Clean apt

Added changelog for 0.22.3
Add ca-certificates to Dockerfile
2025-08-25 06:27:27 +00:00 · 2023-05-12 10:09:36 +02:00 · 2023-05-12 10:09:36 +02:00 · 2023-05-12 09:24:55 +02:00 · 2023-05-10 20:47:51 +02:00 · 2023-05-10 20:47:51 +02:00
169 changed files with 5119 additions and 4685 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -6,19 +6,24 @@ labels: ["bug"]
 assignees: ""
 ---

-<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the bug report in this language. -->
+<!--
+Before posting a bug report, discuss the behaviour you are expecting with the Discord community
+to make sure that it is truly a bug.
+The issue tracker is not the place to ask for support or how to set up Headscale.

-**Bug description**
+Bug reports without the sufficient information will be closed.
+
+Headscale is a multinational community across the globe. Our language is English.
+All bug reports needs to be in English.
+-->
+
+## Bug description

 <!-- A clear and concise description of what the bug is. Describe the expected bahavior
  and how it is currently different. If you are unsure if it is a bug, consider discussing
  it on our Discord server first. -->

-**To Reproduce**
-
-<!-- Steps to reproduce the behavior. -->
-
-**Context info**
+## Environment

 <!-- Please add relevant information about your system. For example:
 - Version of headscale used
@@ -28,3 +33,20 @@ assignees: ""
 - The relevant config parameters you used
 - Log output
 -->
+
+- OS:
+- Headscale version:
+- Tailscale version:
+
+<!--
+We do not support running Headscale in a container nor behind a (reverse) proxy.
+If either of these are true for your environment, ask the community in Discord
+instead of filing a bug report.
+-->
+
+- [ ] Headscale is behind a (reverse) proxy
+- [ ] Headscale runs in a container
+
+## To Reproduce
+
+<!-- Steps to reproduce the behavior. -->
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -6,12 +6,21 @@ labels: ["enhancement"]
 assignees: ""
 ---

-<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the feature request in this language. -->
+<!--
+We typically have a clear roadmap for what we want to improve and reserve the right
+to close feature requests that does not fit in the roadmap, or fit with the scope
+of the project, or we actually want to implement ourselves.

-**Feature request**
+Headscale is a multinational community across the globe. Our language is English.
+All bug reports needs to be in English.
+-->

-<!-- A clear and precise description of what new or changed feature you want. -->
+## Why

-<!-- Please include the reason, why you would need the feature. E.g. what problem
+<!-- Include the reason, why you would need the feature. E.g. what problem
  does it solve? Or which workflow is currently frustrating and will be improved by
  this? -->
+
+## Description
+
+<!-- A clear and precise description of what new or changed feature you want. -->
--- a/.github/ISSUE_TEMPLATE/other_issue.md
+++ b/.github/ISSUE_TEMPLATE/other_issue.md
@@ -1,30 +0,0 @@
---
-name: "Other issue"
-about: "Report a different issue"
-title: ""
-labels: ["bug"]
-assignees: ""
---
-
-<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the issue in this language. -->
-
-<!-- If you have a question, please consider using our Discord for asking questions -->
-
-**Issue description**
-
-<!-- Please add your issue description. -->
-
-**To Reproduce**
-
-<!-- Steps to reproduce the behavior. -->
-
-**Context info**
-
-<!-- Please add relevant information about your system. For example:
- Version of headscale used
- Version of tailscale client
- OS (e.g. Linux, Mac, Cygwin, WSL, etc.) and version
- Kernel version
- The relevant config parameters you used
- Log output
-->
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,3 +1,15 @@
+<!--
+Headscale is "Open Source, acknowledged contribution", this means that any
+contribution will have to be discussed with the Maintainers before being submitted.
+
+This model has been chosen to reduce the risk of burnout by limiting the
+maintenance overhead of reviewing and validating third-party code.
+
+Headscale is open to code contributions for bug fixes without discussion.
+
+If you find mistakes in the documentation, please submit a fix to the documentation.
+-->
+
 <!-- Please tick if the following things apply. You… -->

 - [ ] read the [CONTRIBUTING guidelines](README.md#contributing)
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -6,31 +6,27 @@
  "onboarding": false,
  "extends": ["config:base", ":rebaseStalePrs"],
  "ignorePresets": [":prHourlyLimit2"],
-  "enabledManagers": ["dockerfile", "gomod", "github-actions","regex" ],
+  "enabledManagers": ["dockerfile", "gomod", "github-actions", "regex"],
  "includeForks": true,
  "repositories": ["juanfont/headscale"],
  "platform": "github",
  "packageRules": [
    {
-        "matchDatasources": ["go"],
-        "groupName": "Go modules",
-        "groupSlug": "gomod",
-        "separateMajorMinor": false
+      "matchDatasources": ["go"],
+      "groupName": "Go modules",
+      "groupSlug": "gomod",
+      "separateMajorMinor": false
    },
    {
-        "matchDatasources": ["docker"],
-        "groupName": "Dockerfiles",
-        "groupSlug": "dockerfiles"
-    } 
+      "matchDatasources": ["docker"],
+      "groupName": "Dockerfiles",
+      "groupSlug": "dockerfiles"
+    }
  ],
  "regexManagers": [
    {
-      "fileMatch": [
-          ".github/workflows/.*.yml$"
-      ],
-      "matchStrings": [
-        "\\s*go-version:\\s*\"?(?<currentValue>.*?)\"?\\n"
-      ],
+      "fileMatch": [".github/workflows/.*.yml$"],
+      "matchStrings": ["\\s*go-version:\\s*\"?(?<currentValue>.*?)\"?\\n"],
      "datasourceTemplate": "golang-version",
      "depNameTemplate": "actions/go-version"
    }
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,6 +19,6 @@ jobs:
      - uses: cachix/install-nix-action@v16

      - name: Run goreleaser
-        run: nix develop --command -- goreleaser release --rm-dist
+        run: nix develop --command -- goreleaser release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/test-integration-cli.yml
+++ b/.github/workflows/test-integration-cli.yml
@@ -1,35 +0,0 @@
-name: Integration Test CLI
-
-on: [pull_request]
-
-jobs:
-  integration-test-cli:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - name: Set Swap Space
-        uses: pierotofy/set-swap-space@master
-        with:
-          swap-size-gb: 10
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run CLI integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: nix develop --command -- make test_integration_cli
--- a/.github/workflows/test-integration-derp.yml
+++ b/.github/workflows/test-integration-derp.yml
@@ -1,35 +0,0 @@
-name: Integration Test DERP
-
-on: [pull_request]
-
-jobs:
-  integration-test-derp:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - name: Set Swap Space
-        uses: pierotofy/set-swap-space@master
-        with:
-          swap-size-gb: 10
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v16
-        if: steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run Embedded DERP server integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: nix develop --command -- make test_integration_derp
--- a/.github/workflows/test-integration-v2-TestACLAllowStarDst.yaml
+++ b/.github/workflows/test-integration-v2-TestACLAllowStarDst.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLAllowUser80Dst.yaml
+++ b/.github/workflows/test-integration-v2-TestACLAllowUser80Dst.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLAllowUserDst.yaml
+++ b/.github/workflows/test-integration-v2-TestACLAllowUserDst.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLDenyAllPort80.yaml
+++ b/.github/workflows/test-integration-v2-TestACLDenyAllPort80.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLDevice1CanAccessDevice2.yaml
+++ b/.github/workflows/test-integration-v2-TestACLDevice1CanAccessDevice2.yaml
@@ -0,0 +1,63 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestACLDevice1CanAccessDevice2
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestACLDevice1CanAccessDevice2$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLHostsInNetMapTable.yaml
+++ b/.github/workflows/test-integration-v2-TestACLHostsInNetMapTable.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLNamedHostsCanReach.yaml
+++ b/.github/workflows/test-integration-v2-TestACLNamedHostsCanReach.yaml
@@ -0,0 +1,63 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestACLNamedHostsCanReach
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestACLNamedHostsCanReach$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLNamedHostsCanReachBySubnet.yaml
+++ b/.github/workflows/test-integration-v2-TestACLNamedHostsCanReachBySubnet.yaml
@@ -0,0 +1,63 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestACLNamedHostsCanReachBySubnet
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestACLNamedHostsCanReachBySubnet$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestCreateTailscale.yaml
+++ b/.github/workflows/test-integration-v2-TestCreateTailscale.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestDERPServerScenario.yaml
+++ b/.github/workflows/test-integration-v2-TestDERPServerScenario.yaml
@@ -0,0 +1,63 @@
+# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
+# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
+
+name: Integration Test v2 - TestDERPServerScenario
+
+on: [pull_request]
+
+concurrency:
+  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v18
+        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run general integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: |
+            nix develop --command -- docker run \
+              --tty --rm \
+              --volume ~/.cache/hs-integration-go:/go \
+              --name headscale-test-suite \
+              --volume $PWD:$PWD -w $PWD/integration \
+              --volume /var/run/docker.sock:/var/run/docker.sock \
+              --volume $PWD/control_logs:/tmp/control \
+              golang:1 \
+                go run gotest.tools/gotestsum@latest -- ./... \
+                  -tags ts2019 \
+                  -failfast \
+                  -timeout 120m \
+                  -parallel 1 \
+                  -run "^TestDERPServerScenario$"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: logs
+          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestEnablingRoutes.yaml
+++ b/.github/workflows/test-integration-v2-TestEnablingRoutes.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestEphemeral.yaml
+++ b/.github/workflows/test-integration-v2-TestEphemeral.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestExpireNode.yaml
+++ b/.github/workflows/test-integration-v2-TestExpireNode.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestHeadscale.yaml
+++ b/.github/workflows/test-integration-v2-TestHeadscale.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml
+++ b/.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml
+++ b/.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPingAllByHostname.yaml
+++ b/.github/workflows/test-integration-v2-TestPingAllByHostname.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPingAllByIP.yaml
+++ b/.github/workflows/test-integration-v2-TestPingAllByIP.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml
+++ b/.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml
+++ b/.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestTaildrop.yaml
+++ b/.github/workflows/test-integration-v2-TestTaildrop.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml
+++ b/.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestUserCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestUserCommand.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,3 +55,9 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
+ignored/
+
 # Binaries for programs and plugins
 *.exe
 *.exe~
@@ -12,7 +14,7 @@
 *.out

 # Dependency directories (remove the comment below to include it)
-# vendor/
+vendor/

 dist/
 /headscale
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -2,6 +2,7 @@
 before:
  hooks:
    - go mod tidy -compat=1.20
+    - go mod vendor

 release:
  prerelease: auto
@@ -31,19 +32,16 @@ builds:

 archives:
  - id: golang-cross
-    builds:
-      - darwin-amd64
-      - darwin-arm64
-      - freebsd-amd64
-      - linux-386
-      - linux-amd64
-      - linux-arm64
-      - linux-arm-5
-      - linux-arm-6
-      - linux-arm-7
-    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
    format: binary

+source:
+  enabled: true
+  name_template: "{{ .ProjectName }}_{{ .Version }}"
+  format: tar.gz
+  files:
+    - "vendor/"
+
 nfpms:
  # Configure nFPM for .deb and .rpm releases
  #
@@ -65,7 +63,7 @@ nfpms:
    bindir: /usr/bin
    formats:
      - deb
-      - rpm
+      # - rpm
    contents:
      - src: ./config-example.yaml
        dst: /etc/headscale/config.yaml
@@ -73,7 +71,7 @@ nfpms:
        file_info:
          mode: 0644
      - src: ./docs/packaging/headscale.systemd.service
-        dst: /etc/systemd/system/headscale.service
+        dst: /usr/lib/systemd/system/headscale.service
      - dst: /var/lib/headscale
        type: dir
      - dst: /var/run/headscale
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,12 +1,46 @@
 # CHANGELOG

-## 0.22.0 (2023-XX-XX)
+## 0.23.0 (2023-XX-XX)
+
+### BREAKING
+
+- Code reorganisation, a lot of code has moved, please review the following PRs accordingly [#1444](https://github.com/juanfont/headscale/pull/1444)

 ### Changes

- Add `.deb` and `.rpm` packages to release process [#1297](https://github.com/juanfont/headscale/pull/1297)
+## 0.22.3 (2023-05-12)
+
+### Changes
+
+- Added missing ca-certificates in Docker image [#1463](https://github.com/juanfont/headscale/pull/1463)
+
+## 0.22.2 (2023-05-10)
+
+### Changes
+
+- Add environment flags to enable pprof (profiling) [#1382](https://github.com/juanfont/headscale/pull/1382)
+  - Profiles are continously generated in our integration tests.
+- Fix systemd service file location in `.deb` packages [#1391](https://github.com/juanfont/headscale/pull/1391)
+- Improvements on Noise implementation [#1379](https://github.com/juanfont/headscale/pull/1379)
+- Replace node filter logic, ensuring nodes with access can see eachother [#1381](https://github.com/juanfont/headscale/pull/1381)
+- Disable (or delete) both exit routes at the same time [#1428](https://github.com/juanfont/headscale/pull/1428)
+- Ditch distroless for Docker image, create default socket dir in `/var/run/headscale` [#1450](https://github.com/juanfont/headscale/pull/1450)
+
+## 0.22.1 (2023-04-20)
+
+### Changes
+
+- Fix issue where systemd could not bind to port 80 [#1365](https://github.com/juanfont/headscale/pull/1365)
+
+## 0.22.0 (2023-04-20)
+
+### Changes
+
+- Add `.deb` packages to release process [#1297](https://github.com/juanfont/headscale/pull/1297)
+- Update and simplify the documentation to use new `.deb` packages [#1349](https://github.com/juanfont/headscale/pull/1349)
 - Add 32-bit Arm platforms to release process [#1297](https://github.com/juanfont/headscale/pull/1297)
 - Fix longstanding bug that would prevent "\*" from working properly in ACLs (issue [#699](https://github.com/juanfont/headscale/issues/699)) [#1279](https://github.com/juanfont/headscale/pull/1279)
+- Fix issue where IPv6 could not be used in, or while using ACLs (part of [#809](https://github.com/juanfont/headscale/issues/809)) [#1339](https://github.com/juanfont/headscale/pull/1339)
 - Target Go 1.20 and Tailscale 1.38 for Headscale [#1323](https://github.com/juanfont/headscale/pull/1323)

 ## 0.21.0 (2023-03-20)
--- a/9
+++ b/9
@@ -14,10 +14,17 @@ RUN strip /go/bin/headscale
 RUN test -e /go/bin/headscale

 # Production image
-FROM gcr.io/distroless/base-debian11
+FROM docker.io/debian:bullseye-slim
+
+RUN apt-get update \
+    && apt-get install -y ca-certificates \
+    && rm -rf /var/lib/apt/lists/* \
+    && apt-get clean

 COPY --from=build /go/bin/headscale /bin/headscale
 ENV TZ UTC

+RUN mkdir -p /var/run/headscale
+
 EXPOSE 8080/tcp
 CMD ["headscale"]
--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@@ -18,6 +18,8 @@ FROM docker.io/golang:1.20.0-bullseye
 COPY --from=build /go/bin/headscale /bin/headscale
 ENV TZ UTC

+RUN mkdir -p /var/run/headscale
+
 # Need to reset the entrypoint or everything will run as a busybox script
 ENTRYPOINT []
 EXPOSE 8080/tcp
--- a/Dockerfile.tailscale
+++ b/Dockerfile.tailscale
@@ -1,19 +1,16 @@
-FROM ubuntu:latest
+FROM ubuntu:22.04

 ARG TAILSCALE_VERSION=*
 ARG TAILSCALE_CHANNEL=stable

 RUN apt-get update \
-    && apt-get install -y gnupg curl ssh \
-    && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.gpg | apt-key add - \
+    && apt-get install -y gnupg curl ssh dnsutils ca-certificates \
+    && adduser --shell=/bin/bash ssh-it-user
+
+# Tailscale is deliberately split into a second stage so we can cash utils as a seperate layer.
+RUN curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.gpg | apt-key add - \
    && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.list | tee /etc/apt/sources.list.d/tailscale.list \
    && apt-get update \
-    && apt-get install -y ca-certificates tailscale=${TAILSCALE_VERSION} dnsutils \
+    && apt-get install -y tailscale=${TAILSCALE_VERSION} \
+    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
-
-RUN adduser --shell=/bin/bash ssh-it-user
-
-ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
-RUN chmod 644 /usr/local/share/ca-certificates/server.crt
-
-RUN update-ca-certificates
--- a/Dockerfile.tailscale-HEAD
+++ b/Dockerfile.tailscale-HEAD
@@ -1,7 +1,7 @@
 FROM golang:latest

 RUN apt-get update \
-    && apt-get install -y ca-certificates dnsutils git iptables ssh \
+    && apt-get install -y dnsutils git iptables ssh ca-certificates \
    && rm -rf /var/lib/apt/lists/*

 RUN useradd --shell=/bin/bash --create-home ssh-it-user
@@ -10,15 +10,8 @@ RUN git clone https://github.com/tailscale/tailscale.git

 WORKDIR /go/tailscale

-RUN git checkout main
-
-RUN sh build_dist.sh tailscale.com/cmd/tailscale
-RUN sh build_dist.sh tailscale.com/cmd/tailscaled
-
-RUN cp tailscale /usr/local/bin/
-RUN cp tailscaled /usr/local/bin/
-
-ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
-RUN chmod 644 /usr/local/share/ca-certificates/server.crt
-
-RUN update-ca-certificates
+RUN git checkout main \
+    && sh build_dist.sh tailscale.com/cmd/tailscale \
+    && sh build_dist.sh tailscale.com/cmd/tailscaled \
+    && cp tailscale /usr/local/bin/ \
+    && cp tailscaled /usr/local/bin/
--- a/43
+++ b/43
@@ -24,31 +24,9 @@ build:
 dev: lint test build

 test:
-	@go test $(TAGS) -short -coverprofile=coverage.out ./...
+	gotestsum -- $(TAGS) -short -coverprofile=coverage.out ./...

-test_integration: test_integration_cli test_integration_derp test_integration_v2_general
-
-test_integration_cli:
-	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
-	docker network create headscale-test || true
-	docker run -t --rm \
-		--network headscale-test \
-		-v ~/.cache/hs-integration-go:/go \
-		-v $$PWD:$$PWD -w $$PWD \
-		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
-		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationCLI ./...
-
-test_integration_derp:
-	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
-	docker network create headscale-test || true
-	docker run -t --rm \
-		--network headscale-test \
-		-v ~/.cache/hs-integration-go:/go \
-		-v $$PWD:$$PWD -w $$PWD \
-		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
-		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationDERP ./...
-
-test_integration_v2_general:
+test_integration:
 	docker run \
 		-t --rm \
 		-v ~/.cache/hs-integration-go:/go \
@@ -56,13 +34,7 @@ test_integration_v2_general:
 		-v $$PWD:$$PWD -w $$PWD/integration \
 		-v /var/run/docker.sock:/var/run/docker.sock \
 		golang:1 \
-		go test $(TAGS) -failfast ./... -timeout 120m -parallel 8
-
-coverprofile_func:
-	go tool cover -func=coverage.out
-
-coverprofile_html:
-	go tool cover -html=coverage.out
+		go run gotest.tools/gotestsum@latest -- $(TAGS) -failfast ./... -timeout 120m -parallel 8

 lint:
 	golangci-lint run --fix --timeout 10m
@@ -80,11 +52,4 @@ compress: build

 generate:
 	rm -rf gen
-	go run github.com/bufbuild/buf/cmd/buf generate proto
-
-install-protobuf-plugins:
-	go install \
-		github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway \
-		github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2 \
-		google.golang.org/protobuf/cmd/protoc-gen-go \
-		google.golang.org/grpc/cmd/protoc-gen-go-grpc
+	buf generate proto
--- a/README.md
+++ b/README.md
@@ -32,22 +32,18 @@ organisation.

 ## Design goal

-`headscale` aims to implement a self-hosted, open source alternative to the Tailscale
-control server. `headscale` has a narrower scope and an instance of `headscale`
-implements a _single_ Tailnet, which is typically what a single organisation, or
-home/personal setup would use.
+Headscale aims to implement a self-hosted, open source alternative to the Tailscale
+control server.
+Headscale's goal is to provide self-hosters and hobbyists with an open-source
+server they can use for their projects and labs.
+It implements a narrow scope, a single Tailnet, suitable for a personal use, or a small
+open-source organisation.

-`headscale` uses terms that maps to Tailscale's control server, consult the
-[glossary](./docs/glossary.md) for explainations.
-
-## Support
+## Supporting Headscale

 If you like `headscale` and find it useful, there is a sponsorship and donation
 buttons available in the repo.

-If you would like to sponsor features, bugs or prioritisation, reach out to
-one of the maintainers.
-
 ## Features

 - Full "base" support of Tailscale's features
@@ -79,16 +75,10 @@ one of the maintainers.

 ## Running headscale

-Please have a look at the documentation under [`docs/`](docs/).
+**Please note that we do not support nor encourage the use of reverse proxies
+and container to run Headscale.**

-## Graphical Control Panels
-
-Headscale provides an API for complete management of your Tailnet.
-These are community projects not directly affiliated with the Headscale project.
-
-| Name            | Repository Link                                      | Description                                            | Status |
-| --------------- | ---------------------------------------------------- | ------------------------------------------------------ | ------ |
-| headscale-webui | [Github](https://github.com/ifargle/headscale-webui) | A simple Headscale web UI for small-scale deployments. | Alpha  |
+Please have a look at the [`documentation`](https://headscale.net/).

 ## Talks

@@ -97,11 +87,23 @@ These are community projects not directly affiliated with the Headscale project.

 ## Disclaimer

-1. We have nothing to do with Tailscale, or Tailscale Inc.
+1. This project is not associated with Tailscale Inc.
 2. The purpose of Headscale is maintaining a working, self-hosted Tailscale control panel.

 ## Contributing

+Headscale is "Open Source, acknowledged contribution", this means that any
+contribution will have to be discussed with the Maintainers before being submitted.
+
+This model has been chosen to reduce the risk of burnout by limiting the
+maintenance overhead of reviewing and validating third-party code.
+
+Headscale is open to code contributions for bug fixes without discussion.
+
+If you find mistakes in the documentation, please submit a fix to the documentation.
+
+### Requirements
+
 To contribute to headscale you would need the lastest version of [Go](https://golang.org)
 and [Buf](https://buf.build)(Protobuf generator).

@@ -109,8 +111,6 @@ We recommend using [Nix](https://nixos.org/) to setup a development environment.
 be done with `nix develop`, which will install the tools and give you a shell.
 This guarantees that you will have the same dev env as `headscale` maintainers.

-PRs and suggestions are welcome.
-
 ### Code style

 To ensure we have some consistency with a growing number of contributions,
--- a/cmd/build-docker-img/main.go
+++ b/cmd/build-docker-img/main.go
@@ -0,0 +1,47 @@
+package main
+
+import (
+	"log"
+
+	"github.com/juanfont/headscale/integration"
+	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/ory/dockertest/v3"
+)
+
+func main() {
+	log.Printf("creating docker pool")
+	pool, err := dockertest.NewPool("")
+	if err != nil {
+		log.Fatalf("could not connect to docker: %s", err)
+	}
+
+	log.Printf("creating docker network")
+	network, err := pool.CreateNetwork("docker-integration-net")
+	if err != nil {
+		log.Fatalf("failed to create or get network: %s", err)
+	}
+
+	for _, version := range integration.TailscaleVersions {
+		log.Printf("creating container image for Tailscale (%s)", version)
+
+		tsClient, err := tsic.New(
+			pool,
+			version,
+			network,
+		)
+		if err != nil {
+			log.Fatalf("failed to create tailscale node: %s", err)
+		}
+
+		err = tsClient.Shutdown()
+		if err != nil {
+			log.Fatalf("failed to shut down container: %s", err)
+		}
+	}
+
+	network.Close()
+	err = pool.RemoveNetwork(network)
+	if err != nil {
+		log.Fatalf("failed to remove network: %s", err)
+	}
+}
--- a/cmd/gh-action-integration-generator/main.go
+++ b/cmd/gh-action-integration-generator/main.go
@@ -64,7 +64,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go test ./... \
+                go run gotest.tools/gotestsum@latest -- ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -76,6 +76,12 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
+
+      - uses: actions/upload-artifact@v3
+        if: always() && steps.changed-files.outputs.any_changed == 'true'
+        with:
+          name: pprof
+          path: "control_logs/*.pprof.tar"
 `),
 	)
 )
--- a/cmd/headscale/cli/api_key.go
+++ b/cmd/headscale/cli/api_key.go
@@ -5,8 +5,8 @@ import (
 	"strconv"
 	"time"

-	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol"
 	"github.com/prometheus/common/model"
 	"github.com/pterm/pterm"
 	"github.com/rs/zerolog/log"
@@ -83,7 +83,7 @@ var listAPIKeys = &cobra.Command{
 			}

 			tableData = append(tableData, []string{
-				strconv.FormatUint(key.GetId(), headscale.Base10),
+				strconv.FormatUint(key.GetId(), hscontrol.Base10),
 				key.GetPrefix(),
 				expiration,
 				key.GetCreatedAt().AsTime().Format(HeadscaleDateTimeFormat),
--- a/cmd/headscale/cli/debug.go
+++ b/cmd/headscale/cli/debug.go
@@ -3,8 +3,8 @@ package cli
 import (
 	"fmt"

-	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -93,7 +93,7 @@ var createNodeCmd = &cobra.Command{

 			return
 		}
-		if !headscale.NodePublicKeyRegex.Match([]byte(machineKey)) {
+		if !hscontrol.NodePublicKeyRegex.Match([]byte(machineKey)) {
 			err = errPreAuthKeyMalformed
 			ErrorOutput(
 				err,
--- a/cmd/headscale/cli/nodes.go
+++ b/cmd/headscale/cli/nodes.go
@@ -9,8 +9,8 @@ import (
 	"time"

 	survey "github.com/AlecAivazis/survey/v2"
-	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol"
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -529,7 +529,7 @@ func nodesToPtables(

 		var machineKey key.MachinePublic
 		err := machineKey.UnmarshalText(
-			[]byte(headscale.MachinePublicKeyEnsurePrefix(machine.MachineKey)),
+			[]byte(hscontrol.MachinePublicKeyEnsurePrefix(machine.MachineKey)),
 		)
 		if err != nil {
 			machineKey = key.MachinePublic{}
@@ -537,7 +537,7 @@ func nodesToPtables(

 		var nodeKey key.NodePublic
 		err = nodeKey.UnmarshalText(
-			[]byte(headscale.NodePublicKeyEnsurePrefix(machine.NodeKey)),
+			[]byte(hscontrol.NodePublicKeyEnsurePrefix(machine.NodeKey)),
 		)
 		if err != nil {
 			return nil, err
@@ -596,7 +596,7 @@ func nodesToPtables(
 		}

 		nodeData := []string{
-			strconv.FormatUint(machine.Id, headscale.Base10),
+			strconv.FormatUint(machine.Id, hscontrol.Base10),
 			machine.Name,
 			machine.GetGivenName(),
 			machineKey.ShortString(),
--- a/cmd/headscale/cli/root.go
+++ b/cmd/headscale/cli/root.go
@@ -5,7 +5,7 @@ import (
 	"os"
 	"runtime"

-	"github.com/juanfont/headscale"
+	"github.com/juanfont/headscale/hscontrol"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
@@ -38,18 +38,18 @@ func initConfig() {
 		cfgFile = os.Getenv("HEADSCALE_CONFIG")
 	}
 	if cfgFile != "" {
-		err := headscale.LoadConfig(cfgFile, true)
+		err := hscontrol.LoadConfig(cfgFile, true)
 		if err != nil {
 			log.Fatal().Caller().Err(err).Msgf("Error loading config file %s", cfgFile)
 		}
 	} else {
-		err := headscale.LoadConfig("", false)
+		err := hscontrol.LoadConfig("", false)
 		if err != nil {
 			log.Fatal().Caller().Err(err).Msgf("Error loading config")
 		}
 	}

-	cfg, err := headscale.GetHeadscaleConfig()
+	cfg, err := hscontrol.GetHeadscaleConfig()
 	if err != nil {
 		log.Fatal().Caller().Err(err)
 	}
@@ -64,7 +64,7 @@ func initConfig() {
 		zerolog.SetGlobalLevel(zerolog.Disabled)
 	}

-	if cfg.Log.Format == headscale.JSONLogFormat {
+	if cfg.Log.Format == hscontrol.JSONLogFormat {
 		log.Logger = log.Output(os.Stdout)
 	}

--- a/cmd/headscale/cli/routes.go
+++ b/cmd/headscale/cli/routes.go
@@ -6,8 +6,8 @@ import (
 	"net/netip"
 	"strconv"

-	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol"
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -277,7 +277,7 @@ func routesToPtables(routes []*v1.Route) pterm.TableData {

 			continue
 		}
-		if prefix == headscale.ExitRouteV4 || prefix == headscale.ExitRouteV6 {
+		if prefix == hscontrol.ExitRouteV4 || prefix == hscontrol.ExitRouteV6 {
 			isPrimaryStr = "-"
 		} else {
 			isPrimaryStr = strconv.FormatBool(route.IsPrimary)
--- a/cmd/headscale/cli/users.go
+++ b/cmd/headscale/cli/users.go
@@ -4,8 +4,8 @@ import (
 	"fmt"

 	survey "github.com/AlecAivazis/survey/v2"
-	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol"
 	"github.com/pterm/pterm"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
@@ -21,7 +21,7 @@ func init() {
 }

 const (
-	errMissingParameter = headscale.Error("missing parameters")
+	errMissingParameter = hscontrol.Error("missing parameters")
 )

 var userCmd = &cobra.Command{
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@@ -8,8 +8,8 @@ import (
 	"os"
 	"reflect"

-	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol"
 	"github.com/rs/zerolog/log"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
@@ -22,8 +22,8 @@ const (
 	SocketWritePermissions  = 0o666
 )

-func getHeadscaleApp() (*headscale.Headscale, error) {
-	cfg, err := headscale.GetHeadscaleConfig()
+func getHeadscaleApp() (*hscontrol.Headscale, error) {
+	cfg, err := hscontrol.GetHeadscaleConfig()
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to load configuration while creating headscale instance: %w",
@@ -31,7 +31,7 @@ func getHeadscaleApp() (*headscale.Headscale, error) {
 		)
 	}

-	app, err := headscale.NewHeadscale(cfg)
+	app, err := hscontrol.NewHeadscale(cfg)
 	if err != nil {
 		return nil, err
 	}
@@ -39,8 +39,8 @@ func getHeadscaleApp() (*headscale.Headscale, error) {
 	// We are doing this here, as in the future could be cool to have it also hot-reload

 	if cfg.ACL.PolicyPath != "" {
-		aclPath := headscale.AbsolutePathFromConfigPath(cfg.ACL.PolicyPath)
-		err = app.LoadACLPolicy(aclPath)
+		aclPath := hscontrol.AbsolutePathFromConfigPath(cfg.ACL.PolicyPath)
+		err = app.LoadACLPolicyFromPath(aclPath)
 		if err != nil {
 			log.Fatal().
 				Str("path", aclPath).
@@ -53,7 +53,7 @@ func getHeadscaleApp() (*headscale.Headscale, error) {
 }

 func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.ClientConn, context.CancelFunc) {
-	cfg, err := headscale.GetHeadscaleConfig()
+	cfg, err := hscontrol.GetHeadscaleConfig()
 	if err != nil {
 		log.Fatal().
 			Err(err).
@@ -74,7 +74,7 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.

 	address := cfg.CLI.Address

-	// If the address is not set, we assume that we are on the server hosting headscale.
+	// If the address is not set, we assume that we are on the server hosting hscontrol.
 	if address == "" {
 		log.Debug().
 			Str("socket", cfg.UnixSocket).
@@ -98,7 +98,7 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 		grpcOptions = append(
 			grpcOptions,
 			grpc.WithTransportCredentials(insecure.NewCredentials()),
-			grpc.WithContextDialer(headscale.GrpcSocketDialer),
+			grpc.WithContextDialer(hscontrol.GrpcSocketDialer),
 		)
 	} else {
 		// If we are not connecting to a local server, require an API key for authentication
--- a/cmd/headscale/headscale.go
+++ b/cmd/headscale/headscale.go
@@ -6,11 +6,25 @@ import (

 	"github.com/efekarakus/termcolor"
 	"github.com/juanfont/headscale/cmd/headscale/cli"
+	"github.com/pkg/profile"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 )

 func main() {
+	if _, enableProfile := os.LookupEnv("HEADSCALE_PROFILING_ENABLED"); enableProfile {
+		if profilePath, ok := os.LookupEnv("HEADSCALE_PROFILING_PATH"); ok {
+			err := os.MkdirAll(profilePath, os.ModePerm)
+			if err != nil {
+				log.Fatal().Err(err).Msg("failed to create profiling directory")
+			}
+
+			defer profile.Start(profile.ProfilePath(profilePath)).Stop()
+		} else {
+			defer profile.Start().Stop()
+		}
+	}
+
 	var colors bool
 	switch l := termcolor.SupportLevel(os.Stderr); l {
 	case termcolor.Level16M:
--- a/cmd/headscale/headscale_test.go
+++ b/cmd/headscale/headscale_test.go
@@ -7,7 +7,7 @@ import (
 	"strings"
 	"testing"

-	"github.com/juanfont/headscale"
+	"github.com/juanfont/headscale/hscontrol"
 	"github.com/spf13/viper"
 	"gopkg.in/check.v1"
 )
@@ -50,7 +50,7 @@ func (*Suite) TestConfigFileLoading(c *check.C) {
 	}

 	// Load example config, it should load without validation errors
-	err = headscale.LoadConfig(cfgFile, true)
+	err = hscontrol.LoadConfig(cfgFile, true)
 	c.Assert(err, check.IsNil)

 	// Test that config file was interpreted correctly
@@ -64,7 +64,7 @@ func (*Suite) TestConfigFileLoading(c *check.C) {
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
 	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
 	c.Assert(
-		headscale.GetFileMode("unix_socket_permission"),
+		hscontrol.GetFileMode("unix_socket_permission"),
 		check.Equals,
 		fs.FileMode(0o770),
 	)
@@ -93,7 +93,7 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	}

 	// Load example config, it should load without validation errors
-	err = headscale.LoadConfig(tmpDir, false)
+	err = hscontrol.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)

 	// Test that config file was interpreted correctly
@@ -107,7 +107,7 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
 	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
 	c.Assert(
-		headscale.GetFileMode("unix_socket_permission"),
+		hscontrol.GetFileMode("unix_socket_permission"),
 		check.Equals,
 		fs.FileMode(0o770),
 	)
@@ -137,10 +137,10 @@ func (*Suite) TestDNSConfigLoading(c *check.C) {
 	}

 	// Load example config, it should load without validation errors
-	err = headscale.LoadConfig(tmpDir, false)
+	err = hscontrol.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)

-	dnsConfig, baseDomain := headscale.GetDNSConfig()
+	dnsConfig, baseDomain := hscontrol.GetDNSConfig()

 	c.Assert(dnsConfig.Nameservers[0].String(), check.Equals, "1.1.1.1")
 	c.Assert(dnsConfig.Resolvers[0].Addr, check.Equals, "1.1.1.1")
@@ -172,7 +172,7 @@ noise:
 	writeConfig(c, tmpDir, configYaml)

 	// Check configuration validation errors (1)
-	err = headscale.LoadConfig(tmpDir, false)
+	err = hscontrol.LoadConfig(tmpDir, false)
 	c.Assert(err, check.NotNil)
 	// check.Matches can not handle multiline strings
 	tmp := strings.ReplaceAll(err.Error(), "\n", "***")
@@ -201,6 +201,6 @@ tls_letsencrypt_hostname: example.com
 tls_letsencrypt_challenge_type: TLS-ALPN-01
 `)
 	writeConfig(c, tmpDir, configYaml)
-	err = headscale.LoadConfig(tmpDir, false)
+	err = hscontrol.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)
 }
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -58,11 +58,12 @@ noise:
 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
 # and the associated prefix length, delimited by a slash.
-# While this looks like it can take arbitrary values, it
-# needs to be within IP ranges supported by the Tailscale
-# client.
+# It must be within IP ranges supported by the Tailscale
+# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
+# See below:
 # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
+# Any other range is NOT supported, and it will cause unexpected issues.
 ip_prefixes:
  - fd7a:115c:a1e0::/48
  - 100.64.0.0/10
--- a/docs/exit-node.md
+++ b/docs/exit-node.md
@@ -14,6 +14,8 @@ If the node is already registered, it can advertise exit capabilities like this:
 $ sudo tailscale set --advertise-exit-node
 ```

+To use a node as an exit node, IP forwarding must be enabled on the node. Check the official [Tailscale documentation](https://tailscale.com/kb/1019/subnets/?tab=linux#enable-ip-forwarding) for how to enable IP fowarding.
+
 ## On the control server

 ```console
--- a/docs/faq.md
+++ b/docs/faq.md
@@ -0,0 +1,53 @@
+---
+hide:
+  - navigation
+---
+
+# Frequently Asked Questions
+
+## What is the design goal of headscale?
+
+`headscale` aims to implement a self-hosted, open source alternative to the [Tailscale](https://tailscale.com/)
+control server.
+`headscale`'s goal is to provide self-hosters and hobbyists with an open-source
+server they can use for their projects and labs.
+It implements a narrow scope, a _single_ Tailnet, suitable for a personal use, or a small
+open-source organisation.
+
+## How can I contribute?
+
+Headscale is "Open Source, acknowledged contribution", this means that any
+contribution will have to be discussed with the Maintainers before being submitted.
+
+Headscale is open to code contributions for bug fixes without discussion.
+
+If you find mistakes in the documentation, please also submit a fix to the documentation.
+
+## Why is 'acknowledged contribution' the chosen model?
+
+Both maintainers have full-time jobs and families, and we want to avoid burnout. We also want to avoid frustration from contributors when their PRs are not accepted.
+
+We are more than happy to exchange emails, or to have dedicated calls before a PR is submitted.
+
+## When/Why is Feature X going to be implemented?
+
+We don't know. We might be working on it. If you want to help, please send us a PR.
+
+Please be aware that there are a number of reasons why we might not accept specific contributions:
+
+- It is not possible to implement the feature in a way that makes sense in a self-hosted environment.
+- Given that we are reverse-engineering Tailscale to satify our own curiosity, we might be interested in implementing the feature ourselves.
+- You are not sending unit and integration tests with it.
+
+## Do you support Y method of deploying Headscale?
+
+We currently support deploying `headscale` using our binaries and the DEB packages. Both can be found in the
+[GitHub releases page](https://github.com/juanfont/headscale/releases).
+
+In addition to that, there are semi-official RPM packages by the Fedora infra team https://copr.fedorainfracloud.org/coprs/jonathanspw/headscale/
+
+For convenience, we also build Docker images with `headscale`. But **please be aware that we don't officially support deploying `headscale` using Docker**. We have a [Discord channel](https://discord.com/channels/896711691637780480/1070619770942148618) where you can ask for Docker-specific help to the community.
+
+## Why is my reverse proxy not working with Headscale?
+
+We don't know. We don't use reverse proxies with `headscale` ourselves, so we don't have any experience with them. We have [community documentation](https://headscale.net/reverse-proxy/) on how to configure various reverse proxies, and a dedicated [Discord channel](https://discord.com/channels/896711691637780480/1070619818346164324) where you can ask for help to the community.
--- a/docs/index.md
+++ b/docs/index.md
@@ -4,9 +4,40 @@ hide:
  - toc
 ---

-# headscale documentation
+# headscale

-This site contains the official and community contributed documentation for `headscale`.
+`headscale` is an open source, self-hosted implementation of the Tailscale control server.

-If you are having trouble with following the documentation or get unexpected results,
-please ask on [Discord](https://discord.gg/c84AZQhmpx) instead of opening an Issue.
+This page contains the documentation for the latest version of headscale. Please also check our [FAQ](/faq/).
+
+Join our [Discord](https://discord.gg/c84AZQhmpx) server for a chat and community support.
+
+## Design goal
+
+Headscale aims to implement a self-hosted, open source alternative to the Tailscale
+control server.
+Headscale's goal is to provide self-hosters and hobbyists with an open-source
+server they can use for their projects and labs.
+It implements a narrower scope, a single Tailnet, suitable for a personal use, or a small
+open-source organisation.
+
+## Supporting headscale
+
+If you like `headscale` and find it useful, there is a sponsorship and donation
+buttons available in the repo.
+
+## Contributing
+
+Headscale is "Open Source, acknowledged contribution", this means that any
+contribution will have to be discussed with the Maintainers before being submitted.
+
+This model has been chosen to reduce the risk of burnout by limiting the
+maintenance overhead of reviewing and validating third-party code.
+
+Headscale is open to code contributions for bug fixes without discussion.
+
+If you find mistakes in the documentation, please submit a fix to the documentation.
+
+## About
+
+`headscale` is maintained by [Kristoffer Dalby](https://kradalby.no/) and [Juan Font](https://font.eu).
--- a/docs/packaging/headscale.systemd.service
+++ b/docs/packaging/headscale.systemd.service
@@ -16,7 +16,7 @@ WorkingDirectory=/var/lib/headscale
 ReadWritePaths=/var/lib/headscale /var/run

 AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
-CapabilityBoundingSet=CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
 LockPersonality=true
 NoNewPrivileges=true
 PrivateDevices=true
--- a/docs/packaging/postinstall.sh
+++ b/docs/packaging/postinstall.sh
@@ -64,6 +64,7 @@ summary() {
 	echo ""
 	echo " Please follow the next steps to start the software:"
 	echo ""
+	echo "    sudo systemctl enable headscale"
 	echo "    sudo systemctl start headscale"
 	echo ""
 	echo " Configuration settings can be adjusted here:"
--- a/docs/running-headscale-linux-manual.md
+++ b/docs/running-headscale-linux-manual.md
@@ -0,0 +1,198 @@
+# Running headscale on Linux
+
+## Note: Outdated and "advanced"
+
+This documentation is considered the "legacy"/advanced/manual version of the documentation, you most likely do not
+want to use this documentation and rather look at the distro specific documentation (TODO LINK)[].
+
+## Goal
+
+This documentation has the goal of showing a user how-to set up and run `headscale` on Linux.
+In additional to the "get up and running section", there is an optional [SystemD section](#running-headscale-in-the-background-with-systemd)
+describing how to make `headscale` run properly in a server environment.
+
+## Configure and run `headscale`
+
+1. Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):
+
+```shell
+wget --output-document=/usr/local/bin/headscale \
+   https://github.com/juanfont/headscale/releases/download/v<HEADSCALE VERSION>/headscale_<HEADSCALE VERSION>_linux_<ARCH>
+```
+
+2. Make `headscale` executable:
+
+```shell
+chmod +x /usr/local/bin/headscale
+```
+
+3. Prepare a directory to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database:
+
+```shell
+# Directory for configuration
+
+mkdir -p /etc/headscale
+
+# Directory for Database, and other variable data (like certificates)
+mkdir -p /var/lib/headscale
+# or if you create a headscale user:
+useradd \
+	--create-home \
+	--home-dir /var/lib/headscale/ \
+	--system \
+	--user-group \
+	--shell /usr/bin/nologin \
+	headscale
+```
+
+4. Create an empty SQLite database:
+
+```shell
+touch /var/lib/headscale/db.sqlite
+```
+
+5. Create a `headscale` configuration:
+
+```shell
+touch /etc/headscale/config.yaml
+```
+
+**(Strongly Recommended)** Download a copy of the [example configuration][config-example.yaml](https://github.com/juanfont/headscale/blob/main/config-example.yaml) from the headscale repository.
+
+6. Start the headscale server:
+
+```shell
+headscale serve
+```
+
+This command will start `headscale` in the current terminal session.
+
+---
+
+To continue the tutorial, open a new terminal and let it run in the background.
+Alternatively use terminal emulators like [tmux](https://github.com/tmux/tmux) or [screen](https://www.gnu.org/software/screen/).
+
+To run `headscale` in the background, please follow the steps in the [SystemD section](#running-headscale-in-the-background-with-systemd) before continuing.
+
+7. Verify `headscale` is running:
+
+Verify `headscale` is available:
+
+```shell
+curl http://127.0.0.1:9090/metrics
+```
+
+8. Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
+
+```shell
+headscale users create myfirstuser
+```
+
+### Register a machine (normal login)
+
+On a client machine, execute the `tailscale` login command:
+
+```shell
+tailscale up --login-server YOUR_HEADSCALE_URL
+```
+
+Register the machine:
+
+```shell
+headscale --user myfirstuser nodes register --key <YOUR_MACHINE_KEY>
+```
+
+### Register machine using a pre authenticated key
+
+Generate a key using the command line:
+
+```shell
+headscale --user myfirstuser preauthkeys create --reusable --expiration 24h
+```
+
+This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
+
+```shell
+tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
+```
+
+## Running `headscale` in the background with SystemD
+
+:warning: **Deprecated**: This part is very outdated and you should use the [pre-packaged Headscale for this](./running-headscale-linux.md
+
+This section demonstrates how to run `headscale` as a service in the background with [SystemD](https://www.freedesktop.org/wiki/Software/systemd/).
+This should work on most modern Linux distributions.
+
+1. Create a SystemD service configuration at `/etc/systemd/system/headscale.service` containing:
+
+```systemd
+[Unit]
+Description=headscale controller
+After=syslog.target
+After=network.target
+
+[Service]
+Type=simple
+User=headscale
+Group=headscale
+ExecStart=/usr/local/bin/headscale serve
+Restart=always
+RestartSec=5
+
+# Optional security enhancements
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectSystem=strict
+ProtectHome=yes
+WorkingDirectory=/var/lib/headscale
+ReadWritePaths=/var/lib/headscale /var/run/headscale
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+RuntimeDirectory=headscale
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Note that when running as the headscale user ensure that, either you add your current user to the headscale group:
+
+```shell
+usermod -a -G headscale current_user
+```
+
+or run all headscale commands as the headscale user:
+
+```shell
+su - headscale
+```
+
+2. In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with path that is writable by the `headscale` user or group:
+
+```yaml
+unix_socket: /var/run/headscale/headscale.sock
+```
+
+3. Reload SystemD to load the new configuration file:
+
+```shell
+systemctl daemon-reload
+```
+
+4. Enable and start the new `headscale` service:
+
+```shell
+systemctl enable --now headscale
+```
+
+5. Verify the headscale service:
+
+```shell
+systemctl status headscale
+```
+
+Verify `headscale` is available:
+
+```shell
+curl http://127.0.0.1:9090/metrics
+```
+
+`headscale` will now run in the background and start at boot.
--- a/docs/running-headscale-linux.md
+++ b/docs/running-headscale-linux.md
@@ -1,83 +1,65 @@
 # Running headscale on Linux

+## Requirements
+
+- Ubuntu 20.04 or newer, Debian 11 or newer.
+
 ## Goal

-This documentation has the goal of showing a user how-to set up and run `headscale` on Linux.
-In additional to the "get up and running section", there is an optional [SystemD section](#running-headscale-in-the-background-with-systemd)
-describing how to make `headscale` run properly in a server environment.
+Get Headscale up and running.

-## Configure and run `headscale`
+This includes running Headscale with SystemD.

-1. Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):
+## Migrating from manual install
+
+If you are migrating from the old manual install, the best thing would be to remove
+the files installed by following [the guide in reverse](./running-headscale-linux-manual.md).
+
+You should _not_ delete the database (`/var/headscale/db.sqlite`) and the
+configuration (`/etc/headscale/config.yaml`).
+
+## Installation
+
+1. Download the lastest Headscale package for your platform (`.deb` for Ubuntu and Debian) from [Headscale's releases page](https://github.com/juanfont/headscale/releases):

 ```shell
-wget --output-document=/usr/local/bin/headscale \
-   https://github.com/juanfont/headscale/releases/download/v<HEADSCALE VERSION>/headscale_<HEADSCALE VERSION>_linux_<ARCH>
+wget --output-document=headscale.deb \
+  https://github.com/juanfont/headscale/releases/download/v<HEADSCALE VERSION>/headscale_<HEADSCALE VERSION>_linux_<ARCH>.deb
 ```

-2. Make `headscale` executable:
+2. Install Headscale:

 ```shell
-chmod +x /usr/local/bin/headscale
+sudo dpkg --install headscale.deb
 ```

-3. Prepare a directory to hold `headscale` configuration and the [SQLite](https://www.sqlite.org/) database:
+3. Enable Headscale service, this will start Headscale at boot:

 ```shell
-# Directory for configuration
-
-mkdir -p /etc/headscale
-
-# Directory for Database, and other variable data (like certificates)
-mkdir -p /var/lib/headscale
-# or if you create a headscale user:
-useradd \
-	--create-home \
-	--home-dir /var/lib/headscale/ \
-	--system \
-	--user-group \
-	--shell /usr/bin/nologin \
-	headscale
+sudo systemctl enable headscale
 ```

-4. Create an empty SQLite database:
+4. Configure Headscale by editing the configuration file:

 ```shell
-touch /var/lib/headscale/db.sqlite
+nano /etc/headscale/config.yaml
 ```

-5. Create a `headscale` configuration:
+5. Start Headscale:

 ```shell
-touch /etc/headscale/config.yaml
+sudo systemctl start headscale
 ```

-**(Strongly Recommended)** Download a copy of the [example configuration][config-example.yaml](https://github.com/juanfont/headscale/blob/main/config-example.yaml) from the headscale repository.
-
-6. Start the headscale server:
+6. Check that Headscale is running as intended:

 ```shell
-headscale serve
+systemctl status headscale
 ```

-This command will start `headscale` in the current terminal session.
+## Using Headscale

---
-
-To continue the tutorial, open a new terminal and let it run in the background.
-Alternatively use terminal emulators like [tmux](https://github.com/tmux/tmux) or [screen](https://www.gnu.org/software/screen/).
-
-To run `headscale` in the background, please follow the steps in the [SystemD section](#running-headscale-in-the-background-with-systemd) before continuing.
-
-7. Verify `headscale` is running:
-
-Verify `headscale` is available:
-
-```shell
-curl http://127.0.0.1:9090/metrics
-```
-
-8. Create a user ([tailnet](https://tailscale.com/kb/1136/tailnet/)):
+### Create a user

 ```shell
 headscale users create myfirstuser
@@ -85,16 +67,16 @@ headscale users create myfirstuser

 ### Register a machine (normal login)

-On a client machine, execute the `tailscale` login command:
+On a client machine, run the `tailscale` login command:

 ```shell
-tailscale up --login-server YOUR_HEADSCALE_URL
+tailscale up --login-server <YOUR_HEADSCALE_URL>
 ```

 Register the machine:

 ```shell
-headscale --user myfirstuser nodes register --key <YOU_+MACHINE_KEY>
+headscale --user myfirstuser nodes register --key <YOUR_MACHINE_KEY>
 ```

 ### Register machine using a pre authenticated key
@@ -105,87 +87,9 @@ Generate a key using the command line:
 headscale --user myfirstuser preauthkeys create --reusable --expiration 24h
 ```

-This will return a pre-authenticated key that can be used to connect a node to `headscale` during the `tailscale` command:
+This will return a pre-authenticated key that is used to
+connect a node to `headscale` during the `tailscale` command:

 ```shell
 tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
 ```
-
-## Running `headscale` in the background with SystemD
-
-This section demonstrates how to run `headscale` as a service in the background with [SystemD](https://www.freedesktop.org/wiki/Software/systemd/).
-This should work on most modern Linux distributions.
-
-1. Create a SystemD service configuration at `/etc/systemd/system/headscale.service` containing:
-
-```systemd
-[Unit]
-Description=headscale controller
-After=syslog.target
-After=network.target
-
-[Service]
-Type=simple
-User=headscale
-Group=headscale
-ExecStart=/usr/local/bin/headscale serve
-Restart=always
-RestartSec=5
-
-# Optional security enhancements
-NoNewPrivileges=yes
-PrivateTmp=yes
-ProtectSystem=strict
-ProtectHome=yes
-WorkingDirectory=/var/lib/headscale
-ReadWritePaths=/var/lib/headscale /var/run/headscale
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-RuntimeDirectory=headscale
-
-[Install]
-WantedBy=multi-user.target
-```
-
-Note that when running as the headscale user ensure that, either you add your current user to the headscale group:
-
-```shell
-usermod -a -G headscale current_user
-```
-
-or run all headscale commands as the headscale user:
-
-```shell
-su - headscale
-```
-
-2. In `/etc/headscale/config.yaml`, override the default `headscale` unix socket with path that is writable by the `headscale` user or group:
-
-```yaml
-unix_socket: /var/run/headscale/headscale.sock
-```
-
-3. Reload SystemD to load the new configuration file:
-
-```shell
-systemctl daemon-reload
-```
-
-4. Enable and start the new `headscale` service:
-
-```shell
-systemctl enable --now headscale
-```
-
-5. Verify the headscale service:
-
-```shell
-systemctl status headscale
-```
-
-Verify `headscale` is available:
-
-```shell
-curl http://127.0.0.1:9090/metrics
-```
-
-`headscale` will now run in the background and start at boot.
--- a/docs/web-ui.md
+++ b/docs/web-ui.md
@@ -0,0 +1,14 @@
+# Headscale web interface
+
+!!! warning "Community contributions"
+
+    This page contains community contributions. The projects listed here are not
+    maintained by the Headscale authors and are written by community members.
+
+| Name            | Repository Link                                         | Description                                                               | Status |
+| --------------- | ------------------------------------------------------- | ------------------------------------------------------------------------- | ------ |
+| headscale-webui | [Github](https://github.com/ifargle/headscale-webui)    | A simple Headscale web UI for small-scale deployments.                    | Alpha  |
+| headscale-ui    | [Github](https://github.com/gurucomputing/headscale-ui) | A web frontend for the headscale Tailscale-compatible coordination server | Alpha  |
+| HeadscaleUi     | [GitHub](https://github.com/simcu/headscale-ui)         | A static headscale admin ui, no backend enviroment required               | Alpha  |
+
+You can ask for support on our dedicated [Discord channel](https://discord.com/channels/896711691637780480/1105842846386356294).
--- a/flake.lock
+++ b/flake.lock
@@ -1,12 +1,15 @@
 {
  "nodes": {
    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
      "locked": {
-        "lastModified": 1680776469,
-        "narHash": "sha256-3CXUDK/3q/kieWtdsYpDOBJw3Gw4Af6x+2EiSnIkNQw=",
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "411e8764155aa9354dbcd6d5faaeb97e9e3dce24",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
        "type": "github"
      },
      "original": {
@@ -17,11 +20,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1680789907,
-        "narHash": "sha256-0AOMkabjbOauxspnqfzqgLKhB2gSh3sLkz1p/jIckcs=",
+        "lastModified": 1681753173,
+        "narHash": "sha256-MrGmzZWLUqh2VstoikKLFFIELXm/lsf/G9U9zR96VD4=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "9de84cd029054adc54fdc6442e121fbc5ac33baf",
+        "rev": "0a4206a51b386e5cda731e8ac78d76ad924c7125",
        "type": "github"
      },
      "original": {
@@ -36,6 +39,21 @@
        "flake-utils": "flake-utils",
        "nixpkgs": "nixpkgs"
      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@@ -36,7 +36,7 @@

            # When updating go.mod or go.sum, a new sha will need to be calculated,
            # update this if you have a mismatch after doing a change to thos files.
-            vendorSha256 = "sha256-+JxS4Q6rTpdBwms2nkVDY/Kluv2qu2T0BaOIjfeX85M=";
+            vendorSha256 = "sha256-IOkbbFtE6+tNKnglE/8ZuNxhPSnloqM2sLgTvagMmnc=";

            ldflags = [ "-s" "-w" "-X github.com/juanfont/headscale/cmd/headscale/cli.Version=v${version}" ];
          };
@@ -99,6 +99,11 @@
            goreleaser
            nfpm
            gotestsum
+            gotests
+
+            # 'dot' is needed for pprof graphs
+            # go tool pprof -http=: <source>
+            graphviz

            # Protobuf dependencies
            protobuf
@@ -129,6 +134,14 @@

          shellHook = ''
            export GOFLAGS=-tags="ts2019"
+            export PATH="$PWD/result/bin:$PATH"
+
+            mkdir -p ./ignored
+            export HEADSCALE_PRIVATE_KEY_PATH="./ignored/private.key"
+            export HEADSCALE_NOISE_PRIVATE_KEY_PATH="./ignored/noise_private.key"
+            export HEADSCALE_DB_PATH="./ignored/db.sqlite"
+            export HEADSCALE_TLS_LETSENCRYPT_CACHE_DIR="./ignored/cache"
+            export HEADSCALE_UNIX_SOCKET="./ignored/headscale.sock"
          '';
        };

--- a/gen/go/headscale/v1/apikey.pb.go
+++ b/gen/go/headscale/v1/apikey.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.29.1
 // 	protoc        (unknown)
 // source: headscale/v1/apikey.proto

--- a/gen/go/headscale/v1/device.pb.go
+++ b/gen/go/headscale/v1/device.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.29.1
 // 	protoc        (unknown)
 // source: headscale/v1/device.proto

--- a/gen/go/headscale/v1/headscale.pb.go
+++ b/gen/go/headscale/v1/headscale.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.29.1
 // 	protoc        (unknown)
 // source: headscale/v1/headscale.proto

--- a/gen/go/headscale/v1/headscale_grpc.pb.go
+++ b/gen/go/headscale/v1/headscale_grpc.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go-grpc. DO NOT EDIT.
 // versions:
-// - protoc-gen-go-grpc v1.2.0
+// - protoc-gen-go-grpc v1.3.0
 // - protoc             (unknown)
 // source: headscale/v1/headscale.proto

@@ -18,6 +18,34 @@ import (
 // Requires gRPC-Go v1.32.0 or later.
 const _ = grpc.SupportPackageIsVersion7

+const (
+	HeadscaleService_GetUser_FullMethodName            = "/headscale.v1.HeadscaleService/GetUser"
+	HeadscaleService_CreateUser_FullMethodName         = "/headscale.v1.HeadscaleService/CreateUser"
+	HeadscaleService_RenameUser_FullMethodName         = "/headscale.v1.HeadscaleService/RenameUser"
+	HeadscaleService_DeleteUser_FullMethodName         = "/headscale.v1.HeadscaleService/DeleteUser"
+	HeadscaleService_ListUsers_FullMethodName          = "/headscale.v1.HeadscaleService/ListUsers"
+	HeadscaleService_CreatePreAuthKey_FullMethodName   = "/headscale.v1.HeadscaleService/CreatePreAuthKey"
+	HeadscaleService_ExpirePreAuthKey_FullMethodName   = "/headscale.v1.HeadscaleService/ExpirePreAuthKey"
+	HeadscaleService_ListPreAuthKeys_FullMethodName    = "/headscale.v1.HeadscaleService/ListPreAuthKeys"
+	HeadscaleService_DebugCreateMachine_FullMethodName = "/headscale.v1.HeadscaleService/DebugCreateMachine"
+	HeadscaleService_GetMachine_FullMethodName         = "/headscale.v1.HeadscaleService/GetMachine"
+	HeadscaleService_SetTags_FullMethodName            = "/headscale.v1.HeadscaleService/SetTags"
+	HeadscaleService_RegisterMachine_FullMethodName    = "/headscale.v1.HeadscaleService/RegisterMachine"
+	HeadscaleService_DeleteMachine_FullMethodName      = "/headscale.v1.HeadscaleService/DeleteMachine"
+	HeadscaleService_ExpireMachine_FullMethodName      = "/headscale.v1.HeadscaleService/ExpireMachine"
+	HeadscaleService_RenameMachine_FullMethodName      = "/headscale.v1.HeadscaleService/RenameMachine"
+	HeadscaleService_ListMachines_FullMethodName       = "/headscale.v1.HeadscaleService/ListMachines"
+	HeadscaleService_MoveMachine_FullMethodName        = "/headscale.v1.HeadscaleService/MoveMachine"
+	HeadscaleService_GetRoutes_FullMethodName          = "/headscale.v1.HeadscaleService/GetRoutes"
+	HeadscaleService_EnableRoute_FullMethodName        = "/headscale.v1.HeadscaleService/EnableRoute"
+	HeadscaleService_DisableRoute_FullMethodName       = "/headscale.v1.HeadscaleService/DisableRoute"
+	HeadscaleService_GetMachineRoutes_FullMethodName   = "/headscale.v1.HeadscaleService/GetMachineRoutes"
+	HeadscaleService_DeleteRoute_FullMethodName        = "/headscale.v1.HeadscaleService/DeleteRoute"
+	HeadscaleService_CreateApiKey_FullMethodName       = "/headscale.v1.HeadscaleService/CreateApiKey"
+	HeadscaleService_ExpireApiKey_FullMethodName       = "/headscale.v1.HeadscaleService/ExpireApiKey"
+	HeadscaleService_ListApiKeys_FullMethodName        = "/headscale.v1.HeadscaleService/ListApiKeys"
+)
+
 // HeadscaleServiceClient is the client API for HeadscaleService service.
 //
 // For semantics around ctx use and closing/ending streaming RPCs, please refer to https://pkg.go.dev/google.golang.org/grpc/?tab=doc#ClientConn.NewStream.
@@ -64,7 +92,7 @@ func NewHeadscaleServiceClient(cc grpc.ClientConnInterface) HeadscaleServiceClie

 func (c *headscaleServiceClient) GetUser(ctx context.Context, in *GetUserRequest, opts ...grpc.CallOption) (*GetUserResponse, error) {
 	out := new(GetUserResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/GetUser", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_GetUser_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -73,7 +101,7 @@ func (c *headscaleServiceClient) GetUser(ctx context.Context, in *GetUserRequest

 func (c *headscaleServiceClient) CreateUser(ctx context.Context, in *CreateUserRequest, opts ...grpc.CallOption) (*CreateUserResponse, error) {
 	out := new(CreateUserResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/CreateUser", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_CreateUser_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -82,7 +110,7 @@ func (c *headscaleServiceClient) CreateUser(ctx context.Context, in *CreateUserR

 func (c *headscaleServiceClient) RenameUser(ctx context.Context, in *RenameUserRequest, opts ...grpc.CallOption) (*RenameUserResponse, error) {
 	out := new(RenameUserResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/RenameUser", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_RenameUser_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -91,7 +119,7 @@ func (c *headscaleServiceClient) RenameUser(ctx context.Context, in *RenameUserR

 func (c *headscaleServiceClient) DeleteUser(ctx context.Context, in *DeleteUserRequest, opts ...grpc.CallOption) (*DeleteUserResponse, error) {
 	out := new(DeleteUserResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/DeleteUser", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_DeleteUser_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -100,7 +128,7 @@ func (c *headscaleServiceClient) DeleteUser(ctx context.Context, in *DeleteUserR

 func (c *headscaleServiceClient) ListUsers(ctx context.Context, in *ListUsersRequest, opts ...grpc.CallOption) (*ListUsersResponse, error) {
 	out := new(ListUsersResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ListUsers", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_ListUsers_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -109,7 +137,7 @@ func (c *headscaleServiceClient) ListUsers(ctx context.Context, in *ListUsersReq

 func (c *headscaleServiceClient) CreatePreAuthKey(ctx context.Context, in *CreatePreAuthKeyRequest, opts ...grpc.CallOption) (*CreatePreAuthKeyResponse, error) {
 	out := new(CreatePreAuthKeyResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/CreatePreAuthKey", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_CreatePreAuthKey_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -118,7 +146,7 @@ func (c *headscaleServiceClient) CreatePreAuthKey(ctx context.Context, in *Creat

 func (c *headscaleServiceClient) ExpirePreAuthKey(ctx context.Context, in *ExpirePreAuthKeyRequest, opts ...grpc.CallOption) (*ExpirePreAuthKeyResponse, error) {
 	out := new(ExpirePreAuthKeyResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ExpirePreAuthKey", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_ExpirePreAuthKey_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -127,7 +155,7 @@ func (c *headscaleServiceClient) ExpirePreAuthKey(ctx context.Context, in *Expir

 func (c *headscaleServiceClient) ListPreAuthKeys(ctx context.Context, in *ListPreAuthKeysRequest, opts ...grpc.CallOption) (*ListPreAuthKeysResponse, error) {
 	out := new(ListPreAuthKeysResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ListPreAuthKeys", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_ListPreAuthKeys_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -136,7 +164,7 @@ func (c *headscaleServiceClient) ListPreAuthKeys(ctx context.Context, in *ListPr

 func (c *headscaleServiceClient) DebugCreateMachine(ctx context.Context, in *DebugCreateMachineRequest, opts ...grpc.CallOption) (*DebugCreateMachineResponse, error) {
 	out := new(DebugCreateMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/DebugCreateMachine", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_DebugCreateMachine_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -145,7 +173,7 @@ func (c *headscaleServiceClient) DebugCreateMachine(ctx context.Context, in *Deb

 func (c *headscaleServiceClient) GetMachine(ctx context.Context, in *GetMachineRequest, opts ...grpc.CallOption) (*GetMachineResponse, error) {
 	out := new(GetMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/GetMachine", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_GetMachine_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -154,7 +182,7 @@ func (c *headscaleServiceClient) GetMachine(ctx context.Context, in *GetMachineR

 func (c *headscaleServiceClient) SetTags(ctx context.Context, in *SetTagsRequest, opts ...grpc.CallOption) (*SetTagsResponse, error) {
 	out := new(SetTagsResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/SetTags", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_SetTags_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -163,7 +191,7 @@ func (c *headscaleServiceClient) SetTags(ctx context.Context, in *SetTagsRequest

 func (c *headscaleServiceClient) RegisterMachine(ctx context.Context, in *RegisterMachineRequest, opts ...grpc.CallOption) (*RegisterMachineResponse, error) {
 	out := new(RegisterMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/RegisterMachine", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_RegisterMachine_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -172,7 +200,7 @@ func (c *headscaleServiceClient) RegisterMachine(ctx context.Context, in *Regist

 func (c *headscaleServiceClient) DeleteMachine(ctx context.Context, in *DeleteMachineRequest, opts ...grpc.CallOption) (*DeleteMachineResponse, error) {
 	out := new(DeleteMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/DeleteMachine", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_DeleteMachine_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -181,7 +209,7 @@ func (c *headscaleServiceClient) DeleteMachine(ctx context.Context, in *DeleteMa

 func (c *headscaleServiceClient) ExpireMachine(ctx context.Context, in *ExpireMachineRequest, opts ...grpc.CallOption) (*ExpireMachineResponse, error) {
 	out := new(ExpireMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ExpireMachine", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_ExpireMachine_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -190,7 +218,7 @@ func (c *headscaleServiceClient) ExpireMachine(ctx context.Context, in *ExpireMa

 func (c *headscaleServiceClient) RenameMachine(ctx context.Context, in *RenameMachineRequest, opts ...grpc.CallOption) (*RenameMachineResponse, error) {
 	out := new(RenameMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/RenameMachine", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_RenameMachine_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -199,7 +227,7 @@ func (c *headscaleServiceClient) RenameMachine(ctx context.Context, in *RenameMa

 func (c *headscaleServiceClient) ListMachines(ctx context.Context, in *ListMachinesRequest, opts ...grpc.CallOption) (*ListMachinesResponse, error) {
 	out := new(ListMachinesResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ListMachines", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_ListMachines_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -208,7 +236,7 @@ func (c *headscaleServiceClient) ListMachines(ctx context.Context, in *ListMachi

 func (c *headscaleServiceClient) MoveMachine(ctx context.Context, in *MoveMachineRequest, opts ...grpc.CallOption) (*MoveMachineResponse, error) {
 	out := new(MoveMachineResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/MoveMachine", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_MoveMachine_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -217,7 +245,7 @@ func (c *headscaleServiceClient) MoveMachine(ctx context.Context, in *MoveMachin

 func (c *headscaleServiceClient) GetRoutes(ctx context.Context, in *GetRoutesRequest, opts ...grpc.CallOption) (*GetRoutesResponse, error) {
 	out := new(GetRoutesResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/GetRoutes", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_GetRoutes_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -226,7 +254,7 @@ func (c *headscaleServiceClient) GetRoutes(ctx context.Context, in *GetRoutesReq

 func (c *headscaleServiceClient) EnableRoute(ctx context.Context, in *EnableRouteRequest, opts ...grpc.CallOption) (*EnableRouteResponse, error) {
 	out := new(EnableRouteResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/EnableRoute", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_EnableRoute_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -235,7 +263,7 @@ func (c *headscaleServiceClient) EnableRoute(ctx context.Context, in *EnableRout

 func (c *headscaleServiceClient) DisableRoute(ctx context.Context, in *DisableRouteRequest, opts ...grpc.CallOption) (*DisableRouteResponse, error) {
 	out := new(DisableRouteResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/DisableRoute", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_DisableRoute_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -244,7 +272,7 @@ func (c *headscaleServiceClient) DisableRoute(ctx context.Context, in *DisableRo

 func (c *headscaleServiceClient) GetMachineRoutes(ctx context.Context, in *GetMachineRoutesRequest, opts ...grpc.CallOption) (*GetMachineRoutesResponse, error) {
 	out := new(GetMachineRoutesResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/GetMachineRoutes", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_GetMachineRoutes_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -253,7 +281,7 @@ func (c *headscaleServiceClient) GetMachineRoutes(ctx context.Context, in *GetMa

 func (c *headscaleServiceClient) DeleteRoute(ctx context.Context, in *DeleteRouteRequest, opts ...grpc.CallOption) (*DeleteRouteResponse, error) {
 	out := new(DeleteRouteResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/DeleteRoute", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_DeleteRoute_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -262,7 +290,7 @@ func (c *headscaleServiceClient) DeleteRoute(ctx context.Context, in *DeleteRout

 func (c *headscaleServiceClient) CreateApiKey(ctx context.Context, in *CreateApiKeyRequest, opts ...grpc.CallOption) (*CreateApiKeyResponse, error) {
 	out := new(CreateApiKeyResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/CreateApiKey", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_CreateApiKey_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -271,7 +299,7 @@ func (c *headscaleServiceClient) CreateApiKey(ctx context.Context, in *CreateApi

 func (c *headscaleServiceClient) ExpireApiKey(ctx context.Context, in *ExpireApiKeyRequest, opts ...grpc.CallOption) (*ExpireApiKeyResponse, error) {
 	out := new(ExpireApiKeyResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ExpireApiKey", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_ExpireApiKey_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -280,7 +308,7 @@ func (c *headscaleServiceClient) ExpireApiKey(ctx context.Context, in *ExpireApi

 func (c *headscaleServiceClient) ListApiKeys(ctx context.Context, in *ListApiKeysRequest, opts ...grpc.CallOption) (*ListApiKeysResponse, error) {
 	out := new(ListApiKeysResponse)
-	err := c.cc.Invoke(ctx, "/headscale.v1.HeadscaleService/ListApiKeys", in, out, opts...)
+	err := c.cc.Invoke(ctx, HeadscaleService_ListApiKeys_FullMethodName, in, out, opts...)
 	if err != nil {
 		return nil, err
 	}
@@ -426,7 +454,7 @@ func _HeadscaleService_GetUser_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/GetUser",
+		FullMethod: HeadscaleService_GetUser_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).GetUser(ctx, req.(*GetUserRequest))
@@ -444,7 +472,7 @@ func _HeadscaleService_CreateUser_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/CreateUser",
+		FullMethod: HeadscaleService_CreateUser_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).CreateUser(ctx, req.(*CreateUserRequest))
@@ -462,7 +490,7 @@ func _HeadscaleService_RenameUser_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/RenameUser",
+		FullMethod: HeadscaleService_RenameUser_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).RenameUser(ctx, req.(*RenameUserRequest))
@@ -480,7 +508,7 @@ func _HeadscaleService_DeleteUser_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/DeleteUser",
+		FullMethod: HeadscaleService_DeleteUser_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).DeleteUser(ctx, req.(*DeleteUserRequest))
@@ -498,7 +526,7 @@ func _HeadscaleService_ListUsers_Handler(srv interface{}, ctx context.Context, d
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/ListUsers",
+		FullMethod: HeadscaleService_ListUsers_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).ListUsers(ctx, req.(*ListUsersRequest))
@@ -516,7 +544,7 @@ func _HeadscaleService_CreatePreAuthKey_Handler(srv interface{}, ctx context.Con
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/CreatePreAuthKey",
+		FullMethod: HeadscaleService_CreatePreAuthKey_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).CreatePreAuthKey(ctx, req.(*CreatePreAuthKeyRequest))
@@ -534,7 +562,7 @@ func _HeadscaleService_ExpirePreAuthKey_Handler(srv interface{}, ctx context.Con
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/ExpirePreAuthKey",
+		FullMethod: HeadscaleService_ExpirePreAuthKey_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).ExpirePreAuthKey(ctx, req.(*ExpirePreAuthKeyRequest))
@@ -552,7 +580,7 @@ func _HeadscaleService_ListPreAuthKeys_Handler(srv interface{}, ctx context.Cont
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/ListPreAuthKeys",
+		FullMethod: HeadscaleService_ListPreAuthKeys_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).ListPreAuthKeys(ctx, req.(*ListPreAuthKeysRequest))
@@ -570,7 +598,7 @@ func _HeadscaleService_DebugCreateMachine_Handler(srv interface{}, ctx context.C
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/DebugCreateMachine",
+		FullMethod: HeadscaleService_DebugCreateMachine_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).DebugCreateMachine(ctx, req.(*DebugCreateMachineRequest))
@@ -588,7 +616,7 @@ func _HeadscaleService_GetMachine_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/GetMachine",
+		FullMethod: HeadscaleService_GetMachine_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).GetMachine(ctx, req.(*GetMachineRequest))
@@ -606,7 +634,7 @@ func _HeadscaleService_SetTags_Handler(srv interface{}, ctx context.Context, dec
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/SetTags",
+		FullMethod: HeadscaleService_SetTags_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).SetTags(ctx, req.(*SetTagsRequest))
@@ -624,7 +652,7 @@ func _HeadscaleService_RegisterMachine_Handler(srv interface{}, ctx context.Cont
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/RegisterMachine",
+		FullMethod: HeadscaleService_RegisterMachine_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).RegisterMachine(ctx, req.(*RegisterMachineRequest))
@@ -642,7 +670,7 @@ func _HeadscaleService_DeleteMachine_Handler(srv interface{}, ctx context.Contex
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/DeleteMachine",
+		FullMethod: HeadscaleService_DeleteMachine_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).DeleteMachine(ctx, req.(*DeleteMachineRequest))
@@ -660,7 +688,7 @@ func _HeadscaleService_ExpireMachine_Handler(srv interface{}, ctx context.Contex
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/ExpireMachine",
+		FullMethod: HeadscaleService_ExpireMachine_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).ExpireMachine(ctx, req.(*ExpireMachineRequest))
@@ -678,7 +706,7 @@ func _HeadscaleService_RenameMachine_Handler(srv interface{}, ctx context.Contex
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/RenameMachine",
+		FullMethod: HeadscaleService_RenameMachine_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).RenameMachine(ctx, req.(*RenameMachineRequest))
@@ -696,7 +724,7 @@ func _HeadscaleService_ListMachines_Handler(srv interface{}, ctx context.Context
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/ListMachines",
+		FullMethod: HeadscaleService_ListMachines_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).ListMachines(ctx, req.(*ListMachinesRequest))
@@ -714,7 +742,7 @@ func _HeadscaleService_MoveMachine_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/MoveMachine",
+		FullMethod: HeadscaleService_MoveMachine_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).MoveMachine(ctx, req.(*MoveMachineRequest))
@@ -732,7 +760,7 @@ func _HeadscaleService_GetRoutes_Handler(srv interface{}, ctx context.Context, d
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/GetRoutes",
+		FullMethod: HeadscaleService_GetRoutes_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).GetRoutes(ctx, req.(*GetRoutesRequest))
@@ -750,7 +778,7 @@ func _HeadscaleService_EnableRoute_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/EnableRoute",
+		FullMethod: HeadscaleService_EnableRoute_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).EnableRoute(ctx, req.(*EnableRouteRequest))
@@ -768,7 +796,7 @@ func _HeadscaleService_DisableRoute_Handler(srv interface{}, ctx context.Context
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/DisableRoute",
+		FullMethod: HeadscaleService_DisableRoute_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).DisableRoute(ctx, req.(*DisableRouteRequest))
@@ -786,7 +814,7 @@ func _HeadscaleService_GetMachineRoutes_Handler(srv interface{}, ctx context.Con
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/GetMachineRoutes",
+		FullMethod: HeadscaleService_GetMachineRoutes_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).GetMachineRoutes(ctx, req.(*GetMachineRoutesRequest))
@@ -804,7 +832,7 @@ func _HeadscaleService_DeleteRoute_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/DeleteRoute",
+		FullMethod: HeadscaleService_DeleteRoute_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).DeleteRoute(ctx, req.(*DeleteRouteRequest))
@@ -822,7 +850,7 @@ func _HeadscaleService_CreateApiKey_Handler(srv interface{}, ctx context.Context
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/CreateApiKey",
+		FullMethod: HeadscaleService_CreateApiKey_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).CreateApiKey(ctx, req.(*CreateApiKeyRequest))
@@ -840,7 +868,7 @@ func _HeadscaleService_ExpireApiKey_Handler(srv interface{}, ctx context.Context
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/ExpireApiKey",
+		FullMethod: HeadscaleService_ExpireApiKey_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).ExpireApiKey(ctx, req.(*ExpireApiKeyRequest))
@@ -858,7 +886,7 @@ func _HeadscaleService_ListApiKeys_Handler(srv interface{}, ctx context.Context,
 	}
 	info := &grpc.UnaryServerInfo{
 		Server:     srv,
-		FullMethod: "/headscale.v1.HeadscaleService/ListApiKeys",
+		FullMethod: HeadscaleService_ListApiKeys_FullMethodName,
 	}
 	handler := func(ctx context.Context, req interface{}) (interface{}, error) {
 		return srv.(HeadscaleServiceServer).ListApiKeys(ctx, req.(*ListApiKeysRequest))
--- a/gen/go/headscale/v1/machine.pb.go
+++ b/gen/go/headscale/v1/machine.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.29.1
 // 	protoc        (unknown)
 // source: headscale/v1/machine.proto

--- a/gen/go/headscale/v1/preauthkey.pb.go
+++ b/gen/go/headscale/v1/preauthkey.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.29.1
 // 	protoc        (unknown)
 // source: headscale/v1/preauthkey.proto

--- a/gen/go/headscale/v1/routes.pb.go
+++ b/gen/go/headscale/v1/routes.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.29.1
 // 	protoc        (unknown)
 // source: headscale/v1/routes.proto

--- a/gen/go/headscale/v1/user.pb.go
+++ b/gen/go/headscale/v1/user.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.28.1
+// 	protoc-gen-go v1.29.1
 // 	protoc        (unknown)
 // source: headscale/v1/user.proto

--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,6 @@ go 1.20

 require (
 	github.com/AlecAivazis/survey/v2 v2.3.6
-	github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029
 	github.com/cenkalti/backoff/v4 v4.2.0
 	github.com/coreos/go-oidc/v3 v3.5.0
 	github.com/davecgh/go-spew v1.1.1
@@ -12,6 +11,7 @@ require (
 	github.com/efekarakus/termcolor v1.0.1
 	github.com/glebarez/sqlite v1.7.0
 	github.com/gofrs/uuid/v5 v5.0.0
+	github.com/google/go-cmp v0.5.9
 	github.com/gorilla/mux v1.8.0
 	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.15.2
@@ -20,6 +20,7 @@ require (
 	github.com/ory/dockertest/v3 v3.9.1
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philip-bui/grpc-zerolog v1.0.1
+	github.com/pkg/profile v1.7.0
 	github.com/prometheus/client_golang v1.14.0
 	github.com/prometheus/common v0.42.0
 	github.com/pterm/pterm v0.12.58
@@ -64,6 +65,7 @@ require (
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/felixge/fgprof v0.9.3 // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/glebarez/go-sqlite v1.20.3 // indirect
@@ -72,9 +74,9 @@ require (
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/go-github v17.0.0+incompatible // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
+	github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gookit/color v1.5.3 // indirect
@@ -141,6 +143,7 @@ require (
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gotest.tools/v3 v3.4.0 // indirect
 	modernc.org/libc v1.22.2 // indirect
 	modernc.org/mathutil v1.5.0 // indirect
 	modernc.org/memory v1.5.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -74,8 +74,6 @@ github.com/atomicgo/cursor v0.0.1/go.mod h1:cBON2QmmrysudxNBFthvMtN32r3jxVRIvzkU
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029 h1:POmUHfxXdeyM8Aomg4tKDcwATCFuW+cYLkj6pwsw9pc=
-github.com/ccding/go-stun/stun v0.0.0-20200514191101-4dc67bcdb029/go.mod h1:Rpr5n9cGHYdM3S3IK8ROSUUUYjQOu+MSUCZDcJbYWi8=
 github.com/cenkalti/backoff/v4 v4.2.0 h1:HN5dHm3WBOgndBH6E8V0q2jIYIR3s9yglV8k/+MN3u4=
 github.com/cenkalti/backoff/v4 v4.2.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -129,6 +127,8 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m
 github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/felixge/fgprof v0.9.3 h1:VvyZxILNuCiUCSXtPtYmmtGvb65nqXh2QFWc0Wpf2/g=
+github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNun8eiPw=
 github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k=
 github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
@@ -238,7 +238,9 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/pprof v0.0.0-20211214055906-6f57359322fd/go.mod h1:KgnwoLYCZ8IQu3XUZ8Nc/bM9CCZFOyjUNOSygVozoDg=
 github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ=
+github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
@@ -272,6 +274,7 @@ github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
 github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
 github.com/imdario/mergo v0.3.13/go.mod h1:4lJ1jqUDcsbIECGy0RUJAXNIhg+6ocWgb1ALK2O4oXg=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -384,6 +387,8 @@ github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsK
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
+github.com/pkg/profile v1.7.0/go.mod h1:8Uer0jas47ZQMJ7VD+OHknK4YDY07LPUC6dEvqDjvNo=
 github.com/pkg/sftp v1.13.1/go.mod h1:3HaPG6Dq1ILlpPZRO0HVMrsydcdLt6HRDccSgb87qRg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -669,6 +674,7 @@ golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210906170528-6f6e22806c34/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211013075003-97ac67df715c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211116061358-0a5406a5449c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -894,7 +900,8 @@ gorm.io/driver/postgres v1.4.8/go.mod h1:O9MruWGNLUBUWVYfWuBClpf3HeGjOoybY0SNmCs
 gorm.io/gorm v1.24.2/go.mod h1:DVrVomtaYTbqs7gB/x2uVvqnXzv0nqjB396B8cG4dBA=
 gorm.io/gorm v1.24.6 h1:wy98aq9oFEetsc4CAbKD2SoBCdMzsbSIvSUUFJuHi5s=
 gorm.io/gorm v1.24.6/go.mod h1:L4uxeKpfBml98NYqVqwAdmV1a2nBtAec/cf3fpucW/k=
-gotest.tools/v3 v3.2.0 h1:I0DwBVMGAx26dttAj1BtJLAkVGncrkkUXfJLC4Flt/I=
+gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
+gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/hscontrol/acls.go
+++ b/hscontrol/acls.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"encoding/json"
@@ -59,8 +59,8 @@ const (

 var featureEnableSSH = envknob.RegisterBool("HEADSCALE_EXPERIMENTAL_FEATURE_SSH")

-// LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules.
-func (h *Headscale) LoadACLPolicy(path string) error {
+// LoadACLPolicyFromPath loads the ACL policy from the specify path, and generates the ACL rules.
+func (h *Headscale) LoadACLPolicyFromPath(path string) error {
 	log.Debug().
 		Str("func", "LoadACLPolicy").
 		Str("path", path).
@@ -72,37 +72,42 @@ func (h *Headscale) LoadACLPolicy(path string) error {
 	}
 	defer policyFile.Close()

-	var policy ACLPolicy
 	policyBytes, err := io.ReadAll(policyFile)
 	if err != nil {
 		return err
 	}

+	log.Debug().
+		Str("path", path).
+		Bytes("file", policyBytes).
+		Msg("Loading ACLs")
+
 	switch filepath.Ext(path) {
 	case ".yml", ".yaml":
-		log.Debug().
-			Str("path", path).
-			Bytes("file", policyBytes).
-			Msg("Loading ACLs from YAML")
+		return h.LoadACLPolicyFromBytes(policyBytes, "yaml")
+	}

-		err := yaml.Unmarshal(policyBytes, &policy)
+	return h.LoadACLPolicyFromBytes(policyBytes, "hujson")
+}
+
+func (h *Headscale) LoadACLPolicyFromBytes(acl []byte, format string) error {
+	var policy ACLPolicy
+	switch format {
+	case "yaml":
+		err := yaml.Unmarshal(acl, &policy)
 		if err != nil {
 			return err
 		}

-		log.Trace().
-			Interface("policy", policy).
-			Msg("Loaded policy from YAML")
-
 	default:
-		ast, err := hujson.Parse(policyBytes)
+		ast, err := hujson.Parse(acl)
 		if err != nil {
 			return err
 		}

 		ast.Standardize()
-		policyBytes = ast.Pack()
-		err = json.Unmarshal(policyBytes, &policy)
+		acl = ast.Pack()
+		err = json.Unmarshal(acl, &policy)
 		if err != nil {
 			return err
 		}
@@ -127,21 +132,14 @@ func (h *Headscale) UpdateACLRules() error {
 		return errEmptyPolicy
 	}

-	rules, err := generateACLRules(machines, *h.aclPolicy, h.cfg.OIDC.StripEmaildomain)
+	rules, err := h.aclPolicy.generateFilterRules(machines, h.cfg.OIDC.StripEmaildomain)
 	if err != nil {
 		return err
 	}
+
 	log.Trace().Interface("ACL", rules).Msg("ACL rules generated")
 	h.aclRules = rules

-	// Precompute a map of which sources can reach each destination, this is
-	// to provide quicker lookup when we calculate the peerlist for the map
-	// response to nodes.
-	aclPeerCacheMap := generateACLPeerCacheMap(rules)
-	h.aclPeerCacheMapRW.Lock()
-	h.aclPeerCacheMap = aclPeerCacheMap
-	h.aclPeerCacheMapRW.Unlock()
-
 	if featureEnableSSH() {
 		sshRules, err := h.generateSSHRules()
 		if err != nil {
@@ -159,91 +157,28 @@ func (h *Headscale) UpdateACLRules() error {
 	return nil
 }

-// generateACLPeerCacheMap takes a list of Tailscale filter rules and generates a map
-// of which Sources ("*" and IPs) can access destinations. This is to speed up the
-// process of generating MapResponses when deciding which Peers to inform nodes about.
-func generateACLPeerCacheMap(rules []tailcfg.FilterRule) map[string]map[string]struct{} {
-	aclCachePeerMap := make(map[string]map[string]struct{})
-	for _, rule := range rules {
-		for _, srcIP := range rule.SrcIPs {
-			for _, ip := range expandACLPeerAddr(srcIP) {
-				if data, ok := aclCachePeerMap[ip]; ok {
-					for _, dstPort := range rule.DstPorts {
-						for _, dstIP := range expandACLPeerAddr(dstPort.IP) {
-							data[dstIP] = struct{}{}
-						}
-					}
-				} else {
-					dstPortsMap := make(map[string]struct{}, len(rule.DstPorts))
-					for _, dstPort := range rule.DstPorts {
-						for _, dstIP := range expandACLPeerAddr(dstPort.IP) {
-							dstPortsMap[dstIP] = struct{}{}
-						}
-					}
-					aclCachePeerMap[ip] = dstPortsMap
-				}
-			}
-		}
-	}
-
-	log.Trace().Interface("ACL Cache Map", aclCachePeerMap).Msg("ACL Peer Cache Map generated")
-
-	return aclCachePeerMap
-}
-
-// expandACLPeerAddr takes a "tailcfg.FilterRule" "IP" and expands it into
-// something our cache logic can look up, which is "*" or single IP addresses.
-// This is probably quite inefficient, but it is a result of
-// "make it work, then make it fast", and a lot of the ACL stuff does not
-// work, but people have tried to make it fast.
-func expandACLPeerAddr(srcIP string) []string {
-	if ip, err := netip.ParseAddr(srcIP); err == nil {
-		return []string{ip.String()}
-	}
-
-	if cidr, err := netip.ParsePrefix(srcIP); err == nil {
-		addrs := []string{}
-
-		ipRange := netipx.RangeOfPrefix(cidr)
-
-		from := ipRange.From()
-		too := ipRange.To()
-
-		if from == too {
-			return []string{from.String()}
-		}
-
-		for from != too && from.Less(too) {
-			addrs = append(addrs, from.String())
-			from = from.Next()
-		}
-		addrs = append(addrs, too.String()) // Add the last IP address in the range
-
-		return addrs
-	}
-
-	// probably "*" or other string based "IP"
-	return []string{srcIP}
-}
-
-func generateACLRules(
+// generateFilterRules takes a set of machines and an ACLPolicy and generates a
+// set of Tailscale compatible FilterRules used to allow traffic on clients.
+func (pol *ACLPolicy) generateFilterRules(
 	machines []Machine,
-	aclPolicy ACLPolicy,
-	stripEmaildomain bool,
+	stripEmailDomain bool,
 ) ([]tailcfg.FilterRule, error) {
 	rules := []tailcfg.FilterRule{}

-	for index, acl := range aclPolicy.ACLs {
+	for index, acl := range pol.ACLs {
 		if acl.Action != "accept" {
 			return nil, errInvalidAction
 		}

 		srcIPs := []string{}
-		for innerIndex, src := range acl.Sources {
-			srcs, err := generateACLPolicySrc(machines, aclPolicy, src, stripEmaildomain)
+		for srcIndex, src := range acl.Sources {
+			srcs, err := pol.getIPsFromSource(src, machines, stripEmailDomain)
 			if err != nil {
 				log.Error().
-					Msgf("Error parsing ACL %d, Source %d", index, innerIndex)
+					Interface("src", src).
+					Int("ACL index", index).
+					Int("Src index", srcIndex).
+					Msgf("Error parsing ACL")

 				return nil, err
 			}
@@ -259,17 +194,19 @@ func generateACLRules(
 		}

 		destPorts := []tailcfg.NetPortRange{}
-		for innerIndex, dest := range acl.Destinations {
-			dests, err := generateACLPolicyDest(
-				machines,
-				aclPolicy,
+		for destIndex, dest := range acl.Destinations {
+			dests, err := pol.getNetPortRangeFromDestination(
 				dest,
+				machines,
 				needsWildcard,
-				stripEmaildomain,
+				stripEmailDomain,
 			)
 			if err != nil {
 				log.Error().
-					Msgf("Error parsing ACL %d, Destination %d", index, innerIndex)
+					Interface("dest", dest).
+					Int("ACL index", index).
+					Int("dest index", destIndex).
+					Msgf("Error parsing ACL")

 				return nil, err
 			}
@@ -340,22 +277,41 @@ func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {

 		principals := make([]*tailcfg.SSHPrincipal, 0, len(sshACL.Sources))
 		for innerIndex, rawSrc := range sshACL.Sources {
-			expandedSrcs, err := expandAlias(
-				machines,
-				*h.aclPolicy,
-				rawSrc,
-				h.cfg.OIDC.StripEmaildomain,
-			)
-			if err != nil {
-				log.Error().
-					Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
-
-				return nil, err
-			}
-			for _, expandedSrc := range expandedSrcs {
+			if isWildcard(rawSrc) {
 				principals = append(principals, &tailcfg.SSHPrincipal{
-					NodeIP: expandedSrc,
+					Any: true,
 				})
+			} else if isGroup(rawSrc) {
+				users, err := h.aclPolicy.getUsersInGroup(rawSrc, h.cfg.OIDC.StripEmaildomain)
+				if err != nil {
+					log.Error().
+						Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
+
+					return nil, err
+				}
+
+				for _, user := range users {
+					principals = append(principals, &tailcfg.SSHPrincipal{
+						UserLogin: user,
+					})
+				}
+			} else {
+				expandedSrcs, err := h.aclPolicy.expandAlias(
+					machines,
+					rawSrc,
+					h.cfg.OIDC.StripEmaildomain,
+				)
+				if err != nil {
+					log.Error().
+						Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
+
+					return nil, err
+				}
+				for _, expandedSrc := range expandedSrcs.Prefixes() {
+					principals = append(principals, &tailcfg.SSHPrincipal{
+						NodeIP: expandedSrc.Addr().String(),
+					})
+				}
 			}
 		}

@@ -364,10 +320,9 @@ func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
 			userMap[user] = "="
 		}
 		rules = append(rules, &tailcfg.SSHRule{
-			RuleExpires: nil,
-			Principals:  principals,
-			SSHUsers:    userMap,
-			Action:      &action,
+			Principals: principals,
+			SSHUsers:   userMap,
+			Action:     &action,
 		})
 	}

@@ -391,31 +346,69 @@ func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
 	}, nil
 }

-func generateACLPolicySrc(
-	machines []Machine,
-	aclPolicy ACLPolicy,
+// getIPsFromSource returns a set of Source IPs that would be associated
+// with the given src alias.
+func (pol *ACLPolicy) getIPsFromSource(
 	src string,
+	machines []Machine,
 	stripEmaildomain bool,
 ) ([]string, error) {
-	return expandAlias(machines, aclPolicy, src, stripEmaildomain)
+	ipSet, err := pol.expandAlias(machines, src, stripEmaildomain)
+	if err != nil {
+		return []string{}, err
+	}
+
+	prefixes := []string{}
+
+	for _, prefix := range ipSet.Prefixes() {
+		prefixes = append(prefixes, prefix.String())
+	}
+
+	return prefixes, nil
 }

-func generateACLPolicyDest(
-	machines []Machine,
-	aclPolicy ACLPolicy,
+// getNetPortRangeFromDestination returns a set of tailcfg.NetPortRange
+// which are associated with the dest alias.
+func (pol *ACLPolicy) getNetPortRangeFromDestination(
 	dest string,
+	machines []Machine,
 	needsWildcard bool,
 	stripEmaildomain bool,
 ) ([]tailcfg.NetPortRange, error) {
-	tokens := strings.Split(dest, ":")
+	var tokens []string
+
+	log.Trace().Str("destination", dest).Msg("generating policy destination")
+
+	// Check if there is a IPv4/6:Port combination, IPv6 has more than
+	// three ":".
+	tokens = strings.Split(dest, ":")
 	if len(tokens) < expectedTokenItems || len(tokens) > 3 {
-		return nil, errInvalidPortFormat
+		port := tokens[len(tokens)-1]
+
+		maybeIPv6Str := strings.TrimSuffix(dest, ":"+port)
+		log.Trace().Str("maybeIPv6Str", maybeIPv6Str).Msg("")
+
+		if maybeIPv6, err := netip.ParseAddr(maybeIPv6Str); err != nil && !maybeIPv6.Is6() {
+			log.Trace().Err(err).Msg("trying to parse as IPv6")
+
+			return nil, fmt.Errorf(
+				"failed to parse destination, tokens %v: %w",
+				tokens,
+				errInvalidPortFormat,
+			)
+		} else {
+			tokens = []string{maybeIPv6Str, port}
+		}
 	}

+	log.Trace().Strs("tokens", tokens).Msg("generating policy destination")
+
 	var alias string
 	// We can have here stuff like:
 	// git-server:*
 	// 192.168.1.0/24:22
+	// fd7a:115c:a1e0::2:22
+	// fd7a:115c:a1e0::2/128:22
 	// tag:montreal-webserver:80,443
 	// tag:api-server:443
 	// example-host-1:*
@@ -425,9 +418,8 @@ func generateACLPolicyDest(
 		alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1])
 	}

-	expanded, err := expandAlias(
+	expanded, err := pol.expandAlias(
 		machines,
-		aclPolicy,
 		alias,
 		stripEmaildomain,
 	)
@@ -440,11 +432,11 @@ func generateACLPolicyDest(
 	}

 	dests := []tailcfg.NetPortRange{}
-	for _, d := range expanded {
-		for _, p := range *ports {
+	for _, dest := range expanded.Prefixes() {
+		for _, port := range *ports {
 			pr := tailcfg.NetPortRange{
-				IP:    d,
-				Ports: p,
+				IP:    dest.String(),
+				Ports: port,
 			}
 			dests = append(dests, pr)
 		}
@@ -508,115 +500,67 @@ func parseProtocol(protocol string) ([]int, bool, error) {
 // - a group
 // - a tag
 // - a host
+// - an ip
+// - a cidr
 // and transform these in IPAddresses.
-func expandAlias(
-	machines []Machine,
-	aclPolicy ACLPolicy,
+func (pol *ACLPolicy) expandAlias(
+	machines Machines,
 	alias string,
 	stripEmailDomain bool,
-) ([]string, error) {
-	ips := []string{}
-	if alias == "*" {
-		return []string{"*"}, nil
+) (*netipx.IPSet, error) {
+	if isWildcard(alias) {
+		return parseIPSet("*", nil)
 	}

+	build := netipx.IPSetBuilder{}
+
 	log.Debug().
 		Str("alias", alias).
 		Msg("Expanding")

-	if strings.HasPrefix(alias, "group:") {
-		users, err := expandGroup(aclPolicy, alias, stripEmailDomain)
-		if err != nil {
-			return ips, err
-		}
-		for _, n := range users {
-			nodes := filterMachinesByUser(machines, n)
-			for _, node := range nodes {
-				ips = append(ips, node.IPAddresses.ToStringSlice()...)
-			}
-		}
-
-		return ips, nil
+	// if alias is a group
+	if isGroup(alias) {
+		return pol.getIPsFromGroup(alias, machines, stripEmailDomain)
 	}

-	if strings.HasPrefix(alias, "tag:") {
-		// check for forced tags
-		for _, machine := range machines {
-			if contains(machine.ForcedTags, alias) {
-				ips = append(ips, machine.IPAddresses.ToStringSlice()...)
-			}
-		}
-
-		// find tag owners
-		owners, err := expandTagOwners(aclPolicy, alias, stripEmailDomain)
-		if err != nil {
-			if errors.Is(err, errInvalidTag) {
-				if len(ips) == 0 {
-					return ips, fmt.Errorf(
-						"%w. %v isn't owned by a TagOwner and no forced tags are defined",
-						errInvalidTag,
-						alias,
-					)
-				}
-
-				return ips, nil
-			} else {
-				return ips, err
-			}
-		}
-
-		// filter out machines per tag owner
-		for _, user := range owners {
-			machines := filterMachinesByUser(machines, user)
-			for _, machine := range machines {
-				hi := machine.GetHostInfo()
-				if contains(hi.RequestTags, alias) {
-					ips = append(ips, machine.IPAddresses.ToStringSlice()...)
-				}
-			}
-		}
-
-		return ips, nil
+	// if alias is a tag
+	if isTag(alias) {
+		return pol.getIPsFromTag(alias, machines, stripEmailDomain)
 	}

 	// if alias is a user
-	nodes := filterMachinesByUser(machines, alias)
-	nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias, stripEmailDomain)
-
-	for _, n := range nodes {
-		ips = append(ips, n.IPAddresses.ToStringSlice()...)
-	}
-	if len(ips) > 0 {
-		return ips, nil
+	if ips, err := pol.getIPsForUser(alias, machines, stripEmailDomain); ips != nil {
+		return ips, err
 	}

 	// if alias is an host
-	if h, ok := aclPolicy.Hosts[alias]; ok {
-		return []string{h.String()}, nil
+	// Note, this is recursive.
+	if h, ok := pol.Hosts[alias]; ok {
+		log.Trace().Str("host", h.String()).Msg("expandAlias got hosts entry")
+
+		return pol.expandAlias(machines, h.String(), stripEmailDomain)
 	}

 	// if alias is an IP
-	ip, err := netip.ParseAddr(alias)
-	if err == nil {
-		return []string{ip.String()}, nil
+	if ip, err := netip.ParseAddr(alias); err == nil {
+		return pol.getIPsFromSingleIP(ip, machines)
 	}

-	// if alias is an CIDR
-	cidr, err := netip.ParsePrefix(alias)
-	if err == nil {
-		return []string{cidr.String()}, nil
+	// if alias is an IP Prefix (CIDR)
+	if prefix, err := netip.ParsePrefix(alias); err == nil {
+		return pol.getIPsFromIPPrefix(prefix, machines)
 	}

 	log.Warn().Msgf("No IPs found with the alias %v", alias)

-	return ips, nil
+	return build.IPSet()
 }

 // excludeCorrectlyTaggedNodes will remove from the list of input nodes the ones
 // that are correctly tagged since they should not be listed as being in the user
 // we assume in this function that we only have nodes from 1 user.
 func excludeCorrectlyTaggedNodes(
-	aclPolicy ACLPolicy,
+	aclPolicy *ACLPolicy,
 	nodes []Machine,
 	user string,
 	stripEmailDomain bool,
@@ -624,7 +568,7 @@ func excludeCorrectlyTaggedNodes(
 	out := []Machine{}
 	tags := []string{}
 	for tag := range aclPolicy.TagOwners {
-		owners, _ := expandTagOwners(aclPolicy, user, stripEmailDomain)
+		owners, _ := getTagOwners(aclPolicy, user, stripEmailDomain)
 		ns := append(owners, user)
 		if contains(ns, user) {
 			tags = append(tags, tag)
@@ -654,7 +598,7 @@ func excludeCorrectlyTaggedNodes(
 }

 func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, error) {
-	if portsStr == "*" {
+	if isWildcard(portsStr) {
 		return &[]tailcfg.PortRange{
 			{First: portRangeBegin, Last: portRangeEnd},
 		}, nil
@@ -666,6 +610,7 @@ func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, err

 	ports := []tailcfg.PortRange{}
 	for _, portStr := range strings.Split(portsStr, ",") {
+		log.Trace().Msgf("parsing portstring: %s", portStr)
 		rang := strings.Split(portStr, "-")
 		switch len(rang) {
 		case 1:
@@ -711,15 +656,15 @@ func filterMachinesByUser(machines []Machine, user string) []Machine {
 	return out
 }

-// expandTagOwners will return a list of user. An owner can be either a user or a group
+// getTagOwners will return a list of user. An owner can be either a user or a group
 // a group cannot be composed of groups.
-func expandTagOwners(
-	aclPolicy ACLPolicy,
+func getTagOwners(
+	pol *ACLPolicy,
 	tag string,
 	stripEmailDomain bool,
 ) ([]string, error) {
 	var owners []string
-	ows, ok := aclPolicy.TagOwners[tag]
+	ows, ok := pol.TagOwners[tag]
 	if !ok {
 		return []string{}, fmt.Errorf(
 			"%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners",
@@ -728,8 +673,8 @@ func expandTagOwners(
 		)
 	}
 	for _, owner := range ows {
-		if strings.HasPrefix(owner, "group:") {
-			gs, err := expandGroup(aclPolicy, owner, stripEmailDomain)
+		if isGroup(owner) {
+			gs, err := pol.getUsersInGroup(owner, stripEmailDomain)
 			if err != nil {
 				return []string{}, err
 			}
@@ -742,15 +687,15 @@ func expandTagOwners(
 	return owners, nil
 }

-// expandGroup will return the list of user inside the group
+// getUsersInGroup will return the list of user inside the group
 // after some validation.
-func expandGroup(
-	aclPolicy ACLPolicy,
+func (pol *ACLPolicy) getUsersInGroup(
 	group string,
 	stripEmailDomain bool,
 ) ([]string, error) {
-	outGroups := []string{}
-	aclGroups, ok := aclPolicy.Groups[group]
+	users := []string{}
+	log.Trace().Caller().Interface("pol", pol).Msg("test")
+	aclGroups, ok := pol.Groups[group]
 	if !ok {
 		return []string{}, fmt.Errorf(
 			"group %v isn't registered. %w",
@@ -759,7 +704,7 @@ func expandGroup(
 		)
 	}
 	for _, group := range aclGroups {
-		if strings.HasPrefix(group, "group:") {
+		if isGroup(group) {
 			return []string{}, fmt.Errorf(
 				"%w. A group cannot be composed of groups. https://tailscale.com/kb/1018/acls/#groups",
 				errInvalidGroup,
@@ -773,8 +718,151 @@ func expandGroup(
 				errInvalidGroup,
 			)
 		}
-		outGroups = append(outGroups, grp)
+		users = append(users, grp)
 	}

-	return outGroups, nil
+	return users, nil
+}
+
+func (pol *ACLPolicy) getIPsFromGroup(
+	group string,
+	machines Machines,
+	stripEmailDomain bool,
+) (*netipx.IPSet, error) {
+	build := netipx.IPSetBuilder{}
+
+	users, err := pol.getUsersInGroup(group, stripEmailDomain)
+	if err != nil {
+		return &netipx.IPSet{}, err
+	}
+	for _, user := range users {
+		filteredMachines := filterMachinesByUser(machines, user)
+		for _, machine := range filteredMachines {
+			machine.IPAddresses.AppendToIPSet(&build)
+		}
+	}
+
+	return build.IPSet()
+}
+
+func (pol *ACLPolicy) getIPsFromTag(
+	alias string,
+	machines Machines,
+	stripEmailDomain bool,
+) (*netipx.IPSet, error) {
+	build := netipx.IPSetBuilder{}
+
+	// check for forced tags
+	for _, machine := range machines {
+		if contains(machine.ForcedTags, alias) {
+			machine.IPAddresses.AppendToIPSet(&build)
+		}
+	}
+
+	// find tag owners
+	owners, err := getTagOwners(pol, alias, stripEmailDomain)
+	if err != nil {
+		if errors.Is(err, errInvalidTag) {
+			ipSet, _ := build.IPSet()
+			if len(ipSet.Prefixes()) == 0 {
+				return ipSet, fmt.Errorf(
+					"%w. %v isn't owned by a TagOwner and no forced tags are defined",
+					errInvalidTag,
+					alias,
+				)
+			}
+
+			return build.IPSet()
+		} else {
+			return nil, err
+		}
+	}
+
+	// filter out machines per tag owner
+	for _, user := range owners {
+		machines := filterMachinesByUser(machines, user)
+		for _, machine := range machines {
+			hi := machine.GetHostInfo()
+			if contains(hi.RequestTags, alias) {
+				machine.IPAddresses.AppendToIPSet(&build)
+			}
+		}
+	}
+
+	return build.IPSet()
+}
+
+func (pol *ACLPolicy) getIPsForUser(
+	user string,
+	machines Machines,
+	stripEmailDomain bool,
+) (*netipx.IPSet, error) {
+	build := netipx.IPSetBuilder{}
+
+	filteredMachines := filterMachinesByUser(machines, user)
+	filteredMachines = excludeCorrectlyTaggedNodes(pol, filteredMachines, user, stripEmailDomain)
+
+	// shortcurcuit if we have no machines to get ips from.
+	if len(filteredMachines) == 0 {
+		return nil, nil //nolint
+	}
+
+	for _, machine := range filteredMachines {
+		machine.IPAddresses.AppendToIPSet(&build)
+	}
+
+	return build.IPSet()
+}
+
+func (pol *ACLPolicy) getIPsFromSingleIP(
+	ip netip.Addr,
+	machines Machines,
+) (*netipx.IPSet, error) {
+	log.Trace().Str("ip", ip.String()).Msg("expandAlias got ip")
+
+	matches := machines.FilterByIP(ip)
+
+	build := netipx.IPSetBuilder{}
+	build.Add(ip)
+
+	for _, machine := range matches {
+		machine.IPAddresses.AppendToIPSet(&build)
+	}
+
+	return build.IPSet()
+}
+
+func (pol *ACLPolicy) getIPsFromIPPrefix(
+	prefix netip.Prefix,
+	machines Machines,
+) (*netipx.IPSet, error) {
+	log.Trace().Str("prefix", prefix.String()).Msg("expandAlias got prefix")
+	build := netipx.IPSetBuilder{}
+	build.AddPrefix(prefix)
+
+	// This is suboptimal and quite expensive, but if we only add the prefix, we will miss all the relevant IPv6
+	// addresses for the hosts that belong to tailscale. This doesnt really affect stuff like subnet routers.
+	for _, machine := range machines {
+		for _, ip := range machine.IPAddresses {
+			// log.Trace().
+			// 	Msgf("checking if machine ip (%s) is part of prefix (%s): %v, is single ip prefix (%v), addr: %s", ip.String(), prefix.String(), prefix.Contains(ip), prefix.IsSingleIP(), prefix.Addr().String())
+			if prefix.Contains(ip) {
+				machine.IPAddresses.AppendToIPSet(&build)
+			}
+		}
+	}
+
+	return build.IPSet()
+}
+
+func isWildcard(str string) bool {
+	return str == "*"
+}
+
+func isGroup(str string) bool {
+	return strings.HasPrefix(str, "group:")
+}
+
+func isTag(str string) bool {
+	return strings.HasPrefix(str, "tag:")
 }
--- a/hscontrol/acls_test.go
+++ b/hscontrol/acls_test.go
--- a/hscontrol/acls_types.go
+++ b/hscontrol/acls_types.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"encoding/json"
@@ -111,8 +111,8 @@ func (hosts *Hosts) UnmarshalYAML(data []byte) error {
 }

 // IsZero is perhaps a bit naive here.
-func (policy ACLPolicy) IsZero() bool {
-	if len(policy.Groups) == 0 && len(policy.Hosts) == 0 && len(policy.ACLs) == 0 {
+func (pol ACLPolicy) IsZero() bool {
+	if len(pol.Groups) == 0 && len(pol.Hosts) == 0 && len(pol.ACLs) == 0 {
 		return true
 	}

--- a/hscontrol/api.go
+++ b/hscontrol/api.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"bytes"
--- a/hscontrol/api_common.go
+++ b/hscontrol/api_common.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"time"
--- a/hscontrol/api_key.go
+++ b/hscontrol/api_key.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"fmt"
--- a/hscontrol/api_key_test.go
+++ b/hscontrol/api_key_test.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"time"
--- a/hscontrol/app.go
+++ b/hscontrol/app.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"context"
@@ -21,6 +21,7 @@ import (
 	"github.com/gorilla/mux"
 	grpcMiddleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
+	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/patrickmn/go-cache"
 	zerolog "github.com/philip-bui/grpc-zerolog"
@@ -84,11 +85,9 @@ type Headscale struct {
 	DERPMap    *tailcfg.DERPMap
 	DERPServer *DERPServer

-	aclPolicy         *ACLPolicy
-	aclRules          []tailcfg.FilterRule
-	aclPeerCacheMapRW sync.RWMutex
-	aclPeerCacheMap   map[string]map[string]struct{}
-	sshPolicy         *tailcfg.SSHPolicy
+	aclPolicy *ACLPolicy
+	aclRules  []tailcfg.FilterRule
+	sshPolicy *tailcfg.SSHPolicy

 	lastStateChange *xsync.MapOf[string, time.Time]

@@ -509,8 +508,10 @@ func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *mux.Router {
 	router.HandleFunc("/windows", h.WindowsConfigMessage).Methods(http.MethodGet)
 	router.HandleFunc("/windows/tailscale.reg", h.WindowsRegConfig).
 		Methods(http.MethodGet)
-	router.HandleFunc("/swagger", SwaggerUI).Methods(http.MethodGet)
-	router.HandleFunc("/swagger/v1/openapiv2.json", SwaggerAPIv1).
+
+	// TODO(kristoffer): move swagger into a package
+	router.HandleFunc("/swagger", headscale.SwaggerUI).Methods(http.MethodGet)
+	router.HandleFunc("/swagger/v1/openapiv2.json", headscale.SwaggerAPIv1).
 		Methods(http.MethodGet)

 	if h.cfg.DERP.ServerEnabled {
@@ -760,7 +761,7 @@ func (h *Headscale) Serve() error {

 				if h.cfg.ACL.PolicyPath != "" {
 					aclPath := AbsolutePathFromConfigPath(h.cfg.ACL.PolicyPath)
-					err := h.LoadACLPolicy(aclPath)
+					err := h.LoadACLPolicyFromPath(aclPath)
 					if err != nil {
 						log.Error().Err(err).Msg("Failed to reload ACL policy")
 					}
@@ -820,7 +821,6 @@ func (h *Headscale) Serve() error {

 				// And we're done:
 				cancel()
-				os.Exit(0)
 			}
 		}
 	}
--- a/hscontrol/app_test.go
+++ b/hscontrol/app_test.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"net/netip"
--- a/hscontrol/config.go
+++ b/hscontrol/config.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"errors"
@@ -16,6 +16,7 @@ import (
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/viper"
 	"go4.org/netipx"
+	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/dnstype"
 )
@@ -174,7 +175,7 @@ func LoadConfig(path string, isFile bool) error {
 	viper.SetDefault("derp.server.enabled", false)
 	viper.SetDefault("derp.server.stun.enabled", true)

-	viper.SetDefault("unix_socket", "/var/run/headscale.sock")
+	viper.SetDefault("unix_socket", "/var/run/headscale/headscale.sock")
 	viper.SetDefault("unix_socket_permission", "0o770")

 	viper.SetDefault("grpc_listen_addr", ":50443")
@@ -515,6 +516,29 @@ func GetHeadscaleConfig() (*Config, error) {
 		if err != nil {
 			panic(fmt.Errorf("failed to parse ip_prefixes[%d]: %w", i, err))
 		}
+
+		if prefix.Addr().Is4() {
+			builder := netipx.IPSetBuilder{}
+			builder.AddPrefix(tsaddr.CGNATRange())
+			ipSet, _ := builder.IPSet()
+			if !ipSet.ContainsPrefix(prefix) {
+				log.Warn().
+					Msgf("Prefix %s is not in the %s range. This is an unsupported configuration.",
+						prefixInConfig, tsaddr.CGNATRange())
+			}
+		}
+
+		if prefix.Addr().Is6() {
+			builder := netipx.IPSetBuilder{}
+			builder.AddPrefix(tsaddr.TailscaleULARange())
+			ipSet, _ := builder.IPSet()
+			if !ipSet.ContainsPrefix(prefix) {
+				log.Warn().
+					Msgf("Prefix %s is not in the %s range. This is an unsupported configuration.",
+						prefixInConfig, tsaddr.TailscaleULARange())
+			}
+		}
+
 		parsedPrefixes = append(parsedPrefixes, prefix)
 	}

--- a/hscontrol/db.go
+++ b/hscontrol/db.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"context"
--- a/hscontrol/derp.go
+++ b/hscontrol/derp.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"context"
--- a/hscontrol/derp_server.go
+++ b/hscontrol/derp_server.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"context"
--- a/hscontrol/dns.go
+++ b/hscontrol/dns.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"fmt"
--- a/hscontrol/dns_test.go
+++ b/hscontrol/dns_test.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import (
 	"fmt"
--- a/hscontrol/grpcv1.go
+++ b/hscontrol/grpcv1.go
@@ -1,5 +1,5 @@
 // nolint
-package headscale
+package hscontrol

 import (
 	"context"
--- a/hscontrol/grpcv1_test.go
+++ b/hscontrol/grpcv1_test.go
@@ -1,4 +1,4 @@
-package headscale
+package hscontrol

 import "testing"

--- a/hscontrol/handler_legacy.go
+++ b/hscontrol/handler_legacy.go
@@ -1,6 +1,6 @@
 //go:build ts2019

-package headscale
+package hscontrol

 import (
 	"net/http"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Juan Font	b01f1f1867	Clean apt	2023-05-12 10:09:36 +02:00
Juan Font	c027ef0f6c	Added changelog for 0.22.3	2023-05-12 10:09:36 +02:00
Six	db97a7ab10	Add ca-certificates to Dockerfile	2023-05-12 09:24:55 +02:00
Kristoffer Dalby	252342a0a5	update nix hash Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	cdf3c47d63	changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	61a2915f17	port reminder of integrationv1 test to v2 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	a16f0c9f60	clean up unused legacy stuff Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	52ad138c32	update dependency path for integration Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	d2413d0a2f	move swagger to root for now Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	51dc0d5784	update dependency path for cmd Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	2d365c8c9c	inline old acl hujson tests Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	f2c1d1b8f9	regenerate gen Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	2d6356fa13	move templates Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	3bfc598ccc	move generated files Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	3683d3e82f	rename package name to hscontrol Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Kristoffer Dalby	4a7921ead5	move all go files from root to hscontrol Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-10 20:47:51 +02:00
Juan Font	22e397e0b6	Use common path in unix_socket default setting	2023-05-10 18:18:04 +02:00
Juan Font	c7db99d6ca	Update changelog + prepare for 0.22.2	2023-05-10 18:18:04 +02:00
Juan Font	f73354b4f4	Create default sock path in Docker	2023-05-10 18:18:04 +02:00
Juan Font	4c8f8c6a1c	Ditch distroless for Docker image distroless has proven a mantenance burden for us, and it has caused headaches for user when trying to debug issues in the container. And in 2023, 20MB of extra disk space are neglectible.	2023-05-10 18:18:04 +02:00
Juan Font	997e93455d	Added web ui section Added discord	2023-05-10 16:16:12 +02:00
Juan Font	9f381256c4	Update config.go	2023-05-10 14:25:13 +02:00
Juan Font	f60c5a1398	Fix socket location in config.go	2023-05-10 14:25:13 +02:00
Juan Font	5706f84cb0	Revert "Revert unix_socket to default value" This reverts commit `ca54fb9f56`.	2023-05-10 14:25:13 +02:00
Juan Font	9478c288f6	Added missing file	2023-05-10 10:26:21 +02:00
Juan Font	6043ec87cf	Update mkdocs.yml	2023-05-10 09:49:13 +02:00
Juan Font	dcf2439c61	Improved website More docs	2023-05-10 09:49:13 +02:00
Kristoffer Dalby	ba45d7dbd3	update readme and templates to clarify scope (#1437 ) Co-authored-by: Juan Font <juanfontalonso@gmail.com>	2023-05-10 08:03:13 +01:00
Juan Font	bab4e14828	Further clarification on unsupported ranges in config example	2023-05-08 12:47:08 +02:00
Juan Font	526e568e1e	Update changelog	2023-05-07 15:27:30 +02:00
Juan Font	02ab0df2de	Disable and Delete route must affect both exit routes (IPv4 and IPv6) Fixed linting	2023-05-07 15:27:30 +02:00
Juan Font	7338775de7	Give a warning when users have set an unsupported prefix Fix minor log issue Removed debug meessage	2023-05-07 13:14:32 +02:00
Sebastian Muszytowski	00c514608e	Add IP forwarding requirement to documentation I propose to add the information, that IP forwarding needs to be enabled in order to use a node as an exit-node.	2023-05-06 21:48:59 +02:00
Maja Bojarska	6c5723a463	Update CHANGELOG.md Co-authored-by: Juan Font <juanfontalonso@gmail.com>	2023-05-04 22:54:32 +02:00
Maja Bojarska	57fd5cf310	Update CHANGELOG.md	2023-05-04 22:54:32 +02:00
Maja Bojarska	f113cc7846	Add missing GH releases page link	2023-05-04 22:54:32 +02:00
ohdearaugustin	ca54fb9f56	Revert unix_socket to default value	2023-05-03 20:16:04 +02:00
Kristoffer Dalby	735b185e7f	use IPSet in acls instead of string slice Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	1a7ae11697	Add basic testcases for Machine.canAccess Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	644be822d5	move matcher to separate file Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	56b63c6e10	use netipx.IPSet for matcher Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	ccedf276ab	add a filter case with really large destination set #1372 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	10320a5f1f	lint and nolint tailscale borrowed func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	ecd62fb785	remove terrible filter code Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	0d24e878d0	update flake hash Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	889d5a1b29	testing without that horrible filtercode Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	1700a747f6	outline tests for full filter generate Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	200e3b88cc	make generateFilterRule a pol struct func Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	5bbbe437df	clear up the acl function naming Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	6de53e2f8d	simplify expandAlias function, move seperate logic out Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-05-03 18:43:57 +02:00
Kristoffer Dalby	b23a9153df	trim dockerfiles, script to rebuild test images (#1403 )	2023-05-02 10:51:30 +01:00
Juan Font	80772033ee	Improvements on Noise implementation (#1379 )	2023-05-02 08:15:33 +02:00
Juan Font	a2b760834f	Fix extra space	2023-04-30 23:28:16 +02:00
loprima-l	493bcfcf18	Update mkdocs.yml Co-authored-by: Juan Font <juanfontalonso@gmail.com>	2023-04-30 23:28:16 +02:00
loprima-l	df72508089	Fix : Change master branch to main This fix should change the edit branch to main in the documentation	2023-04-30 23:28:16 +02:00
loprima-l	0f8d8fc2d8	Fix : Updating the doc path Updating the doc path to be the doc website url as it's a better documentation tool	2023-04-30 22:56:38 +02:00
Jonathan Wright	744e5a11b6	Update CHANGELOG.md Co-authored-by: Juan Font <juanfontalonso@gmail.com>	2023-04-30 18:25:43 +02:00
Jonathan Wright	3ea1750ea0	Update CHANGELOG.md	2023-04-30 18:25:43 +02:00
Jonathan Wright	a45777d22e	Put systemd service file in proper location	2023-04-30 18:25:43 +02:00
Kristoffer Dalby	56dd734300	Add go profiling flag, and enable on integration tests (#1382 )	2023-04-27 16:57:11 +02:00
Philipp Krivanec	d0113732fe	optimize generateACLPeerCacheMap (#1377 )	2023-04-26 06:02:54 +02:00
Kristoffer Dalby	6215eb6471	update flake hash (#1376 )	2023-04-24 15:52:15 +02:00
Juan Font	1d2b4bca8a	Remove legacy DERP tests	2023-04-24 12:35:29 +02:00
Juan Font	96f9680afd	Reuse Ping function for DERP ping	2023-04-24 12:17:24 +02:00
Juan Font	b465592c07	Do not use host networking in embedded DERP tests fixed linting	2023-04-24 12:17:24 +02:00
Juan Font	991ff25362	Added workflow for embedded derp	2023-04-24 12:17:24 +02:00
Juan Font	eacd687dbf	Added DERP integration tests Linting fixes Set listen addr to :8443	2023-04-24 12:17:24 +02:00
Juan Font	549f5a164d	Expand surface of hsic for better TLS support	2023-04-24 12:17:24 +02:00
Juan Font	bb07aec82c	Expand tsic to offer PingViaDerp	2023-04-24 12:17:24 +02:00
Kristoffer Dalby	a5afe4bd06	Add more capabilities for systemd Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-20 15:53:19 +02:00
Kristoffer Dalby	a71cc81fe7	fix Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-20 12:05:57 +02:00
Kristoffer Dalby	679305c3e4	Add version to binary release Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-20 12:05:57 +02:00
Kristoffer Dalby	c0680f34f1	fix issue where binaries are not released Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-20 11:10:27 +02:00
Kristoffer Dalby	64ebe6b0c8	change date in changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-20 08:13:38 +02:00
Kristoffer Dalby	e6b26499f7	release source code with vendored dependencies Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-20 08:13:38 +02:00
Kristoffer Dalby	977eb1dee3	Update flakes, add some quality of life improvements (#1346 )	2023-04-20 07:56:53 +02:00
Kristoffer Dalby	b2e2b02210	set release date Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:47:31 +02:00
Kristoffer Dalby	2abff4bb08	update changelog for #1339 Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:45:27 +02:00
Kristoffer Dalby	54c00645d1	update changelog Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:04:58 +02:00
Kristoffer Dalby	cad5ce0ebd	lint fix Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:04:58 +02:00
Kristoffer Dalby	b12a167fa2	remove rpm, might add back later Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:04:58 +02:00
Kristoffer Dalby	667295e15e	add new documentation on how to install on debian/ubuntu Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:04:58 +02:00
Kristoffer Dalby	bea52678e3	move current linux documentation into "manual" Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:04:58 +02:00
Kristoffer Dalby	307cfc3304	add systemd enable to postinstall script Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-19 20:04:58 +02:00
Kristoffer Dalby	5e74ca9414	Fix IPv6 in ACLs (#1339 )	2023-04-16 12:26:35 +02:00
Juan Font	9836b097a4	Make sure all clients of a user are ready (#1335 )	2023-04-12 09:25:51 +02:00