.22.2",
+		"1.20.4",
+		"1.18.2",
+		"1.16.2",
+	}
+
+	// tailscaleVersionsUnavailable = []string{
+	// 	// These versions seem to fail when fetching from apt.
+	// 	"1.14.6",
+	// 	"1.12.4",
+	// 	"1.10.2",
+	// 	"1.8.7",
+	// }.
+
+	TailscaleVersions = append(
+		tailscaleVersions2021,
+		tailscaleVersions2019...,
+	)
+)
+
+type Namespace struct {
+	Clients map[string]TailscaleClient
+
+	createWaitGroup sync.WaitGroup
+	joinWaitGroup   sync.WaitGroup
+	syncWaitGroup   sync.WaitGroup
+}
+
+// TODO(kradalby): make control server configurable, test correctness with Tailscale SaaS.
+type Scenario struct {
+	// TODO(kradalby): support multiple headcales for later, currently only
+	// use one.
+	controlServers *xsync.MapOf[string, ControlServer]
+
+	namespaces map[string]*Namespace
+
+	pool    *dockertest.Pool
+	network *dockertest.Network
+
+	headscaleLock sync.Mutex
+}
+
+func NewScenario() (*Scenario, error) {
+	hash, err := headscale.GenerateRandomStringDNSSafe(scenarioHashLength)
+	if err != nil {
+		return nil, err
+	}
+
+	pool, err := dockertest.NewPool("")
+	if err != nil {
+		return nil, fmt.Errorf("could not connect to docker: %w", err)
+	}
+
+	pool.MaxWait = maxWait
+
+	networkName := fmt.Sprintf("hs-%s", hash)
+	if overrideNetworkName := os.Getenv("HEADSCALE_TEST_NETWORK_NAME"); overrideNetworkName != "" {
+		networkName = overrideNetworkName
+	}
+
+	network, err := dockertestutil.GetFirstOrCreateNetwork(pool, networkName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create or get network: %w", err)
+	}
+
+	// We run the test suite in a docker container that calls a couple of endpoints for
+	// readiness checks, this ensures that we can run the tests with individual networks
+	// and have the client reach the different containers
+	err = dockertestutil.AddContainerToNetwork(pool, network, "headscale-test-suite")
+	if err != nil {
+		return nil, fmt.Errorf("failed to add test suite container to network: %w", err)
+	}
+
+	return &Scenario{
+		controlServers: xsync.NewMapOf[ControlServer](),
+		namespaces:     make(map[string]*Namespace),
+
+		pool:    pool,
+		network: network,
+	}, nil
+}
+
+func (s *Scenario) Shutdown() error {
+	s.controlServers.Range(func(_ string, control ControlServer) bool {
+		err := control.Shutdown()
+		if err != nil {
+			log.Printf(
+				"Failed to shut down control: %s",
+				fmt.Errorf("failed to tear down control: %w", err),
+			)
+		}
+
+		return true
+	})
+
+	for namespaceName, namespace := range s.namespaces {
+		for _, client := range namespace.Clients {
+			log.Printf("removing client %s in namespace %s", client.Hostname(), namespaceName)
+			err := client.Shutdown()
+			if err != nil {
+				return fmt.Errorf("failed to tear down client: %w", err)
+			}
+		}
+	}
+
+	if err := s.pool.RemoveNetwork(s.network); err != nil {
+		return fmt.Errorf("failed to remove network: %w", err)
+	}
+
+	// TODO(kradalby): This seem redundant to the previous call
+	// if err := s.network.Close(); err != nil {
+	// 	return fmt.Errorf("failed to tear down network: %w", err)
+	// }
+
+	return nil
+}
+
+func (s *Scenario) Namespaces() []string {
+	namespaces := make([]string, 0)
+	for namespace := range s.namespaces {
+		namespaces = append(namespaces, namespace)
+	}
+
+	return namespaces
+}
+
+/// Headscale related stuff
+// Note: These functions assume that there is a _single_ headscale instance for now
+
+// TODO(kradalby): make port and headscale configurable, multiple instances support?
+func (s *Scenario) Headscale(opts ...hsic.Option) (ControlServer, error) {
+	s.headscaleLock.Lock()
+	defer s.headscaleLock.Unlock()
+
+	if headscale, ok := s.controlServers.Load("headscale"); ok {
+		return headscale, nil
+	}
+
+	headscale, err := hsic.New(s.pool, s.network, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create headscale container: %w", err)
+	}
+
+	err = headscale.WaitForReady()
+	if err != nil {
+		return nil, fmt.Errorf("failed reach headscale container: %w", err)
+	}
+
+	s.controlServers.Store("headscale", headscale)
+
+	return headscale, nil
+}
+
+func (s *Scenario) CreatePreAuthKey(namespace string) (*v1.PreAuthKey, error) {
+	if headscale, err := s.Headscale(); err == nil {
+		key, err := headscale.CreateAuthKey(namespace)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create namespace: %w", err)
+		}
+
+		return key, nil
+	}
+
+	return nil, fmt.Errorf("failed to create namespace: %w", errNoHeadscaleAvailable)
+}
+
+func (s *Scenario) CreateNamespace(namespace string) error {
+	if headscale, err := s.Headscale(); err == nil {
+		err := headscale.CreateNamespace(namespace)
+		if err != nil {
+			return fmt.Errorf("failed to create namespace: %w", err)
+		}
+
+		s.namespaces[namespace] = &Namespace{
+			Clients: make(map[string]TailscaleClient),
+		}
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to create namespace: %w", errNoHeadscaleAvailable)
+}
+
+/// Client related stuff
+
+func (s *Scenario) CreateTailscaleNodesInNamespace(
+	namespaceStr string,
+	requestedVersion string,
+	count int,
+	opts ...tsic.Option,
+) error {
+	if namespace, ok := s.namespaces[namespaceStr]; ok {
+		for i := 0; i < count; i++ {
+			version := requestedVersion
+			if requestedVersion == "all" {
+				version = TailscaleVersions[i%len(TailscaleVersions)]
+			}
+
+			headscale, err := s.Headscale()
+			if err != nil {
+				return fmt.Errorf("failed to create tailscale node: %w", err)
+			}
+
+			cert := headscale.GetCert()
+			hostname := headscale.GetHostname()
+
+			namespace.createWaitGroup.Add(1)
+
+			opts = append(opts,
+				tsic.WithHeadscaleTLS(cert),
+				tsic.WithHeadscaleName(hostname),
+			)
+
+			go func() {
+				defer namespace.createWaitGroup.Done()
+
+				// TODO(kradalby): error handle this
+				tsClient, err := tsic.New(
+					s.pool,
+					version,
+					s.network,
+					opts...,
+				)
+				if err != nil {
+					// return fmt.Errorf("failed to add tailscale node: %w", err)
+					log.Printf("failed to create tailscale node: %s", err)
+				}
+
+				err = tsClient.WaitForReady()
+				if err != nil {
+					// return fmt.Errorf("failed to add tailscale node: %w", err)
+					log.Printf("failed to wait for tailscaled: %s", err)
+				}
+
+				namespace.Clients[tsClient.Hostname()] = tsClient
+			}()
+		}
+		namespace.createWaitGroup.Wait()
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to add tailscale node: %w", errNoNamespaceAvailable)
+}
+
+func (s *Scenario) RunTailscaleUp(
+	namespaceStr, loginServer, authKey string,
+) error {
+	if namespace, ok := s.namespaces[namespaceStr]; ok {
+		for _, client := range namespace.Clients {
+			namespace.joinWaitGroup.Add(1)
+
+			go func(c TailscaleClient) {
+				defer namespace.joinWaitGroup.Done()
+
+				// TODO(kradalby): error handle this
+				_ = c.Up(loginServer, authKey)
+			}(client)
+
+			err := client.WaitForReady()
+			if err != nil {
+				log.Printf("error waiting for client %s to be ready: %s", client.Hostname(), err)
+			}
+		}
+
+		namespace.joinWaitGroup.Wait()
+
+		return nil
+	}
+
+	return fmt.Errorf("failed to up tailscale node: %w", errNoNamespaceAvailable)
+}
+
+func (s *Scenario) CountTailscale() int {
+	count := 0
+
+	for _, namespace := range s.namespaces {
+		count += len(namespace.Clients)
+	}
+
+	return count
+}
+
+func (s *Scenario) WaitForTailscaleSync() error {
+	tsCount := s.CountTailscale()
+
+	for _, namespace := range s.namespaces {
+		for _, client := range namespace.Clients {
+			namespace.syncWaitGroup.Add(1)
+
+			go func(c TailscaleClient) {
+				defer namespace.syncWaitGroup.Done()
+
+				// TODO(kradalby): error handle this
+				_ = c.WaitForPeers(tsCount)
+			}(client)
+		}
+		namespace.syncWaitGroup.Wait()
+	}
+
+	return nil
+}
+
+// CreateHeadscaleEnv is a conventient method returning a set up Headcale
+// test environment with nodes of all versions, joined to the server with X
+// namespaces.
+func (s *Scenario) CreateHeadscaleEnv(
+	namespaces map[string]int,
+	tsOpts []tsic.Option,
+	opts ...hsic.Option,
+) error {
+	headscale, err := s.Headscale(opts...)
+	if err != nil {
+		return err
+	}
+
+	for namespaceName, clientCount := range namespaces {
+		err = s.CreateNamespace(namespaceName)
+		if err != nil {
+			return err
+		}
+
+		err = s.CreateTailscaleNodesInNamespace(namespaceName, "all", clientCount, tsOpts...)
+		if err != nil {
+			return err
+		}
+
+		key, err := s.CreatePreAuthKey(namespaceName)
+		if err != nil {
+			return err
+		}
+
+		err = s.RunTailscaleUp(namespaceName, headscale.GetEndpoint(), key.GetKey())
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *Scenario) GetIPs(namespace string) ([]netip.Addr, error) {
+	var ips []netip.Addr
+	if ns, ok := s.namespaces[namespace]; ok {
+		for _, client := range ns.Clients {
+			clientIps, err := client.IPs()
+			if err != nil {
+				return ips, fmt.Errorf("failed to get ips: %w", err)
+			}
+			ips = append(ips, clientIps...)
+		}
+
+		return ips, nil
+	}
+
+	return ips, fmt.Errorf("failed to get ips: %w", errNoNamespaceAvailable)
+}
+
+func (s *Scenario) GetClients(namespace string) ([]TailscaleClient, error) {
+	var clients []TailscaleClient
+	if ns, ok := s.namespaces[namespace]; ok {
+		for _, client := range ns.Clients {
+			clients = append(clients, client)
+		}
+
+		return clients, nil
+	}
+
+	return clients, fmt.Errorf("failed to get clients: %w", errNoNamespaceAvailable)
+}
+
+func (s *Scenario) ListTailscaleClients(namespaces ...string) ([]TailscaleClient, error) {
+	var allClients []TailscaleClient
+
+	if len(namespaces) == 0 {
+		namespaces = s.Namespaces()
+	}
+
+	for _, namespace := range namespaces {
+		clients, err := s.GetClients(namespace)
+		if err != nil {
+			return nil, err
+		}
+
+		allClients = append(allClients, clients...)
+	}
+
+	return allClients, nil
+}
+
+func (s *Scenario) ListTailscaleClientsIPs(namespaces ...string) ([]netip.Addr, error) {
+	var allIps []netip.Addr
+
+	if len(namespaces) == 0 {
+		namespaces = s.Namespaces()
+	}
+
+	for _, namespace := range namespaces {
+		ips, err := s.GetIPs(namespace)
+		if err != nil {
+			return nil, err
+		}
+
+		allIps = append(allIps, ips...)
+	}
+
+	return allIps, nil
+}
+
+func (s *Scenario) ListTailscaleClientsFQDNs(namespaces ...string) ([]string, error) {
+	allFQDNs := make([]string, 0)
+
+	clients, err := s.ListTailscaleClients(namespaces...)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, client := range clients {
+		fqdn, err := client.FQDN()
+		if err != nil {
+			return nil, err
+		}
+
+		allFQDNs = append(allFQDNs, fqdn)
+	}
+
+	return allFQDNs, nil
+}

integration/scenario_test.go

@@ -0,0 +1,204 @@
+package integration
+
+import (
+	"testing"
+
+	"github.com/juanfont/headscale/integration/dockertestutil"
+)
+
+// This file is intended to "test the test framework", by proxy it will also test
+// some Headcsale/Tailscale stuff, but mostly in very simple ways.
+
+func IntegrationSkip(t *testing.T) {
+	t.Helper()
+
+	if !dockertestutil.IsRunningInContainer() {
+		t.Skip("not running in docker, skipping")
+	}
+
+	if testing.Short() {
+		t.Skip("skipping integration tests due to short flag")
+	}
+}
+
+// If subtests are parallel, then they will start before setup is run.
+// This might mean we approach setup slightly wrong, but for now, ignore
+// the linter
+// nolint:tparallel
+func TestHeadscale(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	var err error
+
+	namespace := "test-space"
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	t.Run("start-headscale", func(t *testing.T) {
+		headscale, err := scenario.Headscale()
+		if err != nil {
+			t.Errorf("failed to create start headcale: %s", err)
+		}
+
+		err = headscale.WaitForReady()
+		if err != nil {
+			t.Errorf("headscale failed to become ready: %s", err)
+		}
+	})
+
+	t.Run("create-namespace", func(t *testing.T) {
+		err := scenario.CreateNamespace(namespace)
+		if err != nil {
+			t.Errorf("failed to create namespace: %s", err)
+		}
+
+		if _, ok := scenario.namespaces[namespace]; !ok {
+			t.Errorf("namespace is not in scenario")
+		}
+	})
+
+	t.Run("create-auth-key", func(t *testing.T) {
+		_, err := scenario.CreatePreAuthKey(namespace)
+		if err != nil {
+			t.Errorf("failed to create preauthkey: %s", err)
+		}
+	})
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+// If subtests are parallel, then they will start before setup is run.
+// This might mean we approach setup slightly wrong, but for now, ignore
+// the linter
+// nolint:tparallel
+func TestCreateTailscale(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	namespace := "only-create-containers"
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	scenario.namespaces[namespace] = &Namespace{
+		Clients: make(map[string]TailscaleClient),
+	}
+
+	t.Run("create-tailscale", func(t *testing.T) {
+		err := scenario.CreateTailscaleNodesInNamespace(namespace, "all", 3)
+		if err != nil {
+			t.Errorf("failed to add tailscale nodes: %s", err)
+		}
+
+		if clients := len(scenario.namespaces[namespace].Clients); clients != 3 {
+			t.Errorf("wrong number of tailscale clients: %d != %d", clients, 3)
+		}
+
+		// TODO(kradalby): Test "all" version logic
+	})
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+// If subtests are parallel, then they will start before setup is run.
+// This might mean we approach setup slightly wrong, but for now, ignore
+// the linter
+// nolint:tparallel
+func TestTailscaleNodesJoiningHeadcale(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	var err error
+
+	namespace := "join-node-test"
+
+	count := 1
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	t.Run("start-headscale", func(t *testing.T) {
+		headscale, err := scenario.Headscale()
+		if err != nil {
+			t.Errorf("failed to create start headcale: %s", err)
+		}
+
+		err = headscale.WaitForReady()
+		if err != nil {
+			t.Errorf("headscale failed to become ready: %s", err)
+		}
+	})
+
+	t.Run("create-namespace", func(t *testing.T) {
+		err := scenario.CreateNamespace(namespace)
+		if err != nil {
+			t.Errorf("failed to create namespace: %s", err)
+		}
+
+		if _, ok := scenario.namespaces[namespace]; !ok {
+			t.Errorf("namespace is not in scenario")
+		}
+	})
+
+	t.Run("create-tailscale", func(t *testing.T) {
+		err := scenario.CreateTailscaleNodesInNamespace(namespace, "1.30.2", count)
+		if err != nil {
+			t.Errorf("failed to add tailscale nodes: %s", err)
+		}
+
+		if clients := len(scenario.namespaces[namespace].Clients); clients != count {
+			t.Errorf("wrong number of tailscale clients: %d != %d", clients, count)
+		}
+	})
+
+	t.Run("join-headscale", func(t *testing.T) {
+		key, err := scenario.CreatePreAuthKey(namespace)
+		if err != nil {
+			t.Errorf("failed to create preauthkey: %s", err)
+		}
+
+		headscale, err := scenario.Headscale()
+		if err != nil {
+			t.Errorf("failed to create start headcale: %s", err)
+		}
+
+		err = scenario.RunTailscaleUp(
+			namespace,
+			headscale.GetEndpoint(),
+			key.GetKey(),
+		)
+		if err != nil {
+			t.Errorf("failed to login: %s", err)
+		}
+	})
+
+	t.Run("get-ips", func(t *testing.T) {
+		ips, err := scenario.GetIPs(namespace)
+		if err != nil {
+			t.Errorf("failed to get tailscale ips: %s", err)
+		}
+
+		if len(ips) != count*2 {
+			t.Errorf("got the wrong amount of tailscale ips, %d != %d", len(ips), count*2)
+		}
+	})
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}

integration/ssh_test.go

@@ -0,0 +1,519 @@
+package integration
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/juanfont/headscale"
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/stretchr/testify/assert"
+)
+
+var retry = func(times int, sleepInterval time.Duration,
+	doWork func() (string, string, error),
+) (string, string, error) {
+	var result string
+	var stderr string
+	var err error
+
+	for attempts := 0; attempts < times; attempts++ {
+		tempResult, tempStderr, err := doWork()
+
+		result += tempResult
+		stderr += tempStderr
+
+		if err == nil {
+			return result, stderr, nil
+		}
+
+		// If we get a permission denied error, we can fail immediately
+		// since that is something we wont recover from by retrying.
+		if err != nil && strings.Contains(stderr, "Permission denied (tailscale)") {
+			return result, stderr, err
+		}
+
+		time.Sleep(sleepInterval)
+	}
+
+	return result, stderr, err
+}
+
+func TestSSHOneNamespaceAllToAll(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions) - 5,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{tsic.WithSSH()},
+		hsic.WithACLPolicy(
+			&headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:integration-test": {"namespace1"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:*"},
+					},
+				},
+				SSHs: []headscale.SSH{
+					{
+						Action:       "accept",
+						Sources:      []string{"group:integration-test"},
+						Destinations: []string{"group:integration-test"},
+						Users:        []string{"ssh-it-user"},
+					},
+				},
+			},
+		),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
+		}),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	for _, client := range allClients {
+		for _, peer := range allClients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHHostname(t, client, peer)
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestSSHMultipleNamespacesAllToAll(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions) - 5,
+		"namespace2": len(TailscaleVersions) - 5,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{tsic.WithSSH()},
+		hsic.WithACLPolicy(
+			&headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:integration-test": {"namespace1", "namespace2"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:*"},
+					},
+				},
+				SSHs: []headscale.SSH{
+					{
+						Action:       "accept",
+						Sources:      []string{"group:integration-test"},
+						Destinations: []string{"group:integration-test"},
+						Users:        []string{"ssh-it-user"},
+					},
+				},
+			},
+		),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
+		}),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	nsOneClients, err := scenario.ListTailscaleClients("namespace1")
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	nsTwoClients, err := scenario.ListTailscaleClients("namespace2")
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	testInterNamespaceSSH := func(sourceClients []TailscaleClient, targetClients []TailscaleClient) {
+		for _, client := range sourceClients {
+			for _, peer := range targetClients {
+				assertSSHHostname(t, client, peer)
+			}
+		}
+	}
+
+	testInterNamespaceSSH(nsOneClients, nsTwoClients)
+	testInterNamespaceSSH(nsTwoClients, nsOneClients)
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestSSHNoSSHConfigured(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions) - 5,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{tsic.WithSSH()},
+		hsic.WithACLPolicy(
+			&headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:integration-test": {"namespace1"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:*"},
+					},
+				},
+				SSHs: []headscale.SSH{},
+			},
+		),
+		hsic.WithTestName("sshnoneconfigured"),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
+		}),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	for _, client := range allClients {
+		for _, peer := range allClients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHPermissionDenied(t, client, peer)
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestSSHIsBlockedInACL(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespace1": len(TailscaleVersions) - 5,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{tsic.WithSSH()},
+		hsic.WithACLPolicy(
+			&headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:integration-test": {"namespace1"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:80"},
+					},
+				},
+				SSHs: []headscale.SSH{
+					{
+						Action:       "accept",
+						Sources:      []string{"group:integration-test"},
+						Destinations: []string{"group:integration-test"},
+						Users:        []string{"ssh-it-user"},
+					},
+				},
+			},
+		),
+		hsic.WithTestName("sshisblockedinacl"),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
+		}),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	allClients, err := scenario.ListTailscaleClients()
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	for _, client := range allClients {
+		for _, peer := range allClients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHTimeout(t, client, peer)
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func TestSSNamespaceOnlyIsolation(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario()
+	if err != nil {
+		t.Errorf("failed to create scenario: %s", err)
+	}
+
+	spec := map[string]int{
+		"namespaceacl1": len(TailscaleVersions) - 5,
+		"namespaceacl2": len(TailscaleVersions) - 5,
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec,
+		[]tsic.Option{tsic.WithSSH()},
+		hsic.WithACLPolicy(
+			&headscale.ACLPolicy{
+				Groups: map[string][]string{
+					"group:ssh1": {"namespaceacl1"},
+					"group:ssh2": {"namespaceacl2"},
+				},
+				ACLs: []headscale.ACL{
+					{
+						Action:       "accept",
+						Sources:      []string{"*"},
+						Destinations: []string{"*:*"},
+					},
+				},
+				SSHs: []headscale.SSH{
+					{
+						Action:       "accept",
+						Sources:      []string{"group:ssh1"},
+						Destinations: []string{"group:ssh1"},
+						Users:        []string{"ssh-it-user"},
+					},
+					{
+						Action:       "accept",
+						Sources:      []string{"group:ssh2"},
+						Destinations: []string{"group:ssh2"},
+						Users:        []string{"ssh-it-user"},
+					},
+				},
+			},
+		),
+		hsic.WithTestName("sshtwonamespaceaclblock"),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_EXPERIMENTAL_FEATURE_SSH": "1",
+		}),
+	)
+	if err != nil {
+		t.Errorf("failed to create headscale environment: %s", err)
+	}
+
+	ssh1Clients, err := scenario.ListTailscaleClients("namespaceacl1")
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	ssh2Clients, err := scenario.ListTailscaleClients("namespaceacl2")
+	if err != nil {
+		t.Errorf("failed to get clients: %s", err)
+	}
+
+	err = scenario.WaitForTailscaleSync()
+	if err != nil {
+		t.Errorf("failed wait for tailscale clients to be in sync: %s", err)
+	}
+
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	if err != nil {
+		t.Errorf("failed to get FQDNs: %s", err)
+	}
+
+	// TODO(kradalby,evenh): ACLs do currently not cover reject
+	// cases properly, and currently will accept all incomming connections
+	// as long as a rule is present.
+	//
+	// for _, client := range ssh1Clients {
+	// 	for _, peer := range ssh2Clients {
+	// 		if client.Hostname() == peer.Hostname() {
+	// 			continue
+	// 		}
+	//
+	// 		assertSSHPermissionDenied(t, client, peer)
+	// 	}
+	// }
+	//
+	// for _, client := range ssh2Clients {
+	// 	for _, peer := range ssh1Clients {
+	// 		if client.Hostname() == peer.Hostname() {
+	// 			continue
+	// 		}
+	//
+	// 		assertSSHPermissionDenied(t, client, peer)
+	// 	}
+	// }
+
+	for _, client := range ssh1Clients {
+		for _, peer := range ssh1Clients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHHostname(t, client, peer)
+		}
+	}
+
+	for _, client := range ssh2Clients {
+		for _, peer := range ssh2Clients {
+			if client.Hostname() == peer.Hostname() {
+				continue
+			}
+
+			assertSSHHostname(t, client, peer)
+		}
+	}
+
+	err = scenario.Shutdown()
+	if err != nil {
+		t.Errorf("failed to tear down scenario: %s", err)
+	}
+}
+
+func doSSH(t *testing.T, client TailscaleClient, peer TailscaleClient) (string, string, error) {
+	t.Helper()
+
+	peerFQDN, _ := peer.FQDN()
+
+	command := []string{
+		"ssh", "-o StrictHostKeyChecking=no", "-o ConnectTimeout=1",
+		fmt.Sprintf("%s@%s", "ssh-it-user", peerFQDN),
+		"'hostname'",
+	}
+
+	return retry(10, 1*time.Second, func() (string, string, error) {
+		return client.Execute(command)
+	})
+}
+
+func assertSSHHostname(t *testing.T, client TailscaleClient, peer TailscaleClient) {
+	t.Helper()
+
+	result, _, err := doSSH(t, client, peer)
+	assert.NoError(t, err)
+
+	assert.Contains(t, peer.ID(), strings.ReplaceAll(result, "\n", ""))
+}
+
+func assertSSHPermissionDenied(t *testing.T, client TailscaleClient, peer TailscaleClient) {
+	t.Helper()
+
+	result, stderr, err := doSSH(t, client, peer)
+	assert.Error(t, err)
+
+	assert.Empty(t, result)
+
+	assert.Contains(t, stderr, "Permission denied (tailscale)")
+}
+
+func assertSSHTimeout(t *testing.T, client TailscaleClient, peer TailscaleClient) {
+	t.Helper()
+
+	result, stderr, err := doSSH(t, client, peer)
+	assert.NoError(t, err)
+
+	assert.Empty(t, result)
+
+	assert.Contains(t, stderr, "Connection timed out")
+}

integration/tailscale.go

@@ -0,0 +1,25 @@
+package integration
+
+import (
+	"net/netip"
+	"net/url"
+
+	"tailscale.com/ipn/ipnstate"
+)
+
+//nolint
+type TailscaleClient interface {
+	Hostname() string
+	Shutdown() error
+	Version() string
+	Execute(command []string) (string, string, error)
+	Up(loginServer, authKey string) error
+	UpWithLoginURL(loginServer string) (*url.URL, error)
+	IPs() ([]netip.Addr, error)
+	FQDN() (string, error)
+	Status() (*ipnstate.Status, error)
+	WaitForReady() error
+	WaitForPeers(expected int) error
+	Ping(hostnameOrIP string) error
+	ID() string
+}

integration/tsic/tsic.go

@@ -0,0 +1,445 @@
+package tsic
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"log"
+	"net/netip"
+	"net/url"
+	"strings"
+
+	"github.com/cenkalti/backoff/v4"
+	"github.com/juanfont/headscale"
+	"github.com/juanfont/headscale/integration/dockertestutil"
+	"github.com/juanfont/headscale/integration/integrationutil"
+	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
+	"tailscale.com/ipn/ipnstate"
+)
+
+const (
+	tsicHashLength    = 6
+	dockerContextPath = "../."
+	headscaleCertPath = "/usr/local/share/ca-certificates/headscale.crt"
+)
+
+var (
+	errTailscalePingFailed             = errors.New("ping failed")
+	errTailscaleNotLoggedIn            = errors.New("tailscale not logged in")
+	errTailscaleWrongPeerCount         = errors.New("wrong peer count")
+	errTailscaleCannotUpWithoutAuthkey = errors.New("cannot up without authkey")
+	errTailscaleNotConnected           = errors.New("tailscale not connected")
+)
+
+type TailscaleInContainer struct {
+	version  string
+	hostname string
+
+	pool      *dockertest.Pool
+	container *dockertest.Resource
+	network   *dockertest.Network
+
+	// "cache"
+	ips  []netip.Addr
+	fqdn string
+
+	// optional config
+	headscaleCert     []byte
+	headscaleHostname string
+	withSSH           bool
+}
+
+type Option = func(c *TailscaleInContainer)
+
+func WithHeadscaleTLS(cert []byte) Option {
+	return func(tsic *TailscaleInContainer) {
+		tsic.headscaleCert = cert
+	}
+}
+
+func WithOrCreateNetwork(network *dockertest.Network) Option {
+	return func(tsic *TailscaleInContainer) {
+		if network != nil {
+			tsic.network = network
+
+			return
+		}
+
+		network, err := dockertestutil.GetFirstOrCreateNetwork(
+			tsic.pool,
+			fmt.Sprintf("%s-network", tsic.hostname),
+		)
+		if err != nil {
+			log.Fatalf("failed to create network: %s", err)
+		}
+
+		tsic.network = network
+	}
+}
+
+func WithHeadscaleName(hsName string) Option {
+	return func(tsic *TailscaleInContainer) {
+		tsic.headscaleHostname = hsName
+	}
+}
+
+func WithSSH() Option {
+	return func(tsic *TailscaleInContainer) {
+		tsic.withSSH = true
+	}
+}
+
+func New(
+	pool *dockertest.Pool,
+	version string,
+	network *dockertest.Network,
+	opts ...Option,
+) (*TailscaleInContainer, error) {
+	hash, err := headscale.GenerateRandomStringDNSSafe(tsicHashLength)
+	if err != nil {
+		return nil, err
+	}
+
+	hostname := fmt.Sprintf("ts-%s-%s", strings.ReplaceAll(version, ".", "-"), hash)
+
+	tsic := &TailscaleInContainer{
+		version:  version,
+		hostname: hostname,
+
+		pool:    pool,
+		network: network,
+	}
+
+	for _, opt := range opts {
+		opt(tsic)
+	}
+
+	tailscaleOptions := &dockertest.RunOptions{
+		Name:     hostname,
+		Networks: []*dockertest.Network{network},
+		// Cmd: []string{
+		// 	"tailscaled", "--tun=tsdev",
+		// },
+		Entrypoint: []string{
+			"/bin/bash",
+			"-c",
+			"/bin/sleep 3 ; update-ca-certificates ; tailscaled --tun=tsdev",
+		},
+	}
+
+	if tsic.headscaleHostname != "" {
+		tailscaleOptions.ExtraHosts = []string{
+			"host.docker.internal:host-gateway",
+			fmt.Sprintf("%s:host-gateway", tsic.headscaleHostname),
+		}
+	}
+
+	// dockertest isnt very good at handling containers that has already
+	// been created, this is an attempt to make sure this container isnt
+	// present.
+	err = pool.RemoveContainerByName(hostname)
+	if err != nil {
+		return nil, err
+	}
+
+	container, err := pool.BuildAndRunWithBuildOptions(
+		createTailscaleBuildOptions(version),
+		tailscaleOptions,
+		dockertestutil.DockerRestartPolicy,
+		dockertestutil.DockerAllowLocalIPv6,
+		dockertestutil.DockerAllowNetworkAdministration,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("could not start tailscale container: %w", err)
+	}
+	log.Printf("Created %s container\n", hostname)
+
+	tsic.container = container
+
+	if tsic.hasTLS() {
+		err = tsic.WriteFile(headscaleCertPath, tsic.headscaleCert)
+		if err != nil {
+			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
+		}
+	}
+
+	return tsic, nil
+}
+
+func (t *TailscaleInContainer) hasTLS() bool {
+	return len(t.headscaleCert) != 0
+}
+
+func (t *TailscaleInContainer) Shutdown() error {
+	return t.pool.Purge(t.container)
+}
+
+func (t *TailscaleInContainer) Hostname() string {
+	return t.hostname
+}
+
+func (t *TailscaleInContainer) Version() string {
+	return t.version
+}
+
+func (t *TailscaleInContainer) ID() string {
+	return t.container.Container.ID
+}
+
+func (t *TailscaleInContainer) Execute(
+	command []string,
+) (string, string, error) {
+	stdout, stderr, err := dockertestutil.ExecuteCommand(
+		t.container,
+		command,
+		[]string{},
+	)
+	if err != nil {
+		log.Printf("command stderr: %s\n", stderr)
+
+		if stdout != "" {
+			log.Printf("command stdout: %s\n", stdout)
+		}
+
+		if strings.Contains(stderr, "NeedsLogin") {
+			return stdout, stderr, errTailscaleNotLoggedIn
+		}
+
+		return stdout, stderr, err
+	}
+
+	return stdout, stderr, nil
+}
+
+func (t *TailscaleInContainer) Up(
+	loginServer, authKey string,
+) error {
+	command := []string{
+		"tailscale",
+		"up",
+		"-login-server",
+		loginServer,
+		"--authkey",
+		authKey,
+		"--hostname",
+		t.hostname,
+	}
+
+	if t.withSSH {
+		command = append(command, "--ssh")
+	}
+
+	if _, _, err := t.Execute(command); err != nil {
+		return fmt.Errorf("failed to join tailscale client: %w", err)
+	}
+
+	return nil
+}
+
+func (t *TailscaleInContainer) UpWithLoginURL(
+	loginServer string,
+) (*url.URL, error) {
+	command := []string{
+		"tailscale",
+		"up",
+		"-login-server",
+		loginServer,
+		"--hostname",
+		t.hostname,
+	}
+
+	_, stderr, err := t.Execute(command)
+	if errors.Is(err, errTailscaleNotLoggedIn) {
+		return nil, errTailscaleCannotUpWithoutAuthkey
+	}
+
+	urlStr := strings.ReplaceAll(stderr, "\nTo authenticate, visit:\n\n\t", "")
+	urlStr = strings.TrimSpace(urlStr)
+
+	// parse URL
+	loginURL, err := url.Parse(urlStr)
+	if err != nil {
+		log.Printf("Could not parse login URL: %s", err)
+		log.Printf("Original join command result: %s", stderr)
+
+		return nil, err
+	}
+
+	return loginURL, nil
+}
+
+func (t *TailscaleInContainer) IPs() ([]netip.Addr, error) {
+	if t.ips != nil && len(t.ips) != 0 {
+		return t.ips, nil
+	}
+
+	ips := make([]netip.Addr, 0)
+
+	command := []string{
+		"tailscale",
+		"ip",
+	}
+
+	result, _, err := t.Execute(command)
+	if err != nil {
+		return []netip.Addr{}, fmt.Errorf("failed to join tailscale client: %w", err)
+	}
+
+	for _, address := range strings.Split(result, "\n") {
+		address = strings.TrimSuffix(address, "\n")
+		if len(address) < 1 {
+			continue
+		}
+		ip, err := netip.ParseAddr(address)
+		if err != nil {
+			return nil, err
+		}
+		ips = append(ips, ip)
+	}
+
+	return ips, nil
+}
+
+func (t *TailscaleInContainer) Status() (*ipnstate.Status, error) {
+	command := []string{
+		"tailscale",
+		"status",
+		"--json",
+	}
+
+	result, _, err := t.Execute(command)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute tailscale status command: %w", err)
+	}
+
+	var status ipnstate.Status
+	err = json.Unmarshal([]byte(result), &status)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal tailscale status: %w", err)
+	}
+
+	return &status, err
+}
+
+func (t *TailscaleInContainer) FQDN() (string, error) {
+	if t.fqdn != "" {
+		return t.fqdn, nil
+	}
+
+	status, err := t.Status()
+	if err != nil {
+		return "", fmt.Errorf("failed to get FQDN: %w", err)
+	}
+
+	return status.Self.DNSName, nil
+}
+
+func (t *TailscaleInContainer) WaitForReady() error {
+	return t.pool.Retry(func() error {
+		status, err := t.Status()
+		if err != nil {
+			return fmt.Errorf("failed to fetch tailscale status: %w", err)
+		}
+
+		if status.CurrentTailnet != nil {
+			return nil
+		}
+
+		return errTailscaleNotConnected
+	})
+}
+
+func (t *TailscaleInContainer) WaitForPeers(expected int) error {
+	return t.pool.Retry(func() error {
+		status, err := t.Status()
+		if err != nil {
+			return fmt.Errorf("failed to fetch tailscale status: %w", err)
+		}
+
+		if peers := status.Peers(); len(peers) != expected {
+			return errTailscaleWrongPeerCount
+		}
+
+		return nil
+	})
+}
+
+// TODO(kradalby): Make multiping, go routine magic.
+func (t *TailscaleInContainer) Ping(hostnameOrIP string) error {
+	return t.pool.Retry(func() error {
+		command := []string{
+			"tailscale", "ping",
+			"--timeout=1s",
+			"--c=10",
+			"--until-direct=true",
+			hostnameOrIP,
+		}
+
+		result, _, err := t.Execute(command)
+		if err != nil {
+			log.Printf(
+				"failed to run ping command from %s to %s, err: %s",
+				t.Hostname(),
+				hostnameOrIP,
+				err,
+			)
+
+			return err
+		}
+
+		if !strings.Contains(result, "pong") && !strings.Contains(result, "is local") {
+			return backoff.Permanent(errTailscalePingFailed)
+		}
+
+		return nil
+	})
+}
+
+func (t *TailscaleInContainer) WriteFile(path string, data []byte) error {
+	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
+}
+
+func createTailscaleBuildOptions(version string) *dockertest.BuildOptions {
+	var tailscaleBuildOptions *dockertest.BuildOptions
+	switch version {
+	case "head":
+		tailscaleBuildOptions = &dockertest.BuildOptions{
+			Dockerfile: "Dockerfile.tailscale-HEAD",
+			ContextDir: dockerContextPath,
+			BuildArgs:  []docker.BuildArg{},
+		}
+	case "unstable":
+		tailscaleBuildOptions = &dockertest.BuildOptions{
+			Dockerfile: "Dockerfile.tailscale",
+			ContextDir: dockerContextPath,
+			BuildArgs: []docker.BuildArg{
+				{
+					Name:  "TAILSCALE_VERSION",
+					Value: "*", // Installs the latest version https://askubuntu.com/a/824926
+				},
+				{
+					Name:  "TAILSCALE_CHANNEL",
+					Value: "unstable",
+				},
+			},
+		}
+	default:
+		tailscaleBuildOptions = &dockertest.BuildOptions{
+			Dockerfile: "Dockerfile.tailscale",
+			ContextDir: dockerContextPath,
+			BuildArgs: []docker.BuildArg{
+				{
+					Name:  "TAILSCALE_VERSION",
+					Value: version,
+				},
+				{
+					Name:  "TAILSCALE_CHANNEL",
+					Value: "stable",
+				},
+			},
+		}
+	}
+
+	return tailscaleBuildOptions
+}

integration_cli_test.go

@@ -1,5 +1,4 @@
-//go:build integration_cli
-
+// nolint
 package headscale
 
 import (
@@ -13,6 +12,7 @@ import (
 
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/ory/dockertest/v3"
+	"github.com/ory/dockertest/v3/docker"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
 )
@@ -27,7 +27,11 @@ type IntegrationCLITestSuite struct {
 	env       []string
 }
 
-func TestCLIIntegrationTestSuite(t *testing.T) {
+func TestIntegrationCLITestSuite(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration tests due to short flag")
+	}
+
 	s := new(IntegrationCLITestSuite)
 
 	suite.Run(t, s)
@@ -42,11 +46,11 @@ func (s *IntegrationCLITestSuite) SetupTest() {
 		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
 	}
 
-	if pnetwork, err := s.pool.CreateNetwork("headscale-test"); err == nil {
-		s.network = *pnetwork
-	} else {
-		s.FailNow(fmt.Sprintf("Could not create network: %s", err), "")
+	network, err := GetFirstOrCreateNetwork(&s.pool, headscaleNetwork)
+	if err != nil {
+		s.FailNow(fmt.Sprintf("Failed to create or get network: %s", err), "")
 	}
+	s.network = network
 
 	headscaleBuildOptions := &dockertest.BuildOptions{
 		Dockerfile: "Dockerfile",
@@ -63,8 +67,12 @@ func (s *IntegrationCLITestSuite) SetupTest() {
 		Mounts: []string{
 			fmt.Sprintf("%s/integration_test/etc:/etc/headscale", currentPath),
 		},
-		Networks: []*dockertest.Network{&s.network},
-		Cmd:      []string{"headscale", "serve"},
+		Cmd:          []string{"headscale", "serve"},
+		Networks:     []*dockertest.Network{&s.network},
+		ExposedPorts: []string{"8080/tcp"},
+		PortBindings: map[docker.Port][]docker.PortBinding{
+			"8080/tcp": {{HostPort: "8080"}},
+		},
 	}
 
 	err = s.pool.RemoveContainerByName(headscaleHostname)
@@ -87,7 +95,9 @@ func (s *IntegrationCLITestSuite) SetupTest() {
 	fmt.Println("Created headscale container for CLI tests")
 
 	fmt.Println("Waiting for headscale to be ready for CLI tests")
-	hostEndpoint := fmt.Sprintf("localhost:%s", s.headscale.GetPort("8080/tcp"))
+	hostEndpoint := fmt.Sprintf("%s:%s",
+		s.headscale.GetIPInNetwork(&s.network),
+		s.headscale.GetPort("8080/tcp"))
 
 	if err := s.pool.Retry(func() error {
 		url := fmt.Sprintf("http://%s/health", hostEndpoint)
@@ -548,8 +558,8 @@ func (s *IntegrationCLITestSuite) TestNodeTagCommand() {
 	assert.Nil(s.T(), err)
 
 	machineKeys := []string{
-		"9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-		"6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
+		"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		"nodekey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
 	}
 	machines := make([]*v1.Machine, len(machineKeys))
 	assert.Nil(s.T(), err)
@@ -681,11 +691,11 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 
 	// Randomly generated machine keys
 	machineKeys := []string{
-		"9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-		"6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
-		"f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-		"8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
-		"cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		"nodekey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
+		"nodekey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		"nodekey:8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
+		"nodekey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
 	}
 	machines := make([]*v1.Machine, len(machineKeys))
 	assert.Nil(s.T(), err)
@@ -769,8 +779,8 @@ func (s *IntegrationCLITestSuite) TestNodeCommand() {
 	assert.Equal(s.T(), "machine-5", listAll[4].Name)
 
 	otherNamespaceMachineKeys := []string{
-		"b5b444774186d4217adcec407563a1223929465ee2c68a4da13af0d0185b4f8e",
-		"dc721977ac7415aafa87f7d4574cbe07c6b171834a6d37375782bdc1fb6b3584",
+		"nodekey:b5b444774186d4217adcec407563a1223929465ee2c68a4da13af0d0185b4f8e",
+		"nodekey:dc721977ac7415aafa87f7d4574cbe07c6b171834a6d37375782bdc1fb6b3584",
 	}
 	otherNamespaceMachines := make([]*v1.Machine, len(otherNamespaceMachineKeys))
 	assert.Nil(s.T(), err)
@@ -940,11 +950,11 @@ func (s *IntegrationCLITestSuite) TestNodeExpireCommand() {
 
 	// Randomly generated machine keys
 	machineKeys := []string{
-		"9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
-		"6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
-		"f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-		"8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
-		"cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		"nodekey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
+		"nodekey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		"nodekey:8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
+		"nodekey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
 	}
 	machines := make([]*v1.Machine, len(machineKeys))
 	assert.Nil(s.T(), err)
@@ -1067,11 +1077,11 @@ func (s *IntegrationCLITestSuite) TestNodeRenameCommand() {
 
 	// Randomly generated machine keys
 	machineKeys := []string{
-		"cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
-		"8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
-		"f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
-		"6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
-		"9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
+		"nodekey:cf7b0fd05da556fdc3bab365787b506fd82d64a70745db70e00e86c1b1c03084",
+		"nodekey:8bc13285cee598acf76b1824a6f4490f7f2e3751b201e28aeb3b07fe81d5b4a1",
+		"nodekey:f08305b4ee4250b95a70f3b7504d048d75d899993c624a26d422c67af0422507",
+		"nodekey:6abd00bb5fdda622db51387088c68e97e71ce58e7056aa54f592b6a8219d524c",
+		"nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe",
 	}
 	machines := make([]*v1.Machine, len(machineKeys))
 	assert.Nil(s.T(), err)
@@ -1238,7 +1248,7 @@ func (s *IntegrationCLITestSuite) TestRouteCommand() {
 	assert.Nil(s.T(), err)
 
 	// Randomly generated machine keys
-	machineKey := "9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe"
+	machineKey := "nodekey:9b2ffa7e08cc421a3d2cca9012280f6a236fd0de0b4ce005b30a98ad930306fe"
 
 	_, _, err = ExecuteCommand(
 		&s.headscale,
@@ -1578,7 +1588,7 @@ func (s *IntegrationCLITestSuite) TestNodeMoveCommand() {
 	assert.Nil(s.T(), err)
 
 	// Randomly generated machine key
-	machineKey := "688411b767663479632d44140f08a9fde87383adc7cdeb518f62ce28a17ef0aa"
+	machineKey := "nodekey:688411b767663479632d44140f08a9fde87383adc7cdeb518f62ce28a17ef0aa"
 
 	_, _, err = ExecuteCommand(
 		&s.headscale,

integration_common_test.go

@@ -1,5 +1,4 @@
-//go:build integration
-
+//nolint
 package headscale
 
 import (
@@ -19,7 +18,8 @@ import (
 )
 
 const (
-	headscaleHostname      = "headscale-derp"
+	headscaleNetwork       = "headscale-test"
+	headscaleHostname      = "headscale"
 	DOCKER_EXECUTE_TIMEOUT = 10 * time.Second
 )
 
@@ -30,9 +30,10 @@ var (
 	IpPrefix6 = netip.MustParsePrefix("fd7a:115c:a1e0::/48")
 
 	tailscaleVersions = []string{
-		// "head",
-		// "unstable",
-		"1.30.0",
+		"head",
+		"unstable",
+		"1.32.0",
+		"1.30.2",
 		"1.28.0",
 		"1.26.2",
 		"1.24.2",
@@ -115,13 +116,19 @@ func ExecuteCommand(
 			fmt.Println("stdout: ", stdout.String())
 			fmt.Println("stderr: ", stderr.String())
 
-			return stdout.String(), stderr.String(), fmt.Errorf("command failed with: %s", stderr.String())
+			return stdout.String(), stderr.String(), fmt.Errorf(
+				"command failed with: %s",
+				stderr.String(),
+			)
 		}
 
 		return stdout.String(), stderr.String(), nil
 	case <-time.After(execConfig.timeout):
 
-		return stdout.String(), stderr.String(), fmt.Errorf("command timed out after %s", execConfig.timeout)
+		return stdout.String(), stderr.String(), fmt.Errorf(
+			"command timed out after %s",
+			execConfig.timeout,
+		)
 	}
 }
 
@@ -316,3 +323,21 @@ func GetEnvBool(key string) (bool, error) {
 
 	return v, nil
 }
+
+func GetFirstOrCreateNetwork(pool *dockertest.Pool, name string) (dockertest.Network, error) {
+	networks, err := pool.NetworksByName(name)
+	if err != nil || len(networks) == 0 {
+		if _, err := pool.CreateNetwork(name); err == nil {
+			// Create does not give us an updated version of the resource, so we need to
+			// get it again.
+			networks, err := pool.NetworksByName(name)
+			if err != nil {
+				return dockertest.Network{}, err
+			}
+
+			return networks[0], nil
+		}
+	}
+
+	return networks[0], nil
+}

integration_embedded_derp_test.go

@@ -1,5 +1,4 @@
-//go:build integration_derp
-
+//nolint
 package headscale
 
 import (
@@ -17,34 +16,39 @@ import (
 	"testing"
 	"time"
 
+	"github.com/ccding/go-stun/stun"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/ory/dockertest/v3"
 	"github.com/ory/dockertest/v3/docker"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
-
-	"github.com/ccding/go-stun/stun"
 )
 
 const (
-	namespaceName   = "derpnamespace"
-	totalContainers = 3
+	headscaleDerpHostname = "headscale-derp"
+	namespaceName         = "derpnamespace"
+	totalContainers       = 3
 )
 
 type IntegrationDERPTestSuite struct {
 	suite.Suite
 	stats *suite.SuiteInformation
 
-	pool      dockertest.Pool
-	networks  map[int]dockertest.Network // so we keep the containers isolated
-	headscale dockertest.Resource
-	saveLogs  bool
+	pool              dockertest.Pool
+	network           dockertest.Network
+	containerNetworks map[int]dockertest.Network // so we keep the containers isolated
+	headscale         dockertest.Resource
+	saveLogs          bool
 
 	tailscales    map[string]dockertest.Resource
 	joinWaitGroup sync.WaitGroup
 }
 
-func TestDERPIntegrationTestSuite(t *testing.T) {
+func TestIntegrationDERPTestSuite(t *testing.T) {
+	if testing.Short() {
+		t.Skip("skipping integration tests due to short flag")
+	}
+
 	saveLogs, err := GetEnvBool("HEADSCALE_INTEGRATION_SAVE_LOG")
 	if err != nil {
 		saveLogs = false
@@ -53,7 +57,7 @@ func TestDERPIntegrationTestSuite(t *testing.T) {
 	s := new(IntegrationDERPTestSuite)
 
 	s.tailscales = make(map[string]dockertest.Resource)
-	s.networks = make(map[int]dockertest.Network)
+	s.containerNetworks = make(map[int]dockertest.Network)
 	s.saveLogs = saveLogs
 
 	suite.Run(t, s)
@@ -78,7 +82,7 @@ func TestDERPIntegrationTestSuite(t *testing.T) {
 			log.Printf("Could not purge resource: %s\n", err)
 		}
 
-		for _, network := range s.networks {
+		for _, network := range s.containerNetworks {
 			if err := network.Close(); err != nil {
 				log.Printf("Could not close network: %s\n", err)
 			}
@@ -93,9 +97,15 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
 	}
 
+	network, err := GetFirstOrCreateNetwork(&s.pool, headscaleNetwork)
+	if err != nil {
+		s.FailNow(fmt.Sprintf("Failed to create or get network: %s", err), "")
+	}
+	s.network = network
+
 	for i := 0; i < totalContainers; i++ {
 		if pnetwork, err := s.pool.CreateNetwork(fmt.Sprintf("headscale-derp-%d", i)); err == nil {
-			s.networks[i] = *pnetwork
+			s.containerNetworks[i] = *pnetwork
 		} else {
 			s.FailNow(fmt.Sprintf("Could not create network: %s", err), "")
 		}
@@ -112,7 +122,7 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 	}
 
 	headscaleOptions := &dockertest.RunOptions{
-		Name: headscaleHostname,
+		Name: headscaleDerpHostname,
 		Mounts: []string{
 			fmt.Sprintf(
 				"%s/integration_test/etc_embedded_derp:/etc/headscale",
@@ -120,6 +130,7 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 			),
 		},
 		Cmd:          []string{"headscale", "serve"},
+		Networks:     []*dockertest.Network{&s.network},
 		ExposedPorts: []string{"8443/tcp", "3478/udp"},
 		PortBindings: map[docker.Port][]docker.PortBinding{
 			"8443/tcp": {{HostPort: "8443"}},
@@ -127,7 +138,7 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 		},
 	}
 
-	err = s.pool.RemoveContainerByName(headscaleHostname)
+	err = s.pool.RemoveContainerByName(headscaleDerpHostname)
 	if err != nil {
 		s.FailNow(
 			fmt.Sprintf(
@@ -153,13 +164,15 @@ func (s *IntegrationDERPTestSuite) SetupSuite() {
 		hostname, container := s.tailscaleContainer(
 			fmt.Sprint(i),
 			version,
-			s.networks[i],
+			s.containerNetworks[i],
 		)
 		s.tailscales[hostname] = *container
 	}
 
 	log.Println("Waiting for headscale to be ready for embedded DERP tests")
-	hostEndpoint := fmt.Sprintf("localhost:%s", s.headscale.GetPort("8443/tcp"))
+	hostEndpoint := fmt.Sprintf("%s:%s",
+		s.headscale.GetIPInNetwork(&s.network),
+		s.headscale.GetPort("8443/tcp"))
 
 	if err := s.pool.Retry(func() error {
 		url := fmt.Sprintf("https://%s/health", hostEndpoint)
@@ -320,7 +333,7 @@ func (s *IntegrationDERPTestSuite) TearDownSuite() {
 			log.Printf("Could not purge resource: %s\n", err)
 		}
 
-		for _, network := range s.networks {
+		for _, network := range s.containerNetworks {
 			if err := network.Close(); err != nil {
 				log.Printf("Could not close network: %s\n", err)
 			}
@@ -428,7 +441,9 @@ func (s *IntegrationDERPTestSuite) TestPingAllPeersByHostname() {
 }
 
 func (s *IntegrationDERPTestSuite) TestDERPSTUN() {
-	headscaleSTUNAddr := fmt.Sprintf("localhost:%s", s.headscale.GetPort("3478/udp"))
+	headscaleSTUNAddr := fmt.Sprintf("%s:%s",
+		s.headscale.GetIPInNetwork(&s.network),
+		s.headscale.GetPort("3478/udp"))
 	client := stun.NewClient()
 	client.SetVerbose(true)
 	client.SetVVerbose(true)

integration_general_test.go

@@ -1,787 +0,0 @@
-//go:build integration_general
-
-package headscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"log"
-	"net/http"
-	"net/netip"
-	"os"
-	"path"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/ory/dockertest/v3"
-	"github.com/ory/dockertest/v3/docker"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/suite"
-	"tailscale.com/client/tailscale/apitype"
-	"tailscale.com/ipn/ipnstate"
-)
-
-type IntegrationTestSuite struct {
-	suite.Suite
-	stats *suite.SuiteInformation
-
-	pool      dockertest.Pool
-	network   dockertest.Network
-	headscale dockertest.Resource
-	saveLogs  bool
-
-	namespaces map[string]TestNamespace
-
-	joinWaitGroup sync.WaitGroup
-}
-
-func TestIntegrationTestSuite(t *testing.T) {
-	saveLogs, err := GetEnvBool("HEADSCALE_INTEGRATION_SAVE_LOG")
-	if err != nil {
-		saveLogs = false
-	}
-
-	s := new(IntegrationTestSuite)
-
-	s.namespaces = map[string]TestNamespace{
-		"thisspace": {
-			count:      10,
-			tailscales: make(map[string]dockertest.Resource),
-		},
-		"otherspace": {
-			count:      2,
-			tailscales: make(map[string]dockertest.Resource),
-		},
-	}
-	s.saveLogs = saveLogs
-
-	suite.Run(t, s)
-
-	// HandleStats, which allows us to check if we passed and save logs
-	// is called after TearDown, so we cannot tear down containers before
-	// we have potentially saved the logs.
-	if s.saveLogs {
-		for _, scales := range s.namespaces {
-			for _, tailscale := range scales.tailscales {
-				if err := s.pool.Purge(&tailscale); err != nil {
-					log.Printf("Could not purge resource: %s\n", err)
-				}
-			}
-		}
-
-		if !s.stats.Passed() {
-			err := s.saveLog(&s.headscale, "test_output")
-			if err != nil {
-				log.Printf("Could not save log: %s\n", err)
-			}
-		}
-		if err := s.pool.Purge(&s.headscale); err != nil {
-			log.Printf("Could not purge resource: %s\n", err)
-		}
-
-		if err := s.network.Close(); err != nil {
-			log.Printf("Could not close network: %s\n", err)
-		}
-	}
-}
-
-func (s *IntegrationTestSuite) saveLog(
-	resource *dockertest.Resource,
-	basePath string,
-) error {
-	err := os.MkdirAll(basePath, os.ModePerm)
-	if err != nil {
-		return err
-	}
-
-	var stdout bytes.Buffer
-	var stderr bytes.Buffer
-
-	err = s.pool.Client.Logs(
-		docker.LogsOptions{
-			Context:      context.TODO(),
-			Container:    resource.Container.ID,
-			OutputStream: &stdout,
-			ErrorStream:  &stderr,
-			Tail:         "all",
-			RawTerminal:  false,
-			Stdout:       true,
-			Stderr:       true,
-			Follow:       false,
-			Timestamps:   false,
-		},
-	)
-	if err != nil {
-		return err
-	}
-
-	log.Printf("Saving logs for %s to %s\n", resource.Container.Name, basePath)
-
-	err = os.WriteFile(
-		path.Join(basePath, resource.Container.Name+".stdout.log"),
-		[]byte(stdout.String()),
-		0o644,
-	)
-	if err != nil {
-		return err
-	}
-
-	err = os.WriteFile(
-		path.Join(basePath, resource.Container.Name+".stderr.log"),
-		[]byte(stdout.String()),
-		0o644,
-	)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (s *IntegrationTestSuite) Join(
-	endpoint, key, hostname string,
-	tailscale dockertest.Resource,
-) {
-	defer s.joinWaitGroup.Done()
-
-	command := []string{
-		"tailscale",
-		"up",
-		"-login-server",
-		endpoint,
-		"--authkey",
-		key,
-		"--hostname",
-		hostname,
-	}
-
-	log.Println("Join command:", command)
-	log.Printf("Running join command for %s\n", hostname)
-	_, _, err := ExecuteCommand(
-		&tailscale,
-		command,
-		[]string{},
-	)
-	assert.Nil(s.T(), err)
-	log.Printf("%s joined\n", hostname)
-}
-
-func (s *IntegrationTestSuite) tailscaleContainer(
-	namespace, identifier, version string,
-) (string, *dockertest.Resource) {
-	tailscaleBuildOptions := getDockerBuildOptions(version)
-
-	hostname := fmt.Sprintf(
-		"%s-tailscale-%s-%s",
-		namespace,
-		strings.Replace(version, ".", "-", -1),
-		identifier,
-	)
-	tailscaleOptions := &dockertest.RunOptions{
-		Name:     hostname,
-		Networks: []*dockertest.Network{&s.network},
-		Cmd: []string{
-			"tailscaled", "--tun=tsdev",
-		},
-	}
-
-	pts, err := s.pool.BuildAndRunWithBuildOptions(
-		tailscaleBuildOptions,
-		tailscaleOptions,
-		DockerRestartPolicy,
-		DockerAllowLocalIPv6,
-		DockerAllowNetworkAdministration,
-	)
-	if err != nil {
-		log.Fatalf("Could not start tailscale container version %s: %s", version, err)
-	}
-	log.Printf("Created %s container\n", hostname)
-
-	return hostname, pts
-}
-
-func (s *IntegrationTestSuite) SetupSuite() {
-	var err error
-	app = Headscale{
-		dbType:   "sqlite3",
-		dbString: "integration_test_db.sqlite3",
-	}
-
-	if ppool, err := dockertest.NewPool(""); err == nil {
-		s.pool = *ppool
-	} else {
-		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
-	}
-
-	if pnetwork, err := s.pool.CreateNetwork("headscale-test"); err == nil {
-		s.network = *pnetwork
-	} else {
-		s.FailNow(fmt.Sprintf("Could not create network: %s", err), "")
-	}
-
-	headscaleBuildOptions := &dockertest.BuildOptions{
-		Dockerfile: "Dockerfile",
-		ContextDir: ".",
-	}
-
-	currentPath, err := os.Getwd()
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not determine current path: %s", err), "")
-	}
-
-	headscaleOptions := &dockertest.RunOptions{
-		Name: "headscale",
-		Mounts: []string{
-			fmt.Sprintf("%s/integration_test/etc:/etc/headscale", currentPath),
-		},
-		Networks: []*dockertest.Network{&s.network},
-		Cmd:      []string{"headscale", "serve"},
-	}
-
-	err = s.pool.RemoveContainerByName(headscaleHostname)
-	if err != nil {
-		s.FailNow(
-			fmt.Sprintf(
-				"Could not remove existing container before building test: %s",
-				err,
-			),
-			"",
-		)
-	}
-
-	log.Println("Creating headscale container for core integration tests")
-	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
-		s.headscale = *pheadscale
-	} else {
-		s.FailNow(fmt.Sprintf("Could not start headscale container for core integration tests: %s", err), "")
-	}
-	log.Println("Created headscale container for core integration tests")
-
-	log.Println("Creating tailscale containers for core integration tests")
-	for namespace, scales := range s.namespaces {
-		for i := 0; i < scales.count; i++ {
-			version := tailscaleVersions[i%len(tailscaleVersions)]
-
-			hostname, container := s.tailscaleContainer(
-				namespace,
-				fmt.Sprint(i),
-				version,
-			)
-			scales.tailscales[hostname] = *container
-		}
-	}
-
-	log.Println("Waiting for headscale to be ready for core integration tests")
-	hostEndpoint := fmt.Sprintf("localhost:%s", s.headscale.GetPort("8080/tcp"))
-
-	if err := s.pool.Retry(func() error {
-		url := fmt.Sprintf("http://%s/health", hostEndpoint)
-
-		resp, err := http.Get(url)
-		if err != nil {
-			fmt.Printf("headscale for core integration test is not ready: %s\n", err)
-			return err
-		}
-
-		if resp.StatusCode != http.StatusOK {
-			return fmt.Errorf("status code not OK")
-		}
-
-		return nil
-	}); err != nil {
-		// TODO(kradalby): If we cannot access headscale, or any other fatal error during
-		// test setup, we need to abort and tear down. However, testify does not seem to
-		// support that at the moment:
-		// https://github.com/stretchr/testify/issues/849
-		return // fmt.Errorf("Could not connect to headscale: %s", err)
-	}
-	log.Println("headscale container is ready for core integration tests")
-
-	for namespace, scales := range s.namespaces {
-		log.Printf("Creating headscale namespace: %s\n", namespace)
-		result, _, err := ExecuteCommand(
-			&s.headscale,
-			[]string{"headscale", "namespaces", "create", namespace},
-			[]string{},
-		)
-		log.Println("headscale create namespace result: ", result)
-		assert.Nil(s.T(), err)
-
-		log.Printf("Creating pre auth key for %s\n", namespace)
-		preAuthResult, _, err := ExecuteCommand(
-			&s.headscale,
-			[]string{
-				"headscale",
-				"--namespace",
-				namespace,
-				"preauthkeys",
-				"create",
-				"--reusable",
-				"--expiration",
-				"24h",
-				"--output",
-				"json",
-			},
-			[]string{"LOG_LEVEL=error"},
-		)
-		assert.Nil(s.T(), err)
-
-		var preAuthKey v1.PreAuthKey
-		err = json.Unmarshal([]byte(preAuthResult), &preAuthKey)
-		assert.Nil(s.T(), err)
-		assert.True(s.T(), preAuthKey.Reusable)
-
-		headscaleEndpoint := "http://headscale:8080"
-
-		log.Printf(
-			"Joining tailscale containers to headscale at %s\n",
-			headscaleEndpoint,
-		)
-		for hostname, tailscale := range scales.tailscales {
-			s.joinWaitGroup.Add(1)
-			go s.Join(headscaleEndpoint, preAuthKey.Key, hostname, tailscale)
-		}
-
-		s.joinWaitGroup.Wait()
-	}
-
-	// The nodes need a bit of time to get their updated maps from headscale
-	// TODO: See if we can have a more deterministic wait here.
-	time.Sleep(60 * time.Second)
-}
-
-func (s *IntegrationTestSuite) TearDownSuite() {
-	if !s.saveLogs {
-		for _, scales := range s.namespaces {
-			for _, tailscale := range scales.tailscales {
-				if err := s.pool.Purge(&tailscale); err != nil {
-					log.Printf("Could not purge resource: %s\n", err)
-				}
-			}
-		}
-
-		if err := s.pool.Purge(&s.headscale); err != nil {
-			log.Printf("Could not purge resource: %s\n", err)
-		}
-
-		if err := s.network.Close(); err != nil {
-			log.Printf("Could not close network: %s\n", err)
-		}
-	}
-}
-
-func (s *IntegrationTestSuite) HandleStats(
-	suiteName string,
-	stats *suite.SuiteInformation,
-) {
-	s.stats = stats
-}
-
-func (s *IntegrationTestSuite) TestListNodes() {
-	for namespace, scales := range s.namespaces {
-		log.Println("Listing nodes")
-		result, _, err := ExecuteCommand(
-			&s.headscale,
-			[]string{"headscale", "--namespace", namespace, "nodes", "list"},
-			[]string{},
-		)
-		assert.Nil(s.T(), err)
-
-		log.Printf("List nodes: \n%s\n", result)
-
-		// Chck that the correct count of host is present in node list
-		lines := strings.Split(result, "\n")
-		assert.Equal(s.T(), len(scales.tailscales), len(lines)-2)
-
-		for hostname := range scales.tailscales {
-			assert.Contains(s.T(), result, hostname)
-		}
-	}
-}
-
-func (s *IntegrationTestSuite) TestGetIpAddresses() {
-	for _, scales := range s.namespaces {
-		ips, err := getIPs(scales.tailscales)
-		assert.Nil(s.T(), err)
-
-		for hostname := range scales.tailscales {
-			ips := ips[hostname]
-			for _, ip := range ips {
-				s.T().Run(hostname, func(t *testing.T) {
-					assert.NotNil(t, ip)
-
-					log.Printf("IP for %s: %s\n", hostname, ip)
-
-					// c.Assert(ip.Valid(), check.IsTrue)
-					assert.True(t, ip.Is4() || ip.Is6())
-					switch {
-					case ip.Is4():
-						assert.True(t, IpPrefix4.Contains(ip))
-					case ip.Is6():
-						assert.True(t, IpPrefix6.Contains(ip))
-					}
-				})
-			}
-		}
-	}
-}
-
-// TODO(kradalby): fix this test
-// We need some way to import ipnstate.Status from multiple go packages.
-// Currently it will only work with 1.18.x since that is the last
-// version we have in go.mod
-// func (s *IntegrationTestSuite) TestStatus() {
-//	for _, scales := range s.namespaces {
-//		ips, err := getIPs(scales.tailscales)
-//		assert.Nil(s.T(), err)
-//
-//		for hostname, tailscale := range scales.tailscales {
-//			s.T().Run(hostname, func(t *testing.T) {
-//				command := []string{"tailscale", "status", "--json"}
-//
-//				log.Printf("Getting status for %s\n", hostname)
-//				result, err := ExecuteCommand(
-//					&tailscale,
-//					command,
-//					[]string{},
-//				)
-//				assert.Nil(t, err)
-//
-//				var status ipnstate.Status
-//				err = json.Unmarshal([]byte(result), &status)
-//				assert.Nil(s.T(), err)
-//
-//				// TODO(kradalby): Replace this check with peer length of SAME namespace
-//				// Check if we have as many nodes in status
-//				// as we have IPs/tailscales
-//				// lines := strings.Split(result, "\n")
-//				// assert.Equal(t, len(ips), len(lines)-1)
-//				// assert.Equal(t, len(scales.tailscales), len(lines)-1)
-//
-//				peerIps := getIPsfromIPNstate(status)
-//
-//				// Check that all hosts is present in all hosts status
-//				for ipHostname, ip := range ips {
-//					if hostname != ipHostname {
-//						assert.Contains(t, peerIps, ip)
-//					}
-//				}
-//			})
-//		}
-//	}
-// }
-
-func getIPsfromIPNstate(status ipnstate.Status) []netip.Addr {
-	ips := make([]netip.Addr, 0)
-
-	for _, peer := range status.Peer {
-		ips = append(ips, peer.TailscaleIPs...)
-	}
-
-	return ips
-}
-
-// TODO: Adopt test for cross communication between namespaces
-func (s *IntegrationTestSuite) TestPingAllPeersByAddress() {
-	for _, scales := range s.namespaces {
-		ips, err := getIPs(scales.tailscales)
-		assert.Nil(s.T(), err)
-
-		for hostname, tailscale := range scales.tailscales {
-			for peername, peerIPs := range ips {
-				for i, ip := range peerIPs {
-					// We currently cant ping ourselves, so skip that.
-					if peername == hostname {
-						continue
-					}
-					s.T().
-						Run(fmt.Sprintf("%s-%s-%d", hostname, peername, i), func(t *testing.T) {
-							// We are only interested in "direct ping" which means what we
-							// might need a couple of more attempts before reaching the node.
-							command := []string{
-								"tailscale", "ping",
-								"--timeout=1s",
-								"--c=10",
-								"--until-direct=true",
-								ip.String(),
-							}
-
-							log.Printf(
-								"Pinging from %s to %s (%s)\n",
-								hostname,
-								peername,
-								ip,
-							)
-							result, _, err := ExecuteCommand(
-								&tailscale,
-								command,
-								[]string{},
-							)
-							assert.Nil(t, err)
-							log.Printf("Result for %s: %s\n", hostname, result)
-							assert.Contains(t, result, "pong")
-						})
-				}
-			}
-		}
-	}
-}
-
-func (s *IntegrationTestSuite) TestTailDrop() {
-	for _, scales := range s.namespaces {
-		ips, err := getIPs(scales.tailscales)
-		assert.Nil(s.T(), err)
-
-		retry := func(times int, sleepInverval time.Duration, doWork func() error) (err error) {
-			for attempts := 0; attempts < times; attempts++ {
-				err = doWork()
-				if err == nil {
-					return
-				}
-				time.Sleep(sleepInverval)
-			}
-
-			return
-		}
-
-		for hostname, tailscale := range scales.tailscales {
-			command := []string{"touch", fmt.Sprintf("/tmp/file_from_%s", hostname)}
-			_, _, err := ExecuteCommand(
-				&tailscale,
-				command,
-				[]string{},
-			)
-			assert.Nil(s.T(), err)
-			for peername := range ips {
-				if peername == hostname {
-					continue
-				}
-
-				var ip4 netip.Addr
-				for _, ip := range ips[peername] {
-					if ip.Is4() {
-						ip4 = ip
-						break
-					}
-				}
-				if ip4.IsUnspecified() {
-					panic("no ipv4 address found")
-				}
-
-				s.T().Run(fmt.Sprintf("%s-%s", hostname, peername), func(t *testing.T) {
-					command := []string{
-						"tailscale", "file", "cp",
-						fmt.Sprintf("/tmp/file_from_%s", hostname),
-						fmt.Sprintf("%s:", ip4),
-					}
-					err := retry(10, 1*time.Second, func() error {
-						log.Printf(
-							"Sending file from %s to %s\n",
-							hostname,
-							peername,
-						)
-						_, _, err := ExecuteCommand(
-							&tailscale,
-							command,
-							[]string{},
-							ExecuteCommandTimeout(60*time.Second),
-						)
-						return err
-					})
-
-					assert.Nil(t, err)
-				})
-			}
-		}
-
-		for hostname, tailscale := range scales.tailscales {
-			command := []string{
-				"tailscale", "file",
-				"get",
-				"/tmp/",
-			}
-			_, _, err := ExecuteCommand(
-				&tailscale,
-				command,
-				[]string{},
-			)
-			assert.Nil(s.T(), err)
-			for peername, ip := range ips {
-				if peername == hostname {
-					continue
-				}
-				s.T().Run(fmt.Sprintf("%s-%s", hostname, peername), func(t *testing.T) {
-					command := []string{
-						"ls",
-						fmt.Sprintf("/tmp/file_from_%s", peername),
-					}
-					log.Printf(
-						"Checking file in %s (%s) from %s (%s)\n",
-						hostname,
-						ips[hostname][1],
-						peername,
-						ip,
-					)
-					result, _, err := ExecuteCommand(
-						&tailscale,
-						command,
-						[]string{},
-					)
-					assert.Nil(t, err)
-					log.Printf("Result for %s: %s\n", peername, result)
-					assert.Equal(
-						t,
-						fmt.Sprintf("/tmp/file_from_%s\n", peername),
-						result,
-					)
-				})
-			}
-		}
-	}
-}
-
-func (s *IntegrationTestSuite) TestPingAllPeersByHostname() {
-	hostnames, err := getMagicFQDN(&s.headscale)
-	assert.Nil(s.T(), err)
-
-	log.Printf("Resolved hostnames: %#v", hostnames)
-	for _, scales := range s.namespaces {
-		for hostname, tailscale := range scales.tailscales {
-			for _, peername := range hostnames {
-				if strings.Contains(peername, hostname) {
-					continue
-				}
-
-				s.T().Run(fmt.Sprintf("%s-%s", hostname, peername), func(t *testing.T) {
-					command := []string{
-						"tailscale", "ping",
-						"--timeout=10s",
-						"--c=20",
-						"--until-direct=true",
-						peername,
-					}
-
-					log.Printf(
-						"Pinging using hostname from %s to %s\n",
-						hostname,
-						peername,
-					)
-					result, _, err := ExecuteCommand(
-						&tailscale,
-						command,
-						[]string{},
-					)
-					assert.Nil(t, err)
-					log.Printf("Result for %s: %s\n", hostname, result)
-					assert.Contains(t, result, "pong")
-				})
-			}
-		}
-	}
-}
-
-func (s *IntegrationTestSuite) TestMagicDNS() {
-	hostnames, err := getMagicFQDN(&s.headscale)
-	assert.Nil(s.T(), err)
-
-	log.Printf("Resolved hostnames: %#v", hostnames)
-
-	for _, scales := range s.namespaces {
-		ips, err := getIPs(scales.tailscales)
-		assert.Nil(s.T(), err)
-
-		retry := func(times int, sleepInverval time.Duration, doWork func() (string, error)) (result string, err error) {
-			for attempts := 0; attempts < times; attempts++ {
-				result, err = doWork()
-				if err == nil {
-					return
-				}
-				time.Sleep(sleepInverval)
-			}
-
-			return
-		}
-
-		for hostname, tailscale := range scales.tailscales {
-			for _, peername := range hostnames {
-				if strings.Contains(peername, hostname) {
-					continue
-				}
-
-				s.T().Run(fmt.Sprintf("%s-%s", hostname, peername), func(t *testing.T) {
-					command := []string{
-						"tailscale", "ip", peername,
-					}
-					result, err := retry(10, 1*time.Second, func() (string, error) {
-						log.Printf(
-							"Resolving name %s from %s\n",
-							peername,
-							hostname,
-						)
-						result, _, err := ExecuteCommand(
-							&tailscale,
-							command,
-							[]string{},
-						)
-						return result, err
-					})
-
-					assert.Nil(t, err)
-					log.Printf("Result for %s: %s\n", hostname, result)
-
-					peerBaseName := peername[:len(peername)-MachineGivenNameHashLength-1]
-					expectedAddresses := ips[peerBaseName]
-					for _, ip := range expectedAddresses {
-						assert.Contains(t, result, ip.String())
-					}
-				})
-			}
-		}
-	}
-}
-
-func getAPIURLs(
-	tailscales map[string]dockertest.Resource,
-) (map[netip.Addr]string, error) {
-	fts := make(map[netip.Addr]string)
-	for _, tailscale := range tailscales {
-		command := []string{
-			"curl",
-			"--unix-socket",
-			"/run/tailscale/tailscaled.sock",
-			"http://localhost/localapi/v0/file-targets",
-		}
-		result, _, err := ExecuteCommand(
-			&tailscale,
-			command,
-			[]string{},
-		)
-		if err != nil {
-			return nil, err
-		}
-
-		var pft []apitype.FileTarget
-		if err := json.Unmarshal([]byte(result), &pft); err != nil {
-			return nil, fmt.Errorf("invalid JSON: %w", err)
-		}
-		for _, ft := range pft {
-			n := ft.Node
-			for _, a := range n.Addresses { // just add all the addresses
-				if _, ok := fts[a.Addr()]; !ok {
-					if ft.PeerAPIURL == "" {
-						return nil, errors.New("api url is empty")
-					}
-					fts[a.Addr()] = ft.PeerAPIURL
-				}
-			}
-		}
-	}
-
-	return fts, nil
-}

integration_oidc_test.go

@@ -1,506 +0,0 @@
-//go:build integration_oidc
-
-package headscale
-
-import (
-	"bytes"
-	"context"
-	"crypto/tls"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"net/url"
-	"os"
-	"path"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/ory/dockertest/v3"
-	"github.com/ory/dockertest/v3/docker"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/suite"
-)
-
-const (
-	oidcHeadscaleHostname = "headscale"
-	oidcNamespaceName     = "oidcnamespace"
-	totalOidcContainers   = 3
-)
-
-type IntegrationOIDCTestSuite struct {
-	suite.Suite
-	stats *suite.SuiteInformation
-
-	pool      dockertest.Pool
-	network   dockertest.Network
-	headscale dockertest.Resource
-	mockOidc  dockertest.Resource
-	saveLogs  bool
-
-	tailscales    map[string]dockertest.Resource
-	joinWaitGroup sync.WaitGroup
-}
-
-func TestOIDCIntegrationTestSuite(t *testing.T) {
-	saveLogs, err := GetEnvBool("HEADSCALE_INTEGRATION_SAVE_LOG")
-	if err != nil {
-		saveLogs = false
-	}
-
-	s := new(IntegrationOIDCTestSuite)
-
-	s.tailscales = make(map[string]dockertest.Resource)
-	s.saveLogs = saveLogs
-
-	suite.Run(t, s)
-
-	// HandleStats, which allows us to check if we passed and save logs
-	// is called after TearDown, so we cannot tear down containers before
-	// we have potentially saved the logs.
-	if s.saveLogs {
-		for _, tailscale := range s.tailscales {
-			if err := s.pool.Purge(&tailscale); err != nil {
-				log.Printf("Could not purge resource: %s\n", err)
-			}
-		}
-
-		if !s.stats.Passed() {
-			err := s.saveLog(&s.headscale, "test_output")
-			if err != nil {
-				log.Printf("Could not save log: %s\n", err)
-			}
-		}
-
-		if err := s.pool.Purge(&s.mockOidc); err != nil {
-			log.Printf("Could not purge resource: %s\n", err)
-		}
-
-		if err := s.pool.Purge(&s.headscale); err != nil {
-			t.Logf("Could not purge resource: %s\n", err)
-		}
-
-		if err := s.network.Close(); err != nil {
-			log.Printf("Could not close network: %s\n", err)
-		}
-	}
-}
-
-func (s *IntegrationOIDCTestSuite) SetupSuite() {
-	if ppool, err := dockertest.NewPool(""); err == nil {
-		s.pool = *ppool
-	} else {
-		s.FailNow(fmt.Sprintf("Could not connect to docker: %s", err), "")
-	}
-
-	if pnetwork, err := s.pool.CreateNetwork("headscale-test"); err == nil {
-		s.network = *pnetwork
-	} else {
-		s.FailNow(fmt.Sprintf("Could not create network: %s", err), "")
-	}
-
-	// Create does not give us an updated version of the resource, so we need to
-	// get it again.
-	networks, err := s.pool.NetworksByName("headscale-test")
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not get network: %s", err), "")
-	}
-	s.network = networks[0]
-
-	log.Printf("Network config: %v", s.network.Network.IPAM.Config[0])
-
-	s.Suite.T().Log("Setting up mock OIDC")
-	mockOidcOptions := &dockertest.RunOptions{
-		Name:         "mockoidc",
-		Hostname:     "mockoidc",
-		Cmd:          []string{"headscale", "mockoidc"},
-		ExposedPorts: []string{"10000/tcp"},
-		Networks:     []*dockertest.Network{&s.network},
-		PortBindings: map[docker.Port][]docker.PortBinding{
-			"10000/tcp": {{HostPort: "10000"}},
-		},
-		Env: []string{
-			"MOCKOIDC_PORT=10000",
-			"MOCKOIDC_CLIENT_ID=superclient",
-			"MOCKOIDC_CLIENT_SECRET=supersecret",
-		},
-	}
-
-	headscaleBuildOptions := &dockertest.BuildOptions{
-		Dockerfile: "Dockerfile.debug",
-		ContextDir: ".",
-	}
-
-	if pmockoidc, err := s.pool.BuildAndRunWithBuildOptions(
-		headscaleBuildOptions,
-		mockOidcOptions,
-		DockerRestartPolicy); err == nil {
-		s.mockOidc = *pmockoidc
-	} else {
-		s.FailNow(fmt.Sprintf("Could not start mockOIDC container: %s", err), "")
-	}
-
-	oidcCfg := fmt.Sprintf(`
-oidc:
-  issuer: http://%s:10000/oidc
-  client_id: superclient
-  client_secret: supersecret
-  strip_email_domain: true`, s.mockOidc.GetIPInNetwork(&s.network))
-
-	currentPath, err := os.Getwd()
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not determine current path: %s", err), "")
-	}
-
-	baseConfig, err := os.ReadFile(
-		path.Join(currentPath, "integration_test/etc_oidc/base_config.yaml"))
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not read base config: %s", err), "")
-	}
-	config := string(baseConfig) + oidcCfg
-
-	log.Println(config)
-
-	configPath := path.Join(currentPath, "integration_test/etc_oidc/config.yaml")
-	err = os.WriteFile(configPath, []byte(config), 0644)
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not write config: %s", err), "")
-	}
-
-	headscaleOptions := &dockertest.RunOptions{
-		Name:     oidcHeadscaleHostname,
-		Networks: []*dockertest.Network{&s.network},
-		Mounts: []string{
-			path.Join(currentPath,
-				"integration_test/etc_oidc:/etc/headscale",
-			),
-		},
-		Cmd:          []string{"headscale", "serve"},
-		ExposedPorts: []string{"8443/tcp", "3478/udp"},
-		PortBindings: map[docker.Port][]docker.PortBinding{
-			"8443/tcp": {{HostPort: "8443"}},
-			"3478/udp": {{HostPort: "3478"}},
-		},
-	}
-
-	err = s.pool.RemoveContainerByName(oidcHeadscaleHostname)
-	if err != nil {
-		s.FailNow(
-			fmt.Sprintf(
-				"Could not remove existing container before building test: %s",
-				err,
-			),
-			"",
-		)
-	}
-
-	s.Suite.T().Logf("Creating headscale container for OIDC integration tests")
-	if pheadscale, err := s.pool.BuildAndRunWithBuildOptions(headscaleBuildOptions, headscaleOptions, DockerRestartPolicy); err == nil {
-		s.headscale = *pheadscale
-	} else {
-		s.FailNow(fmt.Sprintf("Could not start headscale container: %s", err), "")
-	}
-	s.Suite.T().Logf("Created headscale container for embedded OIDC tests")
-
-	s.Suite.T().Logf("Creating tailscale containers for embedded OIDC tests")
-
-	for i := 0; i < totalOidcContainers; i++ {
-		version := tailscaleVersions[i%len(tailscaleVersions)]
-		hostname, container := s.tailscaleContainer(
-			fmt.Sprint(i),
-			version,
-		)
-		s.tailscales[hostname] = *container
-	}
-
-	s.Suite.T().Logf("Waiting for headscale to be ready for embedded OIDC tests")
-	hostEndpoint := fmt.Sprintf("localhost:%s", s.headscale.GetPort("8443/tcp"))
-
-	if err := s.pool.Retry(func() error {
-		url := fmt.Sprintf("https://%s/health", hostEndpoint)
-		insecureTransport := http.DefaultTransport.(*http.Transport).Clone()
-		insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
-		client := &http.Client{Transport: insecureTransport}
-		resp, err := client.Get(url)
-		if err != nil {
-			log.Printf("headscale for embedded OIDC tests is not ready: %s\n", err)
-			return err
-		}
-
-		if resp.StatusCode != http.StatusOK {
-			return fmt.Errorf("status code not OK")
-		}
-
-		return nil
-	}); err != nil {
-		// TODO(kradalby): If we cannot access headscale, or any other fatal error during
-		// test setup, we need to abort and tear down. However, testify does not seem to
-		// support that at the moment:
-		// https://github.com/stretchr/testify/issues/849
-		return // fmt.Errorf("Could not connect to headscale: %s", err)
-	}
-	s.Suite.T().Log("headscale container is ready for embedded OIDC tests")
-
-	s.Suite.T().Logf("Creating headscale namespace: %s\n", oidcNamespaceName)
-	result, _, err := ExecuteCommand(
-		&s.headscale,
-		[]string{"headscale", "namespaces", "create", oidcNamespaceName},
-		[]string{},
-	)
-	log.Println("headscale create namespace result: ", result)
-	assert.Nil(s.T(), err)
-
-	headscaleEndpoint := fmt.Sprintf(
-		"https://headscale:%s",
-		s.headscale.GetPort("8443/tcp"),
-	)
-
-	log.Printf(
-		"Joining tailscale containers to headscale at %s\n",
-		headscaleEndpoint,
-	)
-	for hostname, tailscale := range s.tailscales {
-		s.joinWaitGroup.Add(1)
-		go s.AuthenticateOIDC(headscaleEndpoint, hostname, tailscale)
-
-		// TODO(juan): Workaround for https://github.com/juanfont/headscale/issues/814
-		time.Sleep(1 * time.Second)
-	}
-
-	s.joinWaitGroup.Wait()
-
-	// The nodes need a bit of time to get their updated maps from headscale
-	// TODO: See if we can have a more deterministic wait here.
-	time.Sleep(60 * time.Second)
-}
-
-func (s *IntegrationOIDCTestSuite) AuthenticateOIDC(
-	endpoint, hostname string,
-	tailscale dockertest.Resource,
-) {
-	defer s.joinWaitGroup.Done()
-
-	loginURL, err := s.joinOIDC(endpoint, hostname, tailscale)
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not join OIDC node: %s", err), "")
-	}
-
-	insecureTransport := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-	}
-	client := &http.Client{Transport: insecureTransport}
-	resp, err := client.Get(loginURL.String())
-	assert.Nil(s.T(), err)
-
-	body, err := io.ReadAll(resp.Body)
-	assert.Nil(s.T(), err)
-
-	if err != nil {
-		s.FailNow(fmt.Sprintf("Could not read login page: %s", err), "")
-	}
-
-	log.Printf("Login page for %s: %s", hostname, string(body))
-}
-
-func (s *IntegrationOIDCTestSuite) joinOIDC(
-	endpoint, hostname string,
-	tailscale dockertest.Resource,
-) (*url.URL, error) {
-
-	command := []string{
-		"tailscale",
-		"up",
-		"-login-server",
-		endpoint,
-		"--hostname",
-		hostname,
-	}
-
-	log.Println("Join command:", command)
-	log.Printf("Running join command for %s\n", hostname)
-	_, stderr, _ := ExecuteCommand(
-		&tailscale,
-		command,
-		[]string{},
-	)
-
-	// This piece of code just gets the login URL out of the stderr of the tailscale client.
-	// See https://github.com/tailscale/tailscale/blob/main/cmd/tailscale/cli/up.go#L584.
-	urlStr := strings.ReplaceAll(stderr, "\nTo authenticate, visit:\n\n\t", "")
-	urlStr = strings.TrimSpace(urlStr)
-
-	// parse URL
-	loginUrl, err := url.Parse(urlStr)
-	if err != nil {
-		log.Printf("Could not parse login URL: %s", err)
-		log.Printf("Original join command result: %s", stderr)
-		return nil, err
-	}
-
-	return loginUrl, nil
-}
-
-func (s *IntegrationOIDCTestSuite) tailscaleContainer(
-	identifier, version string,
-) (string, *dockertest.Resource) {
-	tailscaleBuildOptions := getDockerBuildOptions(version)
-
-	hostname := fmt.Sprintf(
-		"tailscale-%s-%s",
-		strings.Replace(version, ".", "-", -1),
-		identifier,
-	)
-	tailscaleOptions := &dockertest.RunOptions{
-		Name:     hostname,
-		Networks: []*dockertest.Network{&s.network},
-		Cmd: []string{
-			"tailscaled", "--tun=tsdev",
-		},
-
-		// expose the host IP address, so we can access it from inside the container
-		ExtraHosts: []string{
-			"host.docker.internal:host-gateway",
-			"headscale:host-gateway",
-		},
-	}
-
-	pts, err := s.pool.BuildAndRunWithBuildOptions(
-		tailscaleBuildOptions,
-		tailscaleOptions,
-		DockerRestartPolicy,
-		DockerAllowLocalIPv6,
-		DockerAllowNetworkAdministration,
-	)
-	if err != nil {
-		log.Fatalf("Could not start tailscale container version %s: %s", version, err)
-	}
-	log.Printf("Created %s container\n", hostname)
-
-	return hostname, pts
-}
-
-func (s *IntegrationOIDCTestSuite) TearDownSuite() {
-	if !s.saveLogs {
-		for _, tailscale := range s.tailscales {
-			if err := s.pool.Purge(&tailscale); err != nil {
-				log.Printf("Could not purge resource: %s\n", err)
-			}
-		}
-
-		if err := s.pool.Purge(&s.headscale); err != nil {
-			log.Printf("Could not purge resource: %s\n", err)
-		}
-
-		if err := s.pool.Purge(&s.mockOidc); err != nil {
-			log.Printf("Could not purge resource: %s\n", err)
-		}
-
-		if err := s.network.Close(); err != nil {
-			log.Printf("Could not close network: %s\n", err)
-		}
-	}
-}
-
-func (s *IntegrationOIDCTestSuite) HandleStats(
-	suiteName string,
-	stats *suite.SuiteInformation,
-) {
-	s.stats = stats
-}
-
-func (s *IntegrationOIDCTestSuite) saveLog(
-	resource *dockertest.Resource,
-	basePath string,
-) error {
-	err := os.MkdirAll(basePath, os.ModePerm)
-	if err != nil {
-		return err
-	}
-
-	var stdout bytes.Buffer
-	var stderr bytes.Buffer
-
-	err = s.pool.Client.Logs(
-		docker.LogsOptions{
-			Context:      context.TODO(),
-			Container:    resource.Container.ID,
-			OutputStream: &stdout,
-			ErrorStream:  &stderr,
-			Tail:         "all",
-			RawTerminal:  false,
-			Stdout:       true,
-			Stderr:       true,
-			Follow:       false,
-			Timestamps:   false,
-		},
-	)
-	if err != nil {
-		return err
-	}
-
-	log.Printf("Saving logs for %s to %s\n", resource.Container.Name, basePath)
-
-	err = os.WriteFile(
-		path.Join(basePath, resource.Container.Name+".stdout.log"),
-		[]byte(stdout.String()),
-		0o644,
-	)
-	if err != nil {
-		return err
-	}
-
-	err = os.WriteFile(
-		path.Join(basePath, resource.Container.Name+".stderr.log"),
-		[]byte(stdout.String()),
-		0o644,
-	)
-	if err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (s *IntegrationOIDCTestSuite) TestPingAllPeersByAddress() {
-	for hostname, tailscale := range s.tailscales {
-		ips, err := getIPs(s.tailscales)
-		assert.Nil(s.T(), err)
-		for peername, peerIPs := range ips {
-			for i, ip := range peerIPs {
-				// We currently cant ping ourselves, so skip that.
-				if peername == hostname {
-					continue
-				}
-				s.T().
-					Run(fmt.Sprintf("%s-%s-%d", hostname, peername, i), func(t *testing.T) {
-						// We are only interested in "direct ping" which means what we
-						// might need a couple of more attempts before reaching the node.
-						command := []string{
-							"tailscale", "ping",
-							"--timeout=1s",
-							"--c=10",
-							"--until-direct=true",
-							ip.String(),
-						}
-
-						log.Printf(
-							"Pinging from %s to %s (%s)\n",
-							hostname,
-							peername,
-							ip,
-						)
-						stdout, stderr, err := ExecuteCommand(
-							&tailscale,
-							command,
-							[]string{},
-						)
-						assert.Nil(t, err)
-						log.Printf("result for %s: stdout: %s, stderr: %s\n", hostname, stdout, stderr)
-						assert.Contains(t, stdout, "pong")
-					})
-			}
-		}
-	}
-}

integration_test/etc/alt-config.dump.gold.yaml

@@ -14,6 +14,7 @@ derp:
   urls:
     - https://controlplane.tailscale.com/derpmap/default
 dns_config:
+  override_local_dns: true
   base_domain: headscale.net
   domains: []
   magic_dns: true
@@ -45,7 +46,6 @@ private_key_path: private.key
 noise:
   private_key_path: noise_private.key
 server_url: http://headscale:18080
-tls_client_auth_mode: relaxed
 tls_letsencrypt_cache_dir: /var/www/.cache
 tls_letsencrypt_challenge_type: HTTP-01
 unix_socket: /var/run/headscale.sock

integration_test/etc/alt-config.yaml

@@ -8,6 +8,7 @@ ip_prefixes:
   - fd7a:115c:a1e0::/48
   - 100.64.0.0/10
 dns_config:
+  override_local_dns: true
   base_domain: headscale.net
   magic_dns: true
   domains: []

integration_test/etc/alt-env-config.dump.gold.yaml

@@ -14,6 +14,7 @@ derp:
   urls:
     - https://controlplane.tailscale.com/derpmap/default
 dns_config:
+  override_local_dns: true
   base_domain: headscale.net
   domains: []
   magic_dns: true
@@ -44,7 +45,6 @@ private_key_path: private.key
 noise:
   private_key_path: noise_private.key
 server_url: http://headscale:18080
-tls_client_auth_mode: relaxed
 tls_letsencrypt_cache_dir: /var/www/.cache
 tls_letsencrypt_challenge_type: HTTP-01
 unix_socket: /var/run/headscale.sock

integration_test/etc/alt-env-config.yaml

@@ -8,6 +8,7 @@ ip_prefixes:
   - fd7a:115c:a1e0::/48
   - 100.64.0.0/10
 dns_config:
+  override_local_dns: true
   base_domain: headscale.net
   magic_dns: true
   domains: []

integration_test/etc/config.dump.gold.yaml

@@ -14,6 +14,7 @@ derp:
   urls:
     - https://controlplane.tailscale.com/derpmap/default
 dns_config:
+  override_local_dns: true
   base_domain: headscale.net
   domains: []
   magic_dns: true
@@ -45,7 +46,6 @@ private_key_path: private.key
 noise:
   private_key_path: noise_private.key
 server_url: http://headscale:8080
-tls_client_auth_mode: relaxed
 tls_letsencrypt_cache_dir: /var/www/.cache
 tls_letsencrypt_challenge_type: HTTP-01
 unix_socket: /var/run/headscale.sock

integration_test/etc/config.yaml

@@ -8,6 +8,7 @@ ip_prefixes:
   - fd7a:115c:a1e0::/48
   - 100.64.0.0/10
 dns_config:
+  override_local_dns: true
   base_domain: headscale.net
   magic_dns: true
   domains: []

integration_test/etc_oidc/base_config.yaml

@@ -11,10 +11,9 @@ private_key_path: private.key
 noise:
   private_key_path: noise_private.key
 listen_addr: 0.0.0.0:8443
-server_url: https://localhost:8443
+server_url: https://headscale-oidc:8443
 tls_cert_path: "/etc/headscale/tls/server.crt"
 tls_key_path: "/etc/headscale/tls/server.key"
-tls_client_auth_mode: disabled
 derp:
   urls:
     - https://controlplane.tailscale.com/derpmap/default

machine.go

@@ -332,6 +332,15 @@ func (h *Headscale) ListMachines() ([]Machine, error) {
 	return machines, nil
 }
 
+func (h *Headscale) ListMachinesByGivenName(givenName string) ([]Machine, error) {
+	machines := []Machine{}
+	if err := h.db.Preload("AuthKey").Preload("AuthKey.Namespace").Preload("Namespace").Find(&machines).Where("given_name = ?", givenName).Error; err != nil {
+		return nil, err
+	}
+
+	return machines, nil
+}
+
 // GetMachine finds a Machine by name and namespace and returns the Machine struct.
 func (h *Headscale) GetMachine(namespace string, name string) (*Machine, error) {
 	machines, err := h.ListMachinesInNamespace(namespace)
@@ -348,6 +357,22 @@ func (h *Headscale) GetMachine(namespace string, name string) (*Machine, error)
 	return nil, ErrMachineNotFound
 }
 
+// GetMachineByGivenName finds a Machine by given name and namespace and returns the Machine struct.
+func (h *Headscale) GetMachineByGivenName(namespace string, givenName string) (*Machine, error) {
+	machines, err := h.ListMachinesInNamespace(namespace)
+	if err != nil {
+		return nil, err
+	}
+
+	for _, m := range machines {
+		if m.GivenName == givenName {
+			return &m, nil
+		}
+	}
+
+	return nil, ErrMachineNotFound
+}
+
 // GetMachineByID finds a Machine by ID and returns the Machine struct.
 func (h *Headscale) GetMachineByID(id uint64) (*Machine, error) {
 	m := Machine{}
@@ -719,7 +744,11 @@ func (machine Machine) toNode(
 
 		KeepAlive:         true,
 		MachineAuthorized: !machine.isExpired(),
-		Capabilities:      []string{tailcfg.CapabilityFileSharing},
+		Capabilities: []string{
+			tailcfg.CapabilityFileSharing,
+			tailcfg.CapabilityAdmin,
+			tailcfg.CapabilitySSH,
+		},
 	}
 
 	return &node, nil
@@ -814,7 +843,13 @@ func (h *Headscale) RegisterMachineFromAuthCallback(
 	namespaceName string,
 	registrationMethod string,
 ) (*Machine, error) {
-	if machineInterface, ok := h.registrationCache.Get(nodeKeyStr); ok {
+	nodeKey := key.NodePublic{}
+	err := nodeKey.UnmarshalText([]byte(nodeKeyStr))
+	if err != nil {
+		return nil, err
+	}
+
+	if machineInterface, ok := h.registrationCache.Get(NodePublicKeyStripPrefix(nodeKey)); ok {
 		if registrationMachine, ok := machineInterface.(Machine); ok {
 			namespace, err := h.GetNamespace(namespaceName)
 			if err != nil {
@@ -1018,11 +1053,7 @@ func (machine *Machine) RoutesToProto() *v1.Routes {
 	}
 }
 
-func (h *Headscale) GenerateGivenName(suppliedName string) (string, error) {
-	// If a hostname is or will be longer than 63 chars after adding the hash,
-	// it needs to be trimmed.
-	trimmedHostnameLength := labelHostnameLength - MachineGivenNameHashLength - MachineGivenNameTrimSize
-
+func (h *Headscale) generateGivenName(suppliedName string, randomSuffix bool) (string, error) {
 	normalizedHostname, err := NormalizeToFQDNRules(
 		suppliedName,
 		h.cfg.OIDC.StripEmaildomain,
@@ -1031,18 +1062,46 @@ func (h *Headscale) GenerateGivenName(suppliedName string) (string, error) {
 		return "", err
 	}
 
-	postfix, err := GenerateRandomStringDNSSafe(MachineGivenNameHashLength)
-	if err != nil {
-		return "", err
-	}
+	if randomSuffix {
+		// Trim if a hostname will be longer than 63 chars after adding the hash.
+		trimmedHostnameLength := labelHostnameLength - MachineGivenNameHashLength - MachineGivenNameTrimSize
+		if len(normalizedHostname) > trimmedHostnameLength {
+			normalizedHostname = normalizedHostname[:trimmedHostnameLength]
+		}
 
-	// Verify that that the new unique name is shorter than the maximum allowed
-	// DNS segment.
-	if len(normalizedHostname) <= trimmedHostnameLength {
-		normalizedHostname = fmt.Sprintf("%s-%s", normalizedHostname, postfix)
-	} else {
-		normalizedHostname = fmt.Sprintf("%s-%s", normalizedHostname[:trimmedHostnameLength], postfix)
+		suffix, err := GenerateRandomStringDNSSafe(MachineGivenNameHashLength)
+		if err != nil {
+			return "", err
+		}
+
+		normalizedHostname += "-" + suffix
 	}
 
 	return normalizedHostname, nil
 }
+
+func (h *Headscale) GenerateGivenName(machineKey string, suppliedName string) (string, error) {
+	givenName, err := h.generateGivenName(suppliedName, false)
+	if err != nil {
+		return "", err
+	}
+
+	// Tailscale rules (may differ) https://tailscale.com/kb/1098/machine-names/
+	machines, err := h.ListMachinesByGivenName(givenName)
+	if err != nil {
+		return "", err
+	}
+
+	for _, machine := range machines {
+		if machine.MachineKey != machineKey && machine.GivenName == givenName {
+			postfixedName, err := h.generateGivenName(suppliedName, true)
+			if err != nil {
+				return "", err
+			}
+
+			givenName = postfixedName
+		}
+	}
+
+	return givenName, nil
+}

machine_test.go

@@ -4,8 +4,8 @@ import (
 	"fmt"
 	"net/netip"
 	"reflect"
+	"regexp"
 	"strconv"
-	"strings"
 	"testing"
 	"time"
 
@@ -346,6 +346,50 @@ func (s *Suite) TestSerdeAddressStrignSlice(c *check.C) {
 	}
 }
 
+func (s *Suite) TestGenerateGivenName(c *check.C) {
+	namespace1, err := app.CreateNamespace("namespace-1")
+	c.Assert(err, check.IsNil)
+
+	pak, err := app.CreatePreAuthKey(namespace1.Name, false, false, nil, nil)
+	c.Assert(err, check.IsNil)
+
+	_, err = app.GetMachine("namespace-1", "testmachine")
+	c.Assert(err, check.NotNil)
+
+	machine := &Machine{
+		ID:             0,
+		MachineKey:     "machine-key-1",
+		NodeKey:        "node-key-1",
+		DiscoKey:       "disco-key-1",
+		Hostname:       "hostname-1",
+		GivenName:      "hostname-1",
+		NamespaceID:    namespace1.ID,
+		RegisterMethod: RegisterMethodAuthKey,
+		AuthKeyID:      uint(pak.ID),
+	}
+	app.db.Save(machine)
+
+	givenName, err := app.GenerateGivenName("machine-key-2", "hostname-2")
+	comment := check.Commentf("Same namespace, unique machines, unique hostnames, no conflict")
+	c.Assert(err, check.IsNil, comment)
+	c.Assert(givenName, check.Equals, "hostname-2", comment)
+
+	givenName, err = app.GenerateGivenName("machine-key-1", "hostname-1")
+	comment = check.Commentf("Same namespace, same machine, same hostname, no conflict")
+	c.Assert(err, check.IsNil, comment)
+	c.Assert(givenName, check.Equals, "hostname-1", comment)
+
+	givenName, err = app.GenerateGivenName("machine-key-2", "hostname-1")
+	comment = check.Commentf("Same namespace, unique machines, same hostname, conflict")
+	c.Assert(err, check.IsNil, comment)
+	c.Assert(givenName, check.Matches, fmt.Sprintf("^hostname-1-[a-z0-9]{%d}$", MachineGivenNameHashLength), comment)
+
+	givenName, err = app.GenerateGivenName("machine-key-2", "hostname-1")
+	comment = check.Commentf("Unique namespaces, unique machines, same hostname, conflict")
+	c.Assert(err, check.IsNil, comment)
+	c.Assert(givenName, check.Matches, fmt.Sprintf("^hostname-1-[a-z0-9]{%d}$", MachineGivenNameHashLength), comment)
+}
+
 func (s *Suite) TestSetTags(c *check.C) {
 	namespace, err := app.CreateNamespace("test")
 	c.Assert(err, check.IsNil)
@@ -917,15 +961,16 @@ func Test_getFilteredByACLPeers(t *testing.T) {
 	}
 }
 
-func TestHeadscale_GenerateGivenName(t *testing.T) {
+func TestHeadscale_generateGivenName(t *testing.T) {
 	type args struct {
 		suppliedName string
+		randomSuffix bool
 	}
 	tests := []struct {
 		name    string
 		h       *Headscale
 		args    args
-		want    string
+		want    *regexp.Regexp
 		wantErr bool
 	}{
 		{
@@ -939,8 +984,9 @@ func TestHeadscale_GenerateGivenName(t *testing.T) {
 			},
 			args: args{
 				suppliedName: "testmachine",
+				randomSuffix: false,
 			},
-			want:    "testmachine",
+			want:    regexp.MustCompile("^testmachine$"),
 			wantErr: false,
 		},
 		{
@@ -954,23 +1000,9 @@ func TestHeadscale_GenerateGivenName(t *testing.T) {
 			},
 			args: args{
 				suppliedName: "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine",
+				randomSuffix: false,
 			},
-			want:    "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine",
-			wantErr: false,
-		},
-		{
-			name: "machine name with 60 chars",
-			h: &Headscale{
-				cfg: &Config{
-					OIDC: OIDCConfig{
-						StripEmaildomain: true,
-					},
-				},
-			},
-			args: args{
-				suppliedName: "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine1234567",
-			},
-			want:    "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine",
+			want:    regexp.MustCompile("^testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine$"),
 			wantErr: false,
 		},
 		{
@@ -983,9 +1015,10 @@ func TestHeadscale_GenerateGivenName(t *testing.T) {
 				},
 			},
 			args: args{
-				suppliedName: "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine1234567890",
+				suppliedName: "machineeee12345678901234567890123456789012345678901234567890123",
+				randomSuffix: false,
 			},
-			want:    "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+			want:    regexp.MustCompile("^machineeee12345678901234567890123456789012345678901234567890123$"),
 			wantErr: false,
 		},
 		{
@@ -998,10 +1031,11 @@ func TestHeadscale_GenerateGivenName(t *testing.T) {
 				},
 			},
 			args: args{
-				suppliedName: "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine1234567891",
+				suppliedName: "machineeee123456789012345678901234567890123456789012345678901234",
+				randomSuffix: false,
 			},
-			want:    "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
-			wantErr: false,
+			want:    nil,
+			wantErr: true,
 		},
 		{
 			name: "machine name with 73 chars",
@@ -1013,15 +1047,48 @@ func TestHeadscale_GenerateGivenName(t *testing.T) {
 				},
 			},
 			args: args{
-				suppliedName: "testmaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaachine12345678901234567890",
+				suppliedName: "machineeee123456789012345678901234567890123456789012345678901234567890123",
+				randomSuffix: false,
 			},
-			want:    "",
+			want:    nil,
 			wantErr: true,
 		},
+		{
+			name: "machine name with random suffix",
+			h: &Headscale{
+				cfg: &Config{
+					OIDC: OIDCConfig{
+						StripEmaildomain: true,
+					},
+				},
+			},
+			args: args{
+				suppliedName: "test",
+				randomSuffix: true,
+			},
+			want:    regexp.MustCompile(fmt.Sprintf("^test-[a-z0-9]{%d}$", MachineGivenNameHashLength)),
+			wantErr: false,
+		},
+		{
+			name: "machine name with 63 chars with random suffix",
+			h: &Headscale{
+				cfg: &Config{
+					OIDC: OIDCConfig{
+						StripEmaildomain: true,
+					},
+				},
+			},
+			args: args{
+				suppliedName: "machineeee12345678901234567890123456789012345678901234567890123",
+				randomSuffix: true,
+			},
+			want:    regexp.MustCompile(fmt.Sprintf("^machineeee1234567890123456789012345678901234567890123-[a-z0-9]{%d}$", MachineGivenNameHashLength)),
+			wantErr: false,
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			got, err := tt.h.GenerateGivenName(tt.args.suppliedName)
+			got, err := tt.h.generateGivenName(tt.args.suppliedName, tt.args.randomSuffix)
 			if (err != nil) != tt.wantErr {
 				t.Errorf(
 					"Headscale.GenerateGivenName() error = %v, wantErr %v",
@@ -1032,9 +1099,9 @@ func TestHeadscale_GenerateGivenName(t *testing.T) {
 				return
 			}
 
-			if tt.want != "" && strings.Contains(tt.want, got) {
+			if tt.want != nil && !tt.want.MatchString(got) {
 				t.Errorf(
-					"Headscale.GenerateGivenName() = %v, is not a substring of %v",
+					"Headscale.GenerateGivenName() = %v, does not match %v",
 					tt.want,
 					got,
 				)
@@ -1065,7 +1132,8 @@ func (s *Suite) TestAutoApproveRoutes(c *check.C) {
 
 	defaultRoute := netip.MustParsePrefix("0.0.0.0/0")
 	route1 := netip.MustParsePrefix("10.10.0.0/16")
-	route2 := netip.MustParsePrefix("10.11.0.0/16")
+	// Check if a subprefix of an autoapproved route is approved
+	route2 := netip.MustParsePrefix("10.11.0.0/24")
 
 	machine := Machine{
 		ID:             0,

namespaces.go

@@ -148,21 +148,6 @@ func (h *Headscale) ListNamespaces() ([]Namespace, error) {
 	return namespaces, nil
 }
 
-func (h *Headscale) ListNamespacesStr() ([]string, error) {
-	namespaces, err := h.ListNamespaces()
-	if err != nil {
-		return []string{}, err
-	}
-
-	namespaceStrs := make([]string, len(namespaces))
-
-	for index, namespace := range namespaces {
-		namespaceStrs[index] = namespace.Name
-	}
-
-	return namespaceStrs, nil
-}
-
 // ListMachinesInNamespace gets all the nodes in a given namespace.
 func (h *Headscale) ListMachinesInNamespace(name string) ([]Machine, error) {
 	err := CheckForFQDNRules(name)
@@ -226,7 +211,10 @@ func (n *Namespace) toLogin() *tailcfg.Login {
 	return &login
 }
 
-func getMapResponseUserProfiles(machine Machine, peers Machines) []tailcfg.UserProfile {
+func (h *Headscale) getMapResponseUserProfiles(
+	machine Machine,
+	peers Machines,
+) []tailcfg.UserProfile {
 	namespaceMap := make(map[string]Namespace)
 	namespaceMap[machine.Namespace.Name] = machine.Namespace
 	for _, peer := range peers {
@@ -235,11 +223,17 @@ func getMapResponseUserProfiles(machine Machine, peers Machines) []tailcfg.UserP
 
 	profiles := []tailcfg.UserProfile{}
 	for _, namespace := range namespaceMap {
+		displayName := namespace.Name
+
+		if h.cfg.BaseDomain != "" {
+			displayName = fmt.Sprintf("%s@%s", namespace.Name, h.cfg.BaseDomain)
+		}
+
 		profiles = append(profiles,
 			tailcfg.UserProfile{
 				ID:          tailcfg.UserID(namespace.ID),
 				LoginName:   namespace.Name,
-				DisplayName: namespace.Name,
+				DisplayName: displayName,
 			})
 	}
 

namespaces_test.go

@@ -209,7 +209,7 @@ func (s *Suite) TestGetMapResponseUserProfiles(c *check.C) {
 	peersOfMachine1InShared1, err := app.getPeers(machineInShared1)
 	c.Assert(err, check.IsNil)
 
-	userProfiles := getMapResponseUserProfiles(
+	userProfiles := app.getMapResponseUserProfiles(
 		*machineInShared1,
 		peersOfMachine1InShared1,
 	)

oidc.go

@@ -76,19 +76,54 @@ func (h *Headscale) RegisterOIDC(
 ) {
 	vars := mux.Vars(req)
 	nodeKeyStr, ok := vars["nkey"]
-	if !ok || nodeKeyStr == "" {
-		log.Error().
-			Caller().
-			Msg("Missing node key in URL")
-		http.Error(writer, "Missing node key in URL", http.StatusBadRequest)
+
+	log.Debug().
+		Caller().
+		Str("node_key", nodeKeyStr).
+		Bool("ok", ok).
+		Msg("Received oidc register call")
+
+	if !NodePublicKeyRegex.Match([]byte(nodeKeyStr)) {
+		log.Warn().Str("node_key", nodeKeyStr).Msg("Invalid node key passed to registration url")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusUnauthorized)
+		_, err := writer.Write([]byte("Unauthorized"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
 
 		return
 	}
 
-	log.Trace().
-		Caller().
-		Str("node_key", nodeKeyStr).
-		Msg("Received oidc register call")
+	// We need to make sure we dont open for XSS style injections, if the parameter that
+	// is passed as a key is not parsable/validated as a NodePublic key, then fail to render
+	// the template and log an error.
+	var nodeKey key.NodePublic
+	err := nodeKey.UnmarshalText(
+		[]byte(NodePublicKeyEnsurePrefix(nodeKeyStr)),
+	)
+
+	if !ok || nodeKeyStr == "" || err != nil {
+		log.Warn().
+			Err(err).
+			Msg("Failed to parse incoming nodekey in OIDC registration")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("Wrong params"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return
+	}
 
 	randomBlob := make([]byte, randomByteSize)
 	if _, err := rand.Read(randomBlob); err != nil {
@@ -103,7 +138,7 @@ func (h *Headscale) RegisterOIDC(
 	stateStr := hex.EncodeToString(randomBlob)[:32]
 
 	// place the node key into the state cache, so it can be retrieved later
-	h.registrationCache.Set(stateStr, nodeKeyStr, registerCacheExpiration)
+	h.registrationCache.Set(stateStr, NodePublicKeyStripPrefix(nodeKey), registerCacheExpiration)
 
 	// Add any extra parameter provided in the configuration to the Authorize Endpoint request
 	extras := make([]oauth2.AuthCodeOption, 0, len(h.cfg.OIDC.ExtraParams))
@@ -405,8 +440,8 @@ func (h *Headscale) validateMachineForOIDCCallback(
 	claims *IDTokenClaims,
 ) (*key.NodePublic, bool, error) {
 	// retrieve machinekey from state cache
-	machineKeyIf, machineKeyFound := h.registrationCache.Get(state)
-	if !machineKeyFound {
+	nodeKeyIf, nodeKeyFound := h.registrationCache.Get(state)
+	if !nodeKeyFound {
 		log.Error().
 			Msg("requested machine state key expired before authorisation completed")
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
@@ -419,20 +454,38 @@ func (h *Headscale) validateMachineForOIDCCallback(
 				Msg("Failed to write response")
 		}
 
-		return nil, false, errOIDCInvalidMachineState
+		return nil, false, errOIDCNodeKeyMissing
 	}
 
 	var nodeKey key.NodePublic
-	nodeKeyFromCache, nodeKeyOK := machineKeyIf.(string)
+	nodeKeyFromCache, nodeKeyOK := nodeKeyIf.(string)
+	if !nodeKeyOK {
+		log.Error().
+			Msg("requested machine state key is not a string")
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusBadRequest)
+		_, err := writer.Write([]byte("state is invalid"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+
+		return nil, false, errOIDCInvalidMachineState
+	}
+
 	err := nodeKey.UnmarshalText(
 		[]byte(NodePublicKeyEnsurePrefix(nodeKeyFromCache)),
 	)
 	if err != nil {
 		log.Error().
+			Str("nodeKey", nodeKeyFromCache).
+			Bool("nodeKeyOK", nodeKeyOK).
 			Msg("could not parse node public key")
 		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
 		writer.WriteHeader(http.StatusBadRequest)
-		_, werr := writer.Write([]byte("could not parse public key"))
+		_, werr := writer.Write([]byte("could not parse node public key"))
 		if werr != nil {
 			log.Error().
 				Caller().
@@ -443,21 +496,6 @@ func (h *Headscale) validateMachineForOIDCCallback(
 		return nil, false, err
 	}
 
-	if !nodeKeyOK {
-		log.Error().Msg("could not get node key from cache")
-		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		writer.WriteHeader(http.StatusInternalServerError)
-		_, err := writer.Write([]byte("could not get node key from cache"))
-		if err != nil {
-			log.Error().
-				Caller().
-				Err(err).
-				Msg("Failed to write response")
-		}
-
-		return nil, false, errOIDCNodeKeyMissing
-	}
-
 	// retrieve machine information if it exist
 	// The error is not important, because if it does not
 	// exist, then this is a new machine and we will move
@@ -604,10 +642,8 @@ func (h *Headscale) registerMachineForOIDCCallback(
 	namespace *Namespace,
 	nodeKey *key.NodePublic,
 ) error {
-	nodeKeyStr := NodePublicKeyStripPrefix(*nodeKey)
-
 	if _, err := h.RegisterMachineFromAuthCallback(
-		nodeKeyStr,
+		nodeKey.String(),
 		namespace.Name,
 		RegisterMethodOIDC,
 	); err != nil {

platform_config.go

@@ -2,6 +2,7 @@ package headscale
 
 import (
 	"bytes"
+	_ "embed"
 	"html/template"
 	"net/http"
 	textTemplate "text/template"
@@ -11,51 +12,18 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
+//go:embed templates/apple.html
+var appleTemplate string
+
+//go:embed templates/windows.html
+var windowsTemplate string
+
 // WindowsConfigMessage shows a simple message in the browser for how to configure the Windows Tailscale client.
 func (h *Headscale) WindowsConfigMessage(
 	writer http.ResponseWriter,
 	req *http.Request,
 ) {
-	winTemplate := template.Must(template.New("windows").Parse(`
-<html>
-	<body>
-		<h1>headscale</h1>
-		<h2>Windows registry configuration</h2>
-		<p>
-		    This page provides Windows registry information for the official Windows Tailscale client.
-		<p>
-		<p>
-		    The registry file will configure Tailscale to use <code>{{.URL}}</code> as its control server.
-		<p>
-		<h3>Caution</h3>
-		<p>You should always download and inspect the registry file before installing it:</p>
-		<pre><code>curl {{.URL}}/windows/tailscale.reg</code></pre>
-
-		<h2>Installation</h2>
-		<p>Headscale can be set to the default server by running the registry file:</p>
-
-		<p>
-		    <a href="/windows/tailscale.reg" download="tailscale.reg">Windows registry file</a>
-		</p>
-
-		<ol>
-			<li>Download the registry file, then run it</li>
-			<li>Follow the prompts</li>
-			<li>Install and run the official windows Tailscale client</li>
-			<li>When the installation has finished, start Tailscale, and log in by clicking the icon in the system tray</li>
-		</ol>
-		<p>Or</p>
-		<p>Open command prompt with Administrator rights. Issue the following commands to add the required registry entries:</p>
-		<pre>
-<code>REG ADD "HKLM\Software\Tailscale IPN" /v UnattendedMode /t REG_SZ /d always
-REG ADD "HKLM\Software\Tailscale IPN" /v LoginURL /t REG_SZ /d "{{.URL}}"</code></pre>
-		<p>
-		    Restart Tailscale and log in.
-		<p>
-	</body>
-</html>
-`))
-
+	winTemplate := template.Must(template.New("windows").Parse(windowsTemplate))
 	config := map[string]interface{}{
 		"URL": h.cfg.ServerURL,
 	}
@@ -136,55 +104,7 @@ func (h *Headscale) AppleConfigMessage(
 	writer http.ResponseWriter,
 	req *http.Request,
 ) {
-	appleTemplate := template.Must(template.New("apple").Parse(`
-<html>
-	<body>
-		<h1>headscale</h1>
-		<h2>Apple configuration profiles</h2>
-		<p>
-		    This page provides <a href="https://support.apple.com/guide/mdm/mdm-overview-mdmbf9e668/web">configuration profiles</a> for the official Tailscale clients for <a href="https://apps.apple.com/us/app/tailscale/id1470499037?ls=1">iOS</a> and <a href="https://apps.apple.com/ca/app/tailscale/id1475387142?mt=12">macOS</a>.
-		</p>
-		<p>
-		    The profiles will configure Tailscale.app to use <code>{{.URL}}</code> as its control server.
-		</p>
-
-		<h3>Caution</h3>
-		<p>You should always download and inspect the profile before installing it:</p>
-		<!--
-		<pre><code>curl {{.URL}}/apple/ios</code></pre>
-		-->
-		<pre><code>curl {{.URL}}/apple/macos</code></pre>
-
-		<h2>Profiles</h2>
-
-		<!--
-		<h3>iOS</h3>
-		<p>
-		    <a href="/apple/ios" download="headscale_ios.mobileconfig">iOS profile</a>
-		</p>
-		-->
-
-		<h3>macOS</h3>
-		<p>Headscale can be set to the default server by installing a Headscale configuration profile:</p>
-		<p>
-		    <a href="/apple/macos" download="headscale_macos.mobileconfig">macOS profile</a>
-		</p>
-
-		<ol>
-		<li>Download the profile, then open it. When it has been opened, there should be a notification that a profile can be installed</li>
-		<li>Open System Preferences and go to "Profiles"</li>
-		<li>Find and install the Headscale profile</li>
-		<li>Restart Tailscale.app and log in</li>
-		</ol>
-
-		<p>Or</p>
-		<p>Use your terminal to configure the default setting for Tailscale by issuing:</p>
-		<code>defaults write io.tailscale.ipn.macos ControlURL {{.URL}}</code>
-
-		<p>Restart Tailscale.app and log in.</p>
-
-	</body>
-</html>`))
+	appleTemplate := template.Must(template.New("apple").Parse(appleTemplate))
 
 	config := map[string]interface{}{
 		"URL": h.cfg.ServerURL,
@@ -282,24 +202,33 @@ func (h *Headscale) ApplePlatformConfig(
 	}
 
 	var payload bytes.Buffer
+	handleMacError := func(ierr error) {
+		log.Error().
+			Str("handler", "ApplePlatformConfig").
+			Err(ierr).
+			Msg("Could not render Apple macOS template")
+
+		writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		writer.WriteHeader(http.StatusInternalServerError)
+		_, err := writer.Write([]byte("Could not render Apple macOS template"))
+		if err != nil {
+			log.Error().
+				Caller().
+				Err(err).
+				Msg("Failed to write response")
+		}
+	}
 
 	switch platform {
-	case "macos":
-		if err := macosTemplate.Execute(&payload, platformConfig); err != nil {
-			log.Error().
-				Str("handler", "ApplePlatformConfig").
-				Err(err).
-				Msg("Could not render Apple macOS template")
+	case "macos-standalone":
+		if err := macosStandaloneTemplate.Execute(&payload, platformConfig); err != nil {
+			handleMacError(err)
 
-			writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
-			writer.WriteHeader(http.StatusInternalServerError)
-			_, err := writer.Write([]byte("Could not render Apple macOS template"))
-			if err != nil {
-				log.Error().
-					Caller().
-					Err(err).
-					Msg("Failed to write response")
-			}
+			return
+		}
+	case "macos-app-store":
+		if err := macosAppStoreTemplate.Execute(&payload, platformConfig); err != nil {
+			handleMacError(err)
 
 			return
 		}
@@ -444,7 +373,7 @@ var iosTemplate = textTemplate.Must(textTemplate.New("iosTemplate").Parse(`
     </dict>
 `))
 
-var macosTemplate = template.Must(template.New("macosTemplate").Parse(`
+var macosAppStoreTemplate = template.Must(template.New("macosTemplate").Parse(`
     <dict>
         <key>PayloadType</key>
         <string>io.tailscale.ipn.macos</string>
@@ -456,7 +385,23 @@ var macosTemplate = template.Must(template.New("macosTemplate").Parse(`
         <integer>1</integer>
         <key>PayloadEnabled</key>
         <true/>
-
+        <key>ControlURL</key>
+        <string>{{.URL}}</string>
+    </dict>
+`))
+
+var macosStandaloneTemplate = template.Must(template.New("macosStandaloneTemplate").Parse(`
+    <dict>
+        <key>PayloadType</key>
+        <string>io.tailscale.ipn.macsys</string>
+        <key>PayloadUUID</key>
+        <string>{{.UUID}}</string>
+        <key>PayloadIdentifier</key>
+        <string>com.github.juanfont.headscale</string>
+        <key>PayloadVersion</key>
+        <integer>1</integer>
+        <key>PayloadEnabled</key>
+        <true/>
         <key>ControlURL</key>
         <string>{{.URL}}</string>
     </dict>

protocol_common.go

@@ -150,7 +150,10 @@ func (h *Headscale) handleRegisterCommon(
 			Bool("noise", machineKey.IsZero()).
 			Msg("New machine not yet in the database")
 
-		givenName, err := h.GenerateGivenName(registerRequest.Hostinfo.Hostname)
+		givenName, err := h.GenerateGivenName(
+			machineKey.String(),
+			registerRequest.Hostinfo.Hostname,
+		)
 		if err != nil {
 			log.Error().
 				Caller().
@@ -374,7 +377,7 @@ func (h *Headscale) handleAuthKeyCommon(
 	} else {
 		now := time.Now().UTC()
 
-		givenName, err := h.GenerateGivenName(registerRequest.Hostinfo.Hostname)
+		givenName, err := h.GenerateGivenName(MachinePublicKeyStripPrefix(machineKey), registerRequest.Hostinfo.Hostname)
 		if err != nil {
 			log.Error().
 				Caller().
@@ -432,6 +435,10 @@ func (h *Headscale) handleAuthKeyCommon(
 
 	resp.MachineAuthorized = true
 	resp.User = *pak.Namespace.toUser()
+	// Provide LoginName when registering with pre-auth key
+	// Otherwise it will need to exec `tailscale up` twice to fetch the *LoginName*
+	resp.Login = *pak.Namespace.toLogin()
+
 	respBody, err := h.marshalResponse(resp, machineKey)
 	if err != nil {
 		log.Error().
@@ -483,16 +490,17 @@ func (h *Headscale) handleNewMachineCommon(
 		Bool("noise", machineKey.IsZero()).
 		Str("machine", registerRequest.Hostinfo.Hostname).
 		Msg("The node seems to be new, sending auth url")
+
 	if h.oauth2Config != nil {
 		resp.AuthURL = fmt.Sprintf(
 			"%s/oidc/register/%s",
 			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			NodePublicKeyStripPrefix(registerRequest.NodeKey),
+			registerRequest.NodeKey,
 		)
 	} else {
 		resp.AuthURL = fmt.Sprintf("%s/register/%s",
 			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			NodePublicKeyStripPrefix(registerRequest.NodeKey))
+			registerRequest.NodeKey)
 	}
 
 	respBody, err := h.marshalResponse(resp, machineKey)
@@ -521,6 +529,7 @@ func (h *Headscale) handleNewMachineCommon(
 	log.Info().
 		Caller().
 		Bool("noise", machineKey.IsZero()).
+		Str("AuthURL", resp.AuthURL).
 		Str("machine", registerRequest.Hostinfo.Hostname).
 		Msg("Successfully sent auth url")
 }
@@ -719,11 +728,11 @@ func (h *Headscale) handleMachineExpiredCommon(
 	if h.oauth2Config != nil {
 		resp.AuthURL = fmt.Sprintf("%s/oidc/register/%s",
 			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			NodePublicKeyStripPrefix(registerRequest.NodeKey))
+			registerRequest.NodeKey)
 	} else {
 		resp.AuthURL = fmt.Sprintf("%s/register/%s",
 			strings.TrimSuffix(h.cfg.ServerURL, "/"),
-			NodePublicKeyStripPrefix(registerRequest.NodeKey))
+			registerRequest.NodeKey)
 	}
 
 	respBody, err := h.marshalResponse(resp, machineKey)

protocol_common_poll.go

@@ -449,9 +449,9 @@ func (h *Headscale) pollNetMapStream(
 					Bool("noise", isNoise).
 					Str("machine", machine.Hostname).
 					Time("last_successful_update", lastUpdate).
-					Time("last_state_change", h.getLastStateChange(machine.Namespace.Name)).
+					Time("last_state_change", h.getLastStateChange(machine.Namespace)).
 					Msgf("There has been updates since the last successful update to %s", machine.Hostname)
-				data, err := h.getMapResponseData(mapRequest, machine, false)
+				data, err := h.getMapResponseData(mapRequest, machine, isNoise)
 				if err != nil {
 					log.Error().
 						Str("handler", "PollNetMapStream").
@@ -549,7 +549,7 @@ func (h *Headscale) pollNetMapStream(
 					Bool("noise", isNoise).
 					Str("machine", machine.Hostname).
 					Time("last_successful_update", lastUpdate).
-					Time("last_state_change", h.getLastStateChange(machine.Namespace.Name)).
+					Time("last_state_change", h.getLastStateChange(machine.Namespace)).
 					Msgf("%s is up to date", machine.Hostname)
 			}
 
@@ -622,7 +622,7 @@ func (h *Headscale) scheduledPollWorker(
 	defer closeChanWithLog(
 		keepAliveChan,
 		fmt.Sprint(ctx.Value(machineNameContextKey)),
-		"updateChan",
+		"keepAliveChan",
 	)
 
 	for {

protocol_legacy.go

@@ -1,3 +1,5 @@
+//go:build ts2019
+
 package headscale
 
 import (

protocol_legacy_poll.go

@@ -1,3 +1,5 @@
+//go:build ts2019
+
 package headscale
 
 import (

templates/apple.html

@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Document</title>
+  </head>
+
+  <body>
+    <h1>headscale</h1>
+    <h2>Apple configuration profiles</h2>
+    <p>
+      This page provides
+      <a href="https://support.apple.com/guide/mdm/mdm-overview-mdmbf9e668/web">
+        configuration profiles
+      </a>
+      for the official Tailscale clients for
+    </p>
+    <ul>
+      <li>
+        <a href="https://apps.apple.com/us/app/tailscale/id1470499037?ls=1"
+          >iOS</a
+        >
+      </li>
+      <li>
+        <a href="https://apps.apple.com/ca/app/tailscale/id1475387142?mt=12"
+          >macOS - AppStore Client</a
+        >.
+      </li>
+      <li>
+        <a href="https://pkgs.tailscale.com/stable/#macos"
+          >macOS - Standalone Client</a
+        >.
+      </li>
+    </ul>
+    <p>
+      The profiles will configure Tailscale.app to use <code>{{.URL}}</code> as
+      its control server.
+    </p>
+
+    <h3>Caution</h3>
+    <p>
+      You should always download and inspect the profile before installing it:
+    </p>
+    <!--
+		<pre><code>curl {{.URL}}/apple/ios</code></pre>
+		-->
+    <pre><code>curl {{.URL}}/apple/macos</code></pre>
+
+    <h2>Profiles</h2>
+
+    <!--
+		<h3>iOS</h3>
+		<p>
+		    <a href="/apple/ios" download="headscale_ios.mobileconfig">iOS profile</a>
+		</p>
+		-->
+
+    <h3>macOS</h3>
+    <p>
+      Headscale can be set to the default server by installing a Headscale
+      configuration profile:
+    </p>
+    <p>
+      <a href="/apple/macos-app-store" download="headscale_macos.mobileconfig"
+        >macOS AppStore profile</a
+      >
+      <a href="/apple/macos-standalone" download="headscale_macos.mobileconfig"
+        >macOS Standalone profile</a
+      >
+    </p>
+
+    <ol>
+      <li>
+        Download the profile, then open it. When it has been opened, there
+        should be a notification that a profile can be installed
+      </li>
+      <li>Open System Preferences and go to "Profiles"</li>
+      <li>Find and install the Headscale profile</li>
+      <li>Restart Tailscale.app and log in</li>
+    </ol>
+
+    <p>Or</p>
+    <p>
+      Use your terminal to configure the default setting for Tailscale by
+      issuing:
+    </p>
+    <ul>
+      <li>
+        for app store client:
+        <code>defaults write io.tailscale.ipn.macos ControlURL {{.URL}}</code>
+      </li>
+      <li>
+        for standalone client:
+        <code>defaults write io.tailscale.ipn.macsys ControlURL {{.URL}}</code>
+      </li>
+    </ul>
+
+    <p>Restart Tailscale.app and log in.</p>
+  </body>
+</html>

templates/windows.html

@@ -0,0 +1,64 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
+    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <title>Document</title>
+  </head>
+
+  <body>
+    <h1>headscale</h1>
+    <h2>Windows registry configuration</h2>
+    <p>
+      This page provides Windows registry information for the official Windows
+      Tailscale client.
+    </p>
+
+    <p></p>
+    <p>
+      The registry file will configure Tailscale to use <code>{{.URL}}</code> as
+      its control server.
+    </p>
+
+    <p></p>
+    <h3>Caution</h3>
+    <p>
+      You should always download and inspect the registry file before installing
+      it:
+    </p>
+    <pre><code>curl {{.URL}}/windows/tailscale.reg</code></pre>
+
+    <h2>Installation</h2>
+    <p>
+      Headscale can be set to the default server by running the registry file:
+    </p>
+
+    <p>
+      <a href="/windows/tailscale.reg" download="tailscale.reg"
+        >Windows registry file</a
+      >
+    </p>
+
+    <ol>
+      <li>Download the registry file, then run it</li>
+      <li>Follow the prompts</li>
+      <li>Install and run the official windows Tailscale client</li>
+      <li>
+        When the installation has finished, start Tailscale, and log in by
+        clicking the icon in the system tray
+      </li>
+    </ol>
+    <p>Or</p>
+    <p>
+      Open command prompt with Administrator rights. Issue the following
+      commands to add the required registry entries:
+    </p>
+    <pre>
+<code>REG ADD "HKLM\Software\Tailscale IPN" /v UnattendedMode /t REG_SZ /d always
+REG ADD "HKLM\Software\Tailscale IPN" /v LoginURL /t REG_SZ /d "{{.URL}}"</code></pre>
+    <p>Restart Tailscale and log in.</p>
+
+    <p></p>
+  </body>
+</html>

utils.go

@@ -17,6 +17,7 @@ import (
 	"os"
 	"path/filepath"
 	"reflect"
+	"regexp"
 	"strconv"
 	"strings"
 
@@ -64,6 +65,8 @@ const (
 	ZstdCompression = "zstd"
 )
 
+var NodePublicKeyRegex = regexp.MustCompile("nodekey:[a-fA-F0-9]+")
+
 func MachinePublicKeyStripPrefix(machineKey key.MachinePublic) string {
 	return strings.TrimPrefix(machineKey.String(), machinePublicHexPrefix)
 }
@@ -325,7 +328,9 @@ func GenerateRandomStringDNSSafe(size int) (string, error) {
 		if err != nil {
 			return "", err
 		}
-		str = strings.ToLower(strings.ReplaceAll(strings.ReplaceAll(str, "_", ""), "-", ""))
+		str = strings.ToLower(
+			strings.ReplaceAll(strings.ReplaceAll(str, "_", ""), "-", ""),
+		)
 	}
 
 	return str[:size], nil
@@ -342,7 +347,7 @@ func IsStringInSlice(slice []string, str string) bool {
 }
 
 func AbsolutePathFromConfigPath(path string) string {
-	// If a relative path is provided, prefix it with the the directory where
+	// If a relative path is provided, prefix it with the directory where
 	// the config file was found.
 	if (path != "") && !strings.HasPrefix(path, string(os.PathSeparator)) {
 		dir, _ := filepath.Split(viper.ConfigFileUsed())