oldest client supported, not latest (#2086)

* various doc updates in prep for 0.23

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* add note discouraging postgresql

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* Update docs/faq.md

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

* remove entry for glossary in doc

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

* fix typo

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>

---------

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>

.coderabbit.yaml

@@ -0,0 +1,15 @@
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+language: "en-GB"
+early_access: false
+reviews:
+  profile: "chill"
+  request_changes_workflow: false
+  high_level_summary: true
+  poem: true
+  review_status: true
+  collapse_walkthrough: false
+  auto_review:
+    enabled: true
+    drafts: true
+chat:
+  auto_reply: true

.github/ISSUE_TEMPLATE/feature_request.yaml

@@ -25,9 +25,9 @@ body:
       description: Are you willing to contribute to the implementation of this feature?
       options:
         - label: I can write the design doc for this feature
-          required: true
+          required: false
         - label: I can contribute this feature
-          required: true
+          required: false
   - type: textarea
     attributes:
       label: How can it be implemented?

.github/workflows/test-integration.yaml

@@ -37,6 +37,9 @@ jobs:
           - TestNodeRenameCommand
           - TestNodeMoveCommand
           - TestPolicyCommand
+          - TestPolicyBrokenConfigCommand
+          - TestResolveMagicDNS
+          - TestValidateResolvConf
           - TestDERPServerScenario
           - TestPingAllByIP
           - TestPingAllByIPPublicDERP
@@ -45,7 +48,6 @@ jobs:
           - TestEphemeral2006DeletedTooQuickly
           - TestPingAllByHostname
           - TestTaildrop
-          - TestResolveMagicDNS
           - TestExpireNode
           - TestNodeOnlineStatus
           - TestPingAllByIPManyUpDown

.github/workflows/test.yml

@@ -34,4 +34,4 @@ jobs:
 
       - name: Run tests
         if: steps.changed-files.outputs.files == 'true'
-        run: nix develop --check
+        run: nix develop --command -- gotestsum

CHANGELOG.md

@@ -29,7 +29,7 @@ after improving the test harness as part of adopting [#1460](https://github.com/
   - Adds additional configuration for PostgreSQL for setting max open, idle connection and idle connection lifetime.
 - API: Machine is now Node [#1553](https://github.com/juanfont/headscale/pull/1553)
 - Remove support for older Tailscale clients [#1611](https://github.com/juanfont/headscale/pull/1611)
-  - The latest supported client is 1.38
+  - The oldest supported client is 1.42
 - Headscale checks that _at least_ one DERP is defined at start [#1564](https://github.com/juanfont/headscale/pull/1564)
   - If no DERP is configured, the server will fail to start, this can be because it cannot load the DERPMap from file or url.
 - Embedded DERP server requires a private key [#1611](https://github.com/juanfont/headscale/pull/1611)
@@ -43,9 +43,12 @@ after improving the test harness as part of adopting [#1460](https://github.com/
 - MagicDNS domains no longer contain usernames []()
   - This is in preperation to fix Headscales implementation of tags which currently does not correctly remove the link between a tagged device and a user. As tagged devices will not have a user, this will require a change to the DNS generation, removing the username, see [#1369](https://github.com/juanfont/headscale/issues/1369) for more information.
   - `use_username_in_magic_dns` can be used to turn this behaviour on again, but note that this option _will be removed_ when tags are fixed.
-  - This option brings Headscales behaviour in line with Tailscale.
+    - dns.base_domain can no longer be the same as (or part of) server_url.
+    - This option brings Headscales behaviour in line with Tailscale.
 - YAML files are no longer supported for headscale policy.  [#1792](https://github.com/juanfont/headscale/pull/1792)
   - HuJSON is now the only supported format for policy.
+- DNS configuration has been restructured [#2034](https://github.com/juanfont/headscale/pull/2034)
+  - Please review the new [config-example.yaml](./config-example.yaml) for the new structure.
 
 ### Changes
 

Dockerfile.debug

@@ -2,7 +2,7 @@
 # and are in no way endorsed by Headscale's maintainers as an
 # official nor supported release or distribution.
 
-FROM docker.io/golang:1.22-bookworm
+FROM docker.io/golang:1.23-bookworm
 ARG VERSION=dev
 ENV GOPATH /go
 WORKDIR /go/src/headscale

Dockerfile.tailscale-HEAD

@@ -4,7 +4,7 @@
 # This Dockerfile is more or less lifted from tailscale/tailscale
 # to ensure a similar build process when testing the HEAD of tailscale.
 
-FROM golang:1.22-alpine AS build-env
+FROM golang:1.23-alpine AS build-env
 
 WORKDIR /go/src
 

README.md

@@ -55,7 +55,6 @@ buttons available in the repo.
 - Taildrop (File Sharing)
 - [Access control lists](https://tailscale.com/kb/1018/acls/)
 - [MagicDNS](https://tailscale.com/kb/1081/magicdns)
-- Support for multiple IP ranges in the tailnet
 - Dual stack (IPv4 and IPv6)
 - Routing advertising (including exit nodes)
 - Ephemeral nodes

cmd/headscale/headscale_test.go

@@ -63,7 +63,6 @@ func (*Suite) TestConfigFileLoading(c *check.C) {
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
-	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
 	c.Assert(
 		util.GetFileMode("unix_socket_permission"),
 		check.Equals,
@@ -106,7 +105,6 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	c.Assert(viper.GetString("tls_letsencrypt_hostname"), check.Equals, "")
 	c.Assert(viper.GetString("tls_letsencrypt_listen"), check.Equals, ":http")
 	c.Assert(viper.GetString("tls_letsencrypt_challenge_type"), check.Equals, "HTTP-01")
-	c.Assert(viper.GetStringSlice("dns_config.nameservers")[0], check.Equals, "1.1.1.1")
 	c.Assert(
 		util.GetFileMode("unix_socket_permission"),
 		check.Equals,
@@ -116,39 +114,6 @@ func (*Suite) TestConfigLoading(c *check.C) {
 	c.Assert(viper.GetBool("randomize_client_port"), check.Equals, false)
 }
 
-func (*Suite) TestDNSConfigLoading(c *check.C) {
-	tmpDir, err := os.MkdirTemp("", "headscale")
-	if err != nil {
-		c.Fatal(err)
-	}
-	defer os.RemoveAll(tmpDir)
-
-	path, err := os.Getwd()
-	if err != nil {
-		c.Fatal(err)
-	}
-
-	// Symlink the example config file
-	err = os.Symlink(
-		filepath.Clean(path+"/../../config-example.yaml"),
-		filepath.Join(tmpDir, "config.yaml"),
-	)
-	if err != nil {
-		c.Fatal(err)
-	}
-
-	// Load example config, it should load without validation errors
-	err = types.LoadConfig(tmpDir, false)
-	c.Assert(err, check.IsNil)
-
-	dnsConfig, baseDomain := types.GetDNSConfig()
-
-	c.Assert(dnsConfig.Nameservers[0].String(), check.Equals, "1.1.1.1")
-	c.Assert(dnsConfig.Resolvers[0].Addr, check.Equals, "1.1.1.1")
-	c.Assert(dnsConfig.Proxied, check.Equals, true)
-	c.Assert(baseDomain, check.Equals, "example.com")
-}
-
 func writeConfig(c *check.C, tmpDir string, configYaml []byte) {
 	// Populate a custom config file
 	configFile := filepath.Join(tmpDir, "config.yaml")

config-example.yaml

@@ -138,8 +138,28 @@ disable_check_updates: false
 ephemeral_node_inactivity_timeout: 30m
 
 database:
+  # Database type. Available options: sqlite, postgres
+  # Please not that using Postgres is highly discouraged as it is only supported for legacy reasons.
+  # All new development, testing and optimisations are done with SQLite in mind.
   type: sqlite
 
+  # Enable debug mode. This setting requires the log.level to be set to "debug" or "trace".
+  debug: false
+
+  # GORM configuration settings.
+  gorm:
+    # Enable prepared statements.
+    prepare_stmt: true
+
+    # Enable parameterized queries.
+    parameterized_queries: true
+
+    # Skip logging "record not found" errors.
+    skip_err_record_not_found: true
+
+    # Threshold for slow queries in milliseconds.
+    slow_threshold: 1000
+
   # SQLite config
   sqlite:
     path: /var/lib/headscale/db.sqlite
@@ -149,6 +169,8 @@ database:
     write_ahead_log: true
 
   # # Postgres config
+  # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
+  # See database.type for more information.
   # postgres:
   #   # If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank.
   #   host: localhost
@@ -211,9 +233,8 @@ policy:
   # The mode can be "file" or "database" that defines
   # where the ACL policies are stored and read from.
   mode: file
-  # If the mode is set to "file", the
-  # path to a file containing ACL policies.
-  # The file can be in YAML or HuJSON format.
+  # If the mode is set to "file", the path to a
+  # HuJSON file containing ACL policies.
   path: ""
 
 ## DNS
@@ -225,43 +246,60 @@ policy:
 # - https://tailscale.com/kb/1081/magicdns/
 # - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/
 #
-dns_config:
-  # Whether to prefer using Headscale provided DNS or use local.
-  override_local_dns: true
+# Please note that for the DNS configuration to have any effect,
+# clients must have the `--accept-dns=true` option enabled. This is the
+# default for the Tailscale client. This option is enabled by default
+# in the Tailscale client.
+#
+# Setting _any_ of the configuration and `--accept-dns=true` on the
+# clients will integrate with the DNS manager on the client or
+# overwrite /etc/resolv.conf.
+# https://tailscale.com/kb/1235/resolv-conf
+#
+# If you want stop Headscale from managing the DNS configuration
+# all the fields under `dns` should be set to empty values.
+dns:
+  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
+  # Only works if there is at least a nameserver defined.
+  magic_dns: true
+
+  # Defines the base domain to create the hostnames for MagicDNS.
+  # This domain _must_ be different from the server_url domain.
+  # `base_domain` must be a FQDN, without the trailing dot.
+  # The FQDN of the hosts will be
+  # `hostname.base_domain` (e.g., _myhost.example.com_).
+  base_domain: example.com
 
   # List of DNS servers to expose to clients.
   nameservers:
-    - 1.1.1.1
+    global:
+      - 1.1.1.1
+      - 1.0.0.1
+      - 2606:4700:4700::1111
+      - 2606:4700:4700::1001
 
-  # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
-  # "abc123" is example NextDNS ID, replace with yours.
-  #
-  # With metadata sharing:
-  # nameservers:
-  #   - https://dns.nextdns.io/abc123
-  #
-  # Without metadata sharing:
-  # nameservers:
-  #   - 2a07:a8c0::ab:c123
-  #   - 2a07:a8c1::ab:c123
+      # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
+      # "abc123" is example NextDNS ID, replace with yours.
+      # - https://dns.nextdns.io/abc123
 
-  # Split DNS (see https://tailscale.com/kb/1054/dns/),
-  # list of search domains and the DNS to query for each one.
-  #
-  # restricted_nameservers:
-  #   foo.bar.com:
-  #     - 1.1.1.1
-  #   darp.headscale.net:
-  #     - 1.1.1.1
-  #     - 8.8.8.8
+    # Split DNS (see https://tailscale.com/kb/1054/dns/),
+    # a map of domains and which DNS server to use for each.
+    split:
+      {}
+      # foo.bar.com:
+      #   - 1.1.1.1
+      # darp.headscale.net:
+      #   - 1.1.1.1
+      #   - 8.8.8.8
 
-  # Search domains to inject.
-  domains: []
+  # Set custom DNS search domains. With MagicDNS enabled,
+  # your tailnet base_domain is always the first search domain.
+  search_domains: []
 
   # Extra DNS records
   # so far only A-records are supported (on the tailscale side)
   # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
-  # extra_records:
+  extra_records: []
   #   - name: "grafana.myvpn.example.com"
   #     type: "A"
   #     value: "100.64.0.3"
@@ -269,10 +307,6 @@ dns_config:
   #   # you can also put it in one line
   #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }
 
-  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
-  # Only works if there is at least a nameserver defined.
-  magic_dns: true
-
   # DEPRECATED
   # Use the username as part of the DNS name for nodes, with this option enabled:
   # node1.username.example.com
@@ -282,12 +316,6 @@ dns_config:
   # while in upstream Tailscale, the username is not included.
   use_username_in_magic_dns: false
 
-  # Defines the base domain to create the hostnames for MagicDNS.
-  # `base_domain` must be a FQDNs, without the trailing dot.
-  # The FQDN of the hosts will be
-  # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_).
-  base_domain: example.com
-
 # Unix socket used for the CLI to connect without authentication
 # Note: for production you will want to set this to something like:
 unix_socket: /var/run/headscale/headscale.sock

docs/acls.md

@@ -43,8 +43,7 @@ servers.
 Note: Users will be created automatically when users authenticate with the
 Headscale server.
 
-ACLs could be written either on [huJSON](https://github.com/tailscale/hujson)
-or YAML. Check the [test ACLs](../tests/acls) for further information.
+ACLs have to be written in [huJSON](https://github.com/tailscale/hujson). Check the [test ACLs](../tests/acls) for further information.
 
 When registering the servers we will need to add the flag
 `--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user that is

docs/faq.md

@@ -31,7 +31,7 @@ We are more than happy to exchange emails, or to have dedicated calls before a P
 
 ## When/Why is Feature X going to be implemented?
 
-We don't know. We might be working on it. If you want to help, please send us a PR.
+We don't know. We might be working on it. If you're interested in contributing, please post a feature request about it.
 
 Please be aware that there are a number of reasons why we might not accept specific contributions:
 

docs/glossary.md

@@ -1,6 +0,0 @@
-# Glossary
-
-| Term      | Description                                                                                                                                 |
-| --------- | ------------------------------------------------------------------------------------------------------------------------------------------- |
-| Machine   | A machine is a single entity connected to `headscale`, typically an installation of Tailscale. Also known as **Node**                       |
-| Namespace | A namespace was a logical grouping of machines "owned" by the same entity, in Tailscale, this is typically a User (This is now called user) |

docs/index.md

@@ -31,12 +31,7 @@ buttons available in the repo.
 Headscale is "Open Source, acknowledged contribution", this means that any
 contribution will have to be discussed with the Maintainers before being submitted.
 
-This model has been chosen to reduce the risk of burnout by limiting the
-maintenance overhead of reviewing and validating third-party code.
-
-Headscale is open to code contributions for bug fixes without discussion.
-
-If you find mistakes in the documentation, please submit a fix to the documentation.
+Please see [CONTRIBUTING.md](https://github.com/juanfont/headscale/blob/main/CONTRIBUTING.md) for more information.
 
 ## About
 

docs/running-headscale-container.md

@@ -42,36 +42,12 @@ not work with alternatives like [Podman](https://podman.io). The Docker image ca
         curl https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml -o ./config/config.yaml
         ```
 
-    - **(Advanced)** If you would like to hand craft a config file **instead** of downloading the example config file, create a blank `headscale` configuration in the headscale directory to edit:
+    Modify the config file to your preferences before launching Docker container.
+    Here are some settings that you likely want:
 
-        ```shell
-        touch ./config/config.yaml
-        ```
-
-        Modify the config file to your preferences before launching Docker container.
-        Here are some settings that you likely want:
-
-        ```yaml
-        # Change to your hostname or host IP
-        server_url: http://your-host-name:8080
-        # Listen to 0.0.0.0 so it's accessible outside the container
-        metrics_listen_addr: 0.0.0.0:9090
-        # The default /var/lib/headscale path is not writable in the container
-        noise:
-          private_key_path: /etc/headscale/noise_private.key
-        # The default /var/lib/headscale path is not writable in the container
-        derp:
-          private_key_path: /etc/headscale/private.key
-        # The default /var/run/headscale path is not writable  in the container
-        unix_socket: /etc/headscale/headscale.sock
-        # The default /var/lib/headscale path is not writable  in the container
-        database.type: sqlite3
-        database.sqlite.path: /etc/headscale/db.sqlite
-        ```
-
-        Alternatively, you can mount `/var/lib` and `/var/run` from your host system by adding
-        `--volume $(pwd)/lib:/var/lib/headscale` and `--volume $(pwd)/run:/var/run/headscale`
-        in the next step.
+    Alternatively, you can mount `/var/lib` and `/var/run` from your host system by adding
+    `--volume $(pwd)/lib:/var/lib/headscale` and `--volume $(pwd)/run:/var/run/headscale`
+    in the next step.
 
 1. Start the headscale server while working in the host headscale directory:
 
@@ -95,7 +71,7 @@ not work with alternatives like [Podman](https://podman.io). The Docker image ca
 
       ```yaml
       version: "3.7"
-      
+
       services:
         headscale:
           image: headscale/headscale:0.22.3

flake.lock

@@ -20,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1721466660,
-        "narHash": "sha256-pFSxgSZqZ3h+5Du0KvEL1ccDZBwu4zvOil1zzrPNb3c=",
+        "lastModified": 1724363052,
+        "narHash": "sha256-Nf/iQWamRVAwAPFccQMfm5Qcf+rLLnU1rWG3f9orDVE=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "6e14bbce7bea6c4efd7adfa88a40dac750d80100",
+        "rev": "5de1564aed415bf9d0f281461babc2d101dd49ff",
         "type": "github"
       },
       "original": {

flake.nix

@@ -21,7 +21,7 @@
       overlay = _: prev: let
         pkgs = nixpkgs.legacyPackages.${prev.system};
       in rec {
-        headscale = pkgs.buildGo122Module rec {
+        headscale = pkgs.buildGo123Module rec {
           pname = "headscale";
           version = headscaleVersion;
           src = pkgs.lib.cleanSource self;
@@ -31,7 +31,7 @@
 
           # When updating go.mod or go.sum, a new sha will need to be calculated,
           # update this if you have a mismatch after doing a change to thos files.
-          vendorHash = "sha256-EorT2AVwA3usly/LcNor6r5UIhLCdj3L4O4ilgTIC2o=";
+          vendorHash = "sha256-hmBRtMPqewg4oqu2bc9HtE3wdCdl5v9MoBOOCsjYlE8=";
 
           subPackages = ["cmd/headscale"];
 
@@ -63,7 +63,7 @@
         overlays = [self.overlay];
         inherit system;
       };
-      buildDeps = with pkgs; [git go_1_22 gnumake];
+      buildDeps = with pkgs; [git go_1_23 gnumake];
       devDeps = with pkgs;
         buildDeps
         ++ [

go.mod

@@ -1,8 +1,6 @@
 module github.com/juanfont/headscale
 
-go 1.22.0
-
-toolchain go1.22.2
+go 1.23.0
 
 require (
 	github.com/AlecAivazis/survey/v2 v2.3.7
@@ -23,23 +21,23 @@ require (
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/philip-bui/grpc-zerolog v1.0.1
 	github.com/pkg/profile v1.7.0
-	github.com/prometheus/client_golang v1.18.0
-	github.com/prometheus/common v0.46.0
+	github.com/prometheus/client_golang v1.19.1
+	github.com/prometheus/common v0.48.0
 	github.com/pterm/pterm v0.12.79
 	github.com/puzpuzpuz/xsync/v3 v3.1.0
 	github.com/rs/zerolog v1.32.0
 	github.com/samber/lo v1.39.0
 	github.com/sasha-s/go-deadlock v0.3.1
-	github.com/spf13/cobra v1.8.0
-	github.com/spf13/viper v1.18.2
+	github.com/spf13/cobra v1.8.1
+	github.com/spf13/viper v1.20.0-alpha.6
 	github.com/stretchr/testify v1.9.0
 	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
 	github.com/tailscale/tailsql v0.0.0-20240418235827-820559f382c1
 	github.com/tcnksm/go-latest v0.0.0-20170313132115-e3007ae9052e
 	go4.org/netipx v0.0.0-20231129151722-fdeea329fbba
-	golang.org/x/crypto v0.23.0
-	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
-	golang.org/x/net v0.25.0
+	golang.org/x/crypto v0.25.0
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56
+	golang.org/x/net v0.27.0
 	golang.org/x/oauth2 v0.20.0
 	golang.org/x/sync v0.7.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20240515191416-fc5f0ca64291
@@ -49,7 +47,7 @@ require (
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/postgres v1.5.7
 	gorm.io/gorm v1.25.10
-	tailscale.com v1.66.3
+	tailscale.com v1.72.1
 )
 
 require (
@@ -81,6 +79,7 @@ require (
 	github.com/bits-and-blooms/bitset v1.13.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/coder/websocket v1.8.12 // indirect
 	github.com/containerd/console v1.0.4 // indirect
 	github.com/containerd/continuity v0.4.3 // indirect
 	github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6 // indirect
@@ -88,19 +87,20 @@ require (
 	github.com/dblohm7/wingoes v0.0.0-20240123200102-b75a8a7d7eb0 // indirect
 	github.com/digitalocean/go-smbios v0.0.0-20180907143718-390a4f403a8e // indirect
 	github.com/docker/cli v26.1.3+incompatible // indirect
-	github.com/docker/docker v26.1.3+incompatible // indirect
+	github.com/docker/docker v26.1.4+incompatible // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/felixge/fgprof v0.9.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
-	github.com/fxamacker/cbor/v2 v2.5.0 // indirect
-	github.com/gaissmai/bart v0.4.1 // indirect
+	github.com/fxamacker/cbor/v2 v2.6.0 // indirect
+	github.com/gaissmai/bart v0.11.1 // indirect
 	github.com/glebarez/go-sqlite v1.22.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
 	github.com/go-json-experiment/json v0.0.0-20231102232822-2e55bd4e08b0 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.0.0 // indirect
 	github.com/godbus/dbus/v5 v5.1.1-0.20230522191255-76236955d466 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
@@ -117,7 +117,6 @@ require (
 	github.com/gorilla/csrf v1.7.2 // indirect
 	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/hashicorp/go-version v1.6.0 // indirect
-	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hdevalence/ed25519consensus v0.2.0 // indirect
 	github.com/illarion/gonotify v1.0.1 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
@@ -137,7 +136,6 @@ require (
 	github.com/kr/text v0.2.0 // indirect
 	github.com/lib/pq v1.10.7 // indirect
 	github.com/lithammer/fuzzysearch v1.1.8 // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
@@ -160,14 +158,14 @@ require (
 	github.com/pierrec/lz4/v4 v4.1.21 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus-community/pro-bing v0.4.0 // indirect
 	github.com/prometheus/client_model v0.5.0 // indirect
 	github.com/prometheus/procfs v0.12.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/safchain/ethtool v0.3.0 // indirect
-	github.com/sagikazarmark/locafero v0.4.0 // indirect
-	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/sagikazarmark/locafero v0.6.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
@@ -176,14 +174,14 @@ require (
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e // indirect
 	github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 // indirect
-	github.com/tailscale/golang-x-crypto v0.0.0-20240108194725-7ce1f622c780 // indirect
+	github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4 // indirect
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 // indirect
 	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 // indirect
 	github.com/tailscale/peercred v0.0.0-20240214030740-b535050b2aa4 // indirect
 	github.com/tailscale/setec v0.0.0-20240314234648-9da8e7407257 // indirect
 	github.com/tailscale/squibble v0.0.0-20240418235321-9ee0eeb78185 // indirect
 	github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 // indirect
-	github.com/tailscale/wireguard-go v0.0.0-20240429185444-03c5a0ccf754 // indirect
+	github.com/tailscale/wireguard-go v0.0.0-20240731203015-71393c576b98 // indirect
 	github.com/tcnksm/go-httpstat v0.2.0 // indirect
 	github.com/u-root/uio v0.0.0-20240118234441-a3c409a6018e // indirect
 	github.com/vishvananda/netlink v1.2.1-beta.2 // indirect
@@ -195,21 +193,19 @@ require (
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13 // indirect
-	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/term v0.20.0 // indirect
-	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/mod v0.19.0 // indirect
+	golang.org/x/sys v0.22.0 // indirect
+	golang.org/x/term v0.22.0 // indirect
+	golang.org/x/text v0.16.0 // indirect
 	golang.org/x/time v0.5.0 // indirect
-	golang.org/x/tools v0.21.0 // indirect
+	golang.org/x/tools v0.23.0 // indirect
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
 	golang.zx2c4.com/wireguard/windows v0.5.3 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240515191416-fc5f0ca64291 // indirect
-	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	gvisor.dev/gvisor v0.0.0-20240306221502-ee1e1f6070e3 // indirect
+	gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987 // indirect
 	modernc.org/libc v1.50.6 // indirect
 	modernc.org/mathutil v1.6.0 // indirect
 	modernc.org/memory v1.8.0 // indirect
 	modernc.org/sqlite v1.29.9 // indirect
-	nhooyr.io/websocket v1.8.10 // indirect
 )

go.sum

@@ -99,10 +99,12 @@ github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5P
 github.com/chzyer/readline v1.5.1/go.mod h1:Eh+b79XXUwfKfcPLepksvw2tcLE/Ct21YObkaSkeBlk=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/chzyer/test v1.0.0/go.mod h1:2JlltgoNkt4TW/z9V/IzDdFaMTM2JPIi26O1pF38GC8=
-github.com/cilium/ebpf v0.12.3 h1:8ht6F9MquybnY97at+VDZb3eQQr8ev79RueWeVaEcG4=
-github.com/cilium/ebpf v0.12.3/go.mod h1:TctK1ivibvI3znr66ljgi4hqOT8EYQjz1KWBfb1UVgM=
+github.com/cilium/ebpf v0.15.0 h1:7NxJhNiBT3NG8pZJ3c+yfrVdHY8ScgKD27sScgjLMMk=
+github.com/cilium/ebpf v0.15.0/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/coder/websocket v1.8.12 h1:5bUXkEPPIbewrnkU8LTCLVaxi4N4J8ahufH2vlo4NAo=
+github.com/coder/websocket v1.8.12/go.mod h1:LNVeNrXQZfe5qhS9ALED3uA+l5pPqvwXg3CKoDBB2gs=
 github.com/containerd/console v1.0.3/go.mod h1:7LqA/THxQ86k76b8c/EMSiaJ3h1eZkMkXar0TQ1gf3U=
 github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn4ro=
 github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
@@ -113,13 +115,13 @@ github.com/coreos/go-iptables v0.7.1-0.20240112124308-65c67c9f46e6/go.mod h1:Qe8
 github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU=
 github.com/coreos/go-oidc/v3 v3.10.0/go.mod h1:5j11xcw0D3+SGxn6Z/WFADsgcWVMyNAlSQupk0KK3ac=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creachadair/mds v0.14.5 h1:2amuO4yCbQkaAyDoLO5iCbwbTRQZz4EpRhOejQbf4+8=
 github.com/creachadair/mds v0.14.5/go.mod h1:4vrFYUzTXMJpMBU+OA292I6IUxKWCCfZkgXg+/kBZMo=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0=
-github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/creack/pty v1.1.23 h1:4M6+isWdcStXEf15G/RbrMPOQj1dZ7HPZCGwE4kOeP0=
+github.com/creack/pty v1.1.23/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -134,8 +136,8 @@ github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
 github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
 github.com/docker/cli v26.1.3+incompatible h1:bUpXT/N0kDE3VUHI2r5VMsYQgi38kYuoC0oL9yt3lqc=
 github.com/docker/cli v26.1.3+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/docker v26.1.3+incompatible h1:lLCzRbrVZrljpVNobJu1J2FHk8V0s4BawoZippkc+xo=
-github.com/docker/docker v26.1.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU=
+github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -155,10 +157,10 @@ github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHk
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/fxamacker/cbor/v2 v2.5.0 h1:oHsG0V/Q6E/wqTS2O1Cozzsy69nqCiguo5Q1a1ADivE=
-github.com/fxamacker/cbor/v2 v2.5.0/go.mod h1:TA1xS00nchWmaBnEIxPSE5oHLuJBAVvqrtAnWBwBCVo=
-github.com/gaissmai/bart v0.4.1 h1:G1t58voWkNmT47lBDawH5QhtTDsdqRIO+ftq5x4P9Ls=
-github.com/gaissmai/bart v0.4.1/go.mod h1:KHeYECXQiBjTzQz/om2tqn3sZF1J7hw9m6z41ftj3fg=
+github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
+github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
+github.com/gaissmai/bart v0.11.1 h1:5Uv5XwsaFBRo4E5VBcb9TzY8B7zxFf+U7isDxqOrRfc=
+github.com/gaissmai/bart v0.11.1/go.mod h1:KHeYECXQiBjTzQz/om2tqn3sZF1J7hw9m6z41ftj3fg=
 github.com/github/fakeca v0.1.0 h1:Km/MVOFvclqxPM9dZBC4+QE564nU4gz4iZ0D9pMw28I=
 github.com/github/fakeca v0.1.0/go.mod h1:+bormgoGMMuamOscx7N91aOuUST7wdaJ2rNjeohylyo=
 github.com/glebarez/go-sqlite v1.22.0 h1:uAcMJhaA6r3LHMTFgP0SifzgXg46yJkgxqyuyec+ruQ=
@@ -180,6 +182,8 @@ github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW
 github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE=
 github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/go-viper/mapstructure/v2 v2.0.0 h1:dhn8MZ1gZ0mzeodTG3jt5Vj/o87xZKuNAprG2mQfMfc=
+github.com/go-viper/mapstructure/v2 v2.0.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gobwas/httphead v0.1.0/go.mod h1:O/RXo79gxV8G+RqlR/otEwx4Q36zl9rqC5u12GKvMCM=
 github.com/gobwas/pool v0.2.1/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
 github.com/gobwas/ws v1.2.1/go.mod h1:hRKAFb8wOxFROYNsT1bqfWnhX+b5MFeJM9r2ZSwg/KY=
@@ -240,11 +244,8 @@ github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
 github.com/hashicorp/go-version v1.6.0 h1:feTTfFNnjP967rlCxM/I9g701jU+RN74YKx2mOkIeek=
 github.com/hashicorp/go-version v1.6.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
-github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
 github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
-github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
-github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hdevalence/ed25519consensus v0.2.0 h1:37ICyZqdyj0lAZ8P4D1d1id3HqbbG1N3iBb1Tb4rdcU=
 github.com/hdevalence/ed25519consensus v0.2.0/go.mod h1:w3BHWjwJbFU29IRHL1Iqkw3sus+7FctEyM4RqDxYNzo=
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog=
@@ -312,8 +313,6 @@ github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw=
 github.com/lib/pq v1.10.7/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
 github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
-github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
-github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
@@ -385,13 +384,15 @@ github.com/pkg/sftp v1.13.6/go.mod h1:tz1ryNURKu77RL+GuCzmoJYxQczL3wLNNpPWagdg4Q
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
-github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
+github.com/prometheus-community/pro-bing v0.4.0 h1:YMbv+i08gQz97OZZBwLyvmmQEEzyfyrrjEaAchdy3R4=
+github.com/prometheus-community/pro-bing v0.4.0/go.mod h1:b7wRYZtCcPmt4Sz319BykUU241rWLe1VFXyiyWK/dH4=
+github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
+github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
 github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
-github.com/prometheus/common v0.46.0 h1:doXzt5ybi1HBKpsZOL0sSkaNHJJqkyfEWZGGqqScV0Y=
-github.com/prometheus/common v0.46.0/go.mod h1:Tp0qkxpb9Jsg54QMe+EAmqXkSV7Evdy1BTn+g2pa/hQ=
+github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE=
+github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
 github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
 github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
 github.com/pterm/pterm v0.12.27/go.mod h1:PhQ89w4i95rhgE+xedAoqous6K9X+r6aSOI2eFF7DZI=
@@ -419,10 +420,8 @@ github.com/rs/zerolog v1.32.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWR
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/safchain/ethtool v0.3.0 h1:gimQJpsI6sc1yIqP/y8GYgiXn/NjgvpM0RNoWLVVmP0=
 github.com/safchain/ethtool v0.3.0/go.mod h1:SA9BwrgyAqNo7M+uaL6IYbxpm5wk3L7Mm6ocLW+CJUs=
-github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ=
-github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4=
-github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
-github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
+github.com/sagikazarmark/locafero v0.6.0 h1:ON7AQg37yzcRPU69mt7gwhFEBwxI6P9T4Qu3N51bwOk=
+github.com/sagikazarmark/locafero v0.6.0/go.mod h1:77OmuIc6VTraTXKXIs/uvUxKGUXjE1GbemJYHqdNjX0=
 github.com/samber/lo v1.39.0 h1:4gTz1wUhNYLhFSKl6O+8peW0v2F4BCY034GRpU9WnuA=
 github.com/samber/lo v1.39.0/go.mod h1:+m/ZKRl6ClXCE2Lgf3MsQlWfh4bn1bz6CXEOxnEXnEA=
 github.com/sasha-s/go-deadlock v0.3.1 h1:sqv7fDNShgjcaxkO0JNcOAlr8B9+cV5Ey/OB71efZx0=
@@ -439,12 +438,12 @@ github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
 github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
 github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
 github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
-github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
-github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ=
-github.com/spf13/viper v1.18.2/go.mod h1:EKmWIqdnk5lOcmR72yw6hS+8OPYcwD0jteitLMVB+yk=
+github.com/spf13/viper v1.20.0-alpha.6 h1:f65Cr/+2qk4GfHC0xqT/isoupQppwN5+VLRztUGTDbY=
+github.com/spf13/viper v1.20.0-alpha.6/go.mod h1:CGBZzv0c9fOUASm6rfus4wdeIjR/04NOLq1P4KRhX3k=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
@@ -467,8 +466,8 @@ github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
-github.com/tailscale/golang-x-crypto v0.0.0-20240108194725-7ce1f622c780 h1:U0J2CUrrTcc2wmr9tSLYEo+USfwNikRRsmxVLD4eZ7E=
-github.com/tailscale/golang-x-crypto v0.0.0-20240108194725-7ce1f622c780/go.mod h1:ikbF+YT089eInTp9f2vmvy4+ZVnW5hzX1q2WknxSprQ=
+github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4 h1:rXZGgEa+k2vJM8xT0PoSKfVXwFGPQ3z3CJfmnHJkZZw=
+github.com/tailscale/golang-x-crypto v0.0.0-20240604161659-3fde5e568aa4/go.mod h1:ikbF+YT089eInTp9f2vmvy4+ZVnW5hzX1q2WknxSprQ=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
@@ -487,10 +486,10 @@ github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1 h1:t
 github.com/tailscale/web-client-prebuilt v0.0.0-20240226180453-5db17b287bf1/go.mod h1:agQPE6y6ldqCOui2gkIh7ZMztTkIQKH049tv8siLuNQ=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6 h1:l10Gi6w9jxvinoiq15g8OToDdASBni4CyJOdHY1Hr8M=
 github.com/tailscale/wf v0.0.0-20240214030419-6fbb0a674ee6/go.mod h1:ZXRML051h7o4OcI0d3AaILDIad/Xw0IkXaHM17dic1Y=
-github.com/tailscale/wireguard-go v0.0.0-20240429185444-03c5a0ccf754 h1:iazWjqVHE6CbNam7WXRhi33Qad5o7a8LVYgVoILpZdI=
-github.com/tailscale/wireguard-go v0.0.0-20240429185444-03c5a0ccf754/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
-github.com/tailscale/xnet v0.0.0-20240117122442-62b9a7c569f9 h1:81P7rjnikHKTJ75EkjppvbwUfKHDHYk6LJpO5PZy8pA=
-github.com/tailscale/xnet v0.0.0-20240117122442-62b9a7c569f9/go.mod h1:orPd6JZXXRyuDusYilywte7k094d7dycXXU5YnWsrwg=
+github.com/tailscale/wireguard-go v0.0.0-20240731203015-71393c576b98 h1:RNpJrXfI5u6e+uzyIzvmnXbhmhdRkVf//90sMBH3lso=
+github.com/tailscale/wireguard-go v0.0.0-20240731203015-71393c576b98/go.mod h1:BOm5fXUBFM+m9woLNBoxI9TaBXXhGNP50LX/TGIvGb4=
+github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e h1:zOGKqN5D5hHhiYUp091JqK7DPCqSARyUfduhGUY8Bek=
+github.com/tailscale/xnet v0.0.0-20240729143630-8497ac4dab2e/go.mod h1:orPd6JZXXRyuDusYilywte7k094d7dycXXU5YnWsrwg=
 github.com/tc-hib/winres v0.2.1 h1:YDE0FiP0VmtRaDn7+aaChp1KiF4owBiJa5l964l5ujA=
 github.com/tc-hib/winres v0.2.1/go.mod h1:C/JaNhH3KBvhNKVbvdlDWkbMDO9H4fKKDaN7/07SSuk=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
@@ -538,15 +537,15 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
+golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
-golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/exp/typeparams v0.0.0-20240119083558-1b970713d09a h1:8qmSSA8Gz/1kTrCe0nqR0R3Gb/NDhykzWw2q2mWZydM=
 golang.org/x/exp/typeparams v0.0.0-20240119083558-1b970713d09a/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
-golang.org/x/image v0.15.0 h1:kOELfmgrmJlw4Cdb7g/QGuB3CvDrXbqEIww/pNtNBm8=
-golang.org/x/image v0.15.0/go.mod h1:HUYqC05R2ZcZ3ejNQsIHQDQiwWM4JBqmm6MKANTp4LE=
+golang.org/x/image v0.18.0 h1:jGzIakQa/ZXI1I0Fxvaa9W7yP25TqT6cHIHn+6CqvSQ=
+golang.org/x/image v0.18.0/go.mod h1:4yyo5vMFQjVjUcVk4jEQcU9MGy/rulF5WvUILseCM2E=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
@@ -555,8 +554,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.19.0 h1:fEdghXQSo20giMthA7cd28ZC+jts4amQ3YMXiP5oMQ8=
+golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -569,8 +568,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
-golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.27.0 h1:5K3Njcw06/l2y9vpGCSdcxWOYHOUk3dVNGDXN+FvAys=
+golang.org/x/net v0.27.0/go.mod h1:dDi0PyhWNoiUOrAS8uXv/vnScO4wnHQO4mj9fn/RytE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo=
 golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
@@ -615,8 +614,8 @@ golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.22.0 h1:RI27ohtqKCnwULzJLqkv897zojh5/DwS/ENaMzUOaWI=
+golang.org/x/sys v0.22.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -624,8 +623,8 @@ golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuX
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
-golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.22.0 h1:BbsgPEJULsl2fV/AT3v15Mjva5yXKQDyKf+TbDz7QJk=
+golang.org/x/term v0.22.0/go.mod h1:F3qCibpT5AMpCRfhfT53vVJwhLtIVHhB9XDjfFvnMI4=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -633,8 +632,8 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
+golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
 golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -648,8 +647,8 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
-golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.23.0 h1:SGsXPZ+2l4JsgaCKkx+FQ9YZ5XEtA1GZYuoDjenLjvg=
+golang.org/x/tools v0.23.0/go.mod h1:pnu6ufv6vQkll6szChhK3C3L/ruaIv5eBeztNG8wtsI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -681,8 +680,6 @@ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
-gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
@@ -698,8 +695,8 @@ gorm.io/gorm v1.25.10 h1:dQpO+33KalOA+aFYGlK+EfxcI5MbO7EP2yYygwh9h+s=
 gorm.io/gorm v1.25.10/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
 gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
 gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
-gvisor.dev/gvisor v0.0.0-20240306221502-ee1e1f6070e3 h1:/8/t5pz/mgdRXhYOIeqqYhFAQLE4DDGegc0Y4ZjyFJM=
-gvisor.dev/gvisor v0.0.0-20240306221502-ee1e1f6070e3/go.mod h1:NQHVAzMwvZ+Qe3ElSiHmq9RUm1MdNHpUZ52fiEqvn+0=
+gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987 h1:TU8z2Lh3Bbq77w0t1eG8yRlLcNHzZu3x6mhoH2Mk0c8=
+gvisor.dev/gvisor v0.0.0-20240722211153-64c016c92987/go.mod h1:sxc3Uvk/vHcd3tj7/DHVBoR5wvWT/MmRq2pj7HRJnwU=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.4.7 h1:9MDAWxMoSnB6QoSqiVr7P5mtkT9pOc1kSxchzPCnqJs=
@@ -732,9 +729,7 @@ modernc.org/strutil v1.2.0 h1:agBi9dp1I+eOnxXeiZawM8F4LawKv4NzGWSaLfyeNZA=
 modernc.org/strutil v1.2.0/go.mod h1:/mdcBmfOibveCTBxUl5B5l6W+TTH1FXPLHZE6bTosX0=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
 modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
-nhooyr.io/websocket v1.8.10 h1:mv4p+MnGrLDcPlBoWsvPP7XCzTYMXP9F9eIGoKbgx7Q=
-nhooyr.io/websocket v1.8.10/go.mod h1:rN9OFWIUwuxg4fR5tELlYC04bXYowCP9GX47ivo2l+c=
 software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
 software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
-tailscale.com v1.66.3 h1:jpWat+hiobTtCosSV/c8D6S/ubgROf/S59MaIBdM9pY=
-tailscale.com v1.66.3/go.mod h1:99BIV4U3UPw36Sva04xK2ZsEpVRUkY9jCdEDSAhaNGM=
+tailscale.com v1.72.1 h1:hk82jek36ph2S3Tfsh57NVWKEm/pZ9nfUonvlowpfaA=
+tailscale.com v1.72.1/go.mod h1:v7OHtg0KLAnhOVf81Z8WrjNefj238QbFhgkWJQoKxbs=

hscontrol/app.go

@@ -1001,6 +1001,32 @@ func (h *Headscale) loadACLPolicy() error {
 		if err != nil {
 			return fmt.Errorf("failed to load ACL policy from file: %w", err)
 		}
+
+		// Validate and reject configuration that would error when applied
+		// when creating a map response. This requires nodes, so there is still
+		// a scenario where they might be allowed if the server has no nodes
+		// yet, but it should help for the general case and for hot reloading
+		// configurations.
+		// Note that this check is only done for file-based policies in this function
+		// as the database-based policies are checked in the gRPC API where it is not
+		// allowed to be written to the database.
+		nodes, err := h.db.ListNodes()
+		if err != nil {
+			return fmt.Errorf("loading nodes from database to validate policy: %w", err)
+		}
+
+		_, err = pol.CompileFilterRules(nodes)
+		if err != nil {
+			return fmt.Errorf("verifying policy rules: %w", err)
+		}
+
+		if len(nodes) > 0 {
+			_, err = pol.CompileSSHPolicy(nodes[0], nodes)
+			if err != nil {
+				return fmt.Errorf("verifying SSH rules: %w", err)
+			}
+		}
+
 	case types.PolicyModeDB:
 		p, err := h.db.GetPolicy()
 		if err != nil {

hscontrol/db/db.go

@@ -51,8 +51,8 @@ func NewHeadscaleDatabase(
 		dbConn,
 		gormigrate.DefaultOptions,
 		[]*gormigrate.Migration{
-			// New migrations should be added as transactions at the end of this list.
-			// The initial commit here is quite messy, completely out of order and
+			// New migrations must be added as transactions at the end of this list.
+			// The initial migration here is quite messy, completely out of order and
 			// has no versioning and is the tech debt of not having versioned migrations
 			// prior to this point. This first migration is all DB changes to bring a DB
 			// up to 0.23.0.
@@ -123,6 +123,13 @@ func NewHeadscaleDatabase(
 						}
 					}
 
+					// Remove any invalid routes associated with a node that does not exist.
+					if tx.Migrator().HasTable(&types.Route{}) && tx.Migrator().HasTable(&types.Node{}) {
+						err := tx.Exec("delete from routes where node_id not in (select id from nodes)").Error
+						if err != nil {
+							return err
+						}
+					}
 					err = tx.AutoMigrate(&types.Route{})
 					if err != nil {
 						return err
@@ -409,7 +416,7 @@ func NewHeadscaleDatabase(
 		},
 	)
 
-	if err = migrations.Migrate(); err != nil {
+	if err := runMigrations(cfg, dbConn, migrations); err != nil {
 		log.Fatal().Err(err).Msgf("Migration failed: %v", err)
 	}
 
@@ -426,7 +433,7 @@ func openDB(cfg types.DatabaseConfig) (*gorm.DB, error) {
 	// TODO(kradalby): Integrate this with zerolog
 	var dbLogger logger.Interface
 	if cfg.Debug {
-		dbLogger = logger.Default
+		dbLogger = util.NewDBLogWrapper(&log.Logger, cfg.Gorm.SlowThreshold, cfg.Gorm.SkipErrRecordNotFound, cfg.Gorm.ParameterizedQueries)
 	} else {
 		dbLogger = logger.Default.LogMode(logger.Silent)
 	}
@@ -447,7 +454,8 @@ func openDB(cfg types.DatabaseConfig) (*gorm.DB, error) {
 		db, err := gorm.Open(
 			sqlite.Open(cfg.Sqlite.Path),
 			&gorm.Config{
-				Logger: dbLogger,
+				PrepareStmt: cfg.Gorm.PrepareStmt,
+				Logger:      dbLogger,
 			},
 		)
 
@@ -532,6 +540,70 @@ func openDB(cfg types.DatabaseConfig) (*gorm.DB, error) {
 	)
 }
 
+func runMigrations(cfg types.DatabaseConfig, dbConn *gorm.DB, migrations *gormigrate.Gormigrate) error {
+	// Turn off foreign keys for the duration of the migration if using sqllite to
+	// prevent data loss due to the way the GORM migrator handles certain schema
+	// changes.
+	if cfg.Type == types.DatabaseSqlite {
+		var fkEnabled int
+		if err := dbConn.Raw("PRAGMA foreign_keys").Scan(&fkEnabled).Error; err != nil {
+			return fmt.Errorf("checking foreign key status: %w", err)
+		}
+		if fkEnabled == 1 {
+			if err := dbConn.Exec("PRAGMA foreign_keys = OFF").Error; err != nil {
+				return fmt.Errorf("disabling foreign keys: %w", err)
+			}
+			defer dbConn.Exec("PRAGMA foreign_keys = ON")
+		}
+	}
+
+	if err := migrations.Migrate(); err != nil {
+		return err
+	}
+
+	// Since we disabled foreign keys for the migration, we need to check for
+	// constraint violations manually at the end of the migration.
+	if cfg.Type == types.DatabaseSqlite {
+		type constraintViolation struct {
+			Table           string
+			RowID           int
+			Parent          string
+			ConstraintIndex int
+		}
+
+		var violatedConstraints []constraintViolation
+
+		rows, err := dbConn.Raw("PRAGMA foreign_key_check").Rows()
+		if err != nil {
+			return err
+		}
+
+		for rows.Next() {
+			var violation constraintViolation
+			if err := rows.Scan(&violation.Table, &violation.RowID, &violation.Parent, &violation.ConstraintIndex); err != nil {
+				return err
+			}
+
+			violatedConstraints = append(violatedConstraints, violation)
+		}
+		_ = rows.Close()
+
+		if len(violatedConstraints) > 0 {
+			for _, violation := range violatedConstraints {
+				log.Error().
+					Str("table", violation.Table).
+					Int("row_id", violation.RowID).
+					Str("parent", violation.Parent).
+					Msg("Foreign key constraint violated")
+			}
+
+			return fmt.Errorf("foreign key constraints violated")
+		}
+	}
+
+	return nil
+}
+
 func (hsdb *HSDatabase) PingDB(ctx context.Context) error {
 	ctx, cancel := context.WithTimeout(ctx, time.Second)
 	defer cancel()

hscontrol/db/db_test.go

@@ -0,0 +1,168 @@
+package db
+
+import (
+	"fmt"
+	"io"
+	"net/netip"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/stretchr/testify/assert"
+	"gorm.io/gorm"
+)
+
+func TestMigrations(t *testing.T) {
+	ipp := func(p string) types.IPPrefix {
+		return types.IPPrefix(netip.MustParsePrefix(p))
+	}
+	r := func(id uint64, p string, a, e, i bool) types.Route {
+		return types.Route{
+			NodeID:     id,
+			Prefix:     ipp(p),
+			Advertised: a,
+			Enabled:    e,
+			IsPrimary:  i,
+		}
+	}
+	tests := []struct {
+		dbPath   string
+		wantFunc func(*testing.T, *HSDatabase)
+		wantErr  string
+	}{
+		{
+			dbPath: "testdata/0-22-3-to-0-23-0-routes-are-dropped-2063.sqlite",
+			wantFunc: func(t *testing.T, h *HSDatabase) {
+				routes, err := Read(h.DB, func(rx *gorm.DB) (types.Routes, error) {
+					return GetRoutes(rx)
+				})
+				assert.NoError(t, err)
+
+				assert.Len(t, routes, 10)
+				want := types.Routes{
+					r(1, "0.0.0.0/0", true, true, false),
+					r(1, "::/0", true, true, false),
+					r(1, "10.9.110.0/24", true, true, true),
+					r(26, "172.100.100.0/24", true, true, true),
+					r(26, "172.100.100.0/24", true, false, false),
+					r(31, "0.0.0.0/0", true, true, false),
+					r(31, "0.0.0.0/0", true, false, false),
+					r(31, "::/0", true, true, false),
+					r(31, "::/0", true, false, false),
+					r(32, "192.168.0.24/32", true, true, true),
+				}
+				if diff := cmp.Diff(want, routes, cmpopts.IgnoreFields(types.Route{}, "Model", "Node"), cmp.Comparer(func(x, y types.IPPrefix) bool {
+					return x == y
+				})); diff != "" {
+					t.Errorf("TestMigrations() mismatch (-want +got):\n%s", diff)
+				}
+			},
+		},
+		{
+			dbPath: "testdata/0-22-3-to-0-23-0-routes-fail-foreign-key-2076.sqlite",
+			wantFunc: func(t *testing.T, h *HSDatabase) {
+				routes, err := Read(h.DB, func(rx *gorm.DB) (types.Routes, error) {
+					return GetRoutes(rx)
+				})
+				assert.NoError(t, err)
+
+				assert.Len(t, routes, 4)
+				want := types.Routes{
+					// These routes exists, but have no nodes associated with them
+					// when the migration starts.
+					// r(1, "0.0.0.0/0", true, true, false),
+					// r(1, "::/0", true, true, false),
+					// r(3, "0.0.0.0/0", true, true, false),
+					// r(3, "::/0", true, true, false),
+					// r(5, "0.0.0.0/0", true, true, false),
+					// r(5, "::/0", true, true, false),
+					// r(6, "0.0.0.0/0", true, true, false),
+					// r(6, "::/0", true, true, false),
+					// r(6, "10.0.0.0/8", true, false, false),
+					// r(7, "0.0.0.0/0", true, true, false),
+					// r(7, "::/0", true, true, false),
+					// r(7, "10.0.0.0/8", true, false, false),
+					// r(9, "0.0.0.0/0", true, true, false),
+					// r(9, "::/0", true, true, false),
+					// r(9, "10.0.0.0/8", true, true, false),
+					// r(11, "0.0.0.0/0", true, true, false),
+					// r(11, "::/0", true, true, false),
+					// r(11, "10.0.0.0/8", true, true, true),
+					// r(12, "0.0.0.0/0", true, true, false),
+					// r(12, "::/0", true, true, false),
+					// r(12, "10.0.0.0/8", true, false, false),
+					//
+					// These nodes exists, so routes should be kept.
+					r(13, "10.0.0.0/8", true, false, false),
+					r(13, "0.0.0.0/0", true, true, false),
+					r(13, "::/0", true, true, false),
+					r(13, "10.18.80.2/32", true, true, true),
+				}
+				if diff := cmp.Diff(want, routes, cmpopts.IgnoreFields(types.Route{}, "Model", "Node"), cmp.Comparer(func(x, y types.IPPrefix) bool {
+					return x == y
+				})); diff != "" {
+					t.Errorf("TestMigrations() mismatch (-want +got):\n%s", diff)
+				}
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.dbPath, func(t *testing.T) {
+			dbPath, err := testCopyOfDatabase(tt.dbPath)
+			if err != nil {
+				t.Fatalf("copying db for test: %s", err)
+			}
+
+			hsdb, err := NewHeadscaleDatabase(types.DatabaseConfig{
+				Type: "sqlite3",
+				Sqlite: types.SqliteConfig{
+					Path: dbPath,
+				},
+			}, "")
+			if err != nil && tt.wantErr != err.Error() {
+				t.Errorf("TestMigrations() unexpected error = %v, wantErr %v", err, tt.wantErr)
+			}
+
+			if tt.wantFunc != nil {
+				tt.wantFunc(t, hsdb)
+			}
+		})
+	}
+}
+
+func testCopyOfDatabase(src string) (string, error) {
+	sourceFileStat, err := os.Stat(src)
+	if err != nil {
+		return "", err
+	}
+
+	if !sourceFileStat.Mode().IsRegular() {
+		return "", fmt.Errorf("%s is not a regular file", src)
+	}
+
+	source, err := os.Open(src)
+	if err != nil {
+		return "", err
+	}
+	defer source.Close()
+
+	tmpDir, err := os.MkdirTemp("", "hsdb-test-*")
+	if err != nil {
+		return "", err
+	}
+
+	fn := filepath.Base(src)
+	dst := filepath.Join(tmpDir, fn)
+
+	destination, err := os.Create(dst)
+	if err != nil {
+		return "", err
+	}
+	defer destination.Close()
+	_, err = io.Copy(destination, source)
+	return dst, err
+}

hscontrol/db/node.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/netip"
 	"sort"
+	"sync"
 	"time"
 
 	"github.com/juanfont/headscale/hscontrol/types"
@@ -12,7 +13,6 @@ import (
 	"github.com/patrickmn/go-cache"
 	"github.com/puzpuzpuz/xsync/v3"
 	"github.com/rs/zerolog/log"
-	"github.com/sasha-s/go-deadlock"
 	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
@@ -724,7 +724,7 @@ func ExpireExpiredNodes(tx *gorm.DB,
 // It is used to delete ephemeral nodes that have disconnected and should be
 // cleaned up.
 type EphemeralGarbageCollector struct {
-	mu deadlock.Mutex
+	mu sync.Mutex
 
 	deleteFunc  func(types.NodeID)
 	toBeDeleted map[types.NodeID]*time.Timer
@@ -752,10 +752,9 @@ func (e *EphemeralGarbageCollector) Close() {
 // Schedule schedules a node for deletion after the expiry duration.
 func (e *EphemeralGarbageCollector) Schedule(nodeID types.NodeID, expiry time.Duration) {
 	e.mu.Lock()
-	defer e.mu.Unlock()
-
 	timer := time.NewTimer(expiry)
 	e.toBeDeleted[nodeID] = timer
+	e.mu.Unlock()
 
 	go func() {
 		select {

hscontrol/db/node_test.go

@@ -600,23 +600,31 @@ func (s *Suite) TestAutoApproveRoutes(c *check.C) {
 func TestEphemeralGarbageCollectorOrder(t *testing.T) {
 	want := []types.NodeID{1, 3}
 	got := []types.NodeID{}
+	var mu sync.Mutex
 
 	e := NewEphemeralGarbageCollector(func(ni types.NodeID) {
+		mu.Lock()
+		defer mu.Unlock()
 		got = append(got, ni)
 	})
 	go e.Start()
 
-	e.Schedule(1, 1*time.Second)
-	e.Schedule(2, 2*time.Second)
-	e.Schedule(3, 3*time.Second)
-	e.Schedule(4, 4*time.Second)
-	e.Cancel(2)
-	e.Cancel(4)
+	go e.Schedule(1, 1*time.Second)
+	go e.Schedule(2, 2*time.Second)
+	go e.Schedule(3, 3*time.Second)
+	go e.Schedule(4, 4*time.Second)
+
+	time.Sleep(time.Second)
+	go e.Cancel(2)
+	go e.Cancel(4)
 
 	time.Sleep(6 * time.Second)
 
 	e.Close()
 
+	mu.Lock()
+	defer mu.Unlock()
+
 	if diff := cmp.Diff(want, got); diff != "" {
 		t.Errorf("wrong nodes deleted, unexpected result (-want +got):\n%s", diff)
 	}
@@ -629,8 +637,8 @@ func TestEphemeralGarbageCollectorLoads(t *testing.T) {
 	want := 1000
 
 	e := NewEphemeralGarbageCollector(func(ni types.NodeID) {
-		defer mu.Unlock()
 		mu.Lock()
+		defer mu.Unlock()
 
 		time.Sleep(time.Duration(generateRandomNumber(t, 3)) * time.Millisecond)
 		got = append(got, ni)
@@ -644,6 +652,10 @@ func TestEphemeralGarbageCollectorLoads(t *testing.T) {
 	time.Sleep(10 * time.Second)
 
 	e.Close()
+
+	mu.Lock()
+	defer mu.Unlock()
+
 	if len(got) != want {
 		t.Errorf("expected %d, got %d", want, len(got))
 	}

hscontrol/derp/derp.go

@@ -125,10 +125,5 @@ func GetDERPMap(cfg types.DERPConfig) *tailcfg.DERPMap {
 
 	log.Trace().Interface("derpMap", derpMap).Msg("DERPMap loaded")
 
-	if len(derpMap.Regions) == 0 {
-		log.Warn().
-			Msg("DERP map is empty, not a single DERP map datasource was loaded correctly or contained a region")
-	}
-
 	return derpMap
 }

hscontrol/grpcv1.go

@@ -4,6 +4,7 @@ package hscontrol
 import (
 	"context"
 	"errors"
+	"fmt"
 	"io"
 	"os"
 	"sort"
@@ -692,7 +693,8 @@ func (api headscaleV1APIServer) GetPolicy(
 		}, nil
 	case types.PolicyModeFile:
 		// Read the file and return the contents as-is.
-		f, err := os.Open(api.h.cfg.Policy.Path)
+		absPath := util.AbsolutePathFromConfigPath(api.h.cfg.Policy.Path)
+		f, err := os.Open(absPath)
 		if err != nil {
 			return nil, err
 		}
@@ -720,9 +722,31 @@ func (api headscaleV1APIServer) SetPolicy(
 
 	p := request.GetPolicy()
 
-	valid, err := policy.LoadACLPolicyFromBytes([]byte(p))
+	pol, err := policy.LoadACLPolicyFromBytes([]byte(p))
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("loading ACL policy file: %w", err)
+	}
+
+	// Validate and reject configuration that would error when applied
+	// when creating a map response. This requires nodes, so there is still
+	// a scenario where they might be allowed if the server has no nodes
+	// yet, but it should help for the general case and for hot reloading
+	// configurations.
+	nodes, err := api.h.db.ListNodes()
+	if err != nil {
+		return nil, fmt.Errorf("loading nodes from database to validate policy: %w", err)
+	}
+
+	_, err = pol.CompileFilterRules(nodes)
+	if err != nil {
+		return nil, fmt.Errorf("verifying policy rules: %w", err)
+	}
+
+	if len(nodes) > 0 {
+		_, err = pol.CompileSSHPolicy(nodes[0], nodes)
+		if err != nil {
+			return nil, fmt.Errorf("verifying SSH rules: %w", err)
+		}
 	}
 
 	updated, err := api.h.db.SetPolicy(p)
@@ -730,7 +754,7 @@ func (api headscaleV1APIServer) SetPolicy(
 		return nil, err
 	}
 
-	api.h.ACLPolicy = valid
+	api.h.ACLPolicy = pol
 
 	ctx := types.NotifyCtx(context.Background(), "acl-update", "na")
 	api.h.nodeNotifier.NotifyAll(ctx, types.StateUpdate{

hscontrol/mapper/tail.go

@@ -36,8 +36,7 @@ func tailNodes(
 	return tNodes, nil
 }
 
-// tailNode converts a Node into a Tailscale Node. includeRoutes is false for shared nodes
-// as per the expected behaviour in the official SaaS.
+// tailNode converts a Node into a Tailscale Node.
 func tailNode(
 	node *types.Node,
 	capVer tailcfg.CapabilityVersion,

hscontrol/mapper/tail_test.go

@@ -55,12 +55,14 @@ func TestTailNode(t *testing.T) {
 		{
 			name: "empty-node",
 			node: &types.Node{
-				Hostinfo: &tailcfg.Hostinfo{},
+				GivenName: "empty",
+				Hostinfo:  &tailcfg.Hostinfo{},
 			},
 			pol:        &policy.ACLPolicy{},
 			dnsConfig:  &tailcfg.DNSConfig{},
 			baseDomain: "",
 			want: &tailcfg.Node{
+				Name:              "empty",
 				StableID:          "0",
 				Addresses:         []netip.Prefix{},
 				AllowedIPs:        []netip.Prefix{},

hscontrol/noise.go

@@ -166,7 +166,7 @@ func (ns *noiseServer) earlyNoise(protocolVersion int, writer io.Writer) error {
 }
 
 const (
-	MinimumCapVersion tailcfg.CapabilityVersion = 58
+	MinimumCapVersion tailcfg.CapabilityVersion = 61
 )
 
 // NoisePollNetMapHandler takes care of /machine/:id/map using the Noise protocol

hscontrol/oidc.go

@@ -526,7 +526,17 @@ func (h *Headscale) validateNodeForOIDCCallback(
 			util.LogErr(err, "Failed to write response")
 		}
 
-		ctx := types.NotifyCtx(context.Background(), "oidc-expiry", "na")
+		ctx := types.NotifyCtx(context.Background(), "oidc-expiry-self", node.Hostname)
+		h.nodeNotifier.NotifyByNodeID(
+			ctx,
+			types.StateUpdate{
+				Type:        types.StateSelfUpdate,
+				ChangeNodes: []types.NodeID{node.ID},
+			},
+			node.ID,
+		)
+
+		ctx = types.NotifyCtx(context.Background(), "oidc-expiry-peers", node.Hostname)
 		h.nodeNotifier.NotifyWithIgnore(ctx, types.StateUpdateExpire(node.ID, expiry), node.ID)
 
 		return nil, true, nil

hscontrol/types/config.go

@@ -20,6 +20,7 @@ import (
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/dnstype"
+	"tailscale.com/util/set"
 )
 
 const (
@@ -88,6 +89,20 @@ type Config struct {
 	Tuning Tuning
 }
 
+type DNSConfig struct {
+	MagicDNS           bool   `mapstructure:"magic_dns"`
+	BaseDomain         string `mapstructure:"base_domain"`
+	Nameservers        Nameservers
+	SearchDomains      []string            `mapstructure:"search_domains"`
+	ExtraRecords       []tailcfg.DNSRecord `mapstructure:"extra_records"`
+	UserNameInMagicDNS bool                `mapstructure:"use_username_in_magic_dns"`
+}
+
+type Nameservers struct {
+	Global []string
+	Split  map[string][]string
+}
+
 type SqliteConfig struct {
 	Path          string
 	WriteAheadLog bool
@@ -105,11 +120,22 @@ type PostgresConfig struct {
 	ConnMaxIdleTimeSecs int
 }
 
+type GormConfig struct {
+	Debug                 bool
+	SlowThreshold         time.Duration
+	SkipErrRecordNotFound bool
+	ParameterizedQueries  bool
+	PrepareStmt           bool
+}
+
 type DatabaseConfig struct {
 	// Type sets the database type, either "sqlite3" or "postgres"
 	Type  string
 	Debug bool
 
+	// Type sets the gorm configuration
+	Gorm GormConfig
+
 	Sqlite   SqliteConfig
 	Postgres PostgresConfig
 }
@@ -201,7 +227,8 @@ func LoadConfig(path string, isFile bool) error {
 		}
 	}
 
-	viper.SetEnvPrefix("headscale")
+	envPrefix := "headscale"
+	viper.SetEnvPrefix(envPrefix)
 	viper.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
 	viper.AutomaticEnv()
 
@@ -213,9 +240,12 @@ func LoadConfig(path string, isFile bool) error {
 	viper.SetDefault("log.level", "info")
 	viper.SetDefault("log.format", TextLogFormat)
 
-	viper.SetDefault("dns_config", nil)
-	viper.SetDefault("dns_config.override_local_dns", true)
-	viper.SetDefault("dns_config.use_username_in_magic_dns", false)
+	viper.SetDefault("dns.magic_dns", true)
+	viper.SetDefault("dns.base_domain", "")
+	viper.SetDefault("dns.nameservers.global", []string{})
+	viper.SetDefault("dns.nameservers.split", map[string]string{})
+	viper.SetDefault("dns.search_domains", []string{})
+	viper.SetDefault("dns.extra_records", []tailcfg.DNSRecord{})
 
 	viper.SetDefault("derp.server.enabled", false)
 	viper.SetDefault("derp.server.stun.enabled", true)
@@ -259,17 +289,33 @@ func LoadConfig(path string, isFile bool) error {
 	}
 
 	if err := viper.ReadInConfig(); err != nil {
-		log.Warn().Err(err).Msg("Failed to read configuration from disk")
-
 		return fmt.Errorf("fatal error reading config file: %w", err)
 	}
 
+	depr := deprecator{
+		warns:  make(set.Set[string]),
+		fatals: make(set.Set[string]),
+	}
+
 	// Register aliases for backward compatibility
 	// Has to be called _after_ viper.ReadInConfig()
 	// https://github.com/spf13/viper/issues/560
 
 	// Alias the old ACL Policy path with the new configuration option.
-	registerAliasAndDeprecate("policy.path", "acl_policy_path")
+	depr.fatalIfNewKeyIsNotUsed("policy.path", "acl_policy_path")
+
+	// Move dns_config -> dns
+	depr.warn("dns_config.override_local_dns")
+	depr.fatalIfNewKeyIsNotUsed("dns.magic_dns", "dns_config.magic_dns")
+	depr.fatalIfNewKeyIsNotUsed("dns.base_domain", "dns_config.base_domain")
+	depr.fatalIfNewKeyIsNotUsed("dns.nameservers.global", "dns_config.nameservers")
+	depr.fatalIfNewKeyIsNotUsed("dns.nameservers.split", "dns_config.restricted_nameservers")
+	depr.fatalIfNewKeyIsNotUsed("dns.search_domains", "dns_config.domains")
+	depr.fatalIfNewKeyIsNotUsed("dns.extra_records", "dns_config.extra_records")
+	depr.warn("dns_config.use_username_in_magic_dns")
+	depr.warn("dns.use_username_in_magic_dns")
+
+	depr.Log()
 
 	// Collect any validation errors and return them all at once
 	var errorText string
@@ -450,6 +496,11 @@ func GetDatabaseConfig() DatabaseConfig {
 
 	type_ := viper.GetString("database.type")
 
+	skipErrRecordNotFound := viper.GetBool("database.gorm.skip_err_record_not_found")
+	slowThreshold := viper.GetDuration("database.gorm.slow_threshold") * time.Millisecond
+	parameterizedQueries := viper.GetBool("database.gorm.parameterized_queries")
+	prepareStmt := viper.GetBool("database.gorm.prepare_stmt")
+
 	switch type_ {
 	case DatabaseSqlite, DatabasePostgres:
 		break
@@ -463,6 +514,13 @@ func GetDatabaseConfig() DatabaseConfig {
 	return DatabaseConfig{
 		Type:  type_,
 		Debug: debug,
+		Gorm: GormConfig{
+			Debug:                 debug,
+			SkipErrRecordNotFound: skipErrRecordNotFound,
+			SlowThreshold:         slowThreshold,
+			ParameterizedQueries:  parameterizedQueries,
+			PrepareStmt:           prepareStmt,
+		},
 		Sqlite: SqliteConfig{
 			Path: util.AbsolutePathFromConfigPath(
 				viper.GetString("database.sqlite.path"),
@@ -485,123 +543,135 @@ func GetDatabaseConfig() DatabaseConfig {
 	}
 }
 
-func GetDNSConfig() (*tailcfg.DNSConfig, string) {
-	if viper.IsSet("dns_config") {
-		dnsConfig := &tailcfg.DNSConfig{}
+func DNS() (DNSConfig, error) {
+	var dns DNSConfig
 
-		overrideLocalDNS := viper.GetBool("dns_config.override_local_dns")
+	// TODO: Use this instead of manually getting settings when
+	// UnmarshalKey is compatible with Environment Variables.
+	// err := viper.UnmarshalKey("dns", &dns)
+	// if err != nil {
+	// 	return DNSConfig{}, fmt.Errorf("unmarshaling dns config: %w", err)
+	// }
 
-		if viper.IsSet("dns_config.nameservers") {
-			nameserversStr := viper.GetStringSlice("dns_config.nameservers")
+	dns.MagicDNS = viper.GetBool("dns.magic_dns")
+	dns.BaseDomain = viper.GetString("dns.base_domain")
+	dns.Nameservers.Global = viper.GetStringSlice("dns.nameservers.global")
+	dns.Nameservers.Split = viper.GetStringMapStringSlice("dns.nameservers.split")
+	dns.SearchDomains = viper.GetStringSlice("dns.search_domains")
 
-			nameservers := []netip.Addr{}
-			resolvers := []*dnstype.Resolver{}
+	if viper.IsSet("dns.extra_records") {
+		var extraRecords []tailcfg.DNSRecord
 
-			for _, nameserverStr := range nameserversStr {
-				// Search for explicit DNS-over-HTTPS resolvers
-				if strings.HasPrefix(nameserverStr, "https://") {
-					resolvers = append(resolvers, &dnstype.Resolver{
-						Addr: nameserverStr,
-					})
-
-					// This nameserver can not be parsed as an IP address
-					continue
-				}
-
-				// Parse nameserver as a regular IP
-				nameserver, err := netip.ParseAddr(nameserverStr)
-				if err != nil {
-					log.Error().
-						Str("func", "getDNSConfig").
-						Err(err).
-						Msgf("Could not parse nameserver IP: %s", nameserverStr)
-				}
-
-				nameservers = append(nameservers, nameserver)
-				resolvers = append(resolvers, &dnstype.Resolver{
-					Addr: nameserver.String(),
-				})
-			}
-
-			dnsConfig.Nameservers = nameservers
-
-			if overrideLocalDNS {
-				dnsConfig.Resolvers = resolvers
-			} else {
-				dnsConfig.FallbackResolvers = resolvers
-			}
+		err := viper.UnmarshalKey("dns.extra_records", &extraRecords)
+		if err != nil {
+			return DNSConfig{}, fmt.Errorf("unmarshaling dns extra records: %w", err)
 		}
 
-		if viper.IsSet("dns_config.restricted_nameservers") {
-			dnsConfig.Routes = make(map[string][]*dnstype.Resolver)
-			domains := []string{}
-			restrictedDNS := viper.GetStringMapStringSlice(
-				"dns_config.restricted_nameservers",
-			)
-			for domain, restrictedNameservers := range restrictedDNS {
-				restrictedResolvers := make(
-					[]*dnstype.Resolver,
-					len(restrictedNameservers),
-				)
-				for index, nameserverStr := range restrictedNameservers {
-					nameserver, err := netip.ParseAddr(nameserverStr)
-					if err != nil {
-						log.Error().
-							Str("func", "getDNSConfig").
-							Err(err).
-							Msgf("Could not parse restricted nameserver IP: %s", nameserverStr)
-					}
-					restrictedResolvers[index] = &dnstype.Resolver{
-						Addr: nameserver.String(),
-					}
-				}
-				dnsConfig.Routes[domain] = restrictedResolvers
-				domains = append(domains, domain)
-			}
-			dnsConfig.Domains = domains
-		}
-
-		if viper.IsSet("dns_config.extra_records") {
-			var extraRecords []tailcfg.DNSRecord
-
-			err := viper.UnmarshalKey("dns_config.extra_records", &extraRecords)
-			if err != nil {
-				log.Error().
-					Str("func", "getDNSConfig").
-					Err(err).
-					Msgf("Could not parse dns_config.extra_records")
-			}
-
-			dnsConfig.ExtraRecords = extraRecords
-		}
-
-		if viper.IsSet("dns_config.magic_dns") {
-			dnsConfig.Proxied = viper.GetBool("dns_config.magic_dns")
-		}
-
-		var baseDomain string
-		if viper.IsSet("dns_config.base_domain") {
-			baseDomain = viper.GetString("dns_config.base_domain")
-		} else {
-			baseDomain = "headscale.net" // does not really matter when MagicDNS is not enabled
-		}
-
-		if !viper.GetBool("dns_config.use_username_in_magic_dns") {
-			dnsConfig.Domains = []string{baseDomain}
-		} else {
-			log.Warn().Msg("DNS: Usernames in DNS has been deprecated, this option will be remove in future versions")
-			log.Warn().Msg("DNS: see 0.23.0 changelog for more information.")
-		}
-
-		if domains := viper.GetStringSlice("dns_config.domains"); len(domains) > 0 {
-			dnsConfig.Domains = append(dnsConfig.Domains, domains...)
-		}
-
-		log.Trace().Interface("dns_config", dnsConfig).Msg("DNS configuration loaded")
-		return dnsConfig, baseDomain
+		dns.ExtraRecords = extraRecords
 	}
 
-	return nil, ""
+	dns.UserNameInMagicDNS = viper.GetBool("dns.use_username_in_magic_dns")
+
+	return dns, nil
+}
+
+// GlobalResolvers returns the global DNS resolvers
+// defined in the config file.
+// If a nameserver is a valid IP, it will be used as a regular resolver.
+// If a nameserver is a valid URL, it will be used as a DoH resolver.
+// If a nameserver is neither a valid URL nor a valid IP, it will be ignored.
+func (d *DNSConfig) GlobalResolvers() []*dnstype.Resolver {
+	var resolvers []*dnstype.Resolver
+
+	for _, nsStr := range d.Nameservers.Global {
+		warn := ""
+		if _, err := netip.ParseAddr(nsStr); err == nil {
+			resolvers = append(resolvers, &dnstype.Resolver{
+				Addr: nsStr,
+			})
+
+			continue
+		} else {
+			warn = fmt.Sprintf("Invalid global nameserver %q. Parsing error: %s ignoring", nsStr, err)
+		}
+
+		if _, err := url.Parse(nsStr); err == nil {
+			resolvers = append(resolvers, &dnstype.Resolver{
+				Addr: nsStr,
+			})
+
+			continue
+		} else {
+			warn = fmt.Sprintf("Invalid global nameserver %q. Parsing error: %s ignoring", nsStr, err)
+		}
+
+		if warn != "" {
+			log.Warn().Msg(warn)
+		}
+	}
+
+	return resolvers
+}
+
+// SplitResolvers returns a map of domain to DNS resolvers.
+// If a nameserver is a valid IP, it will be used as a regular resolver.
+// If a nameserver is a valid URL, it will be used as a DoH resolver.
+// If a nameserver is neither a valid URL nor a valid IP, it will be ignored.
+func (d *DNSConfig) SplitResolvers() map[string][]*dnstype.Resolver {
+	routes := make(map[string][]*dnstype.Resolver)
+	for domain, nameservers := range d.Nameservers.Split {
+		var resolvers []*dnstype.Resolver
+		for _, nsStr := range nameservers {
+			warn := ""
+			if _, err := netip.ParseAddr(nsStr); err == nil {
+				resolvers = append(resolvers, &dnstype.Resolver{
+					Addr: nsStr,
+				})
+
+				continue
+			} else {
+				warn = fmt.Sprintf("Invalid split dns nameserver %q. Parsing error: %s ignoring", nsStr, err)
+			}
+
+			if _, err := url.Parse(nsStr); err == nil {
+				resolvers = append(resolvers, &dnstype.Resolver{
+					Addr: nsStr,
+				})
+
+				continue
+			} else {
+				warn = fmt.Sprintf("Invalid split dns nameserver %q. Parsing error: %s ignoring", nsStr, err)
+			}
+
+			if warn != "" {
+				log.Warn().Msg(warn)
+			}
+		}
+		routes[domain] = resolvers
+	}
+
+	return routes
+}
+
+func DNSToTailcfgDNS(dns DNSConfig) *tailcfg.DNSConfig {
+	cfg := tailcfg.DNSConfig{}
+
+	if dns.BaseDomain == "" && dns.MagicDNS {
+		log.Fatal().Msg("dns.base_domain must be set when using MagicDNS (dns.magic_dns)")
+	}
+
+	cfg.Proxied = dns.MagicDNS
+	cfg.ExtraRecords = dns.ExtraRecords
+	cfg.Resolvers = dns.GlobalResolvers()
+
+	routes := dns.SplitResolvers()
+	cfg.Routes = routes
+	if dns.BaseDomain != "" {
+		cfg.Domains = []string{dns.BaseDomain}
+	}
+	cfg.Domains = append(cfg.Domains, dns.SearchDomains...)
+
+	return &cfg
 }
 
 func PrefixV4() (*netip.Prefix, error) {
@@ -693,7 +763,11 @@ func GetHeadscaleConfig() (*Config, error) {
 		return nil, fmt.Errorf("config error, prefixes.allocation is set to %s, which is not a valid strategy, allowed options: %s, %s", allocStr, IPAllocationStrategySequential, IPAllocationStrategyRandom)
 	}
 
-	dnsConfig, baseDomain := GetDNSConfig()
+	dnsConfig, err := DNS()
+	if err != nil {
+		return nil, err
+	}
+
 	derpConfig := GetDERPConfig()
 	logTailConfig := GetLogTailConfig()
 	randomizeClientPort := viper.GetBool("randomize_client_port")
@@ -711,8 +785,23 @@ func GetHeadscaleConfig() (*Config, error) {
 		oidcClientSecret = strings.TrimSpace(string(secretBytes))
 	}
 
+	serverURL := viper.GetString("server_url")
+
+	// BaseDomain cannot be the same as the server URL.
+	// This is because Tailscale takes over the domain in BaseDomain,
+	// causing the headscale server and DERP to be unreachable.
+	// For Tailscale upstream, the following is true:
+	// - DERP run on their own domains
+	// - Control plane runs on login.tailscale.com/controlplane.tailscale.com
+	// - MagicDNS (BaseDomain) for users is on a *.ts.net domain per tailnet (e.g. tail-scale.ts.net)
+	//
+	// TODO(kradalby): remove dnsConfig.UserNameInMagicDNS check when removed.
+	if !dnsConfig.UserNameInMagicDNS && dnsConfig.BaseDomain != "" && strings.Contains(serverURL, dnsConfig.BaseDomain) {
+		return nil, errors.New("server_url cannot contain the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node.")
+	}
+
 	return &Config{
-		ServerURL:          viper.GetString("server_url"),
+		ServerURL:          serverURL,
 		Addr:               viper.GetString("listen_addr"),
 		MetricsAddr:        viper.GetString("metrics_listen_addr"),
 		GRPCAddr:           viper.GetString("grpc_listen_addr"),
@@ -726,7 +815,7 @@ func GetHeadscaleConfig() (*Config, error) {
 		NoisePrivateKeyPath: util.AbsolutePathFromConfigPath(
 			viper.GetString("noise.private_key_path"),
 		),
-		BaseDomain: baseDomain,
+		BaseDomain: dnsConfig.BaseDomain,
 
 		DERP: derpConfig,
 
@@ -738,8 +827,8 @@ func GetHeadscaleConfig() (*Config, error) {
 
 		TLS: GetTLSConfig(),
 
-		DNSConfig:             dnsConfig,
-		DNSUserNameInMagicDNS: viper.GetBool("dns_config.use_username_in_magic_dns"),
+		DNSConfig:             DNSToTailcfgDNS(dnsConfig),
+		DNSUserNameInMagicDNS: dnsConfig.UserNameInMagicDNS,
 
 		ACMEEmail: viper.GetString("acme_email"),
 		ACMEURL:   viper.GetString("acme_url"),
@@ -805,19 +894,70 @@ func IsCLIConfigured() bool {
 	return viper.GetString("cli.address") != "" && viper.GetString("cli.api_key") != ""
 }
 
-// registerAliasAndDeprecate will register an alias between the newKey and the oldKey,
+type deprecator struct {
+	warns  set.Set[string]
+	fatals set.Set[string]
+}
+
+// warnWithAlias will register an alias between the newKey and the oldKey,
 // and log a deprecation warning if the oldKey is set.
-func registerAliasAndDeprecate(newKey, oldKey string) {
+func (d *deprecator) warnWithAlias(newKey, oldKey string) {
 	// NOTE: RegisterAlias is called with NEW KEY -> OLD KEY
 	viper.RegisterAlias(newKey, oldKey)
 	if viper.IsSet(oldKey) {
-		log.Warn().Msgf("The %q configuration key is deprecated. Please use %q instead. %q will be removed in the future.", oldKey, newKey, oldKey)
+		d.warns.Add(fmt.Sprintf("The %q configuration key is deprecated. Please use %q instead. %q will be removed in the future.", oldKey, newKey, oldKey))
 	}
 }
 
-// deprecateAndFatal will log a fatal deprecation warning if the oldKey is set.
-func deprecateAndFatal(newKey, oldKey string) {
+// fatal deprecates and adds an entry to the fatal list of options if the oldKey is set.
+func (d *deprecator) fatal(newKey, oldKey string) {
 	if viper.IsSet(oldKey) {
-		log.Fatal().Msgf("The %q configuration key is deprecated. Please use %q instead. %q has been removed.", oldKey, newKey, oldKey)
+		d.fatals.Add(fmt.Sprintf("The %q configuration key is deprecated. Please use %q instead. %q has been removed.", oldKey, newKey, oldKey))
+	}
+}
+
+// fatalIfNewKeyIsNotUsed deprecates and adds an entry to the fatal list of options if the oldKey is set and the new key is _not_ set.
+// If the new key is set, a warning is emitted instead.
+func (d *deprecator) fatalIfNewKeyIsNotUsed(newKey, oldKey string) {
+	if viper.IsSet(oldKey) && !viper.IsSet(newKey) {
+		d.fatals.Add(fmt.Sprintf("The %q configuration key is deprecated. Please use %q instead. %q has been removed.", oldKey, newKey, oldKey))
+	} else if viper.IsSet(oldKey) {
+		d.warns.Add(fmt.Sprintf("The %q configuration key is deprecated. Please use %q instead. %q has been removed.", oldKey, newKey, oldKey))
+	}
+}
+
+// warn deprecates and adds an option to log a warning if the oldKey is set.
+func (d *deprecator) warnNoAlias(newKey, oldKey string) {
+	if viper.IsSet(oldKey) {
+		d.warns.Add(fmt.Sprintf("The %q configuration key is deprecated. Please use %q instead. %q has been removed.", oldKey, newKey, oldKey))
+	}
+}
+
+// warn deprecates and adds an entry to the warn list of options if the oldKey is set.
+func (d *deprecator) warn(oldKey string) {
+	if viper.IsSet(oldKey) {
+		d.warns.Add(fmt.Sprintf("The %q configuration key is deprecated and has been removed. Please see the changelog for more details.", oldKey))
+	}
+}
+
+func (d *deprecator) String() string {
+	var b strings.Builder
+
+	for _, w := range d.warns.Slice() {
+		fmt.Fprintf(&b, "WARN: %s\n", w)
+	}
+
+	for _, f := range d.fatals.Slice() {
+		fmt.Fprintf(&b, "FATAL: %s\n", f)
+	}
+
+	return b.String()
+}
+
+func (d *deprecator) Log() {
+	if len(d.fatals) > 0 {
+		log.Fatal().Msg("\n" + d.String())
+	} else if len(d.warns) > 0 {
+		log.Warn().Msg("\n" + d.String())
 	}
 }

hscontrol/types/config_test.go

@@ -0,0 +1,291 @@
+package types
+
+import (
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+	"github.com/spf13/viper"
+	"github.com/stretchr/testify/assert"
+	"tailscale.com/tailcfg"
+	"tailscale.com/types/dnstype"
+)
+
+func TestReadConfig(t *testing.T) {
+	tests := []struct {
+		name       string
+		configPath string
+		setup      func(*testing.T) (any, error)
+		want       any
+		wantErr    string
+	}{
+		{
+			name:       "unmarshal-dns-full-config",
+			configPath: "testdata/dns_full.yaml",
+			setup: func(t *testing.T) (any, error) {
+				dns, err := DNS()
+				if err != nil {
+					return nil, err
+				}
+
+				return dns, nil
+			},
+			want: DNSConfig{
+				MagicDNS:   true,
+				BaseDomain: "example.com",
+				Nameservers: Nameservers{
+					Global: []string{"1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001", "https://dns.nextdns.io/abc123"},
+					Split:  map[string][]string{"darp.headscale.net": {"1.1.1.1", "8.8.8.8"}, "foo.bar.com": {"1.1.1.1"}},
+				},
+				ExtraRecords: []tailcfg.DNSRecord{
+					{Name: "grafana.myvpn.example.com", Type: "A", Value: "100.64.0.3"},
+					{Name: "prometheus.myvpn.example.com", Type: "A", Value: "100.64.0.4"},
+				},
+				SearchDomains:      []string{"test.com", "bar.com"},
+				UserNameInMagicDNS: true,
+			},
+		},
+		{
+			name:       "dns-to-tailcfg.DNSConfig",
+			configPath: "testdata/dns_full.yaml",
+			setup: func(t *testing.T) (any, error) {
+				dns, err := DNS()
+				if err != nil {
+					return nil, err
+				}
+
+				return DNSToTailcfgDNS(dns), nil
+			},
+			want: &tailcfg.DNSConfig{
+				Proxied: true,
+				Domains: []string{"example.com", "test.com", "bar.com"},
+				Resolvers: []*dnstype.Resolver{
+					{Addr: "1.1.1.1"},
+					{Addr: "1.0.0.1"},
+					{Addr: "2606:4700:4700::1111"},
+					{Addr: "2606:4700:4700::1001"},
+					{Addr: "https://dns.nextdns.io/abc123"},
+				},
+				Routes: map[string][]*dnstype.Resolver{
+					"darp.headscale.net": {{Addr: "1.1.1.1"}, {Addr: "8.8.8.8"}},
+					"foo.bar.com":        {{Addr: "1.1.1.1"}},
+				},
+				ExtraRecords: []tailcfg.DNSRecord{
+					{Name: "grafana.myvpn.example.com", Type: "A", Value: "100.64.0.3"},
+					{Name: "prometheus.myvpn.example.com", Type: "A", Value: "100.64.0.4"},
+				},
+			},
+		},
+		{
+			name:       "unmarshal-dns-full-no-magic",
+			configPath: "testdata/dns_full_no_magic.yaml",
+			setup: func(t *testing.T) (any, error) {
+				dns, err := DNS()
+				if err != nil {
+					return nil, err
+				}
+
+				return dns, nil
+			},
+			want: DNSConfig{
+				MagicDNS:   false,
+				BaseDomain: "example.com",
+				Nameservers: Nameservers{
+					Global: []string{"1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001", "https://dns.nextdns.io/abc123"},
+					Split:  map[string][]string{"darp.headscale.net": {"1.1.1.1", "8.8.8.8"}, "foo.bar.com": {"1.1.1.1"}},
+				},
+				ExtraRecords: []tailcfg.DNSRecord{
+					{Name: "grafana.myvpn.example.com", Type: "A", Value: "100.64.0.3"},
+					{Name: "prometheus.myvpn.example.com", Type: "A", Value: "100.64.0.4"},
+				},
+				SearchDomains:      []string{"test.com", "bar.com"},
+				UserNameInMagicDNS: true,
+			},
+		},
+		{
+			name:       "dns-to-tailcfg.DNSConfig",
+			configPath: "testdata/dns_full_no_magic.yaml",
+			setup: func(t *testing.T) (any, error) {
+				dns, err := DNS()
+				if err != nil {
+					return nil, err
+				}
+
+				return DNSToTailcfgDNS(dns), nil
+			},
+			want: &tailcfg.DNSConfig{
+				Proxied: false,
+				Domains: []string{"example.com", "test.com", "bar.com"},
+				Resolvers: []*dnstype.Resolver{
+					{Addr: "1.1.1.1"},
+					{Addr: "1.0.0.1"},
+					{Addr: "2606:4700:4700::1111"},
+					{Addr: "2606:4700:4700::1001"},
+					{Addr: "https://dns.nextdns.io/abc123"},
+				},
+				Routes: map[string][]*dnstype.Resolver{
+					"darp.headscale.net": {{Addr: "1.1.1.1"}, {Addr: "8.8.8.8"}},
+					"foo.bar.com":        {{Addr: "1.1.1.1"}},
+				},
+				ExtraRecords: []tailcfg.DNSRecord{
+					{Name: "grafana.myvpn.example.com", Type: "A", Value: "100.64.0.3"},
+					{Name: "prometheus.myvpn.example.com", Type: "A", Value: "100.64.0.4"},
+				},
+			},
+		},
+		{
+			name:       "base-domain-in-server-url-err",
+			configPath: "testdata/base-domain-in-server-url.yaml",
+			setup: func(t *testing.T) (any, error) {
+				return GetHeadscaleConfig()
+			},
+			want:    nil,
+			wantErr: "server_url cannot contain the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node.",
+		},
+		{
+			name:       "base-domain-not-in-server-url",
+			configPath: "testdata/base-domain-not-in-server-url.yaml",
+			setup: func(t *testing.T) (any, error) {
+				cfg, err := GetHeadscaleConfig()
+				if err != nil {
+					return nil, err
+				}
+
+				return map[string]string{
+					"server_url":  cfg.ServerURL,
+					"base_domain": cfg.BaseDomain,
+				}, err
+			},
+			want: map[string]string{
+				"server_url":  "https://derp.no",
+				"base_domain": "clients.derp.no",
+			},
+			wantErr: "",
+		},
+		{
+			name:       "policy-path-is-loaded",
+			configPath: "testdata/policy-path-is-loaded.yaml",
+			setup: func(t *testing.T) (any, error) {
+				cfg, err := GetHeadscaleConfig()
+				if err != nil {
+					return nil, err
+				}
+
+				return map[string]string{
+					"policy.mode": string(cfg.Policy.Mode),
+					"policy.path": cfg.Policy.Path,
+				}, err
+			},
+			want: map[string]string{
+				"policy.mode": "file",
+				"policy.path": "/etc/policy.hujson",
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			viper.Reset()
+			err := LoadConfig(tt.configPath, true)
+			assert.NoError(t, err)
+
+			conf, err := tt.setup(t)
+
+			if tt.wantErr != "" {
+				assert.Equal(t, tt.wantErr, err.Error())
+
+				return
+			}
+
+			assert.NoError(t, err)
+
+			if diff := cmp.Diff(tt.want, conf); diff != "" {
+				t.Errorf("ReadConfig() mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}
+
+func TestReadConfigFromEnv(t *testing.T) {
+	tests := []struct {
+		name      string
+		configEnv map[string]string
+		setup     func(*testing.T) (any, error)
+		want      any
+	}{
+		{
+			name: "test-random-base-settings-with-env",
+			configEnv: map[string]string{
+				"HEADSCALE_LOG_LEVEL":                       "trace",
+				"HEADSCALE_DATABASE_SQLITE_WRITE_AHEAD_LOG": "false",
+				"HEADSCALE_PREFIXES_V4":                     "100.64.0.0/10",
+			},
+			setup: func(t *testing.T) (any, error) {
+				t.Logf("all settings: %#v", viper.AllSettings())
+
+				assert.Equal(t, "trace", viper.GetString("log.level"))
+				assert.Equal(t, "100.64.0.0/10", viper.GetString("prefixes.v4"))
+				assert.False(t, viper.GetBool("database.sqlite.write_ahead_log"))
+				return nil, nil
+			},
+			want: nil,
+		},
+		{
+			name: "unmarshal-dns-full-config",
+			configEnv: map[string]string{
+				"HEADSCALE_DNS_MAGIC_DNS":                 "true",
+				"HEADSCALE_DNS_BASE_DOMAIN":               "example.com",
+				"HEADSCALE_DNS_NAMESERVERS_GLOBAL":        `1.1.1.1 8.8.8.8`,
+				"HEADSCALE_DNS_SEARCH_DOMAINS":            "test.com bar.com",
+				"HEADSCALE_DNS_USE_USERNAME_IN_MAGIC_DNS": "true",
+
+				// TODO(kradalby): Figure out how to pass these as env vars
+				// "HEADSCALE_DNS_NAMESERVERS_SPLIT":  `{foo.bar.com: ["1.1.1.1"]}`,
+				// "HEADSCALE_DNS_EXTRA_RECORDS":      `[{ name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.4" }]`,
+			},
+			setup: func(t *testing.T) (any, error) {
+				t.Logf("all settings: %#v", viper.AllSettings())
+
+				dns, err := DNS()
+				if err != nil {
+					return nil, err
+				}
+
+				return dns, nil
+			},
+			want: DNSConfig{
+				MagicDNS:   true,
+				BaseDomain: "example.com",
+				Nameservers: Nameservers{
+					Global: []string{"1.1.1.1", "8.8.8.8"},
+					Split:  map[string][]string{
+						// "foo.bar.com": {"1.1.1.1"},
+					},
+				},
+				ExtraRecords: []tailcfg.DNSRecord{
+					// {Name: "prometheus.myvpn.example.com", Type: "A", Value: "100.64.0.4"},
+				},
+				SearchDomains:      []string{"test.com", "bar.com"},
+				UserNameInMagicDNS: true,
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			for k, v := range tt.configEnv {
+				t.Setenv(k, v)
+			}
+
+			viper.Reset()
+			err := LoadConfig("testdata/minimal.yaml", true)
+			assert.NoError(t, err)
+
+			conf, err := tt.setup(t)
+			assert.NoError(t, err)
+
+			if diff := cmp.Diff(tt.want, conf); diff != "" {
+				t.Errorf("ReadConfig() mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}

hscontrol/types/node.go

@@ -394,40 +394,39 @@ func (node *Node) Proto() *v1.Node {
 }
 
 func (node *Node) GetFQDN(cfg *Config, baseDomain string) (string, error) {
-	var hostname string
-	if cfg.DNSConfig != nil && cfg.DNSConfig.Proxied { // MagicDNS
-		if node.GivenName == "" {
-			return "", fmt.Errorf("failed to create valid FQDN: %w", ErrNodeHasNoGivenName)
-		}
+	if node.GivenName == "" {
+		return "", fmt.Errorf("failed to create valid FQDN: %w", ErrNodeHasNoGivenName)
+	}
 
+	hostname := node.GivenName
+
+	if baseDomain != "" {
 		hostname = fmt.Sprintf(
 			"%s.%s",
 			node.GivenName,
 			baseDomain,
 		)
+	}
 
-		if cfg.DNSUserNameInMagicDNS {
-			if node.User.Name == "" {
-				return "", fmt.Errorf("failed to create valid FQDN: %w", ErrNodeUserHasNoName)
-			}
-
-			hostname = fmt.Sprintf(
-				"%s.%s.%s",
-				node.GivenName,
-				node.User.Name,
-				baseDomain,
-			)
+	if cfg.DNSUserNameInMagicDNS {
+		if node.User.Name == "" {
+			return "", fmt.Errorf("failed to create valid FQDN: %w", ErrNodeUserHasNoName)
 		}
 
-		if len(hostname) > MaxHostnameLength {
-			return "", fmt.Errorf(
-				"failed to create valid FQDN (%s): %w",
-				hostname,
-				ErrHostnameTooLong,
-			)
-		}
-	} else {
-		hostname = node.GivenName
+		hostname = fmt.Sprintf(
+			"%s.%s.%s",
+			node.GivenName,
+			node.User.Name,
+			baseDomain,
+		)
+	}
+
+	if len(hostname) > MaxHostnameLength {
+		return "", fmt.Errorf(
+			"failed to create valid FQDN (%s): %w",
+			hostname,
+			ErrHostnameTooLong,
+		)
 	}
 
 	return hostname, nil

hscontrol/types/node_test.go

@@ -195,7 +195,7 @@ func TestNodeFQDN(t *testing.T) {
 				DNSUserNameInMagicDNS: true,
 			},
 			domain: "example.com",
-			want:   "test",
+			want:   "test.user.example.com",
 		},
 		{
 			name: "no-dnsconfig-with-username",
@@ -206,7 +206,7 @@ func TestNodeFQDN(t *testing.T) {
 				},
 			},
 			domain: "example.com",
-			want:   "test",
+			want:   "test.example.com",
 		},
 		{
 			name: "all-set",
@@ -271,7 +271,7 @@ func TestNodeFQDN(t *testing.T) {
 				DNSUserNameInMagicDNS: false,
 			},
 			domain: "example.com",
-			want:   "test",
+			want:   "test.example.com",
 		},
 		{
 			name: "no-dnsconfig",
@@ -282,7 +282,7 @@ func TestNodeFQDN(t *testing.T) {
 				},
 			},
 			domain: "example.com",
-			want:   "test",
+			want:   "test.example.com",
 		},
 	}
 

hscontrol/types/testdata/base-domain-in-server-url.yaml

@@ -0,0 +1,16 @@
+noise:
+  private_key_path: "private_key.pem"
+
+prefixes:
+  v6: fd7a:115c:a1e0::/48
+  v4: 100.64.0.0/10
+
+database:
+  type: sqlite3
+
+server_url: "https://derp.no"
+
+dns:
+  magic_dns: true
+  base_domain: derp.no
+  use_username_in_magic_dns: false

hscontrol/types/testdata/base-domain-not-in-server-url.yaml

@@ -0,0 +1,16 @@
+noise:
+  private_key_path: "private_key.pem"
+
+prefixes:
+  v6: fd7a:115c:a1e0::/48
+  v4: 100.64.0.0/10
+
+database:
+  type: sqlite3
+
+server_url: "https://derp.no"
+
+dns:
+  magic_dns: true
+  base_domain: clients.derp.no
+  use_username_in_magic_dns: false

hscontrol/types/testdata/dns_full.yaml

@@ -0,0 +1,37 @@
+# minimum to not fatal
+noise:
+  private_key_path: "private_key.pem"
+server_url: "https://derp.no"
+
+dns:
+  magic_dns: true
+  base_domain: example.com
+
+  nameservers:
+    global:
+      - 1.1.1.1
+      - 1.0.0.1
+      - 2606:4700:4700::1111
+      - 2606:4700:4700::1001
+      - https://dns.nextdns.io/abc123
+
+    split:
+      foo.bar.com:
+        - 1.1.1.1
+      darp.headscale.net:
+        - 1.1.1.1
+        - 8.8.8.8
+
+  search_domains:
+    - test.com
+    - bar.com
+
+  extra_records:
+    - name: "grafana.myvpn.example.com"
+      type: "A"
+      value: "100.64.0.3"
+
+    # you can also put it in one line
+    - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.4" }
+
+  use_username_in_magic_dns: true

hscontrol/types/testdata/dns_full_no_magic.yaml

@@ -0,0 +1,37 @@
+# minimum to not fatal
+noise:
+  private_key_path: "private_key.pem"
+server_url: "https://derp.no"
+
+dns:
+  magic_dns: false
+  base_domain: example.com
+
+  nameservers:
+    global:
+      - 1.1.1.1
+      - 1.0.0.1
+      - 2606:4700:4700::1111
+      - 2606:4700:4700::1001
+      - https://dns.nextdns.io/abc123
+
+    split:
+      foo.bar.com:
+        - 1.1.1.1
+      darp.headscale.net:
+        - 1.1.1.1
+        - 8.8.8.8
+
+  search_domains:
+    - test.com
+    - bar.com
+
+  extra_records:
+    - name: "grafana.myvpn.example.com"
+      type: "A"
+      value: "100.64.0.3"
+
+    # you can also put it in one line
+    - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.4" }
+
+  use_username_in_magic_dns: true

hscontrol/types/testdata/minimal.yaml

@@ -0,0 +1,3 @@
+noise:
+  private_key_path: "private_key.pem"
+server_url: "https://derp.no"

hscontrol/types/testdata/policy-path-is-loaded.yaml

@@ -0,0 +1,18 @@
+noise:
+  private_key_path: "private_key.pem"
+
+prefixes:
+  v6: fd7a:115c:a1e0::/48
+  v4: 100.64.0.0/10
+
+database:
+  type: sqlite3
+
+server_url: "https://derp.no"
+
+acl_policy_path: "/etc/acl_policy.yaml"
+policy:
+  type: file
+  path: "/etc/policy.hujson"
+
+dns.magic_dns: false

hscontrol/util/log.go

@@ -1,7 +1,14 @@
 package util
 
 import (
+	"context"
+	"errors"
+	"time"
+
+	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
+	"gorm.io/gorm"
+	gormLogger "gorm.io/gorm/logger"
 	"tailscale.com/types/logger"
 )
 
@@ -14,3 +21,71 @@ func TSLogfWrapper() logger.Logf {
 		log.Debug().Caller().Msgf(format, args...)
 	}
 }
+
+type DBLogWrapper struct {
+	Logger                *zerolog.Logger
+	Level                 zerolog.Level
+	Event                 *zerolog.Event
+	SlowThreshold         time.Duration
+	SkipErrRecordNotFound bool
+	ParameterizedQueries  bool
+}
+
+func NewDBLogWrapper(origin *zerolog.Logger, slowThreshold time.Duration, skipErrRecordNotFound bool, parameterizedQueries bool) *DBLogWrapper {
+	l := &DBLogWrapper{
+		Logger:                origin,
+		Level:                 origin.GetLevel(),
+		SlowThreshold:         slowThreshold,
+		SkipErrRecordNotFound: skipErrRecordNotFound,
+		ParameterizedQueries:  parameterizedQueries,
+	}
+
+	return l
+}
+
+type DBLogWrapperOption func(*DBLogWrapper)
+
+func (l *DBLogWrapper) LogMode(gormLogger.LogLevel) gormLogger.Interface {
+	return l
+}
+
+func (l *DBLogWrapper) Info(ctx context.Context, msg string, data ...interface{}) {
+	l.Logger.Info().Msgf(msg, data...)
+}
+
+func (l *DBLogWrapper) Warn(ctx context.Context, msg string, data ...interface{}) {
+	l.Logger.Warn().Msgf(msg, data...)
+}
+
+func (l *DBLogWrapper) Error(ctx context.Context, msg string, data ...interface{}) {
+	l.Logger.Error().Msgf(msg, data...)
+}
+
+func (l *DBLogWrapper) Trace(ctx context.Context, begin time.Time, fc func() (sql string, rowsAffected int64), err error) {
+	elapsed := time.Since(begin)
+	sql, rowsAffected := fc()
+	fields := map[string]interface{}{
+		"duration":     elapsed,
+		"sql":          sql,
+		"rowsAffected": rowsAffected,
+	}
+
+	if err != nil && !(errors.Is(err, gorm.ErrRecordNotFound) && l.SkipErrRecordNotFound) {
+		l.Logger.Error().Err(err).Fields(fields).Msgf("")
+		return
+	}
+
+	if l.SlowThreshold != 0 && elapsed > l.SlowThreshold {
+		l.Logger.Warn().Fields(fields).Msgf("")
+		return
+	}
+
+	l.Logger.Debug().Fields(fields).Msgf("")
+}
+
+func (l *DBLogWrapper) ParamsFilter(ctx context.Context, sql string, params ...interface{}) (string, []interface{}) {
+	if l.ParameterizedQueries {
+		return sql, nil
+	}
+	return sql, params
+}

hscontrol/util/test.go

@@ -4,7 +4,9 @@ import (
 	"net/netip"
 
 	"github.com/google/go-cmp/cmp"
+	"tailscale.com/types/ipproto"
 	"tailscale.com/types/key"
+	"tailscale.com/types/views"
 )
 
 var PrefixComparer = cmp.Comparer(func(x, y netip.Prefix) bool {
@@ -31,6 +33,8 @@ var DkeyComparer = cmp.Comparer(func(x, y key.DiscoPublic) bool {
 	return x.String() == y.String()
 })
 
+var ViewSliceIPProtoComparer = cmp.Comparer(func(a, b views.Slice[ipproto.Proto]) bool { return views.SliceEqual(a, b) })
+
 var Comparers []cmp.Option = []cmp.Option{
-	IPComparer, PrefixComparer, AddrPortComparer, MkeyComparer, NkeyComparer, DkeyComparer,
+	IPComparer, PrefixComparer, AddrPortComparer, MkeyComparer, NkeyComparer, DkeyComparer, ViewSliceIPProtoComparer,
 }

integration/cli_test.go

@@ -1676,3 +1676,77 @@ func TestPolicyCommand(t *testing.T) {
 	assert.Len(t, output.ACLs, 1)
 	assert.Equal(t, output.TagOwners["tag:exists"], []string{"policy-user"})
 }
+
+func TestPolicyBrokenConfigCommand(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario(dockertestMaxWait())
+	assertNoErr(t, err)
+	defer scenario.Shutdown()
+
+	spec := map[string]int{
+		"policy-user": 1,
+	}
+
+	err = scenario.CreateHeadscaleEnv(
+		spec,
+		[]tsic.Option{},
+		hsic.WithTestName("clins"),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_POLICY_MODE": "database",
+		}),
+	)
+	assertNoErr(t, err)
+
+	headscale, err := scenario.Headscale()
+	assertNoErr(t, err)
+
+	p := policy.ACLPolicy{
+		ACLs: []policy.ACL{
+			{
+				// This is an unknown action, so it will return an error
+				// and the config will not be applied.
+				Action:       "acccept",
+				Sources:      []string{"*"},
+				Destinations: []string{"*:*"},
+			},
+		},
+		TagOwners: map[string][]string{
+			"tag:exists": {"policy-user"},
+		},
+	}
+
+	pBytes, _ := json.Marshal(p)
+
+	policyFilePath := "/etc/headscale/policy.json"
+
+	err = headscale.WriteFile(policyFilePath, pBytes)
+	assertNoErr(t, err)
+
+	// No policy is present at this time.
+	// Add a new policy from a file.
+	_, err = headscale.Execute(
+		[]string{
+			"headscale",
+			"policy",
+			"set",
+			"-f",
+			policyFilePath,
+		},
+	)
+	assert.ErrorContains(t, err, "verifying policy rules: invalid action")
+
+	// The new policy was invalid, the old one should still be in place, which
+	// is none.
+	_, err = headscale.Execute(
+		[]string{
+			"headscale",
+			"policy",
+			"get",
+			"--output",
+			"json",
+		},
+	)
+	assert.ErrorContains(t, err, "acl policy not found")
+}

integration/dns_test.go

@@ -0,0 +1,246 @@
+package integration
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/juanfont/headscale/integration/hsic"
+	"github.com/juanfont/headscale/integration/tsic"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestResolveMagicDNS(t *testing.T) {
+	IntegrationSkip(t)
+	t.Parallel()
+
+	scenario, err := NewScenario(dockertestMaxWait())
+	assertNoErr(t, err)
+	defer scenario.Shutdown()
+
+	spec := map[string]int{
+		"magicdns1": len(MustTestVersions),
+		"magicdns2": len(MustTestVersions),
+	}
+
+	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("magicdns"))
+	assertNoErrHeadscaleEnv(t, err)
+
+	allClients, err := scenario.ListTailscaleClients()
+	assertNoErrListClients(t, err)
+
+	err = scenario.WaitForTailscaleSync()
+	assertNoErrSync(t, err)
+
+	// assertClientsState(t, allClients)
+
+	// Poor mans cache
+	_, err = scenario.ListTailscaleClientsFQDNs()
+	assertNoErrListFQDN(t, err)
+
+	_, err = scenario.ListTailscaleClientsIPs()
+	assertNoErrListClientIPs(t, err)
+
+	for _, client := range allClients {
+		for _, peer := range allClients {
+			// It is safe to ignore this error as we handled it when caching it
+			peerFQDN, _ := peer.FQDN()
+
+			assert.Equal(t, fmt.Sprintf("%s.headscale.net", peer.Hostname()), peerFQDN)
+
+			command := []string{
+				"tailscale",
+				"ip", peerFQDN,
+			}
+			result, _, err := client.Execute(command)
+			if err != nil {
+				t.Fatalf(
+					"failed to execute resolve/ip command %s from %s: %s",
+					peerFQDN,
+					client.Hostname(),
+					err,
+				)
+			}
+
+			ips, err := peer.IPs()
+			if err != nil {
+				t.Fatalf(
+					"failed to get ips for %s: %s",
+					peer.Hostname(),
+					err,
+				)
+			}
+
+			for _, ip := range ips {
+				if !strings.Contains(result, ip.String()) {
+					t.Fatalf("ip %s is not found in \n%s\n", ip.String(), result)
+				}
+			}
+		}
+	}
+}
+
+// TestValidateResolvConf validates that the resolv.conf file
+// ends up as expected in our Tailscale containers.
+// All the containers are based on Alpine, meaning Tailscale
+// will overwrite the resolv.conf file.
+// On other platform, Tailscale will integrate with a dns manager
+// if available (like Systemd-Resolved).
+func TestValidateResolvConf(t *testing.T) {
+	IntegrationSkip(t)
+
+	resolvconf := func(conf string) string {
+		return strings.ReplaceAll(`# resolv.conf(5) file generated by tailscale
+# For more info, see https://tailscale.com/s/resolvconf-overwrite
+# DO NOT EDIT THIS FILE BY HAND -- CHANGES WILL BE OVERWRITTEN
+`+conf, "\t", "")
+	}
+
+	tests := []struct {
+		name                string
+		conf                map[string]string
+		wantConfCompareFunc func(*testing.T, string)
+	}{
+		// New config
+		{
+			name: "no-config",
+			conf: map[string]string{
+				"HEADSCALE_DNS_BASE_DOMAIN":        "",
+				"HEADSCALE_DNS_MAGIC_DNS":          "false",
+				"HEADSCALE_DNS_NAMESERVERS_GLOBAL": "",
+			},
+			wantConfCompareFunc: func(t *testing.T, got string) {
+				assert.NotContains(t, got, "100.100.100.100")
+			},
+		},
+		{
+			name: "global-only",
+			conf: map[string]string{
+				"HEADSCALE_DNS_BASE_DOMAIN":        "",
+				"HEADSCALE_DNS_MAGIC_DNS":          "false",
+				"HEADSCALE_DNS_NAMESERVERS_GLOBAL": "8.8.8.8 1.1.1.1",
+			},
+			wantConfCompareFunc: func(t *testing.T, got string) {
+				want := resolvconf(`
+					nameserver 100.100.100.100
+				`)
+				assert.Equal(t, want, got)
+			},
+		},
+		{
+			name: "base-integration-config",
+			conf: map[string]string{
+				"HEADSCALE_DNS_BASE_DOMAIN": "very-unique-domain.net",
+			},
+			wantConfCompareFunc: func(t *testing.T, got string) {
+				want := resolvconf(`
+					nameserver 100.100.100.100
+					search very-unique-domain.net
+				`)
+				assert.Equal(t, want, got)
+			},
+		},
+		{
+			name: "base-magic-dns-off",
+			conf: map[string]string{
+				"HEADSCALE_DNS_MAGIC_DNS":   "false",
+				"HEADSCALE_DNS_BASE_DOMAIN": "very-unique-domain.net",
+			},
+			wantConfCompareFunc: func(t *testing.T, got string) {
+				want := resolvconf(`
+					nameserver 100.100.100.100
+					search very-unique-domain.net
+				`)
+				assert.Equal(t, want, got)
+			},
+		},
+		{
+			name: "base-extra-search-domains",
+			conf: map[string]string{
+				"HEADSCALE_DNS_SEARCH_DOMAINS": "test1.no test2.no",
+				"HEADSCALE_DNS_BASE_DOMAIN":    "with-local-dns.net",
+			},
+			wantConfCompareFunc: func(t *testing.T, got string) {
+				want := resolvconf(`
+					nameserver 100.100.100.100
+					search with-local-dns.net test1.no test2.no
+				`)
+				assert.Equal(t, want, got)
+			},
+		},
+		{
+			name: "base-nameservers-split",
+			conf: map[string]string{
+				"HEADSCALE_DNS_NAMESERVERS_SPLIT": `{foo.bar.com: ["1.1.1.1"]}`,
+				"HEADSCALE_DNS_BASE_DOMAIN":       "with-local-dns.net",
+			},
+			wantConfCompareFunc: func(t *testing.T, got string) {
+				want := resolvconf(`
+					nameserver 100.100.100.100
+					search with-local-dns.net
+				`)
+				assert.Equal(t, want, got)
+			},
+		},
+		{
+			name: "base-full-no-magic",
+			conf: map[string]string{
+				"HEADSCALE_DNS_MAGIC_DNS":          "false",
+				"HEADSCALE_DNS_BASE_DOMAIN":        "all-of.it",
+				"HEADSCALE_DNS_NAMESERVERS_GLOBAL": `8.8.8.8`,
+				"HEADSCALE_DNS_SEARCH_DOMAINS":     "test1.no test2.no",
+				// TODO(kradalby): this currently isnt working, need to fix it
+				// "HEADSCALE_DNS_NAMESERVERS_SPLIT": `{foo.bar.com: ["1.1.1.1"]}`,
+				// "HEADSCALE_DNS_EXTRA_RECORDS":     `[{ name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.4" }]`,
+			},
+			wantConfCompareFunc: func(t *testing.T, got string) {
+				want := resolvconf(`
+					nameserver 100.100.100.100
+					search all-of.it test1.no test2.no
+				`)
+				assert.Equal(t, want, got)
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			scenario, err := NewScenario(dockertestMaxWait())
+			assertNoErr(t, err)
+			defer scenario.Shutdown()
+
+			spec := map[string]int{
+				"resolvconf1": 3,
+				"resolvconf2": 3,
+			}
+
+			err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("resolvconf"), hsic.WithConfigEnv(tt.conf))
+			assertNoErrHeadscaleEnv(t, err)
+
+			allClients, err := scenario.ListTailscaleClients()
+			assertNoErrListClients(t, err)
+
+			err = scenario.WaitForTailscaleSync()
+			assertNoErrSync(t, err)
+
+			// Poor mans cache
+			_, err = scenario.ListTailscaleClientsFQDNs()
+			assertNoErrListFQDN(t, err)
+
+			_, err = scenario.ListTailscaleClientsIPs()
+			assertNoErrListClientIPs(t, err)
+
+			time.Sleep(30 * time.Second)
+
+			for _, client := range allClients {
+				b, err := client.ReadFile("/etc/resolv.conf")
+				assertNoErr(t, err)
+
+				t.Logf("comparing resolv conf of %s", client.Hostname())
+				tt.wantConfCompareFunc(t, string(b))
+			}
+		})
+	}
+
+}

integration/dockertestutil/execute.go

@@ -62,7 +62,7 @@ func ExecuteCommand(
 		exitCode, err := resource.Exec(
 			cmd,
 			dockertest.ExecOptions{
-				Env:    append(env, "HEADSCALE_LOG_LEVEL=disabled"),
+				Env:    append(env, "HEADSCALE_LOG_LEVEL=info"),
 				StdOut: &stdout,
 				StdErr: &stderr,
 			},

integration/embedded_derp_test.go

@@ -4,7 +4,9 @@ import (
 	"fmt"
 	"log"
 	"net/url"
+	"strings"
 	"testing"
+	"time"
 
 	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/juanfont/headscale/integration/dockertestutil"
@@ -33,8 +35,7 @@ func TestDERPServerScenario(t *testing.T) {
 	defer scenario.Shutdown()
 
 	spec := map[string]int{
-		"user1": 10,
-		// "user1": len(MustTestVersions),
+		"user1": len(MustTestVersions),
 	}
 
 	err = scenario.CreateHeadscaleEnv(
@@ -44,24 +45,75 @@ func TestDERPServerScenario(t *testing.T) {
 		hsic.WithEmbeddedDERPServerOnly(),
 		hsic.WithTLS(),
 		hsic.WithHostnameAsServerURL(),
+		hsic.WithConfigEnv(map[string]string{
+			"HEADSCALE_DERP_AUTO_UPDATE_ENABLED": "true",
+			"HEADSCALE_DERP_UPDATE_FREQUENCY":    "10s",
+		}),
 	)
 	assertNoErrHeadscaleEnv(t, err)
 
 	allClients, err := scenario.ListTailscaleClients()
 	assertNoErrListClients(t, err)
 
-	allIps, err := scenario.ListTailscaleClientsIPs()
-	assertNoErrListClientIPs(t, err)
-
 	err = scenario.WaitForTailscaleSync()
 	assertNoErrSync(t, err)
 
 	allHostnames, err := scenario.ListTailscaleClientsFQDNs()
 	assertNoErrListFQDN(t, err)
 
+	for _, client := range allClients {
+		status, err := client.Status()
+		assertNoErr(t, err)
+
+		for _, health := range status.Health {
+			if strings.Contains(health, "could not connect to any relay server") {
+				t.Errorf("expected to be connected to derp, found: %s", health)
+			}
+			if strings.Contains(health, "could not connect to the 'Headscale Embedded DERP' relay server.") {
+				t.Errorf("expected to be connected to derp, found: %s", health)
+			}
+		}
+	}
+
 	success := pingDerpAllHelper(t, allClients, allHostnames)
 
-	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
+	for _, client := range allClients {
+		status, err := client.Status()
+		assertNoErr(t, err)
+
+		for _, health := range status.Health {
+			if strings.Contains(health, "could not connect to any relay server") {
+				t.Errorf("expected to be connected to derp, found: %s", health)
+			}
+			if strings.Contains(health, "could not connect to the 'Headscale Embedded DERP' relay server.") {
+				t.Errorf("expected to be connected to derp, found: %s", health)
+			}
+		}
+	}
+
+	t.Logf("Run 1: %d successful pings out of %d", success, len(allClients)*len(allHostnames))
+
+	// Let the DERP updater run a couple of times to ensure it does not
+	// break the DERPMap.
+	time.Sleep(30 * time.Second)
+
+	success = pingDerpAllHelper(t, allClients, allHostnames)
+
+	for _, client := range allClients {
+		status, err := client.Status()
+		assertNoErr(t, err)
+
+		for _, health := range status.Health {
+			if strings.Contains(health, "could not connect to any relay server") {
+				t.Errorf("expected to be connected to derp, found: %s", health)
+			}
+			if strings.Contains(health, "could not connect to the 'Headscale Embedded DERP' relay server.") {
+				t.Errorf("expected to be connected to derp, found: %s", health)
+			}
+		}
+	}
+
+	t.Logf("Run2: %d successful pings out of %d", success, len(allClients)*len(allHostnames))
 }
 
 func (s *EmbeddedDERPServerScenario) CreateHeadscaleEnv(

integration/general_test.go

@@ -623,74 +623,6 @@ func TestTaildrop(t *testing.T) {
 	}
 }
 
-func TestResolveMagicDNS(t *testing.T) {
-	IntegrationSkip(t)
-	t.Parallel()
-
-	scenario, err := NewScenario(dockertestMaxWait())
-	assertNoErr(t, err)
-	defer scenario.Shutdown()
-
-	spec := map[string]int{
-		"magicdns1": len(MustTestVersions),
-		"magicdns2": len(MustTestVersions),
-	}
-
-	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{}, hsic.WithTestName("magicdns"))
-	assertNoErrHeadscaleEnv(t, err)
-
-	allClients, err := scenario.ListTailscaleClients()
-	assertNoErrListClients(t, err)
-
-	err = scenario.WaitForTailscaleSync()
-	assertNoErrSync(t, err)
-
-	// assertClientsState(t, allClients)
-
-	// Poor mans cache
-	_, err = scenario.ListTailscaleClientsFQDNs()
-	assertNoErrListFQDN(t, err)
-
-	_, err = scenario.ListTailscaleClientsIPs()
-	assertNoErrListClientIPs(t, err)
-
-	for _, client := range allClients {
-		for _, peer := range allClients {
-			// It is safe to ignore this error as we handled it when caching it
-			peerFQDN, _ := peer.FQDN()
-
-			command := []string{
-				"tailscale",
-				"ip", peerFQDN,
-			}
-			result, _, err := client.Execute(command)
-			if err != nil {
-				t.Fatalf(
-					"failed to execute resolve/ip command %s from %s: %s",
-					peerFQDN,
-					client.Hostname(),
-					err,
-				)
-			}
-
-			ips, err := peer.IPs()
-			if err != nil {
-				t.Fatalf(
-					"failed to get ips for %s: %s",
-					peer.Hostname(),
-					err,
-				)
-			}
-
-			for _, ip := range ips {
-				if !strings.Contains(result, ip.String()) {
-					t.Fatalf("ip %s is not found in \n%s\n", ip.String(), result)
-				}
-			}
-		}
-	}
-}
-
 func TestExpireNode(t *testing.T) {
 	IntegrationSkip(t)
 	t.Parallel()

integration/hsic/config.go

@@ -2,104 +2,6 @@ package hsic
 
 import "github.com/juanfont/headscale/hscontrol/types"
 
-// const (
-// 	defaultEphemeralNodeInactivityTimeout = time.Second * 30
-// 	defaultNodeUpdateCheckInterval        = time.Second * 10
-// )
-
-// TODO(kradalby): This approach doesnt work because we cannot
-// serialise our config object to YAML or JSON.
-// func DefaultConfig() headscale.Config {
-// 	derpMap, _ := url.Parse("https://controlplane.tailscale.com/derpmap/default")
-//
-// 	config := headscale.Config{
-// 		Log: headscale.LogConfig{
-// 			Level: zerolog.TraceLevel,
-// 		},
-// 		ACL:                            headscale.GetACLConfig(),
-// 		DBtype:                         "sqlite3",
-// 		EphemeralNodeInactivityTimeout: defaultEphemeralNodeInactivityTimeout,
-// 		NodeUpdateCheckInterval:        defaultNodeUpdateCheckInterval,
-// 		IPPrefixes: []netip.Prefix{
-// 			netip.MustParsePrefix("fd7a:115c:a1e0::/48"),
-// 			netip.MustParsePrefix("100.64.0.0/10"),
-// 		},
-// 		DNSConfig: &tailcfg.DNSConfig{
-// 			Proxied: true,
-// 			Nameservers: []netip.Addr{
-// 				netip.MustParseAddr("127.0.0.11"),
-// 				netip.MustParseAddr("1.1.1.1"),
-// 			},
-// 			Resolvers: []*dnstype.Resolver{
-// 				{
-// 					Addr: "127.0.0.11",
-// 				},
-// 				{
-// 					Addr: "1.1.1.1",
-// 				},
-// 			},
-// 		},
-// 		BaseDomain: "headscale.net",
-//
-// 		DBpath: "/tmp/integration_test_db.sqlite3",
-//
-// 		PrivateKeyPath:      "/tmp/integration_private.key",
-// 		NoisePrivateKeyPath: "/tmp/noise_integration_private.key",
-// 		Addr:                "0.0.0.0:8080",
-// 		MetricsAddr:         "127.0.0.1:9090",
-// 		ServerURL:           "http://headscale:8080",
-//
-// 		DERP: headscale.DERPConfig{
-// 			URLs: []url.URL{
-// 				*derpMap,
-// 			},
-// 			AutoUpdate:      false,
-// 			UpdateFrequency: 1 * time.Minute,
-// 		},
-// 	}
-//
-// 	return config
-// }
-
-// TODO: Reuse the actual configuration object above.
-// Deprecated: use env function instead as it is easier to
-// override.
-func DefaultConfigYAML() string {
-	yaml := `
-log:
-  level: trace
-acl_policy_path: ""
-database:
-  type: sqlite3
-  sqlite.path: /tmp/integration_test_db.sqlite3
-ephemeral_node_inactivity_timeout: 30m
-prefixes:
-  v6: fd7a:115c:a1e0::/48
-  v4: 100.64.0.0/10
-dns_config:
-  base_domain: headscale.net
-  magic_dns: true
-  domains: []
-  nameservers:
-    - 127.0.0.11
-    - 1.1.1.1
-private_key_path: /tmp/private.key
-noise:
-  private_key_path: /tmp/noise_private.key
-listen_addr: 0.0.0.0:8080
-metrics_listen_addr: 127.0.0.1:9090
-server_url: http://headscale:8080
-
-derp:
-  urls:
-    - https://controlplane.tailscale.com/derpmap/default
-  auto_update_enabled: false
-  update_frequency: 1m
-`
-
-	return yaml
-}
-
 func MinimumConfigYAML() string {
 	return `
 private_key_path: /tmp/private.key
@@ -111,16 +13,15 @@ noise:
 func DefaultConfigEnv() map[string]string {
 	return map[string]string{
 		"HEADSCALE_LOG_LEVEL":                         "trace",
-		"HEADSCALE_ACL_POLICY_PATH":                   "",
+		"HEADSCALE_POLICY_PATH":                       "",
 		"HEADSCALE_DATABASE_TYPE":                     "sqlite",
 		"HEADSCALE_DATABASE_SQLITE_PATH":              "/tmp/integration_test_db.sqlite3",
 		"HEADSCALE_EPHEMERAL_NODE_INACTIVITY_TIMEOUT": "30m",
 		"HEADSCALE_PREFIXES_V4":                       "100.64.0.0/10",
 		"HEADSCALE_PREFIXES_V6":                       "fd7a:115c:a1e0::/48",
-		"HEADSCALE_DNS_CONFIG_BASE_DOMAIN":            "headscale.net",
-		"HEADSCALE_DNS_CONFIG_MAGIC_DNS":              "true",
-		"HEADSCALE_DNS_CONFIG_DOMAINS":                "",
-		"HEADSCALE_DNS_CONFIG_NAMESERVERS":            "127.0.0.11 1.1.1.1",
+		"HEADSCALE_DNS_BASE_DOMAIN":                   "headscale.net",
+		"HEADSCALE_DNS_MAGIC_DNS":                     "true",
+		"HEADSCALE_DNS_NAMESERVERS_GLOBAL":            "127.0.0.11 1.1.1.1",
 		"HEADSCALE_PRIVATE_KEY_PATH":                  "/tmp/private.key",
 		"HEADSCALE_NOISE_PRIVATE_KEY_PATH":            "/tmp/noise_private.key",
 		"HEADSCALE_LISTEN_ADDR":                       "0.0.0.0:8080",

integration/hsic/hsic.go

@@ -82,7 +82,7 @@ type Option = func(c *HeadscaleInContainer)
 func WithACLPolicy(acl *policy.ACLPolicy) Option {
 	return func(hsic *HeadscaleInContainer) {
 		// TODO(kradalby): Move somewhere appropriate
-		hsic.env["HEADSCALE_ACL_POLICY_PATH"] = aclPolicyPath
+		hsic.env["HEADSCALE_POLICY_PATH"] = aclPolicyPath
 
 		hsic.aclPolicy = acl
 	}
@@ -551,7 +551,7 @@ func (t *HeadscaleInContainer) Execute(
 			log.Printf("command stdout: %s\n", stdout)
 		}
 
-		return "", err
+		return stdout, fmt.Errorf("executing command in docker: %w, stderr: %s", err, stderr)
 	}
 
 	return stdout, nil

integration/route_test.go

@@ -17,6 +17,7 @@ import (
 	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/stretchr/testify/assert"
 	"tailscale.com/types/ipproto"
+	"tailscale.com/types/views"
 	"tailscale.com/wgengine/filter"
 )
 
@@ -1146,9 +1147,9 @@ func TestSubnetRouteACL(t *testing.T) {
 
 	wantClientFilter := []filter.Match{
 		{
-			IPProto: []ipproto.Proto{
+			IPProto: views.SliceOf([]ipproto.Proto{
 				ipproto.TCP, ipproto.UDP, ipproto.ICMPv4, ipproto.ICMPv6,
-			},
+			}),
 			Srcs: []netip.Prefix{
 				netip.MustParsePrefix("100.64.0.1/32"),
 				netip.MustParsePrefix("100.64.0.2/32"),
@@ -1169,7 +1170,7 @@ func TestSubnetRouteACL(t *testing.T) {
 		},
 	}
 
-	if diff := cmp.Diff(wantClientFilter, clientNm.PacketFilter, util.PrefixComparer); diff != "" {
+	if diff := cmp.Diff(wantClientFilter, clientNm.PacketFilter, util.ViewSliceIPProtoComparer, util.PrefixComparer); diff != "" {
 		t.Errorf("Client (%s) filter, unexpected result (-want +got):\n%s", client.Hostname(), diff)
 	}
 
@@ -1178,9 +1179,9 @@ func TestSubnetRouteACL(t *testing.T) {
 
 	wantSubnetFilter := []filter.Match{
 		{
-			IPProto: []ipproto.Proto{
+			IPProto: views.SliceOf([]ipproto.Proto{
 				ipproto.TCP, ipproto.UDP, ipproto.ICMPv4, ipproto.ICMPv6,
-			},
+			}),
 			Srcs: []netip.Prefix{
 				netip.MustParsePrefix("100.64.0.1/32"),
 				netip.MustParsePrefix("100.64.0.2/32"),
@@ -1200,9 +1201,9 @@ func TestSubnetRouteACL(t *testing.T) {
 			Caps: []filter.CapMatch{},
 		},
 		{
-			IPProto: []ipproto.Proto{
+			IPProto: views.SliceOf([]ipproto.Proto{
 				ipproto.TCP, ipproto.UDP, ipproto.ICMPv4, ipproto.ICMPv6,
-			},
+			}),
 			Srcs: []netip.Prefix{
 				netip.MustParsePrefix("100.64.0.1/32"),
 				netip.MustParsePrefix("100.64.0.2/32"),
@@ -1219,7 +1220,7 @@ func TestSubnetRouteACL(t *testing.T) {
 		},
 	}
 
-	if diff := cmp.Diff(wantSubnetFilter, subnetNm.PacketFilter, util.PrefixComparer); diff != "" {
+	if diff := cmp.Diff(wantSubnetFilter, subnetNm.PacketFilter, util.ViewSliceIPProtoComparer, util.PrefixComparer); diff != "" {
 		t.Errorf("Subnet (%s) filter, unexpected result (-want +got):\n%s", subRouter1.Hostname(), diff)
 	}
 }

integration/scenario.go

@@ -51,6 +51,8 @@ var (
 	tailscaleVersions2021 = map[string]bool{
 		"head":     true,
 		"unstable": true,
+		"1.70":     true,  // CapVer: not checked
+		"1.68":     true,  // CapVer: not checked
 		"1.66":     true,  // CapVer: not checked
 		"1.64":     true,  // CapVer: not checked
 		"1.62":     true,  // CapVer: not checked
@@ -62,10 +64,10 @@ var (
 		"1.50":     true,  // CapVer: 74
 		"1.48":     true,  // CapVer: 68
 		"1.46":     true,  // CapVer: 65
-		"1.44":     true,  // CapVer: 63
-		"1.42":     true,  // CapVer: 61
-		"1.40":     true,  // CapVer: 61
-		"1.38":     true,  // Oldest supported version, CapVer: 58
+		"1.44":     false, // CapVer: 63
+		"1.42":     false, // Oldest supported version, CapVer: 61
+		"1.40":     false, // CapVer: 61
+		"1.38":     false, // CapVer: 58
 		"1.36":     false, // CapVer: 56
 		"1.34":     false, // CapVer: 51
 		"1.32":     false, // CapVer: 46

integration/tailscale.go

@@ -36,6 +36,7 @@ type TailscaleClient interface {
 	Ping(hostnameOrIP string, opts ...tsic.PingOption) error
 	Curl(url string, opts ...tsic.CurlOption) (string, error)
 	ID() string
+	ReadFile(path string) ([]byte, error)
 
 	// FailingPeersAsString returns a formatted-ish multi-line-string of peers in the client
 	// and a bool indicating if the clients online count and peer count is equal.

integration/tsic/tsic.go

@@ -1,6 +1,8 @@
 package tsic
 
 import (
+	"archive/tar"
+	"bytes"
 	"context"
 	"encoding/json"
 	"errors"
@@ -998,3 +1000,41 @@ func (t *TailscaleInContainer) WriteFile(path string, data []byte) error {
 func (t *TailscaleInContainer) SaveLog(path string) error {
 	return dockertestutil.SaveLog(t.pool, t.container, path)
 }
+
+// ReadFile reads a file from the Tailscale container.
+// It returns the content of the file as a byte slice.
+func (t *TailscaleInContainer) ReadFile(path string) ([]byte, error) {
+	tarBytes, err := integrationutil.FetchPathFromContainer(t.pool, t.container, path)
+	if err != nil {
+		return nil, fmt.Errorf("reading file from container: %w", err)
+	}
+
+	var out bytes.Buffer
+	tr := tar.NewReader(bytes.NewReader(tarBytes))
+	for {
+		hdr, err := tr.Next()
+		if err == io.EOF {
+			break // End of archive
+		}
+		if err != nil {
+			return nil, fmt.Errorf("reading tar header: %w", err)
+		}
+
+		if !strings.Contains(path, hdr.Name) {
+			return nil, fmt.Errorf("file not found in tar archive, looking for: %s, header was: %s", path, hdr.Name)
+		}
+
+		if _, err := io.Copy(&out, tr); err != nil {
+			return nil, fmt.Errorf("copying file to buffer: %w", err)
+		}
+
+		// Only support reading the first tile
+		break
+	}
+
+	if out.Len() == 0 {
+		return nil, fmt.Errorf("file is empty")
+	}
+
+	return out.Bytes(), nil
+}

mkdocs.yml

@@ -144,4 +144,3 @@ nav:
   - Proposals:
       - ACLs: proposals/001-acls.md
       - Better routing: proposals/002-better-routing.md
-  - Glossary: glossary.md