remove signatures

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Initial work on nfpm
2025-08-21 05:17:29 +00:00 · 2023-04-06 12:02:27 +02:00 · 2023-04-06 11:58:48 +02:00
200 changed files with 5006 additions and 5640 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -6,24 +6,19 @@ labels: ["bug"]
 assignees: ""
 ---

-<!--
-Before posting a bug report, discuss the behaviour you are expecting with the Discord community
-to make sure that it is truly a bug.
-The issue tracker is not the place to ask for support or how to set up Headscale.
+<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the bug report in this language. -->

-Bug reports without the sufficient information will be closed.
-
-Headscale is a multinational community across the globe. Our language is English.
-All bug reports needs to be in English.
-->
-
-## Bug description
+**Bug description**

 <!-- A clear and concise description of what the bug is. Describe the expected bahavior
  and how it is currently different. If you are unsure if it is a bug, consider discussing
  it on our Discord server first. -->

-## Environment
+**To Reproduce**
+
+<!-- Steps to reproduce the behavior. -->
+
+**Context info**

 <!-- Please add relevant information about your system. For example:
 - Version of headscale used
@@ -33,20 +28,3 @@ All bug reports needs to be in English.
 - The relevant config parameters you used
 - Log output
 -->
-
- OS:
- Headscale version:
- Tailscale version:
-
-<!--
-We do not support running Headscale in a container nor behind a (reverse) proxy.
-If either of these are true for your environment, ask the community in Discord
-instead of filing a bug report.
-->
-
- [ ] Headscale is behind a (reverse) proxy
- [ ] Headscale runs in a container
-
-## To Reproduce
-
-<!-- Steps to reproduce the behavior. -->
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -6,21 +6,12 @@ labels: ["enhancement"]
 assignees: ""
 ---

-<!--
-We typically have a clear roadmap for what we want to improve and reserve the right
-to close feature requests that does not fit in the roadmap, or fit with the scope
-of the project, or we actually want to implement ourselves.
+<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the feature request in this language. -->

-Headscale is a multinational community across the globe. Our language is English.
-All bug reports needs to be in English.
-->
-
-## Why
-
-<!-- Include the reason, why you would need the feature. E.g. what problem
-  does it solve? Or which workflow is currently frustrating and will be improved by
-  this? -->
-
-## Description
+**Feature request**

 <!-- A clear and precise description of what new or changed feature you want. -->
+
+<!-- Please include the reason, why you would need the feature. E.g. what problem
+  does it solve? Or which workflow is currently frustrating and will be improved by
+  this? -->
--- a/.github/ISSUE_TEMPLATE/other_issue.md
+++ b/.github/ISSUE_TEMPLATE/other_issue.md
@@ -0,0 +1,30 @@
+---
+name: "Other issue"
+about: "Report a different issue"
+title: ""
+labels: ["bug"]
+assignees: ""
+---
+
+<!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the issue in this language. -->
+
+<!-- If you have a question, please consider using our Discord for asking questions -->
+
+**Issue description**
+
+<!-- Please add your issue description. -->
+
+**To Reproduce**
+
+<!-- Steps to reproduce the behavior. -->
+
+**Context info**
+
+<!-- Please add relevant information about your system. For example:
+- Version of headscale used
+- Version of tailscale client
+- OS (e.g. Linux, Mac, Cygwin, WSL, etc.) and version
+- Kernel version
+- The relevant config parameters you used
+- Log output
+-->
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,15 +1,3 @@
-<!--
-Headscale is "Open Source, acknowledged contribution", this means that any
-contribution will have to be discussed with the Maintainers before being submitted.
-
-This model has been chosen to reduce the risk of burnout by limiting the
-maintenance overhead of reviewing and validating third-party code.
-
-Headscale is open to code contributions for bug fixes without discussion.
-
-If you find mistakes in the documentation, please submit a fix to the documentation.
-->
-
 <!-- Please tick if the following things apply. You… -->

 - [ ] read the [CONTRIBUTING guidelines](README.md#contributing)
--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -6,27 +6,31 @@
  "onboarding": false,
  "extends": ["config:base", ":rebaseStalePrs"],
  "ignorePresets": [":prHourlyLimit2"],
-  "enabledManagers": ["dockerfile", "gomod", "github-actions", "regex"],
+  "enabledManagers": ["dockerfile", "gomod", "github-actions","regex" ],
  "includeForks": true,
  "repositories": ["juanfont/headscale"],
  "platform": "github",
  "packageRules": [
    {
-      "matchDatasources": ["go"],
-      "groupName": "Go modules",
-      "groupSlug": "gomod",
-      "separateMajorMinor": false
+        "matchDatasources": ["go"],
+        "groupName": "Go modules",
+        "groupSlug": "gomod",
+        "separateMajorMinor": false
    },
    {
-      "matchDatasources": ["docker"],
-      "groupName": "Dockerfiles",
-      "groupSlug": "dockerfiles"
-    }
+        "matchDatasources": ["docker"],
+        "groupName": "Dockerfiles",
+        "groupSlug": "dockerfiles"
+    } 
  ],
  "regexManagers": [
    {
-      "fileMatch": [".github/workflows/.*.yml$"],
-      "matchStrings": ["\\s*go-version:\\s*\"?(?<currentValue>.*?)\"?\\n"],
+      "fileMatch": [
+          ".github/workflows/.*.yml$"
+      ],
+      "matchStrings": [
+        "\\s*go-version:\\s*\"?(?<currentValue>.*?)\"?\\n"
+      ],
      "datasourceTemplate": "golang-version",
      "depNameTemplate": "actions/go-version"
    }
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -1,45 +0,0 @@
-name: Build documentation
-on:
-  push:
-    branches:
-      - main
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v3
-      - name: Install python
-        uses: actions/setup-python@v4
-        with:
-          python-version: 3.x
-      - name: Setup cache
-        uses: actions/cache@v2
-        with:
-          key: ${{ github.ref }}
-          path: .cache
-      - name: Setup dependencies
-        run: pip install mkdocs-material pillow cairosvg mkdocs-minify-plugin
-      - name: Build docs
-        run: mkdocs build --strict
-      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v1
-        with:
-          path: ./site
-  deploy:
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
-    runs-on: ubuntu-latest
-    needs: build
-    steps:
-      - name: Deploy to GitHub Pages
-        id: deployment
-        uses: actions/deploy-pages@v1
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -19,6 +19,6 @@ jobs:
      - uses: cachix/install-nix-action@v16

      - name: Run goreleaser
-        run: nix develop --command -- goreleaser release --clean
+        run: nix develop --command -- goreleaser release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/test-integration-cli.yml
+++ b/.github/workflows/test-integration-cli.yml
@@ -0,0 +1,35 @@
+name: Integration Test CLI
+
+on: [pull_request]
+
+jobs:
+  integration-test-cli:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Set Swap Space
+        uses: pierotofy/set-swap-space@master
+        with:
+          swap-size-gb: 10
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run CLI integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: nix develop --command -- make test_integration_cli
--- a/.github/workflows/test-integration-derp.yml
+++ b/.github/workflows/test-integration-derp.yml
@@ -0,0 +1,35 @@
+name: Integration Test DERP
+
+on: [pull_request]
+
+jobs:
+  integration-test-derp:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Set Swap Space
+        uses: pierotofy/set-swap-space@master
+        with:
+          swap-size-gb: 10
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            *.nix
+            go.*
+            **/*.go
+            integration_test/
+            config-example.yaml
+
+      - uses: cachix/install-nix-action@v16
+        if: steps.changed-files.outputs.any_changed == 'true'
+
+      - name: Run Embedded DERP server integration tests
+        if: steps.changed-files.outputs.any_changed == 'true'
+        run: nix develop --command -- make test_integration_derp
--- a/.github/workflows/test-integration-v2-TestACLAllowStarDst.yaml
+++ b/.github/workflows/test-integration-v2-TestACLAllowStarDst.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLAllowUser80Dst.yaml
+++ b/.github/workflows/test-integration-v2-TestACLAllowUser80Dst.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLAllowUserDst.yaml
+++ b/.github/workflows/test-integration-v2-TestACLAllowUserDst.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLDenyAllPort80.yaml
+++ b/.github/workflows/test-integration-v2-TestACLDenyAllPort80.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLDevice1CanAccessDevice2.yaml
+++ b/.github/workflows/test-integration-v2-TestACLDevice1CanAccessDevice2.yaml
@@ -1,63 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestACLDevice1CanAccessDevice2
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestACLDevice1CanAccessDevice2$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLHostsInNetMapTable.yaml
+++ b/.github/workflows/test-integration-v2-TestACLHostsInNetMapTable.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLNamedHostsCanReach.yaml
+++ b/.github/workflows/test-integration-v2-TestACLNamedHostsCanReach.yaml
@@ -1,63 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestACLNamedHostsCanReach
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestACLNamedHostsCanReach$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestACLNamedHostsCanReachBySubnet.yaml
+++ b/.github/workflows/test-integration-v2-TestACLNamedHostsCanReachBySubnet.yaml
@@ -1,63 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestACLNamedHostsCanReachBySubnet
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestACLNamedHostsCanReachBySubnet$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthKeyLogoutAndRelogin.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthWebFlowAuthenticationPingAll.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml
+++ b/.github/workflows/test-integration-v2-TestAuthWebFlowLogoutAndRelogin.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestCreateTailscale.yaml
+++ b/.github/workflows/test-integration-v2-TestCreateTailscale.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestDERPServerScenario.yaml
+++ b/.github/workflows/test-integration-v2-TestDERPServerScenario.yaml
@@ -1,63 +0,0 @@
-# DO NOT EDIT, generated with cmd/gh-action-integration-generator/main.go
-# To regenerate, run "go generate" in cmd/gh-action-integration-generator/
-
-name: Integration Test v2 - TestDERPServerScenario
-
-on: [pull_request]
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 2
-
-      - name: Get changed files
-        id: changed-files
-        uses: tj-actions/changed-files@v34
-        with:
-          files: |
-            *.nix
-            go.*
-            **/*.go
-            integration_test/
-            config-example.yaml
-
-      - uses: cachix/install-nix-action@v18
-        if: ${{ env.ACT }} || steps.changed-files.outputs.any_changed == 'true'
-
-      - name: Run general integration tests
-        if: steps.changed-files.outputs.any_changed == 'true'
-        run: |
-            nix develop --command -- docker run \
-              --tty --rm \
-              --volume ~/.cache/hs-integration-go:/go \
-              --name headscale-test-suite \
-              --volume $PWD:$PWD -w $PWD/integration \
-              --volume /var/run/docker.sock:/var/run/docker.sock \
-              --volume $PWD/control_logs:/tmp/control \
-              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
-                  -tags ts2019 \
-                  -failfast \
-                  -timeout 120m \
-                  -parallel 1 \
-                  -run "^TestDERPServerScenario$"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: logs
-          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestEnablingRoutes.yaml
+++ b/.github/workflows/test-integration-v2-TestEnablingRoutes.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestEphemeral.yaml
+++ b/.github/workflows/test-integration-v2-TestEphemeral.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestExpireNode.yaml
+++ b/.github/workflows/test-integration-v2-TestExpireNode.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestHeadscale.yaml
+++ b/.github/workflows/test-integration-v2-TestHeadscale.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml
+++ b/.github/workflows/test-integration-v2-TestOIDCAuthenticationPingAll.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml
+++ b/.github/workflows/test-integration-v2-TestOIDCExpireNodesBasedOnTokenExpiry.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPingAllByHostname.yaml
+++ b/.github/workflows/test-integration-v2-TestPingAllByHostname.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPingAllByIP.yaml
+++ b/.github/workflows/test-integration-v2-TestPingAllByIP.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommand.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommandReusableEphemeral.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml
+++ b/.github/workflows/test-integration-v2-TestPreAuthKeyCommandWithoutExpiry.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml
+++ b/.github/workflows/test-integration-v2-TestResolveMagicDNS.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHIsBlockedInACL.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHMultipleUsersAllToAll.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHNoSSHConfigured.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml
+++ b/.github/workflows/test-integration-v2-TestSSHOneUserAllToAll.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml
+++ b/.github/workflows/test-integration-v2-TestSSUserOnlyIsolation.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestTaildrop.yaml
+++ b/.github/workflows/test-integration-v2-TestTaildrop.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml
+++ b/.github/workflows/test-integration-v2-TestTailscaleNodesJoiningHeadcale.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.github/workflows/test-integration-v2-TestUserCommand.yaml
+++ b/.github/workflows/test-integration-v2-TestUserCommand.yaml
@@ -43,7 +43,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -55,9 +55,3 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,3 @@
-ignored/
-
 # Binaries for programs and plugins
 *.exe
 *.exe~
@@ -14,9 +12,8 @@ ignored/
 *.out

 # Dependency directories (remove the comment below to include it)
-vendor/
+# vendor/

-dist/
 /headscale
 config.json
 config.yaml
@@ -37,7 +34,3 @@ result
 .direnv/

 integration_test/etc/config.dump.yaml
-
-# MkDocs
-.cache
-/site
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,28 +1,21 @@
 ---
 before:
  hooks:
-    - go mod tidy -compat=1.20
-    - go mod vendor
+    - go mod tidy -compat=1.19

 release:
  prerelease: auto

 builds:
-  - id: headscale
+  - id: darwin-amd64
    main: ./cmd/headscale/headscale.go
    mod_timestamp: "{{ .CommitTimestamp }}"
    env:
      - CGO_ENABLED=0
-    targets:
-      - darwin_amd64
-      - darwin_arm64
-      - freebsd_amd64
-      - linux_386
-      - linux_amd64
-      - linux_arm64
-      - linux_arm_5
-      - linux_arm_6
-      - linux_arm_7
+    goos:
+      - darwin
+    goarch:
+      - amd64
    flags:
      - -mod=readonly
    ldflags:
@@ -30,56 +23,60 @@ builds:
    tags:
      - ts2019

+  - id: darwin-arm64
+    main: ./cmd/headscale/headscale.go
+    mod_timestamp: "{{ .CommitTimestamp }}"
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+    goarch:
+      - arm64
+    flags:
+      - -mod=readonly
+    ldflags:
+      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019
+
+  - id: linux-amd64
+    mod_timestamp: "{{ .CommitTimestamp }}"
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - amd64
+    main: ./cmd/headscale/headscale.go
+    ldflags:
+      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019
+
+  - id: linux-arm64
+    mod_timestamp: "{{ .CommitTimestamp }}"
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - arm64
+    main: ./cmd/headscale/headscale.go
+    ldflags:
+      - -s -w -X github.com/juanfont/headscale/cmd/headscale/cli.Version=v{{.Version}}
+    tags:
+      - ts2019
+
 archives:
  - id: golang-cross
-    name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}'
+    builds:
+      - darwin-amd64
+      - darwin-arm64
+      - linux-amd64
+      - linux-arm64
+    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
    format: binary

-source:
-  enabled: true
-  name_template: "{{ .ProjectName }}_{{ .Version }}"
-  format: tar.gz
-  files:
-    - "vendor/"
-
-nfpms:
-  # Configure nFPM for .deb and .rpm releases
-  #
-  # See https://nfpm.goreleaser.com/configuration/
-  # and https://goreleaser.com/customization/nfpm/
-  #
-  # Useful tools for debugging .debs:
-  # List file contents: dpkg -c dist/headscale...deb
-  # Package metadata: dpkg --info dist/headscale....deb
-  #
-  - builds:
-      - headscale
-    package_name: headscale
-    priority: optional
-    vendor: headscale
-    maintainer: Kristoffer Dalby <kristoffer@dalby.cc>
-    homepage: https://github.com/juanfont/headscale
-    license: BSD
-    bindir: /usr/bin
-    formats:
-      - deb
-      # - rpm
-    contents:
-      - src: ./config-example.yaml
-        dst: /etc/headscale/config.yaml
-        type: config|noreplace
-        file_info:
-          mode: 0644
-      - src: ./docs/packaging/headscale.systemd.service
-        dst: /usr/lib/systemd/system/headscale.service
-      - dst: /var/lib/headscale
-        type: dir
-      - dst: /var/run/headscale
-        type: dir
-    scripts:
-      postinstall: ./docs/packaging/postinstall.sh
-      postremove: ./docs/packaging/postremove.sh
-
 checksum:
  name_template: "checksums.txt"
 snapshot:
--- a/.nfpm.yaml
+++ b/.nfpm.yaml
@@ -0,0 +1,27 @@
+# this is the base "template" for the package
+name: headscale
+description: headscale coordination server for Tailscale
+arch: ${ARCH}
+version: ${VERSION}
+priority: optional
+vendor: Juan Font
+maintainer: Kristoffer Dalby <kristoffer@dalby.cc>
+homepage: https://github.com/juanfont/headscale
+license: BSD
+contents:
+  - src: ./build/headscale
+    dst: /usr/bin/headscale
+  - src: ./config-example.yaml
+    dst: /etc/headscale/config.yaml
+    type: config|noreplace
+    file_info:
+      mode: 0640
+  - src: ./docs/packaging/headscale.systemd.service
+    dst: /etc/systemd/system/headscale.service
+  - dst: /var/lib/headscale
+    type: dir
+  - dst: /var/run/headscale
+    type: dir
+scripts:
+  postinstall: ./docs/packaging/postinstall.sh
+  postremove: ./docs/packaging/postremove.sh
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,47 +1,10 @@
 # CHANGELOG

-## 0.23.0 (2023-XX-XX)
-
-### BREAKING
-
- Code reorganisation, a lot of code has moved, please review the following PRs accordingly [#1444](https://github.com/juanfont/headscale/pull/1444)
+## 0.22.0 (2023-XX-XX)

 ### Changes

-## 0.22.3 (2023-05-12)
-
-### Changes
-
- Added missing ca-certificates in Docker image [#1463](https://github.com/juanfont/headscale/pull/1463)
-
-## 0.22.2 (2023-05-10)
-
-### Changes
-
- Add environment flags to enable pprof (profiling) [#1382](https://github.com/juanfont/headscale/pull/1382)
-  - Profiles are continously generated in our integration tests.
- Fix systemd service file location in `.deb` packages [#1391](https://github.com/juanfont/headscale/pull/1391)
- Improvements on Noise implementation [#1379](https://github.com/juanfont/headscale/pull/1379)
- Replace node filter logic, ensuring nodes with access can see eachother [#1381](https://github.com/juanfont/headscale/pull/1381)
- Disable (or delete) both exit routes at the same time [#1428](https://github.com/juanfont/headscale/pull/1428)
- Ditch distroless for Docker image, create default socket dir in `/var/run/headscale` [#1450](https://github.com/juanfont/headscale/pull/1450)
-
-## 0.22.1 (2023-04-20)
-
-### Changes
-
- Fix issue where systemd could not bind to port 80 [#1365](https://github.com/juanfont/headscale/pull/1365)
-
-## 0.22.0 (2023-04-20)
-
-### Changes
-
- Add `.deb` packages to release process [#1297](https://github.com/juanfont/headscale/pull/1297)
- Update and simplify the documentation to use new `.deb` packages [#1349](https://github.com/juanfont/headscale/pull/1349)
- Add 32-bit Arm platforms to release process [#1297](https://github.com/juanfont/headscale/pull/1297)
 - Fix longstanding bug that would prevent "\*" from working properly in ACLs (issue [#699](https://github.com/juanfont/headscale/issues/699)) [#1279](https://github.com/juanfont/headscale/pull/1279)
- Fix issue where IPv6 could not be used in, or while using ACLs (part of [#809](https://github.com/juanfont/headscale/issues/809)) [#1339](https://github.com/juanfont/headscale/pull/1339)
- Target Go 1.20 and Tailscale 1.38 for Headscale [#1323](https://github.com/juanfont/headscale/pull/1323)

 ## 0.21.0 (2023-03-20)

--- a/11
+++ b/11
@@ -1,5 +1,5 @@
 # Builder image
-FROM docker.io/golang:1.20-bullseye AS build
+FROM docker.io/golang:1.19-bullseye AS build
 ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale
@@ -14,17 +14,10 @@ RUN strip /go/bin/headscale
 RUN test -e /go/bin/headscale

 # Production image
-FROM docker.io/debian:bullseye-slim
-
-RUN apt-get update \
-    && apt-get install -y ca-certificates \
-    && rm -rf /var/lib/apt/lists/* \
-    && apt-get clean
+FROM gcr.io/distroless/base-debian11

 COPY --from=build /go/bin/headscale /bin/headscale
 ENV TZ UTC

-RUN mkdir -p /var/run/headscale
-
 EXPOSE 8080/tcp
 CMD ["headscale"]
--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@@ -1,5 +1,5 @@
 # Builder image
-FROM docker.io/golang:1.20-bullseye AS build
+FROM docker.io/golang:1.19-bullseye AS build
 ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale
@@ -13,13 +13,11 @@ RUN CGO_ENABLED=0 GOOS=linux go install -tags ts2019 -ldflags="-s -w -X github.c
 RUN test -e /go/bin/headscale

 # Debug image
-FROM docker.io/golang:1.20.0-bullseye
+FROM docker.io/golang:1.19.0-bullseye

 COPY --from=build /go/bin/headscale /bin/headscale
 ENV TZ UTC

-RUN mkdir -p /var/run/headscale
-
 # Need to reset the entrypoint or everything will run as a busybox script
 ENTRYPOINT []
 EXPOSE 8080/tcp
--- a/Dockerfile.tailscale
+++ b/Dockerfile.tailscale
@@ -1,16 +1,19 @@
-FROM ubuntu:22.04
+FROM ubuntu:latest

 ARG TAILSCALE_VERSION=*
 ARG TAILSCALE_CHANNEL=stable

 RUN apt-get update \
-    && apt-get install -y gnupg curl ssh dnsutils ca-certificates \
-    && adduser --shell=/bin/bash ssh-it-user
-
-# Tailscale is deliberately split into a second stage so we can cash utils as a seperate layer.
-RUN curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.gpg | apt-key add - \
+    && apt-get install -y gnupg curl ssh \
+    && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.gpg | apt-key add - \
    && curl -fsSL https://pkgs.tailscale.com/${TAILSCALE_CHANNEL}/ubuntu/focal.list | tee /etc/apt/sources.list.d/tailscale.list \
    && apt-get update \
-    && apt-get install -y tailscale=${TAILSCALE_VERSION} \
-    && apt-get clean \
+    && apt-get install -y ca-certificates tailscale=${TAILSCALE_VERSION} dnsutils \
    && rm -rf /var/lib/apt/lists/*
+
+RUN adduser --shell=/bin/bash ssh-it-user
+
+ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
+RUN chmod 644 /usr/local/share/ca-certificates/server.crt
+
+RUN update-ca-certificates
--- a/Dockerfile.tailscale-HEAD
+++ b/Dockerfile.tailscale-HEAD
@@ -1,7 +1,7 @@
 FROM golang:latest

 RUN apt-get update \
-    && apt-get install -y dnsutils git iptables ssh ca-certificates \
+    && apt-get install -y ca-certificates dnsutils git iptables ssh \
    && rm -rf /var/lib/apt/lists/*

 RUN useradd --shell=/bin/bash --create-home ssh-it-user
@@ -10,8 +10,15 @@ RUN git clone https://github.com/tailscale/tailscale.git

 WORKDIR /go/tailscale

-RUN git checkout main \
-    && sh build_dist.sh tailscale.com/cmd/tailscale \
-    && sh build_dist.sh tailscale.com/cmd/tailscaled \
-    && cp tailscale /usr/local/bin/ \
-    && cp tailscaled /usr/local/bin/
+RUN git checkout main
+
+RUN sh build_dist.sh tailscale.com/cmd/tailscale
+RUN sh build_dist.sh tailscale.com/cmd/tailscaled
+
+RUN cp tailscale /usr/local/bin/
+RUN cp tailscaled /usr/local/bin/
+
+ADD integration_test/etc_embedded_derp/tls/server.crt /usr/local/share/ca-certificates/
+RUN chmod 644 /usr/local/share/ca-certificates/server.crt
+
+RUN update-ca-certificates
--- a/43
+++ b/43
@@ -24,9 +24,31 @@ build:
 dev: lint test build

 test:
-	gotestsum -- $(TAGS) -short -coverprofile=coverage.out ./...
+	@go test $(TAGS) -short -coverprofile=coverage.out ./...

-test_integration:
+test_integration: test_integration_cli test_integration_derp test_integration_v2_general
+
+test_integration_cli:
+	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
+	docker network create headscale-test || true
+	docker run -t --rm \
+		--network headscale-test \
+		-v ~/.cache/hs-integration-go:/go \
+		-v $$PWD:$$PWD -w $$PWD \
+		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
+		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationCLI ./...
+
+test_integration_derp:
+	docker network rm $$(docker network ls --filter name=headscale --quiet) || true
+	docker network create headscale-test || true
+	docker run -t --rm \
+		--network headscale-test \
+		-v ~/.cache/hs-integration-go:/go \
+		-v $$PWD:$$PWD -w $$PWD \
+		-v /var/run/docker.sock:/var/run/docker.sock golang:1 \
+		go test $(TAGS) -failfast -timeout 30m -count=1 -run IntegrationDERP ./...
+
+test_integration_v2_general:
 	docker run \
 		-t --rm \
 		-v ~/.cache/hs-integration-go:/go \
@@ -34,7 +56,13 @@ test_integration:
 		-v $$PWD:$$PWD -w $$PWD/integration \
 		-v /var/run/docker.sock:/var/run/docker.sock \
 		golang:1 \
-		go run gotest.tools/gotestsum@latest -- $(TAGS) -failfast ./... -timeout 120m -parallel 8
+		go test $(TAGS) -failfast ./... -timeout 120m -parallel 8
+
+coverprofile_func:
+	go tool cover -func=coverage.out
+
+coverprofile_html:
+	go tool cover -html=coverage.out

 lint:
 	golangci-lint run --fix --timeout 10m
@@ -52,4 +80,11 @@ compress: build

 generate:
 	rm -rf gen
-	buf generate proto
+	go run github.com/bufbuild/buf/cmd/buf generate proto
+
+install-protobuf-plugins:
+	go install \
+		github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway \
+		github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2 \
+		google.golang.org/protobuf/cmd/protoc-gen-go \
+		google.golang.org/grpc/cmd/protoc-gen-go-grpc
--- a/README.md
+++ b/README.md
@@ -32,18 +32,22 @@ organisation.

 ## Design goal

-Headscale aims to implement a self-hosted, open source alternative to the Tailscale
-control server.
-Headscale's goal is to provide self-hosters and hobbyists with an open-source
-server they can use for their projects and labs.
-It implements a narrow scope, a single Tailnet, suitable for a personal use, or a small
-open-source organisation.
+`headscale` aims to implement a self-hosted, open source alternative to the Tailscale
+control server. `headscale` has a narrower scope and an instance of `headscale`
+implements a _single_ Tailnet, which is typically what a single organisation, or
+home/personal setup would use.

-## Supporting Headscale
+`headscale` uses terms that maps to Tailscale's control server, consult the
+[glossary](./docs/glossary.md) for explainations.
+
+## Support

 If you like `headscale` and find it useful, there is a sponsorship and donation
 buttons available in the repo.

+If you would like to sponsor features, bugs or prioritisation, reach out to
+one of the maintainers.
+
 ## Features

 - Full "base" support of Tailscale's features
@@ -75,10 +79,16 @@ buttons available in the repo.

 ## Running headscale

-**Please note that we do not support nor encourage the use of reverse proxies
-and container to run Headscale.**
+Please have a look at the documentation under [`docs/`](docs/).

-Please have a look at the [`documentation`](https://headscale.net/).
+## Graphical Control Panels
+
+Headscale provides an API for complete management of your Tailnet.
+These are community projects not directly affiliated with the Headscale project.
+
+| Name            | Repository Link                                      | Description                                            | Status |
+| --------------- | ---------------------------------------------------- | ------------------------------------------------------ | ------ |
+| headscale-webui | [Github](https://github.com/ifargle/headscale-webui) | A simple Headscale web UI for small-scale deployments. | Alpha  |

 ## Talks

@@ -87,23 +97,11 @@ Please have a look at the [`documentation`](https://headscale.net/).

 ## Disclaimer

-1. This project is not associated with Tailscale Inc.
+1. We have nothing to do with Tailscale, or Tailscale Inc.
 2. The purpose of Headscale is maintaining a working, self-hosted Tailscale control panel.

 ## Contributing

-Headscale is "Open Source, acknowledged contribution", this means that any
-contribution will have to be discussed with the Maintainers before being submitted.
-
-This model has been chosen to reduce the risk of burnout by limiting the
-maintenance overhead of reviewing and validating third-party code.
-
-Headscale is open to code contributions for bug fixes without discussion.
-
-If you find mistakes in the documentation, please submit a fix to the documentation.
-
-### Requirements
-
 To contribute to headscale you would need the lastest version of [Go](https://golang.org)
 and [Buf](https://buf.build)(Protobuf generator).

@@ -111,6 +109,8 @@ We recommend using [Nix](https://nixos.org/) to setup a development environment.
 be done with `nix develop`, which will install the tools and give you a shell.
 This guarantees that you will have the same dev env as `headscale` maintainers.

+PRs and suggestions are welcome.
+
 ### Code style

 To ensure we have some consistency with a growing number of contributions,
@@ -188,6 +188,13 @@ make build
            <sub style="font-size:14px"><b>Juan Font</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/restanrm>
+            <img src=https://avatars.githubusercontent.com/u/4344371?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Adrien Raffin-Caboisse/>
+            <br />
+            <sub style="font-size:14px"><b>Adrien Raffin-Caboisse</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/cure>
            <img src=https://avatars.githubusercontent.com/u/149135?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Ward Vandewege/>
@@ -209,6 +216,8 @@ make build
            <sub style="font-size:14px"><b>Benjamin Roberts</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/reynico>
            <img src=https://avatars.githubusercontent.com/u/715768?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Nico/>
@@ -216,8 +225,6 @@ make build
            <sub style="font-size:14px"><b>Nico</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/evenh>
            <img src=https://avatars.githubusercontent.com/u/2701536?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Even Holthe/>
@@ -253,13 +260,6 @@ make build
            <sub style="font-size:14px"><b>unreality</b></sub>
        </a>
    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/mpldr>
-            <img src=https://avatars.githubusercontent.com/u/33086936?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Moritz Poldrack/>
-            <br />
-            <sub style="font-size:14px"><b>Moritz Poldrack</b></sub>
-        </a>
-    </td>
 </tr>
 <tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -270,10 +270,10 @@ make build
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/restanrm>
-            <img src=https://avatars.githubusercontent.com/u/4344371?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Adrien Raffin-Caboisse/>
+        <a href=https://github.com/mpldr>
+            <img src=https://avatars.githubusercontent.com/u/33086936?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Moritz Poldrack/>
            <br />
-            <sub style="font-size:14px"><b>Adrien Raffin-Caboisse</b></sub>
+            <sub style="font-size:14px"><b>Moritz Poldrack</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -350,13 +350,6 @@ make build
    </td>
 </tr>
 <tr>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/majst01>
-            <img src=https://avatars.githubusercontent.com/u/410110?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan Majer/>
-            <br />
-            <sub style="font-size:14px"><b>Stefan Majer</b></sub>
-        </a>
-    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/fdelucchijr>
            <img src=https://avatars.githubusercontent.com/u/69133647?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Fernando De Lucchi/>
@@ -371,6 +364,13 @@ make build
            <sub style="font-size:14px"><b>Orville Q. Song</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/majst01>
+            <img src=https://avatars.githubusercontent.com/u/410110?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Stefan Majer/>
+            <br />
+            <sub style="font-size:14px"><b>Stefan Majer</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/hdhoang>
            <img src=https://avatars.githubusercontent.com/u/12537?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=hdhoang/>
@@ -385,15 +385,6 @@ make build
            <sub style="font-size:14px"><b>bravechamp</b></sub>
        </a>
    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/bravechamp>
-            <img src=https://avatars.githubusercontent.com/u/48980452?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=bravechamp/>
-            <br />
-            <sub style="font-size:14px"><b>bravechamp</b></sub>
-        </a>
-    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/deonthomasgy>
            <img src=https://avatars.githubusercontent.com/u/150036?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Deon Thomas/>
@@ -401,6 +392,8 @@ make build
            <sub style="font-size:14px"><b>Deon Thomas</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/madjam002>
            <img src=https://avatars.githubusercontent.com/u/679137?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jamie Greeff/>
@@ -436,8 +429,6 @@ make build
            <sub style="font-size:14px"><b>Paul Tötterman</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/samson4649>
            <img src=https://avatars.githubusercontent.com/u/12725953?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Samuel Lock/>
@@ -445,6 +436,8 @@ make build
            <sub style="font-size:14px"><b>Samuel Lock</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/kevin1sMe>
            <img src=https://avatars.githubusercontent.com/u/6886076?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=kevinlin/>
@@ -480,8 +473,6 @@ make build
            <sub style="font-size:14px"><b>dbevacqua</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/joshuataylor>
            <img src=https://avatars.githubusercontent.com/u/225131?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Josh Taylor/>
@@ -489,6 +480,8 @@ make build
            <sub style="font-size:14px"><b>Josh Taylor</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/CNLHC>
            <img src=https://avatars.githubusercontent.com/u/21005146?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=LiuHanCheng/>
@@ -524,8 +517,6 @@ make build
            <sub style="font-size:14px"><b>Steven Honson</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/ratsclub>
            <img src=https://avatars.githubusercontent.com/u/25647735?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Victor Freire/>
@@ -533,6 +524,15 @@ make build
            <sub style="font-size:14px"><b>Victor Freire</b></sub>
        </a>
    </td>
+</tr>
+<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/lachy2849>
+            <img src=https://avatars.githubusercontent.com/u/98844035?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=lachy2849/>
+            <br />
+            <sub style="font-size:14px"><b>lachy2849</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/t56k>
            <img src=https://avatars.githubusercontent.com/u/12165422?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=thomas/>
@@ -540,13 +540,6 @@ make build
            <sub style="font-size:14px"><b>thomas</b></sub>
        </a>
    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/linsomniac>
-            <img src=https://avatars.githubusercontent.com/u/466380?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Sean Reifschneider/>
-            <br />
-            <sub style="font-size:14px"><b>Sean Reifschneider</b></sub>
-        </a>
-    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/aberoham>
            <img src=https://avatars.githubusercontent.com/u/586805?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Abraham Ingersoll/>
@@ -568,8 +561,6 @@ make build
            <sub style="font-size:14px"><b>Andrei Pechkurov</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/theryecatcher>
            <img src=https://avatars.githubusercontent.com/u/16442416?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Anoop Sundaresh/>
@@ -577,6 +568,8 @@ make build
            <sub style="font-size:14px"><b>Anoop Sundaresh</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/apognu>
            <img src=https://avatars.githubusercontent.com/u/3017182?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Antoine POPINEAU/>
@@ -584,13 +577,6 @@ make build
            <sub style="font-size:14px"><b>Antoine POPINEAU</b></sub>
        </a>
    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/tony1661>
-            <img src=https://avatars.githubusercontent.com/u/5287266?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Antonio Fernandez/>
-            <br />
-            <sub style="font-size:14px"><b>Antonio Fernandez</b></sub>
-        </a>
-    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/aofei>
            <img src=https://avatars.githubusercontent.com/u/5037285?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Aofei Sheng/>
@@ -605,6 +591,13 @@ make build
            <sub style="font-size:14px"><b>Arnar</b></sub>
        </a>
    </td>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/awoimbee>
+            <img src=https://avatars.githubusercontent.com/u/22431493?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Arthur Woimbée/>
+            <br />
+            <sub style="font-size:14px"><b>Arthur Woimbée</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/avirut>
            <img src=https://avatars.githubusercontent.com/u/27095602?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Avirut Mehta/>
@@ -612,8 +605,6 @@ make build
            <sub style="font-size:14px"><b>Avirut Mehta</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/stensonb>
            <img src=https://avatars.githubusercontent.com/u/933389?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Bryan Stenson/>
@@ -621,6 +612,8 @@ make build
            <sub style="font-size:14px"><b>Bryan Stenson</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/yangchuansheng>
            <img src=https://avatars.githubusercontent.com/u/15308462?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt= Carson Yang/>
@@ -656,15 +649,6 @@ make build
            <sub style="font-size:14px"><b>Felix Yan</b></sub>
        </a>
    </td>
-</tr>
-<tr>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/gabe565>
-            <img src=https://avatars.githubusercontent.com/u/7717888?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Gabe Cook/>
-            <br />
-            <sub style="font-size:14px"><b>Gabe Cook</b></sub>
-        </a>
-    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/JJGadgets>
            <img src=https://avatars.githubusercontent.com/u/5709019?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=JJGadgets/>
@@ -672,6 +656,8 @@ make build
            <sub style="font-size:14px"><b>JJGadgets</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/hrtkpf>
            <img src=https://avatars.githubusercontent.com/u/42646788?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=hrtkpf/>
@@ -700,8 +686,6 @@ make build
            <sub style="font-size:14px"><b>John Axel Eriksson</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/ShadowJonathan>
            <img src=https://avatars.githubusercontent.com/u/22740616?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Jonathan de Jong/>
@@ -709,20 +693,6 @@ make build
            <sub style="font-size:14px"><b>Jonathan de Jong</b></sub>
        </a>
    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/JulienFloris>
-            <img src=https://avatars.githubusercontent.com/u/20380255?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Julien Zweverink/>
-            <br />
-            <sub style="font-size:14px"><b>Julien Zweverink</b></sub>
-        </a>
-    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/win-t>
-            <img src=https://avatars.githubusercontent.com/u/1589120?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Kurnia D Win/>
-            <br />
-            <sub style="font-size:14px"><b>Kurnia D Win</b></sub>
-        </a>
-    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/foxtrot>
            <img src=https://avatars.githubusercontent.com/u/4153572?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Marc/>
@@ -730,6 +700,8 @@ make build
            <sub style="font-size:14px"><b>Marc</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/magf>
            <img src=https://avatars.githubusercontent.com/u/11992737?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Maxim Gajdaj/>
@@ -744,8 +716,6 @@ make build
            <sub style="font-size:14px"><b>Michael Savage</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/piec>
            <img src=https://avatars.githubusercontent.com/u/781471?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Pierre Carru/>
@@ -774,6 +744,8 @@ make build
            <sub style="font-size:14px"><b>rcursaru</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/renovate-bot>
            <img src=https://avatars.githubusercontent.com/u/25180681?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Mend Renovate/>
@@ -788,8 +760,13 @@ make build
            <sub style="font-size:14px"><b>Ryan Fowler</b></sub>
        </a>
    </td>
-</tr>
-<tr>
+    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
+        <a href=https://github.com/linsomniac>
+            <img src=https://avatars.githubusercontent.com/u/466380?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Sean Reifschneider/>
+            <br />
+            <sub style="font-size:14px"><b>Sean Reifschneider</b></sub>
+        </a>
+    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/shaananc>
            <img src=https://avatars.githubusercontent.com/u/2287839?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Shaanan Cohney/>
@@ -811,6 +788,8 @@ make build
            <sub style="font-size:14px"><b>sophware</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/m-tanner-dev0>
            <img src=https://avatars.githubusercontent.com/u/97977342?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tanner/>
@@ -825,15 +804,6 @@ make build
            <sub style="font-size:14px"><b>Teteros</b></sub>
        </a>
    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/Teteros>
-            <img src=https://avatars.githubusercontent.com/u/5067989?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Teteros/>
-            <br />
-            <sub style="font-size:14px"><b>Teteros</b></sub>
-        </a>
-    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/gitter-badger>
            <img src=https://avatars.githubusercontent.com/u/8518239?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=The Gitter Badger/>
@@ -862,6 +832,8 @@ make build
            <sub style="font-size:14px"><b>Tjerk Woudsma</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/y0ngb1n>
            <img src=https://avatars.githubusercontent.com/u/25719408?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Yang Bin/>
@@ -876,8 +848,6 @@ make build
            <sub style="font-size:14px"><b>Yujie Xia</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/newellz2>
            <img src=https://avatars.githubusercontent.com/u/52436542?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Zachary Newell/>
@@ -906,6 +876,8 @@ make build
            <sub style="font-size:14px"><b>Ziyuan Han</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/caelansar>
            <img src=https://avatars.githubusercontent.com/u/31852257?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=caelansar/>
@@ -920,8 +892,6 @@ make build
            <sub style="font-size:14px"><b>derelm</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/dnaq>
            <img src=https://avatars.githubusercontent.com/u/1299717?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=dnaq/>
@@ -950,6 +920,8 @@ make build
            <sub style="font-size:14px"><b>jimyag</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/magichuihui>
            <img src=https://avatars.githubusercontent.com/u/10866198?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=suhelen/>
@@ -964,8 +936,6 @@ make build
            <sub style="font-size:14px"><b>sharkonet</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/ma6174>
            <img src=https://avatars.githubusercontent.com/u/1449133?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=ma6174/>
@@ -980,18 +950,11 @@ make build
            <sub style="font-size:14px"><b>manju-rn</b></sub>
        </a>
    </td>
-    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
-        <a href=https://github.com/nicholas-yap>
-            <img src=https://avatars.githubusercontent.com/u/38109533?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=nicholas-yap/>
-            <br />
-            <sub style="font-size:14px"><b>nicholas-yap</b></sub>
-        </a>
-    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/pernila>
-            <img src=https://avatars.githubusercontent.com/u/12460060?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Tommi Pernila/>
+            <img src=https://avatars.githubusercontent.com/u/12460060?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=pernila/>
            <br />
-            <sub style="font-size:14px"><b>Tommi Pernila</b></sub>
+            <sub style="font-size:14px"><b>pernila</b></sub>
        </a>
    </td>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
@@ -1001,6 +964,8 @@ make build
            <sub style="font-size:14px"><b>phpmalik</b></sub>
        </a>
    </td>
+</tr>
+<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/Wakeful-Cloud>
            <img src=https://avatars.githubusercontent.com/u/38930607?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=Wakeful-Cloud/>
@@ -1008,8 +973,6 @@ make build
            <sub style="font-size:14px"><b>Wakeful-Cloud</b></sub>
        </a>
    </td>
-</tr>
-<tr>
    <td align="center" style="word-wrap: break-word; width: 150.0; height: 150.0">
        <a href=https://github.com/xpzouying>
            <img src=https://avatars.githubusercontent.com/u/3946563?v=4 width="100;"  style="border-radius:50%;align-items:center;justify-content:center;overflow:hidden;padding-top:10px" alt=zy/>
--- a/hscontrol/acls.go
+++ b/hscontrol/acls.go
@@ -1,4 +1,4 @@
-package hscontrol
+package headscale

 import (
 	"encoding/json"
@@ -59,8 +59,8 @@ const (

 var featureEnableSSH = envknob.RegisterBool("HEADSCALE_EXPERIMENTAL_FEATURE_SSH")

-// LoadACLPolicyFromPath loads the ACL policy from the specify path, and generates the ACL rules.
-func (h *Headscale) LoadACLPolicyFromPath(path string) error {
+// LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules.
+func (h *Headscale) LoadACLPolicy(path string) error {
 	log.Debug().
 		Str("func", "LoadACLPolicy").
 		Str("path", path).
@@ -72,42 +72,37 @@ func (h *Headscale) LoadACLPolicyFromPath(path string) error {
 	}
 	defer policyFile.Close()

+	var policy ACLPolicy
 	policyBytes, err := io.ReadAll(policyFile)
 	if err != nil {
 		return err
 	}

-	log.Debug().
-		Str("path", path).
-		Bytes("file", policyBytes).
-		Msg("Loading ACLs")
-
 	switch filepath.Ext(path) {
 	case ".yml", ".yaml":
-		return h.LoadACLPolicyFromBytes(policyBytes, "yaml")
-	}
+		log.Debug().
+			Str("path", path).
+			Bytes("file", policyBytes).
+			Msg("Loading ACLs from YAML")

-	return h.LoadACLPolicyFromBytes(policyBytes, "hujson")
-}
-
-func (h *Headscale) LoadACLPolicyFromBytes(acl []byte, format string) error {
-	var policy ACLPolicy
-	switch format {
-	case "yaml":
-		err := yaml.Unmarshal(acl, &policy)
+		err := yaml.Unmarshal(policyBytes, &policy)
 		if err != nil {
 			return err
 		}

+		log.Trace().
+			Interface("policy", policy).
+			Msg("Loaded policy from YAML")
+
 	default:
-		ast, err := hujson.Parse(acl)
+		ast, err := hujson.Parse(policyBytes)
 		if err != nil {
 			return err
 		}

 		ast.Standardize()
-		acl = ast.Pack()
-		err = json.Unmarshal(acl, &policy)
+		policyBytes = ast.Pack()
+		err = json.Unmarshal(policyBytes, &policy)
 		if err != nil {
 			return err
 		}
@@ -132,14 +127,21 @@ func (h *Headscale) UpdateACLRules() error {
 		return errEmptyPolicy
 	}

-	rules, err := h.aclPolicy.generateFilterRules(machines, h.cfg.OIDC.StripEmaildomain)
+	rules, err := generateACLRules(machines, *h.aclPolicy, h.cfg.OIDC.StripEmaildomain)
 	if err != nil {
 		return err
 	}
-
 	log.Trace().Interface("ACL", rules).Msg("ACL rules generated")
 	h.aclRules = rules

+	// Precompute a map of which sources can reach each destination, this is
+	// to provide quicker lookup when we calculate the peerlist for the map
+	// response to nodes.
+	aclPeerCacheMap := generateACLPeerCacheMap(rules)
+	h.aclPeerCacheMapRW.Lock()
+	h.aclPeerCacheMap = aclPeerCacheMap
+	h.aclPeerCacheMapRW.Unlock()
+
 	if featureEnableSSH() {
 		sshRules, err := h.generateSSHRules()
 		if err != nil {
@@ -157,28 +159,91 @@ func (h *Headscale) UpdateACLRules() error {
 	return nil
 }

-// generateFilterRules takes a set of machines and an ACLPolicy and generates a
-// set of Tailscale compatible FilterRules used to allow traffic on clients.
-func (pol *ACLPolicy) generateFilterRules(
+// generateACLPeerCacheMap takes a list of Tailscale filter rules and generates a map
+// of which Sources ("*" and IPs) can access destinations. This is to speed up the
+// process of generating MapResponses when deciding which Peers to inform nodes about.
+func generateACLPeerCacheMap(rules []tailcfg.FilterRule) map[string]map[string]struct{} {
+	aclCachePeerMap := make(map[string]map[string]struct{})
+	for _, rule := range rules {
+		for _, srcIP := range rule.SrcIPs {
+			for _, ip := range expandACLPeerAddr(srcIP) {
+				if data, ok := aclCachePeerMap[ip]; ok {
+					for _, dstPort := range rule.DstPorts {
+						for _, dstIP := range expandACLPeerAddr(dstPort.IP) {
+							data[dstIP] = struct{}{}
+						}
+					}
+				} else {
+					dstPortsMap := make(map[string]struct{}, len(rule.DstPorts))
+					for _, dstPort := range rule.DstPorts {
+						for _, dstIP := range expandACLPeerAddr(dstPort.IP) {
+							dstPortsMap[dstIP] = struct{}{}
+						}
+					}
+					aclCachePeerMap[ip] = dstPortsMap
+				}
+			}
+		}
+	}
+
+	log.Trace().Interface("ACL Cache Map", aclCachePeerMap).Msg("ACL Peer Cache Map generated")
+
+	return aclCachePeerMap
+}
+
+// expandACLPeerAddr takes a "tailcfg.FilterRule" "IP" and expands it into
+// something our cache logic can look up, which is "*" or single IP addresses.
+// This is probably quite inefficient, but it is a result of
+// "make it work, then make it fast", and a lot of the ACL stuff does not
+// work, but people have tried to make it fast.
+func expandACLPeerAddr(srcIP string) []string {
+	if ip, err := netip.ParseAddr(srcIP); err == nil {
+		return []string{ip.String()}
+	}
+
+	if cidr, err := netip.ParsePrefix(srcIP); err == nil {
+		addrs := []string{}
+
+		ipRange := netipx.RangeOfPrefix(cidr)
+
+		from := ipRange.From()
+		too := ipRange.To()
+
+		if from == too {
+			return []string{from.String()}
+		}
+
+		for from != too && from.Less(too) {
+			addrs = append(addrs, from.String())
+			from = from.Next()
+		}
+		addrs = append(addrs, too.String()) // Add the last IP address in the range
+
+		return addrs
+	}
+
+	// probably "*" or other string based "IP"
+	return []string{srcIP}
+}
+
+func generateACLRules(
 	machines []Machine,
-	stripEmailDomain bool,
+	aclPolicy ACLPolicy,
+	stripEmaildomain bool,
 ) ([]tailcfg.FilterRule, error) {
 	rules := []tailcfg.FilterRule{}

-	for index, acl := range pol.ACLs {
+	for index, acl := range aclPolicy.ACLs {
 		if acl.Action != "accept" {
 			return nil, errInvalidAction
 		}

 		srcIPs := []string{}
-		for srcIndex, src := range acl.Sources {
-			srcs, err := pol.getIPsFromSource(src, machines, stripEmailDomain)
+		for innerIndex, src := range acl.Sources {
+			srcs, err := generateACLPolicySrc(machines, aclPolicy, src, stripEmaildomain)
 			if err != nil {
 				log.Error().
-					Interface("src", src).
-					Int("ACL index", index).
-					Int("Src index", srcIndex).
-					Msgf("Error parsing ACL")
+					Msgf("Error parsing ACL %d, Source %d", index, innerIndex)

 				return nil, err
 			}
@@ -194,19 +259,17 @@ func (pol *ACLPolicy) generateFilterRules(
 		}

 		destPorts := []tailcfg.NetPortRange{}
-		for destIndex, dest := range acl.Destinations {
-			dests, err := pol.getNetPortRangeFromDestination(
-				dest,
+		for innerIndex, dest := range acl.Destinations {
+			dests, err := generateACLPolicyDest(
 				machines,
+				aclPolicy,
+				dest,
 				needsWildcard,
-				stripEmailDomain,
+				stripEmaildomain,
 			)
 			if err != nil {
 				log.Error().
-					Interface("dest", dest).
-					Int("ACL index", index).
-					Int("dest index", destIndex).
-					Msgf("Error parsing ACL")
+					Msgf("Error parsing ACL %d, Destination %d", index, innerIndex)

 				return nil, err
 			}
@@ -277,41 +340,22 @@ func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {

 		principals := make([]*tailcfg.SSHPrincipal, 0, len(sshACL.Sources))
 		for innerIndex, rawSrc := range sshACL.Sources {
-			if isWildcard(rawSrc) {
+			expandedSrcs, err := expandAlias(
+				machines,
+				*h.aclPolicy,
+				rawSrc,
+				h.cfg.OIDC.StripEmaildomain,
+			)
+			if err != nil {
+				log.Error().
+					Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
+
+				return nil, err
+			}
+			for _, expandedSrc := range expandedSrcs {
 				principals = append(principals, &tailcfg.SSHPrincipal{
-					Any: true,
+					NodeIP: expandedSrc,
 				})
-			} else if isGroup(rawSrc) {
-				users, err := h.aclPolicy.getUsersInGroup(rawSrc, h.cfg.OIDC.StripEmaildomain)
-				if err != nil {
-					log.Error().
-						Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
-
-					return nil, err
-				}
-
-				for _, user := range users {
-					principals = append(principals, &tailcfg.SSHPrincipal{
-						UserLogin: user,
-					})
-				}
-			} else {
-				expandedSrcs, err := h.aclPolicy.expandAlias(
-					machines,
-					rawSrc,
-					h.cfg.OIDC.StripEmaildomain,
-				)
-				if err != nil {
-					log.Error().
-						Msgf("Error parsing SSH %d, Source %d", index, innerIndex)
-
-					return nil, err
-				}
-				for _, expandedSrc := range expandedSrcs.Prefixes() {
-					principals = append(principals, &tailcfg.SSHPrincipal{
-						NodeIP: expandedSrc.Addr().String(),
-					})
-				}
 			}
 		}

@@ -320,9 +364,10 @@ func (h *Headscale) generateSSHRules() ([]*tailcfg.SSHRule, error) {
 			userMap[user] = "="
 		}
 		rules = append(rules, &tailcfg.SSHRule{
-			Principals: principals,
-			SSHUsers:   userMap,
-			Action:     &action,
+			RuleExpires: nil,
+			Principals:  principals,
+			SSHUsers:    userMap,
+			Action:      &action,
 		})
 	}

@@ -346,69 +391,31 @@ func sshCheckAction(duration string) (*tailcfg.SSHAction, error) {
 	}, nil
 }

-// getIPsFromSource returns a set of Source IPs that would be associated
-// with the given src alias.
-func (pol *ACLPolicy) getIPsFromSource(
-	src string,
+func generateACLPolicySrc(
 	machines []Machine,
+	aclPolicy ACLPolicy,
+	src string,
 	stripEmaildomain bool,
 ) ([]string, error) {
-	ipSet, err := pol.expandAlias(machines, src, stripEmaildomain)
-	if err != nil {
-		return []string{}, err
-	}
-
-	prefixes := []string{}
-
-	for _, prefix := range ipSet.Prefixes() {
-		prefixes = append(prefixes, prefix.String())
-	}
-
-	return prefixes, nil
+	return expandAlias(machines, aclPolicy, src, stripEmaildomain)
 }

-// getNetPortRangeFromDestination returns a set of tailcfg.NetPortRange
-// which are associated with the dest alias.
-func (pol *ACLPolicy) getNetPortRangeFromDestination(
-	dest string,
+func generateACLPolicyDest(
 	machines []Machine,
+	aclPolicy ACLPolicy,
+	dest string,
 	needsWildcard bool,
 	stripEmaildomain bool,
 ) ([]tailcfg.NetPortRange, error) {
-	var tokens []string
-
-	log.Trace().Str("destination", dest).Msg("generating policy destination")
-
-	// Check if there is a IPv4/6:Port combination, IPv6 has more than
-	// three ":".
-	tokens = strings.Split(dest, ":")
+	tokens := strings.Split(dest, ":")
 	if len(tokens) < expectedTokenItems || len(tokens) > 3 {
-		port := tokens[len(tokens)-1]
-
-		maybeIPv6Str := strings.TrimSuffix(dest, ":"+port)
-		log.Trace().Str("maybeIPv6Str", maybeIPv6Str).Msg("")
-
-		if maybeIPv6, err := netip.ParseAddr(maybeIPv6Str); err != nil && !maybeIPv6.Is6() {
-			log.Trace().Err(err).Msg("trying to parse as IPv6")
-
-			return nil, fmt.Errorf(
-				"failed to parse destination, tokens %v: %w",
-				tokens,
-				errInvalidPortFormat,
-			)
-		} else {
-			tokens = []string{maybeIPv6Str, port}
-		}
+		return nil, errInvalidPortFormat
 	}

-	log.Trace().Strs("tokens", tokens).Msg("generating policy destination")
-
 	var alias string
 	// We can have here stuff like:
 	// git-server:*
 	// 192.168.1.0/24:22
-	// fd7a:115c:a1e0::2:22
-	// fd7a:115c:a1e0::2/128:22
 	// tag:montreal-webserver:80,443
 	// tag:api-server:443
 	// example-host-1:*
@@ -418,8 +425,9 @@ func (pol *ACLPolicy) getNetPortRangeFromDestination(
 		alias = fmt.Sprintf("%s:%s", tokens[0], tokens[1])
 	}

-	expanded, err := pol.expandAlias(
+	expanded, err := expandAlias(
 		machines,
+		aclPolicy,
 		alias,
 		stripEmaildomain,
 	)
@@ -432,11 +440,11 @@ func (pol *ACLPolicy) getNetPortRangeFromDestination(
 	}

 	dests := []tailcfg.NetPortRange{}
-	for _, dest := range expanded.Prefixes() {
-		for _, port := range *ports {
+	for _, d := range expanded {
+		for _, p := range *ports {
 			pr := tailcfg.NetPortRange{
-				IP:    dest.String(),
-				Ports: port,
+				IP:    d,
+				Ports: p,
 			}
 			dests = append(dests, pr)
 		}
@@ -500,67 +508,115 @@ func parseProtocol(protocol string) ([]int, bool, error) {
 // - a group
 // - a tag
 // - a host
-// - an ip
-// - a cidr
 // and transform these in IPAddresses.
-func (pol *ACLPolicy) expandAlias(
-	machines Machines,
+func expandAlias(
+	machines []Machine,
+	aclPolicy ACLPolicy,
 	alias string,
 	stripEmailDomain bool,
-) (*netipx.IPSet, error) {
-	if isWildcard(alias) {
-		return parseIPSet("*", nil)
+) ([]string, error) {
+	ips := []string{}
+	if alias == "*" {
+		return []string{"*"}, nil
 	}

-	build := netipx.IPSetBuilder{}
-
 	log.Debug().
 		Str("alias", alias).
 		Msg("Expanding")

-	// if alias is a group
-	if isGroup(alias) {
-		return pol.getIPsFromGroup(alias, machines, stripEmailDomain)
+	if strings.HasPrefix(alias, "group:") {
+		users, err := expandGroup(aclPolicy, alias, stripEmailDomain)
+		if err != nil {
+			return ips, err
+		}
+		for _, n := range users {
+			nodes := filterMachinesByUser(machines, n)
+			for _, node := range nodes {
+				ips = append(ips, node.IPAddresses.ToStringSlice()...)
+			}
+		}
+
+		return ips, nil
 	}

-	// if alias is a tag
-	if isTag(alias) {
-		return pol.getIPsFromTag(alias, machines, stripEmailDomain)
+	if strings.HasPrefix(alias, "tag:") {
+		// check for forced tags
+		for _, machine := range machines {
+			if contains(machine.ForcedTags, alias) {
+				ips = append(ips, machine.IPAddresses.ToStringSlice()...)
+			}
+		}
+
+		// find tag owners
+		owners, err := expandTagOwners(aclPolicy, alias, stripEmailDomain)
+		if err != nil {
+			if errors.Is(err, errInvalidTag) {
+				if len(ips) == 0 {
+					return ips, fmt.Errorf(
+						"%w. %v isn't owned by a TagOwner and no forced tags are defined",
+						errInvalidTag,
+						alias,
+					)
+				}
+
+				return ips, nil
+			} else {
+				return ips, err
+			}
+		}
+
+		// filter out machines per tag owner
+		for _, user := range owners {
+			machines := filterMachinesByUser(machines, user)
+			for _, machine := range machines {
+				hi := machine.GetHostInfo()
+				if contains(hi.RequestTags, alias) {
+					ips = append(ips, machine.IPAddresses.ToStringSlice()...)
+				}
+			}
+		}
+
+		return ips, nil
 	}

 	// if alias is a user
-	if ips, err := pol.getIPsForUser(alias, machines, stripEmailDomain); ips != nil {
-		return ips, err
+	nodes := filterMachinesByUser(machines, alias)
+	nodes = excludeCorrectlyTaggedNodes(aclPolicy, nodes, alias, stripEmailDomain)
+
+	for _, n := range nodes {
+		ips = append(ips, n.IPAddresses.ToStringSlice()...)
+	}
+	if len(ips) > 0 {
+		return ips, nil
 	}

 	// if alias is an host
-	// Note, this is recursive.
-	if h, ok := pol.Hosts[alias]; ok {
-		log.Trace().Str("host", h.String()).Msg("expandAlias got hosts entry")
-
-		return pol.expandAlias(machines, h.String(), stripEmailDomain)
+	if h, ok := aclPolicy.Hosts[alias]; ok {
+		return []string{h.String()}, nil
 	}

 	// if alias is an IP
-	if ip, err := netip.ParseAddr(alias); err == nil {
-		return pol.getIPsFromSingleIP(ip, machines)
+	ip, err := netip.ParseAddr(alias)
+	if err == nil {
+		return []string{ip.String()}, nil
 	}

-	// if alias is an IP Prefix (CIDR)
-	if prefix, err := netip.ParsePrefix(alias); err == nil {
-		return pol.getIPsFromIPPrefix(prefix, machines)
+	// if alias is an CIDR
+	cidr, err := netip.ParsePrefix(alias)
+	if err == nil {
+		return []string{cidr.String()}, nil
 	}

 	log.Warn().Msgf("No IPs found with the alias %v", alias)

-	return build.IPSet()
+	return ips, nil
 }

 // excludeCorrectlyTaggedNodes will remove from the list of input nodes the ones
 // that are correctly tagged since they should not be listed as being in the user
 // we assume in this function that we only have nodes from 1 user.
 func excludeCorrectlyTaggedNodes(
-	aclPolicy *ACLPolicy,
+	aclPolicy ACLPolicy,
 	nodes []Machine,
 	user string,
 	stripEmailDomain bool,
@@ -568,7 +624,7 @@ func excludeCorrectlyTaggedNodes(
 	out := []Machine{}
 	tags := []string{}
 	for tag := range aclPolicy.TagOwners {
-		owners, _ := getTagOwners(aclPolicy, user, stripEmailDomain)
+		owners, _ := expandTagOwners(aclPolicy, user, stripEmailDomain)
 		ns := append(owners, user)
 		if contains(ns, user) {
 			tags = append(tags, tag)
@@ -598,7 +654,7 @@ func excludeCorrectlyTaggedNodes(
 }

 func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, error) {
-	if isWildcard(portsStr) {
+	if portsStr == "*" {
 		return &[]tailcfg.PortRange{
 			{First: portRangeBegin, Last: portRangeEnd},
 		}, nil
@@ -610,7 +666,6 @@ func expandPorts(portsStr string, needsWildcard bool) (*[]tailcfg.PortRange, err

 	ports := []tailcfg.PortRange{}
 	for _, portStr := range strings.Split(portsStr, ",") {
-		log.Trace().Msgf("parsing portstring: %s", portStr)
 		rang := strings.Split(portStr, "-")
 		switch len(rang) {
 		case 1:
@@ -656,15 +711,15 @@ func filterMachinesByUser(machines []Machine, user string) []Machine {
 	return out
 }

-// getTagOwners will return a list of user. An owner can be either a user or a group
+// expandTagOwners will return a list of user. An owner can be either a user or a group
 // a group cannot be composed of groups.
-func getTagOwners(
-	pol *ACLPolicy,
+func expandTagOwners(
+	aclPolicy ACLPolicy,
 	tag string,
 	stripEmailDomain bool,
 ) ([]string, error) {
 	var owners []string
-	ows, ok := pol.TagOwners[tag]
+	ows, ok := aclPolicy.TagOwners[tag]
 	if !ok {
 		return []string{}, fmt.Errorf(
 			"%w. %v isn't owned by a TagOwner. Please add one first. https://tailscale.com/kb/1018/acls/#tag-owners",
@@ -673,8 +728,8 @@ func getTagOwners(
 		)
 	}
 	for _, owner := range ows {
-		if isGroup(owner) {
-			gs, err := pol.getUsersInGroup(owner, stripEmailDomain)
+		if strings.HasPrefix(owner, "group:") {
+			gs, err := expandGroup(aclPolicy, owner, stripEmailDomain)
 			if err != nil {
 				return []string{}, err
 			}
@@ -687,15 +742,15 @@ func getTagOwners(
 	return owners, nil
 }

-// getUsersInGroup will return the list of user inside the group
+// expandGroup will return the list of user inside the group
 // after some validation.
-func (pol *ACLPolicy) getUsersInGroup(
+func expandGroup(
+	aclPolicy ACLPolicy,
 	group string,
 	stripEmailDomain bool,
 ) ([]string, error) {
-	users := []string{}
-	log.Trace().Caller().Interface("pol", pol).Msg("test")
-	aclGroups, ok := pol.Groups[group]
+	outGroups := []string{}
+	aclGroups, ok := aclPolicy.Groups[group]
 	if !ok {
 		return []string{}, fmt.Errorf(
 			"group %v isn't registered. %w",
@@ -704,7 +759,7 @@ func (pol *ACLPolicy) getUsersInGroup(
 		)
 	}
 	for _, group := range aclGroups {
-		if isGroup(group) {
+		if strings.HasPrefix(group, "group:") {
 			return []string{}, fmt.Errorf(
 				"%w. A group cannot be composed of groups. https://tailscale.com/kb/1018/acls/#groups",
 				errInvalidGroup,
@@ -718,151 +773,8 @@ func (pol *ACLPolicy) getUsersInGroup(
 				errInvalidGroup,
 			)
 		}
-		users = append(users, grp)
+		outGroups = append(outGroups, grp)
 	}

-	return users, nil
-}
-
-func (pol *ACLPolicy) getIPsFromGroup(
-	group string,
-	machines Machines,
-	stripEmailDomain bool,
-) (*netipx.IPSet, error) {
-	build := netipx.IPSetBuilder{}
-
-	users, err := pol.getUsersInGroup(group, stripEmailDomain)
-	if err != nil {
-		return &netipx.IPSet{}, err
-	}
-	for _, user := range users {
-		filteredMachines := filterMachinesByUser(machines, user)
-		for _, machine := range filteredMachines {
-			machine.IPAddresses.AppendToIPSet(&build)
-		}
-	}
-
-	return build.IPSet()
-}
-
-func (pol *ACLPolicy) getIPsFromTag(
-	alias string,
-	machines Machines,
-	stripEmailDomain bool,
-) (*netipx.IPSet, error) {
-	build := netipx.IPSetBuilder{}
-
-	// check for forced tags
-	for _, machine := range machines {
-		if contains(machine.ForcedTags, alias) {
-			machine.IPAddresses.AppendToIPSet(&build)
-		}
-	}
-
-	// find tag owners
-	owners, err := getTagOwners(pol, alias, stripEmailDomain)
-	if err != nil {
-		if errors.Is(err, errInvalidTag) {
-			ipSet, _ := build.IPSet()
-			if len(ipSet.Prefixes()) == 0 {
-				return ipSet, fmt.Errorf(
-					"%w. %v isn't owned by a TagOwner and no forced tags are defined",
-					errInvalidTag,
-					alias,
-				)
-			}
-
-			return build.IPSet()
-		} else {
-			return nil, err
-		}
-	}
-
-	// filter out machines per tag owner
-	for _, user := range owners {
-		machines := filterMachinesByUser(machines, user)
-		for _, machine := range machines {
-			hi := machine.GetHostInfo()
-			if contains(hi.RequestTags, alias) {
-				machine.IPAddresses.AppendToIPSet(&build)
-			}
-		}
-	}
-
-	return build.IPSet()
-}
-
-func (pol *ACLPolicy) getIPsForUser(
-	user string,
-	machines Machines,
-	stripEmailDomain bool,
-) (*netipx.IPSet, error) {
-	build := netipx.IPSetBuilder{}
-
-	filteredMachines := filterMachinesByUser(machines, user)
-	filteredMachines = excludeCorrectlyTaggedNodes(pol, filteredMachines, user, stripEmailDomain)
-
-	// shortcurcuit if we have no machines to get ips from.
-	if len(filteredMachines) == 0 {
-		return nil, nil //nolint
-	}
-
-	for _, machine := range filteredMachines {
-		machine.IPAddresses.AppendToIPSet(&build)
-	}
-
-	return build.IPSet()
-}
-
-func (pol *ACLPolicy) getIPsFromSingleIP(
-	ip netip.Addr,
-	machines Machines,
-) (*netipx.IPSet, error) {
-	log.Trace().Str("ip", ip.String()).Msg("expandAlias got ip")
-
-	matches := machines.FilterByIP(ip)
-
-	build := netipx.IPSetBuilder{}
-	build.Add(ip)
-
-	for _, machine := range matches {
-		machine.IPAddresses.AppendToIPSet(&build)
-	}
-
-	return build.IPSet()
-}
-
-func (pol *ACLPolicy) getIPsFromIPPrefix(
-	prefix netip.Prefix,
-	machines Machines,
-) (*netipx.IPSet, error) {
-	log.Trace().Str("prefix", prefix.String()).Msg("expandAlias got prefix")
-	build := netipx.IPSetBuilder{}
-	build.AddPrefix(prefix)
-
-	// This is suboptimal and quite expensive, but if we only add the prefix, we will miss all the relevant IPv6
-	// addresses for the hosts that belong to tailscale. This doesnt really affect stuff like subnet routers.
-	for _, machine := range machines {
-		for _, ip := range machine.IPAddresses {
-			// log.Trace().
-			// 	Msgf("checking if machine ip (%s) is part of prefix (%s): %v, is single ip prefix (%v), addr: %s", ip.String(), prefix.String(), prefix.Contains(ip), prefix.IsSingleIP(), prefix.Addr().String())
-			if prefix.Contains(ip) {
-				machine.IPAddresses.AppendToIPSet(&build)
-			}
-		}
-	}
-
-	return build.IPSet()
-}
-
-func isWildcard(str string) bool {
-	return str == "*"
-}
-
-func isGroup(str string) bool {
-	return strings.HasPrefix(str, "group:")
-}
-
-func isTag(str string) bool {
-	return strings.HasPrefix(str, "tag:")
+	return outGroups, nil
 }
--- a/hscontrol/acls_test.go
+++ b/hscontrol/acls_test.go
--- a/hscontrol/acls_types.go
+++ b/hscontrol/acls_types.go
@@ -1,4 +1,4 @@
-package hscontrol
+package headscale

 import (
 	"encoding/json"
@@ -111,8 +111,8 @@ func (hosts *Hosts) UnmarshalYAML(data []byte) error {
 }

 // IsZero is perhaps a bit naive here.
-func (pol ACLPolicy) IsZero() bool {
-	if len(pol.Groups) == 0 && len(pol.Hosts) == 0 && len(pol.ACLs) == 0 {
+func (policy ACLPolicy) IsZero() bool {
+	if len(policy.Groups) == 0 && len(policy.Hosts) == 0 && len(policy.ACLs) == 0 {
 		return true
 	}

--- a/hscontrol/api.go
+++ b/hscontrol/api.go
@@ -1,4 +1,4 @@
-package hscontrol
+package headscale

 import (
 	"bytes"
--- a/hscontrol/api_common.go
+++ b/hscontrol/api_common.go
@@ -1,4 +1,4 @@
-package hscontrol
+package headscale

 import (
 	"time"
--- a/hscontrol/api_key.go
+++ b/hscontrol/api_key.go
@@ -1,4 +1,4 @@
-package hscontrol
+package headscale

 import (
 	"fmt"
--- a/hscontrol/api_key_test.go
+++ b/hscontrol/api_key_test.go
@@ -1,4 +1,4 @@
-package hscontrol
+package headscale

 import (
 	"time"
--- a/hscontrol/app.go
+++ b/hscontrol/app.go
@@ -1,4 +1,4 @@
-package hscontrol
+package headscale

 import (
 	"context"
@@ -21,7 +21,6 @@ import (
 	"github.com/gorilla/mux"
 	grpcMiddleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
-	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/patrickmn/go-cache"
 	zerolog "github.com/philip-bui/grpc-zerolog"
@@ -85,9 +84,11 @@ type Headscale struct {
 	DERPMap    *tailcfg.DERPMap
 	DERPServer *DERPServer

-	aclPolicy *ACLPolicy
-	aclRules  []tailcfg.FilterRule
-	sshPolicy *tailcfg.SSHPolicy
+	aclPolicy         *ACLPolicy
+	aclRules          []tailcfg.FilterRule
+	aclPeerCacheMapRW sync.RWMutex
+	aclPeerCacheMap   map[string]map[string]struct{}
+	sshPolicy         *tailcfg.SSHPolicy

 	lastStateChange *xsync.MapOf[string, time.Time]

@@ -508,10 +509,8 @@ func (h *Headscale) createRouter(grpcMux *runtime.ServeMux) *mux.Router {
 	router.HandleFunc("/windows", h.WindowsConfigMessage).Methods(http.MethodGet)
 	router.HandleFunc("/windows/tailscale.reg", h.WindowsRegConfig).
 		Methods(http.MethodGet)
-
-	// TODO(kristoffer): move swagger into a package
-	router.HandleFunc("/swagger", headscale.SwaggerUI).Methods(http.MethodGet)
-	router.HandleFunc("/swagger/v1/openapiv2.json", headscale.SwaggerAPIv1).
+	router.HandleFunc("/swagger", SwaggerUI).Methods(http.MethodGet)
+	router.HandleFunc("/swagger/v1/openapiv2.json", SwaggerAPIv1).
 		Methods(http.MethodGet)

 	if h.cfg.DERP.ServerEnabled {
@@ -761,7 +760,7 @@ func (h *Headscale) Serve() error {

 				if h.cfg.ACL.PolicyPath != "" {
 					aclPath := AbsolutePathFromConfigPath(h.cfg.ACL.PolicyPath)
-					err := h.LoadACLPolicyFromPath(aclPath)
+					err := h.LoadACLPolicy(aclPath)
 					if err != nil {
 						log.Error().Err(err).Msg("Failed to reload ACL policy")
 					}
@@ -821,6 +820,7 @@ func (h *Headscale) Serve() error {

 				// And we're done:
 				cancel()
+				os.Exit(0)
 			}
 		}
 	}
--- a/hscontrol/app_test.go
+++ b/hscontrol/app_test.go
@@ -1,4 +1,4 @@
-package hscontrol
+package headscale

 import (
 	"net/netip"
--- a/cmd/build-docker-img/main.go
+++ b/cmd/build-docker-img/main.go
@@ -1,47 +0,0 @@
-package main
-
-import (
-	"log"
-
-	"github.com/juanfont/headscale/integration"
-	"github.com/juanfont/headscale/integration/tsic"
-	"github.com/ory/dockertest/v3"
-)
-
-func main() {
-	log.Printf("creating docker pool")
-	pool, err := dockertest.NewPool("")
-	if err != nil {
-		log.Fatalf("could not connect to docker: %s", err)
-	}
-
-	log.Printf("creating docker network")
-	network, err := pool.CreateNetwork("docker-integration-net")
-	if err != nil {
-		log.Fatalf("failed to create or get network: %s", err)
-	}
-
-	for _, version := range integration.TailscaleVersions {
-		log.Printf("creating container image for Tailscale (%s)", version)
-
-		tsClient, err := tsic.New(
-			pool,
-			version,
-			network,
-		)
-		if err != nil {
-			log.Fatalf("failed to create tailscale node: %s", err)
-		}
-
-		err = tsClient.Shutdown()
-		if err != nil {
-			log.Fatalf("failed to shut down container: %s", err)
-		}
-	}
-
-	network.Close()
-	err = pool.RemoveNetwork(network)
-	if err != nil {
-		log.Fatalf("failed to remove network: %s", err)
-	}
-}
--- a/cmd/gh-action-integration-generator/main.go
+++ b/cmd/gh-action-integration-generator/main.go
@@ -64,7 +64,7 @@ jobs:
              --volume /var/run/docker.sock:/var/run/docker.sock \
              --volume $PWD/control_logs:/tmp/control \
              golang:1 \
-                go run gotest.tools/gotestsum@latest -- ./... \
+                go test ./... \
                  -tags ts2019 \
                  -failfast \
                  -timeout 120m \
@@ -76,12 +76,6 @@ jobs:
        with:
          name: logs
          path: "control_logs/*.log"
-
-      - uses: actions/upload-artifact@v3
-        if: always() && steps.changed-files.outputs.any_changed == 'true'
-        with:
-          name: pprof
-          path: "control_logs/*.pprof.tar"
 `),
 	)
 )
--- a/cmd/headscale/cli/api_key.go
+++ b/cmd/headscale/cli/api_key.go
@@ -5,8 +5,8 @@ import (
 	"strconv"
 	"time"

+	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol"
 	"github.com/prometheus/common/model"
 	"github.com/pterm/pterm"
 	"github.com/rs/zerolog/log"
@@ -83,7 +83,7 @@ var listAPIKeys = &cobra.Command{
 			}

 			tableData = append(tableData, []string{
-				strconv.FormatUint(key.GetId(), hscontrol.Base10),
+				strconv.FormatUint(key.GetId(), headscale.Base10),
 				key.GetPrefix(),
 				expiration,
 				key.GetCreatedAt().AsTime().Format(HeadscaleDateTimeFormat),
--- a/cmd/headscale/cli/debug.go
+++ b/cmd/headscale/cli/debug.go
@@ -3,8 +3,8 @@ package cli
 import (
 	"fmt"

+	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -93,7 +93,7 @@ var createNodeCmd = &cobra.Command{

 			return
 		}
-		if !hscontrol.NodePublicKeyRegex.Match([]byte(machineKey)) {
+		if !headscale.NodePublicKeyRegex.Match([]byte(machineKey)) {
 			err = errPreAuthKeyMalformed
 			ErrorOutput(
 				err,
--- a/cmd/headscale/cli/nodes.go
+++ b/cmd/headscale/cli/nodes.go
@@ -9,8 +9,8 @@ import (
 	"time"

 	survey "github.com/AlecAivazis/survey/v2"
+	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol"
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -529,7 +529,7 @@ func nodesToPtables(

 		var machineKey key.MachinePublic
 		err := machineKey.UnmarshalText(
-			[]byte(hscontrol.MachinePublicKeyEnsurePrefix(machine.MachineKey)),
+			[]byte(headscale.MachinePublicKeyEnsurePrefix(machine.MachineKey)),
 		)
 		if err != nil {
 			machineKey = key.MachinePublic{}
@@ -537,7 +537,7 @@ func nodesToPtables(

 		var nodeKey key.NodePublic
 		err = nodeKey.UnmarshalText(
-			[]byte(hscontrol.NodePublicKeyEnsurePrefix(machine.NodeKey)),
+			[]byte(headscale.NodePublicKeyEnsurePrefix(machine.NodeKey)),
 		)
 		if err != nil {
 			return nil, err
@@ -596,7 +596,7 @@ func nodesToPtables(
 		}

 		nodeData := []string{
-			strconv.FormatUint(machine.Id, hscontrol.Base10),
+			strconv.FormatUint(machine.Id, headscale.Base10),
 			machine.Name,
 			machine.GetGivenName(),
 			machineKey.ShortString(),
--- a/cmd/headscale/cli/root.go
+++ b/cmd/headscale/cli/root.go
@@ -5,7 +5,7 @@ import (
 	"os"
 	"runtime"

-	"github.com/juanfont/headscale/hscontrol"
+	"github.com/juanfont/headscale"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
@@ -38,18 +38,18 @@ func initConfig() {
 		cfgFile = os.Getenv("HEADSCALE_CONFIG")
 	}
 	if cfgFile != "" {
-		err := hscontrol.LoadConfig(cfgFile, true)
+		err := headscale.LoadConfig(cfgFile, true)
 		if err != nil {
 			log.Fatal().Caller().Err(err).Msgf("Error loading config file %s", cfgFile)
 		}
 	} else {
-		err := hscontrol.LoadConfig("", false)
+		err := headscale.LoadConfig("", false)
 		if err != nil {
 			log.Fatal().Caller().Err(err).Msgf("Error loading config")
 		}
 	}

-	cfg, err := hscontrol.GetHeadscaleConfig()
+	cfg, err := headscale.GetHeadscaleConfig()
 	if err != nil {
 		log.Fatal().Caller().Err(err)
 	}
@@ -64,7 +64,7 @@ func initConfig() {
 		zerolog.SetGlobalLevel(zerolog.Disabled)
 	}

-	if cfg.Log.Format == hscontrol.JSONLogFormat {
+	if cfg.Log.Format == headscale.JSONLogFormat {
 		log.Logger = log.Output(os.Stdout)
 	}

--- a/cmd/headscale/cli/routes.go
+++ b/cmd/headscale/cli/routes.go
@@ -6,8 +6,8 @@ import (
 	"net/netip"
 	"strconv"

+	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol"
 	"github.com/pterm/pterm"
 	"github.com/spf13/cobra"
 	"google.golang.org/grpc/status"
@@ -277,7 +277,7 @@ func routesToPtables(routes []*v1.Route) pterm.TableData {

 			continue
 		}
-		if prefix == hscontrol.ExitRouteV4 || prefix == hscontrol.ExitRouteV6 {
+		if prefix == headscale.ExitRouteV4 || prefix == headscale.ExitRouteV6 {
 			isPrimaryStr = "-"
 		} else {
 			isPrimaryStr = strconv.FormatBool(route.IsPrimary)
--- a/cmd/headscale/cli/users.go
+++ b/cmd/headscale/cli/users.go
@@ -4,8 +4,8 @@ import (
 	"fmt"

 	survey "github.com/AlecAivazis/survey/v2"
+	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol"
 	"github.com/pterm/pterm"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
@@ -21,7 +21,7 @@ func init() {
 }

 const (
-	errMissingParameter = hscontrol.Error("missing parameters")
+	errMissingParameter = headscale.Error("missing parameters")
 )

 var userCmd = &cobra.Command{
--- a/cmd/headscale/cli/utils.go
+++ b/cmd/headscale/cli/utils.go
@@ -8,8 +8,8 @@ import (
 	"os"
 	"reflect"

+	"github.com/juanfont/headscale"
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol"
 	"github.com/rs/zerolog/log"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
@@ -22,8 +22,8 @@ const (
 	SocketWritePermissions  = 0o666
 )

-func getHeadscaleApp() (*hscontrol.Headscale, error) {
-	cfg, err := hscontrol.GetHeadscaleConfig()
+func getHeadscaleApp() (*headscale.Headscale, error) {
+	cfg, err := headscale.GetHeadscaleConfig()
 	if err != nil {
 		return nil, fmt.Errorf(
 			"failed to load configuration while creating headscale instance: %w",
@@ -31,7 +31,7 @@ func getHeadscaleApp() (*hscontrol.Headscale, error) {
 		)
 	}

-	app, err := hscontrol.NewHeadscale(cfg)
+	app, err := headscale.NewHeadscale(cfg)
 	if err != nil {
 		return nil, err
 	}
@@ -39,8 +39,8 @@ func getHeadscaleApp() (*hscontrol.Headscale, error) {
 	// We are doing this here, as in the future could be cool to have it also hot-reload

 	if cfg.ACL.PolicyPath != "" {
-		aclPath := hscontrol.AbsolutePathFromConfigPath(cfg.ACL.PolicyPath)
-		err = app.LoadACLPolicyFromPath(aclPath)
+		aclPath := headscale.AbsolutePathFromConfigPath(cfg.ACL.PolicyPath)
+		err = app.LoadACLPolicy(aclPath)
 		if err != nil {
 			log.Fatal().
 				Str("path", aclPath).
@@ -53,7 +53,7 @@ func getHeadscaleApp() (*hscontrol.Headscale, error) {
 }

 func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.ClientConn, context.CancelFunc) {
-	cfg, err := hscontrol.GetHeadscaleConfig()
+	cfg, err := headscale.GetHeadscaleConfig()
 	if err != nil {
 		log.Fatal().
 			Err(err).
@@ -74,7 +74,7 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.

 	address := cfg.CLI.Address

-	// If the address is not set, we assume that we are on the server hosting hscontrol.
+	// If the address is not set, we assume that we are on the server hosting headscale.
 	if address == "" {
 		log.Debug().
 			Str("socket", cfg.UnixSocket).
@@ -98,7 +98,7 @@ func getHeadscaleCLIClient() (context.Context, v1.HeadscaleServiceClient, *grpc.
 		grpcOptions = append(
 			grpcOptions,
 			grpc.WithTransportCredentials(insecure.NewCredentials()),
-			grpc.WithContextDialer(hscontrol.GrpcSocketDialer),
+			grpc.WithContextDialer(headscale.GrpcSocketDialer),
 		)
 	} else {
 		// If we are not connecting to a local server, require an API key for authentication
--- a/cmd/headscale/headscale.go
+++ b/cmd/headscale/headscale.go
@@ -6,25 +6,11 @@ import (

 	"github.com/efekarakus/termcolor"
 	"github.com/juanfont/headscale/cmd/headscale/cli"
-	"github.com/pkg/profile"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 )

 func main() {
-	if _, enableProfile := os.LookupEnv("HEADSCALE_PROFILING_ENABLED"); enableProfile {
-		if profilePath, ok := os.LookupEnv("HEADSCALE_PROFILING_PATH"); ok {
-			err := os.MkdirAll(profilePath, os.ModePerm)
-			if err != nil {
-				log.Fatal().Err(err).Msg("failed to create profiling directory")
-			}
-
-			defer profile.Start(profile.ProfilePath(profilePath)).Stop()
-		} else {
-			defer profile.Start().Stop()
-		}
-	}
-
 	var colors bool
 	switch l := termcolor.SupportLevel(os.Stderr); l {
 	case termcolor.Level16M:
--- a/cmd/headscale/headscale_test.go
+++ b/cmd/headscale/headscale_test.go
@@ -7,7 +7,7 @@ import (
 	"strings"
 	"testing"

-	"github.com/juanfont/headscale/hscontrol"
+	"github.com/juanfont/headscale"
 	"github.com/spf13/viper"
 	"gopkg.in/check.v1"
 )
@@ -50,7 +50,7 @@ func (*Suite) TestConfigFileLoading(c *check.C) {
 	}

 	// Load example config, it should load without validation errors
-	err = hscontrol.LoadConfig(cfgFile, true)
+	err = headscale.LoadConfig(cfgFile, true)
 	c.Assert(err, check.IsNil)

 	// Test that config file was interpreted correctly
@@ -58,13 +58,13 @@ func (*Suite) TestConfigFileLoading(c *check.C) {
 	c.Assert(viper.GetString("listen_addr"), check.Equals, "127.0.0.1:8080")
 	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
 	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
-	c.Assert(viper.GetString("db_path"), check.Equals, "/var/lib/headscale/db.sqlite")
+	c.Assert(viper.GetString("db_path"), check.Equals, "./db.sqlite")
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
 	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
 	c.Assert(
-		hscontrol.GetFileMode("unix_socket_permission"),
+		headscale.GetFileMode("unix_socket_permission"),
 		check.Equals,
 		fs.FileMode(0o770),
 	)
@@ -93,7 +93,7 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	}

 	// Load example config, it should load without validation errors
-	err = hscontrol.LoadConfig(tmpDir, false)
+	err = headscale.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)

 	// Test that config file was interpreted correctly
@@ -101,13 +101,13 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	c.Assert(viper.GetString("listen_addr"), check.Equals, "127.0.0.1:8080")
 	c.Assert(viper.GetString("metrics_listen_addr"), check.Equals, "127.0.0.1:9090")
 	c.Assert(viper.GetString("db_type"), check.Equals, "sqlite3")
-	c.Assert(viper.GetString("db_path"), check.Equals, "/var/lib/headscale/db.sqlite")
+	c.Assert(viper.GetString("db_path"), check.Equals, "./db.sqlite")
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
 	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
 	c.Assert(
-		hscontrol.GetFileMode("unix_socket_permission"),
+		headscale.GetFileMode("unix_socket_permission"),
 		check.Equals,
 		fs.FileMode(0o770),
 	)
@@ -137,10 +137,10 @@ func (*Suite) TestDNSConfigLoading(c *check.C) {
 	}

 	// Load example config, it should load without validation errors
-	err = hscontrol.LoadConfig(tmpDir, false)
+	err = headscale.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)

-	dnsConfig, baseDomain := hscontrol.GetDNSConfig()
+	dnsConfig, baseDomain := headscale.GetDNSConfig()

 	c.Assert(dnsConfig.Nameservers[0].String(), check.Equals, "1.1.1.1")
 	c.Assert(dnsConfig.Resolvers[0].Addr, check.Equals, "1.1.1.1")
@@ -172,7 +172,7 @@ noise:
 	writeConfig(c, tmpDir, configYaml)

 	// Check configuration validation errors (1)
-	err = hscontrol.LoadConfig(tmpDir, false)
+	err = headscale.LoadConfig(tmpDir, false)
 	c.Assert(err, check.NotNil)
 	// check.Matches can not handle multiline strings
 	tmp := strings.ReplaceAll(err.Error(), "\n", "***")
@@ -201,6 +201,6 @@ tls_letsencrypt_hostname: example.com
 tls_letsencrypt_challenge_type: TLS-ALPN-01
 `)
 	writeConfig(c, tmpDir, configYaml)
-	err = hscontrol.LoadConfig(tmpDir, false)
+	err = headscale.LoadConfig(tmpDir, false)
 	c.Assert(err, check.IsNil)
 }
--- a/config-example.yaml
+++ b/config-example.yaml
@@ -44,7 +44,9 @@ grpc_allow_insecure: false
 # and Tailscale clients.
 # The private key file will be autogenerated if it's missing.
 #
-private_key_path: /var/lib/headscale/private.key
+# For production:
+# /var/lib/headscale/private.key
+private_key_path: ./private.key

 # The Noise section includes specific configuration for the
 # TS2021 Noise protocol
@@ -53,17 +55,19 @@ noise:
  # traffic between headscale and Tailscale clients when
  # using the new Noise-based protocol. It must be different
  # from the legacy private key.
-  private_key_path: /var/lib/headscale/noise_private.key
+  #
+  # For production:
+  # private_key_path: /var/lib/headscale/noise_private.key
+  private_key_path: ./noise_private.key

 # List of IP prefixes to allocate tailaddresses from.
 # Each prefix consists of either an IPv4 or IPv6 address,
 # and the associated prefix length, delimited by a slash.
-# It must be within IP ranges supported by the Tailscale
-# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48.
-# See below:
+# While this looks like it can take arbitrary values, it
+# needs to be within IP ranges supported by the Tailscale
+# client.
 # IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71
 # IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33
-# Any other range is NOT supported, and it will cause unexpected issues.
 ip_prefixes:
  - fd7a:115c:a1e0::/48
  - 100.64.0.0/10
@@ -133,7 +137,8 @@ node_update_check_interval: 10s
 db_type: sqlite3

 # For production:
-db_path: /var/lib/headscale/db.sqlite
+# db_path: /var/lib/headscale/db.sqlite
+db_path: ./db.sqlite

 # # Postgres config
 # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
@@ -167,7 +172,8 @@ tls_letsencrypt_hostname: ""
 # Path to store certificates and metadata needed by
 # letsencrypt
 # For production:
-tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+# tls_letsencrypt_cache_dir: /var/lib/headscale/cache
+tls_letsencrypt_cache_dir: ./cache

 # Type of ACME challenge to use, currently supported types:
 # HTTP-01 or TLS-ALPN-01
@@ -257,7 +263,8 @@ dns_config:

 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
-unix_socket: /var/run/headscale/headscale.sock
+# unix_socket: /var/run/headscale.sock
+unix_socket: ./headscale.sock
 unix_socket_permission: "0770"
 #
 # headscale supports experimental OpenID connect support,
--- a/hscontrol/config.go
+++ b/hscontrol/config.go
@@ -1,4 +1,4 @@
-package hscontrol
+package headscale

 import (
 	"errors"
@@ -16,7 +16,6 @@ import (
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/viper"
 	"go4.org/netipx"
-	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/dnstype"
 )
@@ -175,7 +174,7 @@ func LoadConfig(path string, isFile bool) error {
 	viper.SetDefault("derp.server.enabled", false)
 	viper.SetDefault("derp.server.stun.enabled", true)

-	viper.SetDefault("unix_socket", "/var/run/headscale/headscale.sock")
+	viper.SetDefault("unix_socket", "/var/run/headscale.sock")
 	viper.SetDefault("unix_socket_permission", "0o770")

 	viper.SetDefault("grpc_listen_addr", ":50443")
@@ -516,29 +515,6 @@ func GetHeadscaleConfig() (*Config, error) {
 		if err != nil {
 			panic(fmt.Errorf("failed to parse ip_prefixes[%d]: %w", i, err))
 		}
-
-		if prefix.Addr().Is4() {
-			builder := netipx.IPSetBuilder{}
-			builder.AddPrefix(tsaddr.CGNATRange())
-			ipSet, _ := builder.IPSet()
-			if !ipSet.ContainsPrefix(prefix) {
-				log.Warn().
-					Msgf("Prefix %s is not in the %s range. This is an unsupported configuration.",
-						prefixInConfig, tsaddr.CGNATRange())
-			}
-		}
-
-		if prefix.Addr().Is6() {
-			builder := netipx.IPSetBuilder{}
-			builder.AddPrefix(tsaddr.TailscaleULARange())
-			ipSet, _ := builder.IPSet()
-			if !ipSet.ContainsPrefix(prefix) {
-				log.Warn().
-					Msgf("Prefix %s is not in the %s range. This is an unsupported configuration.",
-						prefixInConfig, tsaddr.TailscaleULARange())
-			}
-		}
-
 		parsedPrefixes = append(parsedPrefixes, prefix)
 	}

--- a/hscontrol/db.go
+++ b/hscontrol/db.go
@@ -1,4 +1,4 @@
-package hscontrol
+package headscale

 import (
 	"context"
--- a/hscontrol/derp.go
+++ b/hscontrol/derp.go
@@ -1,4 +1,4 @@
-package hscontrol
+package headscale

 import (
 	"context"
--- a/hscontrol/derp_server.go
+++ b/hscontrol/derp_server.go
@@ -1,4 +1,4 @@
-package hscontrol
+package headscale

 import (
 	"context"
--- a/hscontrol/dns.go
+++ b/hscontrol/dns.go
@@ -1,4 +1,4 @@
-package hscontrol
+package headscale

 import (
 	"fmt"
--- a/hscontrol/dns_test.go
+++ b/hscontrol/dns_test.go
@@ -1,4 +1,4 @@
-package hscontrol
+package headscale

 import (
 	"fmt"
--- a/docs/README.md
+++ b/docs/README.md
@@ -0,0 +1,56 @@
+# headscale documentation
+
+This page contains the official and community contributed documentation for `headscale`.
+
+If you are having trouble with following the documentation or get unexpected results,
+please ask on [Discord](https://discord.gg/c84AZQhmpx) instead of opening an Issue.
+
+## Official documentation
+
+### How-to
+
+- [Running headscale on Linux](running-headscale-linux.md)
+- [Control headscale remotely](remote-cli.md)
+- [Using a Windows client with headscale](windows-client.md)
+- [Configuring OIDC](oidc.md)
+
+### References
+
+- [Configuration](../config-example.yaml)
+- [Glossary](glossary.md)
+- [TLS](tls.md)
+
+## Community documentation
+
+Community documentation is not actively maintained by the headscale authors and is
+written by community members. It is _not_ verified by `headscale` developers.
+
+**It might be outdated and it might miss necessary steps**.
+
+- [Running headscale in a container](running-headscale-container.md)
+- [Running headscale on OpenBSD](running-headscale-openbsd.md)
+- [Running headscale behind a reverse proxy](reverse-proxy.md)
+- [Set Custom DNS records](dns-records.md)
+
+## Misc
+
+### Policy ACLs
+
+Headscale implements the same policy ACLs as Tailscale.com, adapted to the self-hosted environment.
+
+For instance, instead of referring to users when defining groups you must
+use users (which are the equivalent to user/logins in Tailscale.com).
+
+Please check https://tailscale.com/kb/1018/acls/, and `./tests/acls/` in this repo for working examples.
+
+When using ACL's the User borders are no longer applied. All machines
+whichever the User have the ability to communicate with other hosts as
+long as the ACL's permits this exchange.
+
+The [ACLs](acls.md) document should help understand a fictional case of setting
+up ACLs in a small company. All concepts presented in this document could be
+applied outside of business oriented usage.
+
+### Apple devices
+
+An endpoint with information on how to connect your Apple devices (currently macOS only) is available at `/apple` on your running instance.
--- a/docs/acls.md
+++ b/docs/acls.md
@@ -1,15 +1,4 @@
-Headscale implements the same policy ACLs as Tailscale.com, adapted to the self-hosted environment.
-
-For instance, instead of referring to users when defining groups you must
-use users (which are the equivalent to user/logins in Tailscale.com).
-
-Please check https://tailscale.com/kb/1018/acls/, and `./tests/acls/` in this repo for working examples.
-
-When using ACL's the User borders are no longer applied. All machines
-whichever the User have the ability to communicate with other hosts as
-long as the ACL's permits this exchange.
-
-## ACLs use case example
+# ACLs use case example

 Let's build an example use case for a small business (It may be the place where
 ACL's are the most useful).
--- a/docs/dns-records.md
+++ b/docs/dns-records.md
@@ -1,12 +1,5 @@
 # Setting custom DNS records

-!!! warning "Community documentation"
-
-    This page is not actively maintained by the headscale authors and is
-    written by community members. It is _not_ verified by `headscale` developers.
-
-    **It might be outdated and it might miss necessary steps**.
-
 ## Goal

 This documentation has the goal of showing how a user can set custom DNS records with `headscale`s magic dns.
--- a/docs/examples/README.md
+++ b/docs/examples/README.md
--- a/docs/examples/kustomize/.gitignore
+++ b/docs/examples/kustomize/.gitignore
--- a/docs/examples/kustomize/README.md
+++ b/docs/examples/kustomize/README.md
--- a/docs/examples/kustomize/base/configmap.yaml
+++ b/docs/examples/kustomize/base/configmap.yaml
--- a/docs/examples/kustomize/base/ingress.yaml
+++ b/docs/examples/kustomize/base/ingress.yaml
--- a/docs/examples/kustomize/base/kustomization.yaml
+++ b/docs/examples/kustomize/base/kustomization.yaml
--- a/docs/examples/kustomize/base/service.yaml
+++ b/docs/examples/kustomize/base/service.yaml
--- a/docs/examples/kustomize/headscale.bash
+++ b/docs/examples/kustomize/headscale.bash
--- a/docs/examples/kustomize/init.bash
+++ b/docs/examples/kustomize/init.bash
--- a/docs/examples/kustomize/install-cert-manager.bash
+++ b/docs/examples/kustomize/install-cert-manager.bash
--- a/docs/examples/kustomize/postgres/deployment.yaml
+++ b/docs/examples/kustomize/postgres/deployment.yaml
--- a/docs/examples/kustomize/postgres/kustomization.yaml
+++ b/docs/examples/kustomize/postgres/kustomization.yaml
--- a/docs/examples/kustomize/postgres/postgres-service.yaml
+++ b/docs/examples/kustomize/postgres/postgres-service.yaml
--- a/docs/examples/kustomize/postgres/postgres-statefulset.yaml
+++ b/docs/examples/kustomize/postgres/postgres-statefulset.yaml
--- a/docs/examples/kustomize/production-tls/ingress-patch.yaml
+++ b/docs/examples/kustomize/production-tls/ingress-patch.yaml
--- a/docs/examples/kustomize/production-tls/kustomization.yaml
+++ b/docs/examples/kustomize/production-tls/kustomization.yaml
--- a/docs/examples/kustomize/production-tls/production-issuer.yaml
+++ b/docs/examples/kustomize/production-tls/production-issuer.yaml
--- a/docs/examples/kustomize/sqlite/kustomization.yaml
+++ b/docs/examples/kustomize/sqlite/kustomization.yaml
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Kristoffer Dalby	82ef3f89e2	remove signatures Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-06 12:02:27 +02:00
Kristoffer Dalby	d6224f2454	Initial work on nfpm Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2023-04-06 11:58:48 +02:00